The crypto landscape has matured. Running a regulated CASP, EMI or PI in 2026 now looks far more like running a small MiFID-regulated investment firm than running a 2019-era web3 VASP. The licence file, the senior-management bench, the governance paper trail and the inspection posture have all converged on a standard set by MiFID II a decade earlier.

We call the bar that a regulated crypto firm must clear in 2026 the Qualifications Threshold — the personnel-and-substance test that MiCA, EMD2, PSD2, AMLR and DORA collectively impose on the founder, the executive bench, the MLRO, the compliance officer, the CTO/CISO, the risk function and the non-executive directors. Most founders coming from a tech / web3 background do not see this coming — and the gap between what they bring and what authorisation requires is the single most common reason files stall mid-application.

This article codifies the Threshold role by role, places it next to the small MiFID investment firm to show how far it has moved, names the offshore exception (Cayman, BVI, Seychelles, Bermuda, Mauritius) where the bar is materially lower at the price of downstream banking and tax friction, and ends with a three-pathway decision framework: upskill, offshore, or step back from authorisation entirely.

Why the bar converged with MiFID

Three structural drivers explain the convergence. First, regulator hardening post-2022: the collapse of FTX, Celsius, Three Arrows and the wider 2022 cohort recalibrated supervisory tolerance across the EEA, UK, MENA and APAC. National competent authorities now treat founder track record and senior-management seasoning as a primary risk-mitigant, not a tick-box.

Second, MiCA was drafted deliberately in the image of MiFID II. Read Articles 68 and 69 of the Markets in Crypto-Assets Regulation side by side with Article 9 of MiFID II and the duplication is intentional — same vocabulary, same fit-and-proper architecture, same prior-assessment workflow for management body members and qualifying shareholders.[1]

Third, the supervisory perimeter itself has consolidated. AMLA in Frankfurt now sits over national AML supervisors. ESMA and EBA jointly issue the suitability guidance that NCAs are expected to apply. The result is a single de facto European standard that the Bank of Lithuania, MFSA, CySEC, BaFin and the Central Bank of Ireland are now broadly aligned on — and that standard is the small MiFID investment firm bar.

What "fit and proper" actually means in 2026

MiCA Article 68 and the joint EBA/ESMA suitability guidelines

Article 68 of MiCA requires that members of the management body of a CASP be of sufficient good repute and possess adequate knowledge, skills and experience — individually and collectively — to perform their duties. The competent authority must be notified in advance of any proposed appointment and may oppose it. The operative standard the NCA actually applies is the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body (EBA/GL/2021/06).[2]

In practice this means each named individual must produce a personal questionnaire (CV, criminal record certificate, declarations on conflicts, other directorships, time commitment), and the firm must produce a collective suitability matrix mapping the management body's coverage of: regulated-firm experience, AML/CFT, ICT and cyber risk, capital markets and securities, accounting and audit, and the relevant crypto-asset business model. Gaps in the matrix are gaps in the application.

Article 69 then extends the same prior-assessment logic to shareholders or members holding a qualifying holding (10% or more of the capital or voting rights, or significant influence). A founder who controls the cap table is therefore inside the assessment perimeter twice — once as an executive and once as a qualifying shareholder.

AMLR Article 10 — the MLRO seniority requirement

The EU Anti-Money Laundering Regulation has elevated the MLRO function from a tick-box appointment to a named senior officer with explicit statutory powers. Article 10 requires firms to appoint a compliance officer at management-body level responsible for AML/CFT, supported by an MLRO with direct reporting access to the board, sufficient resources, documented independence, and prior senior AML experience proportionate to the firm's risk profile.[3]

Reading the Threshold literally: a 28-year-old crypto-native who was "the compliance person" at a 2021 exchange is not a Tier-1 NCA MLRO candidate in 2026. NCAs expect a candidate who has personally signed SARs, run an EDD desk, owned a sanctions framework and survived at least one supervisory examination. We cover the hiring market in detail in our CASP MLRO hiring guide.

DORA Article 5 — ICT governance is non-delegable

Article 5 of DORA makes the ICT risk management framework the responsibility of the management body itself — it is explicitly non-delegable. Board members must approve, periodically review and demonstrate effective oversight of the ICT framework, the third-party ICT register, the resilience testing programme and the incident-reporting workflow.[4]

The collateral consequence is that a board with zero ICT-literate members will fail the Threshold. An NCA cannot accept a management body that is structurally incapable of discharging a statutory duty. In practice this is forcing one of three responses: a CTO/CISO promoted to the management body, an executive director with ICT seasoning, or a non-executive director with technology-risk credentials.

