How to Get a Crypto License in Europe — Step-by-Step Guide 2026

The first question is whether your business activities require a MiCA CASP authorization. Under MiCA Art. 3(1)(16), authorization is required if you provide any of 10 defined crypto-asset services to EU clients on a professional basis:

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets
• Exchange of crypto-assets for funds (fiat) or for other crypto-assets
• Execution of orders for crypto-assets on behalf of clients
• Placing of crypto-assets (primary market services)
• Reception and transmission of orders for crypto-assets on behalf of clients
• Providing advice on crypto-assets
• Providing portfolio management of crypto-assets
• Providing transfer services for crypto-assets

If your services fall outside these categories — for example, purely internal treasury management, non-custodial software development, or services exclusively to non-EU clients — a CASP license may not be required. Our MiCA scope analysis service provides a definitive legal opinion for your specific business model.

Jurisdiction selection is one of the most commercially significant decisions in the CASP process. All EU authorizations carry identical MiCA rights — including EU passporting — but differ significantly on cost, timeline, tax, and regulatory culture. Key criteria to evaluate:

• Government fee: €500–€2,000 (Bulgaria) to €15,000–€30,000 (Germany)
• Authorization timeline: 3–4 months (Bulgaria, Lithuania) to 6–12 months (Germany)
• Corporate tax: 10% (Bulgaria) to 30% (Germany statutory rate)
• Regulatory reputation: BaFin and CBI rank highest for credibility; FSA Estonia and Bank of Lithuania for fintech-friendliness
• Operating costs: Sofia and Vilnius 40–60% below Frankfurt or Dublin
• English-language process: Lithuania, Estonia, Malta, Cyprus, Ireland all process applications in English
• Ecosystem: Lithuania hosts 1,000+ licensed entities; a well-developed fintech infrastructure

For most businesses, our full jurisdiction comparison guide recommends Lithuania for ecosystem access, Bulgaria for minimum cost, Estonia for credibility in the mid-tier, and Germany or Ireland for specific market-access needs.

MiCA requires CASP authorization to be held by a legal person established in the EU. The entity must have a genuine registered office and demonstrable business substance in the jurisdiction. Foreign branches or holding structures without a local operating entity are not eligible. Common entity types by jurisdiction:

• Poland: sp. z o.o. (spółka z ograniczoną odpowiedzialnością) — LLC, minimum PLN 5,000 share capital
• Estonia: OÜ (osaühing) — private limited company, minimum €2,500 share capital
• Lithuania: UAB (uždaroji akcinė bendrovė) — private limited company, minimum €2,500 share capital
• Germany: GmbH (Gesellschaft mit beschränkter Haftung) — minimum €25,000 share capital
• Malta / Cyprus / Ireland: Ltd (private limited company) — minimum €1,165 (Malta), €1 (Cyprus), €1 (Ireland)
• Bulgaria: OOD (Дружество с ограничена отговорност) or EOOD — minimum BGN 2 (approx. €1)

Entity formation typically takes 1–4 weeks depending on jurisdiction. All entities require a registered office address — not a virtual office — and at least one director with genuine connection to the business.

Documentation preparation is the most time-consuming phase — typically 4–8 weeks with professional assistance. A complete MiCA CASP application package includes:

Core Required Documents

• AML/KYC Program: Full anti-money laundering policy, KYC procedures, beneficial ownership verification, transaction monitoring rules, PEP screening, MLRO appointment letter, and reporting procedures. Must comply with EU AML Directive 6AMLD and national implementing legislation.
• Business Plan: 3-year financial projections, revenue model, target market analysis, service description mapped to MiCA CASP service categories, and risk assessment.
• IT Security & DORA Documentation: ICT risk management framework, business continuity plan, ICT incident classification and response procedures, third-party ICT service provider register, and penetration testing evidence.
• Capital Proof: Bank statements or auditor confirmation showing minimum own funds available (€50,000–€150,000 depending on service class). Capital must be present at application — not promised or anticipated.
• Fit-and-Proper Dossiers: CV, educational diplomas, criminal record certificates (apostilled from country of issue), financial integrity declarations, and references for each director and key function holder.
• Governance Documentation: Board structure, internal controls description, conflict of interest policy, remuneration policy, and outsourcing arrangements.
• Client Asset Safeguarding: Segregation arrangements, custodian agreements (if applicable), and insurance policies.
• Complaints Handling Procedures: Client complaint escalation process, timelines, and NCA reporting obligations.

