EU Crypto Regulation Guide

MiCA License in 2026

A MiCA license is the market shorthand for CASP authorisation under Regulation (EU) 2023/1114. It allows a crypto-asset service provider to operate from one EU home state and use passporting across the EU and EEA, subject to notification. This page explains who needs a MiCA licence, which services fall in scope, what documents regulators expect, how MiCA, TFR, DORA and GDPR interact, and how to choose the right jurisdiction for your business model.

Book a Consultation Compare EU Jurisdictions

27 EU member states covered

€50k-€150k minimum capital range

3-6+ mo practical authorisation horizon

Disclaimer

General information only. MiCA outcomes depend on token classification, service perimeter, home-state regulator practice, and adjacent obligations under AML, TFR, DORA and GDPR.

Scroll to review scope, timeline, capital, documents, compliance stack, and jurisdiction fit.

Featured MiCA Jurisdictions

These are the main starting points for founders comparing MiCA authorisation routes by regulator posture, banking access, staffing reality, and long-term passporting value.

Europe

Czech Republic

Timeline: From 6 months
Capital: From €50,000
Passporting: Yes
Price: from EUR 18,900

Open jurisdiction

Europe

Estonia

Timeline: From 6 months
Capital: From 50 000 EUR
Passporting: Yes

Open jurisdiction

Europe

Lithuania

Timeline: From 6 months
Capital: From 50 000 EUR
Passporting: Yes
Price: from EUR 19,900

Open jurisdiction

Europe

Malta

Timeline: From 6 months
Capital: From 50 000 EUR
Passporting: Yes
Price: from EUR 23,900

Open jurisdiction

Europe

Poland

Timeline: From 6 months
Capital: From 50 000 EUR
Passporting: Yes
Price: from EUR 18,900

Open jurisdiction

What Is a MiCA License and Who Actually Needs It

A MiCA license is not a separate pan-European certificate; it is the market term for authorisation as a Crypto-Asset Service Provider (CASP) under Regulation (EU) 2023/1114. If your company provides regulated crypto-asset services in or into the EU on a professional basis, you generally need home-state authorisation from a National Competent Authority (NCA) and then may passport the service into other EU states.

The regime became fully applicable to CASPs on 30 December 2024. That date did not mean every existing provider had to be licensed on the same day. Transitional regimes may still apply in some member states, but only within local limits and in any case not beyond 1 July 2026. If your business still relies on an older AML-only VASP registration, the strategic question is no longer whether MiCA matters, but whether your governance, safeguarding, outsourcing, complaints handling, prudential planning and ICT controls can survive MiCA scrutiny.

MiCA does not cover everything called “crypto”. Financial instruments remain outside MiCA and stay within the MiFID II perimeter. EMTs and ARTs have their own issuer rules. Certain genuinely decentralised arrangements, central bank-issued assets and some NFTs may fall outside or on the edge of scope, but those conclusions require case-by-case legal analysis. In practice, the first real gate is always token and service qualification.

Regulatory risks

Perimeter risk: a token misclassified under MiCA may actually fall under MiFID II, EMT or other financial-services rules.
Enforcement risk: operating without required authorisation can trigger cease-and-desist action, fines, and forced market exit.
Banking risk: weak licensing status or weak substance often blocks bank accounts, fiat rails and payment partners.
Reverse solicitation risk: non-EU firms often overestimate this exemption and undermine it through EU-facing marketing.

Who this guide is for

Exchange and brokerage founders

Teams offering crypto-fiat, crypto-crypto conversion, order execution, order routing, OTC flow or platform-style matching.

Custody and wallet operators

Businesses safeguarding client crypto-assets or cryptographic keys and needing defensible segregation, reconciliation and key-management controls.

Compliance leads and legal counsels

In-house teams preparing a MiCA dossier, mapping service perimeter, or upgrading from a legacy VASP registration.

Token issuers and listing projects

Companies assessing white paper obligations, ART/EMT qualification, admission to trading, and issuer-side disclosure duties.

MiCA replaced fragmented VASP regimes

Old national AML registrations were often narrow and local. MiCA adds conduct, governance, prudential, safeguarding and passporting logic at EU level.

One home-state authorisation can scale across Europe

A properly structured CASP authorisation can support cross-border activity through notification instead of rebuilding licensing state by state.

The regulator reviews operating model, not only documents

NCAs test whether your company can actually control client assets, outsourcing chains, ICT incidents, complaints, and financial resilience after go-live.

MiCA is only one layer of the compliance stack

A workable EU setup also requires alignment with Regulation (EU) 2023/1113 on the Travel Rule, DORA, AML/CFT controls, sanctions screening and GDPR.

Regulation (EU) 2023/1114 entered into force on 29 June 2023.

ART and EMT rules started applying on 30 June 2024.

CASP rules started applying on 30 December 2024.

Transitional regimes may run only up to 1 July 2026, depending on the member state.

MiCA passporting works through home-state authorisation plus notification, not through direct ESMA licensing.

Key MiCA and CASP Terminology

MiCA / MiCAR

EU / EEA

The Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114, is the core EU rulebook for crypto-asset issuers and crypto-asset service providers.

CASP

EU / EEA

Crypto-Asset Service Provider is the MiCA-regulated entity authorised to provide one or more crypto-asset services, with potential passporting across the EU and EEA.

NCA

EU / member state

National Competent Authority is the home-state regulator that receives and assesses the CASP application. MiCA authorisation is granted by the NCA, not by ESMA.

