MiCA CASP License Guide EU: Crypto Asset Service Provider 2024

What is a MiCA CASP License in the European Union?

A Crypto Asset Service Provider (CASP) license under the Markets in Crypto-Assets Regulation (MiCA) is the mandatory authorization required for any entity wishing to provide crypto asset services to clients within the European Union. MiCA Regulation (EU) 2023/1114) entered into force on June 29, 2023, with CASP-specific provisions applying from December 30, 2024. This unified regulatory framework replaces the fragmented national licensing regimes previously operated by individual EU member states and creates a single passportable authorization valid across all 27 EU member states.

The MiCA CASP license is issued by a National Competent Authority (NCA) in the member state where the applicant is domiciled. Prominent NCAs include the Autorité des marchés financiers (AMF) in France, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Germany, the Central Bank of Ireland, the Commissione Nazionale per le Società e la Borsa (CONSOB) in Italy, and De Nederlandsche Bank (DNB) in the Netherlands. The European Securities and Markets Authority (ESMA) plays a central coordination and supervisory convergence role, maintaining the public register of all authorized CASPs across the EU.

Entities that require a MiCA CASP license include operators of crypto asset trading platforms, providers of custody and administration services for crypto assets on behalf of clients, operators of crypto asset exchanges, crypto asset portfolio managers, crypto asset advisors, and transfer service providers. Notably, issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) are subject to separate but related MiCA authorization requirements handled primarily by banking or financial regulators.

Legal Requirements and Regulatory Framework

The MiCA CASP license regime is governed by Title V of Regulation (EU) 2023/1114. Articles 59 through 76 set out the authorization requirements, ongoing obligations, and conduct-of-business rules applicable to all crypto asset service providers. The legal basis is complemented by ESMA's regulatory technical standards (RTS) and implementing technical standards (ITS), several of which were finalized and published throughout 2024 to provide granular compliance guidance.

Under Article 62, any legal person or certain undertakings intending to provide crypto asset services in the EU must apply for authorization as a CASP. Applicants must be established in an EU member state, have their registered office in that same state, and conduct at least part of their crypto asset service activities in that jurisdiction. Third-country firms may only offer services to EU clients under a reverse solicitation exception, which ESMA has clarified is strictly narrow in scope and cannot be used as a systematic business strategy.

Capital requirements under Article 67 are tiered by service type. Entities providing only crypto asset advice or order reception and transmission must hold minimum own funds of €50,000. Those operating a trading platform or providing portfolio management services must hold €125,000. Entities offering custody, exchange against fiat, or operating a multilateral trading facility for crypto assets must hold €150,000. These requirements are floors, and NCAs may impose higher requirements based on the risk profile of the applicant.

Prudential requirements also mandate that CASPs hold either own funds meeting the minimum threshold or a professional indemnity insurance policy covering territories where services are provided. Governance requirements mandate at least two independent directors, fit-and-proper assessments of all management body members, robust internal controls, and documented conflicts-of-interest policies. CASPs must also hold client crypto assets and funds in segregated accounts and implement comprehensive cybersecurity frameworks aligned with DORA (Digital Operational Resilience Act, Regulation EU 2022/2554), which applies concurrently to regulated crypto entities.

Key Clauses and Compliance Requirements

The MiCA CASP license framework imposes a detailed set of ongoing obligations that extend well beyond initial authorization. Key compliance requirements include the following areas:

• Client Asset Protection (Article 70): CASPs must segregate client crypto assets and fiat funds from their own proprietary assets. Custody providers must maintain detailed registers of client holdings and implement recovery procedures in the event of insolvency.
• Conflicts of Interest (Article 72): CASPs must identify, disclose, and manage conflicts of interest. Firms that operate both a trading platform and provide portfolio management must demonstrate structural separation between these functions.
• Complaints Handling (Article 71): Effective and transparent procedures for receiving, investigating, and resolving client complaints must be in place, with records maintained for at least five years.
• Market Abuse Prevention (Articles 90-96): CASPs must establish insider trading and market manipulation surveillance systems. Suspicious transaction and order reporting (STOR) obligations apply, with reports directed to the relevant NCA.
• AML/CFT Compliance: MiCA does not replace but operates alongside the EU Anti-Money Laundering framework. CASPs are obligated entities under the Sixth Anti-Money Laundering Directive (6AMLD) and the Transfer of Funds Regulation (TFR), which since 2023 applies the Travel Rule to all crypto asset transfers regardless of value.
• White Paper Requirements: When a CASP admits crypto assets to trading or provides services related to assets for which no issuer white paper exists, the CASP may be required to produce a white paper on the issuer's behalf under Article 68.
• Annual Reporting: CASPs must submit periodic regulatory reports to their NCA covering capital adequacy, client asset positions, incident reports, and business volume data as specified in ESMA's ITS on reporting formats.

