Last updated
Circular CSSF 26/909 Explained: MiCA Knowledge and Competence Rules in Luxembourg
Direct answer
If you are a Luxembourg CASP or preparing for MiCA authorization, Circular CSSF 26/909 means the CSSF will apply ESMA's MiCA knowledge-and-competence guideline in Luxembourg from 28 July 2026. The practical job now is to identify which staff provide information or advice on crypto-assets or crypto-asset services, confirm that their knowledge and competence match the scope of the service, and make sure the management body can evidence review of the related policies and procedures.
The answer changes when staff only provide information, provide advice, or control automated or semi-automated content, because the ESMA guideline distinguishes between those functions. It also changes if the firm is outside the CASP perimeter, because the circular is aimed at CASPs rather than at the whole Luxembourg financial sector. Use the official CSSF circular page and the underlying ESMA guideline as the controlling sources: CSSF Circular 26/909 and ESMA MiCA knowledge and competence guideline.
Next step: map each relevant role to the MiCA service it supports, then review training, assessment, and annual governance evidence against the official texts before 28 July 2026.
Current as of June 4, 2026. This guide is general information for compliance, legal, governance, and training teams. It is not legal, regulatory, or compliance advice. Verify the current CSSF circular, ESMA guideline, and your own professional advice before changing controls.
Circular CSSF 26/909 is not a broad MiCA handbook. It is the CSSF notice that, in Luxembourg, the authority applies ESMA's guideline on the criteria for assessing knowledge and competence under MiCA, integrates that guideline into its administrative practices and regulatory approach, and does so for crypto-asset service providers, or CASPs, within the MiCA perimeter. The CSSF circular was published on 1 April 2026, and both the circular and the underlying ESMA guideline apply from 28 July 2026.
For a Luxembourg CASP, the immediate question is narrower than "are we MiCA-ready?" The official texts point to a more specific review: which staff give information or advice on crypto-assets or crypto-asset services, whether their knowledge level matches the scope and degree of the service they provide, whether they understand and apply the firm's internal MiCA policies and procedures, and whether the management body can show an at-least-annual review of the control framework.
What Circular CSSF 26/909 does
The circular functions as Luxembourg's application layer for an ESMA standard rather than as a stand-alone Luxembourg rewrite. According to the CSSF PDF, the purpose of Circular CSSF 26/909 is to inform CASPs that the CSSF, acting as competent authority, applies the ESMA guideline on knowledge and competence under MiCA and has integrated it into its administrative practices and regulatory approach.
That framing matters because it tells readers where to look for the real rule stack. The CSSF landing page confirms the document, the audience, and the subject. The CSSF PDF states the Luxembourg supervisory position. The underlying ESMA guideline sets out the more detailed expectations on knowledge, competence, review, and supervisory consistency.
| Source | What it establishes | Why it matters in practice |
|---|---|---|
| CSSF landing page | Confirms Circular CSSF 26/909 as the relevant CSSF document | Useful for identifying the official Luxembourg entry point |
| CSSF circular PDF | States that the CSSF applies the ESMA guideline and integrates it into its supervisory approach | This is the core Luxembourg authority text for scope and date |
| ESMA guideline and PDF | Sets the underlying criteria on knowledge and competence under MiCA | This is where the operational expectations come from |
The circular should therefore be read as a supervisory adoption notice with operational consequences, not as a generic crypto explainer and not as proof of Luxembourg-specific deviations unless the official texts say so.
Which firms and functions should pay attention
The official scope is clear on the legal perimeter: the circular applies to crypto-asset service providers as defined in Article 3(1)(15) of MiCAR. That means the article stays focused on CASPs and should not be read as covering the whole Luxembourg financial sector.
Within a CASP, the official ESMA material matters for more than one team. The guideline applies to competent authorities and CASPs, and it expects relevant staff to possess the knowledge and competence necessary for the services they provide. It also draws a sharper line between staff who provide advice and staff who provide information only: advice roles are held to a higher standard.
