MiCA Compliance Guide for CASPs: Jurisdictions, Costs & Supplier Requirements (2026)

MiCA is no longer a future event. The Markets in Crypto-Assets Regulation has been fully applicable to Crypto-Asset Service Providers since 30 December 2024, and the transitional period that allowed legacy VASPs to keep operating expires for most member states between 1 July 2026 and 30 December 2026. If you provide any of the eight regulated crypto-asset services to EEA residents — exchange, custody, execution, advice, portfolio management, transfer, placement, or operating a trading platform — you need a CASP authorisation in hand, or a passported one from another EEA national competent authority.¹^[1]

The good news: a single CASP licence passports across all 30 EEA member states. The hard part: regulators have stopped accepting thin applications. Bank of Lithuania, Central Bank of Ireland, BaFin, CySEC and MFSA are all asking for substance — real local directors, a fully scoped Programme of Operations, a written AML/CTF programme, ICT risk management aligned with DORA, and prudential capital actually segregated and held.

This guide walks through what MiCA actually requires, the three CASP licence classes and capital thresholds, jurisdiction-by-jurisdiction differences in authorisation timelines and cost, the supplier stack you need to operate (Travel Rule provider, blockchain analytics, KYC/KYB, custody, sanctions screening), and the most common reasons authorisation files get rejected or stalled.⁶^[2]

MiCA splits the crypto universe into three asset categories — Asset-Referenced Tokens (ART), E-Money Tokens (EMT), and other crypto-assets — and licences eight services around them. Issuers of ART and EMT face their own authorisation regime; the CASP regime applies to anyone providing services on those assets to third parties.

The eight regulated CASP services under the Markets in Crypto-Assets Regulation are: custody and administration of crypto-assets, operation of a trading platform, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placement, reception and transmission of orders, providing advice, and portfolio management. If your activity touches any of these on behalf of clients in the EEA, the CASP perimeter applies — including pure software wallets that take custody of private keys.

MiCA Article 67 sets prudential capital floors (Annex IV) by class of service. The figure that actually applies is the higher of the class floor and one quarter of the prior year's fixed overheads — the fixed overhead requirement. Below those minimums you are not capitalised.³^[3]

In practice, every operating exchange or custodian needs Class 3 capital plus a meaningful FOR cushion — so €150,000 is the floor, but mid-sized CASPs typically hold €350,000–€750,000 in segregated own funds to satisfy supervisory expectations on solvency through stress.

MiCA Article 59 requires every CASP to be authorised before providing services in the Union. The authorisation file is detailed and standardised across NCAs, but the depth of evidence that satisfies each regulator differs materially. Below are the five workstreams every applicant must complete.²^[4]

A 50–120 page narrative description of every service you will provide, the client journey end-to-end, target geographies, expected volumes, the technology architecture, the order-routing and execution logic, the custody model (hot/warm/cold split), conflicts of interest, complaints handling, and how each service maps to the MiCA service definitions. Regulators read this first; if it is generic, the rest of the file is read sceptically.

MiCA Article 68 requires sound governance arrangements proportionate to the nature, scale, and complexity of the CASP. In practice: a board with at least one EEA-resident executive director, independent risk and compliance functions reporting to the board, a clear three-lines-of-defence model, fit-and-proper assessments of all key function holders (CEO, CFO, CRO, MLRO, Head of Custody, Head of IT), and approved deputies for every regulated function. Lithuania and Cyprus have both rejected applications where directors were resident outside the jurisdiction.⁴^[5]

A complete AML/CTF programme aligned with the EBA Guidelines on ML/TF risk and the Sixth Anti-Money Laundering Directive: a written ML/TF risk assessment, customer due diligence procedures, enhanced due diligence triggers, sanctions and PEP screening at onboarding and ongoing, transaction monitoring rules with documented thresholds, suspicious activity reporting workflow into the national FIU, MLRO appointment with regulatory approval, and a Travel Rule policy for transfers above €1,000.⁷^[6]⁹^[7]

From 17 January 2025 the Digital Operational Resilience Act applies to every CASP. The authorisation file must document: ICT risk management framework, third-party risk register for ICT providers, business continuity plan with annual testing, incident classification and reporting (major incidents reportable within hours), threat-led penetration testing on a 3-year cycle for significant CASPs, and exit strategies from critical ICT third parties.⁵^[8]

Own funds must be held in cash or HQLA (High-Quality Liquid Assets) and segregated from operating accounts. Client crypto-assets held in custody must be segregated on-chain from CASP proprietary assets, with attestations from the custody provider (or, for self-custody CASPs, audit-grade evidence of segregation). Lost or compromised client assets trigger CASP liability under MiCA Article 75 — this is one of the most heavily-tested points during supervisory inspections.

Every EEA national competent authority issues the same MiCA CASP licence, and every licence passports across the EEA — but timelines, ongoing cost, and supervisory style differ markedly. The table below compares the five most common CASP jurisdictions for foreign applicants.

Budget for authorisation in two phases. Phase 1 — pre-authorisation — is one-off and front-loaded: legal fees for the Programme of Operations and AML programme (€80,000–€200,000), application fees (€5,000–€25,000 depending on NCA), recruitment and relocation of local directors and the MLRO (€100,000–€250,000 in salary plus bonuses for the first year), and translation/notarisation of corporate documents (€10,000–€30,000).