The CASP authorization application is filed with the national competent authority of your chosen jurisdiction. Most NCAs now accept applications through dedicated online portals or via email submission, with hard copies required only for certain documents (criminal record certificates, apostilles). The application form typically requires:

• Identification of the applicant legal entity (company registration, articles of association)
• Description of intended CASP services (mapped to MiCA Art. 3 service categories)
• Ownership structure and UBO declarations
• All supporting documentation from Step 4
• Application fee payment (varies by NCA: €500–€30,000)

Applications must be complete and accurate at submission. Intentional omissions or material errors can result in rejection or — after authorization — revocation. Our specialists review all applications before submission to eliminate completeness issues.

Under MiCA Art. 63, the NCA performs a 40-business-day initial completeness assessment from the date of receiving the application. If the application is incomplete, the NCA notifies the applicant and the clock restarts only when the missing information is received.

Following the completeness assessment, the NCA has 40 additional working days to assess the application and make a determination. The NCA may request additional information during this period — each information request pauses the clock until the response is received. In practice, total NCA review time (from complete application to decision) ranges from:

• Lithuania (Bank of Lithuania): 2–4 months from complete application
• Estonia (FSA): 3–6 months (more thorough review)
• Bulgaria (FSC): 2–3 months from complete application
• Germany (BaFin): 6–12 months (most detailed review)

Upon approval, the NCA issues the CASP authorization decision in writing, specifying which MiCA Art. 3 services have been authorized. The authorized CASP is entered into the ESMA public register of CASPs — publicly accessible at esma.europa.eu — and may immediately begin providing authorized services.

The authorization letter specifies any conditions or limitations attached to the authorization. If you applied for multiple service types, the NCA may grant authorization for some but not all requested services — requiring a separate application or amendment for the remaining services.

From the date of authorization, EU passporting rights are immediately available. Your entity may notify its home NCA of intent to passport into other EU member states and commence cross-border services within 10 working days.

CASP authorization is not a one-time event — it creates ongoing compliance obligations that must be maintained continuously:

• Capital adequacy: Minimum own funds must be maintained at all times, with quarterly monitoring and immediate NCA notification of any breach.
• AML monitoring: Continuous transaction monitoring, annual AML risk assessment updates, MLRO activity reports, and suspicious transaction reporting to the national financial intelligence unit.
• DORA ICT compliance: Annual ICT risk assessment, incident reporting to NCA within 4 hours of major incidents, annual penetration testing, and TLPT (threat-led penetration testing) for larger CASPs.
• Annual reporting: Annual reports to the NCA covering financial statements, client asset reconciliation, complaints received, and compliance officer's annual report.
• Material changes: Significant changes to business model, ownership structure, directors, or service scope require prior NCA notification or approval.
• Passporting notifications: Each new member state requires a formal passporting notification before services commence.

Our ongoing compliance support packages cover all post-authorization obligations, including annual NCA filings, AML program updates, and DORA ICT monitoring.

Total cost of CASP authorization varies significantly by jurisdiction. The following represents typical ranges for a standard single-service CASP application with professional assistance:

• Incomplete AML program: Missing MLRO appointment, inadequate transaction monitoring, or no PEP screening policy. AML gaps are the most common reason for NCA information requests.
• Capital not available at application: Capital must be in the entity's bank account and verifiable at the time of filing — not committed but pending transfer.
• Weak business plan: Unrealistic financial projections or vague revenue models raise NCA concern about viability. Projections should be conservative and clearly tied to the CASP service model.
• Director fit-and-proper gaps: Missing apostilled criminal record certificates, incomplete CVs, or directors with no financial services experience. NCAs require full professional histories for all directors.
• DORA compliance gaps: Many 2025 applicants underestimate DORA's ICT requirements. A documented ICT risk register and third-party service provider inventory are required at application stage.
• Wrong service classification: Applying for CASP service types that don't match the actual business model — NCAs will query discrepancies and may request a revised application.