How long does MiCA CASP authorisation take?

The authorisation process typically takes 3 to 6 months from submission of a complete application. The NCA has 25 business days to assess completeness, then up to 40 business days to grant or refuse authorisation. In practice, NCAs frequently request additional information, which pauses the clock and extends timelines.

How much capital do I need for a MiCA CASP licence?

MiCA sets three capital tiers: €50,000 for custody and transfer services; €125,000 for exchange, portfolio management, and advice services; €150,000 for operating a trading platform or placing crypto-assets. These are minimum requirements — NCAs may require higher capital based on business risk.

Can I passport my MiCA CASP licence across the EU?

Yes. Once you hold MiCA authorisation from one EU member state, you can provide services across all 27 member states by notifying your home NCA under Article 65 of MiCA. The NCA forwards the notification to the host member state NCAs, and you can typically start providing services within one month.

Which EU country is best for MiCA CASP authorisation?

The optimal jurisdiction depends on your business model, timeline, and budget. Malta, Luxembourg, France, and Estonia are frequently chosen. Germany and the Netherlands have issued the most licences to date. Factors include processing speed, NCA responsiveness, local legal costs, and ongoing supervisory expectations.

CASP Licence Requirements 2026: Complete EU Guide

What is a CASP under MiCA

A Crypto-Asset Service Provider (CASP) is a regulated entity authorised under Title V of MiCA to provide one or more of ten defined crypto-asset services to clients in the EU. Every crypto exchange, custodial wallet provider, OTC desk, trading venue operator, and crypto advisory firm serving European users needs — or will soon need — a CASP licence.

Before MiCA, crypto service providers in the EU operated under a patchwork of national regimes — BaFin registration in Germany, PSAN in France, VASP registration in various other states. MiCA replaces these with a unified CASP authorisation valid across all 27 Member States. The trade-off: the new regime is substantially more rigorous than most previous national frameworks.

The CASP authorisation is a full prudential licence, not a registration. This means:

You must submit a detailed application package before commencing services
Your management must pass fit-and-proper tests
You must maintain minimum capital requirements proportional to your activities
You are subject to ongoing supervision by a national competent authority (NCA)
Client assets must be segregated and safeguarded
You must have governance, risk management, AML, and operational resilience frameworks in place

Key point: The CASP authorisation is entity-specific, not service-specific. Your entity gets authorised to provide specific services listed in the licence. Adding new services later requires a licence amendment.

The ten CASP service categories

Under Article 3(1)(16) MiCA, the following ten activities constitute "crypto-asset services" and trigger CASP authorisation when provided in the EU. Understanding which categories apply to your business model is the first step in scoping your CASP application.

1. Custody and administration of crypto-assets on behalf of clients

This is the most common CASP service and applies to any entity that holds or controls crypto-assets for third parties. Wallet providers, exchanges that hold customer deposits, staking services that take custody — all trigger this category. It requires the most stringent capital and operational controls of any CASP service.

2. Operation of a trading platform for crypto-assets

This covers centralised exchanges that match buy and sell orders. If you run a matching engine, order book, or similar venue, you fall here. Non-custodial DEX frontends that don't operate a matching engine but facilitate peer-to-peer trades may or may not fall here depending on specifics — this is an area of active regulatory debate.

3. Exchange of crypto-assets for funds

Buying and selling crypto for fiat currency. Fiat on/off-ramps are explicitly covered. This applies whether you're operating as principal (acting for your own account) or as agent (facilitating third-party trades).

4. Exchange of crypto-assets for other crypto-assets

Swap services — BTC for ETH, USDC for SOL — fall here. Many DEX aggregators and swap widgets trigger this category when they provide the service to EU users.

5. Execution of orders for crypto-assets on behalf of clients

Broker-style services where you execute client orders on a trading venue. Similar to MiFID II-style brokerage but for crypto-assets.

6. Placing of crypto-assets

Helping an issuer distribute their crypto-assets to investors, whether on a firm commitment or best-efforts basis. Crypto-native investment banks and token launch platforms fall here.

7. Reception and transmission of orders for crypto-assets on behalf of clients

Receiving client orders and transmitting them to another entity for execution. This is a common intermediary service used by wealth managers and retail-facing brokers.

8. Providing advice on crypto-assets

Personalised advice about buying, selling, or holding specific crypto-assets. Mass-market content and research is generally not advice in the regulatory sense — personalised recommendations are.