ART

EU / issuer perimeter

Asset-Referenced Token is a crypto-asset that seeks to maintain stable value by referencing another value, right, or combination of assets, excluding EMT logic.

EMT

EU / issuer perimeter

E-Money Token is a crypto-asset that purports to maintain stable value by referencing the value of one official currency. EMT analysis often overlaps with e-money concepts and redemption-at-par logic.

Passporting

EU / cross-border

Passporting is the right of a CASP authorised in one EU home state to provide services in other member states after notification, without a full relicensing process in each country.

White paper

EU / disclosure

A white paper is the mandatory disclosure document for certain crypto-asset offers and admissions to trading under MiCA. It is not a marketing deck; it is a regulated disclosure instrument.

Reverse solicitation

EU / cross-border exemption

A narrow exemption where a third-country firm provides a service at the exclusive initiative of the client. It cannot be used as a disguised EU acquisition strategy.

CASP Services Under MiCA by Business Model

Exchange

Exchange models fall within MiCA where the company exchanges crypto-assets for funds or for other crypto-assets, and may also trigger reception, transmission or execution of orders. The legal perimeter depends on whether the firm acts as principal, agent, broker or venue operator.

Typical services

Crypto-fiat exchange, crypto-crypto conversion, retail brokerage, OTC execution support, order handling.

CapitalMedium to high

ComplexityHigh

Best regionsEU / EEA

Common jurisdictions

Crypto License in Lithuania 2026 Crypto License in Malta 2026 Crypto License in Poland 2026

Trading Platform

Operating a trading platform is the highest-intensity MiCA service model because the regulator will test venue logic, market integrity controls, listing governance, conflict management and operational resilience more deeply than in simple brokerage models.

Typical services

Order-book venue, multilateral matching, platform execution environment, listing and admission workflows.

CapitalHigh

ComplexityVery high

Best regionsEU / EEA

Common jurisdictions

Crypto License in Malta 2026 Crypto License in Germany 2026 Crypto License in Lithuania 2026

Custody and Administration

Safekeeping or controlling client crypto-assets or the means of access to them is a core MiCA service. In practice, regulators focus on wallet architecture, key governance, segregation, reconciliation, liability allocation, incident response and outsourcing to custody technology providers.

Typical services

Custodial wallets, institutional custody, key management, safekeeping, account administration.

CapitalMedium to high

ComplexityHigh

Best regionsEU / EEA, UK, Gibraltar

Common jurisdictions

Crypto License in Malta 2026 Crypto License in Germany 2026 Crypto License in Gibraltar 2026

Brokerage and Order Transmission

A broker that receives, transmits or executes client orders without operating a full venue may still need multiple MiCA permissions. Founders often underestimate how quickly a light brokerage model becomes a broader CASP perimeter once execution, placement or advice is added.

Typical services

Reception and transmission of orders, execution of orders, agency brokerage, smart routing, OTC intermediation.

CapitalMedium

ComplexityMedium to high

Best regionsEU / EEA

Common jurisdictions

Crypto License Czech Republic 2026 Crypto License in Poland 2026 Crypto License in Lithuania 2026

Advisory and Portfolio Management

MiCA includes advice on crypto-assets and portfolio management of crypto-assets. These services are often overlooked by content providers because they resemble MiFID concepts, but they are expressly regulated under MiCA for crypto-assets that are not financial instruments.

Typical services

Crypto investment advice, managed crypto portfolios, discretionary allocation, strategy recommendations.

CapitalLow to medium

ComplexityMedium

Best regionsEU / EEA

Common jurisdictions

Crypto License in Estonia 2026 Crypto License in Poland 2026 Crypto License in Malta 2026

Token Issuance and Placement

Issuer-side activity does not follow one single CASP route. The correct framework depends on whether the token is a non-ART/EMT crypto-asset, an ART, an EMT, or a financial instrument outside MiCA. Placement services and admission to trading can also create CASP obligations.

Typical services

Public token offer, admission to trading, placement, utility token launch, issuer disclosure, stablecoin structuring.

CapitalCase-dependent

ComplexityHigh

Best regionsEU / EEA, selected non-EU hubs

Common jurisdictions

Crypto License in Malta 2026 El Salvador crypto license 2026 Crypto license in Dubai 2026

MiCA Jurisdiction Comparison

Compare EU jurisdictions by regulator style, transition regime, banking access, language, local substance expectations, staffing needs, and practical launch conditions.

Scroll horizontally to compare all licensing variables.

