MiCA Licence in Cyprus

On 30 December 2024, the Markets in Cryptoassets Regulation (MiCA) came into force in the European Union, which establishes a uniform and binding regulatory framework for the cryptocurrency sector in all EU countries. This document establishes transparent rules of operation, strengthens investor protection and introduces comprehensive measures to prevent money laundering. For Cyprus, which is actively developing the fintech and digital assets segment, the entry into force of the MiCA both opens up new opportunities and poses a number of challenges for market participants that require rapid adaptation.

MiCA is designed to address the fragmentation of national cryptocurrency regulatory regimes, creating a unified approach in the following key areas:

• Mandatory licensing for service providers with the right to operate across the EU
• Preparation and publication of detailed investor information documents disclosing risks and financial projections
• Establishing strict requirements for the issuance and circulation of stablecoins, including ensuring the stability of their collateral
• Introduction of enhanced customer identification (KYC) and anti-money laundering (AML) procedures
• Enshrining transparent standards to protect the rights of retail investors, including marketing rules and refund procedures

Due to its strategic geographical location, competitive tax system and flexible business environment, Cyprus maintains a strong position as an attractive jurisdiction for cryptocurrency startups and international platforms. Under MiCA, holding a Cypriot licence gives the right to freely provide services in any EU country without the need for additional permits. At the same time, the tightening of AML/CFT regulations requires businesses to review internal procedures and develop more comprehensive AML/KYC policies. Stablecoin issuers choosing Cyprus as a base jurisdiction gain access to infrastructure and qualified legal support for compliance, reserve management and corporate structure. The introduction of uniform consumer protection standards further increases the level of trust in crypto projects, which is particularly important for attracting investors and users.

The new regulatory environment increases companies’ need for specialised legal services, from drafting internal regulations and advising on licensing issues to supporting regulatory audits and resolving potential disputes. Cyprus is well positioned to become one of the key cryptocurrency business centres in Europe. The combination of the opportunities offered by MiCA and the advantages of the local jurisdiction creates the conditions to attract investment, stimulate innovation and strengthen the country’s international reputation as a stable and predictable financial centre.

Cyprus has developed a reputation as one of the most attractive jurisdictions in Europe for virtual asset-related activities. Its favourable geographical location, legal system based on English common law, competitive tax policy, liberal visa regime for qualified third-country professionals and moderate level of regulation compared to a number of other EU states are contributing to the growing interest from international crypto and fintech companies. eToro was the first company to obtain a MiCA licence in Cyprus.

The Government of the Republic of Cyprus has demonstrated a strategic interest in the adoption and development of distributed ledger technologies, aiming to make the country an advanced and trusted financial centre for cryptoasset-based trading and services. In 2018, Cyprus joined the Southern Mediterranean Declaration on Distributed Ledger Technologies and the European Blockchain Partnership, enabling coordination with other EU states on the regulation of DLT technologies. In the same year, the Cyprus Securities and Exchange Commission (CySEC) established an Innovation Centre that provided direct interaction between the regulator and market participants to accelerate the development of business models while enhancing investor protection. In parallel, a working group was formed by a decision of the Council of Ministers to develop a national blockchain strategy to create a legal framework separating tokens from securities and other types of digital assets. In February 2021, the Law on the Prevention of Money Laundering and Terrorist Financing (188(I)/2007-2019) was amended implementing the provisions of EU Directive 2018/843 (AMLD5), which enshrined the concept of “cryptoasset” at the legislative level. The law defines a crypto-asset as a digital representation of value that is not issued or guaranteed by a central bank or public authority, is not legal tender but is accepted as a medium of exchange or investment instrument and is transferable in electronic form, with the exception of fiat currencies, electronic money and financial instruments defined in Law 87(I)/2017.

Cryptoasset related service providers (CASPs) in Cyprus are required to register with CySEC if they carry out activities including:

• exchanging crypto-assets to and from fiat currencies;
• exchange between cryptoassets;
• storage and administration of cryptoassets (including keys and access mechanisms);
• issuance and sale of cryptoassets;
• providing investment services related to cryptoassets (acceptance and transmission of orders, execution of trades, proprietary trading, portfolio management, consultancy, underwriting and placement of tokens, management of multilateral trading systems).

