Germany BaFin Crypto Licensing: From Kryptoverwahrgeschäft to the MiCA CASP Transition

Most founders treat MiCA as the moment Europe got a crypto licence. Germany got one three years earlier. Since 1 January 2020, crypto custody has been a regulated financial service under §1(1a) KWG — the Kryptoverwahrgeschäft (crypto custody business) authorisation.

That early start created a problem nobody anticipated: two parallel regimes. Firms holding a Kryptoverwahrgeschäft authorisation must now transition into MiCA CASP status, and new applicants must decide whether to enter through the legacy door, the fresh MiCA CASP route, or the securities-adjacent §32 KWG path. The wrong choice costs months.

This guide lays out The BaFin Crypto Entry Map — three routes into German crypto regulation, with capital, timeline, and supervisor intensity for each — and explains why BaFin is the most demanding supervisor in the EU. It then sets out exactly what BaFin inspects and the precise founder profiles for whom Germany is the right answer — not the default one.

Germany is the largest economy in the EU, and its financial supervisor — the Federal Financial Supervisory Authority (BaFin) — supervises banking, insurance, and securities under a single integrated roof, working alongside the Deutsche Bundesbank. Unlike volume-processing regulators, BaFin treats crypto firms with the same prudential seriousness it applies to banks.

That posture is deliberate. BaFin embedded crypto custody inside the German Banking Act (KWG) rather than creating a lighter standalone regime — which means crypto custodians inherit the governance, capital, and fit-and-proper architecture of a regulated financial institution. A Kryptoverwahrgeschäft licence is not a registration; it is an authorisation.

The reward for clearing that bar is institutional credibility no other EU jurisdiction can match. German pension funds, asset managers, and private banks will mandate a BaFin-supervised counterparty where they would not touch a Lithuanian or Maltese one. The trade-off is the longest timeline and the highest substance bar in the EEA.

When Germany transposed the EU's 5AMLD in January 2020, it went further than the directive required and added crypto custody business as a new financial service under the German Banking Act¹^[1].

BaFin defines Kryptoverwahrgeschäft²^[2] as the custody, administration, and safekeeping of crypto-assets or private cryptographic keys on behalf of others. Anyone providing that service commercially in Germany needed BaFin authorisation — making Germany the first major EU state to license crypto custody as a banking-adjacent activity.

The result was a first-mover cohort of BaFin-licensed custodians that built operations, governance, and ICT controls years before their EU peers. That cohort now holds the keys to the transition question — and is the reason grandfathering matters so much in Germany.

Germany offers three distinct entry points into regulated crypto activity, and choosing the wrong one is the single most common mistake foreign founders make. Each carries a different capital floor, timeline, and supervisor-intensity profile.

• Path 1 — Legacy Kryptoverwahrgeschäft → MiCA grandfathering: for firms that already hold a §1(1a) KWG custody authorisation and need to convert to a MiCA CASP licence under the transitional window.

• Path 2 — Fresh MiCA CASP via BaFin: the from-scratch route for new applicants seeking an EEA-passporting crypto-asset service provider authorisation directly under MiCA.

• Path 3 — Securities-adjacent §32 KWG / eWpG: for tokenised securities and crypto-securities that fall under German securities law rather than MiCA, requiring a §32 KWG authorisation or crypto-securities registrar status.

Germany's national MiCA implementation is the Crypto Markets Supervision Act (KMAG)³^[3] — the Kryptomärkteaufsichtsgesetz. It is the statute that maps legacy Kryptoverwahrgeschäft authorisations onto the new MiCA CASP framework.

Who qualifies: firms that were lawfully providing crypto custody under §1(1a) KWG before MiCA applied. MiCA's Article 143 transitional regime lets member states allow existing providers to continue operating while they apply for the new authorisation — Germany used the maximum window available.

The transitional window for German custody firms runs through 1 July 2026 — the latest date a grandfathered provider can continue operating without a full MiCA CASP authorisation. After that, no licence, no operation. The practical advantage of Path 1 is that BaFin can rely on existing governance and ICT documentation, compressing the conversion review.

