MiCA for crypto asset service providers: what authorisation actually requires
CASP authorisation under MiCA is a full financial services licence, not a registration. This guide covers what national competent authorities assess, what documentation is required, how long the process takes, and what to consider when choosing a home member state.
From registration to licence: what changed under MiCA
Before MiCA, crypto firms operating in the EU were subject to a patchwork of national frameworks. In most member states, this meant registration as a virtual asset service provider (VASP) under anti-money laundering rules. The threshold was low: demonstrate basic AML and counter-terrorist financing controls, register with the national authority, and you could operate. There was no passporting, no capital requirement, no governance standard that applied across borders.
MiCA replaced that system. From 30 December 2024, any firm providing crypto-asset services to EU clients must hold a CASP authorisation issued by a national competent authority (NCA). A VASP registration no longer satisfies the legal requirement. A CASP authorisation is a full financial services licence, with capital requirements, governance obligations, conduct rules, and ongoing supervision. The comparison is to a MiFID investment firm authorisation, not to a registration regime.
For existing firms, a transitional provision allowed those legally operating under national law before 30 December 2024 to continue doing so while seeking MiCA authorisation. The maximum transitional period runs to 1 July 2026. Most member states set shorter deadlines, and for the majority of jurisdictions that window is now closed or closing. Firms that have not obtained authorisation, or do not have a timely application in progress, are operating without a legal basis.
This article covers what authorisation actually requires: what NCAs assess, what documents the application must contain, what the process looks like, and how to think about jurisdiction selection.
For background on MiCA’s overall scope and the services it regulates, see what is MiCA and who does it affect. For the key dates and transitional deadlines, the MiCA compliance deadline tracker is the reference.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
What authorisation is not
A MiCA CASP application is not a form submission. It is a structured dossier, typically running to hundreds of pages, that makes the case that the applicant can meet every obligation MiCA imposes, across governance, capital, operations, AML, ICT, client protection, and conduct. The NCA’s starting position is sceptical. The burden is on the applicant to demonstrate readiness, not on the regulator to identify deficiencies and give the applicant time to fix them.
Generic templates do not work. An AML policy copied from a standard framework will not satisfy ESMA’s Level 2 technical standards, which require the programme to map directly to the applicant’s specific user flows, onboarding processes, and risk profile. A business plan that projects unrealistic growth curves will be flagged during review. A governance structure that looks coherent on an org chart but does not reflect actual accountability will attract scrutiny during fit and proper assessments. NCAs return incomplete applications without beginning the substantive review clock.
The formal timeline under MiCA is 25 working days for the NCA to assess whether an application is complete, and 60 working days for substantive assessment from the date the application is deemed complete. In practice, most applications take between four and twelve months from submission to decision, because the NCA can pause the assessment clock to request additional information. Applications with significant gaps can cycle through multiple rounds of questions before the clock resumes.
What the application must contain
The application requirements are set out in MiCA itself and in the implementing technical standards published by ESMA. Commission Implementing Regulation (EU) 2025/306 specifies the standard forms, templates, and procedures for CASP authorisation applications. The core components are as follows.
Service classification and legal analysis
Before anything else, the application must map the applicant’s specific business model to MiCA’s service definitions. MiCA defines ten regulated CASP services, and the authorisation scope is determined by which services the applicant seeks to provide. The NCA cannot assess which capital tier applies, which conduct obligations are relevant, or which policies need to be in place without a precise classification analysis. Applications that submit a generic description of the business without mapping it to specific MiCA service categories are returned at the completeness check stage.
Where a business model involves services that overlap with payment services regulated under PSD2, or investment services regulated under MiFID II, a dual-licensing analysis is required. CASPs whose transfer service architecture involves fiat fund movement or the holding of client fiat balances may need an Electronic Money Institution or Payment Institution authorisation alongside the CASP licence.
Programme of operations
This is the substantive core of the business plan. It must set out the types of crypto-asset services the applicant intends to provide, the crypto-assets involved, the commercial strategy, and a three-year financial forecast. Projections must be grounded in realistic assumptions. The NCA assesses whether the business plan demonstrates a credible path to maintaining regulatory capital on an ongoing basis, not just at the point of authorisation.
