MiCA CASP License in 2026: The Complete Guide

What a MiCA CASP licence authorises

A Crypto-Asset Service Provider (CASP) licence is the single authorisation granted under Regulation (EU) 2023/1114, better known as MiCA, that lets a firm provide regulated crypto-asset services anywhere in the European Economic Area. It replaces the patchwork of national VASP registrations (French PSAN, German BaFin crypto custody, Italian OAM, Spanish registry, Lithuanian VASP, Dutch DNB, Maltese VFA and so on) with a single rulebook supervised by home-state competent authorities in coordination with ESMA and the EBA.

By early 2026 roughly 60 CASPs have been authorised across the EU, concentrated in Germany (18), the Netherlands (14), France (6) and Malta (6). Named firms already on the ESMA register include Crypto.com (Foris DAX MT), OKX (Okcoin Europe), ZBX (Zillion Bits), Bitpanda Asset Management, MoonPay Europe and bitFlyer Europe.

Title V of MiCA defines ten regulated services. A CASP applies for any combination, and the capital class is driven by the mix.

MiCA does not cover crypto-assets that already qualify as financial instruments under MiFID II (those stay under the investment-firm regime), deposits, pension products, insurance, securitisation, or fully decentralised services without an identifiable provider. NFTs are out of scope in principle, but regulators read "genuinely unique" narrowly: large collection issuances routinely fall back in.

Am I even in scope? The five-step founder test

MiCA is activity-based and effect-based. What matters is what your users can actually do through your product, not the label on the landing page. Before you spend a euro on legal counsel, run your business through the five-step scope test.

1. Corporate location. Incorporation in the EU creates a presumption of scope. Incorporation outside the EU does not automatically exempt you: if you actively serve EU users, you are in scope.
2. User geography. Any active EU user base or intentional targeting of EU markets (EU-language site, EU advertising, EU payment rails) triggers MiCA, regardless of where the legal entity sits.
3. Service mapping. Match product features to the ten MiCA services. Custody, trading platform operation, exchange, execution, placing, reception/transmission, advice, portfolio management and transfers are each captured separately.
4. Fund control. Holding keys or controlling access to user assets tilts heavily toward custody scope. A non-custodial design does not automatically remove you from scope if you also operate exchange, execution or a trading platform.
5. Monetisation. Professional provision of services (fees, subscriptions, revenue shares, spreads, maker/taker) is a regulatory signal. Free, ad-hoc or one-off activity may escape scope; fee-earning activity almost never does.

Five dangerous misconceptions founders keep making (and which regulators reject on day one of the review):

• "Non-custodial equals out of scope." False. Execution, exchange and platform operation are independent scope triggers, even when the firm never touches user keys.
• "We are only a tech provider." If users can transact in crypto through your product and your company earns revenue from it, you are a service provider, not software.
• "We are incorporated outside the EU, so we are fine." Serving or targeting EU users extends MiCA reach regardless of domicile. The ESMA register already lists enforcement notices against offshore firms.
• "We outsourced the regulated bit." Outsourcing custody, matching or KYC to a vendor does not strip you of CASP status if the service is part of your product.
• "Disclaimers will solve it." MiCA is drafted around substance over form. A banner saying "not for EU residents" does not protect you if an EU resident can sign up in 30 seconds.

Reverse solicitation exists but is genuinely narrow. An EU user must initiate contact for a truly specific service. Any marketing, SEO, referral programme or paid acquisition aimed at EU users breaks the defence.

The MiCA timeline and how the transitional period actually ends

MiCA entered into force on 29 June 2023 and applies in phased stages.

1. 30 June 2024. Titles III and IV start to apply. Issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs, the MiCA name for fiat-backed stablecoins) must be authorised or be an authorised credit institution or EMI.
2. 30 December 2024. Title V starts to apply. Every firm providing crypto-asset services in the EU needs a CASP authorisation, or must use the Article 60 simplified notification route available to existing MiFID firms, credit institutions, EMIs, PIs, UCITS managers or AIFMs.
3. Transitional window. Firms lawfully providing crypto services under national law before 30 December 2024 may continue operating while their CASP application is processed, up to a maximum of 18 months. Each Member State chose its own window.
4. 1 July 2026. Absolute EU-wide deadline. Any firm still trading without a granted CASP authorisation or simplified notification is operating unlawfully, regardless of prior national status.