Jurisdiction	Regulator	Price	Period	State fee	Annual fee	Capital	Staff	Office	Passporting	Audit
Austria	Austrian Financial Market Authority (FMA)	from EUR 27,900	From 6 months				No	No	No	No
Cyprus	Cyprus Securities and Exchange Commission (CySEC)	from EUR 18,900	From 6 months	10,000 EUR	From 10000 EUR	From 50 000 EUR	Required	Required	Yes	Required
Czech Republic	Czech National Bank (CNB)	from EUR 18,900	From 6 months	CZK 20,000 (~€800)	Variable (based on AUM)	From €50,000	Required	Required	Yes	Required
Estonia	Estonian Financial Supervision Authority (FIU)		From 6 months	10000 EUR	10000 EUR	From 50 000 EUR	Required	Required	Yes	Required
Finland	Finanssivalvonta (FIN-FSA)	from EUR 21,500	From 6 months				No	No	No	No
France	Autorité des Marchés Financiers (AMF)	from EUR 26,800	From 6 months				No	No	No	No
Germany	Federal Financial Supervisory Authority (BaFin)		From 6 months	10750 EUR	From 10000 EUR	From 50 000 EUR	Required	Required	Yes	Required
Ireland	Central Bank of Ireland (CBI)	from EUR 23,900	From 6 months	No	No annual fee	From 50 000 EUR	Required	Required	Yes	Required
Lithuania	Bank of Lithuania	from EUR 19,900	From 6 months	2,500 EUR	From 3000 EUR	From 50 000 EUR	Required	Required	Yes	Required
Luxembourg	Commission de Surveillance du Secteur Financier (CSSF)	from EUR 34,900	From 6 months				No	No	No	No
Malta	Malta Financial Services Authority (MFSA)	from EUR 23,900	From 6 months	From 10,000 EUR	From 10000 EUR	From 50 000 EUR	Required	Required	Yes	Required
Netherlands	Netherlands Authority for the Financial Markets (AFM)	from EUR 28,900	From 6 months				No	No	No	No
Poland	Polish Financial Supervision Authority (KNF)	from EUR 18,900	From 6 months	4,500 EUR	No annual fee	From 50 000 EUR	Required	Required	Yes	Required
Slovakia	National Bank of Slovakia (NBS)		From 6 months	From 1000 EUR	No annual fee	From 50 000 EUR	Required	Required	Yes	Required
Spain	Comisión Nacional del Mercado de Valores (CNMV)	from EUR 25,900	From 6 months				No	No	No	No

Non-EUR state and annual fees include approximate EUR equivalents based on reference rates used on March 11, 2026.

Minimum Capital

MiCA commonly uses €50,000, €125,000 and €150,000 thresholds depending on the service class. That is the legal floor, not the full prudential story.

Legal and Dossier Preparation

A serious application requires perimeter analysis, token qualification, programme of operations, policy pack drafting, governance mapping, financial model support and regulator-facing responses. Generic templates are one of the fastest ways to trigger RFIs.

People and Substance

Budget for directors, compliance leadership, AML/MLRO function, local office logic where needed, and time commitment of senior management. Regulators increasingly challenge letterbox structures.

Compliance Technology

Travel Rule messaging, sanctions screening, blockchain analytics, case management, secure access control, logging and incident handling are operating requirements, not optional extras.

Banking and Fiat Infrastructure

Many MiCA business models still fail operationally because banking is not arranged in parallel. Account opening, safeguarding arrangements and payment connectivity should be planned before approval, not after.

Three-Year Cost of Ownership

The correct comparison is not filing cost alone. The real metric is whether the chosen home state remains workable over three years for reporting, staffing, product expansion and counterparty acceptance.

Find the Right Home State for a MiCA License

Use the selector to narrow the field by business model, budget, banking needs, target countries, language, and tolerance for local substance and governance depth.

Budget Access route

Setup footprint Minimum capital Priority

MiCA Timeline, Scope and What Changed From Old VASP Registration

MiCA created the first unified EU framework for crypto-asset services, but it did not erase national supervisory differences or adjacent compliance obligations.

MiCA changed the legal baseline from local AML registration to full prudential-style authorisation. Under many pre-MiCA VASP regimes, the regulator mainly tested AML/CFT controls and beneficial ownership. Under MiCA, the NCA also reviews governance, safeguarding, complaints handling, conflicts of interest, outsourcing, ICT security, continuity planning, and whether the management body is genuinely capable of running the business.

The timeline matters. MiCA was published in the Official Journal on 9 June 2023, entered into force on 29 June 2023, applied to ARTs and EMTs from 30 June 2024, and applied to CASPs from 30 December 2024. Transitional regimes may still exist in some member states, but they are country-specific and cannot extend beyond 1 July 2026.

MiCA does not harmonise everything in practice. The rulebook is EU-wide, but supervisory style still differs between authorities such as BaFin, AMF/ACPR, CSSF, MFSA, Central Bank of Ireland, AFM/DNB, Banco de España and Lietuvos bankas. The same business model can face different questions on local directors, outsourcing depth, language of submission, pre-application meetings and evidence of banking readiness.

MiCA also has clear boundaries. It does not apply to crypto-assets that qualify as financial instruments under Directive 2014/65/EU (MiFID II). That boundary is commercially critical. A founder who files under MiCA with a token that is actually a financial instrument may lose months and still end up in the wrong regulatory perimeter.

Best fit

Best for firms targeting EU users, institutional counterparties, payment integrations or long-term European expansion under a recognised regulatory framework.

Less suitable for

Less suitable for founders seeking a low-substance offshore structure, relying on aggressive cross-border marketing from outside the EU, or operating a token that more likely falls under MiFID II or another non-MiCA regime.

Key dates

Publication: 9 June 2023. Entry into force: 29 June 2023. ART/EMT application: 30 June 2024. CASP application: 30 December 2024. Transitional end-stop: 1 July 2026.

Old VASP vs MiCA

Old VASP regimes often focused on AML registration. MiCA requires a fuller operating model with governance, safeguarding, conduct and prudential controls.

Home-state logic

The authorisation is granted by the home-state NCA. ESMA does not issue CASP licences directly, but ESMA remains central through registers, technical standards and supervisory convergence.

Country-by-country reality

Grandfathering, pre-application expectations, language, office substance and review style still vary materially across member states.

See MiCA jurisdictions

Explore MiCA and Related Licensing Jurisdictions

Start with EU home states for MiCA, then compare non-EU alternatives where your strategy requires a different market-access or regulatory profile.

Europe

15 jurisdictions

EU jurisdictions where MiCA passporting, banking access, and supervisory credibility are usually the main decision drivers.

