Ana Filipa Ribeiro (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/33)
Regulation (EU) 2023/1114 on Markets in Crypto-assets (MiCAR)[1] is the European Union’s first comprehensive framework for crypto-assets that fall outside existing financial-services legislation,[2] designed to harmonise rules across the internal market, while pursuing objectives traditionally associated with public regulation, including investor and consumer protection, market integrity and financial stability.[3] MiCAR does so in large part by placing crypto-asset service providers (CASPs) at the centre of its governance architecture. A CASP[4] is a legal person or other undertaking that is authorised and supervised as an intermediary that provides one or more crypto-asset services to clients on a professional basis, including custody and administration of crypto-assets, operation of trading platforms, exchange, execution of orders and transfers on behalf of clients.[5] In practice, CASPs set and enforce platform rules, monitor activity, restrict access, freeze, or limit the movement of assets, suspend trading and delist tokens, often in real time and on the basis of risk assessments that combine regulatory obligations and internal policies.[6] It is therefore plausible to say that these entities go beyond acting as technical conduits and participate in a form of private ordering with structurally quasi-public effects, a claim developed below.
Because CASPs control the infrastructure through which most users access crypto markets, their decisions can function as immediate constraints on market access and on effective enjoyment of asset-related interests. Crucially, these decisions often give rise to dispute’s origin, by unilaterally altering a client’s position through measures such as freezing assets, restricting transfers, suspending trading, or delisting a token.[7] The resulting conflict is then typically channelled into an internal process designed and administered by the CASP itself, with the provider acting simultaneously as rule-maker, investigator, decision-maker, and initial reviewer.[8] This concentration of functions is a familiar source of legitimacy concerns in public governance, yet it has received limited conceptual attention in the MiCAR context.
A useful way to sharpen these legitimacy concerns is to rely on the functional notion of quasi-public powers developed in the academic literature.[9] This is not to say that private actors become public authorities, but that, where public entities have a limited ability to interfere effectively in digital environments, certain private operators end up exercising powers that can be enforced autonomously, sometimes automatically, through the infrastructure they control and for which users often find few meaningful means of recourse, with redress mechanisms largely shaped by the provider itself. The idea of quasi-public power by digital platforms or services can be structure through a threefold that mirrors classic public functions:[10] private operators can exercise (1) a quasi-legislative function by unilaterally setting the rules of the environment; (2) a quasi-executive function by enforcing those rules through restrictions; and (3) a quasi-judicial function by resolving conflicts on a case-by-case basis, including through balancing competing interests. Once rulemaking, enforcement and dispute resolution are concentrated in a single actor, legitimacy questions usually associated with public governance become structurally relevant, even when the legal form remains private.
Read against MiCAR’s architecture, the parallel becomes difficult to ignore. CASPs effectively perform a quasi-legislative role when they define the operational rules and participation conditions that structure access to their services and to the liquidity they intermediate. They perform a quasi-executive role when those rules are enforced through self-executing measures inside the controlled infrastructure, such as freezes, transfer restrictions, suspensions and delistings. And they perform a quasi-judicial role to the extent that adverse decisions are contested through internal channels that the CASP administers, a design MiCAR expressly assumes by requiring CASPs to maintain complaints-handling procedures,[11] which are then further specified in the delegated technical standards on complaints handling.[12] In this framing, the quasi-public exercise of powers by CASPs does not describe a moral judgment about CASPs, but instead a governance structure. Once MiCAR places these intermediaries at the centre of market access and user protection, the central question is no longer whether such powers exist in practice, they clearly do. The question is what renders the exercise of those powers legitimate within an EU regulatory programme that pursued public objectives, while operating through private infrastructures.
By design, MiCAR ties the exercise of CASP power to a set of public-regulatory aims[13] and to specific organisational and conduct constraints.[14] This suggests that CASPs are not left to operate purely as private contractors, as they are authorised and supervised market actors, subject to duties that reach beyond pure disclosure and into how they must behave when dealing with clients. In particular, MiCAR requires CASPs to act honestly, fairly, and professionally in the best interests of clients and it imposes governance and conflicts-of-interests requirements that implicitly recognise the risk of self-serving decision-making in a setting where the provider both runs the infrastructure and benefits from it.[15]
Yet, these conduct and governance duties only perform a genuine legitimacy function if users have practical ways to react when a CASP takes an adverse decision. In practice, this may give rise to concerns regarding contestability and exit. Contestability, in this regard, covers whether a user can meaningfully contest a restrictive measure, obtain reasons, and secure a review capable of changing the outcome, while exit concerns whether the user can realistically move to another provider or whether infrastructure control and ecosystem dynamics make departure illusory.
Contestability under MiCAR starts inside the CASP, as the Regulation requires CASPs to maintain effective and transparent complaints-handling procedures and to investigate complaints in a timely and fair manner, while the delegated technical standards specify how this channel must operate in practice, including communication of outcomes and procedural discipline.[16] MiCAR also provides for complaint channels at the level of national competent authorities, with ESMA publishing links to those procedures.[17] Even so, the first response to a freeze, restriction, suspension, or delisting will typically be processed within the provider that imposed it, which keeps informational asymmetry and institutional self-review at the centre of the dispute. This is precisely where the EU principle and fundamental right to effective judicial protection becomes relevant. As a general principle of EU law anchored in Article 19(1) of the Treaty of European Union and developed by the Court of Justice, it presupposes that individuals have access to remedies and procedural guarantees that secure, at minimum: (1) the right of action, (2) the right to an independent and impartial tribunal, (3) the rights of defence, and (4) access to justice for those who lack sufficient resources.[18] In parallel, Article 47 of the Charter of Fundamental Rights of the European Union guarantees an effective remedy and a fair trial when EU-law rights and freedoms are at stake. In this perspective, procedural regularity cannot be reduced to the formal existence of a route to court, as it requires that the procedural set-up is materially capable of enabling the person affected to defend their rights effectively, in line with the Rule of Law commitments of Article 2 TEU. Read against this light, contestability under MiCAR cannot be viewed merely as a consumer service expectation. As a matter of fact, contestability becomes one of the practical conditions through which effective judicial protection is realised. If the decisive stage of review takes place internally, a user’s ability to obtain a meaningful remedy later depends on whether they can understand the measure they are facing (what was decided, on what basis, with what effects and for how long). Without intelligible reasons and clear terms, the right to be heard and the right to defence risk becoming hollow, because the affected person cannot frame a challenge, gather relevant evidence, or assess whether escalation to a competent authority or a court is warranted.
Exit is the second constraint. MiCAR does not create an EU-wide “ban” that automatically follows a customer from one CASP to another, nor does a delisting on one platform automatically remove an asset from the market as such. In practice, however, exit can be constrained when the initial CASP controls custody and transfers or when multiple platforms converge on similar risk assessments and replicate restrictions across the ecosystem. Therefore, exit constraints could also have a competition dimension. When liquidity and user access are concentrated in a small number of CASPs,[19] restrictive decisions may raise switching costs and, in cases of market power or coordinated behaviour, could engage EU competition-law concerns.
Once these two correctives are placed next to MiCAR’s reliance on intermediaries, the legitimacy question becomes sharper. If contestability is mostly internal and weak and if exit is practically constrained, then CASPs’ capacity to set rules, enforce them through infrastructure and review disputes within their own procedures begins to resemble a closed governance loop.
Nevertheless, this architecture is understandable from a regulatory standpoint. MiCAR is meant to create a harmonised EU framework that supports innovation and fair competition while pursuing objectives such as a high level of protection for retail holders and the integrity of crypto-asset markets.[20] Rather than attempting to regulate protocols as such (something that is hardly possible given the decentralised nature of the technology), the EU governs the market where accountability, supervision and enforcement are realistically available.
On the other hand, it is reasonable to recognise that now decentralisation often describes the technology itself more than the dominant patterns of use. The original Bitcoin white paper framed the core promise as enabling payments “directly from one party to another without going through a financial institution”.[21] Contemporary market practice frequently departs from that ideal, as many of the largest and most popular exchanges function as centralised intermediaries and, in practice, can negate the aim of decentralisation.[22] In that environment, relying on CASPs is less a rejection of decentralised technology than a pragmatic response to the fact that, for most users, access to crypto markets is mediated, concentrated and operationally governed through private infrastructures.
That choice of architecture, even if understandable, does not make the legitimacy question disappear. Once MiCAR relies on CASPs as the main points of access to liquidity, custody, execution and market participation, the moment when a CASP freezes assets, restricts transfers, suspends trading, or delists a token cannot be seen as a routine contractual event. Rather, it is experienced as a market-shaping intervention that is immediately effective because it is executed through infrastructure control and that often becomes the very source of the dispute the user is then forced to navigate.
If quasi-public powers are the possible solution, the corresponding responsibility cannot be ignored. MiCAR already sketches the legitimacy constraints that should travel with that power, namely conduct duties that exclude arbitrary treatment, organisational and conflicts-of-interest requirements that address self-serving incentives, operating rules that discipline platform intervention and mandatory complaints-handling that structures the first line of contestation. These are the conditions that keep the model from collapsing into a closed circuit where the same entity sets the rule, enforces it, and validates its own enforcement. In practice, this means that the credibility of MiCAR’s regulatory settlement depends on whether high-impact measures are intelligible and contestable. As the Rule of Law imposes, users must be able to understand what happened and why, restrictive measures should be time-bounded rather than indefinite by inertia, internal review must be capable of changing outcomes rather than merely confirming them and decisions should remain traceable for supervisory scrutiny and, where necessary, judicial review.
[1] For a complementary analysis of the MiCA Regulation, developed from a different perspective, see our post: Ana Filipa Ribeiro, “New digital manifestations of financial services and european integration: what benefits for the european citizen,” Official Blog of UNIO – Thinking and Debating Europe, April 25, 2024, accessed March 5, 2026, https://officialblogofunio.com/2024/04/25/new-digital-manifestations-of-financial-services-and-european-integration-what-benefits-for-the-european-citizen/.
[2] Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, CELEX:32023R1114, recital 6.
[3] European Securities and Markets Authority (ESMA), “Markets in Crypto-Assets Regulation (MiCA),” ESMA, last update February 23, 2026, accessed March 5, 2026, https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica.
[4] The definition can be found in Article 3(1)(15) of MiCAR.
[5] MiCAR clarifies that it applies to crypto-asset services and activities performed, provided, or controlled by natural or legal persons and certain other undertakings including when part of such activities or services is performed in a decentralised manner. Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within its scope. See Regulation (EU) 2023/1114, recital 22. Accordingly, purely self-custodial tools that do not safeguard or control clients’ assets and/or keys on their behalf and do not otherwise provide a listed crypto-asset service (as hardware wallets or non-custodial software wallets) will generally fall outside the CASP category, although the classification depends on the concrete functionality and business model.
[6] Regulation (EU) 2023/1114, article 76.
[7] Regulation (EU) 2023/1114, article 76(1)(b), (f), (g).
[8] Regulation (EU) 2023/1114, article 71.
[9] Giovanni De Gregorio, “From constitutional freedoms to the power of the platforms: protecting fundamental rights online in the algorithmic society,” European Journal of Legal Studies 11(2), (Spring 2019): 65-103, accessed March 5, 2026, https://cadmus.eui.eu/server/api/core/bitstreams/17922b19-9645-5935-901a-6b4b942e2682/content. See also Miguel Pereira, “Mapping the values of digital constitutionalism: guiding posts for digital Europe?”, UNIO – EU Law Journal 10 (2), (December 2024): 70-90, accessed March 2, 2026, https://revistas.uminho.pt/index.php/unio/article/view/6045/6907.
[10] De Gregorio, “From constitutional freedoms to the power of the platforms”, 85-89. Pereira, “Mapping the values of digital constitutionalism”, 75.
[11] Regulation (EU) 2023/1114, article 71.
[12] Commission Delegated Regulation (EU) 2025/294 of 1 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the requirements, templates and procedures for the handling of complaints by the crypto-asset service providers, Official Journal of the European Union L 2025/294 (February 13, 2025), accessed March 5, 2026
[13] An EU framework is needed “to foster innovation and fair competition” while ensuring “a high level of protection of retail holders” and “the integrity of crypto-asset markets”, as expressed in Regulation (EU) 2023/1114, recital 6.
[14] Regulation (EU) 2023/1114, articles 66, 67, 68, 70, 71 and 72.
[15] Regulation (EU) 2023/1114, article 66.
[16] Commission Delegated Regulation (EU) 2025/294, article 1(2).
[17] Regulation (EU) 2023/1114, article 108.
[18] Joana Covelo de Abreu, “Princípio da tutela jurisdicional efetiva”, in Enciclopédia da União Europeia, ed. Ana Paula Brandão et al. (Lisbon: Petrony, 2017), 329-32.
[19] On market concentration, ESMA reports that despite the large number of crypto-assets, both market capitalisation and trading activity remain significantly concentrated. See Malena Calissano, Filippo Giuglini, and Paul Reiche, “Crypto assets: market structures and EU relevance”, European Securities and Markets Authority TRV Risk Analysis, ESMA50-524821-3153, April 10, 2024, 9-10, accessed March 10, 2026, https://www.esma.europa.eu/sites/default/files/2024-04/ESMA50-524821-3153_risk_article_crypto_assets_market_structures_and_eu_relevance.pdf.
[20] It will not be discussed whether one agrees or disagrees with this approach, as that is not the scope of this article.
[21] Satoshi Nakamoto, “Bitcoin: a peer-to-peer electronic cash system”, October 31, 2008, 1, accessed March 9, 2026, https://bitcoin.org/bitcoin.pdf.
[22] Parma Bains, Arif Ismail, Fabiana Melo, and Nobuyasu Sugimoto, “Regulating the crypto ecosystem: the case of unbacked crypto assets,” FinTech Notes no. 2022/007 (Washington, DC: International Monetary Fund, September 2022), 18, accessed March 11, 2026, https://doi.org/10.5089/9798400221361.063.
Picture credit: by Alesia Kozik on pexels.com.
Author: UNIO-EU Law Journal (Source: https://officialblogofunio.com/2026/04/11/quasi-public-powers-in-private-crypto-governance-a-question-of-legitimacy/)
