Malta MFSA CASP & EMI Authorisation Guide (2026)

Malta is the only EEA Member State that ran a full crypto-asset regulatory regime — the Virtual Financial Assets Act 2018 — for six years before MiCA arrived. That history matters in 2026. The MFSA — the Malta Financial Services Authority — supervises a population of 16 MiCA CASP authorisations on the ESMA register, 18 EMI authorisations, and 3 EMT issuer authorisations — but it does so under a unique dual-track structure in which legacy VFA Act firms transition into MiCA under Article 143 grandfathering while new entrants apply directly under MiCA.

The dual-track is more than a transitional curiosity. It changes the practical experience of authorisation. New entrants apply against an MFSA supervisory desk that has been licensing crypto firms since 2018 — meaning the playbook, the in-house expertise, and the policy reflexes are all crypto-fluent in a way that newer entrants to MiCA supervision are still building. The trade-off is that MFSA's substance bar — driven by post-Moneyval remediation since 2021 — is materially higher than in newer jurisdictions, and timelines run longer.

This guide maps the Malta dual-track end-to-end: the MiCA CASP authorisation path under MFSA, the surviving role of the VFA Act 2018, the EMI overlay for firms holding both licences, the 2026 substance bar, timeline and cost, and the structural question every founder should answer before filing — when is Malta actually the right answer?

Most EEA Member States are MiCA-only jurisdictions in 2026 — they had no crypto framework before MiCA, so MiCA authorisation is the first and only regime. Malta is structurally different. The MFSA¹^[1] had been licensing VFA agents and VFA service providers under the VFA Act 2018 framework — Class 1, Class 2, Class 3 and Class 4 — for six years before MiCA fully applied on 30 December 2024.

The result is that the VFA Act²^[2] did not vanish on 30 December 2024. Existing VFA service providers continued under their VFA authorisations during the MiCA Article 143 grandfathering window, while applying for MiCA CASP authorisation in parallel. The dual-track exists because Malta inherited a pre-MiCA crypto cohort that no other EEA Member State carries at comparable scale.

For new entrants in 2026, the practical implication is twofold. First, the MFSA crypto desk has eight years of accumulated supervisory experience with crypto-asset firms — operational risk, custody, market-abuse surveillance, AML for token flows — which is qualitatively different from a regulator that has supervised crypto only since late 2024. Second, the MFSA's enforcement reflexes were calibrated by the post-Moneyval remediation programme of 2019–2022, which reshaped Malta's AML and supervisory infrastructure. Malta is no longer the light-touch jurisdiction it was perceived to be in 2018; it is one of the more demanding EEA supervisors in 2026.

A new entrant CASP applies for authorisation under the Markets in Crypto-Assets Regulation³^[3] via the MFSA's authorisation pre-application and full-application process. The application is filed against the relevant CASP class under MiCA Annex IV — Class 1 (€50,000 minimum own funds), Class 2 (€125,000), or Class 3 (€150,000) — depending on the bundle of services offered.

The MFSA process runs in three stages: a pre-application meeting — mandatory in practice, where MFSA assesses business-model fit and identifies prima facie blockers — followed by in-principle approval once the dossier is substantively complete, followed by full authorisation on satisfaction of conditions. Realistic total elapsed time from pre-application to authorisation is 8–12 months; complex applications with novel business models or weak management dossiers can run longer.

MFSA's review is exhaustive. The supervisor scrutinises the programme of operations, the business plan and financial projections (three-year, base-case and stressed), governance arrangements, fit-and-proper of all directors, senior managers, qualifying shareholders and beneficial owners, the ICT and cyber-resilience framework against DORA, segregation of client assets, custody policy where applicable, AML and CFT programme, MLRO appointment, market-abuse surveillance, and complaints handling.

Two areas where Malta is materially stricter than newer MiCA jurisdictions: custody safekeeping arrangements (segregation, key management, insurance, business-continuity testing of custody operations) and market-abuse monitoring where the CASP operates a trading platform under Article 76 MiCA. MFSA carries over the surveillance expectations from its investment-services supervision and applies them at Class 3 CASP level.

The comparison with two other common EEA crypto-asset jurisdictions — Lithuania and Cyprus — is informative.

The headline number — 16 MiCA CASP authorisations in Malta — is smaller than Lithuania's or Cyprus's CASP cohorts, but the qualitative composition is different. The Maltese cohort skews toward larger, longer-established firms that ran VFA authorisations from 2019 onward, rather than first-time crypto applicants. That is a function of the substance bar more than appetite.

