CASP license

The CASP (Crypto Asset Service Provider) license is a mandatory authorization for companies that provide crypto asset services. It covers exchange, storage, portfolio management, and advisory services. CASP regulates crypto-asset services, including exchange for fiat money and other digital assets, trading platform management, order fulfillment, transfer, and placement. With this license, companies can offer services across the European Union on a “passport-able” basis, similar to the EMI license.

The Markets in Crypto Assets Regulation (MiCA), which defines the rules for the CASP license, was adopted by the European Union in 2023 to unify cryptocurrency market regulation and create common standards across the EU. This decision was an important step towards a transparent and secure crypto market.

MiCA envisions a two-stage implementation of regulations:

• The first set of regulations

Affects issuers of stablecoins and came into force on June 30, 2024, providing additional requirements for this type of asset.

• The second set of rules

It will go into effect on December 30, 2024, and will cover cryptocurrency exchanges and other crypto asset service providers, including CASPs.

There is a transition period for existing virtual asset service providers (VASPs). They can continue to operate under their current national licenses until December 31, 2025, and in some countries, this period can be extended until July 1, 2026. From January 1, 2025, companies must apply for a MiCA CASP license to comply with the new requirements by the end of the transition period.

MiCA will significantly change the crypto services market in the EU by introducing strict standards of security and transparency, which in turn will increase trust in crypto assets. The new regulation will open up cross-border opportunities for companies and ensure that they operate under a single legal framework. This will allow them to expand their client base and provide services across the EU.

Gofaizen & Sherle is fully prepared for MiCA. We are experienced in dealing with regulators and have thoroughly understood the requirements of the new legislation, including CASP licenses. Our team offers full licensing and MiCA adaptation support, from preparing documentation to setting up processes that comply with all regulations. When MiCA comes into force, our clients will be able to grow their business with the confidence that they are fully compliant with the regulator’s requirements.

After the transition period, providing crypto-asset services without CASP authorization will expose companies to enforcement action and market exclusion within the EU.

CASP licensing under MiCA applies to companies that provide crypto-asset services to clients in the European Union. Any business providing crypto-asset services on a commercial basis requires CASP authorization from an EU national competent authority.

The following types of businesses are required to obtain a CASP license:

• Crypto exchanges — platforms for crypto-to-fiat and crypto-to-crypto trading;
• Custody providers — companies holding and safeguarding crypto-assets for clients;
• Trading platforms — operators of crypto-asset trading venues and order-matching systems;
• Brokers and dealers — intermediaries executing crypto-asset orders for clients;
• Portfolio management — firms managing crypto-asset portfolios under discretionary mandates;
• Crypto advisors — entities providing investment advice on crypto-assets;
• Placement services — businesses offering or selling crypto-assets on behalf of issuers.

Non-EU companies are also subject to CASP licensing if they provide crypto-asset services to EU residents. An exception applies in cases of reverse solicitation, where services are provided exclusively at the client’s initiative. The provider must not engage in any marketing, targeting, or solicitation within the EU.

With the introduction of MiCA to regulate crypto assets, current VASP licensees in Europe must adapt to the new requirements for a favorable transition to CASP licensing. MiCA establishes uniform standards under EU regulations aimed at enhancing the transparency, security, and financial stability of crypto asset companies.

Key steps for the transition:

• Capitalization. MiCA requires companies to ensure a minimum level of capitalization (up to €150,000, depending on the range of services provided). This requirement aims to improve financial stability and customer protection. Companies will need to review their capitalization to meet these standards.

• AML compliance and internal policies. The requirements for AML policies and internal controls are significantly strengthened. Companies are required to create and implement detailed policies for risk management, data protection, protection of customer funds, and transaction monitoring. This also includes the implementation of internal controls and regular risk assessments.

• Local presence. Companies must have a physical office in the EU and conduct some of their activities within the European Union. There must also be at least one EU-domiciled manager and an anti-money laundering compliance team.

1. CASPs must be registered as legal entities with a statutory structure that protects clients and allows them to comply with MiCAR requirements.
2. Must have a registered office in the jurisdiction in which they are licensed and have effective management in the EU. There must be at least one EU resident director on the management team to comply with local controls.
3. CASP companies are required to implement internal controls and risk management systems that incorporate anti-money laundering (AML) and preventing the financing of terrorism (CFT) measures. MiCAR requires companies to develop procedures to identify customers, monitor transactions, assess potential risks, and provide mechanisms to manage operational, legal, and information technology threats.
4. Companies are required to protect customer data and assets. MiCAR requires the implementation of security measures such as access controls, data encryption, and regular security audits to ensure the confidentiality and integrity of information.
5. Candidates for a CASP license must have insurance reserves to cover risks associated with privacy breaches, business process errors, and customer liabilities. These safeguards can be implemented through equity or insurance policies.
6. MiCAR requires CASPs to develop a business continuity policy, including backup, data recovery, and crisis response plans, to ensure the smooth running of the company.
7. CASP companies are required to develop clear procedures for handling complaints, respond promptly to customer complaints, and disclose how they are made.
8. Procedures must be in place to identify, manage, and disclose internal and external conflicts of interest. This is important to maintain fair and transparent relationships with customers.
9. Must apply for authorization with full information about their activities. Once licensed, CASPs can offer crypto asset services across the EU without the need for separate national authorizations.

