MiCA License in Spain 2026

Obtain CNMV-authorised CASP status in Spain under MiCA. RUE supports exchanges, custody providers, brokers, and crypto platforms seeking compliant EU market access.

Book MiCA Readiness Call

Regulator

CNMV

Timeframe

3-6+ months

Cost

from €19,900

Capital

€50k-€150k

Depends on CASP scope, substance, tech stack and dossier readiness.

Why Spain for a MiCA Licence

Spain MiCA license means CASP authorisation under Regulation (EU) 2023/1114, typically supervised through the CNMV as the key national competent authority for crypto-asset services. RUE helps founders structure the Spanish entity, prepare the application pack, and align AML, governance, safeguarding, and operational controls before filing.

Polina Merkulova

Licensing Services Manager

[email protected]

As your point of contact, I help coordinate the licensing process end-to-end, keep communication clear, and move your application forward without unnecessary delays.

Regulated United Europe (RUE) provides end-to-end support for MiCA license in Spain projects: service perimeter analysis, Spanish company setup, governance design, AML/KYC framework, Travel Rule implementation logic, safeguarding documentation, and CNMV-facing application drafting.

We also support banking readiness, internal controls, outsourcing governance, and post-authorisation compliance so your Spain MiCA license is built for approval and day-to-day operation, not just for filing.

Contact me

🏛️

Recognised EU Regulatory Base

A Spain MiCA license can position your business in a major EU market under a regulator known for formal supervisory standards and institutional credibility.

🌍

EU Passporting Potential

Once authorised, your CASP may notify cross-border activity and serve clients across the EU single market, subject to MiCA passporting rules.

🧭

Strong Substance Narrative

Spain suits operators prepared to show real governance, effective management, outsourcing oversight, and regulator-facing operational substance.

🏦

Banking and Fiat Readiness

A properly structured Spanish setup can improve conversations with banks, EMIs, payment providers, and local counterparties compared with unregulated models.

MiCA Licence in Spain

25,900 EUR

Package includes (8)

Preparation of necessary documents for registration of a new company in Spain 2026
Translation of a certificate of no criminal record through a sworn translator
Payment of state fees related to company registration
Payment of notary fees related to company registration
Preparation of compliance documents for MiCA application
Preparation of a business plan
Submission of the necessary documents to CNMV
Recruitment of local MLRO/Compliance officer

Order now

Timeframe: From 6 months

Comprehensive Requirements for Spain MiCA License

A MiCA license in Spain is, in substance, a CASP authorisation under Regulation (EU) 2023/1114, not the old AML-only VASP registration model. In 2026, applicants are expected to demonstrate not only minimum capital, but also a credible operating model, fit-and-proper management, AML/CFT controls, safeguarding arrangements, outsourcing oversight, ICT resilience, complaints handling, and a realistic wind-down framework.

The practical review logic is simple: the regulator does not approve a PowerPoint idea. It reviews whether your Spanish entity can actually deliver the crypto-asset services requested, protect clients, monitor abuse and financial crime risk, and remain governable after launch. The exact depth of review depends on your service perimeter, especially where the model includes custody, exchange, execution, operation of a trading platform, or client fiat flows.

Minimum Capital and Own Funds +

MiCA uses standard initial capital thresholds of €50,000, €125,000, or €150,000 depending on the CASP services provided. These are the core reference points for Spain MiCA license planning and are materially more reliable than outdated marketing claims such as €60,000.

€50,000: lower-risk CASP profiles under the MiCA classification logic;
€125,000: intermediate service scope;
€150,000: higher-impact models such as broader execution/platform-type activity.

Initial capital is only the entry threshold. Your company must also maintain adequate own funds on an ongoing basis, document liquidity planning, and show that regulatory capital is not the same thing as launch budget. In practice, founders should budget separately for legal work, staffing, technology, Travel Rule tooling, audit, insurance, translations, and banking onboarding.

Spanish Company and Real Substance +

You generally need a Spanish legal entity with a registered address, operational accessibility, and a governance model that can be supervised in Spain. A virtual office alone is not a substance strategy.

Regulators usually look for evidence of:

place of effective management and real decision-making trail;
board minutes, delegated authority matrix, and local accessibility;
identified control functions and vendor oversight;
operational records available for supervisory review;
credible explanation of why Spain is the home Member State.

If key functions are outsourced, the Spanish entity must still remain the mind and manager of the business. An outsourcing-heavy model without internal ownership of risk, compliance, and safeguarding logic is a common weakness in CASP applications.

Management, UBOs and Fit-and-Proper Review +

The management body, shareholders, and key function holders must pass a fit-and-proper assessment. The review usually covers reputation, competence, time commitment, conflicts of interest, source of wealth/funds, and prior regulatory or criminal history.

Directors should understand crypto operations, not just general corporate administration;
UBOs and qualifying shareholders must be fully transparent and documentable;
an AML/MLRO function must be credible, not nominal;
compliance and risk responsibilities should be clearly allocated;
CVs, references, criminal record certificates, and questionnaires must be internally consistent.

A recurring failure point is appointing prestigious but unavailable directors. Regulators increasingly test whether named individuals can actually challenge management, review incidents, approve policies, and supervise outsourced providers.

AML/KYC, Travel Rule and Financial Crime Controls +

A Spain MiCA license application must show an operational AML/CFT framework aligned with Law 10/2010, EU AML expectations, and the Transfer of Funds Regulation (EU) 2023/1113. A generic AML manual is not enough.

business-wide ML/TF risk assessment tailored to your services and geographies;
CDD/EDD procedures for retail, corporate, and high-risk clients;
sanctions screening and adverse media controls;
transaction monitoring and KYT logic for on-chain activity;
Travel Rule data exchange workflow, often using IVMS101-compatible tooling;
controls for unhosted wallets, wallet attribution, and escalation paths;
recordkeeping, STR reporting logic, and governance around alerts.

