Crypto License in Luxembourg

In 2026, “crypto license in Luxembourg” may mean AML VASP registration, MiCA CASP authorization, or a wider regulated model. RUE maps the correct perimeter before filing with the CSSF.

Request eligibility review
Regulator
CSSF
Timeframe
From 6 months
Cost
34 900 EUR
Capital
From 50 000 EUR
Timing and capital depend on whether the project falls under VASP, CASP, PI/EMI or MiFID perimeter.

What a Luxembourg crypto license means in 2026

A Luxembourg crypto license is not one universal permit. In 2026, founders usually need to distinguish between VASP status under the AML framework, CASP authorization under Regulation (EU) 2023/1114 (MiCA), and edge cases where the business model also triggers PSD2/EMD2 or MiFID II analysis.

Luxembourg remains relevant because the jurisdiction combines a mature financial-services environment, strong regulator credibility and institutional acceptance. The trade-off is equally clear: the CSSF expects substance, governance discipline, documented AML controls, transparent ownership and realistic operational design. RUE structures the application around the actual legal perimeter rather than selling a generic “crypto-friendly” narrative.

RUE performs perimeter analysis, corporate setup coordination, AML framework drafting, MiCA/CASP document preparation, banking-readiness packaging and regulator-facing remediation support. We also align licensing with tax, accounting, outsourcing and post-approval compliance operations.

🏛️

Credible regulator environment

The CSSF is a recognized financial supervisor. For serious counterparties, regulator quality often matters more than marketing claims about a jurisdiction being “crypto friendly”.

🇪🇺

Direct EU regulatory relevance

Luxembourg sits inside the EU framework, which matters for MiCA, Travel Rule implementation under Regulation (EU) 2023/1113, and alignment with broader EU AML architecture.

🧩

Strong fit for institutional structures

Funds, tokenization projects, custody models and governance-sensitive groups often prefer Luxembourg because investors, banks and service providers understand the jurisdiction.

🔍

Better for defensible compliance builds

Luxembourg rewards applicants that can evidence governance, outsourcing control, source of funds, transaction monitoring logic and data-protection readiness from day one.

Crypto License in Luxembourg

34,900 EUR
Package includes (8)
  • Preparation of necessary documents for registration of a new company in Luxembourg
  • Translation of a certificate of no criminal record through a sworn translator
  • Payment of state fees related to company registration
  • Payment of notary fees related to company registration
  • Preparation of compliance documents for MiCA application
  • Preparation of a business plan
  • Submission of the necessary documents to CSSF
  • Recruitment of local MLRO/Compliance officer
Order now
Timeframe: From 6 months

Additional Services

MiCA structuring & jurisdiction selection advisory within the EU
from 2,900 EUR
Legal qualification of tokens (utility vs EMT vs ART vs financial instrument under MiFID II)
from 3,900 EUR
Pre-application gap analysis and readiness assessment
from 4,900 EUR
Regulatory risk memo for business model validation
from 2,900 EUR
Cross-border structuring for non-EU founders entering the EU market
from 5,900 EUR
Annual compliance reviews and internal audits
from 4,900 EUR/year
Updating policies in line with ESMA / EBA guidelines
from 1,900 EUR
Assistance with opening crypto-friendly bank accounts / EMIs
from 2,900 EUR

Ready to Get Started?

Book a free 30-minute consultation with our licensing expert

Request Consultation

Requirements to obtain a crypto license

The core requirement is correct legal classification. A Luxembourg applicant must first determine whether the business is an AML-supervised virtual asset service provider, a MiCA crypto-asset service provider, or a broader regulated financial undertaking. Filing under the wrong perimeter is one of the fastest ways to lose months.

Across most viable structures, the regulator will expect:

  • a properly incorporated Luxembourg entity with transparent ownership and documented beneficial owners;
  • clear governance, fit-and-proper management and allocated compliance responsibility;
  • a risk-based AML/KYC framework built around the actual product, customer base and transaction flows;
  • documented operational model, including outsourcing, wallet operations, safeguarding logic and incident handling;
  • credible financial planning, source-of-funds evidence and realistic banking narrative;
  • data-protection and security controls proportionate to the service, including access governance, recordkeeping and vendor oversight.

A practical nuance often missed in competitor pages: proprietary treasury activity is not automatically the same as client-facing regulated crypto services. The perimeter depends on what the company does for or on behalf of clients, whether it controls client crypto-assets or keys, and whether it intermediates exchange, transfer, execution or custody functions.

Legal perimeter analysis first +

Define whether the model falls under VASP, CASP, or overlaps with PI/EMI or MiFID II. This step should be done before incorporation documents, banking outreach or policy drafting are finalized.

Transparent ownership and UBO file +

Prepare shareholder structure, beneficial ownership chain, proof of identity, source of wealth and source of funds. Nominee-heavy or opaque structures usually trigger deeper questions.

Fit and proper management +

Directors and senior managers must show relevant experience, clean background profile, time commitment and actual control over the business. Generic CVs without product-specific competence are weak evidence.

