.svg)
In refusing to approve the applications of firms it deems to have insufficient presence in the country, the Danish Financial Supervisory Authority (FSA) has taken a stand against regulatory shopping.
The announcements in early May 2026 that the FSA would not be granting crypto-asset service provider (CASP) licences under the Markets in Crypto-Assets (MiCA) Regulation to Fuse Loyalty and BigeDirect on the grounds that neither has effective management based in Denmark signal that the regulator does not intend to allow firms to use the country as a gateway to the EU without a concrete local presence.
Given that MiCA is a relatively new framework, the rejections are among the earliest high-profile examples of an EU regulator formally denying a CASP license application to operational virtual asset service providers (VASPs).
Both Fuse Loyalty and BigeDirect had been operating under Denmark’s transitional VASP rules and had to stop operations immediately after their CASP licence applications were refused.
The FSA noted in its statement on BigeDirect that it was rejecting the firm’s application under Article 63(10)(d) of MiCA, which requires a CASP to have its registered office and “place of effective management” in the member state where it applies for authorisation.
It added that it was not satisfied that decision-making authority was exercised from Denmark, or that BigeDirect actually wanted to operate the company from the country.
The regulator similarly stated that Fuse Loyalty had not documented adequate presence in Denmark, as the majority of the company’s management resides outside the country.
It also noted that Fuse Loyalty had insufficient competencies and measures over its outsourced activities. This highlights a critical intersection between MiCA and the Digital Operational Resilience Act (DORA).
Under MiCA, regulators are required to ensure that CASPs have robust ICT and operational risk frameworks. If a crypto firm relies heavily on a parent company abroad, a white-label technology provider or third-party liquidity providers, regulators expect the local entity to have absolute oversight.
Similarly, under DORA, the local EU-regulated entity is legally accountable for ensuring security and resilience. If the Danish entity lacks local “ownership” of its IT risk management, it cannot be compliant, which may lead to the rejection of its MiCA application.
The importance of being local
Although the Danish FSA has taken a relatively early stand on local presence, it is unlikely to be an outlier in terms of rigour or attitude.
The European Securities and Markets Authority (ESMA) has issued clear guidelines urging national regulators to prevent “regulatory shopping”, in which a firm seeks out the weakest link in the EU chain to get a passport.
Its guidance states: “Home NCAs [national competent authorities] should verify the decision-making powers and presence of executives and senior managers in the Member State. The burden of proof lies on CASPs. NCAs should be convinced that decision making does not lie elsewhere.”
Other member states are therefore likely to share Denmark’s position that applicants must clearly demonstrate an established presence in the jurisdiction rather than merely use it as a gateway to access the EU market.
Key steps to demonstrating this local presence include showing that senior management and compliance officers are residents of the country and actively work out of the local office, and that board meetings and strategic decisions physically occur within the jurisdiction.
Firms that set up shop in one member state but target their marketing and services at another, with no local focus, risk regulators concluding that the local office is a shell.
It should be becoming clear that firms cannot simply hire a nominee director or rent a virtual mailbox in a member state to gain a passport to the rest of the EU.