In practice, the regulator wants to see how alerts are generated, who reviews them, what the SLA is, how false positives are tuned, and how the firm handles blocked or rejected transfers. This is where many otherwise polished applications become too abstract.

Safeguarding, Custody and Client Asset Protection +

If your model includes custody or control over client crypto-assets or client fiat, safeguarding design becomes central. The application should explain legal segregation, operational segregation, reconciliation, incident handling, and client disclosure.

segregation of client assets from proprietary assets;
wallet governance and entitlement mapping;
daily or near-daily reconciliation logic;
key management architecture such as MPC, multisig, or HSM-supported controls;
access control, maker-checker approvals, and privileged access logging;
breach response, loss allocation logic, and recovery procedures.

Where client fiat is received, firms should also map the safeguarding route, payment partner dependencies, and timing of fund placement. The regulator will usually expect the safeguarding model to be understandable by both compliance and operations teams, not only by engineers.

Technology, ICT Governance and Operational Resilience +

The regulator expects a licensing-grade description of your ICT environment. In 2026, this means more than saying you use cloud hosting and multi-factor authentication.

system architecture, data flows, and critical vendor map;
identity and access management, log retention, and privileged access review;
incident response plan, severity classification, and escalation matrix;
business continuity and disaster recovery with tested recovery assumptions;
vulnerability management, patch governance, and penetration testing;
outsourcing register and exit planning for critical technology providers;
GDPR alignment for KYC and transaction data handling.

Even where DORA does not apply in the same way as to traditional financial entities, supervisory expectations around operational resilience are materially higher than many crypto founders assume. Weak evidence of control over vendors, logs, and incident handling often triggers RFIs.

Business Plan, Programme of Operations and Financials +

The application pack should include a coherent programme of operations and a business plan that match the requested services exactly. The regulator will compare your narrative, policies, org chart, client journey, and financial projections for consistency.

service perimeter and regulatory classification memo;
target markets, client types, and distribution channels;
token admission/listing or asset selection methodology where relevant;
revenue model, fee model, and outsourcing dependencies;
3-year financial projections with assumptions and stress cases;
complaints handling, conflicts of interest, and market abuse controls;
wind-down plan explaining how clients are protected if the business exits.

A useful technical nuance: if your platform intends to list third-party crypto-assets, the regulator will often expect a token due diligence process covering MiCA classification, sanctions exposure, liquidity manipulation risk, and whether a crypto-asset white paper exists or should exist.

Banking, Fiat Rails and Source-of-Funds Narrative +

Banking is not formally part of MiCA authorisation, but a weak banking narrative can undermine the application because it affects safeguarding, client money flows, and operational viability. Spain MiCA license applicants should prepare a bank-ready due diligence pack early.

clear explanation of fiat inflows, outflows, and settlement routes;
source-of-funds and source-of-wealth documentation for founders and funding rounds;
description of payment service providers, EMIs, or acquiring partners;
transaction flow maps by customer type and geography;
AML controls around fiat-to-crypto and crypto-to-fiat conversion.

RUE usually recommends building the banking narrative in parallel with the licence file, not after approval. That reduces friction with Spanish and EU banks, especially where the model includes merchant flows, OTC settlement, or high-volume retail onboarding.

Jurisdiction Comparison

Compare Spain with other jurisdictions by key conditions for obtaining and operating a MiCA/CASP license: regulator, review period, fees, capital, local substance, and passporting.

* This table focuses on MiCA/CASP authorization conditions. Use the settings icon to customize countries and parameters.

Taxation of Crypto Companies in Spain

Spanish crypto companies are generally subject to the ordinary corporate tax framework unless a specific incentive or special regime applies. For most operating companies, the baseline reference point is Corporate Income Tax at 25%. A Spain MiCA license does not create a special tax regime by itself; licensing, AML, prudential, and tax treatment are separate layers and should not be conflated.

Core tax position for CASP businesses in Spain

Crypto exchanges, brokers, custody providers, and related service companies usually need to analyse taxation across at least five dimensions: corporate income tax, VAT treatment, payroll/social security, transfer pricing for group structures, and indirect/reporting obligations. The tax result depends heavily on the actual service performed, where counterparties are located, whether the firm acts as principal or agent, and whether separate technology, advisory, or white-label services are charged.

Corporate Income Tax: standard reference rate is 25% for most companies;
VAT: some exchange-related services may be exempt under financial-services logic, but advisory, software, SaaS, token design, or ancillary services may not be;
Withholding / cross-border structuring: depends on treaty position, legal form, and payment type;
Accounting and annual reporting: Spanish companies must maintain proper books, file annual accounts, and keep tax records consistent with the regulatory perimeter described to the CNMV;
Payroll and management presence: local staff and directors can create additional labour and social contribution obligations.

Practical caution for crypto founders

Do not rely on generic internet claims that “crypto is tax exempt” or that one VAT result applies to every crypto service. In Spain, tax treatment is fact-sensitive and should be checked against Agencia Tributaria (AEAT), current administrative guidance, accounting treatment, and where relevant, EU case law on financial-service exemptions.

Legal and tax disclaimer: this page is for general information only and is not legal, tax, or investment advice. Tax treatment should be confirmed for the exact business model, client geography, and contractual setup before launch.

