.webp)
A Crypto Asset Service Provider (CASP) license is the formal authorization under the EU’s Markets in Crypto-Assets (MiCA) regulation that permits companies to offer regulated crypto-asset services across the European Economic Area.
Think of it as the crypto-sector equivalent of a banking charter: the credential that makes your business legitimate to regulators, institutional clients, and banking partners across 27 countries at once.
If your platform runs a crypto exchange, provides asset custody, or manages digital asset portfolios for European clients, operating without one after July 1, 2026 means operating illegally.
The CASP concept first appeared in 2020 with the draft MiCA regulation. Before MiCA, EU countries had a patchwork of national Virtual Asset Service Provider (VASP) registrations, each with its own thresholds, rules, and supervisory bodies. MiCA replaced this with a single regime.
ESMA maintains a public register of all authorized CASPs, published weekly as a CSV file on its website. As of early 2026, roughly 130 to 140 CASPs had received full MiCA authorization across the EU.
→ Learn more about MiCA regulation.
The CASP license solves a fundamental problem: before MiCA, a company licensed in Lithuania had no automatic right to serve French users. The CASP framework removes this fragmentation. With a single authorization, you gain legal access to a market of approximately 450 million people under one rulebook.
Beyond market access, the license signals financial integrity. MiCA’s requirements are modeled on rules applied to traditional investment firms and e-money institutions. Passing the authorization process proves to clients, banks, and institutional counterparties that your operation meets a standard they know and trust.
The license also includes consumer protections that regulators designed to prevent platform failures like the FTX collapse in November 2022. Requirements for client asset segregation, white paper disclosures, and real-time incident reporting are part of what the CASP license demands from day one.
Any company that provides crypto-asset services to EU clients on a professional basis needs a CASP license. MiCA’s definition of “crypto-asset service” is deliberately wide and captures the full value chain of the digital asset industry.
The following activities all require CASP authorization under MiCA:
Non-EU firms are not exempt. If you actively solicit or serve EU clients, MiCA applies regardless of where your company is incorporated. The only path is establishing an authorized EU subsidiary and passporting services from there. One exception applies to existing regulated financial institutions such as credit institutions, EMIs, and MiFID firms, which can extend activities to crypto services via a faster Article 60 notification route instead of a full CASP application.
The VASP concept was introduced by the Financial Action Task Force (FATF) in 2019, specifically to bring AML and counter-terrorism financing (CTF) controls to crypto businesses. Countries then implemented FATF’s recommendations independently, producing a spectrum of national regimes: from light-touch registration in some offshore jurisdictions to substantive licensing in Singapore and Hong Kong.
The CASP license under MiCA supersedes national VASP regimes within the EU. As of December 30, 2024, EU member states stopped accepting new VASP registrations. The strategic difference is that VASP offers flexibility and lower entry costs outside the EU, while CASP provides legal certainty and passporting inside it.
If your target market is European retail or institutional clients, the CASP license is not one option among many. It is the only option that remains legally valid after July 1, 2026.
Yes. A CASP license issued by any one NCA in the EU grants passporting rights across all 30 EEA jurisdictions. You authorize once and operate everywhere else through a notification process, not a second application. Think of it as the difference between having a driving license and needing to pass a driving test in every country you visit.
The mechanics are straightforward. Once your home NCA grants authorization, it notifies the host country’s regulator on your behalf. Services can legally start in that country 15 calendar days after notification. No additional capital, second review, or separate application is needed.
This is one of the most commercially valuable features of the CASP license. Running a crypto exchange across Germany, France, the Netherlands, and Malta under separate national regimes required maintaining four distinct compliance programs. The CASP passporting model collapses that into one. Firms like Coinbase, Bitstamp, and Gemini leveraged this by choosing Luxembourg as their home member state and passporting rapidly across the bloc.