Step-by-Step Process to Obtain a MiCA CASP License

The MiCA CASP license application process is detailed and typically takes between three and twelve months depending on the NCA, the completeness of the submission, and the complexity of the applicant's business model. The following steps outline the standard process:

• Step 1 — Jurisdiction Selection and Pre-Application Engagement: Select the EU member state where you will be domiciled and establish genuine substance in that jurisdiction. Engage with the chosen NCA's innovation hub or regulatory sandbox program where available (ESMA maintains a directory of national innovation facilitators). Pre-application meetings are strongly recommended and formally encouraged by most NCAs including the Central Bank of Ireland and AMF.
• Step 2 — Legal Entity Establishment: Incorporate a legal entity (typically a private limited company or equivalent) in the chosen member state. The entity must have a registered office and operational presence, including local staff in qualifying roles.
• Step 3 — Governance and Management Body Assembly: Appoint a management body compliant with Article 68 requirements. All directors and qualifying shareholders must undergo fit-and-proper assessments. Prepare detailed CVs, criminal record certificates, and financial soundness declarations for all individuals.
• Step 4 — Policy and Procedure Documentation: Draft the full compliance documentation package including AML/CFT policies, conflicts of interest framework, client asset protection procedures, cybersecurity and DORA compliance documentation, complaints handling procedures, business continuity plans, and the outsourcing register.
• Step 5 — Capital Preparation: Ensure the entity holds the required minimum own funds in a segregated bank account. Prepare audited financial statements or pro forma financial projections if the entity is newly incorporated. Consider professional indemnity insurance as an alternative or supplement.
• Step 6 — Application Submission: Submit the formal application to the NCA using the prescribed forms and information requirements set out in ESMA's RTS on authorization under Article 62(5). The NCA has 25 business days to confirm completeness and 40 business days from confirmation to issue a decision, extendable by a further 20 business days in complex cases.
• Step 7 — NCA Review and Queries: Respond promptly and comprehensively to any NCA queries during the review period. Delays in responding can extend the assessment timeline significantly.
• Step 8 — Authorization and ESMA Registration: Upon approval, the NCA notifies ESMA, which adds the authorized CASP to the public EU-wide register. The authorization is valid across all 27 member states without additional local licensing requirements, subject to standard passporting notifications.

Common Mistakes to Avoid

Legal professionals and founders frequently encounter the following pitfalls in the MiCA CASP licensing process. Awareness of these issues can significantly reduce delays and regulatory risk:

• Letterbox Entity Risk: NCAs are scrutinizing applications where the applicant lacks genuine substance in the member state. A registered address with no local staff or management decision-making is insufficient and will result in rejection or enhanced scrutiny.
• Underestimating the Compliance Documentation Burden: MiCA requires a comprehensive policy framework from day one of authorization, not at some future point. Applicants who submit thin or templated compliance documentation without tailoring it to their specific business model face extended NCA queries and potential refusal.
• Misclassifying Services: Incorrectly identifying which CASP services the entity provides leads to incorrect capital calculations and missing regulatory obligations. Legal counsel with specific MiCA expertise should conduct a service classification analysis before application preparation begins.
• Ignoring DORA Requirements: MiCA CASPs are in-scope entities under DORA. Failing to address ICT risk management frameworks, incident reporting obligations, and third-party provider oversight in the application leads to post-authorization compliance gaps and regulatory action.
• Misuse of the Reverse Solicitation Exemption: Relying on reverse solicitation to serve EU clients without a MiCA CASP license is a high-risk strategy explicitly cautioned against by ESMA. NCAs have signaled enforcement intent against entities that systematically exploit this narrow exception.
• Failing to Plan for Transitional Arrangements: Entities that previously held national crypto licenses in an EU member state may benefit from a transitional period (generally 18 months from December 30, 2024) to obtain their MiCA CASP license. However, this transition is not automatic and requires notification to the relevant NCA.

Frequently Asked Questions

Which EU regulator issues the MiCA CASP license?

The MiCA CASP license is issued by the National Competent Authority (NCA) of the EU member state in which the applicant is domiciled and has its registered office. There is no single EU-level licensing authority. ESMA plays a supervisory convergence and coordination role and maintains the public CASP register, but authorization decisions are made at the national level by bodies such as AMF (France), BaFin (Germany), the Central Bank of Ireland, DNB (Netherlands), and equivalent authorities in other member states.

Does a MiCA CASP license allow me to operate across all EU member states?

Yes. Once authorized in one EU member state, a CASP can passport its services to all other 27 EU member states through a straightforward notification procedure to both its home NCA and the host member state's NCA. This passporting right is one of MiCA's most significant advantages over the pre-MiCA fragmented national regime, where separate licenses were often required in each jurisdiction.

How long does the MiCA CASP license application process take?

The statutory assessment period is 40 business days from the NCA confirming a complete application, with a possible 20 business day extension for complex cases. However, the pre-application preparation phase, which includes governance setup, policy documentation, capital adequacy preparation, and management body vetting, typically adds several months to the overall timeline. Realistically, founders should budget six to twelve months from project initiation to receiving authorization, depending on the NCA and the completeness of the initial submission.

Are decentralized finance (DeFi) protocols required to obtain a MiCA CASP license?

MiCA explicitly excludes fully decentralized crypto asset services where no identifiable intermediary exists from its CASP authorization requirements under Recital 22. However, the boundary between truly decentralized and partially centralized protocols is legally complex and contested. ESMA has indicated it will issue further guidance on this question. Any project with identifiable legal entities, governance token voting mechanisms that confer control, or front-end interfaces operated by a legal person should obtain specialist legal advice before concluding it falls outside MiCA's scope.

What happens to firms that operate without a MiCA CASP license after December 30, 2024?

Operating as a crypto asset service provider in the EU without a MiCA CASP license after the application deadline constitutes a serious breach of EU financial regulation. NCAs have authority under MiCA to issue cease-and-desist orders, impose substantial administrative fines, publicly name non-compliant entities, and refer cases for criminal prosecution where applicable under national law. ESMA has emphasized regulatory enforcement as a priority, and firms relying solely on national transitional arrangements beyond the permitted period face significant legal and reputational risk.