Corporate Income Tax

Standard corporate tax for most Spanish companies

25%

The standard reference rate for Spanish corporate income tax is 25% for most companies. Taxable profit is determined under Spanish accounting and tax rules, with adjustments for deductible and non-deductible items, transfer pricing, and losses. A licensed CASP should ensure that its accounting model, revenue recognition, and token/fiat treatment are documented consistently with its regulatory business model.

VAT on Crypto Services

Depends on the exact service and contractual role

Exempt / 21%

Some crypto exchange services may fall within VAT exemption logic similar to financial services, but this does not automatically cover every crypto-related activity. Technology licensing, consulting, white-label services, software subscriptions, data services, and certain platform fees may be taxable at the standard Spanish VAT rate of 21%. A line-by-line VAT mapping is recommended before invoicing clients.

Withholding and Cross-Border Payments

Depends on treaty network and payment character

Case-specific

Payments of dividends, interest, royalties, or service fees to non-residents may trigger withholding analysis depending on domestic law, treaty relief, beneficial ownership, and anti-abuse rules. This matters for founder structures, holding companies, and IP/licensing arrangements used by crypto groups operating across several EU and non-EU jurisdictions.

Payroll and Social Contributions

Applies where local employees or directors are engaged

Variable

If your Spain MiCA license structure includes local staff, directors, compliance officers, or operations personnel, payroll tax and social security obligations arise under Spanish labour and tax rules. Substance planning should therefore be coordinated with employment, immigration, and budget assumptions from the start.

Annual Accounts and Tax Filings

Mandatory bookkeeping and periodic filings

Ongoing obligation

Spanish companies must maintain accounting records, prepare annual accounts, and submit tax returns in line with statutory deadlines. For CASPs, a recurring practical issue is ensuring that accounting descriptions, revenue categories, and client-asset treatment do not contradict the regulatory file submitted to the CNMV or AML documentation used for banking.

Transfer Pricing

Relevant for group structures and related-party services

Arm’s length

If the Spanish entity buys software, compliance support, liquidity access, marketing services, or management services from related parties, transfer pricing rules apply. This is especially relevant where founders use a Spanish licensed entity with development, treasury, or IP functions elsewhere in the group.

Regulatory and Operating Cost Layer

Not a tax, but a core budget category founders miss

€120k+ / year

Beyond tax, founders should budget for annual compliance and operating costs: MLRO/compliance staffing, legal support, accounting, audit, Travel Rule vendor, blockchain analytics, cybersecurity tooling, insurance, and banking fees. For many small-to-mid CASPs, this layer can easily exceed €120,000-€300,000+ per year depending on scale and service complexity.

Compliance & Ongoing Obligations

A Spain MiCA license is not a one-time approval. After authorisation, your CASP must maintain ongoing prudential, AML, governance, safeguarding, and operational controls under MiCA and related EU and Spanish rules.

📊

Regulatory Reporting

Periodic regulatory reporting to the competent authority as applicable to the CASP model
Annual audited financial statements and corporate filings
Incident and material change notifications where required
Recordkeeping supporting supervisory inspections and RFIs
Updates to passporting notifications for cross-border activity changes

🛡️

AML/KYC and Travel Rule

Customer due diligence and enhanced due diligence on a risk basis
Ongoing transaction monitoring and blockchain analytics review
Sanctions screening of customers, wallets, and counterparties
Travel Rule data capture and transmission under Regulation (EU) 2023/1113
Suspicious transaction/internal escalation and reporting workflows

🔐

Safeguarding and ICT Controls

Segregation and reconciliation of client assets and relevant fiat balances
Wallet governance, key management, and privileged access controls
Cybersecurity policy, logging, and incident response testing
Business continuity and disaster recovery maintenance
Outsourcing register and oversight of critical technology vendors

📋

Governance Maintenance

Ongoing fit-and-proper suitability of directors and key function holders
Board review of compliance, risk, complaints, and incidents
Policy updates for MiCA, AML, GDPR, and operational changes
Notification of ownership, management, or scope changes
Wind-down readiness and periodic control testing

💡

RUE handles compliance for you. Our team provides ongoing compliance support, including AML officer services, regulatory reporting, and policy updates. We ensure your license stays in good standing year after year. Contact us for compliance support →

Last reviewed: March 2026

MiCA license in Spain: executive summary

Direct answer: a MiCA license in Spain means CASP authorisation under Regulation (EU) 2023/1114, typically handled at national level by the CNMV as the key competent authority for crypto-asset services in Spain.

Who needs it: exchanges, brokers, custodians, trading platforms, execution providers, portfolio managers, transfer services and crypto advice models that fall within MiCA CASP services;
Main regulator: CNMV for authorisation and conduct supervision; SEPBLAC remains central for AML/CFT supervision logic; Banco de España still matters for legacy VASP context, banking ecosystem and payment infrastructure relevance;
Capital: standard MiCA thresholds are €50,000, €125,000, and €150,000 depending on service scope;
Timeline: realistic preparation and review often takes 3-6+ months, depending on dossier quality and RFI rounds;
EU access: after authorisation, a Spanish CASP may use passporting mechanisms to provide services across the EU.

Important: this page is general information, not legal, tax, or investment advice. Transitional issues and supervisory practice should always be checked against the latest CNMV, BOE, and EUR-Lex materials in 2026.

Request Spain MiCA Assessment

MiCA license in Spain in 2026: what it is and who actually needs it

MiCA license in Spain is market shorthand for CASP authorisation under Regulation (EU) 2023/1114. It is not a separate Spanish-only product and it is not the same thing as the older AML-oriented VASP registration model used before full MiCA harmonisation.

In practical terms, your company needs a Spain MiCA license if it provides regulated crypto-asset services from Spain or uses Spain as its home Member State for services such as custody and administration of crypto-assets on behalf of clients, operation of a trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, placement, reception and transmission of orders, transfer services, portfolio management, or advice on crypto-assets.