Grandfathering is not a free pass on substance. BaFin treats the conversion as a full re-papering against MiCA's authorisation conditions — what it credits is the operating history, the existing ICT controls, and the fit-and-proper assessments already on file. Firms that ran a thin Kryptoverwahrgeschäft operation discover the MiCA bar is higher than the 2020 custody bar, particularly on own funds, conflicts-of-interest policy, and complaints handling.

The strategic value of Path 1 is continuity of operation. A legacy holder keeps serving clients throughout the transition rather than going dark while a fresh file is assessed. That continuity is commercially decisive for a custodian holding live client assets — which is precisely why incumbents guard their first-mover position so closely.

For applicants without a legacy licence, the route is a fresh MiCA CASP authorisation under the Markets in Crypto-Assets Regulation⁴^[4], filed with and supervised by BaFin as the national competent authority.

This is the same MiCA licence available in Lithuania or Ireland — but filed through the EU's most exacting supervisor. BaFin applies the full Article 62 authorisation checklist: programme of operations, governance, fit-and-proper, AML/KYC framework, ICT and DORA resilience, and prudential own funds.

The from-scratch route has no operating history for BaFin to lean on, so every claim must be evidenced rather than asserted. Expect BaFin to test the viability of the business plan — three-year financial projections, capital adequacy under stress, and a credible wind-down plan — alongside the conduct and prudential file. Vague projections are the most common cause of the clock not starting.

BaFin's MiCAR supervisory guidance⁵^[5] makes clear it expects a complete file at submission. The statutory clock — MiCA gives the NCA 40 working days to assess completeness and a further period to decide — only starts once BaFin deems the application complete. In practice, the from-scratch route runs 12–18 months end-to-end including pre-submission preparation.

Not every token is a crypto-asset under MiCA. Where a token qualifies as a financial instrument under MiFID II — a tokenised bond, share, or fund unit — MiCA is expressly disapplied and German securities law governs instead.

Germany's Electronic Securities Act (eWpG) — in force since 2021 — created the crypto-security (Kryptowertpapier), a bond or fund unit issued directly onto a blockchain. Operating a crypto-securities registrar (Kryptowertpapierregisterführung) is itself a §1(1a) KWG financial service requiring BaFin authorisation.

Firms that execute, place, or provide investment services in these tokenised securities generally need a §32 KWG banking/investment-services authorisation — the full MiFID II licensing track, not the MiCA one. This is the heaviest and most expensive path, but the only route for genuine security tokens.

BaFin's review is unforgiving on four fronts. First, governance in German: core authorisation documents must be filed in German, and BaFin conducts substantive correspondence in German. English supporting material is accepted, but the legally binding file is German.

Second, the two-managers rule (Vier-Augen-Prinzip): every authorised institution needs at least two managing directors, each fit and proper, demonstrably experienced, and resident close enough to run the business. BaFin scrutinises CVs, prior regulatory history, and German-market familiarity.

Third, local substance: a real German head office, staffed key functions (compliance, risk, MLRO, internal audit), and demonstrable mind-and-management in Germany. Letterbox structures do not survive first review.

Fourth, ICT and AML rigour: BaFin expects DORA-grade operational resilience — key-management ceremonies, incident response, third-party risk — and an AML framework aligned with EBA guidelines⁶^[6] and the German Money Laundering Act (GwG).

MiCA sets three minimum own-funds tiers in Annex IV, and BaFin applies them as floors, not targets. Class 1 (advice, reception/transmission, execution, placement) is €50,000; Class 2 (custody, exchange against funds or other crypto) is €125,000; Class 3 (operating a trading platform) is €150,000.

BaFin's reading adds the alternative own-funds test: a CASP must hold the higher of its Annex IV class minimum or one quarter of the preceding year's fixed overheads. For any business with meaningful staffing in Germany, the fixed-overheads test usually bites first — so plan capital against your real cost base, not the headline floor.

The securities-adjacent Path 3 is a different world: a §32 KWG investment-services authorisation can require initial capital from €75,000 to €730,000 depending on the investment services performed and whether client assets are held. Budget for the banking-grade tier if you touch security tokens.

Germany has a deep banking market — but depth does not mean openness. German banks remain conservative on crypto counterparties, and a BaFin licence opens doors that an offshore registration never could. The licence is the banking key, not a banking guarantee.

