← Back to the blog
The Investor's MiCA Due Diligence Guide for Web3 Game Studios
Before backing a Web3 game studio, you need to know whether it can legally operate in the EU. The short answer: most cannot. Our studio-by-studio check of 36 notable Web3 game developers against the ESMA CASP register in June 2026 found that not one of them appeared on the register. Zero of 36. The register was verified directly against ESMA’s Article 109 CSV files, downloaded June 20, 2026. This is not a small-sample anomaly. It is a strong indication of the baseline condition across the industry.
That result matters for your investment thesis regardless of where the studio is domiciled, how large it is, or what blockchain it runs on.
What you'll learn
- Zero of 36 notable Web3 game studios appear in the ESMA CASP register — a strong indication of the baseline condition across the industry.
- MiCA exposure affects EU market access, payment processor relationships, enforcement risk, and exit valuation.
- Five questions to run before closing: ESMA register status, which token mechanics trigger CASP, custody and marketplace presence, grandfathering window by jurisdiction, and compliance runway.
- A studio with no register entry, no application, and no infrastructure arrangement carries open-ended regulatory liability that survives any clean-round qualification.
The compliance gap most investors are ignoring
MiCA’s transitional period (Article 143(3)) expired entirely on July 1, 2026 for the final group of EU jurisdictions. Several member states with shorter transitional periods (Germany at 12 months, Sweden at 9 months, the Netherlands, Finland, and others at 6 months) already hit their deadlines in 2025. After July 1, any entity providing crypto-asset services to EU clients without a CASP authorisation is in breach of EU law and must cease those services. ESMA confirmed this in a formal statement on April 17, 2026 and again in a public statement on June 23, 2026.
The compliance gap is not a future risk. It is the current state of the market.
The 36 studios checked span the full range of the industry: flagship titles with millions of active players, EU-domiciled companies with no reverse-solicitation exemption available to them, and studios across every major chain and infrastructure stack. The register absence is not explained by studio size, jurisdiction, or chain choice. It is an industry-wide pattern.
For investors, this creates a category of unpriced risk sitting inside almost every Web3 gaming deal.
What MiCA exposure means for your investment thesis
MiCA exposure affects a studio’s investment profile across four dimensions.
EU market access. A studio that cannot legally serve EU players after July 1, 2026 must either obtain a CASP licence, operate under a licensed third party’s infrastructure, or geo-block the EU. Studios that can serve EU players compliantly have a structural advantage over those that cannot.
Commercial counterparty risk. Regulatory non-compliance does not require a regulator to act before consequences arrive. Payment processors, on-ramps, and banking partners cut off unlicensed counterparties on their own compliance schedules. App stores can remove non-compliant apps. B2B infrastructure providers geo-block. The enforcement that matters arrives through commercial relationships, not just fines, and it arrives faster.
Enforcement penalties. Fines under MiCA Article 111 can reach up to €5 million or 5% of annual global turnover, whichever is higher, for providing services without authorisation. Criminal liability applies in several member states (France carries up to two years’ imprisonment under Article L.572-23 of the Code monétaire et financier). An unremediated regulatory breach on the books creates a liability that survives any clean-round qualification argument.
Exit risk. An acquirer’s legal team will surface unresolved regulatory exposure in due diligence. A studio with open MiCA liability is harder to exit at full value, whether the buyer is a publisher, a fund, or a strategic acquirer.
The five-question due diligence checklist
Run these five questions against any Web3 gaming company before closing a deal.
1. Does the studio appear in the ESMA CASP register, or is it actively in a licensing process?
The ESMA register is publicly accessible and searchable by company name via the Article 109 CSV files at esma.europa.eu. A studio that does not appear in the register and has not filed a CASP application with its national competent authority is operating unlicensed.
There is an important nuance: a studio with a pending application filed before the relevant national deadline may in some jurisdictions continue operating while the application is under review. The specifics depend on how each member state implemented the transitional regime. A studio claiming to be “in the process” should be able to name the NCA it applied to, the date of filing, and the status of the application.
2. Which token mechanics in the game trigger CASP requirements?
The CASP trigger is not blockchain use generally. It is the specific service the studio provides to players. Four mechanics create CASP exposure: operating a player-to-player marketplace, custodying player wallets, selling tokens or items directly for fiat, and controlling the withdrawal mechanism that moves tokens to external wallets. A studio can have on-chain assets without triggering any of these (for example, issuing NFTs that trade on third-party platforms the studio does not operate). The diligence question is whether the studio provides any of the listed services, not whether the game uses blockchain technology.
3. Does the studio custody wallets or operate a marketplace?
These are the two most common CASP triggers and the hardest to remediate without changing core product mechanics. A studio operating a fee-taking in-game marketplace is providing a Class 3 service (operating a trading platform, €150K capital requirement). A studio custodying player wallets is providing a Class 2 service (custody and exchange, €125K capital requirement). Classes are cumulative under MiCA Annex IV: if both are present, the studio needs a licence covering both service categories, and the capital requirement is set by the highest class triggered.
For custody specifically: when a studio integrates a third-party embedded wallet SDK, the custody question typically sits with the wallet vendor, not the studio. But the vendor’s compliance posture matters directly. Our ESMA check found that major infrastructure operators also do not appear in the register. A studio that has outsourced its regulatory fate to an unlicensed infrastructure provider has not solved the problem.