The roles-and-qualifications matrix

CEO and executive management

The CEO is the visible personification of the firm to the NCA. Expectations: 10+ years in regulated financial services (or a demonstrably equivalent track record); prior P&L responsibility over a comparable business; no adverse regulatory findings in any jurisdiction; and the time commitment to actually run the firm (not a portfolio of board seats). The common founder gap: tech CEO has never been the named regulated-firm head.

MLRO

The MLRO is the single role that NCAs scrutinise hardest in 2026. Expectations: 7+ years in AML / financial-crime at a regulated firm; senior recent experience (head-of-AML, deputy MLRO or equivalent); demonstrable independence from commercial pressure; resident in the licensing jurisdiction (this is now a hard 2026 Substance Bar requirement at most EU NCAs); and recognised AML qualifications (ICA / ACAMS / national equivalent). Common founder gap: a junior in-house compliance hire passed off as the MLRO.

Compliance Officer

Distinct from the MLRO. The Compliance Officer owns the broader conduct, prudential, MiCA Title II/III/IV, market abuse and consumer-protection perimeter. Expectations: 5+ years compliance experience in a regulated firm of comparable risk profile; demonstrated familiarity with the relevant regulatory regime (MiCA / EMD2 / PSD2); direct line to the board; and the authority to escalate. Common founder gap: trying to combine MLRO + Compliance Officer in one underqualified person.

CTO / CISO

Under DORA the technology bench is no longer a backroom function. Expectations: a named CISO with information-security seasoning (CISSP / equivalent), responsibility for the ICT risk register, the third-party-ICT register, the resilience testing programme (including TLPT for significant firms), and a documented incident-classification policy. Common founder gap: an excellent product CTO with no information-security qualifications and no board representation.

Risk function

MiCA and EMD2 both require a risk management function independent of revenue-generating activity. For a Class 3 CASP this is non-negotiable; for a smaller Class 1 firm a documented proportionality argument is sometimes accepted, but the function must still exist on paper and in fact. Expectations: named Head of Risk, documented risk appetite, board-approved risk policy, operational and prudential KRIs reported quarterly. Common founder gap: no separation between first and second line.

Non-executive directors

NCAs now expect the management body to include at least one and usually two independent NEDs. The NED bench is where the firm fills the collective suitability matrix it cannot fill with founders alone — typically one regulated-firm veteran (ex-CEO of a payments or banking institution) and one technology / ICT risk specialist. The NEDs must commit real time (typically 20–30 days per year for a CASP) and must demonstrate independence. Common founder gap: a vanity NED bench of friendly investors who cannot demonstrate independence.

Roles-and-qualifications matrix — what each named individual must clear under the 2026 Qualifications Threshold.

| Role | Regulatory anchor | Qualifications expected | Common founder gap |
|---|---|---|---|
| CEO / executive management | MiCA Art. 68; EMD2 Art. 3; PSD2 Art. 11 | 10+ years regulated FS; prior P&L; clean regulatory record; full-time commitment | Tech CEO has never been the named regulated-firm head |
| MLRO | AMLR Art. 10; EBA/GL/2021/06 | 7+ years AML at regulated firm; senior recent experience; local residence; ICA/ACAMS | Junior in-house compliance hire passed off as MLRO |
| Compliance Officer | MiCA Art. 68; EBA Guidelines | 5+ years compliance; MiCA/EMD2/PSD2 fluency; direct line to board | Combined MLRO + CO in one underqualified person |
| CTO / CISO | DORA Art. 5–6; ICT risk RTS | CISO seasoning (CISSP or equivalent); ICT risk register ownership; resilience-testing programme | Product CTO with no infosec qualifications; no board representation |
| Head of Risk | MiCA Art. 68; EMD2 Art. 3 | Independent second-line risk function; documented risk appetite; quarterly KRI reporting | No separation between first and second line |
| Independent NEDs (1–2) | EBA/GL/2021/06; collective suitability matrix | Regulated-FS veteran + ICT-risk specialist; demonstrable independence; 20–30 days/year | Vanity NEDs from friendly investors; no independence |
| Qualifying shareholders (≥10%) | MiCA Art. 69 | Fit-and-proper assessment; source-of-funds evidence; UBO transparency | Crypto-native founder cap table with opaque UBO chains |

Small MiFID investment firm vs CASP in 2026 — the gap has materially narrowed

Place the two licences side by side and the convergence is unmistakable. The same fit-and-proper architecture, the same management-body suitability matrix, the same board-level ICT and AML responsibilities, the same prudential filing cadence. The remaining differences — capital floor, scope of regulated activity, client-money rules — are now narrower than the differences between two MiFID firms with different business models.

