MiCA CASP license application process and timeline
From 2024, crypto service providers must obtain a CASP license to operate legally within the EU. Without this authorization, companies are prohibited from serving EU clients. Violating these rules can lead to access restrictions to financial infrastructure and penalties of up to 12.5% of annual turnover. Yet many businesses are still unsure where to begin — or how long the application process might take. This article provides a step-by-step guide to the CASP licensing procedure under MiCA. We also compare expected processing times across different EU countries to help you choose the most effective licensing strategy.
Why is it important to get CASP licensure?
Since 2024, the Regulation (EU) 2023/1114 (MiCA) has been in force across the European Union, introducing mandatory licensing for all companies offering crypto-asset services. Without a CASP license, any crypto-related activity within the EU is considered illegal, even if the provider is registered outside the EU. This rule applies to all core services, including custody, exchange, order execution, transfer, and the marketing of crypto services.
Article 111 of MiCA grants national regulators the authority to impose sanctions on unlicensed providers. These include the power to suspend or prohibit operations, issue administrative fines (up to €5 million or 12.5% of annual turnover), and publicly list violators in official registers.
Key steps in applying for a CASP license
MiCA regulation sets unified requirements for crypto licensing across the EU. While exact procedures may vary slightly from country to country, the overall application process includes the following core steps.
Step 1. Assess applicability and prepare your strategy
The first step is to determine whether your business activities fall within the scope of MiCA. According to Recital 22, the regulation applies to any entity offering crypto-related services professionally within the EU. Companies should check the following:
- What types of services are offered (e.g., custody, exchange, order execution);
- Whether there is active marketing targeting EU clients;
- Whether the services match those listed in Article 3(1) of MiCA.
Even companies based outside the EU are required to obtain a CASP license if they target EU residents with their services.
According to TRM Labs, before MiCA took effect, over 1,200 registered VASPs were operating in the EU, most of which now need to reapply under the new CASP framework.
Step 2. Register a legal entity in the EU
MiCA requires applicants to be officially registered in an EU Member State and to have a physical presence. A virtual or nominal address is not sufficient. The company must:
- Establish a business entity or subsidiary in the chosen jurisdiction;
- Appoint key personnel (e.g., directors, compliance officer, AML officer) who meet the standards of integrity and professional competence;
- Prepare corporate documents and company statutes.
Step 3. Set up operational infrastructure
Before applying, the company must establish internal systems and procedures, including:
- AML/KYC compliance processes;
- Cybersecurity measures;
- Internal control and audit frameworks;
- Technical platforms (if applicable) with logging, reporting, and data backup functions.
All systems must be properly documented and ready for inspection.
Step 4. Prepare the full application package
This is one of the most complex and resource-intensive stages. Companies need to compile a detailed set of documents, including:
- A business plan, financial model, and description of crypto services offered;
- AML/CFT policies, KYC procedures, and conflict-of-interest frameworks;
- Evidence of compliance with data protection, client safeguarding, IT security, and risk management standards;
- Ownership structure, bios of key persons, and proof of experience.
Step 5. Apply to the national regulator
Once the documents are ready, the application is submitted to the competent national authority—typically the financial supervisory authority or central bank. At this stage, companies should be prepared for direct communication with the regulator, timely responses to queries, and potential revisions.
After submission, the authorization process begins. The standard review timeline is up to three months, but it may be extended if corrections are required. Regulators are allowed to request clarifications, additional documents, or amendments. Several rounds of feedback may occur before a final decision is issued.
Application processing times in popular EU jurisdictions
Although the MiCA Regulation establishes unified licensing rules for all EU Member States, the actual timeline for reviewing a CASP license application depends on the specific jurisdiction. Each national authority sets its own transitional arrangements and processes applications at its own pace. On average, obtaining a CASP license takes between 3 to 6 months, though some countries may offer faster procedures.
Lithuania
Lithuania remains one of the most popular countries for CASP registration. According to the Bank of Lithuania, the average application processing time is 90–120 days. The regulator actively engages with applicants but imposes strict requirements for substantiating the business model and internal procedures.
France
The French regulator AMF typically takes longer to review applications — around 5 to 6 months, especially when companies submit full PSAN registration files aligned with CASP standards. France is considered one of the most rigorous jurisdictions, with a strong emphasis on IT infrastructure resilience and risk management policies. However, it was one of the first to implement a national licensing regime, which facilitates the transition to MiCA.
Cyprus
CySEC demonstrates a moderate review pace of 3–4 months and maintains active communication with applicants, providing detailed feedback when revisions are needed. Applicants must demonstrate local staffing, an internal control system, and a formalized approach to cybersecurity and data governance.
Germany
BaFin in Germany has only recently begun issuing CASP licenses. The estimated processing time is 6 months or more, particularly for companies without prior registration in Germany. However, the regulator has announced plans to streamline the process as application volumes increase.
Estonia
Following regulatory reforms by Finantsinspektsioon in 2022, Estonia tightened its requirements. The average review time for CASP applications is 5–7 months, with the possibility of expedited procedures for companies previously registered as VASPs.
Typical reasons for denial or return of a CASP license application
EU regulators thoroughly review each CASP license application, and even minor oversights may lead to rejection or requests for resubmission. The most common reasons include:
- Weak internal controls. Applications lacking clear AML/CFT procedures, KYC measures, and conflict-of-interest policies are considered incomplete. Many companies fail to provide detailed descriptions of their internal governance, oversight mechanisms, reporting lines, or data protection policies.
- Lack of physical presence in the EU. MiCA requires not only a legal entity within the EU, but also actual operational presence, including an office, local employees, and an executive director. Listing a virtual address or outsourcing critical functions often results in refusal.
- Unclear business model. If the submitted documents fail to explain the exact nature of the services, revenue generation mechanisms, and target audience, the application may be deemed non-compliant. This is especially critical for multi-service platforms that combine brokerage and custody functions.
- Unqualified personnel. Regulators closely assess the qualifications of key individuals responsible for compliance. If the compliance or AML officers lack relevant experience or education, this raises red flags. EU jurisdictions impose strict standards for professional competence and integrity.
- Past regulatory violations. If the applicant or affiliated parties have a history of non-compliance, such as operating without a license, breaching AML rules, or posing sanctions-related risks, this significantly reduces the likelihood of approval.
To avoid delays or rejections, companies should conduct a pre-application compliance audit and address all potential weaknesses in advance.
How Key2Law can help you through the CASP license application process
Obtaining a CASP license is not just a formal step; it’s a complex regulatory and organizational process that determines whether your company can operate in the EU crypto market. The Key2Law team offers full support at every stage: from assessing your business model to handling communications with the regulator and providing ongoing compliance assistance. Our services include:
- MiCA compliance audit: we assess whether your activities fall under the MiCA definition of a CASP and identify which services require authorization.
- Jurisdiction selection: we compare licensing timelines, regulatory environments, and tax factors across different EU countries to find the best option for your business.
- Preparation of all required documentation: including your business plan, AML/KYC policies, operational procedures, ownership structure, and executive resumes.
- Direct communication with regulators: we handle the application process, respond to inquiries, and assist during regulatory inspections.
- Post-licensing support: including compliance audits, adjustments to regulatory changes, and compliance defense in case of potential claims.
If you’re planning to enter the EU crypto market, it’s crucial to get your licensing process right from the start. Contact Key2Law to build a clear, compliant path forward — and avoid unnecessary delays, risks, or refusals.