MiCA License in Cyprus 2026

Obtain CySEC MiCA authorisation in Cyprus for exchanges, custody, brokerage, and trading platforms. RUE supports structuring, filing, AML, Travel Rule, and DORA readiness.

Book MiCA Readiness Call

Regulator

CySEC

Timeframe

6-9 months

Cost

from €24,900

Capital

€50k-€150k

Depends on service scope, substance, outsourcing model, and banking readiness.

Why Cyprus for a MiCA License

Cyprus is a practical home state for EU-facing crypto businesses that need CySEC supervision, access to experienced legal and compliance providers, and a tax-efficient corporate environment. RUE helps founders map their business model to MiCA, build substance, prepare the dossier, and manage the authorisation process end-to-end.

Polina Merkulova

Polina Merkulova

Licensing Services Manager

[email protected]

As your point of contact, I help coordinate the licensing process end-to-end, keep communication clear, and move your application forward without unnecessary delays.

Regulated United Europe (RUE) provides end-to-end support for a MiCA Licence in Cyprus, from service-perimeter mapping and company setup to drafting the application dossier, governance framework, AML/CFT controls, outsourcing model, and regulator-facing responses.

We also support related workstreams that often decide the project outcome in practice: banking strategy, accounting setup, local substance, MLRO/compliance staffing, Travel Rule implementation, and post-authorisation compliance.

Contact me

🏛️

CySEC as National Competent Authority

CySEC is the licensing authority for Cyprus MiCA authorisation and supervises governance, conduct, safeguarding, and AML controls for CASPs established in Cyprus.

🌍

EU Market Access

A Cyprus MiCA license can support cross-border expansion across the EU through passporting after authorisation and notifications.

🧩

Strong Fit for Regulated Fintech

Cyprus combines company law flexibility, experienced service providers, and a familiar environment for financial and high-risk businesses.

🛡️

Operational Compliance Build-Out

Cyprus works best for founders prepared to build real substance, AML architecture, Travel Rule controls, and DORA-grade ICT governance.

MiCA Licence in Cyprus

18,900 EUR

Package includes (8)

Preparation of necessary documents for registration of a new company in Cyprus 2026
Translation of a certificate of no criminal record through a sworn translator
Payment of state fees related to company registration
Payment of notary fees related to company registration
Preparation of compliance documents for MiCA application
Preparation of a business plan
Submission of the necessary documents to CySEC
Recruitment of local MLRO/Compliance officer

MiCA Class Comparison for MiCA Licence in Cyprus

Compare MiCA Class 1, Class 2 and Class 3 by permitted activities and baseline requirements.

Mica Class 1 - 50 000 EUR

CapitalFrom EUR 50,000 TimeCountry-specific

Swipe left/right to switch license type

Reception and transmission of client orders

Execution of orders on behalf of clients

Placement and advisory services

Portfolio management

No custody of client crypto-assets

Target Models

Advisory firms Introducing brokers Portfolio advisory setups

Mica Class 2 - 125 000 EUR

CapitalFrom EUR 125,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 1 services

Crypto-fiat and crypto-crypto exchange

Custody and administration of client assets

Transfer services for crypto-assets

Higher organizational and AML requirements

Target Models

Exchanges Custody providers Broker-dealer operations

Mica Class 3 - 150 000 EUR

CapitalFrom EUR 150,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 2 services

Operation of crypto-asset trading platform

Enhanced governance and internal controls

Advanced risk management and reporting

Typical for full-scale marketplace operators

Target Models

Trading venues Multi-service CASP groups Institutional-grade operators

Discuss this license

MiCA Class Comparison (Class 1, Class 2, Class 3)

Activity / Option	Mica Class 1 - 50 000 EUR	Mica Class 2 - 125 000 EUR	Mica Class 3 - 150 000 EUR
Reception and transmission of orders	V	V	V
Execution of orders on behalf of clients	V	V	V
Advisory and portfolio management	V	V	V
Crypto-fiat and crypto-crypto exchange	X	V	V
Custody and administration of crypto-assets	X	V	V
Operation of a trading platform	X	X	V

Core Requirements for a Cyprus MiCA License

A MiCA license in Cyprus is a CySEC authorisation for a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114. In 2026, the practical test is no longer whether a company can file forms, but whether it can demonstrate a credible operating model, adequate own funds, real governance, and control over AML, safeguarding, outsourcing, and ICT risk.

CySEC will typically assess the applicant across five layers at once: service perimeter under MiCA, Cyprus AML law, Travel Rule obligations under the Transfer of Funds Regulation, DORA-style ICT resilience, and fit-and-proper suitability of shareholders and management. Generic templates and shell-company structures are a common failure point.

Below are the main requirements that usually determine whether a Cyprus MiCA application is review-ready.

Correct Service Mapping and MiCA Perimeter Analysis +

You must identify exactly which MiCA crypto-asset services your business model triggers. This is the first legal gate in any Cyprus MiCA license project.

Typical regulated services include custody and administration, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, reception and transmission of orders, placing, transfer services, portfolio management, advice on crypto-assets, and operation of a trading platform.
A single product may trigger multiple service categories. For example, an exchange with hosted wallets usually combines exchange + custody + transfer.
MiCA does not apply where the token qualifies as a financial instrument under MiFID II. That boundary analysis is often decisive for tokenised securities, profit-right tokens, and some structured yield products.

A weak perimeter memo creates downstream problems in capital, policies, disclosures, and passporting notifications.

