Crypto License in Europe

MiCA is the EU regulation that establishes uniform market rules for crypto-assets, issuers and crypto-asset service providers across the European Union.

The ESMA MiCA overview explains that MiCA covers crypto-assets not already regulated by existing financial-services legislation and includes rules on transparency, disclosure, authorization and supervision. For crypto companies, MiCA changes the EU from a fragmented national VASP environment into a harmonized CASP authorization framework.

MiCA does not make every EU country operationally identical. National competent authorities still review applications, ask questions, assess management, evaluate documentation and supervise authorized CASPs. The framework is EU-level, but the application strategy remains country-specific.

The commercial implication is simple: a crypto company should not choose a jurisdiction only because it sounds fast or cheap. It should choose a jurisdiction that fits its business model, services, ownership, substance, AML/CFT risk, technology setup, banking plan and long-term compliance budget.

Passporting under MiCA means that an authorized CASP may provide its authorized crypto-asset services across the EU framework after the required notification process.

Article 59 of MiCA allows authorized CASPs to provide crypto-asset services throughout the Union, either through establishment or freedom to provide services. The ESMA Interactive Single Rulebook page on Article 59 Authorisation also confirms that cross-border CASPs do not need physical presence in the host Member State.

Article 65 adds the notification process. A CASP that intends to provide services in more than one Member State must notify its home competent authority of the target Member States, the services to be provided cross-border, the start date and other relevant activities. The ESMA page on Article 65 Cross-border provision provides the cross-border notification basis.

Passporting is not unlimited access to “all Europe”. It applies to authorized services within the EU framework. It does not cover the UK, Switzerland, Canada or other non-EU markets. It also does not allow a CASP to provide services outside the scope of its authorization.

The core requirements for a crypto license in Europe include an EU legal entity, registered office, effective management, suitable directors, own funds, governance, AML/CFT controls, ICT resilience and service-specific documentation.

MiCA Article 59 requires a CASP to have a registered office in a Member State where it performs at least part of its services, effective management in the Union and at least one director resident in the Union. The application is reviewed by the competent authority of the home Member State.

A CASP application normally includes:

• legal entity information and constitutional documents;
• ownership structure and qualifying holders;
• programme of operations;
• service-scope description;
• governance arrangements;
• internal-control framework;
• AML/CFT risk controls;
• ICT and DORA-related documentation;
• safeguarding and custody arrangements where relevant;
• complaints-handling policy;
• conflicts-of-interest policy;
• outsourcing policy;
• proof of own funds;
• management suitability evidence;
• business continuity and incident response materials.

In practice, this means the regulator will not only check legal paperwork. It will check whether the company can operate as a supervised crypto business.

AML/CFT obligations are not replaced by MiCA, and CASP authorization still requires internal controls for money-laundering, terrorist-financing, ICT, safeguarding and conduct risks.

MiCA requires governance, internal controls and risk-management arrangements. AML/CFT remains a separate regulatory layer, but a CASP file should still explain how the applicant identifies, assesses and manages ML/TF risks. DORA adds the EU operational-resilience layer for financial entities. Regulation (EU) 2022/2554 and the EIOPA DORA overview describe the digital operational resilience framework.

MiCA also includes client-protection rules. Article 70 covers safeguarding of clients’ funds and crypto-assets. Article 71 requires complaints-handling procedures, and Article 72 covers conflicts of interest. Article 75 adds custody and administration duties where the CASP holds or controls clients’ crypto-assets or means of access.

For payment-heavy models, a CASP authorization does not replace an EMI license, payment institution permission, bank account or safeguarding arrangement. Crypto companies with fiat flows should map payment permissions, IBAN access and banking onboarding before filing.

An existing fintech or investment group should assess whether the crypto activity belongs in the parent entity, a subsidiary, a branch or an SPV before choosing the CASP jurisdiction.

This is a different problem from a startup application. A group with an existing license, regulated parent, board, investors, internal compliance team or cross-border structure needs a defensible group-level strategy. Article 60 of MiCA allows certain existing financial entities to provide specific crypto-asset services through a notification route where the conditions are met. It does not mean every fintech group can avoid CASP analysis.

The group should assess:

• whether the parent entity is already a regulated financial entity;
• whether Article 60 can apply to the planned services;
• whether a subsidiary or SPV creates cleaner risk separation;
• whether the parent regulator needs to be informed;
• how group outsourcing will work;
• whether management is located in the EU;
• how board approval and risk ownership will be documented;
• how the project affects capital, audit, AML/CFT and DORA obligations;
• whether the structure supports a three-to-five-year business plan.

A full CASP application is not always the right first step. For some groups, the better first step is a narrower service model, an Article 60 notification route, a non-custodial technical assessment, a partnership with an authorized entity or a phased entry plan. This is especially relevant for DeFi teams, infrastructure providers, existing EMIs, investment firms, credit institutions and groups that are testing a limited EU business line.

To get a crypto license in Europe, a company must classify its services, choose a suitable EU jurisdiction, prepare its entity and compliance framework, and submit a CASP application or notification to the competent authority.

A practical CASP project usually follows these steps:

1. Classify the crypto-asset services.
2. Confirm whether MiCA applies.
3. Check whether Article 60, Article 61 or another route affects the strategy.
4. Choose the EU jurisdiction.
5. Set up or adapt the legal entity.
6. Build governance, AML/CFT and ICT frameworks.
7. Prepare the application file and supporting policies.
8. Submit to the national competent authority.
9. Respond to regulator questions.
10. Use passporting where applicable and notified.
11. Maintain post-authorization controls, reporting and change-management processes.

MiCA Article 63 includes official procedural steps. Competent authorities acknowledge receipt within five working days, assess completeness within 25 working days and assess a complete application within 40 working days, subject to information requests and suspension periods. These official periods are not the same as the full commercial project timeline.

No, a CASP authorization should not be treated as a license that can simply be bought because it is granted to a specific entity for specific services, ownership, governance and compliance arrangements.

A buyer can acquire a company, but it cannot assume that the authorization transfers like a product. MiCA Article 83 requires notification for a proposed acquisition or increase of a qualifying holding in a CASP where thresholds such as 20%, 30%, 50% or subsidiary control are reached or exceeded. The competent authority can assess the proposed acquirer and the effect on the CASP.

Due diligence should cover:

• authorized services and service limitations;
• ownership and qualifying holders;
• past regulator correspondence;
• source-of-funds history;
• AML/CFT controls;
• client-asset safeguarding;
• complaints and conflicts procedures;
• ICT and outsourcing arrangements;
• litigation, debts and operational incidents;
• whether the business model has changed since authorization.