Note one important limit: companies still operating under grandfathered transitional status do not have passporting rights. Grandfathering allows continued domestic operations; it does not grant the cross-border privileges that come only with a full CASP authorization.
If you want to understand what a CASP license actually demands, picture a five-pillar compliance structure: legal presence, governance, capital, operational standards, and ongoing compliance.
You must incorporate a legal entity in an EU member state and establish genuine operational substance there. Virtual office addresses and nominee directors are among the top reasons NCAs reject applications. At least one director or senior manager must be EU-resident with documented decision-making authority.
Your management body must pass a fit-and-proper assessment covering professional qualifications, clean records, and adequate time commitment. MiCA requires documented policies on AML/CTF, conflicts of interest, data protection, risk management, consumer protection, and business continuity. From January 17, 2025, DORA (Digital Operational Resilience Act) applies to all MiCA-licensed CASPs, meaning your ICT infrastructure needs formal incident classification procedures, resilience policies, and a documented recovery plan.
MiCA’s Annex IV assigns each firm to one of three prudential classes:
Each class also requires maintaining financial reserves equal to at least one quarter of the previous year’s fixed overheads.
CASPs must comply with the EU’s Transfer of Funds Regulation, collecting and transmitting verified originator and beneficiary data for every crypto transfer. White papers for any crypto-assets you issue must be filed in iXBRL format, a requirement effective December 23, 2025. Order book records must be maintained in JSON format per ESMA’s machine-readable specification published November 28, 2025.
Expect regular reporting cycles to your home NCA, periodic audits, and material incident notifications routed through ESMA’s reporting channels.
Understanding how to get a CASP license starts with accepting that it is a formal regulatory process, not a registration form. The entire sequence from planning to live authorization typically takes 4 to 12 months. Here is the core pathway:
Confirm which services you offer and which Annex IV capital class applies. Then choose your home member state based on NCA speed, local corporate law, and your substance capacity. Lithuania (Bank of Lithuania) clears clean files in 4 to 6 months. The Netherlands (AFM) takes 9 to 12 months. Germany’s BaFin is the most demanding NCA. Its review runs 12 to 24 months, and applicants report that documentation packages exceed 200 pages just to survive the first round of regulator questions.
Register your legal entity in the chosen member state. Establish a real office. Appoint EU-resident directors and a full-time compliance officer with documented crypto-sector experience. Shell structures are flagged early and kill applications.
A complete CASP application includes a business plan, financial statements, and capital projections, AML/CTF policies, governance frameworks, DORA-compliant IT security documentation, safeguarding procedures, client-facing white papers if applicable, and a formal complaint-handling process. Most applications stall at this stage.
The process gives the NCA 25 working days to assess completeness, then 40 working days for substantive review (extendable by 20 days). Based on 2025 data, the fastest NCAs (Malta, Lithuania) closed files in about 4 months when submissions were clean. Germany and Ireland extended timelines to 12 months or more.
NCAs issue Requests for Information (RFIs) during review. Slow responses are the biggest timeline killer. Once approved, ESMA adds you to its public register, and passporting starts immediately.
If you’re already a regulated financial institution, MiCA’s Article 60 notification route lets you add crypto-asset services in a fraction of the standard application time and cost.
The CASP license cost is not a single number. Founders who budget only for the government filing fee often run short because the true cost spans three distinct categories that must be funded simultaneously.
These vary by member state and typically run €3,000 to €15,000 for the initial filing. Most NCAs charge additional annual supervisory fees scaled to your business activity.
Building your documentation package, drafting policies, engaging legal advisors, and satisfying DORA ICT requirements typically costs €20,000 to €80,000 or more. Companies with no prior regulatory footprint spend toward the upper end; former VASPs with existing AML programs spend less.
This is not a fee but capital you must hold on your balance sheet. Your floor ranges from €50,000 to €150,000 depending on your CASP class, plus a reserve equal to at least one quarter of your previous year’s fixed overheads. A CASP providing both custody and EMT-related payment services also faces a parallel PSD2 capital requirement, as the EBA confirmed in 2025. Budget for the higher amount.
All in, a startup pursuing a mid-tier CASP authorization (exchange and custody services, €125,000 capital threshold) should budget €150,000 to €300,000 for the first year, covering government fees, legal and compliance work, minimum capital, local staffing, and banking setup. Operational firms with existing compliance frameworks usually cost less.
The CASP grandfathering period is the transitional window MiCA’s Article 143(3) created for companies that were already legally operating under national crypto-asset service provider regimes before December 30, 2024. Those companies could continue operating while they prepared and submitted a full CASP application, rather than ceasing services immediately on MiCA’s application date.
The maximum grandfathering window runs until July 1, 2026, which is 18 months from MiCA’s full entry into application. But the period is not uniform across the EU. Member states elected their own windows, and many chose shorter ones. Germany and Austria set 12-month periods ending December 31, 2025. Lithuania set 6 months, ending January 1, 2026. France, Malta, and Luxembourg took the full 18 months to July 1, 2026.
Per ESMA’s Article 143(3) list, the deadline to file an application to enter grandfathering has generally already passed; most member states set cut-offs around October 8, 2025. If your firm did not file in time, grandfathering no longer covers you, and a fresh CASP application is required.
Grandfathered status also does not carry passporting rights. Cross-border operations under grandfathering remain limited to jurisdictions that still recognize your home country’s transitional regime. Two sets of obligations applied from day one, with no transitional cover: MiCA’s market abuse rules (Title VI) and the EU’s Transfer of Funds Regulation. Operating under grandfathering did not exempt you from either.
Yes, CASP licenses are available through the acquisition of an existing authorized entity. Instead of spending 6 to 24 months in the authorization queue, you acquire a company that already holds a valid CASP authorization. The buyer assumes the entity’s regulatory permissions, subject to the NCA’s approval of the change of control.
This route makes practical sense for any investor or founder who needs EU market access now. A fresh CASP application submitted today cannot realistically clear before July 1, 2026. An acquisition with a completed change-of-control process is the only realistic path to operating legally in the EU before that window closes.
Pricing for a CASP license for sale depends on the jurisdiction, whether the entity is operational with revenue, the scope of authorized services, and the cleanliness of its compliance record. Shell CASPs with minimal operational history typically transact in the low-to-mid six figures. Operational entities with active passporting across EEA states and live revenue can reach into the multi-millions. A ready-made MiCA CASP license with active passporting across all EU member states is currently listed for EUR 6,000,000 at Acquire.Fi’s Financial Licenses Marketplace.
When looking at any CASP license for sale, run due diligence on: the scope of authorized services and any conditions attached to the authorization, the passporting registrations in place, any open NCA findings or enforcement history, the quality and employment status of the current management body, AML compliance documentation, and whether banking and payment-rail relationships survive the ownership change. NCAs must approve the change of control before it takes effect, and fit-and-proper reviews of incoming beneficial owners and directors are standard in every EU member state.
Acquiring a licensed CASP and securing the regulatory change of control is typically faster than a fresh application, but it requires disciplined legal structuring. Work with advisors who have handled MiCA change-of-control filings before.
Owning a CASP license, whether obtained through a fresh application or an acquisition, puts your platform on the right side of the July 1, 2026 compliance line and opens the door to EU-wide growth, institutional partnerships, and the kind of regulatory credibility that is increasingly difficult to build from scratch. The companies that moved early are already passporting across 30 EEA jurisdictions and establishing the compliance track records that attract both users and capital. That first-mover gap widens every month.
With deep roots in traditional finance and the digital asset industry, Acquire.Fi operates as a specialist M&A advisory firm. Coverage spans M&A, secondaries, OTC, and capital markets advisory across digital assets and frontier tech. Decades of combined experience across every stage of the deal lifecycle.
.webp)