EU Markets in Crypto-Assets Regulation (MiCA)

Comprehensive EU regulation for cryptoasset markets, fully applicable since December 2024. Covers cryptoasset service provider (CASP) authorisation, governance, safeguarding of client assets, ICT system requirements, operational resilience, AML/CFT, stablecoin issuance (asset-referenced and e-money tokens), reserve management, market abuse prevention, and regulatory reporting. Applies to all CASPs operating in the EU.

AC Access Control

| Control | Name | MiCA References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | Art.62(7) |
| AC-02 | Account Management | Art.67(1), Art.86(1) |
| AC-03 | Access Enforcement | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.62(9), Art.97(1) |
| AC-04 | Information Flow Enforcement | Art.63(1), Art.68(1), Art.76(1) |
| AC-05 | Separation Of Duties | Art.36(1), Art.63(2), Art.65(1), Art.86(1), Art.92(1) |
| AC-06 | Least Privilege | Art.36(1), Art.40(1), Art.55(1), Art.63(1), Art.65(1), Art.67(1), Art.86(1), Art.92(1), Art.97(1) |

AT Awareness and Training

| Control | Name | MiCA References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | Art.62(7) |
| AT-02 | Security Awareness | Art.62(7) |

AU Audit and Accountability

| Control | Name | MiCA References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | Art.43(1), Art.63(2), Art.62(9), Art.94(1), Art.82(1) |
| AU-02 | Auditable Events | Art.68(1), Art.69(1), Art.70(1), Art.72(1), Art.86(1), Art.88(1), Art.92(1) |
| AU-03 | Content Of Audit Records | Art.68(1) |
| AU-06 | Audit Monitoring, Analysis, And Reporting | Art.62(8), Art.88(1), Art.92(1) |
| AU-09 | Protection Of Audit Information | Art.63(2), Art.82(1) |
| AU-11 | Audit Record Retention | Art.63(2), Art.67(1), Art.82(1) |
| AU-12 | Audit Record Generation | Art.63(2), Art.67(1), Art.68(1), Art.69(1), Art.70(1), Art.72(1), Art.86(1), Art.88(1), Art.92(1), Art.82(1) |

CA Security Assessment and Authorization

| Control | Name | MiCA References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Art.34(5), Art.54(1), Art.62(1), Art.62(7), Art.111(1) |
| CA-02 | Security Assessments | Art.34(5), Art.43(1), Art.94(1), Art.111(1) |
| CA-03 | Information System Connections | Art.66(1), Art.66(3) |
| CA-06 | Security Accreditation | Art.59(1) |
| CA-07 | Continuous Monitoring | Art.34(5), Art.43(1), Art.62(1), Art.94(1) |

CM Configuration Management

| Control | Name | MiCA References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | Art.62(1), Art.62(7) |
| CM-02 | Baseline Configuration | Art.62(5) |
| CM-06 | Configuration Settings | Art.62(1), Art.62(5) |
| CM-07 | Least Functionality | Art.68(1), Art.62(5) |
| CM-08 | Information System Component Inventory | Art.40(1), Art.63(2), Art.82(1) |

CP Contingency Planning

| Control | Name | MiCA References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | Art.68(5), Art.62(6) |
| CP-02 | Contingency Plan | Art.68(5), Art.62(6), Art.47(1) |
| CP-03 | Contingency Training | Art.62(6) |
| CP-04 | Contingency Plan Testing And Exercises | Art.68(5), Art.62(6) |
| CP-06 | Alternate Storage Site | Art.68(5), Art.62(6) |
| CP-07 | Alternate Processing Site | Art.68(5), Art.62(5), Art.62(6) |
| CP-09 | Information System Backup | Art.68(5), Art.62(5), Art.62(6), Art.47(1) |
| CP-10 | Information System Recovery And Reconstitution | Art.68(5), Art.62(6) |

IA Identification and Authentication

| Control | Name | MiCA References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | Art.62(7) |
| IA-02 | User Identification And Authentication | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.72(1), Art.76(1) |
| IA-04 | Identifier Management | Art.63(2) |
| IA-05 | Authenticator Management | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1) |

IR Incident Response

| Control | Name | MiCA References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | Art.64(1), Art.62(7), Art.62(8) |
| IR-04 | Incident Handling | Art.64(1), Art.62(8), Art.92(1) |
| IR-05 | Incident Monitoring | Art.62(8) |
| IR-06 | Incident Reporting | Art.62(8) |
| IR-07 | Incident Response Assistance | Art.64(1), Art.62(8) |
| IR-08 | Incident Response Plan | Art.64(1), Art.62(8) |

MP Media Protection

| Control | Name | MiCA References |
|---|---|---|
| MP-02 | Media Access | Art.40(1), Art.55(1), Art.63(1), Art.97(1) |
| MP-04 | Media Storage | Art.40(1), Art.55(1), Art.63(1), Art.97(1) |
| MP-06 | Media Sanitization And Disposal | Art.62(9) |

PL Planning

| Control | Name | MiCA References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | Art.34(1), Art.59(1), Art.62(7) |
| PL-02 | System Security Plan | Art.34(5) |

