How to Get a MiCA CASP License: The Complete EU Application Guide

Why MiCA Matters for Tokenization

The Markets in Crypto-Assets Regulation (MiCA) — Regulation (EU) 2023/1114 — entered full application on 30 December 2024. It is the most comprehensive crypto-asset regulatory framework yet enacted by any major jurisdiction, and it replaces the patchwork of national regimes that previously governed crypto activities across EU member states.

For tokenization platforms, MiCA creates a definitive answer to a question that had previously generated substantial legal uncertainty: what license do you need to issue, manage, and trade tokenized assets within the EU? The answer depends on whether your token is classified as a crypto-asset (requiring CASP authorization), an asset-referenced token (ART), or an e-money token (EMT) — or whether it qualifies as a financial instrument and therefore falls under MiFID II rather than MiCA.

This guide focuses on the CASP authorization pathway, which covers the nine categories of crypto-asset services. Platforms issuing ARTs or EMTs face additional requirements under MiCA Title III and IV respectively, which are addressed separately in the Regulatory Encyclopedia.

Who Needs a MiCA CASP License

MiCA Article 59 requires any legal person or undertaking providing crypto-asset services in the EU to be authorized as a CASP, unless they are (a) a credit institution already authorized under the Capital Requirements Directive, (b) an investment firm under MiFID II, (c) an e-money institution, or (d) a market operator — all of which may provide certain crypto-asset services under a notification procedure rather than a new authorization.

Critically, MiCA applies to firms that provide services in the EU regardless of where they are incorporated. A Cayman Islands entity offering exchange services to German retail clients requires CASP authorization. The jurisdictional hook is the location of the client, not the location of the service provider.

The nine CASP service categories are:

1. Custody and administration of crypto-assets on behalf of clients
2. Operation of a trading platform for crypto-assets
3. Exchange of crypto-assets for fiat currency
4. Exchange of crypto-assets for other crypto-assets
5. Execution of orders for crypto-assets on behalf of clients
6. Placing of crypto-assets
7. Reception and transmission of orders for crypto-assets on behalf of clients
8. Providing advice on crypto-assets
9. Providing portfolio management on crypto-assets

Most tokenization platforms will require authorization for a combination of services. A secondary trading marketplace for tokenized real estate will typically require services 2, 3, 4, and 5 at minimum. A custody-focused platform requires service 1. An issuance platform that also provides advice on token structure requires service 8.

Capital Requirements by Service Class

MiCA establishes three capital classes. The applicable class is determined by the highest-capital service authorized, not the sum of services.

Capital must be maintained on an ongoing basis. NCAs expect quarterly capital adequacy reporting. The capital must consist of Common Equity Tier 1 instruments — paid-up ordinary shares, share premium, retained earnings — and cannot include subordinated debt or preference shares that lack loss-absorption characteristics.

Professional indemnity insurance is an alternative to own funds capital only for Class 1 and Class 2 services, and only if the NCA accepts this route. Germany’s BaFin has historically preferred own funds. Luxembourg’s CSSF has been more open to hybrid approaches.

Selecting the Right NCA: Home Member State Principle

MiCA operates on the home member state principle. The CASP files its application with the NCA of the member state where it has its registered office (for EU-incorporated entities) or its head office (for entities with offices in multiple EU states).

If you are establishing a new EU entity specifically for the MiCA authorization, you have genuine optionality. The most commonly selected NCAs for CASP authorizations in 2025–2026 are:

BaFin (Germany): The German regulator brings the deepest institutional credibility for European institutional clients but is known for rigorous documentation standards and slower processing times. BaFin issued the most crypto custody licenses in Europe prior to MiCA and brings significant institutional knowledge.

CSSF (Luxembourg): Luxembourg’s CSSF has positioned itself as a fund-friendly regulator and is highly familiar with alternative investment structures. For tokenized funds targeting European institutional investors, the CSSF has the most relevant supervisory experience. Processing times are competitive.

AMF (France): The French AMF operated a voluntary PSAN (Prestataire de Services sur Actifs Numériques) registration regime pre-MiCA. AMF staff have significant experience with crypto business models and have been transparent about their expectations. The AMF is actively courting crypto businesses post-MiCA.

CBI (Ireland): The Central Bank of Ireland has the largest AUM of any EU fund regulator and is experienced with complex financial products. For tokenized fund structures, the CBI brings relevant precedent. However, the CBI is known to be deliberate in its approach.

AFM/DNB (Netherlands): The Netherlands has an active crypto industry and competitive processing times. DNB focuses on AML compliance; AFM on conduct.

