MiCA Licence (CASP): How to Get a Crypto Licence in Europe in 2026
- Apr 22
- 15 min read
MiCA Licence (CASP): How to Get a Crypto Licence in Europe in 2026
Quick summary. A MiCA licence (officially CASP authorisation, under Regulation (EU) 2023/1114) is the single EU crypto licence that lets a firm provide crypto-asset services across all 27 EU Member States. Initial capital is €50,000, €125,000 or €150,000 depending on services (these are statutory minimums set by MiCA Article 67). A complete application takes 6 to 12 months from submission, plus 2 to 3 months of preparation. Existing VASPs in most Member States must obtain CASP authorisation by 1 July 2026 or stop trading.
Quick answers
What is a MiCA licence?
A MiCA licence is the EU's single crypto-asset authorisation. It replaces 27 different national rules with one regime that works across the entire European Economic Area. Once authorised in any one Member State, a Crypto-Asset Service Provider (CASP) can serve customers in every other EU country without seeking further authorisation, the same way a Payment Institution or Electronic Money Institution can passport across the EU.
The legal basis is the Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114, published in the Official Journal on 9 June 2023. Stablecoin rules (Titles III and IV, covering Asset-Referenced Tokens and E-Money Tokens) entered into force on 30 June 2024. The full CASP authorisation regime entered into force on 30 December 2024 with an 18-month transitional window for existing VASPs that closes on 1 July 2026.
The regulation is supplemented by Level 2 and Level 3 measures from the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA), including detailed Regulatory Technical Standards on capital, governance, custody, market abuse, white papers and reserve assets. ESMA maintains the central register of authorised CASPs and approved white papers.
Who needs a MiCA licence?
You need a MiCA licence if you provide any of ten regulated crypto-asset services in or to the EU. The ten services, set out in MiCA Article 3, are:
Custody and administration of crypto-assets on behalf of clients
Operation of a trading platform for crypto-assets
Exchange of crypto-assets for funds (fiat)
Exchange of crypto-assets for other crypto-assets
Execution of orders for crypto-assets on behalf of clients
Placing of crypto-assets
Reception and transmission of orders for crypto-assets
Providing advice on crypto-assets
Providing portfolio management on crypto-assets
Providing transfer services for crypto-assets on behalf of clients
This captures essentially every commercial crypto business model: centralised exchanges, custodians, brokers, OTC desks, market makers operating client-facing services, advisory firms, portfolio managers, NFT marketplaces with secondary trading features, and crypto payment processors. Wallet providers fall in scope where they custody private keys on the client's behalf; pure self-custody software is generally outside MiCA.
Non-EU firms targeting EU customers are also caught. The reverse solicitation exception (Article 61) is interpreted narrowly: an EU client must approach the third-country firm entirely on their own initiative without any marketing, promotion or solicitation by the firm. ESMA has been explicit that reverse solicitation cannot be the basis for an ongoing commercial business model. In practice, any third-country crypto firm that wants meaningful EU revenue needs CASP authorisation through an EU subsidiary.
What's outside MiCA: financial instruments under MiFID II (security tokens, tokenised shares, derivatives — these stay under existing financial services law), fully decentralised protocols with no identifiable issuer or service provider, unique non-fungible tokens, and central bank digital currencies. The perimeter around DeFi and NFT collections is genuinely uncertain in many cases and ESMA has signalled further guidance is coming.
What is the capital requirement?
Initial capital is set by MiCA Article 67 in three tiers depending on the services provided. Class 1 services (advice, reception and transmission of orders, execution, placing, transfer services) require €50,000 of initial capital. Class 2 services (Class 1 plus custody, exchange of crypto for fiat or for other crypto) require €125,000. Class 3 services (Class 2 plus operation of a trading platform) require €150,000. Capital must be paid up in cash and held with an EU credit institution at the point of authorisation. Ongoing own funds must equal the higher of the initial capital and a percentage of fixed overheads.
Application fees are set by each home Member State's competent authority (NCA) and published in each NCA's fee schedule. Among the more transparent fee regimes: Malta's MFSA charges CASP application fees broadly in the range of €8,000 to €30,000 with annual supervisory fees of €6,000 to €30,000+ depending on licence class, transaction volume and risk profile (under the Financial Markets (Fees) Regulations, 2024 in effect from 1 January 2025). Latvia's Latvijas Banka charges a €2,500 application fee plus an annual supervisory fee of 0.6% of gross profits with a €3,000 minimum. The Bank of Lithuania, the Czech National Bank, BaFin, ACPR/AMF, the Central Bank of Ireland and other NCAs each publish their own fee schedules, with structures varying between flat application fees, supervisory fees scaled to firm size, and combined approaches. Applicants should confirm the current fee schedule with the home Member State NCA before submission.
