MiCA License in Spain 2026

MiCA license in Spain in 2026: what it is and who actually needs it

MiCA license in Spain is market shorthand for CASP authorisation under Regulation (EU) 2023/1114. It is not a separate Spanish-only product and it is not the same thing as the older AML-oriented VASP registration model used before full MiCA harmonisation.

In practical terms, your company needs a Spain MiCA license if it provides regulated crypto-asset services from Spain or uses Spain as its home Member State for services such as custody and administration of crypto-assets on behalf of clients, operation of a trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, placement, reception and transmission of orders, transfer services, portfolio management, or advice on crypto-assets.

The key business consequence is material: MiCA moves the market from fragmented national registration logic to a harmonised EU authorisation framework. That means governance, safeguarding, prudential controls, outsourcing oversight, complaints handling, and market-conduct expectations are now part of the licensing conversation from day one.

For founders, the strategic question is not only “can we get licensed?” but also “does our current operating model survive regulator scrutiny?”. A business that depends on nominee governance, generic AML templates, unclear token classification, or outsourced everything-without-oversight will usually struggle under MiCA even if it previously operated under a lighter VASP regime.

MiCA vs VASP in Spain: what changed after the old registration regime

Direct answer: the old VASP model in Spain was primarily an AML registration framework linked to the Banco de España, while MiCA creates a full CASP authorisation regime with broader conduct, governance, safeguarding, and passporting consequences.

• Old VASP regime: focused mainly on AML/CFT registration and controls;
• MiCA CASP regime: adds authorisation, prudential expectations, conduct rules, safeguarding, complaints, outsourcing, and EU passporting;
• Old regime consequence: limited utility for EU-wide scaling;
• New regime consequence: one home-state authorisation can support cross-border EU activity through passporting notifications.

The most common market mistake is to treat legacy VASP status as if it were equivalent to MiCA authorisation. It is not. A prior registration may help show operating history and AML maturity, but it does not replace the need for a proper CASP file under MiCA.

RUE typically starts Spain MiCA projects with a perimeter memo that maps each product feature to a MiCA service category, a MiFID II exclusion analysis where relevant, and a legacy-to-MiCA gap review. That step often prevents months of avoidable rework later in the process.

Which services are covered by a MiCA Licence in Spain?

Direct answer: a MiCA Licence in Spain covers the regulated crypto-asset services listed in MiCA for Crypto-Asset Service Providers (CASPs). The scope is broader than “exchange and wallet” and should be mapped feature by feature.

The core service perimeter typically includes:

• custody and administration of crypto-assets on behalf of clients;
• operation of a trading platform for crypto-assets;
• exchange of crypto-assets for funds;
• exchange of crypto-assets for other crypto-assets;
• execution of orders for crypto-assets on behalf of clients;
• placing of crypto-assets;
• reception and transmission of orders for crypto-assets on behalf of clients;
• providing advice on crypto-assets;
• providing portfolio management on crypto-assets;
• providing transfer services for crypto-assets on behalf of clients.

In practice, one business often triggers several service categories at once. For example, an app that lets users onboard fiat, execute swaps, hold balances, and send assets externally may combine exchange, custody, execution, and transfer services. That means the licence strategy should be built on the actual customer journey, not on the product team’s marketing labels.

Business models that usually require authorisation

Typical in-scope models include centralised exchanges, OTC brokers, custodial wallet providers, crypto apps with order execution, platforms that route orders to liquidity venues, advisory businesses recommending crypto-assets to clients, and venues admitting crypto-assets to trading.

If your platform holds client private keys, settles client trades, receives client instructions, or intermediates transfers between customers and other CASPs, you should assume a licensing analysis is required. White-label structures do not automatically remove authorisation risk if your company still controls onboarding, execution logic, or client relationships.

A useful technical nuance often missed by competitors: internal treasury dealing is not the same as client-facing execution. The moment your firm starts receiving and transmitting client orders or acting on behalf of clients, the regulatory analysis changes materially.

What MiCA does not cover

MiCA does not automatically cover every digital asset activity. Crypto-assets that qualify as financial instruments under MiFID II fall outside MiCA and into securities/investment-services analysis. Purely decentralised arrangements may fall outside parts of MiCA, but “DeFi” is not a magic exemption label.

