CASP License: How to Get Authorised Under MiCA

A CASP license is the European Union authorisation a business needs to provide crypto-asset services. Under Articles 59 and 63 of Regulation (EU) 2023/1114, known as MiCA, any firm offering one of the ten defined crypto-asset services in the Union must hold an authorisation as a crypto-asset service provider (CASP). This guide walks through the ten services, the three capital classes, the Article 62 application, the statutory timeline and EU passporting.

Before MiCA, anyone wanting to operate a compliant crypto exchange, custody service or brokerage in Europe faced a patchwork of national registrations that differed from one country to the next. MiCA replaced that fragmentation with a single, harmonised authorisation. Once granted by your home Member State, a CASP license lets you serve all 27 EU Member States. Below we set out exactly what the regulation requires, citing the article numbers throughout so you can verify each point against the primary text on EUR-Lex.

What Is a CASP License Under MiCA?

A CASP license is an authorisation issued under Article 63 of MiCA (Regulation (EU) 2023/1114) that permits a legal person to provide one or more of the ten crypto-asset services defined in Article 3(1)(16). Without it, a firm may not lawfully offer crypto-asset services within the Union. The authorisation specifies exactly which services the provider is allowed to deliver.

The acronym CASP stands for "crypto-asset service provider", a defined term in MiCA Title V. In everyday search and conversation people say "CASP license", but the legal instrument is an authorisation, granted and supervised by the national competent authority (NCA) of the firm's home Member State. That distinction matters: an authorisation is assessed against substantive criteria, not simply registered. The authorisation regime applies across the entire Union, which is why a single grant carries weight in every Member State through the passporting mechanism we cover later on this page. For a broader overview of the whole framework, see the full MiCA regulation guide.

CASP vs VASP: which term applies to you

If you have researched crypto licensing before, you have probably met the term VASP, "virtual asset service provider". That is the FATF Recommendation 15 term used in anti-money-laundering standards worldwide. CASP is the MiCA term used in EU law. In lay search the two are near-synonyms, but they are distinct in scope: a VASP registration under national AML rules is not the same as a MiCA CASP authorisation, and the EU framework now supersedes the older national VASP regimes for activities within its scope. If you are weighing the two concepts, our breakdown of VASP vs CASP sets out where they overlap and where they diverge.

Authorisation, not registration: what MiCA changed

Article 59 of MiCA establishes that a person may not provide crypto-asset services in the Union unless they are an authorised CASP under Article 63 or an eligible financial entity permitted to do so under Article 60. The practical effect is that the old approach of registering with each national regulator separately has been replaced by one authorisation from a single home-Member-State NCA. The authorisation is granted against a defined set of prudential, governance and conduct standards, and once issued it is recognised across the single market. This is the structural shift that makes a CASP license valuable: depth of scrutiny at the point of entry, breadth of reach once you hold it.

Do You Need a CASP License? Scope and Exemptions

You need a CASP license if your business provides any of the ten crypto-asset services to clients in the Union. Article 59(1) of MiCA is unambiguous: a person shall not provide crypto-asset services within the Union unless that person is either an authorised CASP under Article 63 or one of a defined list of financial entities permitted to provide those services under Article 60. There is no informal exemption for small operators or "introducing" intermediaries: if the activity falls within one of the ten defined services, authorisation is the default requirement.

Who must be authorised (Art. 59)

Under Article 59(1) of MiCA, the requirement to be an authorised CASP applies to any legal person or undertaking providing crypto-asset services in the Union. That covers exchanges, custodians, brokers, portfolio managers, advisers and transfer-service operators. The authorisation specifies the precise services the provider may offer, so a firm that wants to add a service later must request an extension, which the NCA processes under Article 63 (Article 59(8)). In short, the scope is activity-based: it is the service you perform, not your size or your branding, that triggers the requirement.

The Article 60 pathway for banks and investment firms

Not every regulated firm needs a full Article 63 authorisation. Article 60 of MiCA provides a lighter notification route for entities that are already authorised under other EU financial legislation. Credit institutions, central securities depositories, investment firms, market operators, electronic money institutions, UCITS management companies and alternative investment fund managers may provide equivalent crypto-asset services through a 40-working-day notification to their NCA rather than a full CASP authorisation. The notification still requires substantive documentation of how the firm will provide the services, but it leverages the supervision the entity already sits under. If you are a bank or investment firm, this pathway can shorten your route to market considerably.

The 10 Crypto-Asset Services and Their Capital Classes

MiCA Article 3(1)(16) defines a crypto-asset service as any of ten enumerated services and activities, listed (a) to (j) in the regulation. Each service maps to one of three capital classes set out in Annex IV. The class your business falls into is determined by the most capital-intensive service you intend to provide, so identifying your services precisely is the first step in sizing your application. The matrix below maps every service to its Annex IV class and minimum capital figure.

