Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 2 hours ago
This page is the definitive guide for founders, compliance officers, in-house counsel and crypto-exchange or custody teams seeking structured, lawyer-led support for MiCA CASP authorisation EU-wide. Whether you are launching a new crypto-asset service or migrating an existing operation into the regulated perimeter, the information below covers every stage from eligibility and capital planning through to passporting and ongoing compliance.
The transitional arrangements that allowed certain crypto-asset service providers to continue operating under national regimes have now ended. On 23 June 2026, ESMA issued a public statement confirming the expiry of the MiCA transitional period. Firms still relying on interim or grandfathered registrations now face enforcement risk, restricted passporting options and, in many cases, the obligation to cease providing services to EU clients. The window for orderly preparation has narrowed immediate action is essential.
Regulation (EU) 2023/1114 commonly known as MiCA establishes a harmonised licensing framework for crypto-asset service providers across the entire European Union. Once a firm obtains authorisation from the national competent authority (NCA) in its home Member State, it receives a single EU passport that enables it to provide the authorised services in every other EU/EEA country without the need for a separate licence in each jurisdiction.
The European Commission summarises the policy intent as creating a level playing field: one application, one set of prudential standards, and cross-border access for both providers and their clients. In practice, passporting is subject to a notification procedure the home NCA informs the host NCA, and the CASP must comply with local AML and consumer-protection rules where it serves clients. The passport covers the crypto-asset services specified in the authorisation (for example, custody and administration, exchange services, order execution, transfer services, advice, and portfolio management) but does not extend to activities outside MiCA’s scope, such as the issuance of asset-referenced tokens (ARTs) or e-money tokens (EMTs), which require separate authorisation tracks.
MiCA requires that a CASP applicant has its registered office and effective management in an EU Member State. The home Member State is determined by the location of the registered office. Substance expectations are real: NCAs will assess whether decision-making, compliance oversight and key operational functions are genuinely located within the EU rather than being letter-box arrangements. At least one director (and typically the compliance officer and MLRO) must be resident in the home jurisdiction. The ESMA Supervisory Briefing on Authorisation of CASPs reinforces these substance expectations and signals that NCAs should scrutinise whether the entity is genuinely managed from within its home Member State.
Applicants must demonstrate robust governance, including fit-and-proper assessments for all members of the management body and qualifying shareholders. NCAs evaluate professional experience, criminal-record checks and potential conflicts of interest. Internally, the CASP must establish documented policies for risk management, internal audit, outsourcing oversight, business continuity and conflict-of-interest management. A clear organisational chart delineating reporting lines, control functions and segregation of duties is a mandatory component of the application dossier.
MiCA sets minimum own-funds requirements that vary by the type of crypto-asset service provided. Under the regulation’s framework, the baseline floors are designed to ensure that CASPs can absorb operational losses and wind down in an orderly manner. The own-funds requirement is the higher of a fixed minimum (which varies by service class, with the lowest floor set at €50,000 for certain advisory or order-reception services and higher thresholds up to €150,000 for custody or exchange-type activities) or a percentage of fixed overheads. Delegated and implementing measures further specify calculation methods. Applicants should model both the fixed floor and the overheads-based calculation to determine which binds. NCA-specific guidance may add supplementary buffers; always confirm with the relevant authority. These requirements are set out in Title V of Regulation (EU) 2023/1114.
Beyond capital, CASPs must satisfy a range of prudential and operational standards:
A well-managed MiCA CASP authorisation application typically follows a structured path from initial planning through to passporting readiness. The downloadable “MiCA CASP Authorisation: Complete Application Checklist & Documentation Pack” provides an itemised annex list, sample organisational chart and jurisdiction-by-jurisdiction contact details. The summary process below outlines the core stages.
Define the services to be authorised (custody, exchange, transfer, advice, portfolio management, etc.), the target client base and the preferred home Member State. Prepare a shortlist of jurisdictions based on regulatory speed, language capabilities, substance feasibility and corporate-law environment. Engage specialist legal counsel for a preliminary eligibility review and gap analysis against MiCA requirements before committing resources.