Phase 2 — ongoing — is what determines the total cost of ownership. Annual supervisory fees (see table above), audit (€40,000–€90,000), Travel Rule subscription (€20,000–€60,000), blockchain analytics (€60,000–€180,000), KYC/KYB tooling (€30,000–€90,000), custody fees on client assets (basis points on AUC), and ongoing legal/compliance retainers (€50,000–€150,000). A mid-sized CASP runs €400,000–€900,000/year in regulatory operating cost before headcount above the regulated functions.

MiCA does not mandate specific vendors, but the supervisory inspection checklist effectively does. Below is the minimum stack regulators expect to see in operational tests.

• Travel Rule provider — required for crypto-asset transfers ≥ €1,000. Notabene, Sumsub Travel Rule, Sygna, and Veriscope are the most-deployed across EEA CASPs.

• Blockchain analytics — for source-of-funds checks, sanctions screening on inbound deposits, and risk scoring of counterparty addresses. Chainalysis, Elliptic, and TRM Labs are the dominant providers.

• KYC/KYB — identity verification and corporate onboarding with EDD workflows. Sumsub, Onfido, Veriff and Jumio are the most common; expect to layer document verification, biometric liveness, and PEP/sanctions screening.

• Custody — qualified custodians (Fireblocks, BitGo, Anchorage Digital, Komainu) or self-custody with hardware security modules and a documented key ceremony. Self-custody requires SOC 2 Type II reports and an annual cryptographic audit.

• Sanctions & PEP screening — real-time screening at onboarding plus ongoing monitoring against EU consolidated list, OFAC SDN, UN sanctions, and adverse media. ComplyAdvantage, Refinitiv World-Check, and LexisNexis Bridger are typical.

• Transaction monitoring — rules engine with documented thresholds, structuring detection, and SAR generation. Built in-house for large CASPs; off-the-shelf via Hummingbird, Sardine, or vendor-bundled into KYC platforms.

Plan 9–18 months from board decision to operational launch under a CASP licence in a fast jurisdiction. The clock is dominated by NCA review iterations, not by your drafting speed.

• Generic Programme of Operations copied from a template — regulators recognise these instantly and the file is downgraded to high-scrutiny review.

• Non-resident directors. MiCA Article 68 requires real EEA residence — flying in monthly does not satisfy the substance test in Lithuania, Cyprus or Ireland.

• AML programme that omits crypto-specific typologies — mixers, privacy coins, peel chains, NFT wash trading — and treats crypto as if it were card payments.

• Travel Rule scoping that excludes self-hosted wallet transfers. NCAs increasingly expect attestation procedures for outbound transfers to non-custodial wallets.

• Capital that is held but not segregated. Own funds in the same account as operating cash will fail the Article 67 check on first inspection.

• Outsourcing critical functions without a written contract that meets DORA Article 30 requirements (audit rights, exit plan, sub-outsourcing controls).

6–12 months in Lithuania, 9–14 months in Cyprus, 9–18 months in Malta, 12–18 months in Ireland, 12–24 months in Germany. The clock starts on a complete file — incomplete files sit in completeness-check limbo. Plan 9–18 months end-to-end including pre-application work, and budget for 2–4 rounds of supervisory questions before a decision.

Only inside the transitional period and only in jurisdictions that opted into the maximum 18-month grandfathering window. The transitional period ends between 1 July 2026 and 30 December 2026 across member states. After that, every CASP needs a fresh MiCA authorisation. National pre-MiCA registrations do not auto-convert — you must submit a full MiCA file. Several NCAs (Germany, Netherlands) opted for shorter transitional windows.

Lithuania has the lowest combined application + first-year supervisory fee burden (~€20,000–€40,000) and the deepest pool of compliance contractors. Cyprus and Malta are close on direct fees but slower. Germany and Ireland are 2–3× the cost of Lithuania across legal, supervisory and salary lines, but provide stronger institutional credibility.

Yes. The authorisation file must evidence operational Travel Rule capability — the NCA will not accept 'we will procure on day one'. Sign a contract, complete onboarding, and include integration evidence in the application. The Travel Rule applies to crypto-asset transfers above €1,000 under the Transfer of Funds Regulation.

MiCA Recital 22 carves out fully decentralised services from scope, but the bar is high: the protocol must operate without any identifiable intermediary in control of governance, treasury, or upgrade keys. Most live 'DeFi' protocols today have a foundation, multi-sig, or DAO with material control — and ESMA has signalled that those projects fall inside scope. Treat DeFi-out-of-scope as the exception, not the rule.⁸^[9]

The higher of the Class floor (€50,000 / €125,000 / €150,000) and 25% of prior year fixed overheads. For a Class 3 CASP with €1.5 million in annual operating costs, that is €375,000 — well above the floor. Hold it in cash or HQLA, in a segregated account, with a quarterly attestation to your NCA.

• EEA vs UK vs Offshore: Where to Incorporate Your Crypto Business: How MiCA passporting compares with UK FCA and Singapore / UAE alternatives

• EMI vs PSP vs VASP vs CASP: Which financial licence do you actually need?

• How to Get a Bank Account for a VASP or CASP: The 2026 banking playbook for regulated crypto firms

• AML Compliance for Crypto Firms: What the 6AMLD requires from CASPs and VASPs

MiCA is the most consequential European fintech regulation since PSD2 — and like PSD2, the firms that get authorisation early gain a passporting moat that latecomers spend years catching up to. The technical work is large but tractable: hire a serious local executive team, write a non-generic Programme of Operations, build the supplier stack before you submit, and pick a jurisdiction whose supervisory style matches your operating model. Done well, a single CASP licence is the cheapest market access in fintech. Done badly, it is an 18-month sunk cost.