MiCA CASP Licensing: The Definitive Guide to EU Crypto-Asset Service Provider Authorization
Obtaining Crypto-Asset Service Provider (CASP) authorization under MiCA is the gateway to operating in the world’s largest single market for regulated financial services. A single CASP authorization provides passported access to all 27 EU member states — representing over 450 million potential customers and the world’s second-largest economy. But the authorization process is demanding, requiring significant preparation, capital, and compliance infrastructure.
This guide provides a detailed roadmap for the CASP authorization process, covering every requirement, the expected costs, realistic timelines, and strategic considerations for choosing your home member state.
Understanding CASP Authorization
The Ten Crypto-Asset Services
MiCA Article 3(1)(16) defines ten services that require CASP authorization. Understanding which services your business provides is the first step in the authorization process, as requirements vary by service class:
Class 1 Services (EUR 150,000 minimum own funds):
- Operation of a trading platform for crypto-assets
- Exchange of crypto-assets for funds
- Exchange of crypto-assets for other crypto-assets
- Execution of orders for crypto-assets on behalf of clients
- Placing of crypto-assets
- Reception and transmission of orders for crypto-assets
- Providing transfer services for crypto-assets
Class 2 Services (EUR 125,000 minimum own funds):
- Custody and administration of crypto-assets on behalf of clients
Class 3 Services (EUR 50,000 minimum own funds):
- Providing advice on crypto-assets
- Providing portfolio management on crypto-assets
Most CASPs will seek authorization for multiple services. The highest minimum own funds requirement among the authorized services applies.
Who Needs CASP Authorization?
Any legal person or undertaking that provides one or more crypto-asset services on a professional basis within the EU must obtain CASP authorization. This includes:
- Crypto exchanges (centralized platforms matching buy and sell orders)
- Custody providers (holding crypto-assets on behalf of clients)
- Broker-dealers (facilitating client transactions)
- Advisory firms (providing investment recommendations regarding crypto-assets)
- Portfolio managers (managing portfolios of crypto-assets on behalf of clients)
- Payment service providers (transferring crypto-assets between parties)
Exemptions
Certain entities are exempt from separate CASP authorization:
- Credit institutions: Banks authorized under CRD IV may provide CASP services after notifying their competent authority (no separate authorization needed)
- Investment firms: MiFID-authorized firms may provide certain CASP services after notification
- Electronic money institutions: May provide certain CASP services related to EMTs
- UCITS management companies and AIFMs: May provide portfolio management and advice services
The Application Process
Step 1: Selecting Your Home Member State
The choice of home member state is strategically significant because:
- The home state’s national competent authority (NCA) will be your primary supervisor
- The home state’s implementation of MiCA transitional provisions affects your timeline
- Regulatory culture and processing speed vary among NCAs
- Language and operational considerations differ
Popular jurisdiction choices:
- France (AMF): Early MiCA implementation, established DASP (Digital Asset Service Provider) framework from pre-MiCA era, experienced with crypto licensing
- Germany (BaFin): Largest EU economy, established crypto custody licensing framework, rigorous but thorough
- Ireland (Central Bank of Ireland): English-speaking, favorable corporate tax environment, established fintech hub
- Lithuania (Bank of Lithuania): Efficient licensing process, lower operational costs, pre-MiCA experience with crypto licensing
- Luxembourg (CSSF): Established fund administration and custody hub, favorable for investment-related CASP services
- Netherlands (AFM/DNB): Pre-MiCA crypto registration experience, sophisticated regulatory framework
Step 2: Pre-Application Preparation
Before filing the formal application, prepare:
Legal Entity:
- Establish an EU legal entity in the chosen home member state
- The entity must have its registered office and head office in the same member state
- Appoint directors and key personnel who meet fitness and propriety requirements
Governance Framework:
- Board of directors with adequate collective knowledge and experience
- Clear organizational structure with defined responsibilities
- Policies for managing conflicts of interest
- Internal control mechanisms
Compliance Infrastructure:
- AML/CFT compliance program (per the Transfer of Funds Regulation and national AML laws)
- Data protection compliance (GDPR)
- Complaint handling procedures
- Outsourcing policies and agreements
- Business continuity and disaster recovery plans
Technology Infrastructure:
- Secure custody systems (for custody CASPs)
- Trading platform infrastructure (for exchange CASPs)
- Cybersecurity frameworks
- Record-keeping systems
Step 3: Formal Application
The application must contain:
Corporate Information:
- Legal name, LEI, website, and contact details
- Articles of association
- Organizational chart showing the internal structure and relationships with parent companies, subsidiaries, and affiliates
- Identification of all shareholders with qualifying holdings (10% or more)
- Description of the governance arrangements
Management and Personnel:
- Identity and proof of fitness and propriety of members of the management body
- Identity of persons responsible for internal control functions
- CVs and criminal record checks for key personnel
- Evidence that the management body has adequate collective knowledge, skills, and experience
Business Plan:
- Detailed description of each crypto-asset service to be provided
- Types of crypto-assets involved
- Marketing and distribution strategy
- Target customer segments
- Projected financial statements for the first three years
- Description of pricing policy
Prudential Information:
- Evidence of own funds meeting the minimum requirements
- Description of the safeguarding arrangements for client assets
- Insurance policy or equivalent guarantee (where applicable)
Compliance Programs:
- AML/CFT policies, procedures, and controls
- Complaint handling procedures
- Conflicts of interest policy
- Outsourcing arrangements
- Business continuity plan
- ICT security policies (per DORA requirements)
Step 4: Assessment and Decision
Completeness check: The NCA has 25 working days from receipt to assess whether the application is complete. If incomplete, the NCA requests additional information, and the applicant has a specified period to respond.