Minimum Capital and Own Funds +

Minimum capital for a MiCA Licence in Cyprus depends on the authorised service scope, not on marketing labels such as “exchange license” or “broker license”. The commonly referenced thresholds are €50,000, €125,000, and €150,000.

€50,000 typically applies to lower-risk service scope such as advice, order reception/transmission, execution, placing, or transfer services.
€125,000 typically applies where the applicant provides custody and administration of crypto-assets on behalf of clients.
€150,000 typically applies to exchange services and operation of a trading platform.

Minimum capital is only the entry threshold. CySEC will also assess whether the firm has adequate own funds, realistic liquidity planning, and enough runway to operate through the first 12 months. Capital must be funded in fiat, not in volatile crypto-assets, and source-of-funds evidence must be clean and documented.

Cyprus Company, Office and Effective Management +

You need a Cyprus legal entity with real operational presence. A paper office is not a credible basis for a CySEC MiCA authorisation.

The company should have a registered office in Cyprus and practical arrangements for day-to-day management, record-keeping, and regulator access.
CySEC will look at place of effective management, governance meetings, local decision-making, and whether critical functions are genuinely directed and overseen from the firm.
For most serious applications, founders should expect to budget for office rent, local service providers, and at least a core operational presence rather than a nominee-only structure.

Substance is also relevant for banking, tax residency analysis, and credibility of outsourcing oversight.

Directors, Shareholders and Fit-and-Proper Assessment +

CySEC will assess whether qualifying shareholders, UBOs, directors, and senior managers are fit and proper. This is not a box-ticking exercise.

Expect review of CVs, education, relevant crypto/fintech/regulated-sector experience, criminal record certificates, bankruptcy/insolvency history, and time commitment.
Applicants with complex ownership chains must provide a transparent group structure and reliable source of wealth/source of funds evidence.
Weak management biographies are a common reason for regulator questions, especially where the proposed board has no hands-on experience with custody, exchange operations, AML, or financial regulation.

Non-EU founders can apply, but the management model must still support effective supervision in Cyprus.

AML/CFT Framework, MOKAS Reporting and Travel Rule +

A Cyprus MiCA license does not replace AML obligations. CASPs remain subject to Cyprus AML law, CySEC AML expectations, and suspicious transaction reporting to MOKAS.

You need a business-wide risk assessment, onboarding and KYC/CDD procedures, sanctions screening, ongoing monitoring, enhanced due diligence, record retention, and staff training.
Crypto transfers also trigger the Transfer of Funds Regulation (TFR), which extends the Travel Rule to crypto. In practice, firms should be ready to transmit and receive originator/beneficiary data and maintain interoperability with market standards such as IVMS101.
CySEC will expect the AML framework to be tailored to your exact channels, client types, geographies, token exposure, and transaction flows.

Generic AML manuals copied from forex or EMI templates are one of the fastest ways to trigger extensive RFIs.

Governance, Control Functions and Outsourcing Oversight +

A credible CASP must show governance that works in practice. For a MiCA authorisation in Cyprus, that usually means clear board oversight, segregation of duties, and documented control ownership.

Typical functions include AML/MLRO, compliance, risk, legal, and depending on scale, internal audit and dedicated ICT/security oversight.
Outsourcing is allowed, but not if it turns the applicant into an empty shell. The firm must keep a vendor register, due diligence files, service-level controls, monitoring cadence, and exit plans for critical providers.
CySEC will usually focus on who controls the outsourced exchange engine, wallet infrastructure, KYC tooling, customer support, and incident response.

The operational question is simple: if the vendor fails tomorrow, can the board explain the risk, the fallback, and the client impact?

Technology Security, Safeguarding and DORA Readiness +

In 2026, a serious Cyprus MiCA license application should already be aligned with DORA-grade ICT governance, especially for custody, exchange, and platform models.

Expected controls usually include access management, MFA, encryption, privileged-user logging, incident response, disaster recovery, vulnerability management, and third-party ICT risk oversight.
Custody models should document wallet architecture such as MPC, multisig, HSM-backed key management, and hot/cold wallet segregation.
Safeguarding must cover segregation of client assets, reconciliation logic, insolvency treatment, and evidence trails. For client fiat, safeguarding arrangements with banks or EMIs should be clearly documented.

Independent penetration testing, audit trails, and a realistic business continuity plan materially improve application credibility.

Business Plan, Financial Model and Full Application Dossier +

The dossier for a MiCA license in Cyprus must show that the business is understandable, financeable, and controllable.

Core documents usually include a business plan, programme of operations, 3-year financial projections, governance papers, shareholder pack, AML/CFT framework, safeguarding policy, complaints policy, conflicts policy, outsourcing policy, ICT/security documentation, and client-facing terms.
Financial projections should show realistic assumptions on volumes, spreads, custody fees, staffing, compliance tooling, and regulatory overhead.
CySEC is more likely to challenge applications where revenue assumptions are aggressive, cost lines are understated, or the firm cannot explain how it will fund loss-making initial months.

At RUE, we treat the dossier as an operating model pack, not just a filing pack. That approach reduces rework during regulator review.

Jurisdiction Comparison

Compare MiCA Licence in Cyprus with other jurisdictions by key conditions for obtaining and operating a MiCA/CASP license: regulator, review period, fees, capital, local substance, and passporting.

* This table focuses on MiCA/CASP authorization conditions. Use the settings icon to customize countries and parameters.