Austria

Regulator: Austrian Financial Market Authority (FMA)
Timeline: From 6 months
Price: from EUR 27,900

Cyprus

Regulator: Cyprus Securities and Exchange Commission (CySEC)
Timeline: From 6 months
Price: from EUR 18,900
Capital: From 50 000 EUR

Czech Republic

Regulator: Czech National Bank (CNB)
Timeline: From 6 months
Price: from EUR 18,900
Capital: From €50,000

Estonia

Regulator: Estonian Financial Supervision Authority (FIU)
Timeline: From 6 months
Capital: From 50 000 EUR

Finland

Regulator: Finanssivalvonta (FIN-FSA)
Timeline: From 6 months
Price: from EUR 21,500

France

Regulator: Autorité des Marchés Financiers (AMF)
Timeline: From 6 months
Price: from EUR 26,800

Germany

Regulator: Federal Financial Supervisory Authority (BaFin)
Timeline: From 6 months
Capital: From 50 000 EUR

Ireland

Regulator: Central Bank of Ireland (CBI)
Timeline: From 6 months
Price: from EUR 23,900
Capital: From 50 000 EUR

Lithuania

Regulator: Bank of Lithuania
Timeline: From 6 months
Price: from EUR 19,900
Capital: From 50 000 EUR

Luxembourg

Regulator: Commission de Surveillance du Secteur Financier (CSSF)
Timeline: From 6 months
Price: from EUR 34,900

Malta

Regulator: Malta Financial Services Authority (MFSA)
Timeline: From 6 months
Price: from EUR 23,900
Capital: From 50 000 EUR

Netherlands

Regulator: Netherlands Authority for the Financial Markets (AFM)
Timeline: From 6 months
Price: from EUR 28,900

Poland

Regulator: Polish Financial Supervision Authority (KNF)
Timeline: From 6 months
Price: from EUR 18,900
Capital: From 50 000 EUR

Slovakia

Regulator: National Bank of Slovakia (NBS)
Timeline: From 6 months
Capital: From 50 000 EUR

Spain

Regulator: Comisión Nacional del Mercado de Valores (CNMV)
Timeline: From 6 months
Price: from EUR 25,900

MiCA Application Dossier: What Documents You Actually Need

A MiCA file is a structured authorisation dossier, not a bundle of templates. The regulator expects consistency between the business model, governance, financials, outsourcing map, and technical controls.

Corporate documents

1

Programme of Operations

The core operational narrative of the application: services requested, target clients, geographic scope, onboarding flow, execution model, safeguarding logic, outsourcing structure and launch plan.

Corporate Prepared by: Client with legal and licensing support

2

Corporate, Shareholder and Fit-and-Proper Files

Constitutional documents, ownership chart, UBO evidence, CVs, criminal-record and integrity materials, time-commitment evidence, conflict disclosures and proof that the management body is fit and proper.

Corporate Prepared by: Client and corporate services team

Financial evidence

1

Business Plan and Three-Year Financial Forecast

A three-year plan showing revenue model, cost base, capital adequacy, funding assumptions, fixed overhead resilience and realistic growth metrics. Regulators often challenge unrealistic customer-acquisition assumptions.

Financial Prepared by: Management with legal and finance support

Compliance documents

1

AML/CFT and Sanctions Framework

Customer due diligence, enhanced due diligence, transaction monitoring, suspicious activity escalation, sanctions screening, risk scoring and governance over high-risk customers and jurisdictions.

Compliance Prepared by: Compliance lead or external compliance provider

2

Travel Rule / TFR Procedures

Operational procedures for originator and beneficiary data exchange under Regulation (EU) 2023/1113, including counterparty workflows, unhosted wallet controls, exception handling and data governance.

Compliance Prepared by: Compliance and operations team

3

Safeguarding and Client Asset Controls

Segregation model, wallet structure, reconciliation process, client-asset records, access control, liability logic, incident handling and restrictions on use of client assets for own account.

Compliance Prepared by: Operations, legal and custody architecture team

4

Outsourcing Policy and Third-Party Register

A map of outsourced functions, critical providers, contractual controls, audit rights, concentration risk, exit planning and retained internal oversight. Weak outsourcing governance is one of the most common MiCA pain points.

Compliance Prepared by: Legal and operations team

Technical and control documents

1

ICT Security and DORA-Aligned Control Set

System architecture, access management, logging, backup, recovery, vulnerability handling, incident classification, third-party ICT oversight, cloud dependencies and business continuity logic.

Technical Prepared by: Technical lead with security and legal input

MiCA Does Not Work Alone: Governance, Safeguarding, TFR, DORA and Ongoing Compliance

A MiCA licence solves the authorisation question, not the operating-model question. The sustainable compliance stack combines MiCA conduct rules with AML/CFT, TFR, DORA, sanctions controls, outsourcing governance and GDPR data discipline.

01

Local Substance and Management Body

MiCA expects a real EU establishment, an effective management body and defensible control over the licensed activity. In practice, regulators test whether directors understand the business model, challenge outsourcing, and can evidence time commitment rather than merely lend names to the file.

Typical failure

The company presents nominee-style governance, unclear reporting lines, or a board that cannot explain safeguarding, revenue logic or incident escalation in regulator interviews.

Why it matters

MiCA is explicitly anti-letterbox in supervisory logic. Weak substance can delay approval even where the paperwork looks polished.

