Step-by-Step Guide to CASP Licensing Under MiCA
Obtain a MiCA CASP license: choose jurisdiction, meet capital and governance requirements, prepare your application, and avoid common pitfalls.
The Markets in Crypto-Assets Regulation (MiCA) is the EU's unified framework for crypto regulation. If you're a Crypto-Asset Service Provider (CASP) offering services like custody, exchanges, or trading platforms, you need a CASP license to legally operate in the European Economic Area (EEA).
Key points:
- License Benefits: Once licensed in one EU Member State, you can operate across all 27 EU countries through a simple notification process (passporting).
- Deadline: All CASPs must secure authorization by July 1, 2026.
- Requirements:
- Governance: EU-based office, at least one EU-resident director, and management checks.
- Capital: €50,000–€150,000 minimum, depending on services offered.
- Compliance: Full adherence to Anti-Money Laundering (AML), Know Your Customer (KYC), and cybersecurity regulations.
The process includes defining your services, choosing an EU jurisdiction, meeting capital and governance criteria, and submitting a detailed application. Expect timelines of 3–12 months depending on the country.
Non-compliance can lead to penalties of up to €5 million or 12.5% of annual turnover. The shift to MiCA has led to a significant drop in registered providers, creating opportunities for compliant businesses to stand out.
Preparing for CASP Authorization
Defining Your CASP Service Scope
Before diving into the application process, it's crucial to clearly outline your services and confirm whether MiCA applies to your business. MiCA governs ten specific crypto-asset services, including custody, portfolio management, fiat-to-crypto exchanges, and order execution. Accurately mapping your business activities to these services is essential since it directly influences your capital requirements. Keep in mind that adding services later often means reapplying for authorization from scratch.
Properly classifying your assets is equally important. If your assets qualify as financial instruments, MiFID II regulations will apply. Similarly, offering custody or transfer services for EMTs triggers PSD2 compliance. Even if your firm operates with a non-custodial model, MiCA may still apply if you're running an exchange or executing orders. These classifications impact both your capital needs and the legal framework for your operations.
To assess your regulatory exposure, you can use a five-step test. Evaluate factors like your corporate location, target market, offered services, control over private keys, and revenue generation. If most of these criteria align with your business, obtaining a CASP license is likely necessary.
Choosing Your Jurisdiction and Legal Structure
Once you've defined your service scope, the next step is selecting the right jurisdiction and legal structure for your CASP. Your choice of EU Member State is critical.
"The jurisdiction you choose for your CASP license is the single most consequential decision in the entire process. It defines your regulator for the life of the license, shapes your banking access, and determines how fast you can passport across the EU." - Mark Gofaizen, Senior Partner, Gofaizen & Sherle
As of April 2026, only 182 CASP licenses have been issued across the EU. Germany leads with 54 licenses, followed by the Netherlands with 25, and France and Malta tied at 12. Each jurisdiction has its own regulatory nuances, processing timelines, and fee structures. Here's a quick look at some key differences:
| Jurisdiction | Key Advantage | Typical Timeline | Corporate Tax (approx.) |
|---|---|---|---|
| Bulgaria | Low fees and taxes (10% tax) | 3–4 months | 10% |
| Germany | High institutional credibility | 6–12+ months | ~30% |
| Czech Republic | Fast registration (30–60 days) | 2–5 months | 21% |
| Malta | Hub for large exchanges | 4–6 months | ~35% (can be reduced) |
| Lithuania | Strong fintech infrastructure | 3–6 months | 16% |
It's worth noting that some jurisdictions, like Lithuania, the Netherlands, and Germany, have already closed their transitional windows as of early 2026. If you're targeting these markets, you'll need to start with a fresh application, as grandfathering provisions no longer apply.
Your company must be fully incorporated as a legal entity within the EU. "Letterbox" setups with no real presence won't meet regulatory requirements. You'll need a physical office and local decision-making authority in the Member State where you apply.