The key business consequence is material: MiCA moves the market from fragmented national registration logic to a harmonised EU authorisation framework. That means governance, safeguarding, prudential controls, outsourcing oversight, complaints handling, and market-conduct expectations are now part of the licensing conversation from day one.

For founders, the strategic question is not only “can we get licensed?” but also “does our current operating model survive regulator scrutiny?”. A business that depends on nominee governance, generic AML templates, unclear token classification, or outsourced everything-without-oversight will usually struggle under MiCA even if it previously operated under a lighter VASP regime.

MiCA vs VASP in Spain: what changed after the old registration regime

Direct answer: the old VASP model in Spain was primarily an AML registration framework linked to the Banco de España, while MiCA creates a full CASP authorisation regime with broader conduct, governance, safeguarding, and passporting consequences.

Old VASP regime: focused mainly on AML/CFT registration and controls;
MiCA CASP regime: adds authorisation, prudential expectations, conduct rules, safeguarding, complaints, outsourcing, and EU passporting;
Old regime consequence: limited utility for EU-wide scaling;
New regime consequence: one home-state authorisation can support cross-border EU activity through passporting notifications.

The most common market mistake is to treat legacy VASP status as if it were equivalent to MiCA authorisation. It is not. A prior registration may help show operating history and AML maturity, but it does not replace the need for a proper CASP file under MiCA.

RUE typically starts Spain MiCA projects with a perimeter memo that maps each product feature to a MiCA service category, a MiFID II exclusion analysis where relevant, and a legacy-to-MiCA gap review. That step often prevents months of avoidable rework later in the process.

See CASP Licensing Support

Who regulates what in Spain in 2026

Authority	Main role	Why it matters for CASPs
CNMV	Key national competent authority for MiCA/CASP authorisation and conduct supervision in Spain	Primary authority for Spain MiCA license strategy, application review, service perimeter, governance and conduct expectations
SEPBLAC	AML/CFT supervisory and FIU-related function	Critical for AML controls, suspicious transaction logic, risk assessment, and financial crime governance
Banco de España	Legacy VASP register context, banking/payment ecosystem relevance, central bank functions	Important for historical registration context, banking optics, and payment-side practicalities, but not the body that “issues MiCA licenses”
ESMA	EU coordination, standards, registers, supervisory convergence	Does not issue the licence; relevant for public registers, technical standards and EU-level consistency
EBA	EU banking and prudential role, especially relevant to ART/EMT topics	Important for stablecoin-adjacent issues, prudential interpretation and broader EU supervisory architecture
AEAT	Spanish tax authority	Relevant for corporate tax, VAT, reporting and tax treatment of crypto business models

Regulatory map: CNMV, Banco de España, SEPBLAC, ESMA and EBA

Direct answer: in Spain, the CNMV is the authority you should treat as the central regulator for CASP authorisation under MiCA, while SEPBLAC remains critical for AML/CFT supervision logic and Banco de España remains relevant for legacy VASP context and banking/payment ecosystem issues.

This distinction matters because many low-quality market pages still blur the roles of these institutions. ESMA does not issue the Spain MiCA license. ESMA contributes to supervisory convergence, technical standards, Q&As, and public registers at EU level, but the authorisation itself is granted by the national competent authority.

Who grants the Spain MiCA license?

The short answer is CNMV. Under MiCA, CASP authorisation is granted by the relevant national competent authority in the home Member State. For Spain, the operative regulatory focus for CASP authorisation is the Comisión Nacional del Mercado de Valores (CNMV).

That is why your filing strategy, governance narrative, and service perimeter analysis should be built around what the CNMV will review, not around generic EU-level marketing language.

What role do Banco de España and SEPBLAC still play?

Banco de España still matters because founders, banks, and consultants often come from the legacy VASP-registration era, and because payment flows, fiat interfaces, and banking diligence still interact with the broader Spanish financial system. It remains a relevant institutional actor even where it is not the authority issuing the MiCA authorisation.

SEPBLAC remains operationally critical because AML/CFT is not displaced by MiCA. Your customer risk scoring, sanctions controls, suspicious activity escalation, Travel Rule implementation, and recordkeeping must still work in the real Spanish AML environment. In practice, a weak AML framework can damage both the licence file and post-licensing banking outcomes.

Common misconception: founders sometimes assume that once MiCA applies, AML becomes secondary. In reality, the opposite is often true in review meetings and banking onboarding: AML maturity is one of the fastest ways to distinguish a serious CASP from a fragile one.

Which services are covered by a MiCA Licence in Spain?

Direct answer: a MiCA Licence in Spain covers the regulated crypto-asset services listed in MiCA for Crypto-Asset Service Providers (CASPs). The scope is broader than “exchange and wallet” and should be mapped feature by feature.

The core service perimeter typically includes:

custody and administration of crypto-assets on behalf of clients;
operation of a trading platform for crypto-assets;
exchange of crypto-assets for funds;
exchange of crypto-assets for other crypto-assets;
execution of orders for crypto-assets on behalf of clients;
placing of crypto-assets;
reception and transmission of orders for crypto-assets on behalf of clients;
providing advice on crypto-assets;
providing portfolio management on crypto-assets;
providing transfer services for crypto-assets on behalf of clients.

In practice, one business often triggers several service categories at once. For example, an app that lets users onboard fiat, execute swaps, hold balances, and send assets externally may combine exchange, custody, execution, and transfer services. That means the licence strategy should be built on the actual customer journey, not on the product team’s marketing labels.

