Germany Crypto Custody License in 2026: From KWG to MiCA
A 2026 deep dive into Germany's crypto-custody regime: the 2020 KWG §1(1a) sentence 2 no. 6 licence, migration to MiCA CASP, BaFin supervision, the expired 31 December 2025 transitional period, named licensees (Bitpanda Asset Management) and what to do now.
Germany was the first major EU country to license crypto custody
From 1 January 2020 Germany brought crypto custody business under the Banking Act (Kreditwesengesetz, KWG) by adding a new financial service to §1(1a) sentence 2 no. 6 KWG: "the safekeeping, administration and securing of crypto-assets or private cryptographic keys which serve to hold, store or transfer crypto-assets, for others". Any firm providing crypto custody for third parties in Germany needed a BaFin licence under KWG section 32. The regime applied to banks, financial services institutions and foreign firms targeting German clients.
The German crypto-custody licence was a world first. It gave German banks (Solaris, Coinbase Europe, BV Crypto, Bitpanda, Boerse Stuttgart, DekaBank and others) a clear regulatory path for institutional crypto custody three years before MiCA. By 2024, more than a dozen German-authorised crypto custodians existed.
Let's discuss your project and see how we can launch your German MiCA-ready crypto custody product together
Request demoWhat MiCA changed
From 30 December 2024, MiCA Title V (CASPs) started to apply across the EU. The German KWG crypto-custody licence became a national regime superseded by MiCA. Germany also amended KWG and published the Financial Market Digitalisation Act (FinmadiG) in late 2024 to integrate MiCA into German law.
Existing KWG crypto-custody licensees had a grandfathering window until 31 December 2025, shorter than the EU-wide 1 July 2026 backstop. During the window they could continue operating while filing an Article 60 or full MiCA CASP application.
After 31 December 2025, the German grandfathering expired. Firms without a granted MiCA CASP authorisation in Germany now operate illegally unless they passport in from another EU Member State under a MiCA licence.
The current state: MiCA CASP in Germany
New applicants for crypto-custody services in Germany apply directly for a MiCA CASP authorisation under Article 62 of MiCA, supervised by BaFin. The capital classes are the standard MiCA Annex IV:
- Class 2 (custody and administration). EUR 125,000 initial capital plus one quarter of fixed overheads as ongoing own funds.
- Class 3 (custody plus operation of a trading platform). EUR 150,000.
BaFin authorised approximately 18 MiCA CASPs by early 2026, the largest population in the EU. Named firms include Bitpanda Asset Management GmbH.
Typical BaFin CASP timelines: 6 to 12 months for fresh applicants. Firms with a prior KWG crypto-custody licence or a MiFID or banking licence can use the Article 60 simplified notification, which collapses the clock to 40 working days plus 20 extension.
Substance and operational reality
- Local entity. German GmbH or AG with registered office in Germany.
- Management board. Two Geschäftsführer, at least one resident in Germany, both BaFin-approved.
- Key function holders. MLRO, head of compliance, head of risk, head of IT, head of internal audit. All German-resident, full-time.
- Custody architecture. Documented hot/cold wallet design, MPC or multi-signature, key-ceremony procedures, emergency access protocol, third-party IT service providers on the DORA register.
- Article 75 liability cover. Insurance or capital set-aside for loss of assets in custody.
- Procedure. Primarily in German, with technical annexes in English.
What to do if you missed the 31 December 2025 deadline
Firms that continued German crypto-custody services after 31 December 2025 without a granted MiCA CASP authorisation are in breach of German law. BaFin has the full enforcement toolkit including cease-and-desist orders, fines and criminal referral. Three realistic paths:
- Stop serving German clients immediately. Cease new onboarding, freeze existing relationships and migrate assets to a licensed CASP.
- Passport in from another EU CASP. If the group holds a MiCA CASP in another Member State (Malta, France, Netherlands, etc.), notify BaFin of the passport. Services can start 15 calendar days after notification.
- Fast-track an Article 60 notification. If the group has a MiFID, EMI, PI or banking licence, file the simplified notification. 40 working days for BaFin to object.
Ship a German CASP product with Crassula
Crassula provides the MiCA-ready crypto-custody core aligned with BaFin expectations: segregated client wallets, MPC key management, custody evidence pack, Travel Rule, market-abuse surveillance (for trading-venue scope) and DORA-aligned ICT. Useful for BaFin-authorised CASPs, for German banks/EMIs using the Article 60 route and for non-German groups passporting into Germany. See the MiCA CASP guide.
FAQ
A German national licence created on 1 January 2020 under KWG §1(1a) sentence 2 no. 6, allowing firms to provide crypto custody for third parties in Germany under BaFin supervision. Superseded by MiCA from 30 December 2024.
31 December 2025. Germany chose a shorter grandfathering window than the EU-wide 1 July 2026 backstop. After 31 December 2025, firms operating without a granted MiCA CASP authorisation in Germany or a valid passport from another Member State are in breach.
Approximately 18 as of early 2026, the largest population in the EU. Named firms include Bitpanda Asset Management GmbH.
6 to 12 months for fresh applicants. Article 60 simplified notification for MiFID firms, credit institutions, EMIs and PIs runs 2 to 3 months in practice.
Stop serving German clients, or passport in from another EU CASP authorisation, or fast-track an Article 60 notification if you hold a compatible EU licence. Operating without authorisation is a criminal offence.
Crassula provides the MiCA-ready crypto-custody core: segregated wallets, MPC key management, custody evidence pack, Travel Rule, market-abuse surveillance, DORA ICT and BaFin-ready reporting.
