You are already carrying MiCA and DORA. The good news, for once: the AI Act barely touches a crypto-asset service provider.
Check your exposure — freeBlockchain analytics, transaction monitoring, market abuse surveillance, trading bots, KYC verification — none of it appears in Annex III, and the fraud-detection carve-out and the biometric-verification exclusion cover the two that come closest. Unless you lend to consumers, a CASP's AI Act programme is Article 50 and Article 4. That is a policy and a disclosure, not a conformity assessment.
Read this the way the Act reads it: Annex III is a list of named use cases, not a judgement about how important a system is to your business. The most consequential model you run may well be the one the Act says nothing about.
| System | Under the AI Act | Why |
|---|---|---|
| Blockchain analytics and transaction monitoring | Not high-risk Not high-risk | Not in Annex III. And to the extent it functions as fraud detection, point 5(b) excludes it by name. |
| AML screening, sanctions, Travel Rule matching | Not high-risk Not high-risk | Not named in Annex III. Your obligations here come from the AML framework and the Transfer of Funds Regulation. |
| Market abuse surveillance (MiCA Title VI) | Not high-risk Not high-risk | Not in Annex III. MiCA already requires you to detect and report market abuse; the AI Act adds nothing on top. |
| KYC identity verification — selfie / document match | Not high-risk Not high-risk | Annex III point 1 expressly excludes biometric verification whose sole purpose is to confirm a person is who they claim to be. One-to-one onboarding match is verification, not remote identification. |
| Trading bots, market making, liquidity algorithms | Not high-risk Not high-risk | Absent from Annex III entirely. |
| Crypto lending or credit to consumers | Applies High-risk — Annex III 5(b) | If you assess the creditworthiness of natural persons — a collateralised consumer loan still counts — you are in 5(b), and the full high-risk chapter follows. |
| Customer chatbot, or anything that looks like advice | Applies Transparency — Art. 50 | Disclose that the customer is talking to an AI, from 2 August 2026. And note MiCA's own fair, clear and not-misleading standard applies to whatever the bot says. |
| CV screening and employee evaluation | Applies High-risk — Annex III point 4 | Catches you as an employer. For most CASPs this is the only high-risk AI system in the building. |
A CASP carries MiCA for authorisation and conduct, DORA for ICT risk and incident reporting — CASPs have been DORA entities since January 2025 — and the AML framework plus the Travel Rule for monitoring. That is a heavy stack, and the reflex when a fourth regulation arrives is to assume it is heavier still.
It is not. Read Annex III against what you actually run and the list comes back nearly empty. Your realistic AI Act workplan is: disclose the bot, mark generated content, write the AI literacy measures into your training programme, and check whether HR has bought a CV screener. If someone is quoting you for a high-risk conformity assessment on your blockchain analytics, ask them which point of Annex III it falls under.
We describe the delta. The Act itself — all 113 articles, in 24 EU languages — lives on our sister site.
Start free: run the AI Act exposure check to classify a specific system, or read the cross-obligation table showing what the AI Act adds to a DORA programme. Already working on DORA? See DORA for Crypto-Asset Service Providers. Analytical guidance for compliance teams, not legal advice.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.