Business models that usually require authorisation

Typical in-scope models include centralised exchanges, OTC brokers, custodial wallet providers, crypto apps with order execution, platforms that route orders to liquidity venues, advisory businesses recommending crypto-assets to clients, and venues admitting crypto-assets to trading.

If your platform holds client private keys, settles client trades, receives client instructions, or intermediates transfers between customers and other CASPs, you should assume a licensing analysis is required. White-label structures do not automatically remove authorisation risk if your company still controls onboarding, execution logic, or client relationships.

A useful technical nuance often missed by competitors: internal treasury dealing is not the same as client-facing execution. The moment your firm starts receiving and transmitting client orders or acting on behalf of clients, the regulatory analysis changes materially.

What MiCA does not cover

MiCA does not automatically cover every digital asset activity. Crypto-assets that qualify as financial instruments under MiFID II fall outside MiCA and into securities/investment-services analysis. Purely decentralised arrangements may fall outside parts of MiCA, but “DeFi” is not a magic exemption label.

NFTs can also fall outside MiCA in some cases, but fractionalisation, series-based issuance, or economic standardisation may change that analysis. Likewise, a token marketed as “utility” can still raise MiCA, consumer-protection, or even MiFID classification issues depending on rights attached and how it is distributed.

Read MiCA Regulation Guide

What regulators expect beyond the minimum capital number

Service Perimeter Accuracy

The application must map every product feature to a MiCA service category and explain exclusions where claimed.

Governance That Actually Works

Named directors and control functions must have time, expertise, and authority to run and challenge the business.

Operational AML Stack

Regulators increasingly expect evidence of transaction monitoring, sanctions screening, KYT and Travel Rule workflows, not just policy text.

Safeguarding Design

Client asset segregation, reconciliation, wallet governance and incident handling must be explained in operational detail.

Substance in Spain

A registered address alone is not enough; effective management, oversight and supervisory accessibility matter.

Wind-Down Logic

The regulator wants to know how clients, assets, data and complaints are handled if the business stops operating.

Minimum capital requirements by MiCA threshold

Reference class	Initial capital	Practical note
Class 1	€50,000	Lower-threshold CASP profiles under MiCA classification logic
Class 2	€125,000	Intermediate service scope with broader operational risk
Class 3	€150,000	Higher-impact service combinations, often including platform/execution-type activity

Initial capital is not the full prudential story. Ongoing own funds, governance, safeguarding and operational resilience still apply.

AML/KYC and Travel Rule obligations for CASPs in Spain

Direct answer: a licensed CASP in Spain must operate a live AML/CFT framework, not just hold an AML policy on file. In 2026, that means integrating customer due diligence, sanctions screening, transaction monitoring, blockchain analytics, suspicious activity escalation, and Travel Rule data exchange into day-to-day operations.

The legal backbone is not only MiCA. You also need to account for Regulation (EU) 2023/1113 on transfers of funds and certain crypto-assets, Spanish AML law including Law 10/2010, and supervisory expectations shaped by FATF standards and EU AML practice. That is why AML design should be built jointly by legal, compliance, product, and operations teams.

A mature Spain MiCA license file usually includes:

business-wide ML/TF risk assessment by product, geography, customer type and delivery channel;
CDD and EDD procedures for retail, corporate, institutional and high-risk clients;
PEP, sanctions and adverse media screening rules;
transaction monitoring with scenario logic for structuring, layering, sanctions evasion and mule patterns;
blockchain analytics and wallet risk scoring;
Travel Rule operating model, including rejection/escalation paths;
governance around alert review, STR decisioning and record retention.

How the Travel Rule works in practice

The Travel Rule requires originator and beneficiary information to travel with qualifying crypto transfers. In practice, CASPs usually implement this through vendor solutions or interoperable messaging standards such as IVMS101.

Your operating model should explain:

what customer data is collected before a transfer is released;
how data is transmitted to another CASP or received from it;
what happens when the counterparty CASP cannot receive or validate the data;
how rejected, returned, or suspended transfers are handled;
how records are stored and linked to the underlying blockchain transaction.

A useful technical point: firms that treat Travel Rule as an API plug-in often miss governance around exception handling. Regulators increasingly care about what your team does when the message format fails, the beneficiary CASP is unknown, or the transfer involves a high-risk jurisdiction.

Unhosted wallets, sanctions screening and KYT

Unhosted wallets are not automatically prohibited, but they require a risk-based control framework. That usually includes wallet ownership or control checks where appropriate, blockchain analytics, sanctions exposure review, behavioural monitoring, and escalation for high-risk patterns.

For many CASPs, the real risk sits at the intersection of unhosted wallets, sanctions screening, and rapid movement across chains or mixers. A serious application should therefore explain how the firm handles wallet screening, chain hops, privacy-enhancing tools, and transfers that are technically valid but commercially or sanctions-wise unacceptable.

Prepare MiCA Compliance Documents

Client asset safeguarding, custody architecture and operational resilience

Direct answer: if your business model touches client assets, the regulator will expect a custody and safeguarding framework that is technically credible, legally understandable, and operationally testable.

That framework should normally cover:

segregation: client assets and company assets must be clearly separated in wallets, books, and entitlement records;
key management: use of MPC, multisig, or HSM-anchored controls should be documented with approval workflows and access restrictions;
reconciliation: firms should define reconciliation frequency, exception thresholds, and break-resolution ownership;
incident handling: loss, compromise, delayed settlement, chain reorgs, and vendor outages should have documented playbooks;
vendor risk: if custody infrastructure is outsourced, the CASP must still understand and supervise it.

Technical controls regulators expect to see

In 2026, regulators increasingly expect to see evidence of concrete controls rather than generic cyber statements. Typical examples include privileged access review, immutable or protected audit logs, maker-checker approvals for wallet operations, key ceremony documentation, penetration testing, vulnerability remediation tracking, and tested BCP/DR assumptions.