CySEC maintains a register of CASPs and monitors their activities. The exception is operators already authorised in another EU jurisdiction. Regulated activities include exchange operations, ICOs and asset custody services. At the same time, activities such as cryptocurrency lending, staking or mining are currently not specifically regulated, unless they overlap with CASPs’ asset custody obligations.

Markets in Crypto Assets Regulation in Cyprus

The EU Markets in Crypto Assets Regulation (MiCA), which came into force in June 2023, is due to be implemented into Cypriot law by 30 December 2024. CySEC has therefore suspended the acceptance of new applications for CASP registration under the national rules. MiCA establishes harmonised disclosure, corporate governance and licensing requirements for all cryptoasset market participants in the EU.

The regulation covers three categories of entities:

• Cryptoasset issuers;
• service providers (CASPs);
• trading platform participants.

Cryptocurrencies, stablecoins and utility tokens fall within the scope of MiCA, while tokens qualifying as securities under MiFID II, deposits, securitisation products and insurance/pension instruments are taken outside the scope of the regulation. A separate approach is envisaged for NFTs: unique tokens not organised in collections are mostly excluded, but for collectible NFTs, documentation is required to disclose their purpose.
There is no specific tax regime for cryptocurrencies in Cyprus. The tax authorities qualify income depending on the nature of the transactions: profits from trading assets are subject to corporate tax at 12.5% for companies or progressive income tax for individuals (0-35%), while income from long-term holding or steaking may not be taxed. As far as VAT is concerned, the position of the European Court of Justice (Case C-264/14), which exempts cryptocurrency-to-fiat exchange transactions from VAT, equating them to foreign exchange transactions, applies. As of 2025, Cyprus continues to be a significant international hub for cryptocurrency businesses, offering favourable tax conditions, flexible regulation and access to EU markets. However, the upcoming implementation of MiCA creates the need for companies to proactively adapt corporate procedures and internal policies to the new requirements, as well as to take into account the complexities of opening and maintaining bank accounts for cryptocurrency projects.

Market in crypto assets requirements in Cyprus 2025

As part of the improvement of the national regulation of crypto assets, the Ministry of Finance of the Republic of Cyprus, through the Financial Services Authority, has submitted for public consultation a draft law on “Cryptocurrency Markets 2025”. The document aims to integrate the provisions of the Markets in Cryptoassets Regulation (EU) 2023/1114 (MiCA) into the national legal system and to define the powers of the authorities responsible for its implementation. The MiCA Regulation enters into full force on 30 December 2024 for cryptoassets not covered by existing sectoral financial regulations, including digital assets that are not financial instruments, deposits or insurance products. Although directly applicable in all EU states, a number of MiCA provisions require national acts, primarily in terms of defining competent supervisory authorities, establishing their powers and the procedure for applying administrative sanctions.

Key provisions of the MiCA Bill in Cyprus

1. Dual system of supervision
   Two competent authorities are designated for MiCA purposes:
   • Cyprus Securities and Exchange Commission (CySEC)-supervision of all cryptoasset service providers other than credit, payment and e-money issuers.
   • Central Bank of Cyprus (CBC) -supervision of credit institutions, payment institutions and e-money issuers operating under MiCA.
2. Extended powers of supervisory authorities
   The Bill provides for additional powers, including:
   • the requirement to provide regular reporting and information;
   • the right to immediately suspend entities operating without a licence or in breach of MiCA requirements;
   • imposing additional requirements on cryptoasset service providers’ own funds beyond the minimum requirements set out in Article 67 of MiCA;
   • carrying out audits and inspections both by the authorities and by external auditors, including the inspection of information systems.
3. Extended list of infringements
   In addition to the offences expressly provided for in MiCA, the Bill includes:
   • non-compliance with provisions of national law enacted pursuant to MiCA;
   • provision of crypto services in Cyprus by persons from third countries without proper authorisation;
   • Providing false or misleading information, as well as withholding information from supervisory authorities.
4. Criminal liability
   The Bill introduces criminal sanctions for:
   • public offering of cryptoassets without a licence;
   • providing crypto services without fulfilling authorisation conditions;
   • deliberately providing false information or concealing it when liaising with regulators.

The Cypriot Ministry of Finance invites comments and suggestions from interested parties regarding the applicability and scope of the draft law. An explanatory note and a table of consistency between the MiCA provisions and the proposed national law provisions have been prepared to facilitate analysis.

10 steps to start a crypto project in Cyprus

1. Obtaining a licence to operate
   Any company offering cryptoasset-related services in Cyprus is required to hold a Crypto Asset Service Provider (CASP) licence issued by the Cyprus Securities and Exchange Commission (CySEC). Operating without a licence will result in immediate termination of business, as well as administrative and criminal sanctions. To obtain authorisation, a full set of documents must be submitted to CySEC, including a business plan, internal control policy, details of beneficiaries and management structure.
2. Development and implementation of AML/CFT policies and KYC procedures
   Cyprus strictly applies AML/CFT regulations to CASPs. The company is required to implement a comprehensive system of customer identification, risk assessment, transaction monitoring and timely reporting of suspicious transactions. These processes must be enshrined in internal policies and supported by employee training and the appointment of a Compliance Officer.
3. Proper classification of tokens
   Before launching a crypto project, tokens need to be legally categorised as utility tokens, asset-backed tokens (ART), electronic money tokens (EMT) or tokens qualifying as financial instruments under MiFID II. The category of token determines the set of regulatory requirements, including licensing, disclosure and investor protection. Mis-categorisation can lead to serious sanctions.
4. Personal Data Protection Compliance (GDPR)
   Cyprus, as a member of the EU, fully applies the General Data Protection Regulation (GDPR). Cryptoprojects are required to ensure that personal data is lawfully processed, protected and stored in a way that takes into account the specificities of blockchain technology. This includes documenting processing processes, privacy impact assessments (DPIA), appointing a data protection officer (DPO) and developing a response plan for data breach incidents.
5. Planning the tax structure of the project
   Cyprus does not have a separate tax regime for cryptocurrencies, but income from their sale or exchange may be subject to corporate tax at a rate of 12.5 per cent or, in the case of individuals, on a progressive scale. In order to mitigate tax risks, it is important to determine the taxation model in advance, ensure bookkeeping and documentation of transactions.
6. Legal and technical audit of smart contracts
   Smart contracts in the Cypriot jurisdiction are treated as legally enforceable agreements when the requirements of contractual validity are met. Before implementation, they must undergo both technical and legal audits including code security, compliance with standards and analysing possible legal risks.
7. Develop a crisis management plan
   Crypto projects are subject to technological, regulatory and reputational risks. A strategy for responding to cyberattacks, system failures, or regulatory claims should be provided in advance. The plan should include procedures for notifying regulators, interacting with customers, and restoring operations.
8. Using the MiCA “passporting” mechanism to enter the EU market
   Having a Cypriot CASP licence allows services to be provided throughout the EU, subject to the notification procedure and local requirements of other member states. At the stage of planning international expansion, it is important to take into account the peculiarities of regulation in specific countries, as well as to establish co-operation with local partners.
9. Remuneration of labour and settlements with counterparties in cryptocurrency
   Although Cyprus does not prohibit settlements in cryptocurrencies, payments to employees must comply with labour laws and be accompanied by withholding of taxes and social contributions. For contracts with payment in digital assets, it is recommended to conclude written agreements with a fixed equivalent in Euros and taking into account AML/KYC requirements.
10. Establishing and maintaining banking relationships
    Opening a corporate account for a cryptocurrency company in Cyprus is only possible with proven regulatory compliance, a CySEC licence, internal AML/KYC policies and a transparent ownership structure. Interaction with the bank must be accompanied by the provision of a full set of legal documentation and evidence of the integrity of the business.

