In 2026, crypto businesses in Slovakia operate in a full MiCA environment: legacy VASP-style positioning is no longer enough, CASP authorisation is the core entry route for regulated crypto-asset services, TFR applies to crypto transfers, DORA applies to ICT resilience, and post-authorisation operations must be built for supervision by the National Bank of Slovakia (NBS) and AML oversight under Slovak law.
In 2026, crypto businesses in Slovakia operate in a full MiCA environment: legacy VASP-style positioning is no longer enough, CASP authorisation is the core entry route for regulated crypto-asset services, TFR applies to crypto transfers, DORA applies to ICT resilience, and post-authorisation operations must be built for supervision by the National Bank of Slovakia (NBS) and AML oversight under Slovak law.
This page is an information resource, not legal or tax advice. Slovak perimeter, tax treatment, token classification, and passporting analysis depend on the exact business model, client base, and operational setup.
Key regulatory facts, timeline markers, and practical next steps for a fast initial read.
ART and EMT rules became applicable before the full CASP regime.
Crypto-asset service authorisation and Travel Rule architecture became live at EU level.
CASPs need ICT risk, incident, outsourcing, and resilience controls that stand up to supervisory review.
Legacy grandfathering logic is no longer a forward-looking compliance strategy in Slovakia.
Market entry now turns on fresh authorisation, valid EU passporting, or a defensible perimeter analysis.
Slovakia is no longer a jurisdiction where crypto businesses can rely on legacy VASP terminology or generic trade-licence narratives. In 2026, the operating framework is defined by MiCA, TFR, DORA, Slovak AML/CFT law, and the supervisory role of the National Bank of Slovakia. A business that performs regulated crypto-asset services in or from Slovakia generally needs CASP authorisation unless it can clearly document that it falls outside MiCA scope or lawfully passports from another EU Member State. The real compliance burden is broader than the licence itself: NBS will care about governance, fit and proper evidence, safeguarding, outsourcing, source of funds, complaints handling, and service-specific controls, while AML teams must operationalise sanctions screening, blockchain analytics, Travel Rule data exchange, and suspicious transaction reporting. The practical mistake founders make most often is treating minimum capital as the full cost of entry; in reality, launch readiness depends on a combined budget for prudential capital, local substance, AML tooling, Travel Rule infrastructure, ICT controls, legal drafting, translations, and ongoing reporting.
The short answer is that Slovakia is now operating in a full post-transition EU crypto regime. Since 30 December 2024, MiCA has applied to CASPs and TFR has applied to crypto transfers; since 17 January 2025, DORA has applied to ICT resilience; and since the MiCA transition window ended on 30 December 2025, the market in 2026 must be analysed on a live-authorisation basis rather than a future-deadline basis. That changes both legal messaging and operational reality. In practice, old pages that still sell a Slovak ‘VASP registration’ as if it were the current market-entry route are outdated. The relevant question now is whether the business is authorised as a CASP, lawfully passporting from another EU state, or relying on a defensible perimeter position outside MiCA. The second major change is supervisory depth: NBS review is not only about corporate paperwork, but about whether management can evidence effective direction, whether outsourcing is controlled, whether safeguarding and reconciliations are credible, and whether AML and Travel Rule workflows are operational rather than aspirational.
| Topic | Legacy Approach | Current Approach |
|---|---|---|
| Market entry label | VASP-style setup, local registration language, trade-licence framing | MiCA CASP authorisation or valid EU passporting into Slovakia |
| Regulatory focus | AML-heavy entry logic with lighter prudential framing | Integrated MiCA + AML + TFR + DORA operating model |
| Transfer compliance | KYC and wallet screening discussed at a high level | Travel Rule data exchange, hosted/unhosted wallet controls, sanctions screening, audit trail |
| ICT expectations | Generic cybersecurity statements | DORA-grade ICT risk management, incident response, third-party risk, BCP/DRP evidence |
| Transition narrative | Prepare before the future deadline | Assess current legality after the 30 December 2025 transition end |
| Cost assumptions | Minimum capital presented as the main cost driver | Total launch budget includes capital, substance, tooling, legal drafting, translations, and recurring compliance |
The legal framework is an EU-first stack with Slovak supervisory and AML implementation layers. For a CASP, the core analysis starts with MiCA for authorisation and conduct, TFR for transfer data and Travel Rule obligations, DORA for ICT resilience, and Slovak AML/CFT law for customer due diligence, monitoring, recordkeeping, and suspicious transaction reporting. A second layer matters for tax and reporting architecture: DAC8 is relevant to future tax information exchange design, while Slovak accounting and tax rules determine how crypto-related revenues, holdings, fees, and disposal events are booked and taxed. A third layer matters for perimeter: some tokens or activities may fall under financial instruments law, e-money law, or other sectoral regimes rather than MiCA alone.
