BizLegal-AIStart Free
jurisdiction

Crypto Exchange Registration EU: MiCA CASP Guide 2024

BizLegal-AI Intelligence Deskeu

Crypto Exchange Registration EU: MiCA CASP Guide 2024

What is Crypto Exchange Registration in the European Union (MiCA)?

Crypto exchange registration in the European Union is now governed by the Markets in Crypto-Assets Regulation (MiCA), which entered into full force on 30 December 2024. MiCA establishes a unified, pan-EU licensing framework that replaces the fragmented national regimes previously in place across member states. Under MiCA, any entity operating a crypto exchange — technically classified as a Crypto-Asset Service Provider (CASP) — must obtain authorisation from the competent national authority (NCA) of its home member state before providing services to EU clients.

Prior to MiCA, operators could register under national frameworks such as Germany's BaFin crypto custody regime, France's DASP registration with the AMF, or Lithuania's FNTT virtual currency operator license. Those legacy registrations do not automatically convert to MiCA authorisations. Entities operating under grandfathering provisions had until 1 July 2026 to obtain full MiCA CASP authorisation, subject to individual member state transition periods.

For founders building a crypto exchange targeting European users, understanding the scope of MiCA authorisation is critical. The regulation covers the operation of a trading platform for crypto-assets, which includes centralised exchanges (CEXs), OTC desks, and certain hybrid models. Decentralised exchanges (DEXs) operating without an identifiable legal entity may fall outside MiCA's scope, but regulators are actively assessing this boundary.

Legal Requirements & Regulatory Framework

MiCA is directly applicable EU law — Regulation (EU) 2023/1114 — meaning it does not require transposition into national law and applies uniformly across all 27 member states. The European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) serve as the primary European Supervisory Authorities (ESAs) with mandate to develop Regulatory Technical Standards (RTS) and binding guidelines under MiCA.

The competent national authority varies by jurisdiction. Key regulators include:

  • Germany: Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
  • France: Autorité des marchés financiers (AMF)
  • Netherlands: Autoriteit Financiële Markten (AFM)
  • Ireland: Central Bank of Ireland (CBI)
  • Lithuania: Bank of Lithuania (LB)
  • Malta: Malta Financial Services Authority (MFSA)
  • Luxembourg: Commission de Surveillance du Secteur Financier (CSSF)

Once authorised in one member state, a CASP benefits from the EU passporting mechanism, enabling it to provide crypto exchange services across all EU member states without requiring separate national authorisations. This passporting right is one of the most commercially significant features of the MiCA framework for exchange operators.

MiCA also incorporates Anti-Money Laundering (AML) obligations through its interaction with the Transfer of Funds Regulation (TFR) recast — the so-called Travel Rule — which requires CASPs to transmit originator and beneficiary information for crypto-asset transfers above €0 threshold (no de minimis exemption for crypto).

Key Requirements for CASP Authorisation Under MiCA

Obtaining a crypto exchange EU authorisation under MiCA requires satisfying a comprehensive set of organisational, financial, and governance requirements. The following are the core substantive obligations:

