Source: OJ L, 2025/1125, 15.9.2025

Current language: EN

Article 2 Programme of operations: information on the business model, strategy and risk profile


Summary What does Article 2 of the RTS on ART issuer authorisation say?

This article sets out the detailed content requirements for the programme of operations that applicant issuers of asset-referenced tokens must include in their application for authorisation under MiCA (Regulation (EU) 2023/1114).

It is a substantive content article that directly implements Article 18(2)(d) of MiCA, translating the high-level requirement for a programme of operations into a granular list of what that programme must actually contain.

At its core, the article demands a comprehensive picture of the applicant issuer's business activities, the environment in which it will operate, and its overall strategy and risk assessment, all projected over a three-year horizon.

It also addresses the scenario where an authorised issuer delegates the distribution of tokens to third parties, making clear that regulatory responsibility stays with the issuer throughout.

Important points:

  • Include a programme of operations in your authorisation application covering business activities, the competitive environment, strategy, and a risk assessment spanning three years from the grant of authorisation.
  • The risk assessment must address a broad range of risks, including business, operational, ICT, cybersecurity, financial, third-party, and money laundering and terrorist financing risks.
  • Where third parties are appointed to carry out the offer to the public or admission to trading of the token, include policies and procedures confirming that compliance responsibility under Title III of MiCA remains with the authorised issuer.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. For the purposes of Article 18(2), point (d), of Regulation (EU) 2023/1114, the application for authorisation shall contain a programme of operations setting out the applicant issuer’s business model, strategy and risk assessment for three years following the granting of the authorisation.

    1. In accordance with Article 19 of Regulation (EU) 2023/1114, the programme of operations referred to in paragraph 1 shall include all of the following:

      1. information on the applicant issuer’s business activities, including:

        1. main features of the asset-referenced token for which the authorisation is sought, including all of the following:

          1. the name and type of asset-referenced token that the applicant issuer intends to issue and for which authorisation to offer to the public or to seek admission to trading is sought;

          2. specification as to whether the authorisation is sought for an offer to the public or an admission to trading of such asset-referenced token;

          3. description of the mechanism through which the asset-referenced token is issued, including the smart contracts together with an explanatory document on their functioning, the method of payment to buy the asset-referenced token, and the distribution channels, in particular the crypto-asset service providers executing selling orders or crypto-asset exchange platforms;

          4. where an agreement by the applicant issuer is entered into for the distribution of the asset-referenced token, the name and contact details of the distributors and description of the roles, responsibilities, rights and obligations of both the issuer of the asset-referenced token and the distributors, including the law applicable to the agreement;

          5. description of the mechanism through which the asset-referenced token is redeemed, including, where applicable, the indication whether crypto-asset service providers will be involved in the execution of the redemption;

          6. the protocol or consensus mechanism used for validating transactions, including the description of the settlement finality features;

          7. the single or the multiple distributed ledger technology (DLT) where the asset-referenced token is issued and the interoperability bridges between such different DTLs that are available at the time of the application for authorisation, as indicated in the white paper;

        2. any already existing, outstanding asset-referenced token, e-money token, crypto-assets or other digital assets issued by the applicant issuer, with the indication of the related outstanding amounts, the networks and markets where those are distributed and traded, the amount, composition, custody arrangements and custodians of the related reserve of assets, or safeguarding requirements for e-money tokens, as applicable;

        3. any other financial and non-financial activity that is carried out by the applicant issuer and that the applicant issuer intends to continue to carry out in case the authorisation is granted, and the interaction among such activities, if any;

        4. where the applicant issuer belongs to a group, an overview of the organisation and structure of that group, describing the activities of the entities in the group and indicating the parent undertakings, financial holding companies as defined in Article 4(1), point (20), of Regulation (EU) No 575/2013 of the European Parliament and of the Council(9), mixed financial holding companies as defined in Article 4(1), point (21), of that Regulation, and investment holding companies as defined in Article 4(1), point (20a), of that Regulation, within the group, as well as any authorisation, registration or other licences granted by a competent authority in the financial sector held by any such group entity or by the applicant issuer;

      2. description of the business environment where the applicant issuer will operate, focusing on the crypto-asset and payment sectors, including:

        1. the main existing market players and principal peers;

        2. the likely development of the business environment and any related potential risks;

        3. an analysis of the applicant issuer’s competitive position in the market;

      3. description of the applicant issuer’s overall business strategy and, where the applicant issuer belongs to a group, the overall group strategy, including:

        1. explanation of the strategic goals;

        2. indication of the key business drivers;

        3. indication of any identified competitive advantage, including any prior experience in the digital sector, size and scalability of the business, DLT specificities, including permissioned or permissionless access to the blockchain network granted by the network owner or governing arrangements, related validation protocols and consensus mechanisms or the planned number of transactions per second;

        4. description of the target customers, including retail, corporate, institutional, small and medium enterprises, public entities, of the target markets and geographical distribution, including the list of host Member States as referred to in Article 18(2), point (r), of Regulation (EU) 2023/1114;

        5. a risk assessment covering the actual or potential risks that the planned business may be exposed to, including:

          1. business risk factors, such as failure to reach the minimum target subscription goal of the asset-referenced token issuance, where provided;

          2. operational risk, fraud, ICT and cyber-security risks;

          3. financial risks including liquidity risk, market and credit risk;

          4. risks related to the significant third-party providers;

          5. inherent and residual risks of money laundering and terrorist financing, also having regard to the mechanisms and arrangements relating to the issuance, redemption and distribution of the asset-referenced token;

        6. matrix resulting from the interaction of the strengths, weaknesses, opportunities and threats of the business strategy.

    2. For the purposes of point (a)(i)(4), where, upon being granted authorisation, the applicant issuer intends to appoint by consent and in writing other entities to carry out the offer to the public or the admission to trading of the asset-referenced token, the application for authorisation shall include policies and procedures clarifying, inter alia, that the responsibility for the compliance with Title III of Regulation (EU) 2023/1114 will remain with the issuer of an asset-referenced token that has been granted authorisation and that such other entities will be subject to the conduct and marketing requirements laid down in Article 16(1), second subparagraph, of that Regulation.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod