MiCA CASP vs VASP — Key Differences Explained 2026

Q: What is the difference between a VASP and a CASP?

A VASP (Virtual Asset Service Provider) is a designation from the FATF recommendations, implemented in the EU through the 5th and 6th Anti-Money Laundering Directives (AMLD5/6). VASPs were registered with national AML supervisors — a relatively light-touch regime focused primarily on AML/KYC compliance. A CASP (Crypto-Asset Service Provider) is an authorization under MiCA Regulation (EU) 2023/1114 — a full prudential and conduct-of-business authorization equivalent to a financial services license. CASPs must meet capital requirements, governance standards, consumer protection rules, DORA ICT obligations, and have full EU passporting rights.

Q: Is a VASP registration still valid in 2026?

In most EU member states, no. The MiCA transitional period for existing VASPs ended on December 30, 2025. From January 1, 2026, businesses providing crypto-asset services in the EU must hold a MiCA CASP authorization — not just a VASP registration. Member states had the option to grant transitional grandfathering until July 1, 2026, but this was optional and not all jurisdictions implemented it. Businesses operating without a CASP authorization after December 30, 2025 risk NCA enforcement action.

Q: Do CASPs have EU passporting rights that VASPs did not have?

Yes. This is one of the key benefits of CASP authorization. VASP registrations were purely national — a Lithuanian VASP registration only permitted activities in Lithuania. A MiCA CASP authorization grants the right to passport services to all 26 other EU/EEA member states by submitting a notification to ESMA and the host state NCA. Passporting notifications take 10–15 business days and there is no additional full authorization required in each host state.

What Was the VASP Framework?

The Virtual Asset Service Provider (VASP) designation originated with the Financial Action Task Force (FATF) Recommendation 15, updated in 2018 and 2019. FATF defined VASPs as businesses providing exchange services between virtual assets and fiat currencies, transfers of virtual assets, safekeeping and administration, and participation in financial services related to issuance or sale of virtual assets.

In the EU, VASP obligations were implemented through the 5th Anti-Money Laundering Directive (AMLD5, 2020) and tightened under AMLD6. Under AMLD5, EU member states were required to create national VASP registration regimes, impose AML/KYC requirements on VASPs, and subject them to AML supervision by national Financial Intelligence Units (FIUs) or AML supervisors.

The critical feature of the VASP regime was its narrow scope: VASP registration required compliance with anti-money laundering rules. It did not impose capital requirements, governance standards, conduct-of-business rules, consumer protection obligations, or prudential oversight. Registering as a VASP was comparable to registering a business with AML obligations — not obtaining a financial services license.

National VASP regimes varied enormously across the EU. Estonia's FIU issued thousands of VASP licenses between 2017 and 2022. Lithuania's FNTT had a different process. Germany required crypto custody providers to hold a BaFin license under §1 KWG. The absence of EU harmonization was precisely the problem MiCA was designed to solve.

What Is MiCA CASP Authorization?

A Crypto-Asset Service Provider (CASP) under MiCA Regulation (EU) 2023/1114 holds a full financial services authorization — not merely a registration. MiCA treats CASPs as a new category of regulated financial entity, applying a framework broadly comparable to investment firm regulation under MiFID II.

MiCA Art. 3(1)(16) defines CASP as "any legal person or other undertaking whose occupation or business is the professional provision of one or more crypto-asset services to clients." The 10 defined crypto-asset services under MiCA Art. 3(1)(17) include:

Custody and administration of crypto-assets on behalf of clients
Operation of a trading platform for crypto-assets
Exchange of crypto-assets for funds or for other crypto-assets
Execution of orders for crypto-assets on behalf of clients
Placing of crypto-assets
Reception and transmission of orders for crypto-assets on behalf of clients
Providing advice on crypto-assets
Providing portfolio management of crypto-assets
Providing transfer services for crypto-assets on behalf of clients

CASP authorization is granted by the national competent authority (NCA) of the EU member state where the applicant has its registered office. Once authorized, the CASP is listed in ESMA's public CASP register and may passport its services across all EU/EEA member states.

CASP vs VASP — Key Differences

The table below summarizes the principal regulatory differences between the pre-MiCA VASP regime and MiCA CASP authorization:

Dimension	VASP (AMLD5/National)	CASP (MiCA)
Legal basis	FATF Rec. 15 / AMLD5 / National law	MiCA Reg. (EU) 2023/1114
Type of clearance	Registration (AML supervisor)	Authorization (prudential NCA)
Capital requirement	None (in most jurisdictions)	€50,000–€150,000 minimum own funds
Governance requirements	Minimal (UBO disclosure, AML officer)	Full fit-and-proper for all directors, detailed governance framework
AML obligations	Full AMLD AML/KYC compliance	Full AMLD AML/KYC compliance (same or more)
Consumer protection	None specific	Best execution, complaints handling, conflict of interest, client asset safeguarding
ICT / cyber requirements	None specific	DORA ICT risk management framework mandatory
Whitepaper obligations	None	Required for certain crypto-asset issuances (Art. 4–15 MiCA)
EU passporting	None — national only	Full EU passporting to all 27 member states
Supervisory body	National FIU / AML supervisor	National NCA (financial regulator) + ESMA oversight
Ongoing reporting	Suspicious transaction reports, annual AML compliance report	Periodic NCA reporting, ESMA register maintenance, capital adequacy reporting

New Obligations Under MiCA CASP Not Required From VASPs

Capital Adequacy

The most fundamental new requirement under MiCA is minimum capital. Former VASPs that operated with €2 share capital (e.g., Estonian OÜ) must now hold €50,000–€150,000 in own funds — a genuine financial buffer. Capital must be maintained on an ongoing basis and reported to the NCA. Shortfalls require immediate remediation.

DORA ICT Risk Management

The Digital Operational Resilience Act (DORA, Regulation EU 2022/2554) applies to all CASPs as "financial entities" from January 17, 2025. VASPs had no comparable ICT security mandate. CASPs must maintain an ICT risk management framework, classify and report ICT incidents, conduct penetration testing, and maintain a register of third-party ICT service providers. This adds €10,000–€25,000 in annual compliance overhead.

Consumer Protection and Conduct Rules

MiCA Title V (Arts. 66–89) imposes comprehensive conduct-of-business obligations on CASPs: acting honestly and fairly, providing clear disclosures, best execution for client orders, complaints handling with defined timelines, conflict of interest identification and management, and safeguarding of client assets in segregated accounts. None of these obligations existed under VASP registration.

Fit-and-Proper Requirements

MiCA Art. 68 requires all members of the management body and key function holders to be fit and proper. This means documented professional experience in financial services, criminal record clearance (apostilled), financial integrity declarations, and NCA approval. Many VASP regimes accepted nominal directors with minimal financial background.

EU Passporting — The Key New Benefit

While CASP imposes more obligations, it also delivers a significant commercial benefit that VASPs never had: EU-wide passporting. A CASP authorized in Lithuania can serve clients in Germany, France, Spain, and all other EU member states without a separate local authorization. This is a genuinely transformative change for businesses that were previously forced to either operate in a single market or navigate 27 separate national licensing regimes.

VASP to CASP Transition — What Happened and What's Next

MiCA's transition provisions (Art. 143) allowed existing VASPs registered under pre-MiCA national regimes to continue operating without a CASP authorization during a transitional grandfathering period. The key dates:

June 29, 2023: MiCA published in the Official Journal of the EU
June 30, 2024: MiCA Title III and IV (stablecoin rules) entered into force
December 30, 2024: MiCA Title V (CASP rules) entered into force — CASP authorization applications began
December 30, 2025: Grandfathering period ended. Member states could optionally extend transitional period for previously VASP-registered firms up to 18 months from December 30, 2024 (i.e., until June 30, 2026)

As of early 2026, the position varies by member state. Lithuania implemented a grandfathering period allowing registered VASPs to continue operating while applying for CASP authorization, but required CASP applications to be filed by December 30, 2025 to benefit from this. Estonia took a stricter approach — the FSA had largely wound down the pre-MiCA VASP registry and required CASP applications. Poland's KNF did not operate a formal pre-MiCA VASP registration, so Polish businesses are applying fresh for CASP.

Operating Without a CASP in 2026? Act Immediately

If you are providing crypto-asset services to EU clients without a CASP authorization in 2026, you are operating in breach of MiCA. NCAs are actively monitoring and the risk of enforcement action — including public warnings and activity bans — is real. Contact us immediately to assess your options for urgent authorization or market exit.

For businesses still in the transition process, the path forward is: (1) assess whether grandfathering still applies in your specific member state, (2) immediately file a CASP application if not already submitted, and (3) ensure your operations are fully documented so that the NCA review process is not delayed. See our full VASP-to-CASP transition guide for jurisdiction-specific details.

Frequently Asked Questions

What is the difference between a VASP and a CASP?

A VASP (Virtual Asset Service Provider) was a designation from FATF/AMLD5 — a registration focused on AML/KYC compliance with no capital requirements or EU passporting. A CASP (Crypto-Asset Service Provider) under MiCA is a full financial services authorization requiring €50,000–€150,000 capital, governance standards, consumer protection rules, DORA ICT compliance, and carrying EU passporting rights across all 27 EU member states.

Is a VASP registration still valid in 2026?

In most EU member states, no. The MiCA transitional grandfathering period for existing VASPs ended on December 30, 2025. From 2026, businesses providing crypto-asset services in the EU must hold a MiCA CASP authorization. Some member states offered an optional extension to June 30, 2026 for VASPs that filed CASP applications before December 30, 2025. Businesses operating without CASP authorization risk NCA enforcement action.

What new obligations does MiCA CASP add compared to VASP?

MiCA CASP adds substantially more obligations than the VASP regime: (1) Minimum capital requirements of €50,000–€150,000, (2) Fit-and-proper requirements for all directors, (3) Consumer protection rules — best execution, complaints handling, conflicts of interest, (4) Client asset safeguarding in segregated accounts, (5) DORA ICT risk management framework, (6) Ongoing NCA supervisory reporting. The key new benefit is EU passporting to all 27 member states.

Do CASPs have EU passporting rights that VASPs did not have?

Yes. VASP registrations were purely national — a Lithuanian VASP registration only permitted activities in Lithuania. A MiCA CASP authorization grants the right to passport services to all 26 other EU/EEA member states by submitting a passporting notification to ESMA and the host state NCA. Passporting notifications take 10–15 business days and require no additional full authorization in each host state — a fundamental improvement for businesses serving EU-wide clients.