The real punchline nobody prints on the homepage: for most Member States the application-submission deadline (the date by which you had to file a complete CASP file to benefit from grandfathering) has already passed. If you missed your national submission window, you are not in transition; you are in cliff-edge territory.

Firms still unlicensed in expired jurisdictions face three options: (1) withdraw from that market, (2) passport in from a Member State where they already hold a CASP, (3) use the Article 60 simplified notification if they also hold a compatible EU licence (MiFID, EMI, PI, credit institution).

CASP vs MiFID vs national VASP vs Article 60 notification

Four regimes overlap in 2026 and founders routinely confuse them.

Rule of thumb: tokenised equity or bonds go MiFID, everything else on an ordinary blockchain goes CASP. A credit institution, EMI, PI or MiFID firm adding a crypto product almost always runs the Article 60 notification route because it collapses the timeline to a few months at a fraction of the cost.

One trap worth flagging. A CASP that offers custody or transfer services for e-money tokens (MiCA EMTs) must comply simultaneously with the MiCA capital requirement in Article 67 and Annex IV and the PSD2 Article 7 initial capital requirement, because EMT custody is treated as a payment service. EBA confirmed this in 2025. Budget for the higher of the two and plan governance that satisfies both rulebooks.

Initial capital, own funds and what the NCA actually looks at

Annex IV of MiCA assigns each CASP to one of three prudential classes. Initial capital is the floor. Ongoing own funds is the higher of the class floor or one quarter of the previous year's fixed overheads. Both figures are consumed by losses and must be rebuilt within 30 days.

A CASP authorised for several services pays the highest applicable class once, not cumulatively. Capital must be paid up in cash and sit in a segregated bank account at the time of authorisation. Own funds qualify only as Common Equity Tier 1 under Articles 26 to 30 of Regulation (EU) 575/2013 after the Article 36 deductions: founders' shareholder loans or uncalled capital do not count.

Professional indemnity insurance does not substitute for capital under MiCA, but a CASP must carry PII sized to activity, client count and business model. CASPs offering custody additionally need a policy or capital set-aside covering operational and cyber risks that could cause client losses under Article 75.

The real cost of getting licensed (and staying licensed)

Most competitor guides either skip numbers or give a single range. This is what the first 18 months of a serious CASP project actually looks like.

Realistic first-year all-in for a credible Class 2 or Class 3 CASP: EUR 350k to EUR 900k, of which EUR 125k to EUR 150k is the locked capital you keep. Malta's public estimates put first-year costs between EUR 200k and EUR 300k for a lean setup with a white-label technology stack. Germany, France and Ireland run 2 to 3 times that for a comparable operation.

The cheapest line to discount is the technology stack. Every first-wave CASP that tried to build custody, matching, KYC and Travel Rule in-house overshot the budget and the timeline, and several withdrew their application to resubmit with a vendor stack.

The authorisation process in six phases with realistic durations

Articles 62 and 63 of MiCA set a standardised procedure across all NCAs. Differences in speed, language of procedure and flexibility mirror what you already see under PSD2.

1. Phase 1 - Home Member State selection and incorporation (1 to 4 weeks). Establish the EU entity, lease a real office, appoint a resident executive director. Regulators now check Companies House, land-registry and social-security records before they meet you.
2. Phase 2 - Pre-application engagement (1 to 3 weeks). Almost every NCA expects an informal meeting before filing. Bring a one-pager business model, the Class 1/2/3 scope, capital plan, custody architecture and the AML approach. Skipping this meeting is a red flag on its own.
3. Phase 3 - Application package development (6 to 12 weeks). Full file: programme of operations, three-year business plan with stressed projections, structural and governance arrangements, ICT and cybersecurity framework (DORA-aligned), AML/CFT manual with Travel Rule implementation, safeguarding and custody policy, market-abuse detection procedures, outsourcing register, complaints handling and conflicts-of-interest policy, plus fit-and-proper questionnaires for every director and qualifying shareholder.
4. Phase 4 - Submission and completeness check (25 working days). The NCA has 25 working days to confirm the file is complete. Missing items reset the clock. First-wave CASP files routinely failed this step because firms underestimated the depth expected on custody and ICT.
5. Phase 5 - Substantive assessment (40 working days, extendable by 20). The statutory maximum is roughly five months of clock time once the file is complete. Real-world timelines in 2025 ran from 4 to 12 months depending on jurisdiction and quality of the file.
6. Phase 6 - Decision and ESMA register (1 to 3 weeks). Once granted, the CASP is added to the ESMA register. The interim register is published as a weekly CSV on the ESMA website until mid-2026, when it migrates into ESMA's full IT systems.