AML/KYC framework +

The file should include customer onboarding logic, sanctions and PEP screening, risk scoring, EDD triggers, transaction monitoring, suspicious activity escalation and recordkeeping rules.

Operational substance +

Luxembourg does not reward shell-style applications. The regulator will look at decision-making, outsourcing control, staffing model, local touchpoints and whether the company can actually run the service safely.

IT and security controls +

Expect scrutiny of wallet security, privileged access, key management, logging, backup, incident response, vendor due diligence and GDPR-sensitive processing of customer data.

Jurisdiction Comparison

Compare Luxembourg with other jurisdictions by key conditions for obtaining and operating a MiCA/CASP license: regulator, review period, fees, capital, local substance, and passporting.

Countries to compare

Parameters

* This table focuses on MiCA/CASP authorization conditions. Use the settings icon to customize countries and parameters.

Taxation of crypto companies in Luxembourg

Luxembourg taxation must be reviewed separately from licensing. A crypto authorization does not create a special tax regime by itself. In practice, founders usually need to assess corporate income tax, municipal business tax, possible net wealth tax, and the VAT treatment of each revenue line.

The critical legal point is that VAT treatment depends on the nature of the service, not on the word “crypto” alone. Exchange-related services may be analyzed differently from software licensing, advisory, white-label infrastructure, custody support, or token issuance support. EU case law, including the logic associated with Hedqvist, is relevant, but founders should not generalize it to every crypto business model.

RUE normally coordinates licensing and tax work in parallel, because product design affects both. For example, the same group may need one analysis for token dealing, another for SaaS revenue, and a separate one for payment-related flows. Current rates and filing obligations should always be verified at implementation stage with Luxembourg tax advisers and official guidance.

Corporate income tax

Applies to company profits under the ordinary Luxembourg corporate tax framework.
verify current

The applicable burden depends on the tax year, taxable base and current law. Do not rely on outdated web figures; confirm the current rate set before launch and budgeting.

Municipal business tax

Local business tax may apply in addition to corporate taxation.
verify current

The effective burden depends on municipality and company profile. For founders using Luxembourg City assumptions in models, the rate should be verified at the date of filing and updated in the financial plan.

VAT

VAT treatment depends on the exact service supplied, not on crypto branding.
case-based

Crypto-fiat exchange, software subscriptions, consulting, token issuance support and custody-related services may not be treated identically. VAT mapping should be done line by line across the revenue model.

Net wealth tax

May be relevant depending on the company structure and tax position.
verify current

This item is often ignored in startup budgets. It should be reviewed together with capitalization, asset holding pattern and group structure.

Ongoing compliance after approval

Approval is the start of the control cycle, not the end. In 2026, Luxembourg crypto businesses must maintain AML, Travel Rule, governance, reporting and security controls on a continuous basis.

🛡️

AML and customer due diligence

  • Maintain risk-based onboarding, sanctions screening, PEP checks and enhanced due diligence for high-risk customers.
  • Update source-of-funds and source-of-wealth logic where transaction profile, geography or customer type changes.
  • Review customer risk scoring methodology and document override decisions.
🔄

Travel Rule and transaction controls

  • Apply <strong>Regulation (EU) 2023/1113</strong> to relevant crypto-asset transfers and maintain originator/beneficiary data handling.
  • Implement wallet screening, counterparty VASP checks, escalation rules and unhosted-wallet risk controls.
  • Keep an audit trail for blocked, rejected or escalated transfers.
🏢

Governance and outsourcing oversight

  • Board and senior management must retain effective control over compliance, operations and outsourced functions.
  • Material outsourcing requires monitoring, contractual clarity, incident escalation and documented oversight.
  • Changes in ownership, management, product scope or operating model may require prior regulatory assessment.
💾

Security and data protection

  • Maintain access controls, key-management governance, logging, backup, incident response and vendor due diligence.
  • Process personal data under <strong>GDPR</strong> and assess whether broader ICT resilience expectations, including <strong>DORA</strong> relevance, affect the model.
  • Retain evidence of training, testing, control reviews and remediation actions.
💡
RUE handles compliance for you. Our team provides ongoing compliance support, including AML officer services, regulatory reporting, and policy updates. We ensure your license stays in good standing year after year. Contact us for compliance support →

📝 Check Your Eligibility

Answer a few quick questions to find out if this jurisdiction suits your crypto business

Step 1 of 5

What type of crypto services will you provide?

Exchange (fiat ↔ crypto)
Custody & Wallet Services
Transfer & Payment Services
Advisory / Portfolio Management
Multiple / All of the Above
Step 2 of 5

What is your target market?

European Union only
EU + Global markets
Global (non-EU priority)
Step 3 of 5

Do you already have a registered company in the EU?

Yes, in this jurisdiction
Yes, in another EU country
No, I need to register one
Step 4 of 5

What is your available budget range?

Under €20,000
€20,000 – €50,000
€50,000 – €100,000
Over €100,000
Step 5 of 5

When do you plan to launch?

As soon as possible (1–3 months)
Within 6 months
Within a year
Just exploring options

This Jurisdiction Is a Great Fit!

