What MiCA Art. 62 Requires
MiCA Article 62 defines the authorization requirements that any legal entity must satisfy before
a National Competent Authority (NCA) can grant CASP status. These requirements apply across all
EU member states and cannot be substituted by national law.
Authorization is mandatory for any firm wishing to provide crypto-asset services to clients in the EU
on a professional basis. Meeting the requirements set out in MiCA Art. 62–76 is a strict precondition:
no NCA may grant CASP authorization to an entity that does not satisfy every applicable criterion.
The requirements span capital adequacy, corporate governance, AML/KYC infrastructure, information
technology resilience, and procedural compliance.
VASP Transition Deadline
If you currently hold an EU VASP registration, you must obtain full MiCA CASP authorization by
1 July 2026. Existing VASPs operating under grandfathering provisions have until that date to submit
a complete MiCA application to their NCA.
Capital Requirements (MiCA Art. 67)
MiCA defines three capital classes based on the services a CASP intends to provide. The minimum
initial capital must be maintained at all times. Alternatively, professional indemnity insurance or
a combination of capital and insurance may satisfy the requirement.
| Class |
Minimum Capital |
Covered Services |
| Class 1 |
€50,000 |
Order execution, reception & transmission of orders, placement of crypto-assets, transfer services for crypto-assets |
| Class 2 |
€125,000 |
Custody & administration of crypto-assets on behalf of clients; portfolio management of crypto-assets |
| Class 3 |
€150,000 |
Exchange of crypto-assets for fiat currency; exchange of crypto-assets for other crypto-assets |
| EMT/ART Issuers |
€350,000 |
Issuance of e-money tokens (EMTs) or asset-referenced tokens (ARTs) — requires credit institution or dedicated authorization |
Where a CASP offers services from multiple classes, the highest applicable threshold applies.
Capital must be held in liquid assets — cash, bank deposits, or government bonds with residual
maturity of less than 90 days. Certain NCAs may impose higher own-funds requirements based on
fixed overheads calculation under MiCA Art. 67(3).
Governance Requirements
MiCA imposes robust governance requirements reflecting the systemic importance of crypto-asset services.
NCAs pay close attention to management body composition and the independence of control functions.
🏛️
Management Body
At least two independent directors (four-eyes principle). At least one must be resident in or regularly present in the licensing jurisdiction. Management body members must collectively possess sufficient knowledge and experience in crypto-asset markets, technology, and regulatory compliance.
✔️
Fit & Proper Assessment
All management body members, qualifying shareholders, and key function holders are subject to NCA fit & proper assessment. This covers professional qualifications, good repute (no criminal convictions, regulatory sanctions), financial soundness, and conflicts of interest.
🔍
Compliance Function
An independent compliance function is mandatory. For smaller CASPs, the compliance officer may hold a dual role, but must have sufficient resources and authority. The compliance function reports directly to the management body and may not be subordinated to business units.
🛡️
MLRO Designation
A Money Laundering Reporting Officer (MLRO) must be formally designated. The MLRO must be a natural person, hold an appropriate qualification in AML/CFT compliance, and be resident in the EU. The MLRO is responsible for receiving and assessing internal suspicious activity reports.
AML/KYC Requirements
CASPs are obliged entities under the EU Anti-Money Laundering Directives (AMLD5/AMLD6) and must implement
a comprehensive AML/CFT framework as part of their MiCA application. The NCA will require evidence of
documented policies and tested procedures.
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures for high-risk clients, including PEPs and sanctioned persons
- Know-Your-Customer (KYC) onboarding procedures with documented identity verification — electronic ID verification is acceptable if compliant with eIDAS
- Ongoing transaction monitoring system capable of identifying unusual or suspicious patterns — must be documented and tested
- Sanctions screening against EU consolidated list, OFAC SDN, and UN sanctions lists — real-time screening at onboarding and periodic re-screening
- Suspicious Activity Report (SAR/STR) procedures with defined escalation path to the MLRO and national financial intelligence unit (FIU)
- AML/CFT risk assessment covering the CASP's business model, client base, geographic exposure, and service types
- Record-keeping procedures (minimum 5 years) for client identification documents, transactions, and internal reports
IT & DORA Requirements
From 17 January 2025, CASPs in scope of DORA (Digital Operational Resilience Act) must comply with
its ICT risk management requirements. Even CASPs below DORA thresholds must satisfy MiCA's own ICT
requirements under Art. 70.
📋
ICT Risk Management Policy
A documented ICT risk management framework covering identification, protection, detection, response, and recovery. Must be approved by the management body and reviewed annually. Includes asset inventory, network security policy, and access control procedures.
🚨
Incident Response Plan
Formal incident classification system and response procedures. Major ICT-related incidents must be reported to the NCA within defined timeframes (initial report within 4 hours of classification under DORA). The plan must define roles, escalation paths, and client communication procedures.
🔬
Resilience Testing
CASPs must perform regular ICT resilience testing including vulnerability assessments and, for significant entities, threat-led penetration testing (TLPT). Test results and remediation plans must be documented and available for NCA review.
🔗
Third-Party Risk
CASPs must maintain a register of ICT third-party service providers and conduct due diligence before engagement. Critical ICT providers must be subject to enhanced contractual requirements under DORA Art. 30. Cloud service concentration risks must be assessed and mitigated.
Application Documents Checklist
MiCA Art. 62 and the ESMA Guidelines specify the documents that must accompany a CASP authorization
application. The NCA will not start the statutory 3-month review clock until the application is
deemed complete.
- Business plan — detailed description of services, target markets, revenue model, and 3-year financial projections
- AML/KYC policy — comprehensive anti-money laundering and counter-terrorist financing procedures, risk assessment, and internal controls
- IT/DORA policy — ICT risk management framework, business continuity plan, disaster recovery plan, and incident response procedures
- Management CVs and fit & proper declarations — professional background, qualifications, clean criminal record certificates for all management body members
- Proof of capital — bank statement or auditor confirmation demonstrating the required minimum initial capital is available and unencumbered
- Organisational chart — legal and operational structure, group structure (if applicable), reporting lines, and key functions identification
- Governance policy — decision-making procedures, conflicts of interest policy, remuneration policy, and internal control framework
- Client asset segregation policy — procedures for keeping client funds and crypto-assets segregated from the firm's own assets
- Complaints handling procedure — documented process for receiving, investigating, and resolving client complaints
- Custody and key management policy (where applicable) — private key management, cold/hot wallet architecture, insurance arrangements
Jurisdiction-Specific Requirements
Individual NCAs may require additional documents beyond the MiCA minimum. For example, BaFin (Germany)
requires a written programme of operations; KNF (Poland) requires documents in Polish. Our team prepares
jurisdiction-specific application packages tailored to each NCA's expectations.