Application Fees by Major NCA

The Step-by-Step MiCA CASP Application Process

Step 1: Pre-Application Engagement

Most NCAs offer a pre-application meeting or written Q&A process. BaFin operates a structured pre-application consultation. The AMF has published an innovation hub through which firms can seek informal guidance. The CSSF accepts written pre-application queries.

Pre-application engagement is not mandatory, but it substantially reduces the risk of receiving a completeness rejection at Step 3. Use the pre-application phase to confirm: (a) which services require authorization, (b) which capital class applies, (c) whether any aspects of your business model require specific regulatory treatment, and (d) the NCA’s preferences on documentation format and depth.

Step 2: Entity Establishment

The applicant must be a legal person established in an EU member state. Branches of third-country entities cannot hold CASP authorizations; a subsidiary is required. The entity must have its registered office in the member state whose NCA you are applying to.

The entity structure must be documented in the application: articles of association, certificate of incorporation, shareholder register, and organizational chart showing lines of authority and control.

Step 3: Application Submission and Completeness Check

The application is submitted to the NCA via its designated portal or in written form (NCA-dependent). Upon receipt, the NCA has 20 working days to confirm whether the application is complete. If incomplete, the NCA returns it with a list of deficiencies. The 3-month decision clock does not begin until the application is confirmed complete.

This completeness check is a common source of delay. Applications that arrive without all required annexes, or with documentation that fails to address MiCA’s specific requirements, are returned. The NCA then waits for the resubmission before beginning its substantive review.

Completeness is not a low bar. MiCA’s Annex II specifies 17 categories of required information, each with sub-elements. A complete application for a Class 3 CASP (custody + trading platform) will routinely run to several hundred pages with annexes.

Step 4: Substantive Review (3-Month Decision Window)

Once the application is confirmed complete, the NCA has 3 calendar months to issue its decision. The NCA may request additional information during this period; such requests pause the clock.

The NCA must either grant authorization or refuse, with reasons, within the decision window. Conditional authorization — approval subject to specified conditions or undertakings — is not explicitly provided for in MiCA, though some NCAs have issued approvals with attached supervisory expectations.

Step 5: ESMA Registration and CASP Register

Upon authorization, the NCA notifies ESMA. ESMA maintains the public CASP register, which is the definitive record of authorized CASPs in the EU. The register is accessible on the ESMA website.

Third parties — counterparties, investors, institutional clients — will verify CASP status through the ESMA register. Inclusion in the register is a commercial as well as regulatory requirement.

Required Documentation

The MiCA application dossier is extensive. What follows is a structured checklist of the key documentation categories.

Corporate Documentation

• Certificate of incorporation and articles of association
• Shareholder register with beneficial ownership disclosed to the UBO level
• Organizational chart (legal structure, operational structure, governance lines)
• Register of directors and senior management with CVs
• Declarations of fitness and properness for each director, senior manager, and qualifying shareholder

Business Plan

The business plan is one of the most important documents in the dossier. It must cover:

• Description of all services to be provided, with operational detail
• Target markets and client types (retail vs. professional; EU member states targeted)
• Technology infrastructure and custody arrangements
• Projected financial statements for 3 years
• Revenue model and fee structures
• Outsourcing arrangements (if any)

Governance and Internal Controls

• Management body composition and board charter
• Internal audit framework
• Risk management framework (market risk, liquidity risk, operational risk, cyber risk)
• Conflict of interest policy
• Remuneration policy
• Complaints handling procedures
• Business continuity plan and disaster recovery procedures

Capital Adequacy

• Evidence of minimum own funds (audited accounts, bank statements)
• Capital adequacy calculation methodology
• Stress-testing approach for capital adequacy

AML/CFT Framework

• AML/CFT policies and procedures
• Risk assessment for money laundering and terrorist financing
• Customer due diligence (CDD) and enhanced due diligence (EDD) procedures
• PEP and sanctions screening procedures
• Transaction monitoring procedures and thresholds
• Suspicious Transaction Report (STR) procedures
• Appointment and qualifications of the AML Compliance Officer (MLRO)
• Travel Rule compliance procedures (FATF Recommendation 16)

IT Security and Custody

• IT security policy and penetration testing results
• Custody procedures for client crypto-assets (segregation, cold storage ratios, key management)
• Insurance arrangements for custodied assets
• Smart contract audit reports (for platforms using smart contracts)

Safeguarding of Client Funds

• Segregation arrangements for client funds (fiat and crypto)
• Reconciliation procedures
• Arrangements for return of client assets in insolvency

The Passporting Mechanism

Upon authorization, a CASP wishing to provide services in other EU member states initiates the passporting notification procedure under MiCA Article 58.