The VFA Act 2018⁴^[4] — Chapter 590 of the Laws of Malta — created four classes of VFA service provider licence and a separate VFA agent regime. Class 1 covered reception and transmission and investment advice; Class 2 added portfolio management and execution; Class 3 covered dealing on own account; Class 4 covered custody, operation of trading facilities and market-making. The classes were calibrated to mirror MiFID-style permissions, adapted to crypto-asset services.

On 30 December 2024 MiCA fully applied, and the VFA Act was substantially superseded for activities now scoped into MiCA. The remaining role of the VFA Act is residual: it covers VFA agents — the Maltese institutional figure that signs off VFA whitepapers and acts as gatekeeper — and the legacy framework under which existing VFA service providers continued to operate during the Article 143 grandfathering window. Malta opted for an 18-month grandfathering period — the maximum permitted under MiCA — so VFA service providers active before 30 December 2024 may continue under VFA authorisation until 1 July 2026, by which point MiCA authorisation must be in hand or activity must cease.

This is where the Malta dual-track gets practical. In 2026 there are three categories of crypto firm in Malta: new MiCA CASPs authorised directly under MiCA (the 16 on the ESMA register); transitioning VFA firms operating under Article 143 grandfathering with MiCA applications mid-flight; and non-CASP VFA-adjacent activity that remains under residual VFA Act scope (notably the VFA agent function).

For a new entrant, the VFA route is not available — MiCA is the only viable framework. The VFA Act mattered as a transitional bridge for the legacy cohort and continues to matter for the gatekeeper roles MiCA does not directly cover.

The table makes the practical point: VFA legacy authorisation is a bridging position. Every firm running under VFA Act in 2026 must reach MiCA CASP authorisation by 1 July 2026 to continue operating. The strategic question is not whether to transition — it is how early to file the MiCA application so that the in-principle decision lands well before the grandfathering deadline.

Malta is also a credible EMI jurisdiction. MFSA supervises 18 EMI authorisations — a moderate cohort by EEA standards, smaller than Lithuania's flagship EMI base but with materially stronger supervisory depth on AML and governance. 3 EMT issuer authorisations sit inside that cohort — Malta has been one of the early jurisdictions to license MiCA Title III e-money tokens.

EMI authorisation in Malta sits under EMD2⁵^[5] — the Electronic Money Directive — transposed into Maltese law via the Financial Institutions Act. Minimum initial capital is €350,000, with own-funds requirements scaling under Method D against outstanding electronic money in issue. Safeguarding of customer funds is mandatory and the MFSA scrutinises the safeguarding methodology — segregated bank account vs. insurance — at authorisation and on supervisory cadence.

The natural reason a firm holds both an EMI authorisation and a CASP authorisation in Malta is the EMT issuance use-case. Under MiCA Title III, EMT issuance requires the issuer to be authorised as either a credit institution or an EMI; offering services on the EMT — exchange, custody, transfer — requires a CASP authorisation. Firms running both legs of the model in-house need both authorisations, supervised by the same MFSA desk.

The other common pattern is a CASP that wants to issue prepaid card products or run a custodian-wallet model with on-platform fiat balances — that fiat component pushes the firm into EMD2 scope, requiring an EMI authorisation alongside the CASP authorisation.

Malta's substance bar is high in 2026 — materially higher than 2018-era VFA-applicant expectations. Five concrete elements MFSA will not accept compromises on.

• Real management in Malta — the CEO, the senior risk function and the MLRO must be tax-resident in Malta and physically present for the working week. Fly-in directors are not accepted at MFSA fit-and-proper review for senior-management roles.

• Local board composition — a majority or near-majority of directors should have meaningful Malta presence, with at least one independent non-executive director with Maltese supervisory pedigree.

• Documented governance — board AML and risk committees with documented quarterly cadence, terms of reference, minutes, and demonstrable challenge of management at each cycle.

• AML programme depth — the firm-wide ML/TF risk assessment, control framework, transaction-monitoring system, sanctions screening configuration, MLRO reporting line directly to the board, and Travel Rule operationalisation must all be authorisation-ready, not roadmap commitments.

• ICT and DORA readiness — ICT risk framework, third-party risk register, incident-response runbook, business-continuity and disaster-recovery testing on an annual cycle, all in place at the date of authorisation, not promised for year one.