Meeting Capital and Governance Standards
MiCA's capital requirements are tiered based on the type of services you provide:
| Class | Minimum Capital | Covered Services |
|---|---|---|
| Class 1 | €50,000 | Advice, order execution, reception/transmission, placing, portfolio management, transfers |
| Class 2 | €125,000 | All Class 1 services plus custody and fiat-to-crypto or crypto-to-crypto exchanges |
| Class 3 | €150,000 | All Class 2 services plus trading platform operation |
In addition to meeting the minimum capital thresholds, you'll need to maintain ongoing own funds equal to at least 25% of the previous year's fixed overheads. These funds must consist of Common Equity Tier 1 items, such as paid-up share capital and retained earnings.
Governance requirements are just as stringent. At least two members of your management team must reside in the EU. Senior managers and shareholders holding 10% or more of the company must pass "fit and proper" assessments, which evaluate their professional history, reputation, and criminal record. Regulators also expect robust procedures for segregating client assets - both legally and technically - to ensure customer funds are kept separate from the firm's assets.
To avoid delays, secure an EU bank account early in the process. This will be essential for onboarding your operational capital and ensuring a smooth path toward licensing. These foundational steps will set you up for the next stages of the CASP authorization process.
sbb-itb-0796ce6
Step-by-Step CASP Licensing Process
CASP License Under MiCA: Step-by-Step Authorization Process
Once you've decided on your jurisdiction, set up your legal structure, and ensured you meet the capital requirements, it's time to dive into the authorization process. Here's how it typically works:
Step 1: Define Your Services and Regulatory Scope
Start by aligning every feature of your product with the ten crypto-asset services outlined in MiCA Article 3. Regulators will scrutinize areas like control points, customer journeys, custody, and revenue flows.
"If your legal narrative says one thing, your compliance manual says another, and your product flows show a third version of the business, expect questions." - NUR Legal
Use the Founder Test to evaluate your service mapping, determine who controls funds (like private keys), and outline your revenue model. Focus on applying only for the services you need to start with - adding services later can complicate the process and increase capital requirements.
Once you've mapped your services and regulatory scope, you're ready to formalize your business entity.
Step 2: Incorporate Your Entity
Before applying, your company must be fully incorporated as a legal entity in your chosen EU Member State. This involves having a registered physical office, establishing local decision-making authority, and appointing at least one EU-resident director (some jurisdictions may require two). Directors and shareholders with 10% or more ownership must pass "fit and proper" assessments, which evaluate their professional history, reputation, and criminal background.
Step 3: Engage With the Regulator
Before officially filing, schedule an informal pre-application meeting with your National Competent Authority (NCA). During this meeting, present your business model and a detailed Programme of Operations. This document should clearly outline the services you offer, your target customers, and how you plan to generate revenue. Early discussions with the regulator can highlight potential issues and help avoid problems later on. Keep in mind that vague business models or templated policies for areas like AML or ICT are common reasons for rejection.
Once you've completed initial discussions, prepare and finalize your application file for submission.
Step 4: Submit Your Application
Submit your application to the NCA, which will have 25 working days to verify its completeness. After this, the substantive review begins. If the regulator issues Requests for Information (RFIs), the review period pauses until you respond. It's essential to provide timely and thorough answers, as delays or incomplete responses can extend the process or even lead to rejection. Keep in mind that application fees vary significantly, ranging from approximately $1,600 in Lithuania to over $10,700 in countries like Germany or France.
Step 5: Pass the Substantive Assessment and Get Authorized
Once your application is under review, the regulator will assess your operational readiness. This includes examining your AML/CFT controls, governance, capital adequacy, EU presence, and clarity of your business model. Management interviews are a key part of this process, as directors must demonstrate a clear understanding of the business and its risk management framework.
The statutory review period is 40 working days, which can be extended by another 20 days if additional information is needed. However, actual timelines often vary and can take anywhere from 4 to 12 months, depending on the jurisdiction and the quality of your application. Upon approval, your firm will be added to the ESMA public register and granted passporting rights to operate across all 27 EU Member States. The notification process for passporting typically takes about 15 days.
Practical Considerations for CASP Licensing
These practical details go beyond the procedural steps, helping ensure you're fully prepared for what lies ahead.