💰 Licensing Cost Estimator

Get an approximate cost estimate for your crypto license based on your business needs

Configure Your Licensing Package

Select options below to see estimated costs

License Type

Mica Class 1

Mica Class 2

Mica Class 3

Do you need company registration?

Yes — Register New Company

No — I Have a Company

Additional Services

✓ AML/KYC Package ✓ Bank Account Opening ✓ Physical Office ✓ Compliance Officer

Estimated Cost

€0

Estimated Timeframe

Country-specific

Capital Requirement

€0

📞 Get Exact Quote

* This calculator provides approximate estimates only. Actual costs may vary based on your specific situation. Contact us for a detailed personalized quote.

Tax and Cost Considerations for Cyprus CASPs

Cyprus is often chosen for a MiCA license in Cyprus because the tax baseline is commercially attractive, but founders should avoid simplistic claims. The headline corporate income tax rate is 12.5%, yet the effective tax position of a crypto business depends on legal characterisation of income, expense deductibility, transfer pricing, substance, and whether parts of the group perform regulated, technology, treasury, or IP functions.

What matters in practice for a Cyprus MiCA structure

The first issue is not only tax rate but operating model alignment. A Cyprus CASP may have revenues from exchange spreads, custody fees, listing/placement fees, advisory, SaaS-style technology services, or group recharge arrangements. Each revenue stream can produce a different VAT and direct-tax analysis. The second issue is substance: if strategic control, key staff, and risk management sit elsewhere, tax residency and transfer-pricing questions become harder.

Cyprus also remains relevant because of its treaty network, professional services ecosystem, and compatibility with cross-border group structures. That said, no responsible advisor should present Cyprus as a one-line “low-tax crypto jurisdiction”. For regulated businesses, the real question is whether the tax structure survives audit and matches the governance reality shown to CySEC, banks, and counterparties.

Illustrative launch and annual cost stack

Founders usually underestimate the total budget for a Cyprus MiCA license. The real cost stack typically includes:

company incorporation and corporate maintenance;
legal and regulatory drafting;
AML/CFT framework build and compliance tooling;
MLRO/compliance/risk staffing;
office and local substance;
audit, accounting, and tax support;
IT security uplift, penetration testing, and vendor due diligence;
banking and payment onboarding.

For many applicants, the practical first-year budget is materially higher than the regulatory minimum capital. This page provides indicative market ranges only and should not be treated as legal or tax advice.

Corporate Income Tax

Standard Cyprus corporate tax baseline

12.5%

Cyprus corporate income tax is generally 12.5%. This is the baseline rate often cited for Cyprus companies, including regulated CASP structures. The effective tax outcome depends on actual revenue streams, deductible expenses, transfer pricing, and whether the company is genuinely managed and controlled in Cyprus.

Value Added Tax (VAT)

Depends on service characterisation

19% / mixed

The standard Cyprus VAT rate is 19%, but crypto-related services are not taxed under one universal rule. Some services may be exempt or outside scope depending on the exact legal and economic nature of the activity, while advisory, software, or support services may be taxable. VAT analysis should be done transaction-by-transaction.

Withholding Tax

Often efficient for cross-border structures

0%*

Cyprus is commonly used in international structures because outbound payments can be efficient in many scenarios. However, withholding outcomes depend on the type of payment, recipient jurisdiction, anti-abuse rules, and specific fact pattern. Treat any “0% withholding” statement as structure-dependent, not universal.

Accounting and Audit

Mandatory annual finance function

€8,000-€35,000+

Cyprus companies should budget for bookkeeping, management accounts, annual financial statements, and statutory audit support. A regulated CASP with transaction volume, safeguarding flows, and multiple counterparties will usually incur higher accounting and audit costs than a standard trading company. RUE can coordinate with accounting services in Cyprus.

Legal and Compliance Build

Initial project cost beyond state fees

€20,000-€90,000+

This range typically covers perimeter analysis, application drafting, governance and policy set, AML/CFT framework, outsourcing pack, regulator correspondence support, and remediation rounds. Complex models such as exchange + custody + platform operation sit at the upper end of the range.

Local Substance and Staffing

Office, directors, MLRO, compliance, admin

€90,000-€350,000+

Annual cost depends on whether functions are in-house, outsourced, or hybrid. Founders should budget for office, board support, local administration, and control functions. Even where outsourcing is used, CySEC expects meaningful internal oversight and documented accountability.

Technology, Security and Travel Rule

Operational compliance tooling

€25,000-€150,000+

Typical recurring spend includes KYC/AML systems, blockchain analytics, sanctions screening, transaction monitoring, Travel Rule connectivity, security tooling, logging/SIEM, penetration testing, and vendor assurance. Custody and exchange models usually face the highest recurring technology compliance spend.

Banking and Payment Setup

Onboarding and maintenance costs

€5,000-€40,000+

Crypto businesses should budget for account opening support, compliance packs, enhanced due diligence, onboarding fees, and ongoing bank/EMI charges. Banking is often a gating issue for launch, so this cost line should be planned early. RUE also assists with bank account opening in Cyprus and crypto business banking.

Compliance and Ongoing Obligations After Authorisation

A Cyprus MiCA license is the start of supervision, not the end of the project. CySEC expects continuous compliance across conduct, AML, safeguarding, governance, and ICT resilience.

