2025-12-23
The Croatian Financial Services Supervisory Agency (HANFA) issued these guidelines to define good practices and organizational requirements for crypto-asset service providers (CASPs) under the MiCA Regulation. The document mandates robust internal control systems, including distinct risk management, compliance monitoring, and internal audit functions, while strictly regulating the externalization of services to prevent regulatory arbitrage and ensure effective oversight. It further establishes specific standards for ICT risk management, third-party due diligence, and the retention of critical in-house expertise to maintain market stability and investor protection.
Croatian Financial Services Supervisory Agency, 10000 Zagreb, Franje Račkoga 6, P.O. Box 164, Croatia t: 01 6173 200, f: 01 4811 507, e: info@hanfa.hr, OIB: 49376181407, MB: 02016419, w: www.hanfa.hr
Pursuant to Article 15(4) of the Act on the Croatian Financial Services Supervisory Agency ("Narodne novine", No. 140/05 and 12/12) and Article 47(7) of the Act on the Implementation of Regulation (EU) 2023/1114 on markets in crypto-assets ("Narodne novine", No. 85/24), the Croatian Financial Services Supervisory Agency, at the meeting of the Board of Directors held on 23 December 2025, adopts
GUIDELINES ON ORGANIZATIONAL REQUIREMENTS FOR CRYPTO-ASSET SERVICE PROVIDERS
Article 68(4) of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (hereinafter: MiCA Regulation) stipulates that crypto-asset service providers shall adopt policies and procedures that are sufficiently effective to ensure compliance with the aforementioned Regulation.
Article 20 of the Act on the Implementation of Regulation (EU) 2023/1114 on markets in crypto-assets ("Narodne novine", No. 85/24, hereinafter: MiCA Implementation Act) further specifies certain requirements for the management system of crypto-asset service providers.
Article 73 of the MiCA Regulation sets out certain requirements related to the outsourcing of services or activities for the performance of operational functions of crypto-asset service providers to third parties.
The European Securities and Markets Authority (ESMA) adopted the document Supervisory Briefing on Authorisation of CASPs under MiCA (ESMA75-453128700-1263) on 31 January 2025.
With the aim of the correct interpretation of the requirements set out in the cited regulations, in order to ensure uniform application and understanding of the relevant provisions, the Croatian Financial Services Supervisory Agency adopts these Guidelines, which elaborate in more detail on the requirements of the relevant regulation regarding the organizational requirements of crypto-asset service providers.
MiCA Regulation - Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.
MiCA Implementation Act - Act on the Implementation of Regulation (EU) 2023/1114 on markets in crypto-assets ("Narodne novine", No. 85/24).
HANFA - Croatian Financial Services Supervisory Agency.
Company - a crypto-asset service provider referred to in Article 59(1) of the MiCA Regulation to which HANFA issues a license for operation in accordance with the MiCA Implementation Act.
Unless otherwise stated, other terms used in these Guidelines have the meaning defined in the MiCA Regulation and the MiCA Implementation Act.
With the aim of defining good practices and the correct implementation of obligations related to the organizational requirements of crypto-asset service providers, these Guidelines further clarify and elaborate on the requirements of the relevant regulation regarding the internal control system of crypto-asset service providers and requirements related to the outsourcing of services or activities for the performance of operational functions of crypto-asset service providers to third parties, in the context of providing crypto-asset-related services.
The purpose of the Guidelines is to create good practices and eliminate bad business practices, as well as to support HANFA in the development of the crypto-asset market in a manner that ensures the stability of the operations of crypto-asset service providers, as well as an appropriate level of protection for the interests of investors in crypto-assets.
The Guidelines apply to crypto-asset service providers referred to in Article 59(1) of the MiCA Regulation to which HANFA issues a license for operation in accordance with the MiCA Implementation Act. Other crypto-asset service providers apply organizational requirements as prescribed by sectoral regulations governing the business of those entities.
The Company's internal control system includes the functions of risk management, compliance monitoring, and internal audit.
Companies should ensure that responsibility for the functions of risk management, compliance monitoring, and internal audit permanently rests with the Company, which is responsible for monitoring its own non-compliance risks.
The combination of the risk management or compliance monitoring function with the internal audit function may be used only in exceptional cases, if the Company can demonstrate that this does not significantly impair their effectiveness and independence.
For smaller Companies or Companies of lower risk profile, the risk management and compliance monitoring functions may be combined if their separate establishment would be disproportionate to the scope and complexity of their business activities, provided that this does not significantly impair their effectiveness and independence.
Companies should ensure that the Company's internal control system enables the appropriate identification, assessment, and mitigation of money laundering and terrorist financing risks.
The internal control system should include a well-defined structure together with clear roles and lines of responsibility. At least one member of the management board must be responsible for the operation, maintenance, and monitoring of the risk management, compliance monitoring, and internal audit functions to ensure effective oversight of these functions. An appropriate division of duties should be established to ensure that conflicting tasks and activities are not assigned to the same person or function.