Based on your answers, this jurisdiction matches your business requirements well. Here's a quick summary:

Recommended License

CASP License

Estimated Budget

€24,000 – €35,000

Estimated Timeframe

4–6 months

EU Passporting

Available

📞 Get Personalized Assessment

Step by step licensing process

Step 1

Perimeter review

Start by defining whether the model is VASP, CASP, or overlaps with PI/EMI or MiFID perimeter. This stage usually determines the entire filing strategy and prevents misclassification.

Step 2

Entity setup

Incorporate the Luxembourg vehicle, prepare ownership records, governance structure and initial operating model. Banking-readiness materials should be prepared in parallel, not after filing.

Step 3

Compliance build

Draft the AML/CFT framework, risk assessment, onboarding rules, sanctions controls, outsourcing map, security policies and business plan. The file must reflect the real transaction flow.

Step 4

Application filing

Submit the application package to the competent authority with supporting documents, management information and financial materials tailored to the correct regulatory perimeter.

Step 5

Regulator Q&A

Expect iterative questions, remediation requests and requests for clarification. Most timelines expand here, especially where the product description, outsourcing chain or source-of-funds logic is weak.

Step 6

Approval and launch

After approval, finalize onboarding, reporting, Travel Rule operations, staff training, vendor controls and governance cadence. Post-approval compliance must be operational before scaling.

Start Your Application
Answers

Frequently Asked Questions

Open the key issues founders, compliance teams and legal leads usually need to confirm before launch.

Does Luxembourg have one single crypto license? +

No. In 2026, “crypto license in Luxembourg” is an umbrella term. Depending on the facts, the business may need AML VASP treatment, MiCA CASP authorization, or additional analysis under PSD2, EMD2 or MiFID II.

Is crypto business legal in Luxembourg? +

Yes. Crypto business is legal in Luxembourg if the activity is structured within the applicable legal perimeter and the company meets AML, governance, operational and, where relevant, MiCA requirements.

Does a Luxembourg crypto license give EU passporting? +

Not automatically. AML-only VASP status should not be marketed as a universal passport across the EU. Passporting logic must be assessed under the specific authorization regime, especially under MiCA for CASPs.

Who regulates crypto companies in Luxembourg? +

The main financial regulator is the CSSF. Depending on the issue, founders also need to consider the CRF for suspicious activity reporting, LBR/RCS for company and ownership records, and the CNPD for data protection.

Do you need a resident director in Luxembourg? +

Not as a universal rule for every crypto model. Management and substance expectations depend on the regime, structure and operating model. The safer question is whether the company can evidence real control, governance and operational substance in Luxembourg.

Do you need a physical office in Luxembourg? +

Not every case is defined by a simple office requirement, but shell-style setups are weak. The regulator will look at substance in practical terms: decision-making, staff access, governance, records, outsourced functions and the ability to operate compliantly.

Can a foreign shareholder own a Luxembourg crypto company? +

Yes, foreign ownership is generally possible, but ownership transparency is critical. The applicant must disclose the full shareholder and UBO chain and provide credible source-of-funds and source-of-wealth evidence where required.

How long does it take to get a crypto license in Luxembourg? +

It depends on the perimeter and file quality. In practice, founders should budget for 4-9+ months in many cases, including scoping, setup, documentation and regulator review. Complex or poorly prepared files can take longer.

How much capital is required? +

There is no one universal capital figure for all Luxembourg crypto businesses. Capital logic depends on whether the company is assessed as a VASP, CASP, PI, EMI or another regulated entity. Any fixed web number should be treated with caution unless tied to the exact regime.

Do non-custodial wallets need authorization? +

Sometimes no, but never assume that from the label alone. If the provider does not control client keys and does not intermediate regulated services, the model may fall outside the core perimeter. If functionality goes beyond pure software, the analysis changes.

Is proprietary crypto trading regulated in Luxembourg? +

Own-account activity may fall outside the core client-service perimeter, but this is fact-specific. The analysis changes if the company deals for clients, controls client assets, markets execution services or combines treasury activity with regulated intermediation.

Do crypto businesses in Luxembourg need Travel Rule compliance? +

Yes, where the transfer activity falls within the EU framework. In 2026, relevant firms must assess and implement controls under Regulation (EU) 2023/1113, including originator/beneficiary data handling and risk controls for transfers.

Will approval guarantee a bank account? +

No. Licensing and bankability are related but not identical. Banks still run their own risk review and usually want a coherent KYB package, source-of-funds narrative, transaction profile, AML controls and governance evidence. See also our bank account in Luxembourg and crypto business bank account pages.

CONTACT US

RUE (Regulated United Europe) customer support team complies with high standards and requirements of clients. Based on feedback from clients worldwide, we continuously improve service quality and response speed to keep support practical and reliable.

Main offices of the international advisory legal company RUE (Regulated United Europe) are located in Estonia (Tallinn), Lithuania (Vilnius), Czech Republic (Prague) and Poland (Warsaw). Contact the most suitable for you branch, so that our company could provide comprehensive individually-tailored to your needs services.

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

    Main Services

    Terms of Cooperation

    Regulated United Europe

    Facebook Instagram YouTube LinkedIn
    Chambers Legal500