How to Get a Crypto License: A Step-by-Step Guide

Getting a crypto license is the regulated process of obtaining authorization to legally provide crypto-asset services. In the EU this means a CASP authorization under MiCA, granted by a national competent authority and valid across the EEA. The route runs through twelve clear steps: define your service scope, choose a jurisdiction, form an entity, meet the capital rule, build AML controls, pass fit-and-proper checks, file the application, then clear the statutory review clock.

That sequence is the same whether you plan to run a trading platform, hold client assets in custody, or offer order execution. What changes is the capital tier, the documents you attach, and the regulator you file with. This guide walks the whole path in order, with the working-day timelines and capital figures pinned to MiCA Regulation (EU) 2023/1114 and named regulators. For the broader landscape and how this page fits, see our complete crypto licensing guide.

By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14

How to get a crypto license in brief (the 12-step overview)

The fastest way to understand the process is to read the full sequence end to end, then the headline timeline. Everything that follows in this guide expands one of these twelve steps with the underlying rule and the documents it demands.

The full process at a glance (numbered list)

1. Define your service scope and pick the regulated activities (programme of operations).
2. Select the jurisdiction or home Member State and confirm the right regime.
3. Form the legal entity and meet the prudential capital requirement.
4. Deposit and evidence your share capital.
5. Build the AML/CFT framework and appoint an AML/compliance officer (MLRO).
6. Assemble fit-and-proper and governance documentation.
7. Prepare the full application pack (business plan, policies, ICT systems).
8. Submit the application to the regulator and pay the fee.
9. Pass the completeness check, which starts the statutory clock (25 working days).
10. Clear the substantive assessment and regulator question round (40 working days).
11. Receive approval and entry on the national and ESMA registers, then passport across the EEA.
12. Run ongoing compliance and supervision obligations.

How long it takes and what it costs (the short answer)

Under MiCA the regulator has 25 working days to confirm your application is complete, then 40 working days to issue a reasoned decision once it is complete, and the clock can pause for up to 20 working days while you supply missing information (MiCA Art. 63). Capital is the higher of the Annex IV class minimum (EUR 50,000 / 125,000 / 150,000) or one quarter of your fixed overheads.

Before you start: which crypto license do you actually need?

The phrase "crypto license" covers several distinct regimes, and the one you need is driven by what your business does and where it is based, not by preference. A custodian, an exchange operator and a portfolio manager all hold different authorizations even inside the same jurisdiction. Resolving this early prevents the most expensive mistake in licensing, which is preparing the wrong application. The three live pathways in 2026 are MiCA CASP authorization in the EU, legacy national VASP regimes that are now being phased out, and non-EU routes such as Switzerland's FINMA and self-regulatory-organisation framework. For a structured map of every license category, see our breakdown of the types of crypto licenses.

CASP authorization under MiCA (the EU default)

Inside the European Union the default pathway is authorization as a crypto-asset service provider under MiCA Regulation (EU) 2023/1114. You apply to the national competent authority of your home Member State, and a single MiCA authorization then passports across the entire European Economic Area without a fresh license in each country. ESMA coordinates a convergent approach across NCAs so the bar is broadly consistent (ESMA MiCA). This is why most operators serving European customers treat CASP under MiCA as the baseline target.

The legacy VASP to CASP transition

Before MiCA, member states ran their own virtual-asset-service-provider registers. Those legacy national VASP regimes are being replaced by harmonized MiCA CASP authorization, and operators on old registrations must migrate. Estonia is the clearest marker: legacy FIU VASP licences cease to be valid after 1 July 2026 (Estonia FSA confirmation, 23 March 2026). Grandfathering windows differ by Member State, so existing registrants should confirm their own deadline early. If you are evaluating the FATF-derived VASP framework rather than the EU regime, start with our guide to VASP registration.

Non-EU routes (Switzerland FINMA / SRO)

Switzerland sits outside the EU and runs a separate regime. AML-only activity is handled through mandatory membership in a self-regulatory organisation under the Anti-Money Laundering Act, while banking, securities, DLT-trading-facility or stablecoin activity needs direct authorization from FINMA. There is no MiCA-style 25 plus 40 working-day statutory clock here; the regulatory path is determined by what the business does. Because Crypto Valley Partners AG is based in Zug, this is a route we work in closely. For the full Swiss picture, see our page on Switzerland licence requirements.

Step 1-2: Define your service scope and choose a jurisdiction

The first two steps shape everything downstream, because the services you commit to determine your capital class, your document load and even which regulator is the right one. These decisions belong on paper before you incorporate anything, since they form the spine of the application itself.

