BaFin and the MiCAR Perimeter: How Regulators Separate Tokenised Securities From Crypto-Assets

Last updated: June 2026

Put a financial product on a blockchain and the hardest question is not how the token works. It is which rulebook the token sits under. Get the MiCAR perimeter wrong and a reporting team builds the wrong control set around the wrong instrument: white-paper notifications and crypto-asset service provider records where a prospectus, and potentially MiFID/MiFIR controls depending on trading and service activity, were actually required, or the reverse. The two obligation stacks do not overlap. A token can meet MiCAR’s broad crypto-asset concept and still qualify as a MiFID financial instrument, but MiCAR does not apply once Article 2(4)(a) excludes it. For operational purposes, the asset sits either in the MiCAR obligation stack or in the MiFID and securities-rulebook stack, and that perimeter decision drives every obligation that follows.

On 15 June 2026, BaFin gave a concrete example of where that line falls. The German supervisor told the public it had sufficient grounds to suspect that a US-based entity, Hartmann & Benz LLC, was offering tokenised securities under the names Easygold Token and EASG to the public in Germany without the required prospectus. BaFin did not reach for MiCAR. It reached for the EU Prospectus Regulation and the German Securities Prospectus Act because it treated the product as tokenised securities on the financial-instrument side of the perimeter. That choice of legal basis is the whole point of this article.

For reporting and compliance teams, the takeaway is procedural, not philosophical. The classification step happens before any obligation attaches, the issuer or offeror carries the burden of getting it right, and the supervisor can disagree at any time. This piece walks through how the MiCAR perimeter is actually drawn, why a tokenised security falls outside it, what BaFin’s action signals about supervisory practice, and where teams keep misreading the boundary.

The MiCAR perimeter hinge: Article 2(4)(a)

The entire perimeter rests on one short provision. Article 2(4) of Regulation (EU) 2023/1114 states that the Regulation does not apply to crypto-assets that qualify as one or more of a listed set of things, and the first item on that list is financial instruments. Deposits, funds (unless they qualify as e-money tokens), securitisation positions, insurance products and several pension products complete the carve-out, but financial instruments are the exclusion that matters for tokenised securities.

MiCAR then closes the loop with its own definition. Article 3(1)(49) defines “financial instrument” as financial instruments as defined in Article 4(1)(15) of Directive 2014/65/EU, which is MiFID II. So MiCAR does not invent its own concept of a security. It points straight at MiFID. Whatever counts as a financial instrument under MiFID is, by that reference, excluded from MiCAR. The two regimes are deliberately wired to be mutually exclusive at the level of a single asset.

This is where teams usually misread the structure. The MiCAR carve-out is not a discretionary safe harbour an offeror elects into. It is a definitional gate. If the asset is a financial instrument, MiCAR never applied in the first place, and the securities rulebook governed from the start. There is no MiCAR white paper to file, no crypto-asset service provider notification to lodge, and no point pretending the token is a new species of asset. The blockchain is plumbing. The instrument is what travels through it.

What MiFID counts as a financial instrument

MiFID II lists financial instruments in Section C of Annex I. The first entry on that list is transferable securities. The rest of Section C runs through money-market instruments, units in collective investment undertakings, the full family of derivative contracts on securities, currencies, commodities, credit risk and other underlyings, financial contracts for differences, and emission allowances. For tokenised investment products, the relevant entry is almost always the first one.

Transferable securities have their own definition in MiFID. Article 4(1)(44) describes them as those classes of securities which are negotiable on the capital market, with the exception of instruments of payment, and gives shares, bonds and other forms of securitised debt as the worked examples, alongside any other securities giving the right to acquire or sell such transferable securities or giving rise to a cash settlement. The operative idea is negotiability on the capital market and membership of a class of fungible, standardised instruments. A one-off, bespoke claim that nobody can trade is not a transferable security. A standardised, tradable, fungible instrument that promises a return tied to an underlying asset usually is.

Read the BaFin notice against that test. BaFin describes the matter as a suspected public offer in Germany of tokenised securities under the names Easygold Token and EASG without the required prospectus. That is enough for the article’s point: BaFin treated the case as a securities-perimeter and prospectus case. The notice should still be described as a suspicion notice, not a final merits decision on every legal feature of the product.

The common error here is to treat the absence of a paper certificate, or the presence of a DLT wallet, as evidence that the asset escapes MiFID. It is not. MiFID never required a financial instrument to be paper-based. Dematerialised, book-entry and now token-recorded securities have always been securities. The recording technology was never part of the definition.

ESMA’s guidelines: where the line is actually drawn

MiCAR did not leave the boundary to chance. Article 2(5) instructs ESMA, for the purposes of the financial-instrument carve-out in Article 2(4)(a), to issue guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments. ESMA’s guidelines are dated 19 March 2025 and carry the reference ESMA75453128700-1323. They apply 60 calendar days from the date of publication on ESMA’s website in all official EU languages. They are the practical key to the perimeter.

The guidelines work on a substance-over-form principle. ESMA’s position is that the technological structure of an asset is not the key factor in deciding whether it qualifies as a financial instrument. Tokenisation does not change the legal nature of the thing being tokenised. A tokenised traditional financial instrument, a so-called security token, remains a financial instrument and is regulated as one. The token is a wrapper. What is inside the wrapper decides the regime.

That principle is technology-neutral by design, and it is the reason a national competent authority such as BaFin can look at a token and reach straight for the Prospectus Regulation. ESMA’s guidelines give supervisors and market participants a shared method: assess the rights the instrument confers, whether those rights make it part of a class of negotiable, standardised securities, and whether it functions as an investment rather than purely as access to a service or as a means of payment. If the answer points to a security, the asset is outside MiCAR, and the securities framework applies in full.

One nuance teams get wrong is treating the ESMA guidelines as if they redrew the boundary. They did not. The financial-instrument carve-out was always in Article 2(4)(a). The guidelines specify the conditions and criteria for applying it consistently across Member States, so that one NCA does not wave a token into MiCAR while another treats the identical product as a security. For a cross-border offeror, that convergence is the difference between one classification and twenty-seven.

Why BaFin used the Prospectus Regulation, not MiCAR

Once a tokenised product is a transferable security, the securities rulebook governs its public offer. The headline obligation is Article 3(1) of the Prospectus Regulation, Regulation (EU) 2017/1129, under which securities may only be offered to the public in the Union after prior publication of an approved prospectus, subject to the exemptions in the Regulation. Germany layers its national securities prospectus framework, the Wertpapierprospektgesetz, or WpPG, on top of that EU baseline.

BaFin’s notice tracks exactly that chain. It states that offering securities to the public without an approved prospectus constitutes a violation of the prospectus requirement under Article 3(1) of the EU Prospectus Regulation, references the liability of the parties responsible for a prospectus under sections 9 and 10 of the WpPG, and cites section 14 of the WpPG. The supervisor frames the consequences too: violations of the prospectus requirement are punishable by a fine of up to EUR 5 million or 3% of total revenues for the previous financial year, and fines of up to twice the economic advantage gained from the offence may be imposed. That is the securities enforcement toolkit, not the MiCAR one.

Notice what BaFin did not do. It did not allege a missing crypto-asset white paper, an unauthorised asset-referenced token, or unregistered crypto-asset services. Those are the MiCAR levers, and a supervisor pulls them only when the asset is genuinely a crypto-asset outside the financial-instrument carve-out. The choice of legal basis is the supervisor publicly classifying the product. By citing the Prospectus Regulation and the WpPG, BaFin placed Easygold Token on the securities side of the perimeter.

It is worth being precise about what the 15 June 2026 step is and is not. BaFin published a consumer notice stating it has sufficient grounds to suspect a breach. That is a public warning and a classification signal, not a final adjudication of liability. The regulation sets out the prospectus duty and the penalties available; it does not follow from a warning that any particular sanction has been imposed. Reporting teams should read the action as supervisory positioning on the perimeter, and leave enforcement outcomes to the process that follows.

For broader context on how the crypto and securities rulebooks interact for issuers operating inside MiCAR, our guide to MiCAR reporting obligations sets out what actually attaches once an asset is confirmed to be a crypto-asset.

The classification burden sits with the offeror

MiCAR is explicit about who decides, at least in the first instance. Recital 14 states that offerors or persons seeking admission to trading are primarily responsible for the correct classification of crypto-assets, and that the classification may be challenged by the competent authorities both before the date of publication of the offer and at any time thereafter. The same recital tells the European Supervisory Authorities to use their powers to keep classification consistent where a proposed classification looks inconsistent with MiCAR or with other Union financial-services law.

Two operational facts fall out of that. First, the issuer cannot wait for a regulator to tell it which regime applies. It has to classify, document the reasoning, and stand behind it. Second, that classification is never final from the issuer’s side. A competent authority can revisit it before the offer and afterwards. An offeror that self-classified a token as a MiCAR crypto-asset, filed a white paper, and proceeded, can still be told later that the asset was a transferable security all along, with the prospectus consequences applying retroactively to the public offer.

The regulatory surface of a wrong call is easy to underestimate. A wrong classification is not a paperwork slip that gets corrected with a re-file. It can mean an entire public offer was conducted without the prospectus the law required, which is precisely the situation BaFin describes. The control that prevents it is a documented classification assessment, run against the ESMA guidelines, kept current, and revisited whenever the product’s rights or structure change.

What this means for reporting and compliance teams

The perimeter decides the reporting architecture, so the classification step has to come first in any build. Map the two outcomes before writing a single control.

If the asset is a crypto-asset inside MiCAR, the obligations are the MiCAR set: a crypto-asset white paper for the relevant token type, notification to the competent authority, and, for service providers, crypto-asset service provider authorisation or the notification route for certain financial entities, plus the ongoing record-keeping and market-abuse arrangements MiCAR imposes. Asset-referenced tokens and e-money tokens carry their own heavier regimes on top.

If the asset is a financial instrument, the MiCAR set is irrelevant and the securities set governs. A public offer triggers the Prospectus Regulation prospectus duty unless an exemption applies. Trading and post-trade activity pull in the MiFID and MiFIR obligations that attach to financial instruments, including transaction reporting where the instrument is in scope. Our MiFIR transaction reporting guide covers what that feed looks like once a security, tokenised or not, is admitted to trading or traded on a venue.

The trap is building both stacks, or the wrong one, because the team treated “it is on a blockchain” as the controlling fact. A tokenised bond does not need a crypto-asset white paper. A genuine utility token does not need a securities prospectus. The single classification decision, grounded in the rights the instrument confers rather than the ledger it lives on, tells you which stack to build and which to leave alone.

There is also a cross-border dimension that German practice highlights. The offeror in the BaFin matter is US-based, yet the relevant trigger is the offer to the public in Germany. A non-EU issuer does not escape the EU securities perimeter by incorporating elsewhere if it offers tokenised securities into a Member State. The same logic runs in the MiCAR world, where the location of the offer to the public, not the issuer’s home country, drives the obligation.

Where the perimeter still gets blurred

A few edges of the boundary genuinely are harder than the BaFin facts, and it helps to name them rather than pretend the line is always crisp.

The first is the hybrid token. A product can bundle a payment-like function, an access function and an investment-like return. ESMA’s substance-over-form method asks what the instrument actually confers and how it is used, not what the marketing calls it. A token labelled a utility token that in practice gives holders a tradable claim on a pool of value can still be assessed as a transferable security. Labels do not control classification; rights and economic function do.

The second is the deposit and e-money edge. The Article 2(4) carve-out also excludes deposits and funds, except where funds qualify as e-money tokens. A single-currency stablecoin can be an e-money token inside MiCAR, while a tokenised structured deposit can be a structured deposit outside it. These are different exclusions with different home regimes, and conflating them is a common error. The financial-instrument carve-out is only one door out of MiCAR; the others lead to banking, e-money and insurance rulebooks rather than to MiFID.

The third is timing and supervisory disagreement. Because classification can be challenged at any time, an offeror operating on a defensible but aggressive reading carries a standing risk that a competent authority re-characterises the asset. The mitigant is not to guess conservatively for its own sake, but to hold a documented, criteria-based assessment that a supervisor can follow. The EBA’s own work on the application of MiCAR to asset-referenced and e-money tokens, summarised in our note on the EBA statement on ARTs and EMTs, shows how granular the in-scope analysis becomes once an asset is confirmed to be a crypto-asset rather than a security.

Frequently Asked Questions

Does MiCAR apply to tokenised shares or bonds?

No. Article 2(4)(a) of Regulation (EU) 2023/1114 excludes crypto-assets that qualify as financial instruments, and Article 3(1)(49) defines financial instrument by reference to Article 4(1)(15) of MiFID II. A tokenised share or bond is a transferable security under MiFID, so it falls outside MiCAR and inside the securities rulebook, including the Prospectus Regulation for public offers.

Who decides whether a token is a crypto-asset or a financial instrument?

The offeror or person seeking admission to trading is primarily responsible for the correct classification, per recital 14 of MiCAR. Competent authorities can challenge that classification before the offer is published and at any time afterwards. The classification is the issuer’s to make and document, but never the issuer’s to make finally.

What guidance governs the boundary between MiCAR and MiFID?