Taxation of cryptocurrencies in Cyprus in 2025

In the Republic of Cyprus, the current tax system for cryptoassets provides that profits derived by legal entities from cryptocurrency transactions are subject to a corporate tax rate of 12.5 per cent. For individuals who are not tax residents of Cyprus, a capital gains tax exemption applies to most types of cryptocurrencies, making the jurisdiction attractive to international investors. Non-replaceable tokens (NFTs), when qualifying as digital goods, are subject to taxation rules at the standard value added tax rate of 19%. In the context of crypto-industry regulation, the EU Markets in Cryptoassets Regulation (MiCA) comes into force, which imposes an obligation on service providers in this field to obtain a licence from the Cyprus Securities and Exchange Commission (CySEC) no later than 31 December 2025. Licensing requires compliance with a number of strict requirements, including the implementation of Know Your Customer (KYC) and Anti-Money Laundering and Anti-Terrorist Financing (AML) procedures, the maintenance of a minimum level of equity capital, and the establishment and operation of comprehensive internal control systems. In order to ensure proper compliance with the legal requirements, it is recommended to follow a number of best practices. First of all, there should be a clear distinction between types of tokens according to legal classification – into utilitarian tokens, asset-linked tokens and electronic money tokens (EMTs). With regard to the accounting of transactions with crypto-assets, it is advisable to apply the FIFO method or use a system of special identification of transactions. For operators of trading platforms working with NFTs, an important element of compliance is regular auditing on VAT taxation issues. Additionally, structuring the business through a holding company using such tax optimisation tools as Notional Interest Deduction (NID) and IP Box regime may be considered, which allows to legally reduce the tax burden. As part of legal support for cryptocurrency activities, it is possible to receive comprehensive support, including the development and documentation of financial flow mapping, preparation of internal regulatory framework and submission of a full package of documents to CySEC for licensing purposes. This approach minimises regulatory risks, ensures the sustainability of corporate processes and guarantees compliance with both national and European legislation.

Central Bank of Cyprus – regulator of cryptocurrency companies

The Central Bank of Cyprus has approved the updated version of the Anti-Money Laundering and Terrorist Financing Directive, published in the Official Gazette on 2 May 2025 and effective from 2 June 2025. The document represents a significant development of the national financial supervision system, establishing improved customer due diligence mechanisms and adapting procedures to modern challenges, including formalising the interaction of banking institutions with cryptoasset service providers. The legal framework of the Directive is organised in accordance with the AML/CFT regulations of the European Union, taking into account the provisions of the Fourth and Fifth EU Anti-Money Laundering Directives, as well as the latest developments in European financial regulation. The scope of application of the document covers a wide range of financial intermediaries: credit institutions, payment and electronic money issuing organisations, currency exchangers, credit companies and debt management firms. This establishes harmonised standards for AML/CFT compliance in different segments of the financial market.

The regulatory approach of the Central Bank of Cyprus is based on a balance between strict compliance and consideration of the practical aspects of their application in the industry. Attention is paid to both classic banking transactions and modern financial technologies. Key changes affect customer identification and verification procedures. Norms allowing remote establishment of business relations with the use of digital identification technologies and electronic document transmission have been introduced. This format is adapted to the accelerated digitalisation of the financial sector and complies with the recommendations of the European Banking Authority. However, institutions are required to ensure an equivalent level of security to traditional methods, including the detection of forged documents and the minimisation of technological risks. A significant innovation is the permission to use copies of identity documents when updating data under the KYC programme. This reflects a move to a risk-based approach where documentation requirements depend on the stage and nature of the customer relationship. Higher standards may be maintained for initial identification, while simplified procedures are allowed for subsequent servicing.

The Directive also establishes special conditions for serving persons with disabilities and customers with asylum seeker or other protected status. Financial institutions are required to implement alternative identification mechanisms that exclude discrimination and ensure access to banking services while maintaining security measures. Separate provisions are devoted to identifying and restricting services to shell companies whose activities may involve illegal movement or concealment of beneficial ownership. The document contains criteria to distinguish between legitimate corporate structures and fictitious entities.

The regulator has established enhanced due diligence requirements for clients from specific sectors, including investment companies, gambling and betting operators, law firms and accounting firms. Each category takes into account a specific risk profile, ranging from high velocity of funds and the potential for transactional stratification in the gaming industry to indirect involvement with high-risk clients in professional services. The most significant element of the reform is the entrenchment of the right of credit institutions in Cyprus to open accounts for cryptoasset service providers licensed under Regulation (EU) 2023/1114 (MiCA). This marks a shift from a previously undefined practice to formal recognition of the legal status of such financial market participants. At the same time, additional obligations are created for banks to conduct in-depth due diligence on CASP business models, assess their internal control systems and monitor operations.