  • Legal Entity Establishment: The applicant must be a legal entity (e.g., a limited liability company or public limited company) registered in an EU member state. Third-country entities cannot directly hold a MiCA CASP authorisation — they require a locally incorporated EU subsidiary.
  • Registered Office & Effective Management: The entity must have its registered office in the member state where it applies for authorisation. At least one director must be resident in the EU, and effective management must demonstrably take place within the EU.
  • Own Funds / Capital Requirements: For operators of a trading platform for crypto-assets (the MiCA classification for crypto exchanges), the minimum own funds requirement is the higher of: €150,000 fixed capital, or one-quarter of the preceding year's fixed overheads. Capital must be in the form of Common Equity Tier 1 (CET1) instruments.
  • Governance & Fit and Proper: All members of the management body, shareholders holding qualifying holdings (≥10%), and senior management must pass fit and proper assessments covering competence, experience, and good repute. Criminal records checks and regulatory history reviews are standard.
  • AML/CFT Programme: A comprehensive AML/CFT framework must be implemented, including a Money Laundering Reporting Officer (MLRO), customer due diligence (CDD) procedures, transaction monitoring systems, and suspicious activity reporting (SAR) protocols consistent with AMLD6 requirements.
  • Custody & Safeguarding: Client crypto-assets and funds must be segregated from the exchange's own assets. Exchanges must implement robust custody policies, including cold storage protocols, key management procedures, and insurance or capital buffers to cover operational losses.
  • Complaints Handling & Conflicts of Interest: Exchanges must have documented complaints handling procedures and publish clear policies on managing conflicts of interest, particularly relevant for exchanges that also act as market makers or issue their own tokens.
  • ICT & Cybersecurity: Resilience requirements under MiCA align with the Digital Operational Resilience Act (DORA), applicable from January 2025, requiring comprehensive ICT risk management frameworks, incident reporting, and third-party risk management.
  • White Paper (where applicable): If the exchange issues or lists crypto-assets that qualify as asset-referenced tokens (ARTs) or e-money tokens (EMTs), separate white paper and issuer authorisation requirements apply.

Step-by-Step Process: CASP Registration Under MiCA

The following outlines the practical pathway to obtaining exchange license Europe authorisation under MiCA:

  • Step 1 — Jurisdiction Selection & Entity Incorporation: Select your home member state based on regulatory pragmatism, existing infrastructure, and NCA responsiveness. Incorporate a local legal entity, ensuring the registered office and management substance meet local requirements. Popular jurisdictions include Ireland, Lithuania, and Luxembourg for their established fintech frameworks.
  • Step 2 — Pre-Application Engagement: Most NCAs offer pre-application meetings or innovation hub consultations. Engage early — BaFin, CBI, and CSSF all have structured pre-submission processes. Use this phase to validate your business model classification and confirm which MiCA crypto-asset service categories apply to your exchange operations.
  • Step 3 — Application Package Preparation: Prepare a comprehensive application dossier including: programme of operations, business plan (3-year financial projections), governance structure, shareholder and UBO documentation, fit and proper evidence for all relevant persons, AML/CFT policy framework, IT infrastructure description, custody and safeguarding policies, complaint handling procedures, and conflicts of interest policy.
  • Step 4 — Submission to NCA: Submit the application through the NCA's designated portal or submission process. Under MiCA, NCAs have 25 working days to assess application completeness and a total of 40 working days (extendable to 80 working days for complex cases) to reach a determination once the application is deemed complete.
  • Step 5 — NCA Review & Supplementary Information: Expect written questions and requests for supplementary information (RFIs) during the review period. Response timelines typically pause the regulatory clock. Engage legal and compliance counsel to prepare accurate, consistent responses.
  • Step 6 — Authorisation Decision: Upon approval, the CASP authorisation is published on ESMA's public CASP register. The authorisation specifies the permitted crypto-asset services, including operation of a trading platform.
  • Step 7 — Passporting Notifications: To expand services into other EU member states, submit passporting notifications to the home NCA, which then coordinates with host NCAs. Passporting is effective upon notification — host NCAs cannot block access but may impose supplementary conduct requirements.
  • Step 8 — Ongoing Compliance: Maintain continuous compliance with MiCA obligations including periodic reporting to the NCA, annual audited accounts, incident reporting, Travel Rule compliance, and any changes to governance or ownership requiring pre-approval.

Common Mistakes to Avoid

Experienced legal practitioners advising on CASP registration MiCA applications consistently identify the following errors as the most costly and time-consuming to remediate:

