CASP License in Germany: BaFin Crypto Authorization Under MiCAR

A CASP license in Germany is the authorisation a crypto-asset service provider must obtain from BaFin under the EU Markets in Crypto-Assets Regulation (MiCAR, Regulation (EU) 2023/1114) to provide regulated crypto-asset services. BaFin is Germany's National Competent Authority, and the national framework runs through the Kryptomärkteaufsichtsgesetz (KMAG).

If you operate a crypto exchange, a custody business, a trading platform, or an advisory service touching crypto-assets, and you want German market access with an EU passport, the route now runs through MiCAR CASP authorisation rather than the older national permissions Germany used before 2025. This guide explains who issues the licence, which law applies, which services are caught, how much capital you need, how the procedure works, and the Germany-specific transition that legacy custody firms must navigate. It corrects a common misconception from older guidance: the binding capital test is not a flat share-capital figure but MiCAR's class-based own-funds requirement under Annex IV and Article 67.

This is the German chapter of an EU-wide regime. The same MiCAR rules apply across the single market, with each member state's National Competent Authority running the file. Germany's distinctive feature is its shortened transitional window and a fast-track for firms that already held a national crypto-custody licence.

By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14

What is a CASP license in Germany and who issues it?

A CASP (crypto-asset service provider) license in Germany is the MiCAR authorisation that lets a firm provide any of the ten regulated crypto-asset services to clients. It is issued by BaFin, Germany's financial supervisor, under Regulation (EU) 2023/1114. In German regulatory language these authorised firms are referred to as "Kryptoinstitute."

The authorisation is harmonised across the EU. A firm authorised in Germany is subject to the same MiCAR core obligations as one authorised in Ireland, Spain, or France, but BaFin is the body that assesses the application, grants the licence, and supervises the firm afterwards. Because the rules are EU-wide, the page that explains the CASP license under MiCA at the European level sits above this German guide: Germany is the national instance of that EU framework.

BaFin as Germany's National Competent Authority for MiCAR

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is the German National Competent Authority (NCA) designated for MiCAR. Crypto-asset service providers that want to operate in Germany must obtain CASP authorisation from BaFin under Regulation (EU) 2023/1114, and BaFin retains ongoing supervisory responsibility for them (BaFin MiCAR).

BaFin also handles cross-border activity. Where a firm authorised in Germany wants to passport its services into other EEA states, or where a firm authorised elsewhere notifies its intention to operate in Germany, the relevant passport notifications are submitted to BaFin by email at passporting-notification@bafin.de (BaFin Kryptoinstitute).

CASP authorisation vs the old crypto-custody licence

Before MiCAR applied, Germany regulated crypto custody through a national permission under §1(1a) sentence 2 no. 6 of the German Banking Act (KWG), effective 1 January 2020 (BaFin custody guidance). That was a purely national licence and carried no EU passport. MiCAR CASP authorisation supersedes it and, unlike the old KWG permission, passports across the EEA. The transition between the two is the most consequential part of this guide for any firm already holding the legacy licence.

What German law implements MiCAR? FinmadiG and the KMAG

MiCAR is a directly applicable EU regulation, but member states still need national law to operationalise it: to designate the competent authority, set notification duties, and fix transitional rules. In Germany this was done through the Finanzmarktdigitalisierungsgesetz (FinmadiG), which introduced the Kryptomärkteaufsichtsgesetz (KMAG, the Crypto Markets Supervision Act). The KMAG implements MiCAR operationally in German law and defines BaFin's supervisory role over crypto-asset providers (Freshfields).

This is one of the clearest improvements over older German crypto-licence guidance, which framed everything through the Banking Act and the AML Act (GwG) without naming the actual implementing instrument. For 2026 applicants, the operative national law is the KMAG, read together with MiCAR itself.

The Kryptomärkteaufsichtsgesetz (KMAG) and BaFin's powers

The KMAG is the German statute that gives MiCAR its national footing. It confirms BaFin as the NCA, sets the supervisory and notification framework, and contains the German transitional provisions in §50, including the shortened grandfathering deadline and the simplified-procedure gateway for legacy licensees (Freshfields). Because the KMAG was introduced by the FinmadiG package, the two names appear together in legal commentary: FinmadiG is the umbrella act, KMAG is the crypto-specific piece inside it.

Notification ordinance (Anzeigenverordnung) expected in 2026

Some procedural detail is still being finalised. BaFin states that the notification ordinance (Anzeigenverordnung) tied to the KMAG notification duties "is expected to enter into force in 2026" (BaFin Kryptoinstitute). Until that ordinance is published, certain formatting and submission specifics for notifications remain subject to confirmation, which is one reason precise procedural timetables for the German process should be treated as provisional rather than fixed.

Which crypto-asset services require a CASP license? (MiCAR Art. 3(1)(16))

CASP authorisation is triggered by activity, not by entity type. MiCAR Art. 3(1)(16) defines ten crypto-asset services, and providing any of them in or into Germany on a professional basis requires a CASP licence (MiCAR). Identifying which of the ten your business model performs is the first step, because the answer determines your capital class.

The ten regulated crypto-asset services

The ten crypto-asset services under MiCAR Art. 3(1)(16) are:

1. Custody and administration of crypto-assets on behalf of clients
2. Operation of a trading platform for crypto-assets
3. Exchange of crypto-assets for funds
4. Exchange of crypto-assets for other crypto-assets
5. Execution of orders for crypto-assets on behalf of clients
6. Placing of crypto-assets
7. Reception and transmission of orders for crypto-assets on behalf of clients
8. Advice on crypto-assets
9. Portfolio management on crypto-assets
10. Transfer services for crypto-assets on behalf of clients

A single firm may perform several of these, in which case the authorisation must cover each service it provides.

How services map to authorisation classes

The ten services group into three capital classes under MiCAR Annex IV. Order-handling and advisory activities (reception and transmission, advice, execution, placing, portfolio management, transfer services) sit in Class 1. Custody and administration, exchange of crypto for funds, and exchange of crypto for other crypto sit in Class 2. Operation of a trading platform sits in Class 3 (MiCAR, FIN LAW). Where a firm spans more than one class, the higher class amount applies to its overall own-funds requirement.

Minimum capital for a German CASP (Annex IV and Art. 67)

The minimum capital for a German CASP is set by MiCAR, not by German company law. A CASP must hold the higher of the Annex IV amount for its class or one quarter of the preceding year's fixed overheads, with the figure recalculated annually (MiCAR, FIN LAW). This is the single correction every German CASP applicant should internalise: there is no flat share-capital threshold that decides the matter.

The three capital classes at a glance

A custody business or an exchange therefore sits at the €125,000 Class 2 level, while a trading platform sits at €150,000 in Class 3 (MiCAR, FIN LAW).

The fixed-overheads test (one quarter of prior-year overheads)

The class amount is a floor, not a ceiling. MiCAR Art. 67 requires a CASP to hold the higher of its Annex IV class amount or one quarter of its fixed overheads of the preceding year (MiCAR). For a small firm with modest running costs, the class amount usually wins. For a larger operation with substantial annual overheads, one quarter of those overheads can exceed the class floor, in which case the higher number is the binding requirement. Because the test is recalculated each year, the permanent minimum own funds move with the business rather than staying static like older MiFID-style baselines (FIN LAW).

Why "€125,000 share capital" is not the right test

Older German crypto-licence guidance often stated a flat "€125,000 minimum share capital." That conflates two different concepts: the GmbH or AG share capital you register under German company law, and MiCAR's class-based own-funds requirement. The binding test for a CASP is the Annex IV class amount or the Art. 67 fixed-overheads figure, whichever is higher, not a single registered-capital number (MiCAR, FIN LAW). The €125,000 figure happens to coincide with the Class 2 own-funds level, which is why the misconception persists, but the legal basis is MiCAR's own-funds test, not a static share-capital rule.

Governance and substance requirements under MiCAR

Capital is only one pillar of authorisation. MiCAR requires a German CASP to demonstrate real substance and sound governance before BaFin will grant the licence (MiCAR). These obligations carry the same weight as the capital test and are usually where applications take the most preparation.

Registered office, effective management and fit-and-proper checks

A CASP must be a legal entity with a registered office in the EU and effective management located in the Union. The management body must satisfy fit-and-proper requirements, and the firm's qualifying shareholders are subject to suitability assessment (MiCAR). In practice this means BaFin examines who runs the firm, who owns it, and whether the people directing the business have the experience and integrity the regulation demands. Substance is a genuine requirement: a registered office on paper without effective management in the Union does not meet the standard.

AML/CFT, safekeeping and ICT/operational resilience

A CASP must operate robust AML and CFT controls, arrange for the safekeeping and segregation of client crypto-assets and client funds, maintain ICT and operational-resilience arrangements, and put complaint-handling and conflict-of-interest policies in place (MiCAR). The segregation rules matter most to custody and exchange firms, since client-asset protection is central to those services. The broader AML expectations connect to Germany's wider crypto compliance framework, and BaFin will expect documented policies, not intentions, at application. (Exact MiCAR article numbers for application content, governance, and safekeeping are referenced generically here and should be confirmed against the regulation before being asserted as specific citations.)

How does the BaFin CASP authorisation procedure work?

The BaFin CASP authorisation procedure follows the MiCAR application framework. A firm files a complete application with BaFin, BaFin runs a completeness check and then an assessment, and the licence is granted if the firm meets the capital, governance, and substance requirements (MiCAR). The process is documentation-heavy, and the strength of the application package usually drives how smoothly it moves.

What goes into a CASP application

A CASP application to BaFin includes a programme of operations describing the services to be provided, governance arrangements, AML and CFT policies, ICT and operational-resilience documentation, safekeeping and segregation arrangements, evidence of the required own funds, and suitability information for the management body and qualifying shareholders (MiCAR). The more precisely each element maps to the specific services in your authorisation request, the fewer follow-up questions BaFin tends to raise.

Completeness check and assessment timeline

MiCAR sets a completeness check followed by an assessment period. BaFin first confirms the application is complete, then assesses it on the merits before deciding (MiCAR). The exact working-day counts for each stage should be confirmed against the regulation's text before relying on a specific number, and the German procedural detail also depends on the notification ordinance expected in 2026, so a firm should treat any single "X-month" estimate as indicative rather than fixed. [VERIFY: Art. 63 working-day counts]

Three routes into a German CASP authorisation

There is no single path into a German CASP licence. Depending on what your firm already holds, you may file a standard new application, use a simplified fast-track designed for legacy German custody licensees, or, if you are an already-regulated bank or e-money firm, notify BaFin under a separate route. Choosing the correct path is the most consequential decision in the project, and it turns on your firm's existing authorisations and the now-closed grandfathering window (BaFin MiCAR, Freshfields).

Standard authorisation (new applicants, MiCAR Art. 62/63)

For a firm with no prior German crypto authorisation, the default path is a fresh MiCAR application. The firm files the full application package described above, BaFin runs the completeness check and assessment, and the licence is granted on the merits (MiCAR). This de-novo route is the one most new exchange and custody projects will use, and it requires the complete capital, governance, and substance evidence from the outset.

Simplified procedure for legacy KWG custody licensees (Art. 143(6) / §50(3) KMAG)

Firms that already held national authorisation for a crypto-asset service on 29 December 2024, and that are not CRR credit institutions, can use a streamlined conversion path under MiCAR Art. 143(6) together with §50(3) KMAG. This fast-track is aimed at holders of the legacy crypto-custody permission (for example §32(2a) KWG crypto-custody licensees), and it reduces the documentation and assessment burden compared to a fresh application (BaFin MiCAR, Freshfields). One important constraint: the firm must already hold a national licence for the specific MiCA service, and the simplified route cannot be used to add new services it was not previously authorised to provide. There is no cross-service conversion (Freshfields).

Art. 60 notification for already-EU-regulated entities

Some entities do not need full CASP authorisation at all. Credit institutions, investment firms, e-money institutions, and payment institutions that are already authorised under their own EU frameworks may provide certain crypto-asset services by notifying BaFin under MiCAR Art. 60, rather than seeking a full CASP licence, and they are not subject to MiCAR's own-funds requirement for those services because their primary framework already covers capital (MiCAR). Standalone crypto-custody-only firms generally fall outside Art. 60 and instead use the §50(3) KMAG / Art. 143(6) simplified procedure (Freshfields).

The §1(1a) KWG crypto-custody licence and the transition deadline

For firms that already hold the legacy German crypto-custody licence, the central question is what to do now. The short answer is that the national permission is superseded by MiCAR CASP authorisation, the German grandfathering window has closed, and the practical route forward is the simplified procedure. This is the national-to-MiCAR transition for existing licensees seen specifically through the German lens.

What the old crypto-custody licence covered

Crypto custody business under §1(1a) sentence 2 no. 6 KWG was defined as the custody, management, and protection of crypto-assets or the private cryptographic keys used to keep, store, or transfer crypto-assets for others. It was introduced through Germany's transposition of the amended Fifth AML Directive and took effect on 1 January 2020 (BaFin custody guidance). It was a German national licence, and crucially it carried no EU passport.

From a national licence with no passport to an EEA-passportable CASP

The most important upgrade in moving from the old KWG custody permission to MiCAR CASP authorisation is reach. The §1(1a) KWG custody licence conferred no EU passport, so a firm holding it could serve the German market but could not automatically operate across the EEA (BaFin custody guidance). A MiCAR CASP authorisation, by contrast, passports across the EEA, letting an authorised German firm provide its services in other member states on a single licence (MiCAR). That ability to passport across the EEA is the commercial reason most legacy custody firms convert rather than wind down.

Germany's shortened grandfathering (31 December 2025)

Germany chose a shorter transitional period than the EU default. Under §50(2) No.3 KMAG, German grandfathering ended on 31 December 2025, rather than the EU-wide default end-date of 1 July 2026 set by MiCAR Art. 143(3) (Freshfields, MiCAR). As of the 2026-06-13 research date, that window has already closed, which means firms operating in Germany must already hold CASP authorisation or be advanced in the BaFin pipeline rather than continuing under the legacy national regime. The same dates underpin our MiCA transition timeline.

What does a German CASP licence cost and how long does it take?

Cost and timeline are reasonable questions, but they are also where outdated guidance does the most damage. Older German crypto-licence pages cited specific figures that have not been verified against current primary sources, and we will not republish them as if they were settled. The honest position is that both depend on the firm's profile, the chosen route, and procedural detail still being finalised.

BaFin fees (verify against the current cost ordinance)

BaFin fees are set by its current cost schedule (the BaFin-Kostenverordnung and the FinDAGKostV framework). Any single fee figure should be checked against that primary schedule rather than older published estimates, and the frequently quoted "€10,750 application fee" from legacy guidance has not been verified against a current BaFin cost ordinance. We therefore do not state a fixed fee on this page. [VERIFY: BaFin application fee]

Realistic timeline drivers

The realistic timeline depends on the completeness of your application, the route you use, and the readiness of your documentation. A complete, well-evidenced application moves through the completeness check and assessment faster than one that triggers repeated follow-up questions. The simplified procedure reduces the documentation burden for qualifying legacy licensees, while a fresh standard application carries the full evidentiary load. Because the German procedural timetable also depends on the notification ordinance expected in 2026, we treat any fixed "X-month" promise as indicative rather than guaranteed. [VERIFY: legacy "4-8 months" timeline]

Is Germany the right MiCAR jurisdiction for your crypto business?

Germany is one National Competent Authority among many under MiCAR, and the right jurisdiction depends on your business model, your existing authorisations, and where your team and clients sit. Because the substantive MiCAR rules are harmonised, the differences between member states lie mainly in regulator posture, language of process, and transitional treatment rather than in the core capital and substance requirements.

Germany vs other EU CASP jurisdictions

Choosing between member states is a comparison of regulators, not of rulebooks. A firm weighing Germany against, for example, CASP authorization in Ireland with the Central Bank of Ireland, or Spain CNMV crypto authorization, is really comparing supervisory approach, processing experience, and language. The own-funds classes and governance requirements are the same MiCAR rules in each. Germany's distinctive feature is its legacy KWG custody base and its shortened transitional window, which matter most to firms that were already operating there.

How our Zug team supports your German CASP application

From our practice at Crypto Valley Partners AG in Zug, the work that makes a German CASP application succeed is done before anything is filed: mapping the precise services to capital classes, building the governance and AML documentation BaFin expects, and choosing the correct route among standard authorisation, the simplified KMAG fast-track, and Art. 60 notification. We help firms determine which of the ten MiCAR services they actually perform, confirm whether the simplified procedure is open to them, and prepare the application so it survives BaFin's completeness check on the first pass. If you are unsure whether you need CASP framing at all, our note on VASP vs CASP clarifies the distinction, and the broader MiCA regulation guide sets the EU context.