How to Get a CASP Licence in Europe: Requirements, Process and Jurisdiction Guide (2026)

Any business providing crypto-asset services in the European Union now needs a CASP (Crypto-Asset Service Provider) licence. This requirement comes from MiCA - the Markets in Crypto-Assets Regulation - which replaced the patchwork of national VASP registrations with a single EU-wide authorisation framework.

This guide covers what a CASP licence is, who needs one, the requirements, the application process, how to choose a jurisdiction, and the most frequently asked questions about getting licensed.

What Is a CASP Licence?

A CASP licence is the regulatory authorisation required under MiCA (Regulation (EU) 2023/1114) for any legal entity providing crypto-asset services professionally within the EU. It is issued by the national competent authority (NCA) of the EU member state where the business applies.

The key feature of the CASP licence is passporting. Once authorised in one member state, the licence holder can provide services across all 27 EU countries and the wider European Economic Area without needing separate authorisations in each country.

MiCA's provisions for CASPs took effect on 30 December 2024. Existing VASPs were granted a transition period — up to 1 July 2026, depending on the member state - to obtain full CASP authorisation. After that date, any business operating without a CASP licence is doing so illegally.

Who Needs a CASP Licence?

Under MiCA, a CASP licence is required for any business providing one or more of the following services to clients on a professional basis:

• Custody and administration of crypto-assets on behalf of clients

• Operation of a trading platform for crypto-assets

• Exchange of crypto-assets for fiat currency

• Exchange of crypto-assets for other crypto-assets

• Execution of orders for crypto-assets on behalf of clients

• Placing of crypto-assets

• Reception and transmission of orders on behalf of clients

• Providing advice on crypto-assets

• Providing portfolio management on crypto-assets

• Providing transfer services for crypto-assets on behalf of clients

Certain already-regulated financial institutions - including credit institutions, investment firms authorised under MiFID, and electronic money institutions - do not need a separate CASP licence. However, they must notify their national regulator before providing crypto-asset services and update their programme of activities accordingly.

Businesses based outside the EU that actively target EU clients are also within scope. MiCA's reverse solicitation provisions are narrow and not a viable basis for ongoing EU market access. Any firm with a serious intention to serve European clients needs to be authorised as a CASP.

Capital Requirements

MiCA sets minimum capital thresholds based on the services provided, divided into three classes:

Class 1 — €50,000: Reception and transmission of orders, providing advice, execution of orders on behalf of clients, and placing of crypto-assets.

Class 2 — €125,000: All Class 1 services plus exchange of crypto-assets for fiat currency, exchange of crypto-assets for other crypto-assets, and operation of a trading platform.

Class 3 — €150,000: All Class 2 services plus custody and administration of crypto-assets on behalf of clients.

Where a business provides services that fall across multiple classes, the highest applicable threshold applies. For example, a firm operating a trading platform (Class 2) that also provides custody (Class 3) must hold €150,000 in capital.

CASPs must also hold an EU credit institution bank account for their operational capital.

Substance and Governance Requirements

MiCA requires genuine operational substance in the EU. This is not a letterbox exercise. The key requirements are:

Legal entity: The CASP must be incorporated as a legal entity in an EU member state.

Physical office: A real office where business activities are conducted. Virtual addresses are not accepted.

EU-resident director: At least one member of the management body must be resident in the EU. Regulators assess whether genuine decision-making takes place within the EU.

Fit and proper assessment: All members of the management body and shareholders with qualifying holdings (typically 20%+) must pass fit and proper checks. This includes criminal record checks, assessment of professional competence, and evaluation of time commitment.

Compliance function: The business must appoint a compliance officer, an AML reporting officer (MLRO), and, depending on the jurisdiction, a chief risk officer. These roles must have genuine authority and appropriate experience.

Governance framework: Documented governance policies covering internal controls, risk management, conflicts of interest, business continuity, outsourcing arrangements, and IT security.

AML and Regulatory Compliance

CASPs are subject to the EU's Anti-Money Laundering Directives and the Transfer of Funds Regulation (TFR). This means full implementation of:

• Customer due diligence and KYC procedures

• Ongoing transaction monitoring

• Suspicious activity reporting

• Sanctions screening

• Enhanced due diligence for higher-risk clients and jurisdictions

• Record keeping (minimum five years)

CASPs must also comply with DORA (the Digital Operational Resilience Act), which sets requirements for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. DORA compliance is assessed as part of the CASP application and is an ongoing obligation.

The Application Process

While each NCA has its own procedural specifics, the CASP application process follows a consistent structure under MiCA:

Step 1 — Jurisdiction selection. 

Choose the EU member state where you will apply. This decision affects regulator processing times, substance requirements, banking access, and operational costs. It is one of the most consequential decisions in the process.

Step 2 — Corporate setup.