| Law / Regime | Scope | Applies To | Why It Matters |
|---|---|---|---|
| Regulation (EU) 2023/1114 - MiCA | Authorisation and conduct regime for crypto-asset service providers; issuer rules for ARTs, EMTs, and certain public offerings | CASPs, ART issuers, EMT issuers, offerors and admission-to-trading actors within scope | Defines the 10 regulated crypto-asset services, capital classes, governance standards, safeguarding duties, complaints handling, conflicts, and EU passporting logic |
| Regulation (EU) 2023/1113 - TFR | Transfer-of-funds framework extended to transfers of crypto-assets | CASPs involved in crypto transfers | Drives Travel Rule data collection, transmission, sanctions screening, counterparty controls, and traceability of originator/beneficiary information |
| Regulation (EU) 2022/2554 - DORA | Digital operational resilience, ICT risk management, incident reporting, testing, and third-party risk | Financial entities in scope, including CASPs under the EU framework | Requires evidence of ICT governance, asset inventory, incident classification, business continuity, disaster recovery, and oversight of cloud/KYC/wallet vendors |
| Act No. 297/2008 Coll. (Slovak AML law), as amended | AML/CFT obligations, customer due diligence, suspicious transaction reporting, record retention, internal controls | Obliged entities under Slovak law, including relevant crypto businesses | MiCA authorisation does not replace AML duties; Slovak AML controls still govern onboarding, monitoring, escalation, and FIU reporting |
| Council Directive (EU) 2023/2226 - DAC8 | Tax reporting and exchange-of-information architecture for crypto-assets and e-money | Relevant reporting crypto-asset service providers and tax administration frameworks | Affects data architecture, record design, and future reporting readiness even where implementation detail is still operationally evolving |
| Slovak Commercial Code, Accounting Act, Income Tax rules | Corporate formation, bookkeeping, financial statements, tax treatment | Slovak entities and foreign entities with relevant local nexus | Determines legal form, financial reporting, capital evidence, and tax treatment of fees, holdings, and crypto-related transactions |
The regulator map is split by function, not by marketing label. NBS handles authorisation, prudential and conduct supervision under MiCA. The Slovak Financial Intelligence Unit (FIU) is relevant for AML/CFT reporting and suspicious transaction escalation. At EU level, ESMA and EBA shape the rulebook through RTS, ITS, guidelines, Q&A, and convergence work, while the European Commission drives Level 1 legislation and delegated measures. For a real launch, that means the business must be able to answer four different supervisory questions at once: is the service in scope, is management fit and proper, is the AML system effective, and is the ICT stack resilient enough to survive DORA scrutiny.
