MiCA Regulation (EU) 2023/1114 — In force since December 2024
VASP→CASP Transition Deadline: 1 July 2026
Offices in Düsseldorf · Vilnius · Tallinn
Free Initial Consultation
Crypto License Europe MiCA CASP Authorization
Get Free Consultation
MiCA Art. 70 · Class 3 CASP · €125,000–€150,000 Capital

Crypto Custody License EU — MiCA CASP Authorization Guide 2026

Digital vault representing EU crypto custody authorization under MiCA Article 70 — secure key management and client asset safeguarding

Holding client crypto-assets in custody anywhere in the European Union requires a MiCA CASP authorization specifically covering custody and administration of crypto-assets under MiCA Article 70. This applies to exchanges offering hosted wallets, dedicated institutional custodians, and any business that controls client private keys on an ongoing basis. The minimum own funds requirement is €125,000–€150,000, authorization takes 4–7 months, and a single EU custody license enables you to provide custodial services to clients across all 27 member states. Technical requirements — cold storage segregation, HSM key management, insurance coverage, and DORA resilience — are more demanding for custody than for other CASP service types. The best jurisdictions for institutional custody are Luxembourg, Ireland, Lithuania, and Estonia. This guide covers everything you need to obtain your EU crypto custody license under MiCA.

Get Your Custody License — Free Consultation View MiCA Art. 70 Requirements ↓
MiCA Framework

What is a MiCA Crypto Custody License?

A MiCA crypto custody license is a CASP authorization granted by a National Competent Authority (NCA) under MiCA Regulation (EU) 2023/1114, covering the service defined in MiCA Article 70: custody and administration of crypto-assets on behalf of clients. This includes safeguarding private keys or other means of access to clients' crypto-assets, holding crypto-assets in segregated wallets, and performing related administrative services such as settlement, staking, or governance participation on behalf of clients.

A custody license is required whenever a business controls access to a client's crypto-assets on an ongoing basis. It is distinct from merely transferring crypto-assets — a transfer is a one-time operation, whereas custody is an ongoing holding relationship. The defining characteristic is the custodian's ability to access or move client funds using private keys or equivalent means without the client's direct involvement at the transaction level.

Who Needs a Crypto Custody License?

  • Centralized exchanges offering hosted (custodial) wallets to clients — separate custody authorization is required alongside exchange authorization
  • Institutional custodians safeguarding Bitcoin, Ether, or other crypto-assets for hedge funds, family offices, and asset managers
  • Dedicated custody-only businesses providing safekeeping without trading services
  • Crypto prime brokers holding client crypto collateral for lending or derivatives positions
  • Staking service providers that stake client crypto-assets and manage validator keys on behalf of clients
  • Tokenized asset platforms that issue and hold tokenized securities or real-world assets on behalf of investors
MiCA Article 70

MiCA Art. 70 Requirements

MiCA Article 70 sets out specific obligations for CASPs providing custody and administration of crypto-assets. These go beyond the general CASP requirements (AML, DORA, capital) and impose custodian-specific safeguards:

🔒
Client Asset Segregation
Client crypto-assets must be held separately from the custodian's own assets at all times. Each client must have individual sub-accounts or wallet addresses clearly attributable to their holdings. Commingling of client assets with firm assets is prohibited under MiCA Art. 70(3).
🗝️
Key Management Standards
Private keys must be secured using institutional-grade technology: Hardware Security Modules (HSMs), Multi-Party Computation (MPC) key management, or equivalent. Cold storage (offline keys) must be used for a significant portion of assets under custody, with multi-signature authorization for hot wallet transactions.
📝
Client Agreement Requirements
Custodians must enter into a written agreement with each client specifying the crypto-assets held, key management procedures, liability arrangements, fee structure, and procedures for returning assets on termination. The agreement must be provided before services commence.
📊
Regular Client Statements
Custodians must provide clients with regular account statements showing all crypto-assets held on their behalf, their current value, and any transactions processed during the period. Statement frequency requirements vary by NCA but quarterly is standard; institutional clients typically require monthly statements.
🛡️
Insurance or Own Funds Coverage
Under MiCA Art. 70(2), custodians must hold either a professional indemnity insurance policy or additional own funds sufficient to cover potential losses from key loss, cyber incidents, or professional negligence. Insurance must be from an EU-regulated insurer and reviewed at least annually.
⚖️
Liability Regime
Under MiCA Art. 70(5), custodians are liable to clients for the loss of crypto-assets resulting from a malfunction or from fraud, negligence, or willful misconduct of the CASP or a third party to whom custody has been outsourced. The liability cannot be excluded by contract.
MiCA Art. 70: Strict Liability for Custodians

Unlike most financial service providers, MiCA custodians face strict liability for loss of client assets caused by cyber incidents, key loss, or operational failures — even when caused by outsourced technology providers. This makes robust key management, insurance coverage, and DORA resilience not just regulatory requirements but essential risk management tools. Our team helps custodians design compliant key management frameworks from the ground up.

MiCA Article 67

Capital Requirements — €125,000–€150,000

Crypto custody falls under MiCA Article 67(1)(c) — the Class 3 tier — placing it at the highest capital level alongside trading platform operations. This reflects the significant risk to client assets that custody services involve:

CASP Class Service Types Covered Min. Own Funds MiCA Reference
Class 1 Advice; Reception & transmission; Execution; Placing €50,000 Art. 67(1)(a)
Class 2 Exchange for fiat/crypto; Portfolio management; Transfer services €125,000 Art. 67(1)(b)
Class 3 Custody & administration; Operation of trading platform €150,000 Art. 67(1)(c)

In practice, NCA guidance and ESMA technical standards have clarified that standalone custody-only CASPs (not combining with exchange services) may be assessed at the €125,000 level by some NCAs — confirm this at pre-application stage with your target NCA. Custodians combining custody (Art. 70) with exchange services (Art. 5) or trading platform operation always require the full €150,000 Class 3 level.

Additionally, under MiCA Art. 67(2), own funds must be at least one-quarter of the fixed overheads of the preceding year. For institutional custodians managing significant assets under custody (AUC), NCAs may also require capital scaled to AUC as a prudential buffer — particularly in Luxembourg and Ireland, where supervisory expectations for institutional custodians are well-developed.

Technical & Operational Requirements

Technical Requirements for MiCA Custody

MiCA custody authorization imposes more demanding technical requirements than other CASP service types, reflecting the direct responsibility custodians hold for client assets. NCAs scrutinize technical architecture in detail during the authorization review:

🧊
Cold/Hot Wallet Architecture
A documented cold storage policy specifying what percentage of AUC must be held in offline (air-gapped) cold storage. Most NCAs expect 90–95% of assets in cold storage. Hot wallets must use multi-signature authorization (e.g., 3-of-5 multisig) and have daily transaction limits. Cold-to-hot transfers must follow a documented authorization protocol.
🔑
HSM / MPC Key Management
Private keys must be generated and stored in Hardware Security Modules (HSMs) meeting FIPS 140-2 Level 3 or equivalent standards, or using Multi-Party Computation (MPC) technology that eliminates single points of key compromise. Key ceremony documentation and audit trails are required for authorization applications.
🔄
Disaster Recovery & Key Backup
Documented key backup and recovery procedures covering: geographically distributed key material backup, multi-person authorization for recovery operations, recovery testing frequency, and procedures for returning client assets in the event of custodian insolvency or operational failure. NCAs require evidence of successful recovery testing.
📡
DORA ICT Resilience
Full Digital Operational Resilience Act (DORA) compliance: ICT risk management framework, ICT-related incident classification and reporting to the NCA, digital operational resilience testing plan (including penetration testing), and management of critical ICT third-party providers (cloud, HSM vendors, blockchain nodes).
🔍
Blockchain Analytics
Integration with blockchain analytics tools (e.g., Chainalysis, Elliptic, TRM Labs) for transaction screening, sanctions checking, and AML monitoring. NCAs expect custodians to screen incoming deposits for high-risk wallet associations and to implement Travel Rule compliance for all outgoing transfers above €1,000.
🛡️
Cybersecurity Framework
Documented cybersecurity policy covering network segmentation, access controls, privileged access management (PAM), endpoint detection and response (EDR), penetration testing frequency, and incident response procedures. Many NCAs require evidence of third-party cybersecurity assessment as part of the CASP application.
Jurisdiction Comparison 2026

Best EU Jurisdictions for Custody

The best custody jurisdiction depends heavily on whether you are serving retail or institutional clients. Institutional custody requires different regulatory credibility, fund-industry connectivity, and supervisory sophistication compared to retail custody operations:

Jurisdiction Regulator Timeline Gov. Fee Institutional Focus Best For
🇱🇺 Luxembourg INSTITUTIONAL CSSF 5–8 months €3,000–€8,000 Very High Fund custody, EuVECA/AIFMD clients, family offices
🇮🇪 Ireland Central Bank of Ireland 5–8 months €5,000–€15,000 High UK-adjacent institutional clients, UCITS fund custody
🇱🇹 Lithuania Bank of Lithuania 4–6 months €1,000–€2,000 Medium Cost-efficient custody for retail and SME clients
🇪🇪 Estonia FSA (Finantsinspektsioon) 3–5 months €1,000–€3,300 Medium Fastest authorization, tech-first custody operations

Luxembourg's CSSF is the preferred regulator for institutional crypto custodians because Luxembourg is the EU's largest investment fund domicile — home to UCITS, AIFs, EuVECA, and EuSEF funds that need crypto custody services. A Luxembourg CASP custody license creates natural synergies with fund clients that already use Luxembourg-domiciled administrators, depositaries, and auditors. For institutional custodians, see our guide on Luxembourg CASP License. For faster, cost-efficient custody authorization, see Estonia or Lithuania.

Step-by-Step

Application Process — 5 Steps to Your EU Custody License

1
Custody Model Analysis & Jurisdiction Selection
We assess your custody model — retail, institutional, or hybrid; custody-only or combined with exchange services — and map it to MiCA Art. 70 requirements. We identify the required capital level, insurance requirements, and technical standards for your target NCA. We select the optimal EU jurisdiction based on your client profile, timeline, and budget. Timeline: 1 week.
2
EU Entity Formation
We establish the legal entity in the chosen jurisdiction — Luxembourg SA, Irish Limited, Lithuanian UAB, or Estonian OÜ — with registered office, genuine substance, local bank account, and corporate structure appropriate for a regulated custodian. For institutional custodians, we advise on board composition and qualifying shareholder fit & proper assessments. Timeline: 2–4 weeks.
3
Technical Architecture Review & Documentation
We work with your technology team to document the custody technology stack: HSM/MPC key management architecture, cold/hot wallet policy, key ceremony procedures, disaster recovery plan, and blockchain analytics integration. We prepare the technical systems description required by the NCA as a core part of the custody application. Timeline: 3–6 weeks concurrent with Step 4.
4
Full Compliance Documentation Package
We prepare the complete CASP custody application: business plan with AUC projections, AML/KYC program with Travel Rule implementation, DORA ICT risk management framework, client asset segregation policy, client agreement template, insurance policy or own funds confirmation, and fit & proper documentation for all directors and key function holders. Timeline: 4–8 weeks.
5
NCA Submission, Review & Authorization
We submit the complete application to the NCA and manage the statutory review process — up to 65 working days under MiCA Art. 63 once the application is deemed complete. We respond to all NCA information requests, coordinate with the regulator on technical questions, and manage the authorization decision and ESMA register listing. Upon authorization, we activate EU passporting for your target member states. Timeline: 65 working days statutory + 2 weeks post-authorization setup.
Frequently Asked Questions

Crypto Custody License EU — FAQ

What is a MiCA crypto custody license?
A MiCA crypto custody license is a CASP authorization under MiCA Regulation (EU) 2023/1114 covering the service in MiCA Article 70: custody and administration of crypto-assets on behalf of clients. It authorizes a legal entity to hold and safeguard private keys or other access means to clients' crypto-assets, manage client wallets, and perform administrative functions such as settlement and staking on clients' behalf. It is required by any business that controls client crypto-assets on an ongoing basis — including exchanges with hosted wallets, dedicated custodians, and staking service providers.
What capital do I need for a custody license?
Under MiCA Article 67(1)(c), crypto custody is a Class 3 CASP service with a minimum own funds requirement of €150,000. Some NCAs and ESMA guidance have indicated that standalone custody-only CASPs (not combined with trading platform operations) may be assessed at €125,000 in certain jurisdictions — confirm with the target NCA at pre-application stage. Combined exchange + custody operations always require €150,000. Own funds must be freely available, unencumbered, and maintained at all times — not just at authorization.
What are the technical requirements for MiCA custody?
MiCA custody requires: cold/hot wallet segregation with 90–95% of AUC in cold storage; HSM or MPC key management meeting institutional security standards (FIPS 140-2 Level 3 or equivalent); key backup and disaster recovery with geographically distributed backups and tested recovery procedures; DORA ICT resilience framework with penetration testing and incident reporting; blockchain analytics integration for AML screening; and cybersecurity framework with documented network security policies. NCAs may require third-party security assessment or SOC 2 Type II certification as supporting evidence.
Do I need insurance for a crypto custody service?
Yes. Under MiCA Article 70(2), custodians must maintain either a professional indemnity insurance policy covering losses from key loss, cyber incidents, and professional negligence, or hold additional own funds as an alternative. Insurance must be from an EU-regulated insurer, with coverage proportionate to AUC. Most institutional-grade NCAs — particularly in Luxembourg and Ireland — expect comprehensive cyber liability and professional indemnity insurance. Coverage typically starts at €5–€10 million for institutional custodians. We can introduce you to specialist crypto custody insurers as part of the authorization process.
Which EU country is best for a custody license?
Luxembourg (CSSF) is the leading choice for institutional custodians serving investment funds, family offices, and asset managers — due to Luxembourg's dominant fund industry position. Ireland (CBI) is strong for custodians serving UK-adjacent institutional clients and UCITS-related custody. Lithuania (Bank of Lithuania) offers fast, cost-efficient custody authorization with good institutional credibility. Estonia (FSA) is the fastest for retail and digital-native custody businesses. For pure cost minimization, Bulgaria (FSC) remains the EU's most affordable custody jurisdiction.
Can I combine custody with exchange services?
Yes. MiCA allows a single CASP authorization to cover multiple service types. Most centralized exchanges require both Art. 5/6 exchange authorization and Art. 70 custody authorization within the same CASP license. Combined applications are assessed holistically — the capital requirement is set at the highest applicable class (€150,000 for exchange + custody). The technical requirements for custody (key management, segregation, insurance) apply regardless of whether custody is standalone or combined with exchange services. Contact us about crypto exchange licenses for a combined exchange + custody authorization strategy.
Institutional crypto custody security technology — HSM key management and cold storage infrastructure for MiCA authorized custodians
Custody Compliance