Substance is the cost driver. A credible German operation needs two resident managing directors, a compliance and risk function, a resident MLRO, internal audit, and a genuine office. Annual running cost for that substance comfortably exceeds €500,000 before product spend — materially above Lithuania.

The honest read: Germany is expensive and slow to enter, but durable once inside. If your model is high-margin custody or institutional service rather than thin-margin retail throughput, the substance cost is justified by the counterparty trust it unlocks.

There is also a dual-licence reality in Germany that founders underestimate. A firm doing both MiCA crypto custody and eWpG crypto-securities registrar work may need authorisations under both regimes in the same entity — MiCA for the in-scope crypto-assets and §1(1a) KWG for the crypto-securities register. Mapping the activity perimeter precisely before filing avoids a second application cycle.

Finally, factor in ongoing supervision cost, not just the authorisation. BaFin levies annual supervisory fees and conducts periodic reviews and audits with banking-grade intensity. The relationship with the supervisor is continuous — the licence is the start of a permanent compliance obligation, not a one-off cost.

Germany wins for three founder profiles. For everyone else, a faster EEA jurisdiction passports into Germany anyway — so be honest about whether you need a German entity or just German customers.

If your clients are German pension funds, asset managers, insurers, or private banks, a BaFin authorisation is frequently a procurement prerequisite. They will not custody assets with an offshore or even a Lithuanian entity. The Kryptoverwahrgeschäft heritage is purpose-built for this.

If Germany is your primary market — German users, German banking partners, German distribution — a home authorisation removes the friction of passporting in and signals commitment to local supervisors and counterparties.

If you are issuing or servicing tokenised securities under the eWpG, Germany has the most developed legal infrastructure in Europe — the crypto-security and crypto-securities registrar framework has no equivalent elsewhere. For security tokens, Germany is not just a choice; it is often the answer.

Yes — and earlier than most of Europe. Since 1 January 2020, crypto custody has been a regulated financial service under §1(1a) KWG requiring BaFin authorisation. Since MiCA applied, crypto-asset services are also licensed as MiCA CASP authorisations issued by BaFin.

Kryptoverwahrgeschäft is the German term for crypto custody business — the custody, administration, and safekeeping of crypto-assets or private cryptographic keys for others. BaFin introduced it as a financial service under §1(1a) KWG in 2020, making Germany the first major EU state to license crypto custody as a banking-adjacent activity requiring full authorisation.

Firms that lawfully held a Kryptoverwahrgeschäft authorisation before MiCA applied may keep operating under a transitional regime while they convert to a MiCA CASP licence under the KMAG. Germany's window runs to 1 July 2026; after that, grandfathered firms must hold full MiCA authorisation or cease activity.

Generally yes. BaFin applies banking-grade scrutiny, requires the binding file in German, enforces the two-managers rule and genuine local substance, and runs longer timelines — 12–18 months for a fresh CASP versus 6–12 in Lithuania. The payoff is the highest institutional credibility in the EU.

Yes. A MiCA CASP authorisation from any EEA regulator passports into Germany on a notification basis. So if you only need German customers — not a German entity — a faster Lithuanian or Irish licence reaches the German market. You choose a German BaFin entity when institutional counterparties demand a home supervisor.

• MiCA Compliance Guide for CASPs: the full CASP authorisation walkthrough that underpins the German fresh-CASP and grandfathering routes.

• EMI Licence Application in Lithuania: the faster, cheaper EEA-passporting alternative when speed and EUR throughput beat institutional prestige.

• EEA/UK/Offshore Crypto Incorporation: where Germany sits in the wider domicile shortlist for crypto and custody businesses.

• The 2026 Substance Bar: what real local substance now means — directly relevant to BaFin's mind-and-management and two-managers requirements.

Germany is the EU crypto jurisdiction that rewards firms that need credibility more than speed — a pre-MiCA custody heritage, the most trusted supervisor in Europe, and a securities-token framework no competitor matches. It punishes firms that pick it for the wrong reasons: thin-margin throughput, fast launch, or light substance. The right move is to test your model against The BaFin Crypto Entry Map — legacy, fresh CASP, or securities-adjacent — and decide whether you truly need a German entity, or whether a passport from elsewhere reaches the same customers.