MiCA License in Finland 2026

MiCA vs old Finnish VASP regime: what changed

The old Finnish regime was built around the Act on Virtual Currency Providers (572/2019). That framework mattered before MiCA because it created a national registration and supervision model for certain virtual currency activities in Finland. The problem for growth-stage founders was fragmentation: a national setup did not equal a harmonized EU authorization.

MiCA changed the center of gravity. Since the CASP regime has applied from 30 December 2024, the operative question for most new businesses is no longer “How do I get a Finnish VASP registration?” but “Does my business model require CASP authorization in Finland, and is Finland the right home state for EU passporting?”

Transition analysis still matters for legacy firms because transitional treatment depends on national implementation and the provider’s status before MiCA. But for new entrants in 2026, the baseline route is MiCA/CASP. This distinction is commercially important: founders who build the wrong legal perimeter often overinvest in company setup before confirming whether they need MiCA, MiFID II, an EMI/PI overlay, or a different jurisdiction.

At RUE, we usually treat VASP vs CASP as a scoping issue first and a filing issue second. That saves time because the application package, capital logic, and staffing plan all depend on the right perimeter from the outset.

Which business models need a Finland MiCA license

A Finland MiCA license is generally relevant if your company provides one or more regulated crypto-asset services in or from Finland. The service list is broader than “exchange and wallet.” Under MiCA, the perimeter can include:

• custody and administration of crypto-assets on behalf of clients;
• operation of a trading platform for crypto-assets;
• exchange of crypto-assets for funds;
• exchange of crypto-assets for other crypto-assets;
• execution of orders on behalf of clients;
• placing of crypto-assets;
• reception and transmission of orders;
• providing advice on crypto-assets;
• portfolio management on crypto-assets;
• transfer services for crypto-assets on behalf of clients.

The practical point is that two businesses may both call themselves “exchange platforms” while sitting in different regulatory buckets. For example, an OTC broker with no custody, a custodial exchange with fiat rails, and a platform operator matching third-party orders each create different governance, capital, and operational expectations.

A nuance many pages miss: token issuance and token service provision are not the same thing. If you issue or offer an ART or EMT, you may be in an issuer regime that is stricter than ordinary CASP authorization. If your token is actually a financial instrument, MiCA may not be the right route at all.

What a MiCA license in Finland covers and what it does not cover

MiCA covers crypto-asset services and certain crypto-asset issuance models, but it does not cover every token, every platform, or every blockchain business. This is the most important perimeter point for founders comparing a CASP license Finland route with other regulatory options.

MiCA is designed for crypto-assets that are not already captured by existing EU financial-services law. If your token qualifies as a financial instrument, the relevant perimeter may move outside MiCA and into MiFID II and related securities rules. That is why “security token under MiCA” is usually the wrong shorthand. The legal answer depends on classification, rights attached to the token, transferability, governance features, and the economic substance of the arrangement.

MiCA also does not magically solve adjacent regimes. A crypto business in Finland may still need to comply with:

• AML/CFT requirements under Finnish and EU AML rules;
• Travel Rule obligations under Regulation (EU) 2023/1113;
• DORA for ICT risk and operational resilience;
• GDPR for customer data and KYC processing;
• tax, consumer law, marketing law, and outsourcing requirements.

Stablecoins require special care. Rules for ARTs and EMTs have applied since 30 June 2024, and they are not just “ordinary crypto.” Reserve composition, redemption rights, white paper obligations, governance, and prudential expectations can be materially stricter than those for a standard CASP. If your model involves issuance, treasury management, or client-facing stablecoin products, the analysis should be done before the CASP filing strategy is fixed.

Another nuance: not every “DeFi” or NFT project is outside MiCA, and not every one is inside it. The legal result depends on whether there is an identifiable issuer, service provider, or intermediary function. Labels are less important than operational reality. In regulator conversations, the question is usually not “Do you call it DeFi?” but “Who controls the service, who profits from it, who interfaces with clients, and who can change the protocol or access layer?”

For deeper topic-specific analysis, founders often review MiCA regulation for Decentralised Finance, MiCA regulation for NFT, MiCA regulation for EMT, and MiCA regulation for ART alongside the Finland licensing route.

Documents required for a MiCA license application in Finland

A regulator-grade Finland CASP dossier usually includes corporate documents, governance disclosures, a programme of operations, a full policy suite, financial projections, and technical/operational evidence. The exact file list depends on the business model, but founders should expect a substantial application package rather than a short form.

Core corporate and governance package:

• incorporation documents and PRH registration extracts;
• ownership chart, shareholder disclosures, and UBO mapping;
• source-of-funds and source-of-wealth evidence where relevant;
• board and senior management CVs;
• fit-and-proper questionnaires and supporting evidence;
• organizational chart and responsibility map.

Operational and prudential package:

• programme of operations describing each regulated service;
• business model narrative and customer journey;
• capital calculation and own-funds evidence;
• 3-year financial projections with assumptions;
• safeguarding model and reconciliation logic;
• outsourcing register and vendor governance framework;
• wind-down plan and continuity arrangements.

Policies and procedures package:

• AML/CFT policy and business-wide risk assessment;
• KYC/KYB procedures and sanctions controls;
• Travel Rule operating procedure;
• complaints handling policy;
• conflicts-of-interest policy;
• market abuse monitoring arrangements where relevant;
• ICT security, incident response, business continuity, and access-control policies;
• outsourcing and third-party risk policy;
• marketing approval and disclosure controls.

A practical nuance many applicants miss: the regulator often tests whether your documents are internally synchronized. If the AML policy says you will onboard retail clients across the EEA, but the business plan speaks only about institutional clients and the support model has no multilingual capability, the file looks unreliable. Consistency is a licensing asset.

RUE regularly prepares these materials together with MiCA application compliance documents, governance packs, and operational annexes so the dossier reads as one controlled submission rather than a patchwork.

Finland as a home state for MiCA passporting

Finland is a strong home state for founders who value regulatory credibility, governance quality, and institutional optics more than the absolute lowest-cost setup. That makes it attractive for custody-heavy, security-sensitive, and compliance-first business models.

When Finland is a strong choice:

• you want a Nordic jurisdiction with serious supervisory optics;
• your business model is institutional-facing or enterprise-facing;
• you expect partners, banks, or investors to examine governance quality closely;
• you are prepared to build real substance rather than a minimal shell;
• your model depends on strong safeguarding and ICT controls.

When another jurisdiction may be more practical:

• you prioritize speed and lower setup cost above reputational positioning;
• your model is lean, advisory-only, or early-stage and substance-light;
• you need a jurisdiction with a denser local crypto service-provider ecosystem;
• you are not ready to support a governance-heavy operating model.

The passporting benefit is the same in principle across MiCA jurisdictions: one home-state authorization can support cross-border EU activity. The difference is not the passport itself but the cost profile, regulator style, banking optics, staffing market, and expected substance. That is why jurisdiction selection should be a strategy decision, not just a filing decision.

For comparative planning, founders often review MiCA in Lithuania, MiCA Licence in Malta, MiCA Licence in Germany, and MiCA Licence in Netherlands before choosing the Finland route.