The capital requirement and application fees are the smaller part of the financial picture for a CASP applicant. The larger components are senior management hiring (a small senior team must be in place at authorisation), technology investment for custody, AML and transaction monitoring, market surveillance for trading platforms, and DORA-compliant ICT, plus legal and consulting fees for the application file. These run-rate costs scale with the services applied for and the jurisdiction selected.
How long does it take?
A complete MiCA CASP application takes 6 to 12 months from submission to authorisation in 2026, plus 3 to 5 months of preparation before submission. Total realistic timeline from project start to operating under a CASP licence is 9 to 18 months.
MiCA Article 63 sets a statutory three-month decision period for a complete application. In practice, every regulator uses "stop the clock" provisions during information request rounds, and most applications go through three to five rounds. Real timelines by Member State, based on early CASP authorisations through 2025 and into 2026:
Lithuania: 5 to 8 months (Bank of Lithuania)
Malta: 5 to 9 months (MFSA)
Czech Republic: 4 to 7 months (Czech National Bank)
Netherlands: 6 to 10 months (DNB and AFM)
France: 8 to 12 months (AMF and ACPR)
Ireland: 8 to 14 months (Central Bank of Ireland)
Germany: 10 to 15 months (BaFin)
Luxembourg: 8 to 12 months (CSSF)
The single biggest variable is application quality at submission. A polished, complete file dramatically reduces information request rounds and shortens the timeline. A weak file can extend assessment by 6 months or more.
Which country is best?
There is no single right answer — it depends on your business model, target market, talent location, banking strategy and substance position. The four most common 2026 choices and what they suit:
Lithuania is the most efficient mainstream EU jurisdiction. The Bank of Lithuania conducts the process in English, has the largest fintech licensing track record in continental Europe, and offers a structured application process with clear timelines. Best for: efficient capital deployment, English-language process, fintech business models, firms wanting fast credible authorisation.
Malta has the longest crypto supervisory track record in the EU (regulating crypto since 2018 under the Virtual Financial Assets Act) and is the home jurisdiction for several major crypto-asset trading platforms. Best for: trading platforms, exchanges, established corporate structures.
Germany offers the highest regulatory credibility in the EU. BaFin authorisation is treated as a quality stamp by banks, institutional counterparties and investors. Process is slow and demanding, in German for substantive submissions. Best for: institutional models, regulated banks issuing crypto products, firms targeting DACH markets.
Netherlands combines a sophisticated regulator (DNB and AFM) with a strong fintech ecosystem in Amsterdam and excellent banking infrastructure. Early CASP authorisations have gone predominantly to crypto-native trading platforms and on-ramp providers. Best for: crypto-native platforms with mainland European focus.
What does the application require?
Every MiCA CASP application is built around a Programme of Operations and a set of supporting policies, plus individual approval of senior managers. The structure is harmonised across the EU under the EBA's Guidelines on authorisation under MiCA Title V.
The Programme of Operations is the central document and the most important deliverable. It describes the business model, target customers, services offered, three-year financial projections, organisational structure, governance, risk framework, AML and financial crime programme, IT and information security, custody arrangements (where relevant), market abuse surveillance (for trading platforms), outsourcing arrangements, complaints handling, conflicts of interest management, and operational resilience. The Programme of Operations for a CASP typically runs to 100 to 250 pages plus annexes.
Supporting policies include: AML and financial crime policy aligned to the EU's AMLR/AMLD package, sanctions policy, custody policy (for custody services), market surveillance policy (for trading platforms), white paper procedure (for tokens issued by the firm), risk management framework, business continuity plan, ICT risk management framework (DORA-aligned), outsourcing policy, complaints policy, conflicts policy, fitness and propriety policy, training policy, record keeping policy.
Senior manager approvals are required for every proposed senior manager. Each must submit a CV, fitness and propriety questionnaire, and (in most jurisdictions) attend an interview with the regulator. Member State expectations on senior management vary: Germany and Ireland are among the most rigorous, Malta and Czech Republic slightly lighter, Lithuania in the middle. Local-resident senior managers are mandatory in every Member State — at minimum the CEO, MLRO and (often) CCO must be EU-resident.
Capital evidence is required at the final stage. Most regulators issue a "minded to approve" letter setting out conditions precedent: capital paid up, key hires in place, IT systems tested, custody arrangements live (where relevant). Authorisation is granted once conditions are satisfied.
Information requests run through the assessment period. Three to five rounds is normal. Each round typically takes two to four weeks to respond to substantively. Cumulative response time in a heavily challenged file can extend the assessment by months.
What about stablecoins?
Stablecoins are regulated separately under MiCA Titles III and IV, not under the CASP regime in Title V, and require a different authorisation. There are two categories.
E-Money Tokens (EMTs) reference a single official currency and function as electronic money. They include USD-pegged stablecoins, euro-pegged stablecoins and similar single-currency stablecoins. Only credit institutions or authorised Electronic Money Institutions can issue EMTs in the EU. EMTs must be issued at par value, fully backed by reserves in the same currency, redeemable at any time at par, and cannot pay interest.
Asset-Referenced Tokens (ARTs) reference any combination of currencies, commodities, crypto-assets or baskets — anything other than a single fiat currency. Examples include multi-currency basket tokens and gold-backed tokens. ART issuers can be credit institutions or specifically authorised ART issuers under MiCA. Reserves must be diversified, high-quality and independently custodied, with periodic reserve audits.
Significance triggers under MiCA Articles 43 and 56 catch stablecoins above certain thresholds (10 million holders, €5 billion market cap, 2.5 million daily transactions, €500 million daily volume). Significant EMTs and ARTs fall under direct EBA supervision rather than home-state supervision, with higher capital requirements and additional restrictions including a hard cap of 1 million transactions or €200 million per day on non-EU-currency EMTs used as a means of payment.
A CASP that custodies, exchanges or transfers stablecoins issued by another firm does not need an EMT/ART authorisation itself — it just needs the relevant CASP services. But a firm that wants to issue its own stablecoin needs the issuer authorisation in addition to (or instead of) any CASP authorisation.
What is DORA and how does it apply?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied to CASPs since 17 January 2025. DORA is the EU's framework for ICT risk management and operational resilience across the financial sector and is fully in scope of every CASP application from 2026 onwards.
DORA covers five pillars: ICT risk management (a board-owned framework, written policy, risk assessment and continuous monitoring), ICT-related incident reporting (classification of incidents, root cause analysis, regulator reporting for major incidents), digital operational resilience testing (vulnerability assessments, penetration testing, threat-led penetration testing for significant firms), third-party ICT risk management (contractual standards, register of providers, exit strategies for critical providers), and information sharing.
For CASPs, DORA is structurally challenging because the typical crypto firm relies heavily on cloud providers (AWS, Google Cloud, Azure), specialist custody software, blockchain analytics providers, and other third-party SaaS. The third-party ICT risk management requirements (contractual standards, exit strategies, due diligence) are the area where applications most often face challenge. Building DORA-compliant arrangements before submission is materially cheaper than retrofitting after.
What is the 1 July 2026 deadline?
1 July 2026 is the end of the EU-wide transitional period for existing crypto firms. Article 143(3) of MiCA permits Member States to grandfather entities that were already providing crypto-asset services under national law before 30 December 2024 for up to 18 months — which lapses on 1 July 2026.
After 1 July 2026, any firm providing crypto-asset services in the EU without a CASP authorisation is in breach of EU law and must cease operations. ESMA has confirmed there is no further grace period.
Several Member States adopted shorter transitional periods. The Netherlands ended grandfathering in mid-2025. Germany, Austria and Ireland concluded by end of 2025. Lithuania ended grandfathering on 1 January 2026. Malta, Luxembourg, France and Estonia adopted the full 18-month period to 1 July 2026. Czech Republic required application by 30 July 2025 for grandfathering until 30 June 2026.
As of early 2026, approximately 130-140 CASP licences have been issued across the EU, against an estimated 1,200+ VASPs operating before MiCA. The arithmetic is uncomfortable: a substantial portion of the existing market will not be authorised by 1 July 2026 and will need to either close, sell or relocate.
For new market entrants the deadline is irrelevant — there is no transitional period available to firms not already operating. New entrants apply directly under MiCA from inception.
What about UK firms?
The UK left the EU Single Market on 31 December 2020 and no UK licence permits passporting into the EEA. UK firms targeting EU customers must obtain a separate CASP authorisation in an EU Member State.
