Who needs a MiCA CASP license?
Since 2024, the crypto market in the EU has been operating under new rules. The MiCA regulation introduced mandatory licensing for all crypto-asset service providers (CASPs), covering everything from exchange and custody to order execution and asset transfer. Companies without a CASP license can no longer serve EU clients, even if they’re registered outside the Union. According to estimates, the number of such providers is expected to exceed 1,000 by 2026. But who needs a CASP license? And who might be exempt under MiCA? This article breaks down the key requirements, explains the most common mistakes, and helps you navigate the new framework without putting your business at risk.
Who is required to obtain a CASP license under MiCA?
The introduction of CASP licensing under the MiCA framework is one of the EU’s most significant steps toward legalizing and standardizing the crypto market. Any company offering crypto-asset-related services must now assess whether its activities fall under MiCA regulation. Non-compliance may lead to a ban on operating within the EU, administrative penalties, and disconnection from essential financial infrastructure.
Mandatory categories of CASPs
According to Regulation (EU) 2023/1114 (MiCA), licensing is required for any company that provides at least one of the following services, as listed in Article 3(1):
- Custody and administration of crypto-assets on behalf of clients (custodial wallet providers);
- Exchange of crypto-assets against fiat currency and vice versa;
- Exchange of one crypto-asset against another;
- Execution of orders on behalf of clients;
- Transfer of crypto-assets between wallets;
- Reception and transmission of client orders related to crypto-assets;
- Placement of crypto-assets;
- Providing advice on crypto-assets.
According to TRM Labs, between 1,100 and 1,300 VASP-registered companies were active in the EU prior to the implementation of MiCA. Most of them will be required to undergo reauthorization under the new CASP regime.
Territorial scope: who falls under MiCA?
MiCA applies not only to companies registered within the EU, but also to any business that:
- Offers crypto-asset services to clients located in the EU, regardless of where the company is based;
- Actively markets its services or products to EU residents, including through online advertising, localized websites, or EU-targeted domains.
Even companies based outside the EU must obtain a CASP license if they target EU residents. The only exception is reverse solicitation, where a client initiates the relationship without any active marketing effort from the provider. However, this exception is narrowly interpreted and only applies when no promotion or outreach is conducted toward the EU market.
Who is exempt from having to obtain a CASP license?
Not all companies working with crypto-assets are required to obtain a CASP license. MiCA clearly outlines specific scenarios where licensing is not mandatory. However, it's essential to understand that these exemptions apply only under certain conditions — any deviation may result in the company being considered as operating illegally within the EU.
Grounds for exemption from licensing
According to Article 2 of MiCA, the regulation does not apply to the following categories:
- EMI (Electronic Money Institutions) and PI (Payment Institutions) — provided that their crypto-asset-related activity is limited to functions within their main license (e.g., issuing stablecoins as part of a payment service).
- Banks and investment firms regulated under CRD IV and MiFID II — if crypto services are integrated into their existing licensed operations.
- Technology providers that develop crypto infrastructure or software but do not offer services to third parties (e.g., DeFi protocol developers without control over client assets).
- Non-EU companies that do not market their crypto services within the EU. This exemption requires proof that there is no targeted activity toward EU residents (e.g., no localized website, advertising, or region-specific outreach).
Transitional regime
MiCA establishes a temporary transitional period for companies already registered as VASPs under national legislation. If a company was officially registered in an EU country before 30 December 2024, it may continue operating without a CASP license until July 2026, provided certain conditions are met:
- Notification of the national regulator about the intention to use the transitional regime;
- Continued compliance with existing AML/KYC requirements;
- Timely submission of a complete application for a CASP license before the transitional period ends.
Although MiCA allows for a maximum transitional period of 18 months (until 1 July 2026), this is not automatic. Each EU Member State determines its own timeline and deadline for submitting license applications. Companies operating in multiple jurisdictions must carefully monitor these national rules to avoid regulatory breaches or business interruptions.
What are the risks of operating without a CASP license?
The MiCA Regulation sets out clear consequences for companies that provide crypto-asset services without the required authorization. Without a CASP license, a business not only loses the legal right to operate within the EU but also risks facing sanctions, account freezes, and exclusion from the financial system.
Sanctions and business bans
According to Article 111 of MiCA, national regulators in EU Member States have the authority to:
- Suspend or prohibit any crypto-related activity conducted without a valid CASP license;
- Impose administrative fines of up to 12.5% of the company’s annual turnover or €5 million, depending on the severity of the violation;
- Publicly disclose information about non-compliant entities in regulatory registers.
Companies that are not authorized CASPs may also be removed from licensed trading platforms and lose access to banking, payment gateways, and fiat ramps.
Reputational and future licensing risks
Even in the absence of direct penalties, unauthorized crypto businesses may encounter serious long-term consequences:
- Future licensing applications may be denied, as past regulatory violations are taken into account;
- Public exposure as a non-compliant entity can severely damage trust among users, investors, and institutional partners;
- Integration with payment or banking infrastructure may be denied — many providers require proof of MiCA compliance for even basic technical access.
Additionally, regulatory issues can impact affiliated projects, brands, and management teams, affecting operations across the EU.
How to get a CASP license: basic steps
Obtaining a CASP license is a complex but clearly regulated process. Any company planning to offer crypto-asset services within the EU must be prepared to demonstrate not only technical readiness but also full compliance with legal, governance, and risk management requirements. Below are the key steps involved:
- Establishing a legal presence in the EU. The company must be incorporated in an EU Member State and have a real, operational business address. A virtual office or mailing address alone is not sufficient.
- Appointing responsible individuals. Firms are required to designate qualified persons to oversee regulatory compliance, including a compliance officer, AML officer, and other relevant roles. These individuals must meet integrity, experience, and competence standards set by national regulators.
- Implementing internal control systems. This includes robust AML/CFT procedures, know-your-customer (KYC) protocols, management of conflicts of interest, customer data protection, cybersecurity frameworks, and operational risk management strategies.
- Preparing a comprehensive documentation package. Applicants must submit a detailed business plan, financial projections, descriptions of internal policies and processes, ownership structure, resumes of key personnel, and relevant regulatory documents.
- Applying the national regulator. Once submitted, the application undergoes formal review, typically lasting between 3 and 6 months. During this period, the regulator may request additional information or adjustments before granting the CASP license.
How Key2Law can help you get your CASP license
The Key2Law team provides end-to-end support at every stage of the CASP licensing process and helps minimize the risk of rejection or delays. We offer:
- Professional assessment of your business model – we determine whether your activities fall under MiCA and which specific services require licensing.
- Jurisdiction selection – we help choose the best EU country for registration and application, taking into account regulatory expectations and tax implications.
- Preparation of a complete application package, including a business plan, AML/KYC policies, operational descriptions, control schemes, and internal procedures.
- Regulatory communication – we handle your application from submission to approval, including responding to authority queries, providing clarifications, and assisting during inspections.
- Post-licensing support, such as adapting to regulatory changes, compliance audits, and protection in case of claims.
If you want to operate legally in the EU crypto market, avoiding service blocks, sanctions, and partner distrust, start with a solid license. Contact Key2Law today to ensure your licensing process is smooth, efficient, and fully compliant.