Crypto License in Europe

A crypto license in Europe is CASP authorization under the Markets in Crypto-Assets Regulation (MiCA) — the mandatory legal basis for providing crypto-asset services in the EU since 30 December 2024. One authorization, issued by a national competent authority in any EU member state, covers all 27 EU markets through passporting.

CASP authorization applies to any company providing crypto-asset services to EU clients on a professional basis — regardless of where the company is incorporated. Non-EU businesses must establish an EU legal entity and meet all MiCA requirements to serve EU residents. Reverse solicitation is narrowly defined and is not a workable compliance path for scaling.

For existing VASPs operating under legacy national registrations: the transitional window is closing. Most EU member states require a CASP application before 1 July 2026. After that date, operating without MiCA authorization is prohibited. For detailed CASP authorization requirements, capital classes, and the step-by-step licensing process, see the full CASP license guide.

Jurisdiction trends are shifting. In 2026, the strongest demand for CASP authorization concentrates in Lithuania, Malta, and the Netherlands — driven by reasonable timelines, established banking relationships, and supervisory teams with crypto-sector experience.

Germany remains the first choice for institutional operators – Commerzbank, N26, Trade Republic, and BitGo all hold BaFin authorization, and the regulatory stamp itself functions as a trust signal for banking partners and investors. The Netherlands attracted crypto-native platforms early – Bitvavo, MoonPay, and Amdax secured some of the first CASP authorizations in 2025. Luxembourg became the EU home for Coinbase and Bitstamp, offering fast passporting and capital-markets alignment. Early expectations around the Czech Republic’s fast-track procedures have been tempered by more selective NCA screening as application volumes grew through late 2025.

For teams targeting a first-half 2026 submission: Lithuania for speed. Netherlands for crypto-native ecosystem. Germany for institutional credibility. Spain — an underrated option for operators bridging EU and Latin American markets.

MiCA does not reach beyond the EU / EEA. European countries outside the Union keep their own national VASP regimes, each with separate legal bases and territorial limits.

• United Kingdom (FCA) — registers crypto businesses under the UK AML framework (Money Laundering Regulations 2017, as amended). Post-Brexit, this is a fully standalone regime with its own scope.
• Gibraltar (GFSC) — operates a dedicated DLT framework for virtual asset service providers, applicable only within Gibraltar.
• Bosnia and Herzegovina — regulates virtual asset activities at the national level under local AML rules.
• Montenegro — applies a national VASP-style registration framework outside MiCA.
• Switzerland (FINMA) — non-EU jurisdiction outside MiCA scope; dual-track regime through SRO membership (VQF, ARIF, PolyReg) or direct FINMA authorization for deposit-taking, custodial, and trading infrastructure models. Typical timeline 2-3 months for SRO, 6-12 months for FINMA licenses.

Important: none of these licenses grant EU market access. A UK VASP registration does not allow you to serve clients in Germany, France, or Spain. If your target market includes EU residents, you need CASP authorization under MiCA.

The right CASP jurisdiction depends on your business model, team location, target markets, and timeline. Since the license passports EU-wide, the choice of home member state sets the regulator you live with for the life of the authorization. Four common scenarios:

• If you want speed and cost efficiency: Czech Republic, Poland, or Lithuania. The Czech Republic offers registration timelines of 30-60 days for qualifying entities. Poland and Lithuania typically complete full CASP authorization in 3-6 months with lower procedural overhead than larger member states.
• If you need bank-grade credibility: Germany (BaFin) or the Netherlands (AFM + DNB). Expect longer timelines – 6 to 12+ months — but the regulatory stamp unlocks institutional banking relationships, VC scrutiny, and enterprise partnerships where jurisdiction of authorization is itself a trust signal.
• If your model is a trading platform or exchange: Malta (MFSA) is the established exchange hub — OKX, Crypto.com, Gemini, ZBX, and Bitpanda are authorized there. Ireland is the MiCA home of Coinbase. Both combine trading-platform expertise in the supervisory culture with EU-wide passporting.
• If you serve Spanish-speaking LatAm alongside the EU: Spain (CNMV) – a natural regulatory and linguistic bridge between European and Latin American markets, particularly for exchanges and brokerages targeting both regions.

Pick your home member state deliberately. Passporting gives you access to all 27 markets, but your home NCA is the one reviewing your applications, approving changes, and handling enforcement. Moving the license later means a new authorization – not a transfer.