The ESMA guideline also matters for firms using automated or semi-automated customer journeys. The ESMA text states that when information or advice is provided in an automated or semi-automated manner, the guideline still applies to the staff who determine the content, parameters, and settings of that information or advice. In other words, a digital flow does not remove the need to think about who owns competence and controls behind the flow.
| Function or role | Official reason to pay attention | Internal evidence to review |
|---|---|---|
| Staff giving information on crypto-assets or crypto-asset services | They must have knowledge and competence appropriate to the service scope | Role mapping, training coverage, policy understanding |
| Staff giving advice | The guideline requires a higher standard than for information-only roles | Advice-specific competence criteria and assessment evidence |
| Staff setting automated or semi-automated content or parameters | The guideline still attaches to the staff determining the content and settings | Ownership, review records, parameter governance |
| Management body | It should review the effectiveness of policies and procedures at least annually and address deficiencies | Review calendar, escalation record, remediation follow-through |
The right audience for this article is therefore not only compliance officers. It also includes legal teams, training owners, front-office leaders, and governance owners who need to know whether the firm's current MiCA readiness work already covers knowledge and competence in a defensible way.
What to review in knowledge, competence, and training controls
The underlying ESMA guideline requires CASPs to ensure that relevant staff possess the necessary knowledge and competence, understand and apply the firm's internal MiCA policies and procedures, and have levels of knowledge that reflect the scope and degree of the services provided. That creates a practical review agenda even where a firm already has general compliance training in place.
A cautious reading of the official text suggests starting with role-to-service mapping. If the standard turns on the scope and degree of the services provided, then a CASP needs to know which roles are actually giving information, which are giving advice, and which are shaping automated or semi-automated outputs. A flat, one-size-fits-all training label is harder to defend when the guideline itself draws distinctions between activities and standards.
The management body requirement is the second major control point. The ESMA guideline states that the management body should assess and review the effectiveness of the relevant policies and procedures at least annually and should address deficiencies identified. That means the issue is not only whether a policy exists, but whether the firm can show a recurring governance review and follow-up when gaps are found.
As an operational inference from those official obligations, Luxembourg CASPs would usually want to test the following points before 28 July 2026:
- Whether all relevant roles under MiCA service delivery have been identified and classified.
- Whether the firm distinguishes information-only roles from advice roles in its competence standards.
- Whether staff training and assessment are tied to the actual scope and degree of service provided.
- Whether relevant staff can show familiarity with the firm's internal MiCA policies and procedures.
- Whether automated or semi-automated content owners are captured in the control framework.
- Whether the management body has a documented annual review cycle and a process for addressing deficiencies.
Those are not new invented obligations; they are the operational questions that follow from the CSSF and ESMA texts. The distinction matters because the circular should not be overstated as a source of broader Luxembourg-specific MiCA obligations.
How the circular relates to MiCA and the ESMA guideline stack
At EU level, the underlying ESMA guideline is aimed at consistent, efficient, and effective supervisory practices and at the common, uniform, and consistent application of Articles 68(5) and 81(7) of MiCA. The CSSF circular shows how that EU-level standard is taken into Luxembourg supervisory practice.
That hierarchy helps answer a common reader confusion. Circular CSSF 26/909 is not the source of an entirely separate Luxembourg rulebook on knowledge and competence. It is the CSSF document saying, in effect, that Luxembourg supervision will apply the ESMA guideline identified as ESMA35-24871704-2922. If a compliance team wants to understand the underlying standard in more detail, the ESMA text is the deeper layer; if it wants to confirm Luxembourg supervisory adoption and the application date, the CSSF circular is the key local layer.
This also helps prevent over-reading. Based on the official texts, the safer interpretation is that the circular applies the ESMA guideline without turning itself into a broader MiCA implementation manual. Readers should resist stretching it into sanctions analysis, wider conduct obligations, or general crypto-regulation commentary that the official texts do not support.
Immediate checklist for Luxembourg compliance teams
If a CASP wants a first-pass internal review before the 28 July 2026 application date, this is the narrow checklist supported by the official sources:
- Confirm that the firm falls within the CASP definition relevant to the circular.
- Identify which staff provide information, which provide advice, and which set automated or semi-automated content or parameters.
- Check whether competence expectations differ appropriately between information-only and advice roles.
