Lessons Learned from Knaken’s Bankruptcy
By Jean-Hugues Migeon
On 30 June 2026, the Dutch Public Prosecution Service (Openbaar Ministerie) asked the Rotterdam District Court to declare the crypto platform Knaken Cryptohandel B.V. and its affiliated Stichting Knaken Payments bankrupt. The prosecutor acted in the public interest, on signals from the Autoriteit Financiële Markten (AFM) describing a “very worrying situation.” Knaken had gone dark at the start of June, its website and app offline, and had stopped paying out its customers. The Openbaar Ministerie estimates around 30,000 clients are affected; the Knaken Collectief has already registered between 3,500 and 4,000 of them. In parallel, the FIOD opened a criminal investigation, conducting searches, seizing digital data carriers, and freezing company assets.
The headline reads as a crypto story. It is not. It is a governance story, and every regulated technology company in Europe should read it as one.
What actually happened
Knaken let customers exchange euros for crypto-assets such as bitcoin and ether, trade on its platform, and store their coins with it. Under the EU Markets in Crypto-Assets Regulation (MiCA), those are regulated crypto-asset services. Providing them to EU clients requires authorisation as a Crypto-Asset Service Provider (CASP). Knaken never obtained it.
This is the first and most important point of precision, and it is where the common framing gets the story wrong. Knaken did not lose a licence. It held the older registration under the national anti-money-laundering regime supervised by De Nederlandsche Bank, and it failed to convert that registration into a MiCA authorisation before the deadline. When the transitional window closed, the legal basis to operate closed with it. The company did not have a licence revoked; it ran out the clock on the only path to keeping one.
The Netherlands made that clock unusually short. Where France, Malta and Luxembourg took the full eighteen-month transitional period running to 1 July 2026, the AFM applied a six-month window that closed on 30 June 2025 — one of the shortest in the Union. From 1 July 2025 onward, every provider serving Dutch clients needed a MiCA licence in hand. Knaken did not have one, kept operating, drew AFM restrictions and a threat of closure, and eventually collapsed.
The lessons
A pending application is not an authorisation. This is the trap that catches sub-scale operators. Under MiCA, only a granted authorisation permits continued service. A filing in progress, a good-faith intention, or a history of prior national registration confers nothing once the transitional deadline passes. Firms that treated “we’ve applied” as equivalent to “we’re licensed” discovered that the regulator does not share that view.
The transitional clock is a national variable, not an EU constant. The single most expensive assumption a cross-border operator can make is that the 1 July 2026 outer limit applies to them. It does not apply uniformly. The Netherlands, Finland, Latvia, Hungary and Slovenia closed at six months; Germany, Austria and Ireland at twelve. A firm passporting an assumption from one jurisdiction to another is planning against the wrong deadline. Compliance timelines must be mapped per member state, not per regulation.
Authorisation is the operating licence, not a legal formality. When Knaken’s regulatory basis lapsed, the business did not slow down — it stopped. The platform went offline, customer access was cut, and payments ceased. There is no partial-credit version of operating without authorisation. This is the difference between compliance as an overhead line and compliance as the precondition for the enterprise to exist at all.
Client-asset protection is the core of the regime, and its failure is what triggers intervention. A licensing gap on its own is a supervisory matter. What converted Knaken into a public-interest bankruptcy petition was the interruption of client payouts and the fear that customer funds would not be returned in an orderly way. MiCA’s segregation and safekeeping obligations exist precisely to prevent this. The moment client assets are at risk, the response escalates from enforcement to intervention.
An orderly wind-down is itself a regulated obligation. Knaken said it was “working out how to handle the settlement with clients.” That is not a plan. ESMA has been explicit that firms losing transitional cover must implement documented, orderly wind-down plans that protect clients. Ceasing services is a lawful option; ceasing services without a controlled exit is what draws a prosecutor. The wind-down deserves the same rigour as the launch.
Brand visibility is not a substitute for authorisation. Knaken was widely known as a shirt sponsor of Eredivisie clubs — Ajax, Sparta, Feyenoord — and even launched a product letting Feyenoord supporters pay for season tickets in crypto. None of that visibility survived contact with the regulator. Marketing reach masked a fragile balance sheet: revenue of €765,000, a net profit of €29,000 in 2024 against a €600,000 loss the year before, and seven employees carrying a full CASP compliance burden. Prominence created the customer base that made the failure a public problem; it did nothing to prevent the failure.
The regulator’s toolkit is now existential, and personal. The Openbaar Ministerie used a civil instrument rarely deployed — a bankruptcy petition in the public interest — precisely because the scale of consumer harm justified it. Alongside it runs a criminal investigation, with searches, seizures of devices, and frozen assets. For directors, the consequences of treating authorisation as optional are no longer a manageable fine. They are the end of the company and personal legal exposure.
The wider point
MiCA is not an isolated case. It is the template. The same logic now governs financial entities under DORA, and it is the logic the EU AI Act applies to high-risk AI systems: authorisation, documentation, client and consumer protection, and orderly conduct are preconditions of operating, not features to add once the product has traction. In every one of these regimes, the regulator’s first question is not whether your technology works. It is whether you are permitted to offer it at all.
Knaken failed the only question that mattered. It built a customer base, a brand, and a product on a legal foundation it never secured, and when the deadline arrived, there was nothing to stand on. The firms that survive the MiCA transition — and the DORA and AI Act transitions after it — are the ones that treated governance as infrastructure from the first line of the business plan, not as a compliance project bolted on when the letter from the regulator arrived.
It is not how much you put in
Which returns to the question that decides everything: not how much you put in, but whether you do what actually needs to be done. Knaken had the brand, the sponsorships, the customer base — and none of it counted, because it never secured the one thing the regulation required.
The inverse proves the same point. On 30 December 2024 — MiCA’s first day of enforcement — the AFM granted the European Union’s very first CASP licences. Among the four recipients was BitStaete, a Dutch crypto asset-management firm running on a team of fewer than ten. It was not the biggest name in the market. It was one of the ones that did what was necessary, before almost anyone else.
Size does not clear the bar. Spend does not clear the bar. Doing the necessary work — authorisation, governance, client-asset protection, an orderly plan — clears the bar. Everything else is marketing.
You can be the biggest name in the market. If you do not do what is necessary, you will still lose against the regulator. The cost is no longer a penalty — it is the business.