📊

Regulatory Reporting

Periodic prudential and operational reporting to CySEC
Annual audited financial statements
Notifications of material changes in ownership, management, or services
Incident and breach reporting where applicable
Maintenance of complete books, records, and decision logs

🛡️

AML and Travel Rule Controls

Risk-based KYC/CDD and enhanced due diligence
Ongoing transaction monitoring and sanctions screening
Suspicious transaction reporting to MOKAS
Travel Rule data collection, transmission, and reconciliation
Periodic AML training and independent review

🔐

Safeguarding and ICT Resilience

Segregation of client assets from the firm’s own assets
Wallet governance, key management, and access controls
Reconciliations, exception handling, and audit trails
Incident response, disaster recovery, and business continuity
Outsourcing oversight and ICT vendor monitoring under DORA-style controls

📋

Conduct and Governance

Fair, clear, and not misleading client communications
Complaints handling and documented service-level timelines
Conflicts of interest identification and disclosure
Board oversight, policy review, and governance minutes
Ongoing fit-and-proper maintenance for key persons

💡

RUE handles compliance for you. Our team provides ongoing compliance support, including AML officer services, regulatory reporting, and policy updates. We ensure your license stays in good standing year after year. Contact us for compliance support →

MiCA License in Cyprus in 2026

MiCA License in Cyprus in 2026: what it is and who needs it

A MiCA license in Cyprus is a CySEC authorisation for a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114. In practical terms, it is the legal basis for providing regulated crypto-asset services from Cyprus into the EU market.

The key dates matter. MiCA entered into force in 2023. Rules for ARTs and EMTs started applying from 30 June 2024. The main CASP regime started applying from 30 December 2024. Transitional arrangements in some Member States could run up to 1 July 2026, but by 2026 new applicants should think in full MiCA terms, not in legacy national-registration terms.

A Cyprus MiCA license is typically required if your business provides regulated services such as:

custody and administration of crypto-assets on behalf of clients;
exchange of crypto-assets for funds or for other crypto-assets;
execution, reception/transmission, or placing of orders;
transfer services for crypto-assets on behalf of clients;
portfolio management or advice on crypto-assets;
operation of a trading platform for crypto-assets.

The term “crypto license Cyprus” is still used commercially, but in 2026 it is too broad. The real legal question is whether your exact business model falls within the MiCA CASP perimeter, or outside it, or partly into another regime such as MiFID II, EMT/e-money, or payments regulation.

RUE helps founders answer the only question that matters before filing: what exactly are you licensing, under which legal perimeter, with which capital, and with which control framework?

Request Cyprus MiCA Assessment

MiCA vs the old Cyprus CASP regime

MiCA vs the old Cyprus CASP/VASP regime

The old Cyprus crypto regime was primarily an AML-based national registration framework. The MiCA regime is an EU-wide authorisation framework with conduct, prudential, governance, safeguarding, and passporting consequences.

Cyprus previously operated a national CASP register under AML legislation and CySEC supervision. That framework was useful for AML registration and domestic oversight, but it was not the same as a MiCA authorisation and did not create the same harmonised EU market access position.

Under MiCA, the legal and commercial stakes are materially higher:

registration is replaced by authorisation for in-scope CASPs;
the firm must demonstrate stronger governance, safeguarding, complaints handling, and conflicts management;
the authorisation can support passporting across the EU after proper notification;
the supervisory conversation is no longer only AML-focused, but also operational and prudential.

In 2026, legacy status is not a strategy on its own. If a business relied on the earlier Cyprus CASP/VASP framework, the practical task is now to perform a gap analysis against MiCA, TFR/Travel Rule, DORA-related ICT expectations, and updated governance requirements. RUE regularly supports this migration path through MiCA compliance document preparation and Cyprus-specific restructuring.

Prepare MiCA Documents

Business model to MiCA service mapping in Cyprus

Business model	Likely MiCA service trigger	Typical capital band	Extra regulator focus
Custodial wallet provider	Custody and administration; transfer services	€125,000	Key management, segregation, reconciliations, insolvency treatment
Crypto-fiat exchange	Exchange of crypto-assets for funds; often custody	€150,000 or combined scope	Banking, safeguarding of client fiat, AML, Travel Rule
Crypto-crypto exchange	Exchange of crypto-assets for other crypto-assets; often custody	€150,000 or combined scope	Market abuse controls, wallet architecture, monitoring
Broker / OTC desk	Reception/transmission, execution, placing, transfer	€50,000 to €150,000	Best execution logic, conflicts, client disclosures
Trading platform	Operation of a trading platform	€150,000	Order book controls, market surveillance, resilience
Crypto adviser / portfolio manager	Advice on crypto-assets; portfolio management	€50,000	Suitability logic, disclosures, conflicts management
Token placement agent	Placing of crypto-assets	€50,000	White paper perimeter, marketing controls, conflicts
Hybrid exchange + custody + cards/payments	MiCA + possible EMT/e-money or payments issues	Case-specific	MiCA/MiFID/EMI perimeter split, group structure

Illustrative mapping only. Final classification depends on the exact product flow, token type, custody model, and client journey.

The 4 legal layers behind a Cyprus MiCA license

A Cyprus MiCA license sits on top of four legal layers, not one.

Layer 1 — MiCA: service authorisation, conduct rules, safeguarding, governance, complaints, conflicts, market integrity, and disclosures.
Layer 2 — Cyprus AML/CFT law: customer due diligence, risk assessment, sanctions screening, suspicious transaction reporting, and internal AML governance under CySEC supervision and MOKAS reporting.
Layer 3 — Transfer of Funds Regulation (TFR): Travel Rule obligations for crypto transfers, including originator and beneficiary information handling.
Layer 4 — DORA / ICT resilience: operational resilience, incident management, outsourcing governance, testing, and third-party ICT risk control.