Pick your regulated crypto-asset services (programme of operations)

MiCA requires the application to contain a programme of operations that sets out the types of crypto-asset services the applicant intends to provide, including where and how those services are marketed (MiCA Art. 62(2)(d)). The defined services include reception and transmission of orders, advice, placing, execution, transfer services, portfolio management, custody and administration of crypto-assets, and operating a crypto-asset trading platform. This choice is not cosmetic: it maps directly to the capital tier covered in Step 3 and to the activity-specific policies you must attach. Reviewing the full types of crypto licenses helps confirm you have scoped every activity you actually intend to run.

Choose the home Member State / regime

The application goes to the national competent authority of your home Member State, and one MiCA authorization then passports across the EEA (MiCA Art. 62(1)). Choice of regime is driven by activity rather than preference: a Swiss AML-only intermediary belongs in the SRO route, while a pan-European exchange belongs under MiCA. Practical factors then influence which Member State you file in, including regulator throughput, language of filing and local substance expectations. To compare how each country handles the same regime, see our overview of crypto regulation by country.

Step 3-4: Form the legal entity and meet the capital requirement

With scope and jurisdiction fixed, you incorporate the operating entity and put the prudential capital in place. This is where the "how much money do I need" question gets a precise answer, because MiCA sets a hard floor and a formula that sits above it.

Set up a legal entity with local substance

MiCA authorization requires a legal entity with genuine substance in the jurisdiction, not a shell. The company-law baseline for incorporation depends on the form you pick. On the Switzerland route, for example, an Aktiengesellschaft (AG) carries a minimum share capital of CHF 100,000 with CHF 50,000 paid in initially, while a GmbH carries a minimum of CHF 20,000. Those figures are company-law incorporation baselines, separate from the prudential licence capital under MiCA. For EU routes, paid-in capital is typically evidenced with an EU credit institution. The exact local substance expectations, including resident officers and physical presence, vary by NCA.

Calculate your own funds (Annex IV vs one quarter of fixed overheads)

The own-funds rule is the higher of two numbers. Under MiCA Art. 67 a CASP must hold own funds of at least the higher of (a) the Annex IV permanent minimum capital for its class, or (b) one quarter of the preceding year's fixed overheads. The overheads figure is reviewed annually, so a growing firm should expect its capital floor to rise with its cost base rather than stay fixed at the class minimum. New entrants without a full year of accounts generally start from the Annex IV class figure.

The three capital classes (EUR 50,000 / 125,000 / 150,000)

The Annex IV class minimums step up with the services you provide (MiCA Annex IV):

Remember the higher-of rule: if a quarter of your fixed overheads exceeds the class minimum, that larger figure governs. Pick the tier that matches your scope from Step 1 and budget to the higher number.

Deposit and evidence your share capital

The application must include proof that the applicant meets the prudential-safeguard requirements set out in Article 67 (MiCA Art. 62(2)(e)). In practice that means paid-in capital is evidenced, typically held with an EU credit institution for EU routes, with documentation the NCA can verify. Because hard cost detail beyond the capital floor varies by regime, we keep application fees and ongoing expenses on a dedicated page; see what a crypto licence costs for the figures.

Step 5-6: Build your AML/CFT framework and pass the fit-and-proper checks

Steps 5 and 6 are where most first-time applicants underestimate the work. Regulators treat anti-money-laundering controls and the integrity of your people as non-negotiable, and weak documentation here is a common reason applications stall during the assessment phase.

Appoint an AML/compliance officer (MLRO) and write your AML policies

MiCA requires internal control mechanisms and policies to identify, assess and manage risks, including money-laundering and terrorist-financing risks, alongside a business continuity plan (MiCA Art. 62(2)(i)). Appointing a resident AML officer is standard practice across EU CASP routes, for example under the Bank of Lithuania regime. In Switzerland, AML-only intermediaries satisfy this obligation through mandatory SRO membership under the AMLA rather than a direct CASP filing. Your written policies should cover risk assessment, customer due diligence, transaction monitoring and reporting. For the full programme build-out, see our AML/KYC compliance program guide.

Pass fit-and-proper and good-repute checks

The regulator scrutinises the people behind the firm. The application must describe governance arrangements, prove that management-body members are of good repute and hold appropriate knowledge, skills and experience, and identify shareholders or members with qualifying holdings together with proof of their good repute (MiCA Art. 62(2)(f), (g), (h)). NCAs may also consult AML authorities and financial intelligence units to confirm the applicant has not been investigated for money-laundering or terrorist-financing offences (MiCA Art. 63(6)). Gaps in director CVs, unexplained ownership structures or unresolved background flags are the items that most often trigger a further-information request.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisers, no commitment. Book a Call

Step 7-8: Assemble the application pack and submit it

Now the documents come together into a single, regulator-ready pack and go in. The MiCA contents list is fixed by regulation, and the EU has standardised the form itself, which makes this stage more about completeness than guesswork.