Governance and fit and proper documentation
MiCA requires that members of the management body of a CASP are of sufficiently good repute and possess appropriate knowledge, skills, and experience individually and collectively. The application must include an organisational chart, details of the management body, and individual fit and proper documentation for each director, the money laundering reporting officer, and any beneficial owner holding more than ten percent of the applicant.
Fit and proper documentation typically includes criminal record certificates, CVs with detailed professional history, references, and a personal statement addressing the specific knowledge and experience requirements. In practice, NCAs assess fitness and propriety rigorously. Management candidates without relevant financial services experience, or with undisclosed prior regulatory or legal issues, are the most common source of rejection at this stage.
Internal policies and procedures
The application must include complete, implemented policy documentation across all areas MiCA and its technical standards regulate. The areas that most frequently cause delays when missing or underspecified include:
AML and counter-terrorist financing: the programme must describe the applicant’s customer due diligence process in detail, including how it handles high-risk customers, politically exposed persons, and the travel rule requirements under the Transfer of Funds Regulation. A generic policy template does not satisfy this requirement.
Safeguarding of client assets: the application must demonstrate how client crypto-assets and fiat funds are segregated from the firm’s own assets, including custody agreements, sub-custody arrangements where applicable, and the reconciliation procedures used to maintain accurate client records. NCAs expect this to be resolved in detail before submission, not outlined as a plan to be implemented after authorisation.
Conflicts of interest: firms providing multiple services, or firms where individuals hold multiple roles, must have documented policies identifying, disclosing, and managing conflicts. This is an area where ESMA has issued specific technical standards (Commission Delegated Regulation (EU) 2025/1142) and where the CASP’s specific service combination is what drives the policy content.
ICT and operational resilience: from 17 January 2025, licensed CASPs are subject to DORA. The application must address ICT risk management, incident reporting procedures, third-party provider oversight, and operational resilience testing. Business continuity and disaster recovery plans are required for systems supporting critical functions.
Complaints handling: the application must demonstrate a complaints process that meets the requirements in Commission Delegated Regulation (EU) 2025/294.
Capital documentation
Capital must be fully paid up before the NCA can grant authorisation. The minimum capital thresholds under MiCA are:
| Services provided | Minimum capital |
|---|---|
| Advisory services only | EUR 50,000 |
| Custody, exchange for fiat, exchange for other crypto-assets, execution of orders, placing, reception and transmission of orders, transfer services, portfolio management | EUR 125,000 |
| Operation of a trading platform | EUR 150,000 |
For firms providing services across multiple tiers, the highest applicable threshold applies. These are floors, not targets. Where the firm’s fixed overheads exceed four times the minimum capital, the firm must hold own funds equal to at least one quarter of its fixed overheads.
The capital documentation includes audited or reviewed financial statements, a description of capital monitoring processes, and confirmation of how ongoing capital adequacy will be maintained.
What NCAs assess beyond the documentation
ESMA published a peer review report in 2025 examining CASP authorisation practice at the Malta Financial Services Authority. ESMA cannot direct NCAs to change their supervisory approach, but the peer review mechanism creates public and political pressure, and its findings signal what ESMA considers the correct standard. NCAs participate in the ESMA forums where those expectations are developed and most adjust their practice accordingly. The areas the report identified as warranting particular focus are:
Business plans assessed in a forward-looking manner, taking into account expected growth and associated risks. A business that is small at application but projecting rapid growth is assessed against what it will need to look like at that scale, not just what it looks like today.
Governance and intragroup arrangements. Where the applicant is part of a group structure, the NCA assesses how governance responsibilities flow between entities, whether the CASP has genuine decision-making autonomy, and whether intragroup ICT and service arrangements are managed as third-party relationships under DORA.
ICT architecture and security. NCAs review ICT systems, including business continuity, in light of DORA. Functions and services most critical to the CASP’s business model receive particular attention. The NCA will assess whether the applicant can demonstrate that its systems are resilient and that it can respond effectively to a security incident.