Incorporate a legal entity in the chosen jurisdiction. Appoint directors and key personnel. Establish a physical office. Open an EU credit institution bank account and deposit the required capital.

Step 3 — Documentation preparation. 

Prepare the full application package. Under MiCA, this typically includes: a detailed programme of operations and business plan; description of governance arrangements and internal control mechanisms; AML/CTF policies and procedures; IT security and DORA compliance documentation; proof of capital; fit and proper documentation for management and qualifying shareholders; a description of the complaint handling procedure; and a business continuity plan.

Step 4 — Submission and review. 

Submit the application to the NCA. The regulator has 25 working days to confirm whether the application is complete. If it is not, you will be asked to provide missing information within a set deadline. Once the application is deemed complete, the NCA has 40 working days to assess it and issue a decision. During the first 20 working days of the assessment, the regulator may request additional information, which pauses the clock for up to 20 working days.

Step 5 — Decision. 

The NCA grants or refuses the licence within five working days of its decision. Approved CASPs are entered into ESMA's public register.

Realistic timeline: 

The formal statutory process suggests approximately four to five months. In practice, most CASP authorisations take six to twelve months from initial submission to approval. Regulators routinely request additional information across multiple rounds, and the quality of the initial application directly affects how many rounds of questions arise.

Choosing a Jurisdiction

Although MiCA applies uniformly, the choice of member state still matters. Regulator capacity, processing speed, substance expectations, banking access, and local operational costs vary significantly. Below is a summary of the most active jurisdictions for CASP licensing:

Germany — Regulator: BaFin. Germany has seen the highest volume of CASP approvals to date, driven by major banks and established financial institutions. BaFin is thorough and expects high-quality submissions. Strong banking infrastructure. Best suited for firms wanting institutional credibility and deep capital markets links. Processing can be lengthy.

Netherlands — Regulator: AFM / DNB. Among the first to issue CASP licences on 30 December 2024 (first-day approvals included MoonPay, Bitvavo, and others). Strong for on/off-ramp and brokerage models. Experienced regulator with clear expectations. Competitive banking environment.

Lithuania — Regulator: Bank of Lithuania. Historically popular for VASP registrations. Processes applications in approximately 90–120 days. Requires local CEO, CCO, and MLRO. Cost-effective for substance. Good for exchanges and wallet providers. Grandfathering period ended 1 January 2026.

Malta — Regulator: MFSA. Established track record in digital asset regulation. Attracted large exchanges including OKX, Crypto.com, and Gemini. MFSA is familiar with complex crypto business models. Suitable for trading platforms and exchange-focused businesses.

France — Regulator: AMF. Longer review periods, typically five to six months. Strict AML registration requirements. Large domestic market. Suitable for firms with existing French operations or targeting French-speaking markets.

Poland — Regulator: KNF. Local MiCA implementation legislation was delayed but is now in effect. Growing regulatory infrastructure. Cost-effective substance and incorporation. KNF is building capacity for CASP applications.

Spain — Regulator: CNMV. Active domestic crypto market with growing user base. Application review takes up to three months once submitted. Transition period ended 31 December 2025.

Czech Republic — Regulator: CNB. Clear transitional rules. Relatively straightforward registration procedures. Required CASP application by July 2025 to maintain grandfathering until July 2026. Favourable corporate tax rate (19%).

Estonia — Regulator: Estonian Financial Intelligence Unit. Advanced digital infrastructure. Share capital requirement of at least €100,000. Board members must be Estonian residents. Enhanced verification of IT systems during licensing. Grandfathering period until 30 June 2026. Processing can take up to 12 months.

Luxembourg — Regulator: CSSF. Attracted global brands including Coinbase, Bitstamp, and Clearstream. Strong for firms seeking fast EU-wide reach with a capital markets-friendly home regulator.

Ireland — Regulator: Central Bank of Ireland. Emerging jurisdiction for CASP applications. Strong reputation as a domicile for regulated financial services. English-speaking, which simplifies documentation and regulator engagement for international firms.

The right jurisdiction depends on your business model, target markets, operational budget, language capabilities, and banking requirements. Firms operating trading platforms may favour Malta or the Netherlands. Firms prioritising low substance costs may look at Lithuania or Poland. Firms wanting institutional positioning may prefer Germany or Luxembourg.

VASP to CASP Transition

If you already hold a national VASP licence in an EU member state, you must apply for full CASP authorisation under MiCA. The grandfathering provisions allow you to continue operating under your existing licence during the transition period, but only if you submit your CASP application before the relevant deadline in your jurisdiction.

Transition deadlines vary by country. Several have already passed (Lithuania: 1 January 2026; Spain: 31 December 2025). The final deadline across the EU is 1 July 2026. After your jurisdiction's deadline, operating without a CASP licence is prohibited.

Key steps for transitioning VASPs: review your existing compliance framework against MiCA requirements; identify gaps in capital, governance, substance, IT security, and AML controls; prepare the CASP application package addressing all MiCA requirements; submit well before the deadline, as regulator capacity is under pressure from the volume of applications.