The reverse direction — an EU CASP serving UK customers — is also complex. The UK is finalising its own cryptoasset regime under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, with the FCA application gateway opening on 30 September 2026 and full commencement on 25 October 2027. Until then, EU CASPs serving UK customers must comply with the UK's Money Laundering Regulations and the financial promotions regime. After commencement, full FCA authorisation will be required.
Most serious crypto firms targeting both markets are now planning parallel UK and EU authorisations. The application files have substantial overlap (governance, AML, ICT, senior management) but the legal entities, regulators and capital pools are separate. Sequenced or parallel submission depends on capital availability and management bandwidth.
Why are applications refused?
The MiCA application process has been more rigorous than many firms expected. Of the first 22 CASP applications submitted to the Bank of Lithuania by mid-2025, most were found ineligible at first review. The pattern is consistent across NCAs.
The most common reasons for refusal or forced withdrawal are:
Generic Programmes of Operations that read like templates rather than describing the specific business model
Senior management without demonstrable crypto, financial services or banking experience
AML and financial crime frameworks that are off-the-shelf and not calibrated to the specific risks of the business model
Insufficient demonstration of the source of funds for the firm's capital and the source of wealth of beneficial owners
Weak custody arrangements (for custody services), particularly around private key management, segregation and insurance
Inadequate market surveillance arrangements (for trading platforms)
DORA-non-compliant ICT and third-party risk arrangements
"Letterbox" arrangements where senior management and operational substance are not genuinely in the home Member State
Where the regulator forms a view that the application is unlikely to succeed, it generally suggests withdrawal rather than proceed to refusal. Withdrawal is preferable to a published refusal but neither is desirable: rebuilding an application after withdrawal typically takes 6 to 12 months and the firm's track record in the home Member State is now part of its file.
What happens after authorisation?
Authorisation is the start, not the end. From day one, an authorised CASP must maintain its capital and own funds, comply with conduct rules, supervise market abuse (for trading platforms), perform AML and transaction monitoring including the Travel Rule, comply with DORA, file regular regulatory returns to the home NCA, notify the regulator of material changes, and engage with supervisory requests.
Cross-border activity into other Member States requires passporting notifications under MiCA Articles 65 and 66. Passporting is a notification not a second authorisation — the home NCA reviews the notification and forwards to the host NCA, which has a defined response window. Most CASPs submit passporting notifications in the first 60 days after authorisation to maximise their addressable market.
Ongoing supervisory engagement varies by Member State. Lithuania, Malta and Czech Republic apply lighter ongoing supervision. Germany, France, Netherlands and Ireland apply heavier supervision with periodic management interviews, deep-dive reviews and (in some cases) on-site visits. ESMA's supervisory convergence work means these differences are narrowing over time but they remain material in 2026.
CARF (the Crypto-Asset Reporting Framework) under DAC8 requires CASPs to collect detailed user transaction data for mandatory tax reporting from 1 January 2026, with the first automatic cross-border data exchanges in 2027. CARF compliance is a separate ICT and operations build that should be planned alongside the CASP authorisation.
How Buckingham Capital Consulting can help
Buckingham Capital Consulting has advised payment institutions, electronic money institutions and crypto firms on regulatory licensing across the United Kingdom and Europe since 2013. Our team has direct, repeated experience with the Bank of Lithuania, the Malta Financial Services Authority, BaFin, De Nederlandsche Bank and the Dutch AFM, the Central Bank of Ireland, the Banque de France and ACPR, the Luxembourg CSSF, the Czech National Bank, and the FCA.
We work with crypto firms at the strategic stage to assess the right regulatory pathway: CASP under MiCA, EMI for stablecoin issuance, parallel UK and EU authorisations, or a sequenced approach. We then manage the full authorisation as a single engagement: business model and licence-scope assessment, jurisdiction selection, EU company incorporation and substance arrangements, preparation of the complete application file including the Programme of Operations and all supporting policies, governance and senior manager framework, AML and financial crime programme, DORA-compliant ICT risk management documentation, custody and market abuse policies (where relevant), capital adequacy calculations, three-year financial projections, fitness and propriety assessments, appointment of senior managers, management of all NCA correspondence, EU banking introductions, and post-authorisation passporting notifications.
For groups maintaining parallel UK and EU authorisations, we coordinate the two regimes to minimise duplication. For stablecoin issuers, we structure the EMI or ART issuer authorisation alongside or in place of the CASP. After authorisation, we provide ongoing compliance support including regulatory reporting, policy updates, governance reviews and preparation for supervisory engagement.
If you are planning a MiCA CASP application, choosing between Member States, structuring a parallel UK and EU presence, or considering stablecoin issuance, contact our team for an initial assessment.