CASP authorization follows four stages: activity classification, NCA application, supervisory review, and passporting activation. The statutory NCA review period is 3 months — but the real clock starts earlier and runs longer.

What the 3-month statutory window does not account for: pre-submission preparation (entity formation, substance setup, AML policy drafting, business plan development, director appointments), completeness checks (the NCA has 25 business days just to confirm the application is complete), and iterative document requests during review — particularly common with BaFin in Germany and DNB in the Netherlands.

In practice, the jurisdictions in the comparison table above show a wide range. Simplified registration in the Czech Republic can complete in weeks; a full BaFin authorization in Germany may take over a year. For most mid-complexity applications across Lithuania, Poland, Malta, and the Netherlands, expect 4 to 8 months from submission — plus 3 to 5 months of preparation before that.

Total realistic timeline from first engagement to operating under a CASP license: 7 to 18 months depending on jurisdiction, business complexity, and how prepared you are at submission.

One CASP authorization covers all 27 EU member states — no separate national applications, no additional fees. Your home NCA remains your primary supervisor; host NCAs retain market monitoring and consumer protection roles in their territories. Passporting is service-specific: you can cross-border only the services listed in your authorization. Adding new regulated services requires an authorization update before offering them abroad.

The MiCA transitional period ends on 1 July 2026. After that date, continued operation without CASP authorization is prohibited in the EU. National transitional periods vary:

• Netherlands – ended July 2025.
• Germany, Austria, Ireland – concluded end of 2025.
• Lithuania – grandfathering until 1 January 2026.
• Czech Republic – required application by 30 July 2025 for grandfathering until 30 June 2026.
• Estonia – 30 June 2026. Malta, Luxembourg, France – applied the full 18-month period until 1 July 2026.

ESMA has warned that last-minute applications face heightened regulatory scrutiny. Several NCAs — notably BaFin, AFM, and CNMV — have issued enforcement guidance targeting operators still running without CASP authorization.

Penalties for operating without CASP authorization vary by member state but can reach up to €5 million for legal entities or 12.5% of annual turnover – whichever is higher. National regulators may also impose public statements, management bans, and cease-and-desist orders.

Three patterns cause most CASP applications to fail or stall at NCA review:

1. Insufficient operational substance — and it goes deeper than having a registered address. NCAs increasingly request evidence of genuine local operations: board meeting minutes held in the home member state, local IT service contracts predating the application by at least 3 months, and proof that the AML officer physically works from the declared office. A nameplate on a door and a remote director no longer pass review.
2. Misclassification of crypto-asset services — the boundary between ‘exchange’ and ‘reception and transmission’ is where most errors occur. Applying for Class 1 (€50K capital) when your platform actually matches an exchange or OTC desk triggers a reclassification mid-review — adding months and requiring capital restructuring. Validate scope under MiCA Article 3 before forming the entity.
3. Unverifiable source of funds — particularly for founders with mixed crypto/fiat wealth histories. NCAs now routinely request bank statements, tax filings, and wallet-to-bank transaction chains going back 5+ years. For teams that built capital through early crypto trading or token sales, documenting this chain is the most time-consuming step — and the one most often underestimated.

Beyond the application stage, ongoing CASP obligations include maintaining minimum capital continuously, meeting supervisory reporting requirements, and operating within the scope of authorized services. Non-compliance can result in restrictions, enforcement measures, or withdrawal of authorization.

In 2026, operating a crypto business in the EU requires one thing: CASP authorization under MiCA. The fragmentation is over. The transitional period ends 1 July 2026, and after that date, CASP is the only legal basis for serving EU clients.

Non-EU European jurisdictions — the UK, Gibraltar, Bosnia and Herzegovina, Montenegro — continue to run their own national VASP regimes. Those licenses work within their issuing country, but they do not grant EU market access.

The commercial implication is clear: if your target market is the EU, CASP is your only path. If your focus is non-EU European territories, a national VASP license is sufficient. Mixed strategies are common — a UK VASP registration combined with CASP authorization in an EU member state for full European coverage.
Gofaizen & Sherle structures CASP and VASP applications across both frameworks, from jurisdiction selection to regulatory engagement. If you are evaluating your MiCA path, we can map your business model to the appropriate regime and build the authorization strategy around your commercial goals.