Authorisation, supervisory review, governance assessment, ongoing oversight, enforcement within its competence
CASP application, change in business model, ongoing reporting, supervisory inquiry, incident or safeguarding concern
AML/CFT intelligence, suspicious transaction reporting interface, AML enforcement touchpoints
Suspicious activity, sanctions concerns, AML control failures, reporting obligations under Slovak AML law
MiCA convergence, technical standards, guidance, supervisory coordination
Interpretation of MiCA service perimeter, reporting standards, conduct and disclosure expectations
Technical standards and guidance, especially where prudential, safeguarding, or stablecoin issues intersect
ART/EMT issues, prudential and governance implementation, cross-sector consistency
EU legislative framework and delegated acts
Changes to Level 1 and Level 2 regulation affecting CASPs and issuers
If a business performs a regulated crypto-asset service in or from Slovakia, the starting assumption in 2026 is that CASP authorisation is required unless a careful perimeter analysis shows otherwise. The most common in-scope models are custody, exchange, brokerage-style execution, order routing, platform operation, transfer services, advice, and portfolio management. Founders often misclassify themselves by product label: calling a model a ‘wallet app’, ‘OTC desk’, ‘launchpad’, or ‘API infrastructure’ does not decide the legal perimeter. NBS and EU supervisors will look at the actual function performed, who controls client assets or orders, whether the firm intermediates execution, and whether the firm provides a service to third parties on a professional basis.
Custody and administration of crypto-assets on behalf of clients
Usually requires authorisation
Operation of a trading platform for crypto-assets
Usually requires authorisation
Exchange of crypto-assets for funds
Usually requires authorisation
Exchange of crypto-assets for other crypto-assets
Usually requires authorisation
Execution of orders for crypto-assets on behalf of clients
Usually requires authorisation
Placing of crypto-assets
Usually requires authorisation
Reception and transmission of orders for crypto-assets on behalf of clients
Usually requires authorisation
Providing advice on crypto-assets
Usually requires authorisation
Providing portfolio management on crypto-assets
Usually requires authorisation
Providing transfer services for crypto-assets on behalf of clients
Usually requires authorisation
| Business Model | MiCA Relevance | Adjacent Regimes | Practical Answer |
|---|---|---|---|
| Custodial wallet with key control and client asset administration | Directly aligned with custody and administration service | AML, TFR, DORA, safeguarding, outsourcing | Usually requires CASP authorisation |
| Broker or exchange converting crypto to fiat or crypto to crypto | Exchange service and often execution/order handling | AML, TFR, sanctions screening, tax reporting architecture | Usually requires CASP authorisation |
| Non-custodial software provider with no control over assets or orders | May fall outside CASP scope depending on facts | Consumer law, data protection, cyber risk, possible AML edge cases | Needs perimeter analysis; not automatically in scope |
| Treasury management or proprietary trading using only own balance sheet | May fall outside client-service perimeter | Corporate, tax, market abuse analogies, financial instruments analysis | Case-by-case; not every proprietary strategy is a CASP service |
| Token issuance with public marketing and admission-to-trading plan | May trigger issuer and white paper obligations beyond CASP rules | ART/EMT analysis, consumer disclosures, financial instruments perimeter | CASP review alone is insufficient |
Token classification is a legal substance exercise, not a branding exercise. In Slovakia, as elsewhere in the EU, the first question is not whether a token is called ‘utility’, ‘payment’, or ‘community token’, but whether it is a crypto-asset under MiCA, an ART, an EMT, a financial instrument, or a structure outside MiCA scope. That classification matters because a business may need one regulatory analysis for its services and another for the token itself. A custody or exchange platform can be a CASP even if the listed token is outside MiCA; equally, a token issuer can trigger white paper or stablecoin rules even if it is not itself operating a full exchange.