This four-layer model matters because many applications fail by treating MiCA as a filing exercise. In practice, CySEC wants to see whether the firm can operate safely once live. That means your AML alerting, wallet governance, vendor oversight, and incident response logic must all align.

RUE typically runs Cyprus MiCA projects as a combined legal + compliance + operating model workstream rather than a narrow licence filing. That approach is slower at the start but faster overall because it reduces re-drafting during review.

Who regulates MiCA in Cyprus

MiCA and CySEC supervision

CySEC is the National Competent Authority (NCA) that authorises CASPs in Cyprus. ESMA does not issue the licence. That distinction matters because many commercial pages describe ESMA as if it were the licensing body, which is incorrect.

The supervisory roles are split as follows:

CySEC reviews the application, grants or refuses authorisation, supervises the firm, and receives ongoing notifications and reports.
ESMA coordinates supervisory convergence at EU level and maintains public registers relevant to MiCA.
EBA is particularly relevant for prudential and stablecoin-related issues, especially around ARTs and EMTs.

For founders, the practical implication is straightforward: the application strategy must be built for CySEC review, but the legal interpretation should also be consistent with evolving ESMA/EBA technical standards, guidelines, and supervisory expectations. This is one reason why a Cyprus MiCA application should not rely only on local filing mechanics.

AML law, MOKAS and Travel Rule obligations

A CASP authorised in Cyprus remains fully exposed to AML/CFT obligations. The firm must be able to identify clients, assess risk, monitor transactions, escalate unusual activity, and file suspicious transaction reports to MOKAS where required.

The Travel Rule is operationally separate from MiCA but commercially inseparable from it. If your model involves crypto transfers, you should plan for:

collection and verification of originator and beneficiary data;
screening and exception handling for incomplete or non-compliant transfers;
integration with Travel Rule providers using standards such as IVMS101;
record retention and auditability for regulator review.

One underappreciated issue is interoperability failure. Even where a firm has a Travel Rule vendor, poor data mapping between wallet systems, KYC profiles, and transfer messaging can create unresolved exceptions and manual backlogs. CySEC will care less about the vendor brand than about whether your workflow actually works.

DORA, outsourcing and ICT resilience

DORA is not optional background noise for serious CASPs. In 2026, Cyprus applicants with custody, exchange, or platform exposure should expect scrutiny of ICT risk management, vendor dependency, incident classification, recovery procedures, and testing discipline.

At minimum, a mature Cyprus MiCA application should show:

ICT asset inventory and system ownership;
outsourcing register with criticality assessment;
incident response plan and escalation matrix;
business continuity and disaster recovery logic;
access control, logging, and change-management evidence;
exit strategy for critical ICT providers.

A practical nuance often missed by applicants: if your exchange engine, wallet stack, KYC, and customer support are all outsourced to different vendors, the real risk is not each vendor alone but control fragmentation. Regulators increasingly test whether management can oversee the chain as a whole.

See MiCA Regulation Guide

Minimum capital by MiCA service scope in Cyprus

Service scope	Indicative minimum capital	Typical examples	Key practical note
Advice, portfolio management, reception/transmission, execution, placing, transfer	€50,000	Crypto adviser, broker, placement agent, order-routing model	Still requires full governance, AML, and conduct framework
Custody and administration of crypto-assets on behalf of clients	€125,000	Custodial wallet provider, hosted wallet infrastructure	CySEC will focus heavily on safeguarding and key management
Exchange services and operation of a trading platform	€150,000	Exchange, matching venue, multi-service trading platform	Market abuse controls, resilience, and banking readiness become central

These thresholds are the usual MiCA baseline references. Final capital analysis depends on the precise service combination and prudential treatment.

What CySEC will actually test in a Cyprus MiCA application

Real Substance

CySEC will test whether the company has genuine management, oversight, and operational presence in Cyprus rather than a shell structure.

Tailored AML Architecture

The AML framework must reflect your client types, geographies, token flows, onboarding channels, and transaction patterns.

Safeguarding Logic

Client asset segregation, reconciliation, wallet governance, and insolvency treatment must be clearly documented and operationally credible.

Outsourcing Control

Critical vendors can be used, but the applicant must retain oversight, escalation rights, monitoring, and exit capability.

Financial Sustainability

CySEC will look beyond minimum capital and assess whether the business can survive its first operating year without unrealistic assumptions.

Management Quality

Experienced directors and control-function holders materially improve credibility, especially for exchange, custody, and platform models.

Documents required for a Cyprus MiCA application

Documents required for a Cyprus MiCA license application

A review-ready Cyprus MiCA license dossier usually includes a full operating pack, not just a regulator form set. The exact list depends on service scope, but the core file typically contains:

programme of operations and detailed business model description;
corporate documents, shareholding structure, UBO pack, and source-of-funds evidence;
business plan and 3-year financial projections;
governance framework, board responsibilities, and organisation chart;
fit-and-proper pack for directors and key persons;
AML/CFT manual, business-wide risk assessment, KYC procedures, sanctions and monitoring methodology;
safeguarding policy and client asset segregation model;
complaints handling policy and conflicts of interest policy;
outsourcing policy, vendor due diligence, and critical-function mapping;
ICT architecture, access-control model, incident response plan, BCP/DRP, and security controls;
client terms and disclosures, fee schedule, and risk warnings;
Travel Rule operating procedure and data-flow mapping where transfers are in scope.

