ESMA July 2025 Guidelines on Crypto Market Abuse: What Changes for CASPs

ESMA published its final guidelines on market abuse supervision under MiCA in July 2025. Here is what they change in practice for CASPs: surveillance systems, STOR handling, NCA expectations, and on-chain monitoring.

By Seqlense · 2026-02-25 09:00:00 · #ESMA #MiCA #market abuse #CASP #STOR #on-chain surveillance #crypto compliance #PPAETs

On July 9, 2025, the European Securities and Markets Authority published its final Guidelines on supervisory practices to prevent and detect market abuse under MiCA (reference: ESMA75-453128700-1039). These guidelines formally entered into application shortly after publication.

While the document is technically addressed to National Competent Authorities (NCAs) — the AMF, BaFin, AFM, CySEC and their peers — the implications for Crypto-Asset Service Providers are direct and significant. NCAs are now expected to assess whether your market abuse detection systems meet the standards ESMA has defined. If they do not, you are exposed during licensing reviews, supervisory inspections, and enforcement proceedings.

This article breaks down all 12 guidelines and translates them into concrete obligations and action items for compliance teams.

Context: Why ESMA Published These Guidelines
Scope: Who Is Directly Affected?
The 12 Guidelines — Full Breakdown
What NCAs Will Now Look For During Inspections
The STOR Framework Under the Guidelines
On-Chain and Off-Chain Surveillance: ESMA's Expectations
Cross-Border Challenges and Third-Country CASPs
Gap Analysis: Are You Compliant?
How Seqlense Aligns With These Guidelines

1. Context: Why ESMA Published These Guidelines {#context}

MiCA Article 92(3) explicitly mandated ESMA to issue guidelines on supervisory practices for NCAs within 24 months of the regulation entering into force — a deadline of June 30, 2025. ESMA met this deadline with the July 2025 publication.

The need for these guidelines reflects a structural challenge: crypto market abuse is fundamentally different from traditional securities market abuse. Traditional MAR supervision was built around centralised exchanges with standardised order books. Crypto markets are:

Fragmented across hundreds of CEX and DEX venues simultaneously
Borderless — manipulation schemes routinely span multiple jurisdictions
On-chain — significant activity occurs directly on public blockchains, outside any regulated venue
24/7 — markets never close, which strains human surveillance capacity
Influenced by social media — coordinated pump-and-dump campaigns are often orchestrated on Telegram, Discord, or X before any price movement appears on-chain

The guidelines acknowledge all of these specificities and build a supervision framework designed to address them. Critically, they also create convergence expectations — NCAs are expected to develop a common supervisory culture, meaning the AMF and BaFin should assess CASPs using broadly consistent standards.

2. Scope: Who Is Directly Affected? {#scope}

The guidelines apply to NCAs as defined in Article 3(1)(35) of MiCA. But in practice, they define the standards against which your market abuse detection systems will be evaluated.

The key category is PPAETs — Persons Professionally Arranging or Executing Transactions. ESMA confirmed in its delegated regulations that the following CASP services fall within this definition:

CASP Service	PPAET Status
Operating a trading platform	Yes
Executing orders on behalf of clients	Yes
Receiving and transmitting orders	Yes
Managing crypto-asset portfolios	Yes
Exchange of crypto-assets for fiat	Yes
Exchange of crypto-assets for other crypto-assets	Yes
Custody and administration	No (not a PPAET, but other MiCA obligations apply)
Transfer services	No (not a PPAET)

If your entity falls into any of the PPAET categories above, Guideline 9 applies directly to you: NCAs will assess whether your systems are adequate.

3. The 12 Guidelines — Full Breakdown {#twelve-guidelines}

General Principles (Guidelines 1–7)

Guideline 1 — Proportionality

NCAs must calibrate their supervisory intensity to the risk profile of each entity. Larger platforms with higher volumes, more complex products, and broader geographical reach will face more intensive scrutiny. Smaller CASPs — such as a simple Bitcoin DCA service — will be subject to proportionate oversight.

What this means for you: Proportionality cuts both ways. A large exchange cannot hide behind a 'we are new to this' argument. A small CASP cannot simply copy-paste a surveillance policy from a large peer without adapting it to its actual risk profile.