Timelines and Cost Breakdown
Getting authorization often takes longer than expected. Under the MiCA regulation, the statutory review period is about 70 working days (25 for completeness checks and 40 for substantive evaluation). However, the entire process usually takes between 6 and 12 months. Some jurisdictions, like Lithuania and the Czech Republic, might complete applications in 3 to 4 months, whereas Germany's BaFin review can stretch to 9 to 15 months.
| Jurisdiction | Typical Timeline | Key Characteristic |
|---|---|---|
| Lithuania | 90–120 days | Cost-efficient with a streamlined process |
| Czech Republic | 3–4 months | Lower operational costs |
| France | 5–6 months | Focus on IT and risk management |
| Netherlands | 6–10 months | Strong for brokerage and on/off-ramp services |
| Germany | 9–15 months | High institutional credibility; thorough review |
When it comes to costs, the minimum initial capital requirement depends on the service class. For example, advisory and execution services typically require around €50,000, while custody or trading platforms may need €150,000. Legal and advisory fees can also vary widely. Custom documentation might cost about €60,000, while fully managed submissions could range from €90,000 to €120,000 or more. After licensing, small-to-mid-sized CASPs should budget €80,000 to €200,000 annually for compliance officers, external audits, and transaction monitoring systems.
"The market went from 11,000+ registered VASPs to 378 licensed CASPs. That contraction is not a failure of the system – it's the system working as designed." - ASD Labs Guide
While knowing the timelines and costs is important, avoiding operational missteps is just as crucial.
Common Pitfalls and How to Avoid Them
One of the main reasons applications get delayed or rejected isn't missing paperwork - it’s deeper issues. Regulators require companies to show a strong EU presence. For instance, appointing a director who lives outside the EU or lacks financial services experience can raise red flags and jeopardize your application.
Another frequent problem is submitting generic compliance documentation. Regulators interpret this as a lack of proper operational planning. Similarly, many applicants fail to meet the requirements of the Digital Operational Resilience Act (DORA). Regulators will scrutinize your MiCA submission to ensure it includes robust ICT risk management and incident reporting frameworks. Treating your ICT audit as an afterthought could derail your application.
Lastly, delayed responses to Requests for Information (RFIs) can halt the review process. Each outstanding request can delay it by up to 20 working days. To avoid this, assign a dedicated point of contact to handle RFIs promptly. Make sure your technology, compliance, and operations teams are fully aligned before submitting your application. This proactive approach can minimize internal inconsistencies and prevent additional regulatory inquiries.
User Trust and Operational Readiness
Obtaining a MiCA license doesn't just tick regulatory boxes - it actively protects crypto buyers while reinforcing the operational readiness that forms the backbone of the regulatory framework outlined in this guide.
Regulatory Compliance in Daily Operations
With a MiCA CASP license, platforms introduce critical safeguards into their daily operations, significantly enhancing user protection. One key measure is asset segregation, which requires licensed CASPs to keep client crypto and fiat funds separate from company funds. This ensures that user assets remain protected and recoverable at all times.
In addition to asset security, platforms must meet stringent AML (Anti-Money Laundering) and KYC (Know Your Customer) requirements. Compliance with the Transfer of Funds Regulation (TFR) ensures that both originator and beneficiary information is attached to crypto transfers. Moreover, adherence to the Digital Operational Resilience Act (DORA) requires firms to implement enterprise-level cybersecurity measures, maintain robust incident reporting systems, and establish effective business continuity plans to handle potential disruptions.
MiCA also prioritizes transparency by mandating clear fee disclosures, straightforward marketing practices, and accessible complaint resolution processes. This ensures users understand costs upfront and have a reliable way to address grievances. These measures collectively strengthen user confidence - a cornerstone of the MiCA licensing process.
"A license application may look like a paper exercise, but the regulator will keep you to your word. Don't use template policies and procedures that may look good but don't fit your organization in practice." - Willem Röell, Financial Regulatory Expert
By embedding these operational safeguards, platforms create a transparent and user-focused experience that aligns with the goals of the MiCA framework.