| Category | Core Feature | Typical Trigger |
|---|---|---|
| Crypto-asset under MiCA | Digital representation of value or rights transferable and storable electronically using DLT or similar technology | Starting point for MiCA perimeter unless excluded or reclassified under another regime |
| Asset-referenced token (ART) | Purports to maintain stable value by referencing another value, right, or combination including currencies or assets | Special issuer regime under MiCA effective from 30 June 2024 |
| E-money token (EMT) | Purports to maintain stable value by referencing one official currency | Special issuer regime linked to e-money logic and MiCA stablecoin rules |
| Other crypto-assets | Crypto-assets that are not ARTs or EMTs but may still fall within MiCA | May require white paper analysis or CASP service analysis depending on activity |
| Financial instruments / excluded assets | Tokens that qualify under existing financial services law or fall under MiCA exclusions | Requires separate legal perimeter review outside standard CASP framing |
Yes: Proceed to ART/EMT/other crypto-asset analysis and then assess service activity
No: Check financial instruments law, e-money law, or other excluded regimes
Yes: Assess whether it is an ART or EMT and whether issuer obligations apply
No: Continue with other crypto-asset or excluded-asset analysis
Yes: Assess the 10 MiCA crypto-asset services for CASP authorisation
No: A pure issuer or proprietary holding model may require a different analysis
Yes: Document who controls governance, interfaces, fees, upgrades, and client touchpoints
No: Assume a conventional regulated intermediary analysis is likely
The transition story matters only as legacy context. The practical position in 2026 is that the MiCA transition window ended on 30 December 2025, so old Slovak market language built around ‘VASP registration’ no longer describes the current authorisation standard for ongoing regulated crypto-asset services. That does not mean every pre-2026 operator automatically became unlawful on a single narrative basis; it means the legal analysis now turns on whether the operator obtained authorisation, relied on a valid transitional mechanism while available, ceased the in-scope activity, or moved to a passported model from another EU state. For due diligence, this is critical: acquirers, banking partners, and institutional counterparties increasingly ask for evidence of current MiCA status rather than historical registration paperwork.
Many providers marketed local VASP-style setups; the EU end-state was not yet fully live
Stablecoin-related issuer analysis became urgent earlier than the full CASP regime
Authorisation, conduct, and Travel Rule architecture became the operational baseline
ICT governance and third-party risk moved from best practice to a regulated expectation
Legacy operators needed to resolve authorisation, exit, or restructuring before the window closed
NBS and counterparties focus on current authorisation status, passporting validity, and operating controls
Legacy VASP-style references may still appear in older market materials, but they should be treated as historical terminology, not as the current Slovak authorisation label for MiCA-regulated crypto-asset services.
The NBS process is a two-clock system: a statutory supervisory clock and a much longer preparation clock. Under the MiCA process framework, the authority reviews completeness within 25 working days and, once the file is complete, decides within 40 working days, with a possible extension of 20 working days. Those numbers are regulator review periods, not the total project duration. In practice, the slow part is usually before filing: perimeter scoping, governance design, source-of-funds evidence, drafting service descriptions, building AML and DORA documentation, and aligning outsourced vendors with a defensible control framework.
Define the exact services, client journey, custody logic, target markets, outsourcing model, and whether the filing is purely CASP or also touches issuer analysis. A pre-filing discussion reduces wrong-class filings and exposes documentation gaps early.
Prepare corporate, governance, AML/CFT, safeguarding, ICT/DORA, financial, and service-specific annexes. The dossier should explain how the business actually operates, not just what it plans to sell.
Once filed, the authority checks whether the package is complete and may request clarifications or missing items. Translation quality and internal consistency are frequent friction points.
NBS assesses management suitability, safeguarding, AML controls, financial soundness, outsourcing, ICT resilience, and whether the business model is coherent and controllable.
Authorisation is not the final milestone. The firm must operationalise reporting, complaints handling, Travel Rule workflows, incident escalation, reconciliations, and board-level oversight before scaling.
The file should read like one operating model, not like disconnected policy appendices.
| Document | Purpose | Owner |
|---|---|---|
| 3-year business plan | Shows service scope, target market, revenue logic, risk assumptions, and operational model | Management with compliance and finance input |
| Programme of operations / service description | Maps each requested MiCA service to actual workflows, counterparties, and controls | Legal and operations |
| Governance framework and organisational chart | Explains decision-making, reporting lines, conflicts management, and effective direction | Board / founders / legal |
| Fit and proper evidence pack | Supports suitability of directors, key function holders, and relevant owners | HR / legal / management |
| AML/CFT policy suite | Covers KYC, CDD, EDD, sanctions, monitoring, STR escalation, record retention, and training | MLRO / AML function |
| Safeguarding and client asset segregation framework | Explains wallet governance, reconciliations, access rights, and client asset protection | Operations / custody / compliance |
| ICT and DORA documentation | Evidences asset inventory, access control, incident response, BCP/DRP, vendor oversight, and logging | ICT/security owner |
| Financial evidence and capital proof | Shows prudential capital availability, source of funds, and financial sustainability | Finance / founders |
Minimum capital is a regulatory floor, not a business budget. Under MiCA, the key prudential thresholds are €50,000, €125,000, and €150,000 depending on the service class. Separately, a Slovak s.r.o. typically has its own company-law capital mechanics, which should not be confused with MiCA prudential capital. The practical launch budget is broader: legal drafting, translations, local substance, AML tooling, blockchain analytics, Travel Rule infrastructure, cloud security, external audit support, insurance analysis, and contingency for supervisory remediation all sit outside the headline capital number. A useful founder formula is: total launch budget = share capital + prudential capital + legal/compliance build + translations/notary + AML tooling + Travel Rule tooling + ICT/security setup + local substance + audit + contingency.
