What is the MiCA CASP license?
As of December 30, 2024, a new mandatory licensing regime for crypto companies has come into force in the EU — the CASP license under the MiCA Regulation. Any company providing custody, exchange, or crypto-asset management services will no longer be able to operate without this license. Regulators are tightening oversight, banks are increasing compliance demands, and failure to meet the new requirements may result in account blocks or forced market exit. Companies that do not prepare in advance risk losing access to EU-based clients. In this article, we’ll take a detailed look at what the CASP license is, who is required to obtain it, what the key requirements are, and how to get ready for the new regulatory framework.
What is a CASP license under MiCA?
The CASP (Crypto-Asset Service Provider) license is a mandatory authorization that companies must obtain to provide crypto-related services under the new MiCA Regulation (Markets in Crypto-Assets). This is the first EU-wide legal framework establishing uniform rules for working with digital assets and crypto service providers across the European Union.
Terminology and legal basis
According to Article 3 of the MiCA Regulation, a Crypto-Asset Service Provider (CASP) is a legal entity that professionally provides one or more crypto-asset services within the EU. While the regulation entered into force in June 2023, mandatory licensing for CASPs became fully effective on December 30, 2024, following the transitional period outlined in Article 143 of MiCA.
MiCA is part of the EU’s broader strategy to create a secure and sustainable digital financial sector, alongside the DORA and PSD3 frameworks. The CASP license is issued by the national competent authority (NCA) of an EU Member State and allows the provider to offer services throughout the Union under the passporting mechanism.
What services are covered by the CASP license?
The MiCA Regulation outlines the following crypto-asset services that require CASP authorization:
- Custody and administration of crypto-assets on behalf of clients;
- Exchange of crypto-assets against fiat currencies and vice versa;
- Exchange of one crypto-asset for another;
- Reception and transmission of orders, and execution of transactions on behalf of clients;
- Placement of crypto-assets (token offerings);
- Operation of a trading platform for crypto-assets;
- Placement of crypto-assets without a firm commitment basis;
- Provision of advice on crypto-assets;
- Portfolio management of crypto-assets;
- Reception and transmission of applications for admission to trading or redemption of crypto-assets.
Any company that provides at least one of these services must obtain a CASP license before the end of the transitional period.
Who is required to obtain a CASP license?
The CASP license is mandatory for all companies that:
- Provide crypto-asset services within the EU (including online);
- Intend to expand operations within the EU or serve clients in other Member States;
- Are based in third countries but target EU clients.
Exemptions may apply only in limited cases—for example, when a company provides services exclusively within a group or to a limited number of qualified counterparties. Even in such cases, regulators typically require prior notification and justification of the exemption status.
How is CASP different from the VASP registrations?
Before MiCA came into force, crypto companies in the EU were registered as VASPs (Virtual Asset Service Providers) under national regulatory regimes that varied significantly from one Member State to another. VASP registration was mostly a notification-based procedure: companies were listed in public registries with minimal regulatory requirements. However, with the implementation of MiCA, this model has been replaced. Full licensing is now required, including a thorough review of the applicant’s internal structure, documentation, and compliance with EU regulatory standards.
Stricter compliance requirements
The CASP license goes far beyond simple registration — it imposes a set of operational and organizational obligations, including:
- A detailed description of the business model;
- Internal AML/CTF policies and KYC procedures;
- Processes for client identification and verification;
- Designation of responsible compliance personnel (compliance function);
- Regular internal audits, reporting, and transaction monitoring.
Regulators are empowered to assess not just the formal presence of these mechanisms, but their actual implementation in day-to-day operations.
Expanded regulatory oversight
Unlike VASP registration, the CASP license subjects companies to ongoing supervision by a national competent authority (e.g., KNF in Poland, BaFin in Germany, or AMF in France). CASPs are required to:
- Submit annual activity reports;
- Notify authorities of any significant changes in structure or business operations;
- Be prepared for on-site inspections and document requests;
- Comply with minimum standards for staffing and IT infrastructure.