NFTs can also fall outside MiCA in some cases, but fractionalisation, series-based issuance, or economic standardisation may change that analysis. Likewise, a token marketed as “utility” can still raise MiCA, consumer-protection, or even MiFID classification issues depending on rights attached and how it is distributed.

AML/KYC and Travel Rule obligations for CASPs in Spain

Direct answer: a licensed CASP in Spain must operate a live AML/CFT framework, not just hold an AML policy on file. In 2026, that means integrating customer due diligence, sanctions screening, transaction monitoring, blockchain analytics, suspicious activity escalation, and Travel Rule data exchange into day-to-day operations.

The legal backbone is not only MiCA. You also need to account for Regulation (EU) 2023/1113 on transfers of funds and certain crypto-assets, Spanish AML law including Law 10/2010, and supervisory expectations shaped by FATF standards and EU AML practice. That is why AML design should be built jointly by legal, compliance, product, and operations teams.

A mature Spain MiCA license file usually includes:

• business-wide ML/TF risk assessment by product, geography, customer type and delivery channel;
• CDD and EDD procedures for retail, corporate, institutional and high-risk clients;
• PEP, sanctions and adverse media screening rules;
• transaction monitoring with scenario logic for structuring, layering, sanctions evasion and mule patterns;
• blockchain analytics and wallet risk scoring;
• Travel Rule operating model, including rejection/escalation paths;
• governance around alert review, STR decisioning and record retention.

How the Travel Rule works in practice

The Travel Rule requires originator and beneficiary information to travel with qualifying crypto transfers. In practice, CASPs usually implement this through vendor solutions or interoperable messaging standards such as IVMS101.

Your operating model should explain:

• what customer data is collected before a transfer is released;
• how data is transmitted to another CASP or received from it;
• what happens when the counterparty CASP cannot receive or validate the data;
• how rejected, returned, or suspended transfers are handled;
• how records are stored and linked to the underlying blockchain transaction.

A useful technical point: firms that treat Travel Rule as an API plug-in often miss governance around exception handling. Regulators increasingly care about what your team does when the message format fails, the beneficiary CASP is unknown, or the transfer involves a high-risk jurisdiction.

Unhosted wallets, sanctions screening and KYT

Unhosted wallets are not automatically prohibited, but they require a risk-based control framework. That usually includes wallet ownership or control checks where appropriate, blockchain analytics, sanctions exposure review, behavioural monitoring, and escalation for high-risk patterns.

For many CASPs, the real risk sits at the intersection of unhosted wallets, sanctions screening, and rapid movement across chains or mixers. A serious application should therefore explain how the firm handles wallet screening, chain hops, privacy-enhancing tools, and transfers that are technically valid but commercially or sanctions-wise unacceptable.

Banking and payment rails after authorisation

Direct answer: a Spain MiCA license improves banking credibility, but it does not guarantee a bank account. Banks and EMIs still run their own risk, AML, sanctions, and reputational due diligence.

In practice, post-authorisation banking readiness depends on whether your firm can present a coherent package covering ownership transparency, source of funds, safeguarding model, AML controls, transaction flows, and expected geographies. The ESMA register helps because it gives counterparties public evidence of authorisation, but banks still underwrite the client independently.

What banks usually ask for

Banks and EMIs typically request:

• proof of authorisation and public register evidence;
• corporate structure and UBO documentation;
• business plan and transaction flow charts;
• AML/CFT and sanctions framework summary;
• safeguarding and client money/fiat handling description;
• source-of-funds and source-of-wealth documents for founders and investors;
• target markets, prohibited jurisdictions, and onboarding criteria.

A practical nuance: many bank onboarding failures happen because the compliance pack is drafted for the regulator, not for the bank. The regulator wants legal and operational sufficiency; the bank wants to know whether your flows are understandable, monitorable, and commercially acceptable. Those are overlapping but not identical questions.

RUE supports clients with both the licensing file and the post-licensing banking package, including introductions where appropriate through our crypto business bank account and bank account in Spain service lines.