The most common documentary weakness is not a missing file but a generic file. Regulators can usually spot when the AML policy, safeguarding model, or outsourcing section was copied from another industry or another jurisdiction. A good dossier reads like the operating manual of the actual business.

RUE supports this workstream through MiCA document preparation, Cyprus company support, and coordination with legal services in Cyprus.

Get Document Checklist

How long does a Cyprus MiCA license take in practice

How long does it take in practice in 2026?

A realistic timeline for a MiCA Licence in Cyprus is usually 6 to 9 months, but the true answer depends on preparation quality, service complexity, and how quickly the applicant can close gaps raised by CySEC.

A practical timeline model often looks like this:

Scoping and jurisdiction fit: 1-2 weeks
Company setup and substance planning: 2-4 weeks
Dossier drafting and control build: 4-10 weeks
Completeness check: often around 25-30 working days once filed
Substantive review: often around 40 working days, subject to pauses, extensions, and RFIs
Final remediation and go-live readiness: 2-6 weeks

Best case: 4-5 months for a simple advisory or broker model with strong management and clean documentation.
Realistic case: 6-9 months for most exchange, custody, or hybrid models.
Complex case: 9+ months where the business model is novel, the token perimeter is unclear, or the outsourcing chain is heavy.

Why applications get delayed

The most common delay triggers are:

unclear service perimeter or MiCA/MiFID boundary issues;
weak local substance and over-reliance on foreign outsourcing;
generic AML or safeguarding documents;
poorly evidenced source of funds or opaque group structure;
unrealistic financial projections;
immature ICT and incident-response framework;
slow or incomplete responses to CySEC questions.

A useful rule of thumb: most delays are created before filing, not after filing. If the operating model is not internally coherent, the regulator review simply exposes that fact.

Discuss Timeline and Budget

MiCA vs MiFID II boundary

MiCA does not apply to crypto-assets that qualify as financial instruments. This is one of the most important perimeter questions for a Cyprus project.

If a token gives rights similar to shares, bonds, units in collective investment undertakings, or other MiFID II financial instruments, the relevant regime may shift from MiCA to investment services law, prospectus rules, custody rules for financial instruments, or a hybrid structure. The same issue appears in some tokenised debt, revenue-sharing tokens, and structured yield products.

Founders often underestimate this boundary because the product is marketed as “crypto”. Regulators do not classify by marketing label; they classify by legal rights, economic function, transferability, and governance structure. A wrong classification can invalidate the entire licence strategy.

RUE usually recommends a written token classification memo before finalising the Cyprus MiCA scope. This is particularly important for exchanges listing proprietary tokens, launchpad models, and projects with embedded investment features.

When Cyprus is a strong fit and when it is not

When Cyprus is a strong fit — and when it is not

Cyprus is a strong fit for founders who want a credible EU base, are ready to build real substance, and need a balanced combination of CySEC supervision, professional ecosystem, and tax efficiency.

Good fit: exchange, custody, brokerage, or advisory businesses targeting the EU with a real compliance budget and willingness to maintain local governance.
Good fit: groups that need Cyprus company law, accounting, banking strategy, and integration with broader EU operations.
Poor fit: ultra-lean founders seeking a no-substance “paper licence”.
Poor fit: projects with unresolved token-classification issues or models that may fall under MiFID II, EMI, or payments regulation but are trying to force a MiCA narrative.
Poor fit: teams unwilling to invest in AML tooling, Travel Rule workflows, and DORA-grade ICT governance.

The honest answer is that Cyprus is not the cheapest route if you count the full operating model. It is attractive when the objective is a sustainable EU-regulated business, not a short-term licensing shortcut.

Compare EU MiCA Jurisdictions

Common mistakes applicants make

Treating MiCA as an AML registration

MiCA authorisation is broader than AML registration and requires conduct, safeguarding, governance, and prudential readiness.

Using generic policy templates

Copied AML, outsourcing, or safeguarding documents usually trigger RFIs because they do not match the real business flow.

Underbuilding local substance

A shell company with outsourced everything is difficult to defend before CySEC and weakens banking and tax positions.

Ignoring Travel Rule operations

A firm may have KYC in place but still fail operationally if Travel Rule data cannot be transmitted and reconciled reliably.

Misclassifying the token perimeter

If the product may be a financial instrument, MiCA may not be the right regime and the whole application strategy can collapse.

Unrealistic financial projections

Aggressive volume assumptions and understated compliance costs are a recurring red flag in CASP applications.

Legal disclaimer and source framework

Legal disclaimer and source framework

This page is an informational overview prepared by Regulated United Europe (RUE) for founders, legal teams, and compliance officers considering a MiCA license in Cyprus. It is not legal, tax, investment, or accounting advice. The correct licensing path depends on the exact service perimeter, token classification, group structure, outsourcing model, and factual operating setup.

For formal decision-making, the primary sources should include:

Regulation (EU) 2023/1114 on markets in crypto-assets;
CySEC notices, forms, and supervisory materials;
ESMA and EBA technical standards and guidelines;
Transfer of Funds Regulation for Travel Rule compliance;
DORA for ICT risk and outsourcing governance;
Cyprus AML law and MOKAS reporting framework;
Cyprus Tax Department guidance for tax treatment.