Kryptonim as a Regulated Platform Example
Kryptonim provides a real-world example of how MiCA compliance works in practice. Kryptonim, a fiat-to-crypto platform regulated within the EU, embodies the principles of MiCA by prioritizing asset protection, strict KYC protocols, and transparent pricing.
Its fee structure is straightforward: 2% per transaction for EU users and 4% for users outside the EU, with no hidden charges. This aligns perfectly with MiCA's emphasis on clear fee disclosures.
What sets Kryptonim apart is its user-friendly design. It allows customers to purchase crypto quickly without needing to create an account, while still adhering to verification standards. This seamless blend of accessibility and regulatory compliance exemplifies the kind of platform experience MiCA aims to foster across the EU crypto market.
Conclusion
Obtaining a CASP license under MiCA is no small task, but the rewards are undeniable. With just one authorization, platforms gain access to all 27 EU countries through passporting rights. Plus, being listed on the ESMA public register enhances trust among users and partners alike.
The shift to MiCA has transformed the EU crypto landscape. The number of registered VASPs has dropped dramatically - from over 11,000 under the old system to just 378 licensed CASPs as of March 12, 2026. For platforms that meet the requirements, this change offers a competitive advantage. On the flip side, failing to comply comes with steep penalties, especially with the July 1, 2026, deadline looming. Compliance is not optional; it's essential for staying in the game.
Preparation is the key to success. As NUR Legal aptly stated:
"The application is won or lost before submission."
This means regulators expect more than surface-level efforts. Platforms must demonstrate genuine readiness by employing local staff, maintaining a physical office, implementing tailored policies, and building strong AML and ICT frameworks. Regulators can easily spot the difference between a well-prepared platform and one simply going through the motions.
But licensing is only the beginning. Day-to-day compliance is equally important. Platforms need to focus on areas like asset segregation, cybersecurity measures aligned with DORA, transparent pricing, and regular reporting to National Competent Authorities. Companies like Kryptonim show that meeting these standards not only satisfies regulators but also enhances the user experience. When done right, regulation fosters trust and loyalty, giving platforms a long-term edge in the competitive EU market. By following these steps, platforms can position themselves for lasting success.
FAQs
Which MiCA CASP services does my business actually fall under?
If your business offers services such as custody and administration of crypto-assets, operating trading platforms, exchange services, executing orders, or placing crypto-assets for clients, it falls under MiCA's CASP (Crypto-Asset Service Provider) regulations. This applies regardless of whether your company is based within the EU or outside of it - serving EU clients brings these rules into play.
It's crucial to evaluate your activities thoroughly to understand the licensing requirements tied to your specific service model and operations.
How do I pick the best EU country to apply for a CASP license?
To determine the best EU country for obtaining a CASP license under MiCA, you'll need to weigh several factors, such as local regulatory demands, capital requirements, and governance standards. Many businesses lean toward Austria due to its streamlined process and the advantage of EU-wide passporting. Ultimately, the right choice depends on how well a jurisdiction aligns with your business model and operational objectives, while also ensuring full compliance with MiCA’s unified framework and the specific local regulations.
What are the top reasons CASP applications get delayed or rejected?
When applying for CASP (Crypto-Asset Service Provider) approval under MiCA, several common pitfalls can lead to delays or outright rejections. Here’s what often goes wrong:
- Incomplete or inaccurate documentation: Many applications fail because the required documents are either missing or contain errors. Attention to detail is key here.
- Governance and compliance challenges: Regulators expect applicants to demonstrate clear governance structures and ensure that key personnel meet the "fit-and-proper" criteria.
- Lack of preparation for regulatory scrutiny: Skipping pre-application audits or failing to anticipate regulatory questions can leave applicants unprepared.
- Misunderstanding the scope of services: Misdescribing or inaccurately defining the services offered can trigger concerns and complicate the review process.
- Regulatory backlog: Delays can also stem from the regulators themselves, as they deal with high volumes of applications and additional checks.
By addressing these issues upfront, applicants can improve their chances of a smooth review process.