Email: info@buckinghamcapitalconsulting.co.uk Tel: 0207 866 2512
Frequently asked questions
What is a MiCA licence? A MiCA licence is the EU's single crypto-asset authorisation under Regulation (EU) 2023/1114. Officially called CASP (Crypto-Asset Service Provider) authorisation, it lets a firm provide crypto-asset services across all 27 EU Member States from a single home authorisation. It replaces the previous patchwork of national VASP regimes. Authorisation in any Member State gives passporting rights to operate throughout the EEA.
What is the capital requirement for a MiCA licence? Initial capital is set by MiCA Article 67 in three statutory tiers: €50,000 for Class 1 services (advice, reception and transmission of orders, execution, placing, transfer services), €125,000 for Class 2 services (Class 1 plus custody, exchange of crypto for fiat or for other crypto), and €150,000 for Class 3 services (Class 2 plus operation of a trading platform). Capital must be paid up in cash and held with an EU credit institution at the point of authorisation. Ongoing own funds must equal the higher of the initial capital and a percentage of fixed overheads.
How long does it take to get a MiCA licence? A complete CASP application takes 6 to 12 months from submission to authorisation in 2026, plus 3 to 5 months of preparation. Lithuania and Malta are typically 5 to 9 months. Netherlands and France are 6 to 12 months. Germany is 10 to 15 months. Application quality at submission is the biggest variable: a weak file extends assessment by 6 months or more.
Who needs a MiCA licence? Any firm providing one or more of MiCA's ten regulated crypto-asset services in or to the EU: custody, trading platforms, exchange of crypto for fiat, exchange of crypto for crypto, execution of orders, placing, reception and transmission of orders, advice, portfolio management, and transfer services. Non-EU firms targeting EU customers also need authorisation through an EU subsidiary. The reverse solicitation exception is interpreted narrowly and cannot support a commercial business model.
What is the 1 July 2026 deadline? 1 July 2026 is the end of the EU-wide transitional period for existing crypto firms. After this date, firms providing crypto-asset services in the EU without CASP authorisation are in breach of EU law and must cease operations. Several Member States adopted shorter transitional periods (Netherlands mid-2025, Germany/Austria/Ireland end-2025, Lithuania 1 January 2026). New market entrants have no transitional period and must obtain authorisation before commencing services.
What is the difference between an EMT and an ART under MiCA? An EMT (E-Money Token) references a single official currency and is treated as electronic money. Only credit institutions or authorised EMIs can issue EMTs. Examples include USD-pegged and euro-pegged stablecoins. An ART (Asset-Referenced Token) references multiple currencies, commodities, crypto-assets or a basket. ART issuers can be credit institutions or specifically authorised ART issuers. The classifications are mutually exclusive — a stablecoin is either an EMT or an ART, never both.
Can a UK firm get a MiCA licence? A UK firm cannot directly hold a MiCA licence — MiCA authorisation requires an EU-incorporated legal entity with EU-resident management. UK firms targeting EU customers must establish an EU subsidiary and obtain CASP authorisation through that subsidiary. The most common choices are Lithuania, Malta, Ireland and Netherlands. Many serious crypto firms maintain parallel UK and EU authorisations.
Which is the best EU country for a MiCA licence? There is no single best answer — it depends on business model, target market, talent location and substance position. Lithuania is the most efficient mainstream jurisdiction. Malta has the longest crypto supervisory track record. Germany offers the highest regulatory credibility. Netherlands suits crypto-native platforms. Ireland suits English-speaking firms. France suits firms targeting French and Southern European markets.
What are the main reasons MiCA applications are refused? Generic Programmes of Operations that read as templates, senior management without crypto or financial services experience, off-the-shelf AML frameworks, inadequate source of funds and source of wealth documentation, weak custody arrangements (for custody services), inadequate market surveillance (for trading platforms), DORA-non-compliant ICT arrangements, and "letterbox" substance. Where the regulator forms a view that the application will not succeed, it generally suggests withdrawal rather than refusal.
Is MiCA the same as the UK crypto regime? No. The UK is finalising its own regime under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, separate from MiCA. The FCA application gateway opens on 30 September 2026, with full commencement on 25 October 2027. UK and EU regimes are broadly aligned in objectives but differ in detail, particularly on stablecoins (the UK has separate qualifying stablecoin and Bank of England systemic stablecoin regimes). UK firms serving EU customers need EU authorisation; EU firms serving UK customers will need UK authorisation from October 2027.