02

Safeguarding, Segregation and Reconciliation

Client assets must be identifiable, segregated and controlled through a reliable operating model. For custody-heavy firms, regulators increasingly ask how private keys are governed, whether HSM or MPC architecture is used, how hot and cold wallet thresholds are set, and how reconciliation breaks are escalated.

Typical failure

The policy says assets are segregated, but the ledger design, wallet architecture or reconciliation cadence does not prove that segregation operationally exists.

Why it matters

Safeguarding is one of the clearest areas where the regulator distinguishes a real operator from a paper application.

03

Travel Rule / TFR Operations

Under Regulation (EU) 2023/1113, CASPs must implement originator and beneficiary data collection and transmission for relevant crypto transfers. That usually means workflow design with Travel Rule vendors, use of standards such as IVMS101, counterparty due diligence and controls for transfers involving unhosted wallets.

Typical failure

The firm treats the Travel Rule as an AML note rather than a live data-exchange process, with no tested vendor integration or exception management.

Why it matters

Without TFR readiness, cross-CASP transfer operations can become non-compliant even after the MiCA licence is granted.

04

DORA and ICT Risk Management

Regulation (EU) 2022/2554 (DORA) made ICT governance, incident reporting, resilience testing and third-party ICT oversight central to financial-sector operations. Even where the exact firm-level application needs careful analysis, MiCA regulators increasingly expect DORA-style maturity in access control, logging, backup, recovery and cloud outsourcing oversight.

Typical failure

Security policies are generic, vendors are not risk-ranked, incident response is not linked to escalation governance, and no one owns the control framework end to end.

Why it matters

MiCA files are increasingly judged on operational resilience, not only on legal drafting.

05

Conduct Rules, Complaints and Marketing Communications

CASPs must act honestly, fairly and professionally in the best interests of clients. Marketing communications must be fair, clear and not misleading. Complaint handling, conflict management and disclosure discipline are not peripheral; they are core conduct requirements.

Typical failure

Websites use unqualified claims such as 'guaranteed returns', 'fully protected assets' or 'EU regulated everywhere' without legal basis or without matching the actual permissions granted.

Why it matters

Conduct failures create both supervisory and reputational risk. They also surface quickly in regulator reviews of customer journey and website copy.

06

Why MiCA Applications Get Delayed

The most common delay drivers are weak token qualification, generic policy packs, unclear outsourcing, unrealistic financial forecasts, no real safeguarding proof, incomplete fit-and-proper files, poor Travel Rule readiness and an overreliance on reverse solicitation for non-EU strategy.

Typical failure

Management assumes the application is mainly a legal filing and underestimates the evidence needed to prove control over the post-approval operating model.

Why it matters

The regulator is authorising a live business, not approving a concept deck.

Who Regulates a MiCA License

MiCA is an EU regulation, but the authorisation process is still home-state based. The practical supervisory environment therefore combines EU institutions, technical standard setters and national regulators.

Regulator

European Commission, Parliament and Council

MiCA was adopted through the EU legislative process, not created by a single supervisory agency. The European Commission, European Parliament and Council of the European Union form the legal backbone of the regime.

Key takeaway: MiCA is primary EU law. Any serious analysis should start with the regulation text itself and then move to technical standards and local supervisory practice.

Official source

Regulator

ESMA

The European Securities and Markets Authority drives supervisory convergence, maintains relevant registers and develops level-2 measures and guidance that shape how MiCA works in practice for CASPs and market participants.

Key takeaway: ESMA does not issue CASP licences directly, but ESMA guidance heavily influences what NCAs ask for in the application and post-authorisation phase.

Official source

Regulator

EBA and ECB

The European Banking Authority is particularly important for stablecoin-related areas, prudential expectations and technical standards. The European Central Bank becomes relevant especially where EMTs, payment-system implications or significant token issues intersect with monetary and financial stability concerns.

Key takeaway: For ART and EMT projects, EBA and ECB relevance increases materially beyond the standard CASP analysis.

Official source

Regulator

National Competent Authorities

The home-state NCA receives the file, runs the completeness check, conducts the substantive review, asks RFIs and grants or refuses authorisation. Examples include BaFin, AMF/ACPR, CSSF, MFSA, Central Bank of Ireland, AFM/DNB, CNMV/Banco de España and Lietuvos bankas.

Key takeaway: The same MiCA text can lead to meaningfully different review experiences depending on the home-state authority.

Official source

Regulator

Adjacent Regulators and Frameworks

MiCA firms also operate under adjacent frameworks including TFR, AML/CFT supervision, sanctions enforcement, data protection authorities under GDPR, and potentially payment or securities regulators where the product crosses into EMT, e-money or MiFID II territory.

Key takeaway: A MiCA project should be managed as a multi-regime compliance programme, not as a single licence filing.

Official source

Banking, Safeguarding and Fiat Rails for MiCA Firms

For many CASPs, banking is the real launch bottleneck. A MiCA authorisation improves credibility, but it does not automatically solve account opening, safeguarding arrangements or payment connectivity.

1

Start Banking Workstreams Early

Parallel work on banking, safeguarding and payment rails usually saves months. Waiting until after authorisation often delays real go-live more than the regulator review itself.

2

Banks Look Beyond the Licence

Banks and EMIs typically ask for the same fundamentals the regulator tests: business model clarity, UBO transparency, AML controls, sanctions governance, target markets and realistic transaction flows.

3

Custody Models Need Stronger Evidence

Where the CASP safeguards client assets or handles fiat interfaces, counterparties often ask for deeper evidence on wallet governance, reconciliation, source-of-funds controls and client-money logic.