ESMA’s guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments, reference ESMA75453128700-1323, published 19 March 2025, with application 60 calendar days after the translations are published. They apply a technology-neutral, substance-over-form test under the mandate in Article 2(5) of MiCAR.

Why did BaFin use the Prospectus Regulation instead of MiCAR against the Easygold Token offer?

Because BaFin assessed the product as a tokenised security rather than a crypto-asset. A security offered to the public requires an approved prospectus under Article 3(1) of Regulation (EU) 2017/1129 and the German WpPG. The choice of legal basis is the supervisor publicly placing the asset on the securities side of the perimeter.

Does putting an instrument on a blockchain change its regulatory treatment?

No. ESMA’s guidelines state that the technological structure is not the key factor and that tokenisation does not change the legal nature of the underlying instrument. A tokenised financial instrument remains a financial instrument. The ledger is the recording method, not the classification.

What are the consequences BaFin sets out for offering securities without a prospectus in Germany?

BaFin’s notice states that violations of the prospectus requirement are punishable by a fine of up to EUR 5 million or 3% of total revenues for the previous financial year, and that fines of up to twice the economic advantage gained from the offence may be imposed. It also references prospectus-responsibility liability under sections 9 and 10 of the WpPG. These are penalties the regulation makes available, not an outcome that automatically follows a warning.

If a token is misclassified as a MiCAR crypto-asset, can the error be fixed later?

Not cleanly. If a competent authority later determines the asset was a financial instrument, the securities obligations applied from the start, which can mean a public offer was conducted without the prospectus the law required. The practical defence is a documented, criteria-based classification assessment kept current as the product evolves.

Key Takeaways

  • MiCAR and MiFID are mutually exclusive at the level of a single asset. Article 2(4)(a) of Regulation (EU) 2023/1114 carves financial instruments out of MiCAR, and Article 3(1)(49) defines financial instrument by reference to MiFID II Article 4(1)(15).
  • A tokenised security is a transferable security under MiFID II Annex I Section C(1), so it sits in the securities rulebook, including the Prospectus Regulation, not in MiCAR.
  • ESMA’s guidelines ESMA75453128700-1323, published 19 March 2025, draw the line on a technology-neutral, substance-over-form basis: tokenisation does not change the legal nature of the instrument.
  • BaFin’s 15 June 2026 action against the Easygold Token offer used Article 3(1) of the Prospectus Regulation and the WpPG, signalling that it classified the product as a security, not a crypto-asset.
  • The offeror carries the classification burden under recital 14 of MiCAR, and a competent authority can challenge that classification before and after the offer.
  • A wrong classification is not a re-file. If an asset is later found to be a security, the prospectus duty applied from the start of the public offer.
  • The classification decision drives the entire reporting architecture, so it has to be made and documented before any control is built.

Sources and References

  • Regulation (EU) 2023/1114 (MiCAR), Articles 2(4), 2(5), 3(1)(5), 3(1)(49), and recital 14 – EUR-Lex CELEX 32023R1114
  • Directive 2014/65/EU (MiFID II), Article 4(1)(15), Article 4(1)(44) and Annex I Section C – EUR-Lex CELEX 32014L0065
  • Regulation (EU) 2017/1129 (Prospectus Regulation), Article 3(1) – EUR-Lex CELEX 32017R1129
  • ESMA, Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments (ESMA75453128700-1323, published 19 March 2025) – ESMA Guidelines page
  • ESMA, Overview of Level 2 and Level 3 measures related to MiCA (ESMA75-113276571-1510) – ESMA Level 2 and 3 table
  • BaFin consumer notice, Hartmann & Benz LLC: suspected offer of tokenised securities (Easygold Token / EASG) without the required prospectus, 15 June 2026 – BaFin notice
  • German Securities Prospectus Act (Wertpapierprospektgesetz, WpPG), sections 9, 10 and 14 – BaFin WpPG (English)

Classify first, build second

The lesson from the Easygold Token notice is not really about gold tokens. It is that the MiCAR perimeter is a definitional gate the issuer walks through before any obligation attaches, and a supervisor can send the issuer back through it at any time. BaFin’s choice to reach for the Prospectus Regulation and the WpPG, rather than MiCAR, was the classification made visible. For reporting and compliance teams, the discipline is the same regardless of jurisdiction: assess the rights the instrument confers, run them against the ESMA guidelines, document the conclusion, and only then decide which rulebook, and which reporting stack, the token actually lives in.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.