Small MiFID investment firm vs Class 3 CASP under 2026 expectations.

| Dimension | Small MiFID investment firm | Class 3 CASP (2026) |
|---|---|---|
| Authorising regime | MiFID II + IFR/IFD | MiCA Title V |
| Minimum own funds | €75k–€750k depending on services | €150,000 (MiCA Annex IV) |
| Management body fit-and-proper | MiFID II Art. 9 + EBA/GL/2021/06 | MiCA Art. 68 + EBA/GL/2021/06 (same guidelines) |
| Qualifying-holding assessment | MiFID II Art. 10–11 | MiCA Art. 69 (functionally identical) |
| MLRO regime | AMLR Art. 10 (post-2025) | AMLR Art. 10 (same) |
| ICT governance | DORA Art. 5 — board-level | DORA Art. 5 — board-level (identical) |
| Independent NEDs expected | 1–2 | 1–2 |
| Substance / local senior-management residence | Required at NCA discretion | Now broadly required (2026 Substance Bar) |
| Indicative authorisation timeline | 6–12 months | 6–12 months |
| Net founder-team uplift vs 2019 baseline | Modest | Material — closest analogue is the small MiFID firm |

The practical implication: a founder team that would pass for a small MiFID investment firm passes the CASP Threshold; one that would fail the MiFID bar will fail the CASP bar too. The 2026 Substance Bar and the inspection-readiness map are downstream consequences of the same convergence — same supervisory mindset applied at authorisation and at on-site inspection.

The offshore exception — Cayman, BVI, Seychelles, Bermuda, Mauritius

Offshore jurisdictions remain a partial exception to the Qualifications Threshold. Cayman under CIMA's VASP regime, BVI under the BVI FSC VASP Act, Seychelles under the FSA's 2024 VASP framework, Bermuda under the DABA, and Mauritius under the FSC's VAITOS Act all apply a meaningfully lower bar than MiCA — typically a one-MLRO, one-compliance-officer, locally-administered structure with a single fit-and-proper director.

The trade-off is not regulatory — it is downstream. We have written about the Offshore VASP Banking Spread: Cayman, BVI and Seychelles entities pay materially more for banking, are restricted to a smaller universe of crypto-friendly EMIs and correspondents, and face higher onboarding friction at every layer of the stack. The Threshold relief comes at a banking cost.

There is also a tax dimension. If the founder team is tax-resident in an EU or UK jurisdiction and continues to make the material decisions of an offshore-domiciled CASP from onshore, the entity is exposed to controlled-foreign-company attribution, place-of-effective-management re-characterisation and Pillar Two top-up tax. The paired piece — our CFC Map 2026 — works through the consequences jurisdiction by jurisdiction.

Self-assessment framework — what to diagnose before applying

Before any pre-application meeting with an NCA, a founder team should be able to answer the following in writing, with named individuals and supporting CVs:

  • CEO has prior regulated-firm executive seasoning (yes / no — if no, who is the proposed bridge appointment?).

  • MLRO has 7+ years AML at a regulated firm and is locally resident (yes / no — named candidate?).

  • Compliance Officer is distinct from the MLRO and senior (yes / no).

  • CISO has information-security credentials and named ownership of the ICT framework (yes / no).

  • Risk function is second-line and independent of revenue (yes / no).

  • Management body has 1–2 independent NEDs covering regulated-FS and ICT (yes / no).

  • Qualifying shareholders (≥10%) can evidence source of funds and clean UBO chain (yes / no).

Three or more "no" answers means the file is not application-ready — whatever the product or capital position. Fix the bench before approaching the NCA; remediating mid-application is more expensive and more visible than fixing it before submission.