Passporting

Once authorised, a CASP can passport its services to other EU member states by notifying its home regulator. The home NCA then informs the host country authorities and ESMA within 10 working days. After notification, the CASP is free to operate in the host country.

Passporting covers only the services included in the original authorisation. If you later add new services, you must update your authorisation before passporting them.

Passporting information is recorded in ESMA's public register. This register is also used by banks and counterparties to verify that a CASP is properly authorised — making it an important credibility tool for commercial relationships.

Frequently Asked Questions

How long does it take to get a CASP licence?

In practice, most authorisations take six to twelve months. The timeline depends on the jurisdiction, the quality of your application, and how quickly you respond to regulator information requests. Poorly prepared applications generate more rounds of questions and significantly extend the process.

How much does a CASP licence cost?

Costs depend on the jurisdiction and the scope of services. Capital requirements range from €50,000 to €150,000 depending on CASP class. Application fees vary by regulator - some charge no fee, others charge several thousand euros. The largest cost is typically professional advisory fees for preparing the application, compliance framework, and governance documentation, plus ongoing substance costs (office, personnel, compliance officer).

Can I operate across the whole EU with one CASP licence?

Yes. Once authorised in one member state, you can passport your services across all 27 EU countries and the wider EEA. Passporting requires a notification to your home regulator but does not require separate applications in each country.

Do I need a physical office in the EU?

Yes. MiCA requires real operational substance. You need a legal entity incorporated in an EU member state, a physical office where business activities take place, and at least one EU-resident director. Virtual addresses and letterbox arrangements do not meet the requirement.

What happens if I already have a VASP licence?

You must apply for a full CASP licence under MiCA before your jurisdiction's transition deadline. The final EU-wide deadline is 1 July 2026, though many member states set earlier cut-offs. If you do not obtain CASP authorisation by the deadline, you must cease providing crypto-asset services in the EU.

Which jurisdiction should I choose?

The right choice depends on your business model, the services you provide, your target markets, substance budget, and banking requirements. There is no single best jurisdiction - it varies by firm. Key factors include regulator processing speed, local substance requirements, banking access, operational costs, and tax environment.

Do I need a bank account to apply?

CASPs must hold an account at an EU credit institution. Some regulators require this to be in place before the application is submitted. Banking can be challenging for crypto businesses, and the quality of your compliance framework directly affects whether banks will onboard you.

What is DORA and do I need to comply?

DORA (Digital Operational Resilience Act) applies to all CASPs. It sets requirements for ICT risk management, incident reporting, operational resilience testing, and oversight of third-party technology providers. DORA compliance is assessed as part of the CASP application and is an ongoing regulatory obligation.

Can a non-EU company apply for a CASP licence?

A non-EU company cannot apply directly. However, it can incorporate a subsidiary or new legal entity in an EU member state and apply through that entity. The EU entity must have genuine substance - real operations, local management, and a physical office.

What are the ongoing obligations after authorisation?

Authorised CASPs must maintain continuous compliance with MiCA, AML directives, and DORA. This includes ongoing transaction monitoring and reporting, periodic risk assessments, annual financial statement audits, maintaining adequate capital, keeping governance policies current, and submitting regulatory reports as required by the NCA. CASP authorisation can be withdrawn if the business fails to commence services within 12 months or ceases to provide services for nine consecutive months.

How Buckingham Capital Consulting Can Help

Buckingham Capital Consulting has advised crypto-asset businesses on regulatory licensing since 2013, well before MiCA was conceived. Over the past 14 years, we have registered and authorised hundreds of firms across the UK, Europe and internationally, spanning crypto exchanges, custodians, wallet providers, payment institutions and electronic money institutions. Our team has direct experience with the FCA, Bank of Lithuania, MFSA, AFM and other European regulators, giving us a practical understanding of how each NCA approaches CASP applications, what they challenge, and what they expect.

We manage the full CASP authorisation process as a single engagement. This includes jurisdiction selection based on your business model and target markets, EU company incorporation and substance arrangements, preparation of the complete CASP application file including governance framework, AML compliance programme, DORA documentation and risk management policies, appointment of compliance officers and key personnel, management of all regulator correspondence and clarification requests, EU banking introductions and account opening support, and passporting notifications once authorised.

For existing VASPs transitioning to CASP, we conduct a gap analysis against MiCA requirements and build a structured project plan to get you authorised before the deadline, without disrupting your existing operations.

After authorisation, we provide ongoing compliance support including policy updates, governance reviews, regulatory reporting and preparation for NCA inspections.

If you are planning to apply for a CASP licence or need to transition from an existing VASP registration, contact our team for an initial assessment.

Email: info@buckinghamcapitalconsulting.co.uk Tel: 0207 866 2512