A technical nuance often absent from competitor pages: if your custody model depends on third-party MPC or wallet orchestration software, the application should explain what happens if that vendor fails, is sanctioned, or loses service continuity. That is why an outsourcing register and vendor exit plan are not paperwork formalities; they are part of operational resilience.

Where client fiat is involved, the safeguarding narrative should also map payment accounts, settlement timing, reconciliation ownership, and the exact legal basis on which client funds are held. This is often decisive in both licensing review and bank onboarding.

Documents required for a MiCA license in Spain

Document group	What it should contain	Why the regulator asks for it
Corporate documents	Incorporation papers, bylaws, shareholder structure, UBO disclosures	To verify legal form, ownership transparency and control
Programme of operations	Exact services, client journey, jurisdictions, delivery model	To test service perimeter and operational realism
Business plan	Strategy, target market, revenue model, risk assumptions	To assess viability and consistency
Governance pack	Org chart, roles, board matrix, fit-and-proper documents	To assess competence and accountability
AML/CFT framework	Risk assessment, CDD/EDD, monitoring, sanctions, STR logic	To assess financial crime controls
Travel Rule model	Data flow, IVMS101/vendor setup, exception handling	To verify operational compliance with Regulation (EU) 2023/1113
Safeguarding policy	Segregation, reconciliation, client asset handling, fiat flows	To assess client protection
Outsourcing register	Critical vendors, controls, SLAs, exit planning	To assess dependency and oversight
ICT and security pack	Architecture, access control, logs, incident response, BCP/DR	To assess operational resilience
Financial projections	Usually 3-year projections, assumptions, capital and liquidity view	To assess sustainability and prudential readiness
Complaints and conduct policies	Client disclosures, complaint handling, conflicts management	To assess conduct and consumer protection
Wind-down plan	Orderly exit, client communication, asset return, data retention	To assess business continuity in failure scenarios

Commonly missing items: inconsistent org charts, generic AML manuals, no outsourcing register, weak safeguarding narrative, and no credible wind-down plan.

What can kill your application

Common rejection reasons and how to improve approval odds

Direct answer: most weak MiCA applications fail because the regulator cannot see a governable, risk-controlled business behind the documents.

Unclear service perimeter: the product does more than the application admits;
Generic AML framework: policies read like templates and do not match transaction flows;
No credible substance in Spain: no effective management, no local oversight, no supervisory accessibility;
Weak safeguarding design: client asset segregation and reconciliation are poorly explained;
Outsourcing without control: critical functions are delegated but not supervised;
No banking narrative: fiat flows, source of funds and payment partners are vague;
Inconsistent financials: projections do not match staffing, controls, or service scope;
Weak ICT evidence: no serious incident response, logging, vendor map, or recovery plan;
Fit-and-proper weaknesses: directors or key persons lack time, expertise, or clean documentation.

Fix before filing: run a scope mapping exercise, rewrite policies to match real workflows, prepare an outsourcing register, document safeguarding architecture, align financial projections with headcount and tech costs, and build a bank-ready source-of-funds pack before submission.

RUE usually treats the first draft of a MiCA file as a diagnostic tool, not as a filing version. That approach reduces RFIs because it tests whether the business model is internally coherent before the regulator does.

Get Application Gap Analysis

Banking and payment rails after authorisation

Direct answer: a Spain MiCA license improves banking credibility, but it does not guarantee a bank account. Banks and EMIs still run their own risk, AML, sanctions, and reputational due diligence.

In practice, post-authorisation banking readiness depends on whether your firm can present a coherent package covering ownership transparency, source of funds, safeguarding model, AML controls, transaction flows, and expected geographies. The ESMA register helps because it gives counterparties public evidence of authorisation, but banks still underwrite the client independently.

What banks usually ask for

Banks and EMIs typically request:

proof of authorisation and public register evidence;
corporate structure and UBO documentation;
business plan and transaction flow charts;
AML/CFT and sanctions framework summary;
safeguarding and client money/fiat handling description;
source-of-funds and source-of-wealth documents for founders and investors;
target markets, prohibited jurisdictions, and onboarding criteria.

A practical nuance: many bank onboarding failures happen because the compliance pack is drafted for the regulator, not for the bank. The regulator wants legal and operational sufficiency; the bank wants to know whether your flows are understandable, monitorable, and commercially acceptable. Those are overlapping but not identical questions.

RUE supports clients with both the licensing file and the post-licensing banking package, including introductions where appropriate through our crypto business bank account and bank account in Spain service lines.

Discuss Banking Setup

Spain vs other EU jurisdictions for MiCA authorisation

Direct answer: Spain is a strong MiCA jurisdiction for founders who want a serious EU base with credible substance, but it is not automatically the fastest or lightest option for every business model.

Spain is often a good fit when you need:

a large domestic market narrative alongside EU passporting;
institutional credibility with partners, investors, and banks;
a real operating presence rather than a low-substance structure;
alignment between licensing, local staffing, and long-term EU expansion.

Spain may be less optimal if your main priority is the lightest possible setup, minimal local presence, or a highly experimental model that still lacks stable governance and banking assumptions. In those cases, founders often compare Spain with jurisdictions such as Lithuania, France, the Netherlands, Germany, Malta, or Ireland depending on service scope and market strategy.

RUE usually advises clients to choose the home state based on business model fit, not on marketing slogans like “best jurisdiction”. A strong Spain MiCA license strategy starts with the question: can you defend Spain as the genuine centre of management, compliance ownership, and scalable EU operations?