Guideline 2 — Risk-Based and Forward-Looking Approach

NCAs should anticipate emerging manipulation tactics rather than only reacting to known patterns. ESMA explicitly highlights MEV (Maximal Extractable Value), DeFi-specific manipulation, and social media-coordinated schemes as forward-looking risk areas.

What this means for you: Your surveillance ruleset should not be static. ESMA expects systems capable of detecting new manipulation patterns as the market evolves — not just the classic wash trading and spoofing scenarios.

Guideline 3 — Integration of MAR Experience

Before introducing new crypto-specific tools, NCAs should leverage existing expertise from traditional market abuse supervision under MAR. The conceptual frameworks of insider trading, market manipulation, and unlawful disclosure are directly transferable.

What this means for you: If your compliance team has traditional capital markets experience, that background is directly applicable to MiCA market abuse obligations. The terminology and conceptual framework are largely the same.

Guideline 4 — Common Supervisory Culture

NCAs must share experiences, pool tools, and develop consistent approaches. ESMA is the coordinating body. This guideline directly targets the risk of regulatory fragmentation — where a CASP gets an easy ride from one NCA and a tough inspection from another.

What this means for you: You cannot rely on regulatory arbitrage by choosing a lenient licensing jurisdiction. As supervisory culture converges, the AMF and BaFin will apply increasingly similar standards.

Guideline 5 — Human Resources and Specialist Training

NCAs should build dedicated crypto surveillance teams with specific expertise in blockchain technology, DeFi mechanics, and on-chain analytics. ESMA recommends participation in EU-level initiatives such as the EU Securities and Financial Regulators (EU-SDFA) network.

What this means for you: As NCA staff become more technically sophisticated, the bar for what constitutes an "adequate" detection system will rise. Systems that were acceptable in 2024 may not pass inspection in 2026.

Guideline 6 — Stakeholder Dialogue

NCAs must engage with exchanges, technology providers, academics, and advocacy groups to stay current on emerging risks and available solutions. ESMA explicitly recommends that NCAs interact with IT firms and data service providers to understand what detection tools are available.

What this means for you: This is a positive signal. RegTech providers are explicitly recognised as valuable stakeholders in building effective supervision. CASPs using third-party surveillance solutions can and should highlight this during regulatory interactions.

Guideline 7 — Market Integrity Education

NCAs should run educational programmes explaining what constitutes market abuse under MiCA, including concrete examples. The language should be accessible to retail participants, not just sophisticated institutions.

What this means for you: Expect NCAs to publish more detailed guidance, FAQs, and case studies on market abuse. Monitor your NCA's website regularly — these publications will directly inform what your detection systems need to flag.

Supervision and Compliance (Guidelines 8–12)

Guideline 8 — Data-Driven Surveillance

This is one of the most operationally significant guidelines. NCAs must use both public and private data, combining:

On-chain transaction data and wallet analytics
Off-chain order book and trade data from regulated venues
Social media monitoring for coordinated manipulation signals
Artificial intelligence and machine learning models for anomaly detection

ESMA explicitly endorses AI-powered surveillance as a core supervisory tool — not just a nice-to-have.

What this means for you: Your own surveillance systems will be assessed against an NCA that is using AI and on-chain analytics. Rule-based systems that only flag obvious thresholds will increasingly miss the patterns that regulators are looking for. Behavioral models are expected.

Guideline 9 — Supervision of PPAETs' Detection Systems

This is the guideline that most directly creates ongoing obligations for CASPs. NCAs must:

Continuously monitor whether CASPs have effective arrangements and systems in place
Assess the adequacy of detection systems — not just their existence
Evaluate whether systems are calibrated to the CASP's specific risk profile, product mix, and client base

ESMA is clear: having a surveillance policy document is not the same as having an effective detection system. NCAs will want to see evidence of how the system works, what it detects, and how alerts are handled.

What this means for you: Prepare for supervisory questions such as:

How many alerts did your system generate in the last 12 months?
What percentage were investigated and closed vs. escalated to STOR?
How do you tune your detection models?
Can you demonstrate detection of a specific manipulation pattern?

Guideline 10 — Handling STORs

NCAs must establish efficient internal procedures for receiving, classifying, analysing, and responding to Suspicious Transaction and Order Reports. ESMA has published a standardised STOR template that NCAs must accept.