4. What is the studio’s compliance runway, and has the grandfathering period ended for its jurisdiction?
Transitional grandfathering under Article 143(3) expired at different dates by country. Per the official ESMA list (updated May 2026): Germany expired after 12 months (December 2025), Sweden after 9 months (September 2025), and the Netherlands, Finland, Poland, Hungary, Latvia, and Slovenia after 6 months (June 2025). France, Spain, Malta, Cyprus, Luxembourg, and most other EU/EEA states chose the full 18-month period, which expired on July 1, 2026. A studio domiciled in any of these jurisdictions that has not filed for a CASP authorisation or secured infrastructure under a licensed umbrella is now non-compliant.
For non-EU-domiciled studios (US, Singapore, South Korea), the analysis is different. The reverse-solicitation exemption under MiCA Article 61 theoretically allows passive access from third-country firms if the EU client initiated the relationship without being solicited. But ESMA’s April 17, 2026 statement is explicit: entities established outside the EU are “not permitted to provide crypto-asset services that qualify as MiCA services to EU investors or to solicit EU clients with a view to provide MiCA services to them.” Active marketing, EU-language materials, or EU-targeted advertising undermines the reverse-solicitation defence.
5. Does the studio have a compliance infrastructure partner, or a credible in-house plan?
The cost and timeline of self-application (€500K to €1M in first-year costs, 6 to 12 months to authorisation) means most studios will need an infrastructure partner rather than a standalone CASP application. The question is whether the studio has a concrete arrangement in place or is planning to build in-house without having scoped the cost.
| Studio size | Initial CASP compliance cost |
|---|---|
| Small (under 10 staff) | €50K – €150K |
| Medium (10–50 staff) | €150K – €500K |
| Large (50+ staff) | €500K – €2M |
A studio with no plan, a vague intent to “become compliant”, or an assumption that enforcement will be slow is carrying open-ended regulatory liability. A studio with a signed infrastructure agreement with a licensed or licence-pending provider, a written legal opinion on its compliance structure, and a defined timeline for achieving authorisation is in a materially different position.
What “compliant by Genesis Engine” means as an investment signal
Triolith is building the licensed infrastructure that lets game studios operate marketplace, custody, payment, and transfer services under a CASP-compliant umbrella without obtaining their own licence. The model is a single API integration with no upfront fees. Triolith absorbs the regulatory obligations, and the studio operates on compliant rails from day one.
For investors evaluating Web3 gaming companies, a studio that is committed to operating on Genesis Engine’s rails has addressed the primary compliance risk that applies to most of the sector. The studio does not need its own licence. It does not need to staff an AML function or lock capital reserves. It operates under Triolith’s perimeter.
The practical due diligence implication: a studio with no current CASP status and no compliance infrastructure arrangement is carrying a contingent liability that will limit its EU market access, complicate future raises, and surface in any exit process. Requiring a clear compliance path as a condition of investment is not an unusual ask. It is the same standard applied to any regulated-market business.
The bottom line for investors
The EU’s MiCA regulation sets a clear bar: after July 1, 2026, serving EU players with crypto-asset services requires a CASP authorisation or an arrangement with a licensed infrastructure provider. The ESMA register check confirms that not one of 36 notable studios currently meets that bar. That gap is either a risk or an opportunity, depending on which side of it your portfolio companies sit.
The questions above give you a framework for placing each company. A studio in the register, or credibly in the process with a named NCA and a filed application, has addressed the primary risk. A studio with no register entry, no application, no infrastructure arrangement, and no concrete plan has not.
The compliance infrastructure market for Web3 gaming is genuine white space. No off-the-shelf licensed alternative currently exists for game studios specifically. For investors, the actionable question after due diligence may not be whether a given studio faces MiCA exposure, but whether there is a licensed infrastructure provider in the portfolio that benefits from the whole sector’s compliance need.
FAQ
How do I check if a Web3 game studio has a CASP licence?
Search the ESMA CASP register directly via the Article 109 CSV files published at esma.europa.eu. The register is updated as authorisations are granted and lists all licensed CASPs by company name and jurisdiction. A studio not appearing in the register has not received authorisation. If a studio claims to have a pending application, ask for the name of the national competent authority it filed with and the date of submission.
Does MiCA apply to game studios based outside the EU?
Yes, if they actively serve EU players. MiCA applies to any entity providing crypto-asset services to EU clients, regardless of where the entity is based. The reverse-solicitation exemption under Article 61 is narrow — it applies only when the EU client initiates contact without any solicitation. Active marketing, EU-language storefronts, or EU-targeted advertising undermines that defence. ESMA’s April 17, 2026 statement confirmed that third-country firms cannot solicit EU clients for MiCA-qualifying services.
What is the realistic cost of a Web3 game studio becoming MiCA compliant?
For a studio applying for its own CASP licence, first-year costs run €500K to €1M, covering legal fees, compliance infrastructure, AML/CFT staffing, and capital reserves (€50K to €150K depending on licence class). The alternative is operating under a licensed infrastructure provider, which eliminates the upfront authorisation cost and capital lock-up. Most small-to-mid studios will find the infrastructure partner route significantly cheaper than self-application.
What MiCA compliance questions should I ask before closing an investment?
Five questions cover the main exposure: Does the studio appear in the ESMA CASP register? Which specific game mechanics trigger CASP requirements? Does the studio custody wallets or operate a marketplace? Has the grandfathering period for the studio’s jurisdiction already expired? And does the studio have a concrete compliance path — either a filed application or a signed arrangement with a licensed infrastructure provider? A studio that cannot answer all five clearly carries unresolved regulatory liability.
— Magnus
All posts