| Cost Bucket | Low Estimate | High Estimate | What Drives Cost |
|---|---|---|---|
| Prudential capital floor - Class 1 | €50,000 | €50,000 | Applies to lower-risk service classes under MiCA; exact class depends on requested services |
| Prudential capital floor - Class 2 | €125,000 | €125,000 | Relevant for broader execution, exchange, or platform-related service sets |
| Prudential capital floor - Class 3 | €150,000 | €150,000 | Highest MiCA capital tier for the most sensitive service combinations |
| Legal, regulatory drafting, and filing support | Variable | Variable | Depends on service complexity, issuer overlap, and number of annexes |
| AML stack and blockchain analytics | Variable | Variable | Usually includes onboarding/KYC, sanctions screening, transaction monitoring, and analytics |
| Travel Rule solution and integration | Variable | Variable | Often underestimated; includes counterparty messaging, IVMS101 mapping, and exception handling |
| ICT resilience and security controls | Variable | Variable | DORA makes asset inventory, access management, logging, incident response, and recovery testing non-optional |
| Local substance and ongoing governance | Variable | Variable | Board time, AML officer, compliance oversight, finance, audit, and local operational presence |
The most common budgeting error is to treat €50k / €125k / €150k as the total cost of entry. In reality, those are only prudential thresholds. A serious Slovak CASP launch is an operating model project, not just a capital deposit.
AML compliance in Slovakia is not absorbed by MiCA. A Slovak CASP must operate a combined AML/CFT + TFR framework that covers onboarding, sanctions, transaction monitoring, suspicious activity escalation, recordkeeping, and transfer traceability. Since 30 December 2024, the EU Transfer of Funds Regulation applies to transfers of crypto-assets, which means the firm must be able to collect, verify where required, transmit, receive, and retain originator and beneficiary information in a controlled workflow. The practical challenge is not only data capture. The hard part is operational interoperability: matching wallet addresses to customers, distinguishing hosted from unhosted wallets, screening both counterparties and blockchain exposure, handling missing or malformed data, and deciding when a transfer must be paused, rejected, escalated, or reported. This is why mature CASPs increasingly design Travel Rule operations around structured data standards such as IVMS101 and integrate them with sanctions screening, case management, and blockchain analytics.
| Workflow Step | Control | Owner |
|---|---|---|
| Customer initiates transfer | Identify customer, wallet context, transfer purpose, and risk score | Operations / AML |
| Determine transfer type | Classify hosted-to-hosted, hosted-to-unhosted, or inbound counterparty scenario | Operations / product |
| Collect required data | Capture originator and beneficiary data fields and structure them for transmission, often using IVMS101 mapping | AML / engineering |
| Screen parties and wallet exposure | Run sanctions, adverse media, and blockchain analytics checks before release where risk requires | AML |
| Transmit or receive Travel Rule data | Use integrated provider workflow or internal messaging architecture with exception handling | Engineering / AML |
| Approve, hold, or escalate | Apply rule-based and analyst review logic for incomplete data, sanctions hits, or suspicious patterns | AML / MLRO |
| Retain records and evidence | Store transfer data, screening results, analyst notes, and decision rationale for auditability | Compliance / records management |
MiCA is an EU market-access regime, so the Slovak question is not always whether to obtain a Slovak licence. If a firm is already authorised as a CASP in another EU Member State, it may be able to passport services into Slovakia subject to the MiCA notification framework. Conversely, a Slovak-authorised CASP can use MiCA passporting to access other EU markets. The operational point many teams miss is that passporting solves authorisation geography, not local execution readiness. Consumer disclosures, complaints handling, tax registrations, language strategy, AML calibration, and outsourcing oversight still need to work in the target market. Reverse solicitation should be treated cautiously and not as a scalable market-entry strategy.