The internal control system should cover the entire organization, covering the activities (including regulated activities) of all business lines and internal units. The internal control system should also cover activities that have been outsourced to external providers to ensure that appropriate controls and oversight are applied to business process outsourcing arrangements.
Companies should establish comprehensive policies and procedures for compliance monitoring, internal audit (if necessary), and risk management, including assigned roles and responsibilities and internal policies/procedures. These policies and procedures must include provisions for periodic reviews and updates when necessary to reflect changes in the regulatory environment and business processes.
The Company's policies, procedures, and processes should ensure the submission of written reports on risks, compliance, and internal audit findings to the management at least once a year, and as necessary more frequently (ad hoc). Companies should establish mechanisms to ensure that annual internal control reports are submitted to the Company's supervisory board, where applicable.
4.1. Risk Management Framework
The risk management framework should include comprehensive policies and procedures, define the Company's risk appetite, and establish limits and controls to ensure the effective and continuous identification, measurement, assessment, monitoring, management, mitigation, and reporting of risks, as well as the review of the risk management framework itself.
The risk management framework should contain:
Roles and responsibilities: Companies should designate key personnel, including risk managers, compliance officers, and internal auditors (if necessary), each with specific duties and responsibilities. Risk owners should be clearly defined for the management of specific identified risks, implementation, and maintenance of appropriate risk controls. The responsibilities of the risk management and internal audit functions should also be clearly defined. Sufficient employees should be ensured within the Company for effective management and oversight of outsourcing risks.
Definition of risk appetite: Companies should have a clearly defined risk appetite, which reflects the level of risk the Company is willing to accept in accordance with its strategic objectives. This appetite can be defined in terms of risk tolerance thresholds and acceptable levels or risk limits.
Risk identification: Risk identification should cover not only integrity risks (such as the prevention of money laundering, terrorist financing, and fraud), but also ICT, operational, market, legal, and compliance risks, conflicts of interest, and other relevant risks arising from all intended crypto-asset-related services. The risk identification process should address risks at different levels, including individual business lines and the Company as a whole, as well as outsourced activities. Companies should maintain a risk register to systematically record identified risks and the measures taken to manage and mitigate them.
Risk assessment: Companies should establish detailed approaches for risk assessment, including qualitative and quantitative methods. These methodologies may include risk matrices, scenario analysis, or stress testing and statistical models to ensure comprehensive assessment. Risks should be categorized into different levels, such as high, medium, or low, based on their nature and impact. Companies should develop and use quality risk management tools.
Risk management: Companies should develop specific measures and risk mitigation strategies to reduce or control risk exposure. For each individually identified risk, Companies should develop targeted measures aimed at reducing the likelihood or impact of that specific risk, along with the appointment of a risk owner who has the authority and sufficient knowledge in the field of risk management.
Monitoring and reporting: Companies should implement systems and processes for continuous monitoring of risk management activities. The risk management framework should include procedures for regular reporting on the status of risks and risk management activities to the Company's management. Reporting to the Company's management should also include proposed appropriate measures for risk mitigation.
Review: Companies should conduct a comprehensive assessment of the risk management framework at least once a year. This assessment should evaluate the effectiveness, relevance, and adequacy of the framework in addressing new risks in accordance with the Company's risk strategy and risk appetite. The scope of the assessment should include a review of key risk management processes, controls, and procedures, as well as feedback from relevant stakeholders. Furthermore, the assessment should take into account any significant changes in the operational environment, regulatory requirements, or risk profile to determine whether adjustments are necessary.
4.2. Compliance Monitoring Function
The compliance monitoring function should ensure that the Company adheres to external and internal rules. A strong, independent compliance monitoring function can mitigate risks associated with illegal behavior, money laundering, and other forms of non-compliance.
The compliance monitoring function should have the following:
Roles and responsibilities: The compliance monitoring function should have adequate authority and clear working arrangements with other stakeholders. The compliance monitoring function should, for example, be involved in key strategic decision-making such as the choice of cooperation with third parties and the selection of crypto-assets for which services will be provided. The compliance monitoring function should have sufficient independence, capacity, and competencies to fulfill its tasks. Companies should appoint at least one person for the compliance monitoring function (compliance manager or compliance officer). Exceptionally, where the appointment of a dedicated compliance manager/compliance officer is clearly not proportional to business activities, this role may be combined with the risk management function.
Compliance plan: Companies should adopt annually updated plans with appropriate activities of the compliance monitoring function in view of the nature, scope, and complexity of business activities. The compliance monitoring function should have sufficient authority and appropriate resources to perform these activities.