The peer review also reflects ESMA’s broader supervisory convergence work, which aims to align NCA practice across member states through guidelines, shared forums, and published expectations. ESMA cannot compel NCAs to apply a specific standard, but the convergence programme means that material differences in how authorisations are assessed have become harder to sustain. Choosing a jurisdiction on the assumption that its NCA applies lower standards is an increasingly unreliable strategy.
Choosing a home member state
Because a CASP authorisation passports across all 27 EU member states, jurisdiction selection determines which NCA the firm deals with for authorisation and ongoing supervision. The choice matters in practice, even if the regulatory standards are converging.
The factors that drive sensible jurisdiction selection are:
NCA capacity and processing time. Some NCAs have built specialist teams for CASP authorisation and have developed clear, documented processes. Others are handling MiCA authorisation alongside their existing supervisory responsibilities without significant additional resource. Processing times vary materially.
The firm’s existing legal and corporate infrastructure. Where the applicant already has an established legal entity, local corporate counsel, and existing banking relationships in a member state, that may outweigh marginal differences in NCA processing time.
The nature of the business model. Some NCAs have developed particular familiarity with specific CASP models. Germany has processed a significant number of custodians and bank-affiliated CASPs. The Netherlands has handled a high volume of on-ramp and brokerage models. Luxembourg processed several large global exchanges seeking rapid passporting reach. Malta has a concentration of large trading platforms.
The dual-licensing question. Where the business model may require an EMI or PI authorisation alongside the CASP licence, the NCA’s approach to coordinating the two processes is relevant.
What jurisdiction selection does not do is substitute for substantive compliance readiness. ESMA’s supervisory convergence work is pushing NCA practice toward a common baseline, and the gap between what different member states expect of applicants has narrowed materially since MiCA’s CASP provisions came into force.
The simplified procedure for existing regulated entities
Entities already authorised under EU financial regulation as credit institutions, investment firms, e-money institutions, payment institutions, UCITs management companies, or alternative investment fund managers can provide certain crypto-asset services under a simplified notification procedure rather than the full authorisation process. The notification must be made to the relevant NCA, and the relevant technical standards specify what information must be included (Commission Delegated Regulation (EU) 2025/303 and Commission Implementing Regulation (EU) 2025/304).
This is not a blanket exemption. The notification procedure covers the services that fall within the scope of the entity’s existing authorisation, and the firm remains subject to MiCA’s conduct and client protection requirements for those services. Where the firm seeks to provide services that go beyond its existing regulated activities, the full CASP authorisation process applies for those additional services.
What to watch in 2026
The transitional period for most member states is at or near its end. The enforcement posture of NCAs is expected to become more active in the second half of 2026 as the remaining transitional provisions expire and the full authorisation regime is universally in effect.
ESMA’s ongoing supervisory convergence work means that the standards applied across member states will continue to move towards a common baseline. Firms that obtained authorisation in a jurisdiction perceived as lenient should expect increasing supervisory scrutiny as convergence progresses.
The interaction between MiCA and DORA continues to generate practical complexity, particularly around third-party ICT arrangements and the treatment of intragroup services. ESMA’s Q and A process is the main mechanism for resolving interpretive questions, and firms should monitor ESMA publications actively.
The intersection of MiCA and the AI Act is a further area developing throughout 2026. CASPs using AI systems in customer onboarding, credit assessment, fraud detection, or trading functions may be subject to both regimes. The EU AI Act and financial services article covers this in more detail.
Forseti monitors MiCA implementation guidance, ESMA supervisory convergence publications, and CASP authorisation developments continuously, anchored to verified official sources. Start for free.
Subscribe for news updates.
The Carbon Border Adjustment Mechanism puts a carbon price on imports of steel, aluminium, cement, fertilisers, electricity, and hydrogen into the EU. This guide explains how it works, what the definitive phase requires from January 2026, and what non-EU exporters need to do to stay competitive.