The CASP shall keep records of crypto-asset services, activities, orders, and transactions undertaken by the CASP to enable the competent authorities to fulfill their supervisory tasks and take enforcement measures. The client shall be able to request the necessary record upon request.

According to ESMA, the CASPs will have the flexibility to maintain all the transaction data elements in the format they consider most appropriate, provided that some of these elements can be converted into a specified format when competent authorities request information. The records to be kept shall be sufficient to enable competent authorities to fulfill their supervisory tasks and to perform enforcement measures, in particular, to ascertain whether CASPs have complied with all obligations with respect to clients or prospective clients and the integrity of the market.

The records shall be kept for a period of 5 years and, where requested by the competent authority before five years have elapsed, for a period of up to 7 years.

Companies preparing for CASP licensing must align their business model, governance structure, and compliance setup with MiCA requirements. The following sections outline the key regulatory areas assessed during the authorization process.

• Study the MiCA regulations.
  Familiarize yourself with the requirements that establish CASP categories and rules for crypto asset companies.
• Determine the category for your business.
  Determine which category your company falls under (exchanger, depository accounts, ICO providers), as each category has different requirements.
• Conduct an internal audit to ensure compliance with MiCA requirements.
  Assess whether the company’s current processes are compliant with MiCA risk management, data protection, and AML/CFT compliance requirements.
• Choose the right jurisdiction in the EU.
  As requirements can vary from country to country, select the jurisdiction most suitable for your company’s licensing process.
• Prepare the necessary documentation.
  Compile key application documents such as a business plan, management and shareholder details, a description of risk management systems and IT infrastructure, and financial statements.
• Consult with professionals.
  Professional consultants can assist in compiling documents, reviewing for compliance, and preparing your company for a successful CASP license application.

MiCA applies not only to EU-based companies but also to non-EU crypto-asset service providers that offer services to clients located within the European Union. In such cases, CASP authorization is required to lawfully provide crypto-asset services to EU residents.

Non-EU companies are generally not permitted to provide crypto-asset services into the EU on a cross-border basis without obtaining a CASP license through an EU-established legal entity. The requirement applies where the provision of services results in EU clients being served on a professional and ongoing basis.

An exception exists under the reverse solicitation principle. Reverse solicitation applies only where a client located in the EU initiates the service entirely at their own exclusive initiative, without any prior marketing, advertising, or solicitation by the service provider within the EU. This exception is interpreted narrowly by regulators and does not allow ongoing or repeated provision of services following initial contact.

Non-EU companies relying on reverse solicitation must not engage in any form of marketing, promotion, or client acquisition activities targeting EU residents, including online advertising, localized websites, or direct outreach. Any breach of these conditions may trigger a regulatory obligation to obtain CASP authorization.

As a result, non-EU crypto businesses intending to serve the EU market on a continuous or scalable basis are required to establish an EU presence and apply for a CASP license in accordance with MiCA requirements.

Gofaizen & Sherle is an international legal and consulting firm advising regulated crypto-asset and financial services businesses on licensing and regulatory compliance. The firm has supported 800+ licensing and regulatory projects, including crypto-asset service providers operating under EU and international regulatory frameworks.

Within the European Union, Gofaizen & Sherle advises clients on CASP licensing under the Markets in Crypto-Assets Regulation (MiCA), supporting projects from regulatory scoping and CASP class determination to application submission and ongoing supervisory compliance with national competent authorities. The firm applies a regulatory infrastructure approach, focusing on governance, risk management, and long-term operational alignment with EU supervisory expectations.

The Markets in Crypto-Assets Regulation (MiCA) establishes a unified regulatory framework for crypto-asset service providers operating within the European Union. Under this framework, the CASP license becomes a mandatory authorization for companies providing crypto-asset services to EU clients, replacing fragmented national regimes with a single, passportable licensing structure.

Obtaining a CASP license requires careful alignment of the business model, capital structure, governance, and compliance framework with MiCA requirements. Key considerations include correct CASP class determination, minimum capital thresholds, AML/CFT obligations, ongoing recordkeeping, and supervisory engagement with the relevant national competent authority. For non-EU companies, additional constraints apply, especially regarding cross-border service provision and the limited scope of reverse solicitation.

Given the regulatory complexity and the long-term supervisory nature of MiCA, CASP licensing should be approached as a regulatory infrastructure project, not a one-time authorization exercise. Sustainable compliance, operational substance within the EU, and early regulatory planning are critical to maintaining uninterrupted access to the EU crypto market.

The CASP licensing regime is governed by the Markets in Crypto-Assets Regulation (MiCA) and supervised by EU institutions and national competent authorities. Below are the primary official sources defining CASP requirements, supervisory powers, and implementation timelines:

• Markets in Crypto-Assets Regulation (MiCA) – Regulation (EU) 2023/1114.
  Official legal text published in the Official Journal of the European Union.
• European Securities and Markets Authority (ESMA).
  Supervisory guidance, technical standards, and implementation materials related to CASP authorization.
• European Commission — Digital Finance and Crypto-Assets.
  Official policy materials and regulatory background for MiCA.
• European Banking Authority (EBA).
  AML/CFT-related guidance applicable to crypto-asset service providers.