- Verify that relevant staff understand and apply the firm's internal MiCA policies and procedures.
- Test whether competence standards are matched to the scope and degree of services provided.
- Confirm that the management body has an annual review process for the effectiveness of the relevant policies and procedures.
- Record how deficiencies identified through that review are escalated and addressed.
That checklist does not replace legal analysis, but it is a reasonable first operational screen for deciding whether the firm's MiCA implementation program has left a gap around knowledge, competence, and governance.
Source Review Status
Reviewed on June 4, 2026 against the official and institutional source URLs listed in this article. Recheck CSSF, ESMA, and EUR-Lex pages before relying on the article for a current compliance decision.
Official Sources
- CSSF, Circular CSSF 26/909, official landing page, checked June 4, 2026.
- CSSF, Circular CSSF 26/909 PDF, official circular text, checked June 4, 2026.
- ESMA, Guidelines for the criteria on the assessment of knowledge and competence under MiCA, official landing page, checked June 4, 2026.
- ESMA, ESMA35-24871704-2922 guideline PDF, official guideline text, checked June 4, 2026.
Before changing controls, recheck the current CSSF circular, the underlying ESMA guideline, and any later supervisory updates. Do not rely on third-party summaries or social posts as substitutes for the CSSF and ESMA texts when stating obligations, dates, or scope.
Conclusion
Circular CSSF 26/909 tells Luxembourg CASPs that the CSSF will apply ESMA's MiCA knowledge-and-competence guideline from 28 July 2026. The practical takeaway is not to launch a full MiCA redesign from scratch, but to verify whether relevant staff, automated-content owners, and the management body are already covered by a knowledge, competence, policy, and annual-review framework that can stand up to supervisory scrutiny.
Official source and decision check
Use this section as the practical checkpoint for Circular CSSF 26/909 Explained: MiCA Knowledge and Competence Rules in Luxembourg. The reader decision is whether the available evidence is strong enough to act now, or whether the file should first be confirmed with the CSSF, Luxembourg official journal or EU source. Rules can change by country, status and date, so treat this guide as orientation for the file and recheck the current rule before relying on a filing obligation, governance deadline, supervisory scope or reporting workflow.
For expats, foreigners, students, workers, founders, families and other mobile readers, record the reader category, country, residence status and deadline before comparing the official source with the article checklist.
Official sources to verify first
- CSSF official website
- CSSF documentation portal
- CSSF laws and regulations
- EUR-Lex EU law access
- ESMA official website
| Decision point | What to check | Reader action |
|---|---|---|
| Luxembourg issuer disclosure duty | Confirm that the case is really about Luxembourg issuer disclosure duty, not a different category that follows another rule. | Write down the country, authority, dates, status and document number before asking for a decision. |
| File for CSSF, Luxembourg official journal or EU source | Keep the instrument, deadline and disclosure evidence in one dated file, with originals, translations where required and proof of submission. | Save receipts, emails, appointment confirmations, payment records and authority replies in the same order as the checklist. |
| Circular CSSF 26/909 Explained: MiCA Knowledge and Competence Rules in Luxembourg fallback | If the answer is refused, delayed or unclear, identify the competent authority, review window, complaint route or regulated provider escalation path. | Ask for the reason in writing and compare it with the official source before paying again, travelling, closing an account or resubmitting. |
| When the answer is unclear | What to do next |
|---|---|
| The authority, bank, insurer, employer or provider gives a verbal answer only. | Ask for the answer in writing, save the name of the office or provider, and compare it with the official source before changing travel, payroll, residence or payment plans. |
| The file depends on a deadline, appointment, payment, address or status change. | Keep the dated receipt, note the next deadline, and avoid closing the old route until the replacement document, account, policy or registration is confirmed. |
Related guides to cross-check
- First month in Europe checklist
- Living in one European country and working in another
- EU remote working guide
- Cross-border worker benefits in the EU
- Private health insurance documents in Europe
For legal, tax, medical, immigration or financial consequences, confirm the position with the competent authority or a qualified adviser. This page is designed to organize the decision, source checks and next steps; it is not a substitute for case-specific professional advice.