Passporting to other Member States is a notification, not a second licence. The home NCA transmits the file to the host authorities and services can commence 15 calendar days after notification.

The five rejection reasons NCAs cite most often

Data from the first two years of CASP authorisations (ESMA peer review, Hogan Lovells 2025 analysis and published NCA decisions) shows the same five deficiencies appear in almost every rejected file. If your application doesn't cover them with the depth an inspector would recognise, expect a refusal or a two-year stop-the-clock loop.

1. Weak AML/CFT with no evidence of enforcement. Regulators are not satisfied by a well-written policy: they want detection rules, rule-tuning logs, testing evidence, alert-to-SAR conversion rates and the CV of the MLRO. A templated "AML manual" used on day one is an instant flag.
2. Unclear governance and fit-and-proper gaps. Directors without relevant crypto-asset experience, part-time compliance officers, opaque shareholder structures, directors serving on multiple applicants at once. The NCA runs reverse fit-and-proper checks and asks the same question of every candidate.
3. Proof of capital the regulator can't trust. Capital held in a founder's personal account, foreign-currency deposits without a lock-up, shareholder loans, or uncalled capital. Capital must be paid up in cash in an EU credit institution, in the licensed entity's name, and evidenced by a bank statement at submission.
4. No genuine EU substance. Virtual addresses, nominee directors, zero local staff, meetings scheduled over video with founders sitting outside the EU. MiCA requires a physical presence, a resident director, real staff, and demonstrable decision-making in the home state.
5. Vague business model. Applications that can't explain how the firm makes money, who the customers are, or what exactly the product does. NCAs reject files that use marketing language instead of transaction flows, revenue lines and volume projections.

Two operational mistakes kill otherwise decent files: slow or incomplete responses to NCA RFIs, and rushing a filing in the last two months of a national grandfathering window. Both are avoidable. Treat regulator questions as the top priority of the week and file at least six months before the submission deadline.

Popular CASP jurisdictions in 2026 with real benchmarks

Every NCA applies the same regulation, but supervisory style, timelines, cost and substance expectations diverge by a factor of three. Pick the jurisdiction that fits the audience (retail, institutional, B2B), not the one with the shortest headline timeline.

Malta, the Netherlands and Lithuania dominate the "founder-friendly" bucket for Class 2 retail products. Germany and France are the tier-1 stamps for institutional-facing CASPs and listed-exchange subsidiaries. Ireland is the standard for firms that already run a MiFID or EMI there and want crypto alongside. Cyprus, Luxembourg, Czechia and Bulgaria are the next wave for cost-conscious setups.

Governance, fit-and-proper and local substance

MiCA codifies governance expectations at EU level. NCAs run the same four checks on every file.

• Management body. At least two executives of good repute, collectively covering crypto-asset services, governance, IT and AML. The board as a whole must balance strategic, risk and operational expertise. Expect each director's CV to be cross-checked against the ESMA crypto-related enforcement list before approval.
• Qualifying shareholders. Anyone with 10% or more voting rights or capital is fit-and-proper tested. Complex corporate structures are unpacked to the ultimate beneficial owner. Crypto-native cap tables with SAFTs, warrants and tokens must be translated into an orthodox cap table for the NCA.
• Local substance. At least one director resident in the home state. Real office. Local compliance officer, risk lead and head of technology. NCAs now ask for recent payroll records and video of the office. Nominee structures are uniformly rejected.
• Outsourcing. Critical functions that are outsourced (custody tech, matching engine, KYC, Travel Rule) go through an outsourcing risk assessment. The CASP remains fully responsible for the outsourced activity. DORA alignment is expected for every ICT provider.

FAQ