9. Providing portfolio management on crypto-assets

Managing crypto portfolios on behalf of clients on a discretionary basis. Robo-advisory services operating in crypto fall here.

10. Providing transfer services for crypto-assets on behalf of clients

Moving crypto-assets from one address to another on behalf of clients. This can overlap with custody services and has significant AML implications under the Travel Rule.

Planning tip: Most real businesses provide several CASP services simultaneously. A crypto exchange typically covers custody (1), trading platform operation (2), fiat exchange (3), crypto-to-crypto exchange (4), and order execution (5). Your application must list each service you intend to provide.

Who needs CASP authorisation

CASP authorisation is required when you provide any of the ten services listed above to clients in the Union on a professional basis. Three elements matter:

Service provided — One or more of the ten listed activities
Clients in the EU — Services directed at or provided to EU residents
Professional basis — Commercial activity, not one-off personal transactions

The "clients in the EU" element is broader than many founders realise. An exchange incorporated in Singapore that accepts EU residents without restriction is providing services in the EU and triggers CASP requirements. Geoblocking and enforced KYC exclusions are the only reliable ways to stay outside scope.

Who does not need CASP authorisation

The following are typically outside the CASP regime:

Pure infrastructure providers — Node operators, RPC providers, blockchain indexers. Providing infrastructure that happens to be used by crypto services is not itself a crypto-asset service.
Genuinely decentralised protocols — Per Recital 22 of MiCA, fully decentralised services without an identifiable service provider may fall outside scope. The bar for "fully decentralised" is high.
Credit institutions, investment firms, and other regulated entities — Under Article 60 MiCA, entities already authorised under MiFID II, the Banking Directive, or other EU financial regulation can provide certain crypto-asset services through a notification procedure rather than full CASP authorisation.
Activities conducted entirely outside the EU — With genuine geoblocking and no marketing to EU residents.

Capital requirements by service type

CASP capital requirements are set out in Article 67 MiCA and Annex IV. They scale with the riskiness of the service. Every CASP must maintain minimum own funds equal to the higher of:

The fixed initial capital requirement for its service class
One-quarter of fixed overheads of the preceding year

Initial capital requirements by class

Annex IV MiCA defines three classes of CASP, each with its own minimum initial capital requirement. The classes reflect the risk profile of the services provided — custody and exchange carry the highest prudential requirements because they involve direct exposure to client assets.

Class	Services covered	Minimum initial capital
Class 1	Reception and transmission of orders, execution of orders, placing, advice, portfolio management, transfer services	EUR 50,000
Class 2	Operation of a trading platform for crypto-assets	EUR 125,000
Class 3	Custody and administration of crypto-assets, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets	EUR 150,000

If your business provides services spanning multiple classes, the highest applicable minimum applies. A custodial exchange that provides custody (Class 3), exchange services (Class 3), and operates a trading platform (Class 2) must meet the EUR 150,000 threshold.

Practical note: these are minimum floors, not realistic operational capital. Most CASPs raise substantially more to cover:

Operational cash flow requirements (typically 12-18 months runway)
Liquidity buffers for exchange operations
Insurance premiums for custody activities
Technology infrastructure and cybersecurity investments
Ongoing compliance and legal costs

Reality check: While the regulatory minimum for a custodial exchange is EUR 150,000, the realistic operational capital to run a compliant exchange is in the millions. NCAs look at whether your capital base is credible for the scale of activity you propose — and client asset safeguarding, insurance coverage, and DORA-grade ICT resilience all demand substantial funding beyond the regulatory floor.

Unsure which CASP services you need?

Compliora AI analyses your business model against all ten CASP service categories, plus MiFID II, PSD2 and AIFMD boundaries. Get a clear roadmap of which authorisations you actually need.

Start Assessment →

€49 · No signup required

Governance and fit-and-proper requirements

Beyond capital, MiCA imposes significant governance requirements on CASPs. Under Articles 68 and 71 MiCA, the persons running a CASP must satisfy fit-and-proper tests, and the organisation must meet structural governance standards.