What this means for you: The STOR process is now standardised across the EU. Your internal STOR workflow must produce output that maps to the ESMA template fields. Review the template and ensure your case management system captures all required data at the alert stage — not just at the point of submission.

Guideline 11 — ESMA Coordination Between NCAs

NCAs must notify ESMA and peer NCAs when they identify cross-border market abuse patterns or systemic concerns. ESMA acts as the central coordination body.

What this means for you: Cross-border manipulation schemes will be harder to run undetected. A scheme coordinated across a French-licensed CASP and an Irish-licensed CASP will now trigger coordinated supervisory responses from both the AMF and the CBI, with ESMA involvement.

Guideline 12 — Third-Country Obstacles

NCAs must identify and report to ESMA any obstacles they encounter when trying to supervise market abuse involving third-country entities. Specific factors to consider include the legal context of the third country, feasibility of information exchange, and the corporate structure of the relevant group.

What this means for you: If your entity has group entities outside the EU — a parent company in the Cayman Islands, a trading desk in Singapore — expect NCAs to scrutinise those relationships more carefully in the context of market abuse supervision.

4. What NCAs Will Now Look For During Inspections {#nca-inspections}

Based on the guidelines, a structured NCA inspection of a CASP's market abuse framework will likely cover the following areas:

Documentation:

Written market abuse prevention policy approved by senior management
Description of detection system architecture and coverage
Alert escalation and investigation procedures
STOR submission log with decision rationale for all alerts reviewed

System Adequacy (Guideline 9 focus):

Scope of monitoring: which assets, which venues, which client segments
Detection methods: rule-based, behavioral, on-chain, off-chain
False positive rate and model tuning process
Coverage of MiCA-specific risk scenarios (MEV, DeFi interactions, social media signals)

Operational Evidence:

Sample of recent alerts and investigation notes
STORs submitted in the past 12 months (or documented rationale for zero submissions)
Evidence of staff training on market abuse detection

Governance:

Reporting line from surveillance function to compliance officer and Board
Periodic management reporting on market abuse metrics

5. The STOR Framework Under the Guidelines {#stor-framework}

Guideline 10 and the associated ESMA delegated regulation on STOR reporting create a harmonised framework that replaces the previous patchwork of national reporting practices.

The Standardised STOR Template

The ESMA template includes the following mandatory fields:

Section	Key Fields
Reporting entity	Name, LEI, MiCA license number, home NCA
Suspicious activity	Description, date(s), asset(s) involved
Blockchain data	Transaction hash(es), wallet address(es), network
Suspicion rationale	Which market abuse type, why suspicious, supporting data
Persons involved	If identified: name, wallet, associated accounts
Internal reference	Case ID, analyst, review date

Timing and Process

Submission must occur as soon as reasonably practicable after the suspicion arises — ESMA guidance indicates that delays of more than a few business days after alert escalation are difficult to justify
The NCA may follow up with requests for additional information — your case file should be complete enough to respond within 24–48 hours
STORs are not public — they are confidential regulatory submissions. Staff involved in STOR preparation must be reminded of tipping-off prohibitions

6. On-Chain and Off-Chain Surveillance: ESMA's Expectations {#surveillance-expectations}

Guideline 8 sets a high bar for the technical sophistication of surveillance. Here is what ESMA expects to be covered:

On-Chain Signals

Signal Type	Detection Approach
Circular fund flows (wash trading)	Graph analysis of wallet interactions
Pre-listing wallet accumulation	Temporal analysis of holdings before announcements
MEV front-running	Mempool monitoring and block sequencing analysis
Mixer/tumbler usage	Attribution clustering across obfuscation layers
Abnormal withdrawal patterns	Statistical deviation from baseline behavior
Cross-chain bridge abuse	Multi-chain asset flow tracking

Off-Chain Signals

Signal Type	Detection Approach
Spoofing / layering	Order book depth and cancellation rate analysis
Coordinated social media	NLP monitoring of Telegram, Discord, X for pump signals
Insider trading signals	Correlation of unusual activity with announcement timing
Cross-platform coordination	Matching order flow across multiple CEX venues

The AI Expectation

ESMA's endorsement of AI in Guideline 8 is not merely aspirational. As NCA surveillance teams deploy machine learning models, they will increasingly identify patterns that pure rule-based systems miss. CASPs whose detection relies solely on static threshold rules — "flag any transaction over X ETH" — will face questions about why their systems did not detect what the NCA's models did.