4

Payment Services Perimeter Still Matters

Some crypto-fiat models create overlap with EMI, PI or payment-services questions. A MiCA licence is not a substitute for every fiat-facing permission that may be required.

5

Choose the Home State With Bankability in Mind

A jurisdiction that looks fast on paper can become expensive if local or cross-border banking remains weak. In practice, bankability is often one of the decisive factors in home-state selection.

MiCA Application Process Step by Step

The real MiCA process starts before filing. Most delays come from weak perimeter analysis, incomplete governance design, poor outsourcing logic, or a dossier that looks assembled rather than operationally coherent.

1

1-3 weeks

Scoping and Token Qualification

Define exactly which MiCA services are triggered, whether any token may be a financial instrument under MiFID II, whether issuer rules also apply, and whether the model includes custody, platform operation, advice, placement or transfer services.

2

1-3 weeks

Jurisdiction Choice and Pre-Application Strategy

Choose the home state based on regulator style, language, banking access, staffing reality, transition status and target-market fit. In many cases, a pre-application discussion materially improves the filing strategy.

3

2-6 weeks

Entity Setup and Governance Design

Incorporate the legal entity, define shareholder and UBO structure, appoint directors and control functions, and establish the governance map the regulator will expect to see in practice.

4

1-4 weeks

Capital and Financial Planning

Evidence the required capital, prepare the three-year financial forecast, explain revenue logic, stress assumptions and fixed overhead resilience, and align the funding plan with the actual launch model.

5

4-10 weeks

Document Package Preparation

Prepare the programme of operations, business plan, AML/CFT framework, safeguarding model, outsourcing policy, ICT security package, complaints process, conflict controls, continuity planning and all shareholder and management files.

6

1 week

Application Filing

Submit the dossier to the home-state NCA. The authority first tests completeness. Under MiCA, the completeness check is generally up to 25 working days, but an incomplete file can reset momentum quickly.

7

2-5 months

Regulator Review and RFI Rounds

The substantive assessment is generally around 40 working days, with possible extensions and practical delays where the NCA sends requests for information, asks for policy rewrites, interviews management or challenges outsourcing and safeguarding assumptions.

8

2-6 weeks

Approval, Register Entry and Passporting

After authorisation, the firm can move to passporting notification and operational launch. Approval is not the same as readiness: banking, Travel Rule workflows, incident reporting and client-asset controls must still be live before onboarding customers.

About Our Company

Why Regulated United Europe?

Regulated United Europe OÜ (RUE) is a European legal consulting firm specializing in financial licensing, company formation, and regulatory compliance. Since 2016, we have helped hundreds of businesses obtain crypto, gambling, forex, and EMI/PSP licenses across 35+ jurisdictions.

With offices in four EU countries and a team of experienced lawyers, we provide end-to-end support — from initial consultation and company registration to license acquisition and ongoing compliance management.

500+

Clients Served

35+

Jurisdictions

Since 2016

Years in Business

4

EU Offices

⚖️

Licensed Legal Practice

Fully registered and regulated EU company with partnerships across major financial centers.

🌐

Multilingual Team

Our experts speak English, German, Russian, Chinese, and 12+ other languages for global client support.

🔑

Turnkey Solutions

From company registration to license acquisition and compliance — we handle the entire process end-to-end.

📞

Dedicated Support

Personal consultant assigned to each client. Direct communication channels, no call centers.

🇪🇪 Tallinn, Estonia

🇱🇹 Vilnius, Lithuania

🇨🇿 Prague, Czech Rep.

🇵🇱 Warsaw, Poland

Tax, Substance and Why the Cheapest MiCA Setup Can Become the Most Expensive

MiCA jurisdiction choice should never be made on tax alone. For crypto businesses, tax outcome, management location, local office logic, transfer pricing, VAT exposure and banking reality must be assessed together.

Substance note

A low-tax or low-cost structure without defensible management and operational substance can fail under both regulatory and tax scrutiny. For MiCA businesses, substance is not only a tax issue; it is also a licensing credibility issue.

Corporate Tax Is Only One Variable

A lower headline tax rate may look attractive, but it can be outweighed by higher staffing costs, slower regulator interaction, weaker bankability or heavier local operating requirements.

Management and Control Matter

If strategic decisions are taken outside the claimed home state, the tax and regulatory narrative can diverge. MiCA filings should be aligned with where the business is genuinely directed and controlled.

Crypto-Fiat Models Need VAT and Payment Analysis

Some business models create VAT, payment-services or e-money questions alongside MiCA. Tax planning should therefore be coordinated with product qualification, not done afterwards.

Transfer Pricing and Group Structures

Where a MiCA entity sits inside a wider group, regulators and tax authorities may both ask what functions are really performed locally and what is outsourced to affiliates.

Accounting and Audit Readiness

A MiCA business should plan accounting, recordkeeping and auditability from day one. Weak finance infrastructure often becomes visible during prudential review and later during supervisory reporting.

Use Effective Three-Year Outcome

The right comparison is the three-year operating outcome across tax, staffing, compliance, banking and expansion cost, not the cheapest incorporation package.

Which Firms Are in Scope — and Which Are Not

MiCA applies where a legal or natural person provides regulated crypto-asset services professionally in the EU. Typical in-scope firms include exchanges, brokers, custodians, trading platforms, order-routing businesses, transfer service providers, crypto advisers and crypto portfolio managers. One company often needs authorisation for multiple services because the commercial model combines exchange, custody, order execution and transfer functions.

