The phrase "MiCA pentest requirements" shows up in roughly half of our scoping calls with crypto exchanges, custodians, and stablecoin issuers preparing for European authorisation. The honest summary: MiCA itself does not write the pentest playbook. It relies on the broader EU ICT-risk framework, anchored by DORA, with the PSAN regime in France adding ANSSI-aligned specifics. This piece walks through what that actually looks like in practice.
Where the requirement lives
There is no single MiCA article that says "run a pentest." The compliance bar is built from three overlapping sources:
- MiCA Article 9 and the related Level-2 / Level-3 measures: CASPs must maintain "robust" ICT systems, business continuity arrangements, and tested incident response. The detail is left to DORA.
- DORA Articles 24–27: this is where the testing programme is defined.
  - Article 24: ICT risk-based testing programme covering all relevant ICT systems and applications.
  - Article 25: vulnerability assessments and pentests at least annually on systems deemed relevant to the firm's risk profile.
  - Article 26: threat-led penetration testing (TLPT) for entities classified as significant, every three years, following a TIBER-EU-aligned methodology.
  - Article 27: requirements for the testers themselves (independence, certifications, methodology documentation).
- National regimes (France's PSAN, Germany's BaFin, others): these layer additional national-supervisor expectations on top of MiCA + DORA. In France in particular, the AMF aligns with ANSSI technical guidance for PSAN-approved firms.
The practical effect: every CASP under MiCA needs an annual pentest cadence, with documented methodology and an attestation usable by their national competent authority. Significant entities additionally need TLPT every three years.
"Vulnerability assessment" vs "TLPT": what each means
These are not the same exercise, and they are not interchangeable in the eyes of supervisors.
A vulnerability assessment under DORA Article 25 is closer to what most teams already call a pentest: scoped, time-boxed, looking for exploitable weaknesses across in-scope systems. Methodology is documented; findings are ranked; remediation is tracked.
A threat-led penetration test (TLPT) under Article 26 is a different beast. It is intelligence-led, simulating the tactics of a specific threat actor against a wider scope of production systems, often with red-team and purple-team components. It is more expensive (often 5–10× a standard pentest), takes longer (months, not weeks), and follows the TIBER-EU framework if the firm operates in jurisdictions that adopted it.
Most CASPs are not classified as "significant" entities and will only need vulnerability assessments. Significant CASPs (the largest exchanges and stablecoin issuers) need both.
What your supervisor expects to see
A CASP's compliance file for ICT testing should contain:
- A documented testing programme: scope, frequency, methodology, ownership.
- Most recent vulnerability assessment / pentest report: scope statement, methodology, findings ranked by severity, remediation status, re-test results.
- An attestation letter from the testing provider: independence statement, qualifications of the lead tester, dates, executive summary.
- A risk treatment plan: which findings were accepted as residual risk, with sign-off at the right governance level.
- Evidence of remediation: tickets closed, fixes deployed, re-tests passed.
- For TLPT-bound entities: the threat intelligence brief, the test plan validated with the supervisor, the post-test debrief.
The mistake most teams make is treating the pentest as the deliverable and the file as administrative housekeeping. From the supervisor's perspective, the file is the deliverable. A great pentest with a missing attestation letter looks weaker than an average pentest with a clean file.
How often, and on what scope
MiCA + DORA expects:
- At least annually for vulnerability assessments on relevant systems. "Relevant" means anything customer-facing, anything in the trade execution path, custody systems, signing infrastructure, admin panels, and the supporting cloud / network infrastructure.
- After every material change: a new chain integration, a new custody architecture, a major API revision, an acquisition. "Material" is interpreted by your supervisor: when in doubt, scope a targeted re-test.
- Every three years for TLPT, for significant entities.
In practice, a credible cadence for a typical PSAN-approved exchange looks like:
- Annual full-scope pentest of platform + APIs + custody-adjacent infrastructure.
- Targeted re-tests after each major release.
- Continuous wallet surveillance on operational and custody addresses (not strictly mandated by MiCA, but the kind of evidence supervisors increasingly expect).
- A documented incident response plan with tested escalation paths.
What this costs
Compliance pentests are priced higher than a standard pentest of the same surface. The premium pays for:
- Methodology documentation aligned with DORA Article 25 / 26.
- The attestation letter and the supporting evidence package.
- Post-engagement support during supervisor review (responding to follow-up questions, re-running specific tests).
- Independence from the firm's existing security vendors.
For a typical PSAN-registered exchange, expect $30k–$80k for an annual compliance pentest, depending on platform complexity. Significant entities running TLPT should budget $150k–$500k+ per cycle.
Why this matters beyond compliance
The teams we work with that treat the MiCA pentest as box-ticking get the worst of both worlds: a meaningful security spend that doesn't actually improve their security posture. The teams that scope the engagement as a real pentest first, with the compliance documentation packaged around it second, get genuinely safer systems and a defensible file. The marginal cost of doing it right is small; the cost of doing it wrong is finding out at the same time as your regulator.
If you are scoping a pentest for MiCA, DORA or PSAN compliance, book a scoping call and we can walk through the file you'll need before any testing starts.