  • Insufficient Management Substance: Appointing nominee directors or routing all decision-making outside the EU is the single most common rejection basis. NCAs conduct substance assessments including reviewing board meeting locations, management contracts, and organisational charts.
  • Underestimating Capital Requirements: Applicants frequently calculate minimum own funds solely on the €150,000 fixed minimum without modelling the fixed overhead calculation, which can significantly exceed the floor for operational exchanges with staff and infrastructure costs.
  • Inadequate AML Infrastructure at Application Stage: Submitting a theoretical AML framework without demonstrable implementation evidence — including technology stack details, MLRO appointment, and CDD procedures — routinely triggers prolonged review cycles or outright rejection.
  • Misclassifying Business Activities: Exchanges offering staking, lending, or portfolio management services alongside trading must ensure all service categories are captured in the application. Operating unlicensed MiCA services post-authorisation constitutes a serious regulatory breach.
  • Failing to Account for DORA Obligations: CASPs that qualify as financial entities under DORA must implement full ICT risk management frameworks from day one of authorisation. Treating DORA as a post-licensing compliance item is a significant error.
  • Ignoring Travel Rule Readiness: Exchanges must demonstrate operational Travel Rule compliance at the point of authorisation, not merely at some future date. Integration with a VASP data-sharing solution (e.g., Notabene, Sygna, or VerifyVASP) should be completed before submission.

Frequently Asked Questions

How long does CASP registration under MiCA take in practice?

The statutory timeline under MiCA is 40 working days from a complete application, extendable to 80 working days. However, in practice, the total process from initial NCA engagement to authorisation typically ranges from 6 to 18 months, depending on the jurisdiction, the complexity of the business model, and the quality of the initial application. NCAs with higher application volumes, such as BaFin, may experience longer de facto timelines than smaller jurisdictions like Lithuania or Malta.

Can a non-EU company offer crypto exchange services to EU clients under MiCA?

Third-country CASPs cannot passport into the EU under MiCA in the same manner as authorised EU CASPs. MiCA does not include a formal third-country equivalence regime for CASPs comparable to MiFID II's third-country firm framework. Third-country entities can only serve EU clients on a reverse solicitation basis — where the client exclusively initiates the relationship — which is narrowly interpreted by ESMA. Practically speaking, any exchange actively marketing to EU clients must hold a MiCA CASP authorisation through an EU-incorporated entity.

Does MiCA apply to decentralised exchanges (DEXs)?

MiCA applies to crypto-asset services provided by identifiable legal entities. Where a DEX operates through fully automated, non-custodial smart contracts without any controlling legal entity, it may fall outside MiCA's scope. However, ESMA has signalled that DEXs with a controlling company, governance token holders exercising material control, or any centralised operational component are likely to be captured. Founders of DEX projects should obtain specific legal analysis of their architecture before concluding they are outside MiCA's perimeter.

What is the difference between MiCA authorisation and the previous national crypto registrations?

Pre-MiCA national registrations — such as Germany's Section 32 KWG crypto custody licence, France's DASP registration, or Lithuania's FNTT virtual currency operator registration — were jurisdiction-specific and did not provide passporting rights. MiCA authorisation is a single EU-wide licence with full passporting across all 27 member states, substantially higher governance and capital requirements, and ongoing supervisory obligations enforced at both national and ESA level. Existing national registrations do not automatically convert; operators must apply for full MiCA authorisation within the applicable transition period.

Which EU member state is the best jurisdiction for CASP registration?

Jurisdiction selection depends on your specific operational profile, existing corporate infrastructure, and regulatory risk tolerance. Lithuania and Ireland have historically offered pragmatic, commercially experienced regulators with fintech-friendly ecosystems. Luxembourg's CSSF and Malta's MFSA bring established financial services frameworks. Germany's BaFin offers regulatory credibility but higher scrutiny and longer timelines. France's AMF is rigorous but has deep crypto expertise given its early DASP regime. Legal counsel with direct NCA relationships in your preferred jurisdiction is essential — the quality of pre-application engagement significantly affects outcomes.

crypto exchange EUCASP registration MiCAexchange license Europeeuropean-union
Turn this guide into a plan

Get your jurisdiction-specific compliance risk score

BizLegal-AI maps your structure against this exact regulation and tells you what's missing — before a regulator does. Free preview, no card required.

Run my free risk check →

Used by founders & counsel across 50+ jurisdictions · Not legal advice

Related

Regulatory changes, before they cost you

One email when a rule that affects crypto, fintech, or cross-border deals actually changes. No noise. Unsubscribe anytime.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.