There are separate requirements for cryptoasset service providers not subject to MiCA, taking into account the diversity of national and international regulatory regimes. The Directive modernises internal and external suspicious transaction reporting procedures. It introduces harmonised forms for recording information and transmitting it to compliance units, ensuring comparability of data and facilitating supervision. The expanded record keeping requirements are designed to support regulatory examinations and criminal investigations, including long after suspicious activity has been detected. Enforcement of the new regulations involves significant investment in technology infrastructure, including digital verification and electronic document management systems. For small and medium-sized organisations, the Central Bank’s guidance on permissible technologies and uniform standards will be of particular importance.

The implementation of the directive’s provisions requires systematic training of personnel at all levels: from compliance officers to employees directly interacting with clients. In addition to classical AML/CFT schemes, attention is paid to the specifics of working with digital assets, remote identification and special categories of customers. The implementation of the directive is supervised by the Central Bank of Cyprus, which has discretionary powers to assess the adequacy of the procedures and apply enforcement measures. The regulator is expected to continue issuing clarifications and guidance, including standardising KYC approaches for crypto vendors, defining a list of acceptable alternative documentation and technical requirements for remote processes. The new version of the Central Bank of Cyprus Directive thus forms an updated and comprehensive system of anti-money laundering measures that integrates the regulation of the crypto industry into national banking practices. It combines enhanced controls with greater accessibility to financial services and reflects a strategy of harmonising national regulations with pan-European AML/CFT and MiCA standards.

MiCA regulations in Cyprus

The European Union Regulation 2023/1114 on Markets in Cryptoassets (MiCA), which comes into full force at the end of 2024, introduces mandatory requirements for all cryptoasset-related service providers operating in the EU. In Cyprus, the implementation of MiCA provisions is the responsibility of the Securities and Exchange Commission (CySEC), which is responsible for issuing Crypto Asset Service Provider (CASP) licences. From the beginning of 2026 it will be prohibited to conduct cryptocurrency activities without such a licence in Cyprus.

Regulated United Europe provides full support for the process of obtaining a licence, covering both legal and organisational issues. The work starts with a legal analysis of the client’s business model and classification of the planned activity in accordance with MiCA requirements. At this stage, it is determined whether the project is subject to regulation and the category of crypto-assets is established – utility tokens, asset-linked tokens or electronic money tokens. This approach helps to eliminate errors in submitting documents and minimise the risk of rejection by the regulator. The most important area of preparation for licensing is the formation of an internal control system and compliance procedures. Internal documents should cover KYC/AML policies, operational and cyber risk management mechanisms, incident response and internal audit procedures, as well as staff training programmes. All documents shall be developed taking into account both MiCA requirements and Cypriot national legislation, including anti-money laundering regulations.

Cypriot law and CySEC requirements stipulate prescribed minimum capital levels depending on the nature of the business, as well as requirements for the reputation and qualifications of directors and key officers. Regulated United Europe accompanies the process of structuring the company, selecting the management team, preparing supporting documentation and establishing corporate governance in accordance with established standards. Particular attention is paid to describing the technological infrastructure and financial flows. CySEC requires detailed schemes for the storage of digital assets, customer data protection and transaction procedures. Regulated United Europe prepares technical descriptions, fund flow diagrams and security protocols in a format that meets the regulator’s requirements.

Once a complete application, internal regulations and evidence of compliance with the licensing criteria have been prepared, a submission to CySEC is organised and liaison with the regulator is undertaken until authorisation is granted. If necessary, additional clarifications and responses to queries are prepared. From the moment a licence is granted, the company is required to report regularly to CySEC, keep internal procedures up to date and conduct internal audits. Regulated United Europe provides post-licence support services, including reporting, updating compliance documentation and advising on legislative changes, and can also assist in obtaining MiCA licences in other European countries.

The Cyprus jurisdiction combines a flexible approach to regulating innovative financial services with a competitive tax system, with a corporate tax rate of 12.5% and a capital gains tax exemption for non-residents on most cryptocurrencies. Additional regimes, such as IP Box and Notional Interest Deduction, create conditions for tax optimisation. This makes Cyprus an attractive entry point into the EU market for cryptocurrency companies, and Regulated United Europe’s comprehensive support ensures full regulatory compliance and successful licensing in a short timeframe.