Assessment period: The NCA has 40 working days from the completeness determination to assess the application and make a decision. This period may be extended by 20 working days for complex applications.
Decision: The NCA either grants authorization (with or without conditions), or refuses authorization with a statement of reasons. The applicant may appeal a refusal.
ESMA registration: Upon authorization, the CASP is entered in the ESMA public register of authorized CASPs, which is the official record of all authorized entities across the EU.
Cost Analysis
Direct Costs
| Cost Category | Estimated Range |
|---|---|
| Application fee (NCA-dependent) | EUR 5,000 - EUR 50,000 |
| Legal counsel (EU regulatory specialists) | EUR 100,000 - EUR 300,000 |
| Compliance program development | EUR 50,000 - EUR 200,000 |
| Technology infrastructure setup | EUR 100,000 - EUR 500,000 |
| AML/CFT system implementation | EUR 50,000 - EUR 150,000 |
| Capital requirement (initial own funds) | EUR 50,000 - EUR 150,000 |
| Personnel (compliance, legal, operations) | EUR 200,000 - EUR 500,000/year |
| Total initial investment | EUR 555,000 - EUR 1,850,000 |
Ongoing Costs
| Cost Category | Annual Estimate |
|---|---|
| Regulatory fees and levies | EUR 10,000 - EUR 100,000 |
| Compliance personnel | EUR 150,000 - EUR 500,000 |
| AML/CFT monitoring and reporting | EUR 50,000 - EUR 200,000 |
| External audit and assurance | EUR 30,000 - EUR 100,000 |
| Insurance | EUR 20,000 - EUR 100,000 |
| Technology maintenance | EUR 50,000 - EUR 200,000 |
| Legal and regulatory advice | EUR 50,000 - EUR 150,000 |
| Total annual ongoing | EUR 360,000 - EUR 1,350,000 |
Ongoing Obligations
Conduct of Business
Authorized CASPs must continuously comply with:
- Duty of care: Act honestly, fairly, and professionally in the best interest of clients
- Information and transparency: Provide fair, clear, and not misleading information
- Risk warnings: Warn clients about the risks of crypto-assets
- Pricing transparency: Publish pricing policies and fee schedules
- Best execution: Execute client orders on the most favorable terms
- Suitability assessment: For advisory and portfolio management services, assess whether the service is suitable for the client
Record-Keeping
CASPs must maintain records of:
- All crypto-asset services, activities, orders, and transactions
- Client agreements and communications
- Complaints and their resolution
- For a minimum of 5 years (member states may require longer)
Reporting
Ongoing reporting obligations include:
- Regular prudential reporting to the NCA
- AML/CFT reporting (SARs, transaction monitoring reports)
- Annual financial statements
- Notification of material changes to authorized information
- Incident reporting (cybersecurity and operational incidents per DORA)
What This Means for Your Business
For firms seeking EU market access: Start the preparation process now. The 40-working-day assessment period is only the formal review — preparation typically takes 6-12 months. The total timeline from decision to launch is 9-18 months.
For existing national licensees: Use the transitional period to apply for MiCA authorization. Your existing national license provides continued operation during the transition, but you must obtain MiCA authorization before the transition period ends.
For non-EU firms: You must establish an EU entity with its registered office and head office in the same member state. Plan your EU corporate structure, hire local personnel, and build compliance infrastructure before applying.
For compliance officers: MiCA’s ongoing obligations are comprehensive and prescriptive. Build compliance monitoring systems that track all obligations continuously, not just at authorization. The NCA will examine your ongoing compliance through regular and ad hoc supervisory activities.