For broader comparison work, see our MiCA license in Europe and country-specific pages such as MiCA Licence in France, MiCA Licence in Germany, MiCA Licence in Netherlands, and MiCA Licence in Malta.

Next step: MiCA readiness assessment for your business model

RUE can assess in 30-45 minutes whether Spain is the right home state for your CASP and what your application path should look like. The goal is not a generic sales call. We map your services, identify the likely MiCA perimeter, test red flags, and outline the shortest credible route to filing.

Your assessment can cover:

service classification and MiCA scope map;
Spain vs alternative EU home-state logic;
capital, substance, and governance requirements;
AML/Travel Rule and safeguarding gaps;
document roadmap, timeline, and launch budget;
banking-readiness issues likely to affect approval and go-live.

We also coordinate related workstreams through RUE service lines, including preparation of compliance documents for MiCA application, legal services, accounting services, and Spain crypto tax support where needed.

Schedule Free Consultation

📝 Check Your Eligibility

Answer a few quick questions to find out if this jurisdiction suits your crypto business

Step 1 of 5

What type of crypto services will you provide?

Exchange (fiat ↔ crypto)

Custody & Wallet Services

Transfer & Payment Services

Advisory / Portfolio Management

Multiple / All of the Above

Step 2 of 5

What is your target market?

European Union only

EU + Global markets

Global (non-EU priority)

Step 3 of 5

Do you already have a registered company in the EU?

Yes, in this jurisdiction

Yes, in another EU country

No, I need to register one

Step 4 of 5

What is your available budget range?

Under €20,000

€20,000 – €50,000

€50,000 – €100,000

Over €100,000

Step 5 of 5

When do you plan to launch?

As soon as possible (1–3 months)

Within 6 months

Within a year

Just exploring options

✅

This Jurisdiction Is a Great Fit!

Based on your answers, this jurisdiction matches your business requirements well. Here's a quick summary:

Recommended License

CASP License

Estimated Budget

€24,000 – €35,000

Estimated Timeframe

4–6 months

EU Passporting

Available

📞 Get Personalized Assessment

Step-by-Step Licensing Process

Step 1

Scope Mapping

Define the exact CASP services, exclusions, target markets, token types, custody model, and whether Spain is the right home Member State. This step prevents mis-scoped filings. Typical duration: 1-3 weeks.

Step 2

Spanish Entity Setup

Incorporate the Spanish company, structure ownership, prepare UBO disclosures, secure registered office/substance, and align governance with the intended licence scope. Typical duration: 2-4 weeks.

Step 3

Governance & Hiring

Appoint directors and key function holders, define reporting lines, build fit-and-proper files, and allocate AML, compliance, risk, safeguarding, and ICT responsibilities. Typical duration: 2-6 weeks.

Step 4

Dossier Preparation

Draft the programme of operations, business plan, AML/CFT framework, Travel Rule model, safeguarding policy, outsourcing register, ICT/security pack, financial projections, complaints policy, and wind-down plan. Typical duration: 4-10 weeks.

Step 5

Application Submission

Submit the completed CASP application pack to the competent authority with supporting forms, annexes, and corporate evidence. Filing quality at this stage strongly affects the number of later RFIs.

Step 6

Completeness & RFIs

Expect an initial completeness review often modelled around roughly 25-30 working days, followed by substantive questions and clock-stop periods if information is missing. Real timing depends on dossier quality and responsiveness.

Step 7

Substantive Review

Once the file is considered complete, substantive review may run around 40 working days under the MiCA framework, with possible extensions or additional questions. Governance, safeguarding, AML, outsourcing and financial consistency are typical focus areas.

Step 8

Approval & Passporting

After authorisation, the CASP enters the relevant public register and may notify cross-border services into other EU states. Go-live should follow only after banking, safeguarding, operations and compliance controls are fully ready.

Start Your Application

Answers

Frequently Asked Questions

Open the key issues founders, compliance teams and legal leads usually need to confirm before a Lithuania CASP rollout.

What is the difference between a MiCA license and a CASP authorisation in Spain? +

There is no practical difference in ordinary market usage. When people say MiCA license in Spain, they usually mean CASP authorisation under Regulation (EU) 2023/1114. “MiCA license” is commercial shorthand; “CASP authorisation” is the more precise legal term. The key point is that this is a full authorisation regime, not a simple registration.

Who issues the MiCA license in Spain? +

The relevant national competent authority in Spain is the CNMV. For CASP authorisation strategy, you should treat the Comisión Nacional del Mercado de Valores (CNMV) as the core regulator. ESMA does not issue the licence. ESMA supports EU-level convergence and public registers, but the authorisation itself is national.

Can a non-EU founder obtain a Spain MiCA license? +

Yes, non-EU founders can use a Spanish company to apply, provided the structure is transparent and fit for supervision. The key issues are not nationality, but ownership transparency, source of funds, fit-and-proper suitability, governance quality, and substance in Spain. Non-EU ownership often triggers deeper due diligence, so the funding trail and management model must be especially clean.

Do I need a physical office in Spain? +

You need real substance, not just a mailing address. A registered office is necessary, but a “virtual office” alone is usually not enough if the rest of the file shows no effective management, no local oversight, and no operational accessibility. The regulator will look at decision-making, governance presence, outsourcing control, and whether the entity can actually be supervised in Spain.

How much capital is required for a Spain MiCA license? +

The standard MiCA initial capital thresholds are €50,000, €125,000, and €150,000 depending on the services provided. These are the main reference numbers used for CASP planning in Spain. Founders should remember that regulatory capital is only one part of the budget; launch and operating costs often exceed the minimum capital by a wide margin.