Reverse solicitation is narrow and fact-sensitive. It is not a substitute for MiCA authorisation planning, and it becomes hard to defend where the firm markets actively, localises onboarding, or systematically targets Slovak clients.
The main enforcement risk in 2026 is not theoretical. Once the transition period has ended, a firm that performs in-scope crypto-asset services without valid authorisation or passporting exposes itself to supervisory action, banking friction, counterparty offboarding, AML escalation, and transaction-flow disruption. Enforcement risk is wider than formal fines. In practice, the first symptoms are often commercial: payment providers refuse onboarding, institutional clients require MiCA evidence, auditors raise going-concern or compliance flags, and Travel Rule counterparties reject transfers from non-credible operators. This is why a perimeter memo, governance file, and authorisation strategy are not paperwork luxuries but core risk controls.
Legal risk: Unauthorised regulated activity; supervisory and contractual exposure
Mitigation: Delay launch, narrow the service, or use a lawful authorised/passported structure
Legal risk: Misclassification of service perimeter and misleading compliance position
Mitigation: Run a documented functional analysis and redesign control points if needed
Legal risk: AML breaches, TFR failures, suspicious transfer exposure, FIU escalation
Mitigation: Implement live screening, data exchange, QA testing, and exception management
Legal risk: ICT control failure, incident response weakness, operational resilience gaps
Mitigation: Maintain outsourcing register, due diligence, SLAs, exit plans, and board oversight
Legal risk: Application delay, rejection, AML concerns, banking friction
Mitigation: Prepare traceable source-of-wealth and source-of-funds pack before filing
Legal risk: Issuer-rule breach, white paper issues, financial instruments perimeter risk
Mitigation: Run separate token classification and issuer analysis alongside CASP review
Tax analysis in Slovakia should be handled as a separate workstream from MiCA authorisation. The safe high-level position in 2026 is that tax treatment depends on the taxpayer profile, legal form, accounting classification, transaction type, and current Slovak law. Blanket statements such as ‘Slovakia crypto tax is X%’ are not reliable enough for a regulated market-entry decision. For a CASP, the practical tax questions usually include corporate income recognition on fees and spreads, VAT treatment of specific services, accounting for crypto holdings and liabilities, treatment of staking- or mining-related flows where relevant, transfer pricing for group structures, and the data architecture needed for future reporting obligations including DAC8 readiness. Finance and compliance teams should also align their books with operational records: wallet reconciliations, client asset segregation, treasury holdings, fee recognition, and disposal events must reconcile across accounting, compliance, and blockchain data.
| Topic | Why It Matters | Responsible Team |
|---|---|---|
| Corporate income tax on operating revenue | Exchange fees, custody fees, spreads, advisory fees, and treasury gains may be taxed differently depending on accounting treatment and entity profile | Finance / tax |
| VAT analysis | Some crypto-related services may require careful VAT treatment analysis in light of EU and Slovak rules; assumptions should not be copied from another jurisdiction | Tax / finance |
| Accounting classification of crypto holdings | Balance-sheet treatment affects valuation, impairment logic, revenue timing, and audit evidence | Finance / accounting |
| Client asset segregation versus proprietary assets | A CASP must be able to distinguish customer assets from house assets operationally and in records | Operations / finance / compliance |
| Staking, mining, lending, and rewards flows | These models can create separate tax timing and characterisation issues and should not be collapsed into generic trading treatment | Tax / legal |
| DAC8 data readiness | Future tax reporting obligations require structured customer, transaction, and jurisdictional data architecture | Tax / engineering / compliance |
First 90 days of serious preparation
Sequence these after the core perimeter, governance, and launch-control decisions are stable.