Behavioral models that establish a baseline for each wallet, user, or asset and flag statistically significant deviations are now the expected standard for sophisticated CASPs.

7. Cross-Border Challenges and Third-Country CASPs {#cross-border}

Guideline 12 addresses a real operational problem: many crypto manipulation schemes are coordinated by actors based in third countries, using wallets and entities that are deliberately structured to frustrate EU supervisory jurisdiction.

ESMA's approach is pragmatic: NCAs should identify and escalate obstacles rather than simply accepting them. This means:

Documenting cases where third-country entity structures hinder investigation
Reporting these cases to ESMA for potential diplomatic or regulatory escalation
Cooperating with IOSCO and FATF frameworks for cross-border crypto enforcement

For CASPs, the practical implication is that your AML/KYC and market abuse surveillance must be designed to flag suspicious patterns even when the ultimate beneficial owner is obscured behind complex corporate structures or privacy coins. The inability to identify a person is not an acceptable reason to close an alert without investigation.

8. Gap Analysis: Are You Compliant? {#gap-analysis}

Use this checklist to assess your current state against the July 2025 guidelines:

Governance and Policy

[ ] Board-approved market abuse prevention policy that references MiCA Title VI
[ ] Designated compliance officer responsible for market abuse oversight
[ ] Staff training programme covering MiCA-specific scenarios (MEV, DeFi, social media manipulation)

Detection System (Guideline 9)

[ ] Automated surveillance covering all MiCA Article 92 scenarios
[ ] Both rule-based and behavioral/ML detection components
[ ] On-chain monitoring of customer wallets, not just platform order books
[ ] Off-chain signal integration (social media, news, cross-venue data)
[ ] Regular model tuning and backtesting process documented

STOR Process (Guideline 10)

[ ] Internal STOR workflow with defined escalation paths and timelines
[ ] Alert investigation log maintained for all flagged events
[ ] STOR template aligned with ESMA standardised format
[ ] Tipping-off controls in place for staff involved in STOR preparation

Documentation for NCA Inspection

[ ] Architecture documentation of your detection system
[ ] Last 12 months of alert statistics (volume, investigation rate, STOR rate)
[ ] Sample investigation notes demonstrating quality of review
[ ] Evidence of at least one annual review of detection system effectiveness

9. How Seqlense Aligns With These Guidelines {#seqlense}

Seqlense MABU was built with MiCA Article 92 requirements as the core design constraint. Here is how our platform maps to the July 2025 guidelines:

Guideline	Seqlense MABU Capability
Guideline 8 — Data-driven surveillance	On-chain wallet scanning + off-chain behavioral models + ML anomaly detection
Guideline 9 — System adequacy	Pre-built MiCA scenario library (wash trading, spoofing, pump & dump, MEV) with customisable thresholds
Guideline 10 — STOR handling	STOR-ready alert export mapped to ESMA template fields
Guideline 12 — Cross-border	Multi-chain coverage including bridge monitoring and cross-platform correlation

Seqlense DOC complements MABU by ensuring your compliance team tracks every ESMA and NCA publication that updates the market abuse framework — so your detection rules stay aligned with evolving regulatory expectations.

Key Takeaways

ESMA's July 2025 guidelines are now in application — NCAs are expected to use them as the basis for assessing CASP market abuse systems
Guideline 9 is the most operationally significant: NCAs will assess the adequacy of your systems, not just confirm their existence
Behavioral and AI-powered detection is now the expected standard — pure rule-based systems are increasingly insufficient
The STOR process must produce output aligned with ESMA's standardised template — review your case management workflows
Cross-border manipulation schemes are a supervisory priority — your systems must flag suspicious patterns even when beneficial owners are obscured
Proportionality applies, but every CASP in PPAET scope must have a documented, tested, and auditable surveillance system

Last updated: February 25, 2026. This article reflects ESMA guidelines and MiCA implementing measures available as of that date. Use Seqlense DOC to stay current on regulatory updates.

Tags: ESMA guidelines, MiCA market abuse, CASP compliance, STOR reporting, on-chain surveillance, crypto market manipulation, PPAETs, MiCA Title VI, crypto compliance 2025, behavioral surveillance