Institutional-Grade Custody Under MiCA

MiCA's custody framework (Art. 70) is designed to bring institutional-grade safeguarding standards to the crypto sector — standards similar to those applied to securities custodians and fund depositaries under UCITS and AIFMD. For operators moving from informal custody arrangements to MiCA compliance, this represents a significant operational upgrade.

The Institutional Custody Opportunity

  • Regulatory gateway: Institutional investors — pension funds, insurance companies, sovereign wealth funds — require counterparties to hold regulated crypto custody status. A MiCA custody license is the gateway to institutional AUC.
  • Bank-grade credibility: MiCA-authorized custodians can open correspondent banking relationships that unregulated crypto custodians cannot access. EU banking groups are building crypto custody services alongside their traditional custodian offerings, and MiCA is the license they require.
  • EU fund integration: UCITS and AIF managers seeking to include crypto-assets in regulated fund portfolios require a MiCA-authorized custodian for the crypto portion of the fund. This creates a structural demand driver that will grow as EU funds increase crypto exposure.
  • Transition pressure: The VASP-to-CASP deadline of 1 July 2026 means custodians operating under pre-MiCA national registrations must obtain CASP authorization. Early movers secure institutional relationships before competitors complete their own licensing.

Our custody team has advised dedicated custodians, exchanges adding custody services, and institutional prime brokers on MiCA Art. 70 compliance. We handle the technical architecture review, insurance procurement introduction, NCA pre-application meetings, and full application submission. Schedule a free consultation to discuss your custody authorization strategy. Related services: Exchange License, Broker License, DORA Compliance.

Thomas Müller — MiCA Custody and Institutional Crypto Specialist
Custody & Institutional Expert
Thomas Müller
MiCA Custody & Institutional Crypto Specialist · Düsseldorf / Luxembourg

Thomas Müller leads Crypto License Europe's institutional custody practice, specializing in MiCA Article 70 authorization, institutional crypto custody structuring, and Luxembourg CSSF and Ireland CBI CASP applications for custodians serving investment funds, family offices, and asset managers. He has advised over 20 custody-focused CASP applicants across six EU jurisdictions, with expertise in HSM/MPC key management documentation, custody insurance procurement, and DORA resilience framework design for crypto custodians. Prior to Crypto License Europe, Thomas worked in alternative investment fund regulation at a Luxembourg-based law firm, advising AIFMs and depositaries on AIFMD compliance — giving him a unique understanding of the intersection between fund regulation and crypto custody requirements. Speak to Thomas →

€125K
Min Capital (Class 2/3)
4–7
Months Authorization Timeline
27
Countries EU Passporting
Art. 70
MiCA Legal Basis

Get Your Custody License — Free Consultation

Our MiCA custody specialists will assess your custody model, technical architecture, and target jurisdiction — then guide you through the full Art. 70 CASP authorization. Free 30-minute consultation, response within 1 business day.

Start Free Consultation