Fit-and-proper requirements for management

Every member of the management body must be:

Of sufficiently good repute — no disqualifying criminal convictions, no relevant regulatory breaches, no bankruptcies or commercial failures that suggest unfitness
Possess appropriate knowledge, skills and experience — relevant to managing a crypto-asset service provider, including financial, governance, and technology competencies
Able to commit sufficient time to performing their functions
Collectively the management body must have adequate diversity of knowledge and experience

NCAs typically require:

Full CVs for all directors and senior managers
Criminal record certificates from every jurisdiction where management has lived in the past 10 years
Professional references
Confirmation of no pending regulatory or civil proceedings
Disclosure of all other directorships and commitments

Governance structure requirements

The CASP must have:

A management body with ultimate responsibility for the firm's strategy and risk management
Clear division of responsibilities between management and operational functions
Independent risk management, compliance, and internal audit functions
A conflicts of interest policy covering the firm, its management, and its clients
Segregation of duties to prevent unauthorised activities or errors
A remuneration policy that does not encourage excessive risk-taking

Operational and prudential requirements

MiCA requires CASPs to maintain specific operational standards under Articles 68 to 83. The key obligations include:

Client asset safeguarding

Under Article 70 MiCA, CASPs holding client crypto-assets must:

Segregate client assets from the firm's own assets at all times
Maintain accurate records of each client's holdings
Return client assets promptly on request
Not use client assets for their own account or for lending without explicit client consent
Implement custody controls including cryptographic key management, multi-signature arrangements, and cold storage for significant balances

AML, CFT and Travel Rule compliance

CASPs are obliged entities under the EU Anti-Money Laundering framework. From 2025 onwards, the new AML Regulation applies alongside MiCA. Requirements include:

Client due diligence (CDD) and enhanced due diligence for higher-risk clients
Beneficial ownership identification
Suspicious transaction reporting to national FIUs
The Travel Rule under Regulation (EU) 2023/1113 — transmitting originator and beneficiary information for all crypto-asset transfers
Ongoing monitoring and risk-based approaches
Designation of a compliance officer (MLRO) who reports directly to senior management

ICT risk and operational resilience

CASPs are subject to the Digital Operational Resilience Act (DORA), which applies alongside MiCA. DORA requires:

ICT risk management frameworks
Incident reporting to national authorities
Threat-led penetration testing for significant entities
Third-party risk management for critical ICT providers
Business continuity and disaster recovery planning

Market abuse prevention

Under Articles 88-92 MiCA, trading platform operators must have systems and controls to detect and prevent market abuse — insider trading, market manipulation, and the communication of misleading information. This includes order surveillance and the capacity to suspend trading in abusive cases.

Documentation the regulator expects

The CASP application package is substantial. NCAs typically expect:

Programme of operations — Detailed description of services to be offered, target clients, geographic scope, expected volumes
Business plan — Three-year financial projections, revenue model, cost structure, capital plan
Governance documentation — Organisation charts, board composition, committee structure, policies and procedures manual
Shareholder information — Beneficial ownership structure, share capital details, identification of qualifying shareholders
Fit-and-proper documentation for management and key function holders
Risk management framework — Risk identification, measurement, monitoring, and mitigation
AML/CFT manual — Client risk scoring, CDD procedures, transaction monitoring, STR workflows
Technology documentation — System architecture, custody arrangements, cybersecurity measures, DORA compliance
Client terms and communications — Client agreements, fee schedules, complaint handling procedures, marketing communications
Capital evidence — Proof of initial capital, liquidity arrangements

Altogether, a complete CASP application typically runs to 500-1,500 pages of documentation. Preparation time averages 3-6 months even for well-resourced applicants.

The CASP application process step by step

The typical CASP application flow runs as follows:

Jurisdictional choice — Select your home Member State. This is the NCA that will supervise your firm. Considerations include the NCA's experience, timeliness, fees, language requirements, and local business presence expected.
Pre-application engagement — Most NCAs offer pre-submission meetings. This is valuable: it lets you validate your scope, business model, and application approach before full submission.
Document preparation — 3-6 months of work assembling the application package.
Formal submission — Submitting the complete package to the NCA, often via a dedicated regulatory portal.
Completeness review — Under Article 63(2) MiCA, the NCA has 25 working days from receipt to confirm whether the application is complete. If incomplete, the NCA sets a deadline for the applicant to provide missing information.
Substantive assessment — Under Article 63(9) MiCA, once the application is deemed complete, the NCA has 40 working days to adopt a fully reasoned decision granting or refusing authorisation. During this period, under Article 63(12), the NCA may request further information up to the 20th working day and suspend the review period for up to 20 working days while waiting for the response.
Authorisation and registration — Successful applicants receive their authorisation and are entered in the ESMA public register of CASPs.
Commencement of services — The firm can begin providing the authorised services.