The passporting notice is submitted to the home NCA, which forwards it to the host NCA within 10 working days. The host NCA is notified; it cannot block the passport but may impose additional conduct requirements specific to that member state (for example, local language consumer disclosures).

The CASP may begin providing services in the host member state 15 working days after the home NCA acknowledges the passport notification. There is no separate authorization process, no fee paid to the host NCA, and no substantive review by the host NCA.

This is MiCA’s most commercially significant feature. A CASP authorized by the CSSF in Luxembourg can passport into Germany, France, Spain, Italy, the Netherlands, and the remaining 22 EU member states through a notification — not a new authorization. The EU’s 450 million consumers are accessible from a single regulatory approval.

Transitional Provisions: Existing CASPs

MiCA includes transitional provisions for entities that were lawfully providing crypto-asset services under national law before MiCA’s full application date (30 December 2024). These entities may continue providing services without a MiCA CASP authorization for a transitional period of 18 months — until 1 July 2026 in most EU member states.

The transitional period applies only to services that were previously regulated under national law. Entities providing services that were not regulated nationally (because that member state had no national crypto regime) do not benefit from the transitional provision and must obtain MiCA authorization.

Several member states — including Austria, France, and Poland — have opted for shorter transitional periods, requiring MiCA authorization as early as mid-2025. Compliance officers must check the specific transitional provisions of their home member state.

After 1 July 2026, all CASPs operating in the EU must hold MiCA authorization. There are no further extensions.

Ongoing Obligations Post-Authorization

Authorization is not a one-time event. MiCA imposes substantial ongoing compliance obligations:

Annual Reporting: CASPs must submit annual reports to their home NCA covering financial results, capital adequacy, complaint statistics, incident log, and changes to business model. The precise format is specified by ESMA in regulatory technical standards (RTS).

Governance Updates: Any material change to the management body composition, qualifying shareholders, or business model requires prior NCA notification or approval. The NCA must be notified at least 30 days before material changes take effect.

Incident Reporting: Significant operational or security incidents must be reported to the NCA within 24 hours of detection, with follow-up reports within specified timeframes. ESMA’s RTS defines what constitutes a “significant” incident.

Conduct of Business: CASPs must provide clients with pre-contractual disclosures (white papers or simplified information sheets), treat clients fairly, manage conflicts of interest, and comply with the market abuse rules in MiCA Title VI.

Capital Adequacy Monitoring: Quarterly own funds calculations must be maintained. If the CASP’s own funds fall below the minimum, it must notify the NCA immediately and submit a capital restoration plan.

Common Rejection Reasons

NCAs reviewing CASP applications have identified consistent failure patterns:

1. Inadequate AML/CFT documentation. The most common ground for rejection or return of application. Generic AML policies copied from templates without adaptation to the specific business model are readily identified and rejected. The AML framework must be tailored to the actual services, client types, jurisdictions, and transaction patterns.

2. Insufficiently experienced management. The fit and proper assessment examines whether directors and senior managers have relevant experience for the services being authorized. A custody CASP whose board lacks anyone with securities custody or crypto custody experience will struggle. NCAs expect boards to have members with financial services compliance, technology security, and senior management experience.

3. Business plan lacking financial credibility. Projections that show rapid profitability without credible revenue assumptions, or that underestimate compliance costs, are red flags. NCAs have seen hundreds of business plans and know what plausible projections look like.

4. Missing or inadequate IT security documentation. For Class 3 CASPs (custody and trading), IT security documentation must be comprehensive. Penetration testing reports, cold storage ratios, key management procedures, and cyber insurance coverage are reviewed in detail.

5. Incomplete beneficial ownership disclosure. All qualifying shareholders (those holding 10%+ directly or indirectly) must be disclosed with full beneficial ownership chains. Opaque structures involving nominee shareholders or complex chains of holding companies without clear UBO disclosure are rejected.

6. Failure to address the Travel Rule. NCAs now expect applicants to demonstrate how they will comply with the EU’s Transfer of Funds Regulation as amended (which implements FATF Recommendation 16). Applications that do not address Travel Rule compliance are increasingly returned as incomplete.

External References

• ESMA MiCA Activities and Resources
• MiCA Regulation Full Text — EUR-Lex

Related Resources

• Licensing Cost Comparison by Jurisdiction
• AML Framework for Tokenization Platforms
• Travel Rule Compliance Guide
• Regulatory Encyclopedia: MiCA
• Jurisdiction Comparison Tool