In cases of non-compliance, the license may be suspended or revoked, and the company may face substantial fines.
Mandatory functions and personnel
To obtain CASP status, a company must:
- Have a physical presence in the EU (legal address, office, and effective control);
- Appoint a qualified compliance officer and AML officer;
- Ensure the presence of an IT security officer (in some jurisdictions);
- Maintain financial reserves to cover operational risks and potential losses;
- Develop internal policies on cybersecurity, data protection, and incident management.
In effect, MiCA introduces full institutionalization of the crypto sector, bringing CASPs to a regulatory level comparable to payment institutions and investment firms.
What are the requirements for applicants?
Licensing as a CASP under MiCA involves a comprehensive assessment not only of documents but also of a company’s internal structure, compliance practices, and financial soundness. The licensing process can take anywhere from 3 to 9 months, depending on the jurisdiction and the applicant’s level of preparation. Below are the key requirements that must be met to obtain the license.
Legal presence and registration in the EU
A company must be legally established within the European Union:
- A legal entity incorporated under the laws of an EU Member State;
- A physical office and staff operating in that jurisdiction;
- Effective control and management exercised from within the EU (real substance).
In some countries, at least one director is also required to be a tax resident.
Organizational structure and personnel
MiCA requires that the applicant has a clear governance structure with key personnel appointed. The following are mandatory:
- A Compliance Officer responsible for regulatory compliance;
- An AML Officer in charge of anti-money laundering and counter-terrorism financing measures;
- A structured internal control system that includes monitoring, reporting, and risk management functions.
It is also recommended to have dedicated cybersecurity and data protection specialists, especially for companies offering custody services.
Financial soundness
To obtain CASP status, the company must demonstrate that it has adequate financial resources to operate. Regulators typically require:
- Minimum share capital (ranging from €50,000 to €150,000 depending on the services provided);
- Documented proof of funding sources (e.g., bank statements or capital contribution reports);
- An internal financial plan, including projected expenses and operational risk forecasts.
Some types of CASPs may also be required to have professional indemnity insurance.
Documentation and internal policies
A complete application must include the following core documents:
- AML/CTF policy and KYC procedures;
- IT documentation, including system architecture, data protection, and access control policies;
- Procedures for handling customer complaints and safeguarding consumer rights;
- Incident management, risk mitigation, and internal audit policies.
Applicants must also demonstrate how these policies are implemented in practice by providing real examples, system logs, or staff training materials.
How can Key2Law help with obtaining a CASP license?
Obtaining a CASP license is not just a matter of applying - it is a complex compliance and regulatory project. Most refusals are not caused by missing documents, but by poor submission strategy, a formalistic approach, or a failure to align the business structure with MiCA requirements. The Key2Law team provides end-to-end regulatory support to crypto companies at every stage: from readiness assessment to communication with regulators and post-licensing assistance.
Our experts are ready to assist you with the following services:
- Structure and risk analysis. We audit your corporate structure, services, ownership chains, and technical infrastructure. We identify risk areas and recommend the optimal jurisdiction for submission.
- Complete dossier preparation. We compile and review the full document set, including the articles of association, KYC/AML policies, business plan, financial model, internal control schemes, and documentation for data protection and IT systems.
- Regulatory representation. We handle communications and act on your behalf throughout the application process. We prepare responses to regulator inquiries, justify key decisions, and provide additional clarifications where needed.
- Integration of MiCA policies into real operations. We help implement compliance functions, establish internal audit procedures, train staff, and build the necessary infrastructure for ongoing monitoring and reporting.
- Post-licensing support. We advise on ongoing CASP obligations, assist with reporting, and represent your company during audits or structural changes.
If you want to obtain a CASP license without the risk of refusal, contact Key2Law. We will provide reliability, a clear strategy, and direct communication with regulators.