Appoint or identify proposed board members, compliance officers and the MLRO. Commission fit-and-proper assessments. Draft and adopt all required internal policies: AML/KYC, risk management, custody segregation, outsourcing oversight, conflict-of-interest management, data protection and complaints handling. Each policy must be board-approved, version-controlled and aligned with NCA supervisory expectations set out in the ESMA supervisory briefing.
Prepare three-year financial projections covering revenue assumptions, operating costs and capital adequacy. Determine the applicable minimum own-funds requirement (the higher of the fixed floor for the relevant service class or the overheads-based calculation). Document sources of initial capital, shareholder funding commitments and any planned subordinated instruments. NCAs will scrutinise the credibility and sustainability of the capital plan.
Build or validate IT infrastructure, custody technology, key-management processes and incident-response capabilities. Conduct an independent penetration test and remediate findings. Prepare business-continuity and disaster-recovery plans. Ensure that the technology stack supports MiCA-compliant transaction monitoring, record-keeping and regulatory reporting. Document all outsourcing arrangements and perform due diligence on critical third-party providers.
Compile the complete application dossier as specified by the home NCA. This typically includes the detailed business plan, programme of operations, compliance manuals, organisational chart with CVs of key personnel, shareholder structure diagrams, evidence of capital, internal-control documentation and AML risk assessments. The Bank of Lithuania’s CASP authorisation page provides a representative example of the documentary requirements that NCAs publish.
Most NCAs offer (and some require) a pre-application meeting. This is an opportunity to present the business model, clarify regulatory expectations and identify potential obstacles before formal submission. Following submission, expect an iterative process: the NCA may issue requests for information, require amendments to policies or seek additional evidence of substance. Proactive, well-prepared responses to clarification requests significantly reduce overall timelines.
MiCA allows NCAs up to 25 business days to acknowledge completeness and then up to 40 business days to issue or refuse authorisation from the date the application is deemed complete (with possible extensions). In practice, total elapsed time from first submission to authorisation decision varies considerably between NCAs industry observers note that well-prepared applications in faster jurisdictions may achieve authorisation within three to five months, while complex applications or those requiring substantial remediation can take longer. Common reasons for delay include incomplete documentation, inadequate substance evidence, governance deficiencies and unresolved AML policy gaps.
For an itemised breakdown, refer to the MiCA CASP authorisation application checklist and downloadable documentation pack.
Total set-up costs for MiCA CASP authorisation vary significantly based on business model complexity, jurisdiction and whether the applicant is building compliance infrastructure from scratch. As a broad indication, a smaller CASP (brokerage or advisory model) might expect one-off legal, compliance, technology and audit costs in the range of €150,000–€350,000, while a medium-sized exchange or custody platform could incur set-up costs of €400,000–€800,000 or more. These estimates cover external legal advisory fees, policy drafting, IT security audits, penetration testing, recruitment of key personnel and NCA application fees (which vary by jurisdiction).
As noted above, MiCA’s own-funds floors range from €50,000 for lower-risk service classes up to €150,000 for custody, exchange or trading-platform activities or one quarter of fixed overheads of the preceding year, whichever is higher. In practice, NCAs may require applicants to hold capital above the regulatory minimum where their risk profile, business model or growth projections warrant it. The precise calculation methodology is detailed in Title V of MiCA and associated technical standards.
Post-authorisation, CASPs should budget for recurring compliance costs including regulatory reporting, external audit, SOC assessments, penetration testing, ongoing AML monitoring tools and staff training. Recommended key hires and approximate EU salary ranges include:
Smaller CASPs may combine roles, but NCAs increasingly expect dedicated function holders, particularly for compliance and AML. Total ongoing compliance costs (staff, technology, audit and reporting) typically range from €250,000 to €700,000 annually depending on scale and service scope.