If you need a formal position, RUE can deliver a Cyprus MiCA feasibility assessment, token classification memo, document checklist, and budget/timeline estimate.

Request Feasibility Review

📝 Check Your Eligibility

Answer a few quick questions to find out if this jurisdiction suits your crypto business

Step 1 of 5

What type of crypto services will you provide?

Exchange (fiat ↔ crypto)

Custody & Wallet Services

Transfer & Payment Services

Advisory / Portfolio Management

Multiple / All of the Above

Step 2 of 5

What is your target market?

European Union only

EU + Global markets

Global (non-EU priority)

Step 3 of 5

Do you already have a registered company in the EU?

Yes, in this jurisdiction

Yes, in another EU country

No, I need to register one

Step 4 of 5

What is your available budget range?

Under €20,000

€20,000 – €50,000

€50,000 – €100,000

Over €100,000

Step 5 of 5

When do you plan to launch?

As soon as possible (1–3 months)

Within 6 months

Within a year

Just exploring options

✅

This Jurisdiction Is a Great Fit!

Based on your answers, this jurisdiction matches your business requirements well. Here's a quick summary:

Recommended License

CASP License

Estimated Budget

€24,000 – €35,000

Estimated Timeframe

4–6 months

EU Passporting

Available

📞 Get Personalized Assessment

Step-by-Step Cyprus MiCA Process

Step 1

Scoping and Feasibility

Define the exact MiCA service perimeter, check MiCA vs MiFID/EMT boundary issues, assess whether Cyprus is the right home state, and build an initial budget and timeline. Duration: 1-2 weeks.

Step 2

Company Setup

Incorporate the Cyprus entity, plan office and governance substance, appoint directors, map control functions, and prepare ownership and source-of-funds documentation. Duration: 2-4 weeks.

Step 3

Control Framework Build

Draft the business plan, financial model, AML/CFT framework, safeguarding model, outsourcing pack, complaints/conflicts policies, and ICT security documentation. Duration: 4-10 weeks.

Step 4

Application Filing

Submit the complete dossier to CySEC, align supporting annexes, and ensure the filing is internally consistent across legal, financial, AML, and technology sections. Duration: 1-2 weeks.

Step 5

Completeness Review

CySEC checks whether the application is complete enough to enter substantive review. In practice this stage often takes around 25-30 working days, depending on filing quality and follow-up clarifications.

Step 6

Substantive Assessment

CySEC reviews governance, safeguarding, AML, outsourcing, financials, and fit-and-proper suitability. Expect RFIs, document refinements, and possible management interviews. Duration: often 40 working days plus pauses/extensions.

Step 7

Approval and Register

After approval, final conditions are closed, internal controls are confirmed, and the authorised CASP proceeds to registration visibility and cross-border notification planning. Duration: 2-4 weeks.

Step 8

Go-Live and Passporting

Finalize banking/payment rails, Travel Rule operations, staff training, internal reporting, and passporting notifications for target EU states. Duration: 2-6 weeks depending on launch complexity.

Start Your Application

Frequently Asked Questions

What is a MiCA license in Cyprus? +

A MiCA license in Cyprus is a CySEC authorisation for a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114. It allows an authorised firm established in Cyprus to provide in-scope crypto-asset services and, after proper notification, use MiCA passporting for cross-border activity in the EU.

It is not the same as the old Cyprus AML-based CASP registration model. In 2026, new applicants should approach Cyprus as a full MiCA authorisation jurisdiction with governance, safeguarding, conduct, AML, Travel Rule, and ICT-resilience obligations.

Who needs a Cyprus MiCA license? +

A business usually needs a Cyprus MiCA license if it provides regulated crypto-asset services from Cyprus or into the EU market from a Cyprus establishment. Typical examples include:

custodial wallet providers;
crypto-fiat and crypto-crypto exchanges;
brokers and OTC desks;
trading platforms;
crypto advisers and portfolio managers;
firms placing crypto-assets or transmitting client orders.

The exact answer depends on the service flow and token classification. Some models marketed as “crypto” may instead fall under MiFID II, e-money, or payments rules.

Can a non-EU founder obtain a MiCA license in Cyprus? +

Yes, non-EU founders can own a Cyprus CASP structure, but ownership is only one part of the analysis. CySEC will still require transparent UBO disclosure, clean source-of-funds evidence, fit-and-proper management, and a governance model that supports effective supervision in Cyprus.

In practice, non-EU ownership usually increases scrutiny around:

group structure and beneficial ownership transparency;
source of wealth and source of funds;
where strategic decisions are actually made;
whether the Cyprus entity has genuine substance or is only a routing vehicle.

Non-EU founders can succeed, but the Cyprus company must still look and operate like a real regulated business.

Does a Cyprus MiCA license allow passporting across the EU? +

Yes, a Cyprus MiCA license can support passporting across the EU after the required notification process. The licence is granted by CySEC as the home-state authority, and the firm can then notify cross-border services into other Member States.

Passporting is not a free-for-all. The firm must still comply with applicable local rules on matters such as consumer communications, marketing, tax, and data protection. The practical rule is: one authorisation, multiple local conduct overlays.

Is a physical office required in Cyprus? +

A real operational presence is strongly expected for a credible MiCA Licence in Cyprus. While the exact office footprint depends on the business model, a virtual address alone is usually not enough for a serious CySEC application.