MiCA does not apply to everything labelled “crypto”. Crypto-assets that qualify as financial instruments remain outside MiCA and inside the MiFID II perimeter. Central bank-issued assets are outside MiCA. Some NFTs may fall outside where they are genuinely unique and non-fungible, but fractionalisation, series issuance or economic standardisation can move them back toward regulation. DeFi is not automatically exempt either: where there is an identifiable operator, front-end control, governance concentration or fee-taking intermediary layer, regulators may still find a regulated person in the structure.

The practical test is not branding but function. If your platform controls private keys, executes client instructions, routes orders, matches buyers and sellers, or markets crypto-asset services into the EU, you should assume a perimeter analysis is required. RUE usually treats token qualification and service mapping as the first workstream before any home-state filing strategy is chosen.

Related reading: MiCA regulation for crypto asset service provider (CASP), MiCA regulation for Tokens, MiCA regulation for Non-Fungible Token (NFT), MiCA regulation for Decentralised Finance.

Discuss Your Perimeter

CASP Capital Thresholds Under MiCA

Class	Typical service profile	Minimum capital
Class 1	Lower-intensity services such as advice, reception and transmission of orders, portfolio management, transfer or placement in narrower models	€50,000
Class 2	Services such as custody and administration, exchange of crypto-assets for funds or for other crypto-assets, execution of orders in relevant models	€125,000
Class 3	Operation of a trading platform for crypto-assets	€150,000

Why Minimum Capital Is Not Enough in Practice

The minimum capital threshold is only the legal entry floor. In real MiCA reviews, the regulator also tests whether the company has enough own funds, liquidity runway and operational resilience to survive the first years of business. A file can meet the formal capital threshold and still look weak if the forecast assumes unrealistic trading volume, underprices compliance cost, or ignores banking friction and vendor spend.

Prudential credibility usually depends on four things.

A defensible three-year financial forecast with realistic customer acquisition and revenue assumptions.
Evidence that the business can absorb fixed overheads and not collapse after launch delays.
Insurance or alternative risk-mitigation logic where the model creates custody, cyber or operational exposure.
Clear funding support from shareholders, especially where the first 12 months are expected to be loss-making.

Regulators increasingly read the financial model as a governance document. If the budget does not include Travel Rule tooling, blockchain analytics, compliance staffing, security testing, audit and local management cost, the authority may conclude that management does not understand the real control burden of the licensed activity.

RUE usually aligns MiCA capital planning with accounting, banking and group-structure workstreams from the start. See also Accounting services, Crypto Business Bank Account and Preparation of compliance documents for MiCA application.

Plan Your MiCA Budget

Top 8 Red Flags Regulators Notice First

Weak substance

Board and senior managers cannot evidence real control, time commitment or EU operational presence.

Generic policies

Template documents do not match the actual product, customer flow, wallet model or outsourcing chain.

Unclear outsourcing

Critical vendors are not mapped, monitored or backed by exit planning and retained oversight.

Poor financials

Forecasts understate compliance cost, overstate growth or ignore funding runway and fixed overhead resilience.

No safeguarding proof

Segregation is asserted in policy but unsupported by ledger design, wallet governance or reconciliations.

Weak AML and TFR stack

CDD, sanctions, KYT and Travel Rule operations are described but not operationally implemented.

Token misclassification

The project assumes MiCA applies without properly testing MiFID II, EMT or issuer-side boundaries.

Unrealistic go-live plan

Approval is treated as launch readiness even though banking, vendors and control functions are not live.

MiCA for Token Issuers: White Papers, Exemptions and Stablecoin Boundaries

MiCA issuer rules are separate from CASP authorisation and should not be collapsed into one analysis. If you are offering crypto-assets to the public or seeking admission to trading in the EU, a white paper may be required unless an exemption applies. Common exemptions include offers addressed to fewer than 150 persons per member state, offers where the total consideration does not exceed €1 million over 12 months, or offers addressed solely to qualified investors. For certain retail offers, MiCA also introduced a 14-day withdrawal right before admission to trading or the relevant triggering event.

ARTs and EMTs are a separate intensity level. EMTs are designed to reference one official currency and carry redemption-at-par logic. ARTs reference other assets, rights or combinations. Both categories are subject to much heavier issuer-side controls than ordinary non-ART/EMT crypto-assets, including reserve, governance, disclosure and supervisory requirements. The role of EBA and, in some cases, ECB becomes more prominent where significance and monetary implications arise.

Algorithmic stablecoins do not fit cleanly into MiCA’s ART/EMT architecture. That is the practical reason many simplistic summaries are misleading. A model that claims stability without the reserve and redemption structure required by MiCA may not have a viable regulated stablecoin path at all.

Related pages: MiCA regulation for Asset-referenced Token (ART), MiCA regulation for Electronic Money Token (EMT), MiCA regulation for stable coin, MiCA regulation for Tokenisation.

Assess Your Token Structure

Reverse Solicitation Is Narrow and Often Misused

Reverse solicitation is not a substitute for a MiCA licence. The exemption applies only where the EU client approaches the third-country firm on the client’s exclusive initiative. It is undermined quickly by EU-facing marketing, local-language landing pages, paid acquisition, affiliate funnels, EU sales staff, retargeting campaigns or onboarding flows designed for EU residents.

The practical red flag is pattern, not wording. A disclaimer saying “we do not target the EU” will not rescue a business that clearly markets into the EU. Regulators look at conduct: website localisation, SEO targeting, app-store availability, webinars, conference activity, referral arrangements and CRM records can all become evidence.