Three pathways forward

(a) Upskill or hire to clear the Threshold

The most common pathway and, for any firm with ambition beyond a single offshore licence, the only durable pathway. Budget realistically: a senior MLRO in an EEA jurisdiction now costs €140–220k all-in; a regulated-FS-veteran independent NED typically €40–80k per year; a senior Compliance Officer €110–180k; a CISO with the right credentials €150–230k. Add a CEO bridge appointment if the founder cannot personally clear the Threshold and the total senior-management cost runs €500k–1.0m per year before bonus — a number that must be capital-planned alongside the MiCA Annex IV minimum own funds.

(b) Offshore with conscious downstream consequences

Viable if the customer base is genuinely non-EU and non-UK, the founder team accepts the Offshore VASP Banking Spread, and the corporate structure is engineered to defend against CFC and place-of-effective-management challenges. Not viable as a workaround for an EU founder team that wants to serve EU customers — that is the structure most likely to attract enforcement attention from both onshore tax authorities and the offshore regulator's own annual review.

(c) Reconsider authorisation entirely — the sponsor-stack route

If the Threshold genuinely cannot be cleared and offshoring does not fit the business, the third pathway is to ride a regulated sponsor's licence — BaaS for fiat, a licensed CASP for crypto rails, an Article 60 reverse-solicitation arrangement for non-EU clients. The trade-off is lower margin, less product latitude and dependency on the sponsor's risk appetite, but it is a legitimate strategic choice for a team that lacks the bench and capital to clear the Threshold on day one.

Frequently asked questions

Can a tech founder hire a senior MLRO and Compliance Officer and clear the Threshold?

Partially. A strong MLRO + Compliance Officer bench is necessary but not sufficient. MiCA Article 68 looks at the management body as a whole. If the CEO is the same tech founder with no prior regulated-firm experience, NCAs will require a regulated-FS-seasoned independent NED at minimum, and in many cases an executive-director bridge appointment for the first 24–36 months.

What if my CEO does not have regulated-firm experience?

Three options. Bring in a regulated-FS-seasoned executive chairman with formal authority; bring in a co-CEO with the right track record; or — in some NCAs — accept a formal undertaking that the founder will be coached and mentored by a named senior regulated-FS adviser for the first two years. Bare assertion that the founder "will learn on the job" is no longer accepted.

How does the Threshold differ between MiCA Class 1 and Class 3?

The architecture is identical — same fit-and-proper test, same AMLR Article 10 MLRO, same DORA Article 5 board responsibility. What changes is the depth of seniority each role must demonstrate. A Class 1 advice-only firm can defend a leaner bench under proportionality; a Class 3 custody / exchange firm cannot. The capital floor (€50k vs €150k) is a small fraction of the actual cost difference, which is driven almost entirely by senior-management hiring.

Does the Threshold change under PSD3?

PSD3 hardens it. The draft proposal sharpens management-body suitability, integrates AMLR Article 10 by reference, and strengthens the ICT governance overlap with DORA. An EMI or PI authorisation in 2027–2028 will require a bench that looks almost identical to a Class 3 CASP, further reducing the marginal difference between regulated crypto and regulated payments.

What is the most common Threshold failure point?

By a wide margin, the MLRO appointment. NCAs see crypto-native compliance hires who would be solid at a tech firm but cannot demonstrate the AML seasoning the AMLR demands. The second most common failure is the absence of any ICT-literate management-body member, which collides with DORA Article 5 on first read of the file.

The Qualifications Threshold is not a transient regulatory mood — it is the structural endpoint of a decade-long convergence between regulated crypto and the small MiFID investment firm. Founders who recognise this in 2026 will plan the bench, the NEDs, the MLRO appointment and the ICT governance before they file; those who do not will discover the Threshold mid-application, at the most expensive possible moment. If you are weighing whether your team clears it, we run a structured diagnostic as part of our regulatory legal opinions service, and the verdict is usually deliverable inside two weeks: the cost of finding out before you file is a small fraction of the cost of finding out after.

Footnotes & Citations

  1. Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA), OJ L 150, 9.6.2023, Articles 68 and 69.

  2. Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders (EBA/GL/2021/06), European Banking Authority.

  3. Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR), OJ L, 19.6.2024, Article 10 et seq.

  4. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), OJ L 333, 27.12.2022, Article 5 — ICT risk management framework.