The three Annex IV capital classes (EUR 50k / 125k / 150k)

Annex IV of MiCA groups the ten services into three permanent minimum capital classes. The classes are cumulative: a higher class always includes the services of the classes below it.

Because the classes stack, a firm running a trading platform that also offers custody and execution sits in Class 3 at EUR 150,000. The figure is a floor, not the whole story: as the next section explains, the actual capital requirement is the higher of the Annex IV class figure or one quarter of your fixed overheads.

Service definitions that matter most (custody, trading platform, exchange)

Three definitions carry the most weight when classifying your business. Under Article 3(1) of MiCA, custody and administration means the safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to them, including private cryptographic keys. Operation of a trading platform means managing one or more multilateral systems that bring together multiple third-party buying and selling interests. Exchange of crypto-assets, whether for funds or for other crypto-assets, means concluding purchase or sale contracts with clients using the provider's own proprietary capital. Getting these definitions right determines whether you fall into Class 2 or Class 3 and what service-specific policies your application must include.

How Much Capital Does a CASP License Require?

The capital requirement for a CASP license is not simply the Annex IV class figure. Article 67(1) of MiCA requires a CASP to hold, at all times, prudential safeguards equal to at least the higher of two amounts: the permanent minimum capital for its Annex IV class, or one quarter of the fixed overheads of the preceding year, reviewed annually. For an established firm with significant operating costs, the fixed-overheads limb can exceed the class minimum, so the real requirement scales with the size of the business.

This is one of the most commonly misunderstood points in CASP licensing. Many summaries quote only the EUR 50,000 to EUR 150,000 range. That range is the class floor under Annex IV, but it is just the first of the two amounts you compare. The binding figure is whichever is higher. Planning your own funds around the class minimum alone risks under-capitalising the moment your overheads grow.

Own funds or qualifying insurance (Art. 67(4)-(6))

Article 67(4) of MiCA specifies how the prudential safeguards must be held. They consist of own funds in the form of Common Equity Tier 1 items, defined by reference to Regulation (EU) No 575/2013 (the Capital Requirements Regulation, or CRR), and/or a qualifying insurance policy or comparable guarantee. Where insurance is used, Articles 67(5) and 67(6) set conditions: a minimum initial term of one year, a cancellation notice of at least 90 days, provision by an authorised third-party insurer, and coverage of specified operational risks such as loss of documents, misrepresentation, breaches of duty, business disruption and gross negligence in safeguarding client assets. Most applicants combine own funds with insurance to meet the floor efficiently.

How new firms calculate the overheads floor

A brand-new CASP has no preceding year of fixed overheads to draw on. Article 67(2) of MiCA addresses this by allowing new firms to use projected fixed overheads for the first 12 months, submitted with the application, when calculating the one-quarter limb. This means founders must build a credible first-year cost model: staffing, technology, compliance, office and professional fees. The NCA will scrutinise these projections, so a realistic, well-documented budget is part of a strong application rather than an afterthought.

What Documents Go Into a CASP Application? (Article 62)

The CASP application is defined by Article 62(2) of MiCA, which lists the information an application "shall contain" in points (a) to (s). The list runs from core corporate and governance documents through to service-specific policies that depend on which of the ten services you provide. Treat it as a checklist: a missing item is precisely what stalls a file during the completeness phase. The application is submitted to the competent authority of your home Member State under Article 62(1).

Core documents every applicant files (a)-(l)

Points (a) to (l) of Article 62(2) apply to every applicant regardless of service mix S1:

• Identification details, including legal name, commercial names, the Legal Entity Identifier (LEI), website, contact email, phone and physical address (a)
• Legal form (b)
• Articles of association, where applicable (c)
• A programme of operations setting out the crypto-asset services intended and how they will be marketed (d)
• Proof of the prudential safeguards required under Article 67 (e)
• A description of governance arrangements (f)
• Proof that the management body is of sufficiently good repute with appropriate knowledge, skills and experience (g)
• Identity of shareholders and members with qualifying holdings, the amounts held, and proof of their good repute (h)
• A description of internal control mechanisms, risk-management policies including AML/CTF, and a business-continuity plan (i)
• Technical documentation of ICT systems and security arrangements, with a non-technical description (j)
• The procedure for segregating clients' crypto-assets and funds (k)
• Complaints-handling procedures (l)

Service-specific policies (m)-(s)

Points (m) to (s) depend on the services you intend to provide S1. A custody provider files a custody and administration policy (m). A trading-platform operator files operating rules plus a market-abuse detection procedure and system (n). An exchange provider files a non-discriminatory commercial policy and a price-determination methodology (o). A firm executing orders files an execution policy (p). Advisers and portfolio managers file proof that the natural persons advising or managing have the necessary knowledge and expertise (q). A transfer-service provider describes how the transfers will be carried out (r). Finally, every applicant states the type of crypto-asset to which the service relates (s). Aligning these policies with your programme of operations is where the MiCA compliance checklist earns its keep.

Clean criminal record proof (Art. 62(3))

Article 62(3) of MiCA adds a specific evidentiary requirement for the management body and qualifying-holding shareholders. The application must include proof of the absence of criminal record or penalties under commercial law, insolvency law and financial-services law, and in respect of AML/CTF and fraud. It must also demonstrate the collective suitability of the management body. In practice this means assembling certificates and declarations early, because they can take time to obtain across multiple jurisdictions and are a frequent cause of delay.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisors, no commitment. Book a Call

The CASP Authorisation Process and Statutory Timeline (Article 63)

The CASP authorisation process follows a statutory sequence of working-day deadlines set out in Article 63 of MiCA. After you submit to your home NCA, the authority acknowledges receipt within 5 working days, assesses completeness within 25 working days, and, once the file is complete, issues a reasoned grant or refusal within 40 working days. A single suspending request for further information can pause the clock for up to 20 working days. The table below sets out each statutory step.

Step-by-step: from submission to decision

Read as a process, the Article 63 sequence breaks into clear stages S1. First, confirm your services and whether you need full authorisation or the Article 60 notification. Second, select your home Member State and identify its NCA, for example AMF in France, BaFin in Germany, CNMV in Spain, DNB in the Netherlands or CBI in Ireland. Third, size your capital and substance. Fourth, prepare the Article 62 application. Fifth, submit to the home NCA, which acknowledges within 5 working days and assesses completeness within 25 working days. Sixth, await the reasoned decision within 40 working days of a complete file, subject to a possible 20-working-day suspension. Seventh, once granted, the NCA enters you on the ESMA register within 2 working days and you can passport across the EU. ESMA maintains the central register, and the NCA must communicate the grant to ESMA within 2 working days under Article 63(13).

Why "40 working days" is not the real wall-clock time

It is essential to read the 40-working-day figure correctly. Under Article 63(9) of MiCA, the 40 working days run from receipt of a *complete* application, not from your first submission. Add the up-to-25-working-day completeness phase, any NCA-set deadline for supplying missing information, and the up-to-20-working-day suspension, and the real elapsed time is materially longer. Industry experience puts a typical end-to-end timeline in the range of several months, often cited as three to six months. That month-range is a practical, observed estimate, not a statutory figure under MiCA. Only the working-day deadlines above come from the regulation itself.

EU Substance and Governance Requirements (Articles 59 and 68)

Beyond capital and paperwork, a CASP must demonstrate genuine substance in the Union and sound governance. Article 59(2) of MiCA sets the substance test, and Article 68 sets the governance, fit-and-proper, ICT and record-keeping obligations. These are not box-ticking items: the NCA assesses them substantively, and weaknesses here are a common ground for refusal. The detail below covers what each requires.

Substance: registered office, effective management, EU-resident director

Article 59(2) of MiCA requires three things together: a registered office in a Member State where the CASP carries out at least part of its crypto-asset services, a place of effective management in the Union, and at least one director resident in the Union. The recital reinforces that crypto-asset services should be provided only by legal persons carrying out substantive business activities in their Member State of registration. A common error is to reduce this to "one EU-resident director". The full requirement is broader: real operational presence, real management in the Union, and a resident director.

Fit-and-proper: management body and 10% qualifying holders

Article 68(1) of MiCA requires the management body to be of sufficiently good repute and to possess appropriate knowledge, skills and experience, both individually and collectively, with no convictions for money laundering, terrorist financing or other repute-affecting offences, and a commitment of sufficient time. Article 68(2) extends the good-repute test to shareholders and members holding a qualifying holding, whether direct or indirect. A qualifying holding is defined as at least 10% of the capital or voting rights, or the ability to exercise significant influence. Identifying and vetting these holders early avoids surprises during the NCA's assessment.

ICT, DORA and AML obligations

Article 68(7) of MiCA requires a CASP to employ resilient and secure ICT systems as required by Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), and to maintain a business-continuity policy with ICT continuity, response and recovery plans. Article 68(8) requires AML/CTF systems aligned with the transposition of Directive (EU) 2015/849, the EU's anti-money-laundering framework. Naming these instruments matters: MiCA does not simply say "have IT security", it ties your ICT and AML obligations to two specific, demanding EU regimes. Building a compliant AML and KYC programme is a project in its own right, and our guide to building an AML and KYC program sets out the components.

Record-keeping: five years, up to seven on request

Article 68(9) of MiCA sets a precise record-keeping rule. A CASP must keep records of all services, activities, orders and transactions for a period of five years and, where the competent authority requests it before the five years have elapsed, for a period of up to seven years. The often-quoted "at least five years" is accurate but incomplete: the up-to-seven-year extension on NCA request is the full rule and should be built into your data-retention design from the outset.

Passporting a CASP License Across the EU (Article 65)

A CASP license passports across the EU through a notification regime, not a fresh authorisation. Article 65 of MiCA lets an authorised CASP extend its activities into other Member States by notifying its home NCA. The notification lists the target Member States, the services to be provided cross-border, the intended start date and any other non-MiCA activities. This is the mechanism that turns a single home-state authorisation into genuine single-market reach, and it is why choosing the right home Member State is a strategic decision rather than an administrative one. For the mechanics in depth, see how single-licence EU passporting works.

Notification, not re-authorisation

The passport is procedural, not substantive. Under Article 65(2) of MiCA, the home NCA communicates the notification to the host-Member-State single points of contact, ESMA and EBA within 10 working days. The CASP may then begin to provide services in the host Member State from the date it receives that communication, or at the latest from the 15th calendar day after submitting the information (Article 65(4)). No physical presence in the host Member State is required (Article 59(7)). Describing passporting as "automatic" is imprecise: it is a fast notification with a defined start trigger, not a re-assessment, and not an open-ended permission that exists without filing.

Refusal, Withdrawal and the MiCA Transition Deadline

Authorisation is not guaranteed, and once granted it can be lost. MiCA sets out explicit grounds for refusing an application under Article 63(10) and for withdrawing an authorisation under Article 64, and it provided a transitional window under Article 143 for firms already operating before the regime applied. Understanding all three protects you from avoidable mistakes and sets realistic expectations about timing and conduct.

Grounds for refusal (Art. 63(10)) and withdrawal (Art. 64)

Article 63(10) of MiCA allows an NCA to refuse where there are objective and demonstrable grounds that the management body threatens sound and prudent management or exposes the firm to money-laundering or terrorist-financing risk, where members fail the Article 68(1) criteria, where qualifying holders fail the Article 68(2) good-repute test, or where the applicant fails or is likely to fail any Title V requirement. Article 64 sets out withdrawal grounds: among others, an authorisation left unused within 12 months, no services provided for 9 consecutive months, authorisation obtained by irregular means, a serious infringement, or AML failures. These are the conduct lines that keep a CASP licence valid once issued.

The 1 July 2026 grandfathering cut-off (Art. 143)

Article 143(3) of MiCA provided a transitional regime: CASPs that lawfully provided crypto-asset services before 30 December 2024 could continue to do so until 1 July 2026, or until they were granted or refused an authorisation under Article 63, whichever came sooner. Member States were permitted to shorten or disapply this window where their pre-MiCA national regime was less strict, so the practical deadline varied by country. As of mid-2026 this grandfathering window is essentially closing. Firms still relying on national regimes must already be authorised or have an application in process. We state the general rule here; specific Member State choices and the current usability of the Article 143(6) simplified procedure should be confirmed against MiCA key dates and transition periods before you rely on them.

How We Help You Obtain a CASP License

Obtaining a CASP license is a substantive regulatory project, and the difference between a smooth grant and a stalled file usually lies in preparation. Crypto Valley Partners AG, based in Zug, advises crypto founders, exchange operators and compliance officers through the full Article 62/63 process: confirming which of the ten services you provide and whether the Article 60 pathway applies, selecting your home Member State and NCA, structuring capital and own funds against the Article 67 rule, building the governance, fit-and-proper, DORA and AML elements, preparing the Article 62 application file, and handling the Article 65 passport notifications once you are authorised. We do this without quoting a price list on this page: the right structure and budget depend on your services and home jurisdiction, which we scope together.

From our practice, the completeness phase under Article 63(2) is where most files lose time. NCAs return applications for missing or inconsistent items, the programme of operations, the service-specific policies, the fit-and-proper evidence, before the 40-working-day decision clock even starts. The applications that move fastest are the ones assembled as a coherent whole, where the capital plan, the governance description and the technical ICT documentation tell one consistent story. Front-loading that consistency is the single most useful thing a founder can do.

Choosing your home Member State and NCA

Because a CASP license passports across the EU, your home Member State is a strategic choice rather than a default. Each NCA has its own processing realities, language requirements and supervisory style, which is why we cover them on dedicated country pages. If you are weighing Germany, our guide to BaFin CASP authorisation in Germany covers the German route, and for Spain see the CNMV process in Spain. We help you match your business model, capital position and operational footprint to the jurisdiction where authorisation is most achievable and where your passport will serve you best.