Crypto Asset Service Provider Licensing in the EU: A Practical Guide

Key Takeaways

• MiCA creates a single EU licence for Crypto‑Asset Service Providers (CASPs) that replaces 27 national regimes.
• Minimum capital ranges from €125,000 for custody services to €730,000 for trading platforms.
• At least one director must be resident in the EU member state that grants the licence.
• CASPs serving more than 15million EU users become "significant CASPs" and face extra supervision.
• Application times vary widely - from 6months in Germany to 11months in Estonia.

Want to sell crypto services across Europe without juggling 27 different licences? The EU’s Markets in Crypto‑Assets Regulation (MiCA) (Regulation (EU)2023/1114) makes that possible, but you still need a solid Crypto‑Asset Service Provider (CASP) licence. Below you’ll find a step‑by‑step roadmap, the numbers you have to meet, where the process slows down, and practical tips to keep your project on track.

Who Needs a CASP Licence?

MiCA defines a CASP as any legal person that offers one or more of the following services on a professional basis:

• Custody or administration of crypto‑assets for third parties.
• Operation of a crypto‑asset trading platform.
• Exchange services between crypto‑assets and fiat currencies.
• Execution of client orders, placement of crypto‑assets, or advisory services.

If your business does any of the above for EU residents, you fall under MiCA and must apply for authorisation from the National Competent Authority (NCA) of the member state where you intend to establish your registered office.

Core Licensing Requirements

MiCA packs a lot into a single licence. The most important boxes to tick are:

1. EU Registered Office: you need a legal address inside the EU.
2. Resident Director: at least one director must live in the state that grants the licence.
3. Minimum Operational Capital: see the table below for exact figures.
4. AML Compliance: align with the 6th AML Directive and the upcoming AML Authority (effective June2026).
5. Cyber‑security Standards: meet the NIS2 Directive requirements.
6. Environmental Impact Disclosure: quantify energy consumption using the EU Blockchain Observatory methodology.

Capital Requirements at a Glance

The figures above are the bare minimum. Most mid‑size firms end up allocating 1.5‑3times the capital to cover regulatory buffers, insurance, and the cost of third‑party audits.

Application Process - Step by Step

1. Pre‑application sanity check: confirm that your service falls under MiCA and not under existing EU directives (e.g., MiFID‑II for tokenised securities).
2. Choose the host NCA: most firms pick a jurisdiction with a reputation for clear guidance - France’s AMF, Germany’s BaFin, or Luxembourg’s CSSF are popular choices.
3. Prepare documentation (usually 120days to compile):
   • Business plan with revenue forecasts.
   • Governance structure and board biographies (resident director proof).
   • Risk‑management framework covering market, credit, operational, and AML risks.
   • Technical annexes - AML procedures, transaction‑monitoring system specs, NIS2 cyber‑security architecture.
   • Environmental impact methodology and baseline energy‑consumption figures.
4. Submit the application through the NCA’s online portal. Pay the initial filing fee (varies €5,000‑€20,000).
5. Review period: the NCA has up to 6months to respond, but real‑world timelines differ - BaFin averages 6months, Spain’s CNMV stretches to 9months.
6. Conditional approval: you may be asked to provide additional information (e.g., third‑party audit plan).
7. Final licence issuance: once granted, you can passport the authorisation to the other 26 EU states.

Most applicants need 9‑12months from first document draft to licence in hand. Non‑EU firms often add 2‑3months to set up a EU‑resident director and a local legal entity.

Significant CASPs (sCASPs) - When Scale Triggers Extra Supervision

If your platform averages more than 15million EU users annually, MiCA automatically classifies you as a “significant CASP”. The consequences are:

• Quarterly stress‑testing reports submitted to the host NCA.
• Mandatory third‑party audit of AML and cyber‑security controls.
• Real‑time transaction monitoring with a minimum 24‑hour feed to the NCA.
• Higher capital buffers - an extra €500,000 on top of the base requirement for trading platforms.

Early‑stage start‑ups should model growth scenarios to see if they’ll cross the threshold within 18months. If they do, it often makes sense to adopt the sCASP compliance framework from day one.

Country‑Specific Nuances

While MiCA is EU‑wide, each NCA adds its own flavour. Here are the most visited jurisdictions and what makes them unique:

• France (AMF): provides a detailed 40‑page technical guide covering AML, NIS2, and environmental reporting. Processing time averages 7months. The AMF also offers a “fast‑track” for custodial services that meet its pre‑approved risk model.
• Germany (BaFin): known for rigorous AML checks and a high‑quality supervisory staff (42% of NCAs meet staffing requirements). Expect thorough documentation reviews and a 6‑month turnaround.
• Luxembourg (CSSF): strong focus on cross‑border passporting. The CSSF demands a separate environmental impact annex, but its approval time (8‑10months) is competitive.
• Lithuania (Bank of Lithuania): cheaper filing fees and a reputation for helping fintech start‑ups. However, the NCA’s staff is smaller, which can lengthen review periods to 9‑12months.
• Estonia: the quickest filing fee (≈€5,000) but the longest processing lag (up to 11months) due to limited crypto‑supervision resources.

When picking a host, weigh the trade‑off between fee, speed, and post‑licence support. Many firms start in France or Germany and later open branches in lighter‑touch jurisdictions for cost optimisation.

Cost Breakdown - From Application to Ongoing Compliance

A realistic budget looks like this (based on PwC’s August2025 benchmark):

• Initial filing fee: €5,000‑€20,000 depending on NCA.
• Legal & consulting (drafting business plan, governance docs): €150,000‑€300,000.
• Technology stack for AML and transaction monitoring: €800,000‑€1.2million.
• Environmental impact reporting system: €100,000‑€250,000 (most firms outsource).
• Capital reserve (as per table above): €125,000‑€730,000.

Ongoing annual costs include compliance staff (5‑7 full‑time equivalents), third‑party audit fees (~€150,000 for sCASPs), and periodic updates to the AML‑AMLA framework (≈€50,000). All told, a mid‑size exchange can expect €1‑2million in first‑year total outlay.

Common Pitfalls & Pro Tips

1. Under‑estimating the resident‑director requirement: you need a director who can be legally served in the host country. Remote board members don’t count.
2. Missing the 120‑day documentation window: the CSSF’s guidance stresses a complete business plan before submission; start early.
3. Neglecting the environmental annex: the ESMA technical standards launched March2025; without it, the NCA will reject the file outright.
4. Assuming the passport is instant: after licence issuance, each additional EU country may still require registration of a branch, which adds 1‑2weeks per state.
5. Overlooking the AMLA transition: from June2026 the new AML Authority will take over AML supervision. Align your AML governance now to avoid a second audit.

Pro tip: keep a compliance tracker spreadsheet that aligns each MiCA article with your internal evidence. Regulators love a tidy, cross‑referenced file.

Future Outlook - MiCA 2.0 and Beyond

The European Commission drafted a MiCA2.0 package in June2025 aimed at DeFi protocols and NFTs. While the new rules are still under consultation, they signal that the EU will eventually broaden the passport to cover non‑centralised entities - provided they can identify a legal “service provider” behind the code.

In the meantime, the Crypto‑Assets Supervision Network (CASN), launched early2026, will give CASPs a single point of contact for cross‑border queries, potentially shaving weeks off the passporting process.

For firms that can lock in a licence now, the upside is huge: 62% of EU crypto‑trading volume already runs through MiCA‑authorised platforms, and institutional investors are making the licence a prerequisite for partnership.