Monitoring and reporting: The compliance monitoring function identifies, assesses, advises, monitors, and reports on the Company's compliance risk. The compliance monitoring function should use quality compliance monitoring tools. The compliance monitoring function should submit regular reports, at least to the Company's management, and there should be an escalation procedure that allows for reporting to the Company's supervisory board where applicable.
Evaluation: Companies should periodically (at least annually, or whenever there is a significant change in the composition and/or structure of the function) assess whether the compliance monitoring function is effective and whether any adjustments are needed going forward.
5. Externalization
5.1. Basic principles/minimum standards
Outsourcing arrangements should not involve the delegation of functions/services to such an extent that the Company is reduced to a "letter-box entity".
For the assessment of third-party risks related to information and communication technology (ICT), Companies should respect the requirements of the DORA Regulation.
Outsourcing to jurisdictions where HANFA could not obtain information from the entity to whom the business is outsourced is not in accordance with Article 73(1)(d) of the MiCA Regulation.
Companies should be able to demonstrate effective control over activities that have been outsourced to external contractors. Among other things, this should be demonstrated by a sufficient number of employees, proportionate to the level of outsourcing, who possess the skills and experience needed to effectively manage and oversee outsourcing risks within the Company.
In cases where Companies intend to entrust functions/services to entities within the same group, the Company must conduct a thorough analysis and ensure that the selection of the group entity is based on objective reasons. Outsourcing to entities within the group should not significantly affect the Company's ability to make autonomous decisions regarding its own activities. The best interest of the Company's activities should be paramount; those activities should not be adapted to benefit other group entities to whom the service is outsourced.
5.2. Ensuring that externalization does not result in delegation of the Company's responsibility
(Article 73(1)(a) of the MiCA Regulation)
To ensure that externalization does not result in delegation of responsibility by the Company, Companies should consider:
Services/activities that are outsourced and their criticality for the functioning of the Company (Companies should apply the DORA Regulation where this involves ICT services).
The level of control the Company can exercise over the entities with which it collaborates. Where such control is limited to such an extent that the Company is unable to effectively supervise the outsourcing of the service or is unable to manage the risks associated with outsourcing, Companies should not accept such an arrangement.
Jurisdictions to which the business is outsourced and the extent to which they prevent the regulator from exercising its supervisory powers (in relation to Article 73(1)(d) of the MiCA Regulation).
Whether the entities to whom the business/activities are outsourced subcontract these services/activities for critical and important operational functions provided to the Company. In that case, there may be a greater risk of inadequate oversight and control at the Company level.
Whether Companies have a clear understanding of sub-outsourcing. To ensure good visibility of the entire chain, the outsourcing contract should ensure that the Company is aware of sub-outsourcing and has control over it.
There is a risk that a single person does not have sufficient knowledge, experience, and time to effectively monitor a wide range of outsourced services/functions. Companies should therefore critically consider whether to assign the monitoring of a series of outsourced functions to one person, and should ensure that doing so does not create additional risks for the stability or continuity of services, or for the protection of investors and market integrity.
5.3. Ensuring that externalization does not prevent the performance of HANFA's supervisory functions
In some cases, outsourcing to an entity from a third country may require the prior signing of a cooperation agreement between HANFA and the supervisory authority of the third country.
Companies must meet management requirements and must effectively control activities that have been entrusted to external contractors or outsourced. This includes possessing the technical knowledge needed to request changes, monitor implementation, and assess service quality. In other words, persons directly employed by the Company and responsible for specific activities entrusted to external contractors should have sufficient knowledge and expertise in those activities to enable effective monitoring and control.
HANFA must have effective access to all relevant data and business premises related to activities entrusted to external contractors or outsourced.
5.4. Externalization of very critical functions
Certain activities of the Company, such as internal control, IT control, risk assessment, compliance monitoring, key management, and some other very critical functions, require special control. Although certain elements of such activities may be entrusted to external collaborators, entrusting these activities to external collaborators is not acceptable if it jeopardizes the Company's activities and effective oversight by HANFA.
5.5. Handling of off-shore personnel
The use of off-shore personnel is acceptable to a certain extent, but may potentially impair the Company's ability to ensure continuity and regularity in the performance of its crypto-asset-related services. When hiring off-shore personnel, the Company should take into account limitations and potential risks depending on the roles of off-shore personnel and/or concentration of such personnel in specific functions.
In any case, the use of off-shore personnel should not:
• prevent the performance of HANFA's supervisory functions;
• prevent HANFA from having quick access to relevant information;
• prevent the management from exercising effective control over off-shore personnel;
• undermine the Company's ability to operate continuously and regularly.
These Guidelines are published on HANFA's website and enter into force on the date of publication.
CLASS: 011-01/25-08/01 REF NO: 326-01-70-72-25-9
Zagreb, 23 December 2025
CHAIRMAN OF THE BOARD OF DIRECTORS dr. sc. Ante Žigman