For non-EU firms, the safer route is usually one of two models: either obtain an EU home-state MiCA authorisation, or ring-fence EU activity so strictly that the reverse-solicitation argument remains exceptional rather than structural.

MiCA Compliance Stack Beyond the Licence

Layer	Main legal source	What it changes operationally
CASP authorisation	Regulation (EU) 2023/1114	Service perimeter, governance, safeguarding, conduct, prudential controls, passporting
Travel Rule	Regulation (EU) 2023/1113	Originator/beneficiary data exchange, inter-CASP workflows, unhosted wallet controls
ICT resilience	Regulation (EU) 2022/2554	ICT risk governance, incident reporting, third-party ICT oversight, resilience testing
Data protection	Regulation (EU) 2016/679	Lawful basis, minimisation, retention, data subject rights, cross-border transfer controls
Securities boundary	Directive 2014/65/EU	Determines whether the token or service is outside MiCA and inside MiFID II

MiCA Readiness Starts With Qualification, Not With Templates

The fastest way to lose time is to draft the dossier before confirming the legal perimeter. RUE usually starts MiCA projects with service mapping, token qualification, jurisdiction scoring, governance design and gap analysis against the real operating model.

If your company is moving from a legacy VASP registration, launching a new exchange, adding custody, or entering the EU from a third country, we can help structure the file, prepare the compliance package, coordinate banking and align the launch plan with regulator expectations.

Useful internal pages: MiCA regulation for Crypto Assets, CASP License – How to Get a Crypto Asset Service Provider License, Preparation of compliance documents for MiCA application, High-Risk Business Bank Account.

Request MiCA Roadmap

Frequently Asked Questions

Is a MiCA license mandatory for all crypto companies in the EU? +

No. It is mandatory for firms that provide regulated crypto-asset services within MiCA scope. Some activities fall outside MiCA, including financial instruments under MiFID II, certain central bank-issued assets, and some edge-case NFT or DeFi structures. Scope must be analysed case by case.

Can a non-EU company obtain a MiCA license? +

Yes, but usually through establishing an EU legal entity with real substance and applying to a home-state NCA. Reverse solicitation is narrow and should not be treated as a long-term EU market-entry strategy.

How long does MiCA authorisation take in practice? +

The legal review framework includes a completeness check of up to 25 working days and a substantive assessment generally around 40 working days, subject to extensions and RFIs. In practice, end-to-end preparation and approval often takes 3-6+ months, and complex files can take longer.

What is the difference between MiCA and an old VASP registration? +

Old VASP regimes were often AML-registration models. MiCA is a fuller authorisation regime covering governance, safeguarding, conduct, prudential planning, outsourcing and passporting across the EU.

Can one MiCA licence be passported across the EU? +

Yes. A CASP authorised in one EU home state can generally provide services across the EU and EEA through the MiCA notification framework, rather than obtaining a separate full licence in each member state.

What are the MiCA capital requirements for CASPs? +

The common minimum capital thresholds are €50,000, €125,000 and €150,000 depending on the service class. The regulator will also review whether the wider funding and prudential model is credible.

Does MiCA apply to DeFi, NFTs and DAOs? +

Not automatically. A genuinely decentralised arrangement may fall outside MiCA, but many projects marketed as DeFi or DAO still have identifiable operators, front-end control, treasury governance or fee-taking structures that create regulatory touchpoints. NFTs may also move into scope where issued in series or economically standardised.

Do token issuers need a white paper under MiCA? +

Often yes, unless an exemption applies. Important exemptions include offers to fewer than 150 persons per member state, total consideration of €1 million or less over 12 months, or offers addressed solely to qualified investors.

What is reverse solicitation under MiCA? +

It is a narrow exemption allowing a third-country firm to provide a service at the exclusive initiative of the client. It is usually defeated by EU-targeted marketing, localised websites, affiliate campaigns or other evidence of active solicitation.

What happens if a firm operates without required authorisation? +

The consequences can include fines, cease-and-desist measures, removal from the market, bank account closures, partner offboarding and serious reputational damage.

Are there transitional regimes after 30 December 2024? +

Yes, in some member states, but they are national and conditional. They cannot extend beyond 1 July 2026. A firm should confirm the local position in its intended home state rather than rely on general market summaries.

Are there ongoing activity requirements after approval? +

Yes. As a rule, the CASP should begin the licensed activity within 12 months of authorisation and may lose the authorisation if it does not use it or ceases licensed activity for more than 9 months, subject to the regulation and local supervisory handling.

Need a Practical MiCA Licensing Strategy?

RUE helps crypto businesses structure MiCA authorisation from perimeter analysis to filing, regulator Q&A, banking coordination and post-approval compliance design. We work across licensing, AML/CFT, GDPR, corporate setup, accounting and high-risk banking support in Europe.

Request Consultation View MiCA Jurisdictions

Free Consultation

Get Expert Guidance on Your License

Our specialists will analyze your specific case, recommend the optimal jurisdiction and license type, and provide a detailed roadmap with timeline and costs.

📞 Schedule a Free Call 📧 Send an Inquiry

📱 +372 56 966 260 ✉️ [email protected] 🕐 Mon–Fri, 9:00–18:00 CET

🔒 Confidential • No obligation • Response within 24 hours

Regulated United Europe OÜ

Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia

Company in Lithuania UAB

Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25-702, Vilnius, 09320, Lithuania

Company in Czech Republic s.r.o.

Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perstyne 342/1, Prague

Company in Poland Sp. z o.o.

Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, Warsaw, 00-824, Poland

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

Main Services

Terms of Cooperation

Regulated United Europe