Open the key issues founders, compliance teams and legal leads usually need to confirm before launch.
Usually yes, if your business performs a regulated crypto-asset service and is not already covered by valid MiCA authorisation or lawful EU passporting. The key point in 2026 is that the MiCA transition window ended on 30 December 2025. A historical VASP-style setup is not, by itself, the current legal answer for ongoing CASP activity in Slovakia.
The main regulator for MiCA authorisation and supervision is the National Bank of Slovakia (NBS). AML/CFT reporting and suspicious transaction escalation also engage the Slovak Financial Intelligence Unit (FIU). At EU level, ESMA and EBA shape technical standards and supervisory convergence, so Slovak compliance must be read in an EU context, not only a domestic one.
The statutory supervisory timeline is typically 25 working days for completeness review and 40 working days for the decision after the file is complete, with a possible 20 working day extension. Those are regulator clocks, not total project duration. Preparation, drafting, translations, governance design, and remediation often take much longer than the formal review period.
MiCA prudential capital floors are €50,000, €125,000, or €150,000 depending on the class of crypto-asset services requested. The exact tier depends on the service mix. These thresholds should not be confused with company-law share capital or with the full launch budget, which also includes legal, AML, Travel Rule, ICT, and substance costs.
Yes, MiCA is designed to support EU passporting. A CASP authorised in another Member State may provide services into Slovakia through the MiCA notification framework. But passporting only solves the authorisation geography. The firm still needs operational readiness for Slovak clients, including AML calibration, disclosures, complaints handling, tax analysis, and local language or support considerations where relevant.
Not always. If a firm trades only on its own account and does not provide a crypto-asset service to third parties, it may fall outside the CASP perimeter. But the answer is highly fact-specific. Once the firm starts receiving client orders, routing execution, holding client assets, or otherwise acting as an intermediary, MiCA authorisation risk increases materially.
Some NFTs may fall outside MiCA, but there is no blanket NFT exemption that should be relied on without legal analysis. Supervisors look at the actual economic substance, fungibility, series structure, rights attached, and how the asset is marketed and used. If an NFT project is functionally close to a broader token issuance or trading model, perimeter risk increases.
Staking is not a single legal category. The answer depends on the structure: self-staking, delegated staking, custodial staking, reward distribution, and pooled models can raise different MiCA, AML, tax, and consumer-law issues. If the provider controls client assets, intermediates rewards, or packages staking as a managed service, a more detailed regulatory analysis is needed.
There is no safe one-line rule that can replace a substance assessment. The practical question is whether the business can show effective management, credible governance, local operational reality where required, and supervisory accessibility. NBS will care more about real substance, accountable management, and control functions than about a purely formal address with no operating depth.
The Travel Rule applies through TFR to transfers of crypto-assets and requires CASPs to collect, transmit, receive, and retain originator and beneficiary data in relevant scenarios. The operational challenge is strongest for hosted-versus-unhosted wallet flows, incomplete counterparty data, and sanctions exposure. Mature implementations use structured data standards such as IVMS101 together with screening, blockchain analytics, and exception management.
The risk is both regulatory and commercial. A firm may face supervisory action, AML escalation, banking refusal, counterparty offboarding, blocked integrations, and due-diligence failure with institutional clients. In 2026, after the transition period has ended, operating without valid authorisation, passporting, or a documented out-of-scope position is a high-risk strategy.
No. A CASP analysis and an issuer analysis are different workstreams. If your model includes token issuance, public offering, admission to trading, or a stable-value mechanism, you may also need to assess ART, EMT, or white paper obligations under MiCA. Exchange or custody authorisation does not automatically solve token-classification and issuer-rule questions.
The right first step is a perimeter and operating-model review, not a generic licence quote. In Slovakia, the difference between a clean CASP filing and a delayed one is usually the quality of service mapping, source-of-funds evidence, AML design, safeguarding logic, and DORA documentation.