The crypto license document checklist (MiCA Art. 62(2))

The core documents required of every applicant are set out in MiCA Art. 62(2):

• Legal and commercial name, LEI, website, contact details and physical address (a).
• Legal form (b) and articles of association where applicable (c).
• Programme of operations and business plan, with how and where services are marketed (d).
• Proof of prudential safeguards (capital) per Article 67 (e).
• Description of governance arrangements (f).
• Management-body good repute and knowledge, skills and experience (g).
• Qualifying-holding shareholders: identity and good repute (h).
• Internal controls and risk management, including ML/TF, plus a business continuity plan (i).
• ICT systems and security documentation with a non-technical description (j).
• Client crypto-asset and funds segregation procedure (k) and complaints-handling procedure (l).
• Activity-specific policies where applicable: custody (m), trading-platform rules and market-abuse detection (n), exchange pricing methodology (o), order-execution policy (p), advice or portfolio-management expertise (q), transfer-services methodology (r), and the type of crypto-asset involved (s).

The standard EU application form is set by the implementing technical standards in Commission Implementing Regulation (EU) 2025/306, with the detailed contents specified in the regulatory technical standards in Commission Delegated Regulation (EU) 2025/305 (ESMA). National NCAs may add local requirements such as notarised translations or local audit on top of this MiCA baseline. For a worked national example, see our Switzerland application checklist.

Submit to the regulator and pay the application fee

Submission runs through each NCA's channels. The CSSF in Luxembourg, for instance, takes initial contact, then submission via its Managed File Transfer system, then examination, then registration (CSSF). Sweden's Finansinspektionen assigns a reference number and issues a fee and administrator letter before assessment begins (Finansinspektionen). Application fees vary by regime and several are only market-reported rather than confirmed against live schedules, so we route the hard numbers to what a crypto licence costs rather than state them as official here.

Step 9-10: The statutory review clock (completeness check and decision)

This is the part of the process most applicants want pinned down, because it is the only stretch with hard, published deadlines. MiCA splits the review into a completeness check and a substantive decision, each with its own working-day clock.

Completeness check (within 25 working days)

Once your application arrives, the NCA must assess whether it is complete within 25 working days of receipt by checking that the Article 62(2) information was submitted (MiCA Art. 63(2)). If anything is missing, the regulator sets a deadline for you to supply it, and the substantive clock does not start until the file is complete. A clean, complete pack is therefore the single biggest lever on total elapsed time.

Substantive assessment and the 40-working-day decision

From receipt of a complete application, the NCA has 40 working days to assess compliance and adopt a fully reasoned decision granting or refusing authorization (MiCA Art. 63(9)). Yes, this clock can be paused: during the assessment, and no later than the 20th working day, the regulator may request further information, which suspends the 40-working-day clock until you respond, and that suspension cannot exceed 20 working days (MiCA Art. 63(12)).

Real-world timelines by regime (how long it really takes)

The statutory working-day figures are the only official numbers. Real end-to-end timelines, including entity setup and document preparation, are longer and are estimates rather than published figures.

End-to-end, allowing for entity formation, document preparation and the statutory review, the full cycle commonly runs several months to roughly one year depending on regime and application quality. That range is an estimate, not an official figure.

Step 11-12: Get authorized, then stay compliant

A grant of authorization is the start of an obligation, not the finish line. The last two steps cover what approval actually delivers and what you must keep doing once you hold the license.

Approval, register entry and the EEA passport

On a positive decision the entity is authorized and entered on both the national register and the ESMA register (CSSF). An authorized EU CASP can then passport its services across the EEA by notification, without a separate license in each Member State (ESMA). This single-authorization, multi-market outcome is the core commercial reason most operators choose the MiCA route over a patchwork of national registrations.

Ongoing compliance and supervision obligations

After authorization you must maintain prudential safeguards at all times, with the quarter-of-overheads figure recalculated and reviewed annually (MiCA Art. 67). AML/CFT controls, client-asset segregation, complaints handling, ICT resilience and governance must stay operative, alongside ongoing supervisory and reporting duties. Supervision also carries cost: Sweden's Finansinspektionen levies an annual supervisory fee from a minimum of SEK 150,000 per year on top of the application fee (Finansinspektionen).

How a Zug-based advisor shortens the path

From our practice at Crypto Valley Partners AG in Zug, the steps that decide whether an application clears the clock cleanly are rarely the dramatic ones. They are the unglamorous ones: a programme of operations that maps precisely to the capital class, director and shareholder documentation that survives fit-and-proper scrutiny without a follow-up question, and an AML framework written to the regulator's expectations rather than a template. When those are right the first time, the further-information request that suspends the 40-working-day clock simply does not arrive.