PM Program Management

| Control | Name | MiCA References |
|---|---|---|
| PM-01 | Information Security Program Plan | Art.34(1), Art.36(1), Art.43(1), Art.54(1), Art.59(1), Art.63(2), Art.64(1), Art.65(1), Art.73(1), Art.86(1), Art.92(1), Art.94(1), Art.111(1), Art.83(1), Art.84(1) |
| PM-02 | Information Security Program Leadership Role | Art.34(1), Art.54(1), Art.59(1) |
| PM-09 | Risk Management Strategy | Art.34(5), Art.35(1), Art.41(1), Art.54(1), Art.59(1), Art.62(1), Art.66(1), Art.62(6), Art.111(1), Art.47(1) |

PS Personnel Security

| Control | Name | MiCA References |
|---|---|---|
| PS-02 | Position Categorization | Art.34(1), Art.54(1) |
| PS-06 | Access Agreements | Art.36(1), Art.65(1), Art.73(1), Art.86(1), Art.92(1) |
| PS-08 | Personnel Sanctions | Art.34(1), Art.36(1), Art.65(1) |
| PS-09 | Position Descriptions | Art.34(1), Art.54(1) |

PT Personally Identifiable Information Processing and Transparency

| Control | Name | MiCA References |
|---|---|---|
| PT-01 | Policy and Procedures | Art.62(9), Art.97(1), Art.98(1) |
| PT-02 | Authority to Process Personally Identifiable Information | Art.62(9), Art.98(1) |
| PT-03 | Personally Identifiable Information Processing Purposes | Art.62(9), Art.98(1) |
| PT-04 | Consent | Art.62(9), Art.98(1) |
| PT-05 | Privacy Notice | Art.62(9), Art.98(1), Art.83(1) |
| PT-06 | System of Records Notice | Art.62(9), Art.98(1) |
| PT-07 | Specific Categories of Personally Identifiable Information | Art.98(1) |
| PT-08 | Computer Matching Requirements | Art.98(1) |

RA Risk Assessment

| Control | Name | MiCA References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | Art.34(5), Art.35(1), Art.54(1), Art.62(1), Art.62(7), Art.111(1) |
| RA-02 | Security Categorization | Art.35(1) |
| RA-03 | Risk Assessment | Art.34(5), Art.35(1), Art.41(1), Art.62(1), Art.66(1), Art.47(1) |
| RA-05 | Vulnerability Scanning | Art.35(1) |
| RA-07 | Risk Response | Art.34(5), Art.35(1), Art.62(1) |
| RA-09 | Criticality Analysis | Art.35(1) |

SA System and Services Acquisition

| Control | Name | MiCA References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | Art.62(1), Art.62(7) |
| SA-02 | Allocation Of Resources | Art.34(5), Art.35(1), Art.41(1), Art.54(1), Art.62(1) |
| SA-03 | Life Cycle Support | Art.62(5) |
| SA-04 | Acquisitions | Art.66(1), Art.66(3) |
| SA-05 | Information System Documentation | Art.84(1) |
| SA-08 | Security Engineering Principles | Art.68(1), Art.68(5), Art.69(1), Art.70(1), Art.72(1), Art.62(5) |
| SA-09 | External Information System Services | Art.66(1), Art.66(3) |

SC System and Communications Protection

| Control | Name | MiCA References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | Art.62(7) |
| SC-05 | Denial Of Service Protection | Art.68(1), Art.68(5), Art.62(5) |
| SC-07 | Boundary Protection | Art.68(1), Art.62(5) |
| SC-08 | Transmission Integrity | Art.76(1), Art.97(1) |
| SC-12 | Cryptographic Key Establishment And Management | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1), Art.97(1) |
| SC-13 | Use Of Cryptography | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1) |
| SC-17 | Public Key Infrastructure Certificates | Art.63(1), Art.67(1) |
| SC-28 | Protection of Information at Rest | Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.62(9), Art.97(1), Art.98(1) |

SI System and Information Integrity

| Control | Name | MiCA References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | Art.34(5), Art.62(1), Art.62(7) |
| SI-02 | Flaw Remediation | Art.62(5) |
| SI-04 | Information System Monitoring Tools And Techniques | Art.68(1), Art.62(5), Art.62(8), Art.88(1), Art.92(1) |
| SI-05 | Security Alerts And Advisories | Art.35(1), Art.62(8) |
| SI-07 | Software And Information Integrity | Art.88(1) |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | Art.68(1), Art.69(1), Art.76(1) |
| SI-12 | Information Output Handling And Retention | Art.82(1) |
| SI-13 | Predictable Failure Prevention | Art.68(5), Art.62(5) |

SR Supply Chain Risk Management

| Control | Name | MiCA References |
|---|---|---|
| SR-01 | Policy and Procedures | Art.66(1) |
| SR-02 | Supply Chain Risk Management Plan | Art.66(1) |
| SR-03 | Supply Chain Controls and Processes | Art.66(1) |
| SR-04 | Provenance | Art.66(3) |
| SR-05 | Acquisition Strategies, Tools, and Methods | Art.66(1), Art.66(3) |
| SR-06 | Supplier Assessments and Reviews | Art.66(1), Art.66(3) |
| SR-11 | Component Authenticity | Art.66(3) |