CySEC will look at substance through a wider lens:

where management and control sit;
where records are kept and decisions are made;
whether key functions can be supervised effectively;
whether the entity has practical operational capability in Cyprus.

For most applicants, the right question is not “minimum office” but “minimum credible substance”.

Do I need a local MLRO or can the function be outsourced? +

The MLRO/AML function can sometimes be structured with outsourcing support, but CySEC will expect clear accountability, oversight, and practical availability. For many Cyprus CASP projects, a local or strongly Cyprus-connected AML setup is commercially safer.

The regulator will typically test:

who owns AML decisions internally;
whether the MLRO has sufficient authority and time commitment;
how suspicious activity is escalated to MOKAS;
whether outsourced AML support can actually monitor the business in real time.

Outsourcing can reduce cost, but it does not remove board responsibility.

How much capital is required for a MiCA Licence in Cyprus? +

The standard MiCA minimum capital thresholds commonly referenced for a Cyprus MiCA license are €50,000, €125,000, and €150,000, depending on the authorised service scope.

€50,000 — typically for advice, portfolio management, placing, transfer, execution, or order reception/transmission;
€125,000 — typically for custody and administration of crypto-assets on behalf of clients;
€150,000 — typically for exchange services and operation of a trading platform.

Minimum capital is not the full answer. CySEC will also assess own funds, liquidity, funding sources, and whether the firm has enough runway to operate safely after authorisation.

How much does a MiCA license in Cyprus really cost in 2026? +

A realistic first-year budget for a MiCA license in Cyprus is usually much higher than the minimum capital alone. In practice, founders should budget for:

company formation and corporate maintenance;
legal and regulatory drafting;
AML/CFT framework and compliance tooling;
MLRO/compliance/risk staffing;
office and substance costs;
audit, accounting, and tax support;
security, penetration testing, and ICT remediation;
banking and payment onboarding.

For many serious applicants, the practical project budget starts from the mid-five figures and can move well into six figures depending on scope. Exchange and custody models are typically the most expensive. RUE provides a tailored feasibility estimate rather than a generic headline quote.

How long does CySEC take to review a MiCA application? +

The practical answer is usually 6-9 months end-to-end, including preparation, filing, review, RFIs, and go-live remediation.

A common timing structure is:

4-10 weeks for preparation;
around 25-30 working days for completeness review;
around 40 working days for substantive assessment, subject to pauses and RFIs;
2-6 weeks for final conditions and operational readiness.

Delays usually come from weak documentation, unclear outsourcing, poor substance, or slow responses rather than from the formal clock alone.

What happens to old Cyprus CASP structures after the transition period? +

Legacy Cyprus CASP/VASP structures do not remain a permanent substitute for MiCA authorisation. Transitional treatment depended on the national and EU timing framework, with a ceiling that could run up to 1 July 2026 in some cases.

In 2026, the practical approach for legacy firms is:

perform a MiCA gap analysis;
upgrade governance, safeguarding, AML, Travel Rule, and ICT controls;
prepare a full authorisation strategy rather than relying on historical registration status.

If a business is still operating on a legacy logic without a valid MiCA path, it should obtain jurisdiction-specific legal advice immediately.

Does MiCA cover token issuance, staking, and DeFi? +

Sometimes yes, sometimes no. MiCA covers certain issuer activities and CASP services, but not every blockchain activity fits neatly inside it.

Token issuance: MiCA can apply to public offers and admissions to trading of crypto-assets, with separate regimes for ARTs and EMTs, including white paper and issuer obligations.
Staking: treatment depends on how the product is structured. Native protocol participation, custodial staking, reward pooling, and yield-bearing wrappers can produce different regulatory outcomes.
DeFi: fully decentralised models may sit outside parts of MiCA, but many projects marketed as DeFi still have identifiable operators, interfaces, treasury control, or governance concentration that bring regulation back into scope.

The right answer depends on factual control, custody, client intermediation, and token rights. A product memo is usually required before choosing the Cyprus licensing path.

When does MiCA not apply because MiFID II may apply instead? +

MiCA does not apply where the token is a financial instrument within the meaning of MiFID II. This can happen with tokenised shares, bonds, fund interests, and some rights-bearing or profit-linked instruments.

The boundary is assessed by substance, not branding. Regulators will look at:

the legal rights attached to the token;
whether it resembles transferable securities or other financial instruments;
how returns are generated and promised;
whether the structure creates investment-service features.

This is one of the most important threshold questions in a Cyprus MiCA project because the wrong perimeter choice can invalidate the entire application strategy.

What are the penalties for operating without authorisation in Cyprus? +

Operating an in-scope crypto business without the required authorisation can lead to severe regulatory consequences, including cease-and-desist measures, administrative sanctions, reputational damage, banking termination, and personal exposure for directors.

The exact enforcement route depends on the facts, but the commercial consequences are often immediate:

loss of banking and payment support;
inability to onboard institutional partners;
public enforcement visibility;
difficulty obtaining future licences in Cyprus or elsewhere in the EU.

If a business may already be in scope, the safest step is to stop expansion, preserve records, and obtain urgent legal advice on authorisation strategy.

Regulated United Europe OÜ

Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia

Company in Lithuania UAB

Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25-702, Vilnius, 09320, Lithuania

Company in Czech Republic s.r.o.

Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perstyne 342/1, Prague

Company in Poland Sp. z o.o.

Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, Warsaw, 00-824, Poland

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

Main Services

Terms of Cooperation

Regulated United Europe