Malta's substance reset traces back to the Moneyval-driven AML overhaul of 2019–2022. MFSA's standards in 2026 are calibrated for a post-Moneyval supervisor that will not tolerate the brass-plate model that some 2018 applicants attempted. Firms that arrive expecting that earlier template — minimal local presence, contracted-out compliance — are routinely turned away at pre-application stage.

A realistic Malta CASP authorisation timeline runs 8–12 months from first pre-application meeting to authorisation in hand. Pre-application: 1–2 months. Full application drafting and submission: 1–2 months. MFSA review and questions: 4–6 months. In-principle approval then conditions: 1–2 months. Authorisation: when conditions are satisfied.

Cost is harder to typify because so much depends on the complexity of the business model and the quality of the advisory team. Indicative ranges for a Class 3 CASP authorisation: regulatory fees in the low five figures (MFSA application fee, supervisory fee); external counsel and authorisation-consultant fees €150,000–€400,000 depending on complexity; first-year fully-loaded operating cost (real-management substance, MLRO, board, ICT, AML systems) of €800,000–€1.5m. Firms that under-budget on substance routinely face conditional approvals or rejections that cost more time and money to remediate than building substance properly from the start.

Malta is the right answer for a specific founder profile. Choose Malta if the firm is building a long-horizon CASP with serious institutional ambitions, values supervisory expertise over speed, can credibly run real management in a small EU island jurisdiction, and is comfortable carrying the substance cost in exchange for MFSA's deep crypto-asset supervisory bench and full EEA passporting. See our wider EEA vs UK vs offshore comparison for how Malta benchmarks against alternative incorporation pathways.

Choose Lithuania instead if speed of authorisation is the primary driver, the firm's first wedge is payments-first with crypto layered on, or the founder team is more comfortable with the Bank of Lithuania's faster, more procedural authorisation desk.

Choose Cyprus if the firm wants a common-law-flavoured legal environment, an institutional-grade CySEC supervisor with deep investment-services pedigree, and the 12.5% headline corporate tax rate as part of the structuring case.

Across all three EEA options, the underlying MiCA rulebook is identical — see the MiCA compliance guide for CASPs for the operational obligations every authorised CASP will live under. The differentiator is the supervisor.

16 MiCA CASP authorisations under MFSA appear on the ESMA MiCA register⁶^[6] in 2026. The cohort is smaller than Lithuania's or Cyprus's, partly because the substance bar is higher and partly because many would-be CASPs in Malta are still mid-flight through the VFA-to-MiCA transition.

Only in a residual sense. The VFA Act 2018 remains in force to cover VFA agent gatekeeper roles and to support legacy firms running under MiCA Article 143 grandfathering through 1 July 2026. New entrants in 2026 cannot apply for a VFA service-provider licence — the only route is MiCA CASP authorisation.

8–12 months from first pre-application meeting to authorisation is the realistic envelope in 2026. Complex business models, weak management dossiers, or applications that arrive at full application without pre-application preparation routinely run longer.

No. MFSA will not accept fly-in directors for senior-management roles. The CEO, senior risk function and MLRO must be tax-resident in Malta and physically present during the working week. A majority of the board should have meaningful Malta presence, with at least one independent non-executive director carrying Maltese supervisory experience.

Only if the business model creates EMD2 scope. Firms that issue EMTs in-house, run prepaid-card programmes, or maintain on-platform fiat balances that constitute electronic money will need both. Pure crypto-asset exchange and custody businesses can typically operate on the CASP authorisation alone, provided fiat handling is via correspondent banking rather than e-money issuance.

• MiCA Compliance Guide for CASPs: authorisation, ongoing obligations and Article 60 / Article 65 mechanics for EEA crypto-asset service providers.

• EMI Licence Cyprus: CySEC EMI authorisation walkthrough — capital, governance, timelines, comparison points for founders weighing Malta vs Cyprus.

• EMI Licence Lithuania: the Bank of Lithuania EMI authorisation track, speed advantage and substance expectations.

• EEA vs UK vs Offshore Crypto Incorporation: the wider jurisdictional comparison framework — when EEA passporting beats offshore optionality.

• Regulatory Legal Opinions: independent legal opinions on MiCA classification, CASP scope and EMI overlay structuring.

The Malta dual-track is a window that closes on 1 July 2026. After that date, the regime simplifies into a single MiCA-only framework — and Malta's distinctive value will be the depth of MFSA's supervisory bench, not the legacy VFA framework. Firms choosing Malta in 2026 are choosing a supervisor with eight years of crypto-asset experience, a substance bar that filters out brass-plate operators, and an authorisation that — once granted — passports across the entire EEA.