How long does the process take in Spain? +

A realistic range is usually 3-6+ months, and complex cases can take longer. Timing depends on entity readiness, quality of the application pack, fit-and-proper documentation, and how many RFI rounds occur. A common workflow is: company setup and preparation first, then completeness review, then substantive review, then approval and post-licensing operational readiness.

Can I passport services across the EU with a Spain MiCA license? +

Yes. Once authorised in Spain as a CASP under MiCA, your company may use the MiCA passporting mechanism to provide services across the EU, subject to the required notification process. Passporting gives access to the 27 EU Member States, but local rules on tax, consumer law, marketing, and data protection may still need separate attention.

Does the old VASP registration in Spain still work as a substitute for MiCA authorisation? +

No. Legacy VASP registration and MiCA CASP authorisation are not equivalent. The old regime was primarily AML-focused and does not replace the need for a proper MiCA authorisation if your business now falls within the CASP perimeter. Transitional issues should be checked against the latest CNMV and BOE materials in 2026.

What are the main AML and Travel Rule obligations? +

The core obligations are customer due diligence, sanctions screening, transaction monitoring, suspicious activity escalation, recordkeeping, and Travel Rule compliance. Under Regulation (EU) 2023/1113, CASPs must capture and transmit originator and beneficiary data for relevant crypto transfers. In practice, firms often use vendor solutions compatible with IVMS101 and combine them with blockchain analytics and KYT tools.

What happens if I operate in Spain without authorisation? +

Operating without the required authorisation creates serious regulatory, banking, and enforcement risk. Consequences can include cease-and-desist orders, administrative sanctions, inability to maintain banking or payment relationships, reputational damage, and personal exposure for directors. The exact sanctions depend on the legal basis used and the facts of the case, so unlicensed operation should never be treated as a temporary shortcut.

Does Spain MiCA licensing cover DeFi or NFTs automatically? +

No. DeFi and NFTs require separate classification analysis. Some arrangements may fall outside MiCA, but many projects use those labels too broadly. Fractionalised NFTs, standardised token series, custodial interfaces, or client-facing intermediation can still trigger MiCA or other financial-services analysis. A classification memo is strongly recommended before launch.

Can RUE help with the full Spain MiCA license process? +

Yes. Regulated United Europe supports clients with service perimeter analysis, Spanish company setup, governance design, application drafting, AML/Travel Rule framework, safeguarding documentation, banking-readiness planning, and regulator-facing support. We also coordinate related legal, tax, accounting, and compliance workstreams through our broader EU licensing practice.

Regulated United Europe OÜ

Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia

Company in Lithuania UAB

Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25-702, Vilnius, 09320, Lithuania

Company in Czech Republic s.r.o.

Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perstyne 342/1, Prague

Company in Poland Sp. z o.o.

Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, Warsaw, 00-824, Poland

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

Main Services

Terms of Cooperation

Regulated United Europe

MiCA License in Spain 2026

Why Spain for a MiCA Licence

Polina Merkulova

Recognised EU Regulatory Base

EU Passporting Potential

Strong Substance Narrative

Banking and Fiat Readiness

MiCA Licence in Spain

Ready to Get Started?

Comprehensive Requirements for Spain MiCA License

Jurisdiction Comparison

Taxation of Crypto Companies in Spain

Core tax position for CASP businesses in Spain

Practical caution for crypto founders

Corporate Income Tax

VAT on Crypto Services

Withholding and Cross-Border Payments

Payroll and Social Contributions

Annual Accounts and Tax Filings

Transfer Pricing

Regulatory and Operating Cost Layer

Compliance & Ongoing Obligations

Regulatory Reporting

AML/KYC and Travel Rule

Safeguarding and ICT Controls

Governance Maintenance

Last reviewed: March 2026

MiCA license in Spain: executive summary

MiCA license in Spain in 2026: what it is and who actually needs it

MiCA license in Spain in 2026: what it is and who actually needs it

MiCA vs VASP in Spain: what changed after the old registration regime

Who regulates what in Spain in 2026

Regulatory map: CNMV, Banco de España, SEPBLAC, ESMA and EBA

Who grants the Spain MiCA license?

What role do Banco de España and SEPBLAC still play?

Which services are covered by a MiCA Licence in Spain?

Which services are covered by a MiCA Licence in Spain?

Business models that usually require authorisation

What MiCA does not cover

What regulators expect beyond the minimum capital number

Service Perimeter Accuracy

Governance That Actually Works

Operational AML Stack

Safeguarding Design

Substance in Spain

Wind-Down Logic

Minimum capital requirements by MiCA threshold

AML/KYC and Travel Rule obligations for CASPs in Spain

AML/KYC and Travel Rule obligations for CASPs in Spain

How the Travel Rule works in practice

Unhosted wallets, sanctions screening and KYT

Client asset safeguarding, custody architecture and operational resilience

Technical controls regulators expect to see

Documents required for a MiCA license in Spain

What can kill your application

Common rejection reasons and how to improve approval odds

Banking and payment rails after authorisation

Banking and payment rails after authorisation

What banks usually ask for

Spain vs other EU jurisdictions for MiCA authorisation

Next step: MiCA readiness assessment for your business model

Next step: MiCA readiness assessment for your business model

📝 Check Your Eligibility

What type of crypto services will you provide?

What is your target market?

Do you already have a registered company in the EU?

What is your available budget range?

When do you plan to launch?

This Jurisdiction Is a Great Fit!

Step-by-Step Licensing Process

Scope Mapping

Spanish Entity Setup

Governance & Hiring

Dossier Preparation

Application Submission

Completeness & RFIs

Substantive Review

Approval & Passporting

Frequently Asked Questions

Related pages: