---
title: "MiCA Compliance Guide for CASPs: Jurisdictions, Costs & Supplier Requirements (2026)"
slug: mica-compliance-guide-casps
publishedAt: 2026-04-25T09:00:00Z
author: Finconduit Editorial Team
tags: MiCA, CASP, ESMA
canonicalUrl: https://finconduit.com/resources/mica-compliance-guide-casps
---
# MiCA Compliance Guide for CASPs: Jurisdictions, Costs & Supplier Requirements (2026)

Complete guide to MiCA CASP licensing in 2026 — EU jurisdiction comparison, capital requirements, barriers of entry, and MiCA-approved supplier requirements for liquidity, KYC, KYT, and Travel Rule.

**MiCA** is no longer a future event. The [Markets in Crypto\-Assets Regulation](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) has been fully applicable to **Crypto\-Asset Service Provider**s since **30 December 2024**, and the **transitional period** that allowed legacy **VASP**s to keep operating expires for most member states between **1 July 2026** and 30 December 2026. If you provide any of the eight regulated **crypto\-asset service**s to EEA residents — exchange, custody, execution, advice, portfolio management, transfer, placement, or operating a trading platform — you need a **CASP authorisation** in hand, or a **passport**ed one from another EEA **national competent authority**.[^1]

The good news: a single **CASP licence** **passport**s across all 30 EEA member states. The hard part: regulators have stopped accepting thin applications. **Bank of Lithuania**, **Central Bank of Ireland**, **BaFin**, **CySEC** and **MFSA** are all asking for **substance** — real local directors, a fully scoped **Programme of Operations**, a written **AML/CTF programme**, **ICT risk management** aligned with **DORA**, and **prudential capital** actually segregated and held.

This guide walks through what **MiCA** actually requires, the three **CASP licence** classes and capital thresholds, jurisdiction\-by\-jurisdiction differences in authorisation timelines and cost, the supplier stack you need to operate \([Travel Rule](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html) provider, **blockchain analytics**, **KYC**/**KYB**, custody, sanctions screening\), and the most common reasons **authorisation file**s get rejected or stalled.[^2]

## What **MiCA** Actually Regulates

**MiCA** splits the crypto universe into three asset categories — Asset\-Referenced Tokens \(**ART**\), E\-Money Tokens \(**EMT**\), and other crypto\-assets — and licences eight services around them. Issuers of **ART** and **EMT** face their own authorisation regime; the **CASP** regime applies to anyone providing services on those assets to third parties.

The eight regulated **CASP** services under the Markets in Crypto\-Assets Regulation are: custody and administration of crypto\-assets, operation of a trading platform, exchange of crypto\-assets for funds or other crypto\-assets, execution of orders, placement, reception and transmission of orders, providing advice, and portfolio management. If your activity touches any of these on behalf of clients in the EEA, the **CASP** perimeter applies — including pure software wallets that take custody of private keys.

> **Warning:** Reverse solicitation is a narrow exemption, not a workaround. Any active marketing into the EEA — paid ads, affiliate referrals, EU\-language support, or app\-store listings targeting EEA storefronts — pulls you into MiCA scope regardless of where the entity is incorporated. Do not rely on reverse solicitation as a market\-access strategy.

## The **CASP** Licence Classes & Capital

**MiCA** [Article 67](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) sets **prudential capital** floors \(Annex IV\) by class of service. The figure that actually applies is the higher of the class floor and one quarter of the prior year's fixed overheads — the **fixed overhead requirement**. Below those minimums you are not capitalised.[^3]


*Table: MiCA CASP prudential capital by class \(Annex IV\).*

| Class | Services covered | Min. own funds | Notes |
| --- | --- | --- | --- |
| Class 1 | Reception/transmission, advice, portfolio management, placement | €50,000 | Lowest\-risk activities; no client custody |
| Class 2 | All Class 1 services \+ execution, exchange, transfer | €125,000 | Adds principal and agent risk |
| Class 3 | All Class 2 services \+ custody, operating a trading platform | €150,000 | Highest\-risk; full custody \+ matching |
| FOR test | Fixed overhead requirement \(all classes\) | 25% of prior year fixed overheads | Applies if it exceeds the class floor |

In practice, every operating exchange or custodian needs Class 3 capital plus a meaningful FOR cushion — so **€150,000** is the floor, but mid\-sized **CASP**s typically hold **€350,000**–**€750,000** in segregated **own funds** to satisfy supervisory expectations on solvency through stress.

## Authorisation Process — What Regulators Require

**MiCA** [Article 59](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) requires every **CASP** to be authorised before providing services in the Union. The **authorisation file** is detailed and standardised across **NCA**s, but the depth of evidence that satisfies each regulator differs materially. Below are the five workstreams every applicant must complete.[^4]

### 1. **Programme of Operations**

A 50–120 page narrative description of every service you will provide, the client journey end\-to\-end, target geographies, expected volumes, the technology architecture, the order\-routing and execution logic, the custody model \(hot/warm/cold split\), conflicts of interest, complaints handling, and how each service maps to the **MiCA** service definitions. Regulators read this first; if it is generic, the rest of the file is read sceptically.

### 2. Governance & Fit\-and\-Proper

**MiCA** [Article 68](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) requires sound governance arrangements proportionate to the nature, scale, and complexity of the **CASP**. In practice: a board with at least one EEA\-resident executive director, independent risk and compliance functions reporting to the board, a clear three\-lines\-of\-defence model, **fit\-and\-proper** assessments of all **key function holders** \(CEO, CFO, CRO, **MLRO**, Head of Custody, Head of IT\), and approved deputies for every regulated function. **Lithuania** and **Cyprus** have both rejected applications where directors were resident outside the jurisdiction.[^5]

### 3. **AML**/**CTF** Programme

A complete **AML/CTF programme** aligned with the [EBA Guidelines](https://www.eba.europa.eu/) on ML/TF risk and the [Sixth Anti\-Money Laundering Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673): a written ML/TF risk assessment, customer due diligence procedures, enhanced due diligence triggers, sanctions and **PEP** screening at onboarding and ongoing, **transaction monitoring** rules with documented thresholds, suspicious activity reporting workflow into the national FIU, **MLRO** appointment with regulatory approval, and a **Travel Rule** policy for transfers above €1,000.[^6][^7]

### 4. **ICT** Risk Management & Operational Resilience

From 17 January 2025 the [Digital Operational Resilience Act](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554) applies to every **CASP**. The **authorisation file** must document: **ICT risk management** framework, third\-party risk register for **ICT** providers, business continuity plan with annual testing, incident classification and reporting \(major incidents reportable within hours\), threat\-led penetration testing on a 3\-year cycle for significant **CASP**s, and exit strategies from critical **ICT** third parties.[^8]

### 5. Prudential Capital & Client Asset Safeguarding

Own funds must be held in cash or HQLA \(High\-Quality Liquid Assets\) and segregated from operating accounts. Client crypto\-assets held in custody must be segregated on\-chain from **CASP** proprietary assets, with attestations from the custody provider \(or, for self\-custody **CASP**s, audit\-grade evidence of segregation\). Lost or compromised client assets trigger **CASP** liability under **MiCA** Article 75 — this is one of the most heavily\-tested points during supervisory inspections.

## Jurisdiction Comparison for **CASP** Licensing

Every EEA **national competent authority** issues the same **MiCA CASP** licence, and every licence **passport**s across the EEA — but timelines, ongoing cost, and supervisory style differ markedly. The table below compares the five most common **CASP** jurisdictions for foreign applicants.


*Table: Comparison of EEA jurisdictions issuing MiCA CASP authorisations \(2026\).*

| Jurisdiction | Regulator | Typical timeline | Local director req. | Annual supervisory fee | Notes |
| --- | --- | --- | --- | --- | --- |
| Lithuania | Bank of Lithuania | 6–12 months | ≥2 EEA\-resident directors; one ordinarily resident in LT | €10,000–€25,000 | Fastest serious EEA regulator; EMI \+ CASP combo possible |
| Cyprus | CySEC | 9–14 months | ≥2 directors, local compliance officer pre\-approved | €7,500–€20,000 | CIF dual\-licensing \+ IP Box regime |
| Ireland | Central Bank of Ireland | 12–18 months | ≥2 INED directors; head of compliance based in IE | €20,000–€50,000 | Demanding but predictable; US investor\-friendly |
| Germany | BaFin | 12–24 months | ≥2 directors with KWG fit\-and\-proper review | €25,000–€60,000 | Most demanding; institutional credibility |
| Malta | MFSA | 9–18 months | ≥2 directors, MLRO MFSA\-approved | €8,000–€22,000 | 5% effective tax via dividend refund; legacy VFA route closing |

> **Note:** Lithuania remains the volume entry point — the Bank of Lithuania has authorised more EMI and CASP combinations than any other EEA NCA, with documented timelines and a published applicant guide. Choose Lithuania if speed matters; choose Cyprus or Malta if tax structure matters; choose Ireland or Germany if institutional counterparties matter.

## Costs — One\-off and Ongoing

Budget for authorisation in two phases. Phase 1 — pre\-authorisation — is one\-off and front\-loaded: legal fees for the **Programme of Operations** and **AML** programme \(**€80,000–€200,000**\), application fees \(€5,000–€25,000 depending on **NCA**\), recruitment and relocation of local directors and the **MLRO** \(**€100,000–€250,000** in salary plus bonuses for the first year\), and translation/notarisation of corporate documents \(€10,000–€30,000\).

Phase 2 — ongoing — is what determines the total cost of ownership. Annual supervisory fees \(see table above\), audit \(€40,000–€90,000\), **Travel Rule** subscription \(€20,000–€60,000\), **blockchain analytics** \(€60,000–€180,000\), **KYC**/**KYB** tooling \(€30,000–€90,000\), custody fees on client assets \(basis points on AUC\), and ongoing legal/compliance retainers \(**€50,000**–**€150,000**\). A mid\-sized **CASP** runs €400,000–€900,000/year in regulatory operating cost before headcount above the regulated functions.

## Supplier Requirements — Tooling You Will Need

**MiCA** does not mandate specific vendors, but the supervisory inspection checklist effectively does. Below is the minimum stack regulators expect to see in operational tests.

- **Travel Rule** provider — required for crypto\-asset transfers ≥ €1,000. Notabene, Sumsub **Travel Rule**, Sygna, and Veriscope are the most\-deployed across EEA **CASP**s.

- Blockchain analytics — for source\-of\-funds checks, sanctions screening on inbound deposits, and risk scoring of counterparty addresses. Chainalysis, Elliptic, and TRM Labs are the dominant providers.

- **KYC**/**KYB** — identity verification and corporate onboarding with **EDD** workflows. Sumsub, Onfido, Veriff and Jumio are the most common; expect to layer document verification, biometric liveness, and **PEP**/sanctions screening.

- Custody — qualified custodians \(Fireblocks, BitGo, Anchorage Digital, Komainu\) or self\-custody with hardware security modules and a documented key ceremony. Self\-custody requires SOC 2 Type II reports and an annual cryptographic audit.

- Sanctions & **PEP** screening — real\-time screening at onboarding plus ongoing monitoring against EU consolidated list, OFAC SDN, UN sanctions, and adverse media. ComplyAdvantage, Refinitiv World\-Check, and LexisNexis Bridger are typical.

- Transaction monitoring — rules engine with documented thresholds, structuring detection, and SAR generation. Built in\-house for large **CASP**s; off\-the\-shelf via Hummingbird, Sardine, or vendor\-bundled into **KYC** platforms.

## Timeline — From Decision to Authorisation

Plan 9–18 months from board decision to operational launch under a **CASP licence** in a fast jurisdiction. The clock is dominated by **NCA** review iterations, not by your drafting speed.


*Table: Indicative authorisation timeline for a Lithuanian CASP applicant \(2026\).*

| Phase | Duration | Outputs |
| --- | --- | --- |
| Pre\-application — entity setup, hiring, drafting | 2–4 months | Lithuanian UAB incorporated, directors hired, Programme of Operations drafted |
| Authorisation file submission | Day 0 | Complete file lodged with Bank of Lithuania |
| Completeness check | Up to 25 working days | NCA confirms file is complete or requests gaps |
| Substantive review \(Round 1\) | 60–90 days | First written feedback; typical 30–80 questions |
| Iterative Q&A | 60–120 days | 2–4 rounds of follow\-up; site inspection in some cases |
| Decision | Within 40 working days of complete review | Licence granted, refused, or granted with conditions |
| Operational readiness | 30–60 days | ICT/AML go\-live tests, opening of safeguarding accounts, board approvals |

## Common Authorisation Pitfalls

- Generic **Programme of Operations** copied from a template — regulators recognise these instantly and the file is downgraded to high\-scrutiny review.

- Non\-resident directors. **MiCA** Article 68 requires real EEA residence — flying in monthly does not satisfy the **substance** test in **Lithuania**, **Cyprus** or **Ireland**.

- **AML** programme that omits crypto\-specific typologies — mixers, privacy coins, peel chains, NFT wash trading — and treats crypto as if it were card payments.

- **Travel Rule** scoping that excludes self\-hosted wallet transfers. **NCA**s increasingly expect attestation procedures for outbound transfers to non\-custodial wallets.

- Capital that is held but not segregated. Own funds in the same account as operating cash will fail the Article 67 check on first inspection.

- Outsourcing critical functions without a written contract that meets **DORA** Article 30 requirements \(audit rights, exit plan, sub\-outsourcing controls\).

## Frequently Asked Questions

### How long does **CASP authorisation** take in 2026?

**6–12 months** in **Lithuania**, **9–14 months** in **Cyprus**, 9–18 months in **Malta**, **12–18 months** in **Ireland**, **12–24 months** in **Germany**. The clock starts on a complete file — incomplete files sit in completeness\-check limbo. Plan 9–18 months end\-to\-end including pre\-application work, and budget for 2–4 rounds of supervisory questions before a decision.

### Can I keep operating under my old **VASP** registration?

Only inside the **transitional period** and only in jurisdictions that opted into the maximum 18\-month **grandfathering** window. The **transitional period** ends between **1 July 2026** and 30 December 2026 across member states. After that, every **CASP** needs a fresh **MiCA** authorisation. National pre\-**MiCA** registrations do not auto\-convert — you must submit a full **MiCA** file. Several **NCA**s \(**Germany**, Netherlands\) opted for shorter transitional windows.

### What is the cheapest jurisdiction for a **CASP licence**?

**Lithuania** has the lowest combined application \+ first\-year supervisory fee burden \(\~€20,000–€40,000\) and the deepest pool of compliance contractors. **Cyprus** and **Malta** are close on direct fees but slower. **Germany** and **Ireland** are 2–3× the cost of **Lithuania** across legal, supervisory and salary lines, but provide stronger institutional credibility.

### Do I need a **Travel Rule** provider before authorisation?

Yes. The **authorisation file** must evidence operational **Travel Rule** capability — the **NCA** will not accept 'we will procure on day one'. Sign a contract, complete onboarding, and include integration evidence in the application. The **Travel Rule** applies to crypto\-asset transfers above €1,000 under the Transfer of Funds Regulation.

### Does **MiCA** apply to DeFi protocols?

**MiCA** Recital 22 carves out fully decentralised services from scope, but the bar is high: the protocol must operate without any identifiable intermediary in control of governance, treasury, or upgrade keys. Most live 'DeFi' protocols today have a foundation, multi\-sig, or DAO with material control — and [ESMA](https://www.esma.europa.eu/) has signalled that those projects fall inside scope. Treat DeFi\-out\-of\-scope as the exception, not the rule.[^9]

### What capital do I really need to hold?

The higher of the Class floor \(**€50,000** / **€125,000** / **€150,000**\) and 25% of prior year fixed overheads. For a Class 3 **CASP** with **€1.5 million** in annual operating costs, that is €375,000 — well above the floor. Hold it in cash or HQLA, in a segregated account, with a quarterly attestation to your **NCA**.

**MiCA** is the most consequential European fintech regulation since **PSD2** — and like **PSD2**, the firms that get authorisation early gain a **passporting** moat that latecomers spend years catching up to. The technical work is large but tractable: hire a serious local executive team, write a non\-generic **Programme of Operations**, build the supplier stack before you submit, and pick a jurisdiction whose supervisory style matches your operating model. Done well, a single **CASP licence** is the cheapest market access in fintech. Done badly, it is an 18\-month sunk cost.

## Related Guides

- [EEA vs UK vs Offshore: Where to Incorporate Your Crypto Business](/resources/eea-uk-offshore-crypto-incorporation): How **MiCA** **passporting** compares with UK **FCA** and Singapore / UAE alternatives

- [EMI vs PSP vs VASP vs CASP](/resources/emi-psp-vasp-licence-comparison): Which financial licence do you actually need?

- [How to Get a Bank Account for a VASP or CASP](/resources/bank-account-vasp-casp): The 2026 banking playbook for regulated crypto firms

- [AML Compliance for Crypto Firms](/resources/aml-compliance-crypto-6amld): What the **6AMLD** requires from **CASP**s and **VASP**s

- [MiCA Reverse Solicitation: When Can Offshore Firms Serve EU Clients?](/resources/mica-reverse-solicitation-offshore) — the defence, the limits, and what ESMA's December 2024 statement closed off.

- [EMT Issuance Under MiCA Title III](/resources/emt-issuance-mica-title-iii-2026) — stablecoin issuance pathway under Articles 48–58.

- [Stablecoin Issuer Banking Architecture: Reserve, Operating, Redemption Rails](/resources/stablecoin-issuer-banking-architecture-emt) — the three\-account banking stack under MiCA Art. 36–38.

- [DORA Implementation Playbook for CASPs](/resources/dora-implementation-playbook-casps) — the ICT\-risk and third\-party rules every CASP must operationalise.

- [MiCA Class 3 Exchange Playbook](/resources/mica-class3-exchange-playbook) — the full Class 3 authorisation walkthrough for crypto exchanges.

- [Significant CASP: The ESMA Threshold and What Triggers Direct Supervision](/resources/significant-casp-esma-threshold) — the EBA significance test and its downstream supervisory implications.

- [Malta MFSA CASP / EMI Authorisation](/resources/malta-mfsa-casp-emi-authorisation) — the MFSA route for combined CASP \+ EMI authorisation.

- [AMLR / AMLA and the CASP: What Changes by 2027](/resources/amlr-amla-casp-2027) — what AMLA selection and the AMLR mean for CASP supervision.

- [VAT on Crypto\-Asset Services in the EU \(2026\)](/resources/vat-crypto-asset-services-eu) — how EU VAT treatment applies to crypto\-asset services under MiCA\-era classifications.

- [PSD2 vs MiCA: The Decision Matrix Every Regulated Fintech Needs in 2026](/resources/psd2-vs-mica-decision-matrix) — the practitioner test that separates a MiCA\-only path from a dual\-licensure path.

- [Liechtenstein TVTG: The EEA's Hidden Crypto Passport](/resources/liechtenstein-tvtg-crypto-licence) — the parallel\-track EEA crypto licence that predates MiCA and runs alongside it.

- [Switzerland's FINMA DLT Act](/resources/switzerland-finma-dlt-licence) — the non\-EU comparator with full settlement\-venue recognition that MiCA does not offer.

- [Germany BaFin Crypto Licensing](/resources/germany-bafin-crypto-licence) — how BaFin authorises CASPs under MiCA, and what makes the German route distinct.

- [The MiCA Crypto\-Asset White Paper](/resources/mica-white-paper-requirements) — the disclosure document required to offer or admit crypto\-assets to trading under MiCA.

- [The Cost of a Crypto Licence in Europe \(2026 Benchmark\)](/resources/cost-of-crypto-licence-europe-2026) — what MiCA authorisation actually costs across leading EU jurisdictions, broken down by line item.

## Footnotes

[^1]: Regulation \(EU\) 2023/1114 of the European Parliament and of the Council on markets in crypto\-assets \(MiCA\), OJ L 150, 9.6.2023. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^2]: FATF, Updated Guidance for a Risk\-Based Approach to Virtual Assets and Virtual Asset Service Providers \(Recommendation 16 / Travel Rule\), October 2021. <https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html>
[^3]: MiCA Article 67 — Prudential requirements for crypto\-asset service providers \(Annex IV\). <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^4]: MiCA Article 59 — Authorisation requirement for crypto\-asset service providers. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^5]: MiCA Article 68 — Governance arrangements for crypto\-asset service providers. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^6]: EBA Guidelines on the management of money laundering and terrorist financing risks \(EBA/GL/2021/02\). <https://www.eba.europa.eu/>
[^7]: Directive \(EU\) 2018/1673 on combating money laundering by criminal law \(6AMLD\). <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673>
[^8]: Regulation \(EU\) 2022/2554 \(DORA\) on digital operational resilience for the financial sector, applicable from 17 January 2025. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554>
[^9]: ESMA, Technical Standards under MiCA \(RTS and ITS adopted under Articles 60–69\). <https://www.esma.europa.eu/>