Timeline, costs and which NCA to choose

Realistic timelines and costs vary significantly:

Total timeline from decision to live services

Preparation: 3-6 months for documentation
Pre-application engagement: 1-2 months
NCA review: Up to 65 business days formally (around 3 months), but in practice often 4-8 months including information requests
Total realistic timeline: 9-15 months from decision to authorisation for most applicants

Typical cost breakdown

External legal fees: EUR 150,000 - 500,000 for specialist counsel
NCA application fees: EUR 5,000 - 50,000 depending on jurisdiction
Ongoing supervisory fees: EUR 10,000 - 100,000+ annually
Internal staff time: Equivalent to 2-3 FTEs for 6-12 months
Infrastructure and technology: Custody, AML, surveillance systems — six to seven figures for an exchange
Insurance: Professional indemnity and crime insurance, typically EUR 50,000 - 250,000 annually

Total cost for a serious CASP operation from kickoff to authorisation: EUR 500,000 to EUR 2,500,000+, depending on complexity and service scope.

Which NCA should you choose?

The choice of home Member State materially affects timeline, process, and cost. The most active MiCA jurisdictions so far:

Jurisdiction	NCA	Notes
Germany	BaFin	Established crypto regulator (ex-KWG), high bar, longer timelines
France	AMF	Mature PSAN experience, relatively efficient, English-friendly
Netherlands	AFM / DNB	Generally pragmatic, tech-friendly
Ireland	CBI	English-language, fintech hub, tight capacity constraints
Malta	MFSA	Crypto-friendly history, faster for straightforward cases
Luxembourg	CSSF	Sophisticated regulator, suited to institutional-grade applicants

Passporting CASP services across the EU

One of MiCA's most valuable features is the EU passport. Under Article 65 MiCA, an authorised CASP can provide services in any other EU Member State by notifying its home NCA of the intention to passport.

The passporting mechanics:

You notify your home NCA of the Member States you intend to serve and the services to be provided there
Your home NCA forwards the notification to the host NCA within a short timeframe (typically 10 business days)
You can commence services in the host Member State shortly after — often immediately

Passporting is a one-way channel: your home NCA remains your supervisor. Host states can only intervene in narrow circumstances, primarily consumer protection in their territory.

Strategic implication: Because passporting is efficient, the choice of home Member State matters enormously. A well-chosen home NCA gives you access to all 27 markets with a single supervisor relationship.

Ongoing compliance after authorisation

CASP authorisation is the beginning, not the end. Ongoing obligations include:

Periodic reporting to your home NCA — quarterly and annual returns covering financials, operational metrics, complaints, incidents
Material change notifications — Any significant change to business model, ownership, management, or services requires advance notification and often NCA approval
Annual audit — Financial statements audited by a qualified external auditor
AML reporting — STRs to FIUs, annual AML compliance reports
DORA reporting — ICT incidents, third-party registers, resilience testing results
Market abuse monitoring — Ongoing surveillance for trading platforms
ESMA contributions — Transaction data and registry updates where applicable
Ongoing capital monitoring — Continuous maintenance of own funds above the regulatory minimum

The ongoing compliance burden typically requires 2-10 dedicated compliance FTEs depending on the scale of the CASP. Large exchanges run compliance teams of 50+ people.

Conclusion: is CASP authorisation the right path for you?

CASP authorisation is a serious commitment. It requires substantial capital, months of preparation, skilled management, and an ongoing compliance function. For many Web3 founders, the first practical question is whether they genuinely need CASP status — or whether their business model can be structured to fall outside MiCA scope.

Some patterns we see among serious EU crypto operators:

Full CASP route — Large exchanges, institutional custody providers, regulated DeFi frontends. Committed long-term EU presence.
MiFID investment firm route — For entities offering crypto services alongside traditional financial services. MiFID II firms can provide certain CASP services under the notification regime in Article 60 MiCA.
Restructure outside scope — Decentralising operations, limiting services to wholesale counterparties, geoblocking EU users. Narrows addressable market but avoids regulatory cost.
B2B2C model — Provide technology to authorised CASPs without being a CASP yourself. Infrastructure plays.

The right path depends on your specific business model, funding, timeline, and strategic goals. If you want a structured analysis of whether CASP authorisation applies to your project — and if so, which services and which jurisdiction make most sense — Compliora AI provides that assessment in five minutes.

Plan your CASP authorisation with clarity

Run your business model through Compliora AI's 5-agent legal pipeline. Identify which CASP services you need, which alternative structures might work, and what the next 12 months should look like.

Start Assessment →

€49 · No subscription · No signup required