Selecting the right home Member State for MiCA CASP authorisation is a strategic decision that should account for regulatory predictability, time to decision, language and communication ease, local substance requirements, corporate and tax friction, and proximity to target markets. The authorisation is EU-wide once granted, but the day-to-day supervisory relationship is with the home NCA making regulator engagement quality a critical factor.
| Home Country | Typical Time to Decision | Regulator Responsiveness | Application Fees | Notable Local Requirements |
|---|---|---|---|---|
| Lithuania (Bank of Lithuania) | 3–5 months (well-prepared applications) | High established crypto-licensing track record; English-language engagement | Moderate (fee schedule published by Bank of Lithuania) | Local director/substance; competitive corporate environment; strong fintech ecosystem |
| Netherlands (AFM / DNB) | 4–7 months | High rigorous but predictable; extensive supervisory guidance from DNB | Higher (significant ongoing supervisory levies) | Strong substance expectations; existing AML infrastructure from AMLD registration regime |
| Austria (FMA) | 4–6 months | Moderate-to-high FMA has published MiCA roadmaps and guidance | Moderate | German-language administration (though FMA accepts English documentation in many cases); well-structured corporate law |
| Cyprus (CySEC) | 5–8 months (dependent on application quality) | Moderate improving, with dedicated crypto-asset units | Moderate | Established financial-services hub; favourable corporate/tax environment; close alignment with MiFID-based supervision |
The optimal jurisdiction depends on the CASP’s specific service mix and target market. A custody or exchange platform serving institutional clients may prioritise the Netherlands or Austria for supervisory credibility, while a fintech-oriented brokerage or advisory firm may favour Lithuania for speed and operational flexibility. CASPs expecting the majority of their clients in Southern or Central Europe might weigh Cyprus’s geographic and linguistic advantages. In every case, the passporting mechanism means that the authorisation extends EU-wide the choice of home state shapes the supervisory relationship, not the commercial reach. A detailed comparison of EU member states for MiCA CASP authorisation covering additional jurisdictions is available in the jurisdiction comparison guide.
Authorisation is the beginning, not the end, of the compliance journey. CASPs must submit regular prudential reports (capital adequacy, own-funds calculations, liquidity positions) to their home NCA. Material changes to governance board appointments, qualifying-shareholder changes, outsourcing arrangements require prior notification or approval. Cybersecurity incidents, operational disruptions and significant complaints must be reported within prescribed timeframes. NCAs have the power to require ad hoc reporting and on-site inspections.
To passport services into another Member State, the authorised CASP notifies its home NCA, which then transmits the notification to the host NCA. The host authority may impose local AML obligations and consumer-protection rules, but cannot require a separate licence. The ESMA MiCA rulebook and resources provide the supervisory framework underpinning cross-border notifications. In practice, passporting enables rapid market entry across EU Member States but compliance with host-state AML regimes and local conduct rules remains the CASP’s responsibility. Maintaining accurate registers of passported activities and clients by jurisdiction is essential for audit and supervisory purposes.
MiCA grants NCAs extensive powers to suspend, restrict or withdraw authorisation. Common triggers include persistent capital shortfalls, governance failures, AML breaches, material misstatements in the application, failure to commence services within 12 months of authorisation, or a finding that the CASP no longer meets the conditions for authorisation. Article 64 and Article 74 of MiCA set out the withdrawal grounds and the requirements for orderly wind-down, including the protection of client assets and funds during the wind-down period. Firms should maintain standing wind-down plans and earmarked resources to ensure that an orderly exit is achievable at all times.
With the MiCA transitional period now closed, obtaining full CASP authorisation is no longer optional for any firm providing crypto-asset services to EU clients. The regulatory landscape is consolidating rapidly, and firms without authorisation face enforcement action, market exclusion and reputational damage.
To prepare effectively for MiCA CASP authorisation EU-wide, firms should take the following immediate steps:
The MiCA compliance playbook covering AML, custody and governance requirements provides further operational guidance for firms building or upgrading their compliance infrastructure. Proactive preparation, combined with experienced legal support, remains the most reliable path to timely authorisation and effective EU-wide passporting.
posted 2 hours ago
posted 4 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.