MiCA CASP authorisation is now the only legal basis for providing crypto-asset services to EU clients on a commercial basis. The question is no longer whether you need authorisation — it is whether you still have time to get it.
As of April 2026, only 182 CASP licences have been issued across the EU. The July 2026 transitional deadline applies only to jurisdictions that granted the maximum 18-month window. In most EU member states — including Lithuania, Finland, Latvia, the Netherlands, Poland, and Slovenia — that window has already closed. If you operate in those markets without a MiCA licence, you are already out of compliance.
At VoltLegal, we advise crypto exchanges, custodians, brokers, and token issuers on MiCA CASP authorisation — from initial scoping and jurisdiction selection through application preparation, NCA coordination, and post-authorisation compliance.
Who needs a MiCA CASP licence
Any business providing crypto-asset services to EU clients on a professional basis requires CASP authorisation under MiCA. The services covered include:
- Custody and administration of crypto-assets on behalf of clients
- Operation of a trading platform for crypto-assets
- Exchange of crypto-assets for fiat or other crypto-assets
- Execution of orders for crypto-assets on behalf of clients
- Portfolio management of crypto-assets
- Investment advice on crypto-assets
- Transfer services for crypto-assets
- Placement of crypto-assets on behalf of issuers
Third-country firms serving EU clients on a systematic basis must establish an EU entity and obtain authorisation. Reverse solicitation under MiCA is narrowly construed — ESMA has been explicit that it cannot function as a de facto market access strategy.
July 2026 is not the deadline for most — it already passed
The 18-month transitional period under Article 143(3) of MiCA was an option for member states, not a requirement. Many chose shorter windows:
- Already expired — Lithuania, Finland, Latvia, Poland, Slovenia, Hungary, the Netherlands (6–12 month windows)
- July 1, 2026 — Estonia, Malta, Germany, France, Cyprus, and others that applied the maximum window
If you hold a legacy VASP registration in a jurisdiction where the transitional period has already ended, you needed a submitted MiCA application before that deadline to benefit from the grandfathering clause. Operating without one is an active regulatory risk — not a future concern.
Where CASP licences are actually being issued
As of April 2026, the EU CASP register reflects a concentrated pattern. Germany leads with 54 licences, the Netherlands with 25, France and Malta tied at 12. The total across all 27 member states is 182 — a fraction of the estimated 1,200+ VASPs that previously operated across EU markets.
This concentration reflects both regulatory capacity and NCA appetite. Our jurisdiction recommendations are based on current NCA throughput, substance requirements, and fit for your specific business model:
Germany — highest licence count, preferred by regulated banks, broker-dealers, and institutional custodians. BaFin is thorough but has demonstrated capacity to process complex applications.
Netherlands — strong for crypto-native and payments-adjacent models. DNB has approved on/off-ramp, brokerage, and trading structures. Rigorous but predictable.
Malta — established framework for large exchanges and multi-service CASPs. MFSA has significant experience with crypto applicants. OKX, Crypto.com, Gemini, and Bitpanda are authorised here.
France — AMF is processing applications efficiently. Good option for firms with French-speaking management or European institutional ambitions.
Estonia — the Estonian FSA took over all CASP supervision from the FIU in July 2024. Zero CASP licences issued to date. The FSA is applying institutional-grade standards — this is a viable jurisdiction for the right applicant, but not a fast-track option. We advise on Estonia-based applications with full knowledge of the FSA’s current supervisory posture.
Cyprus — CySEC has a track record with crypto and investment firms. Efficient for trading and custody models with EU distribution requirements.
Core authorisation requirements
Capital. Own funds requirements range from €50,000 to €150,000 depending on service scope, with higher expectations for firms holding client assets at scale.
EU substance. Genuine physical presence, effective management in the EU, and at least one EU-resident director. Letterbox structures are rejected at the completeness check stage.
Governance. Fit-and-proper assessments for all management body members and key function holders — CEO, CCO, MLRO. Relevant experience in regulated financial services is expected, not optional.
AML/CFT. A fully documented AML programme including CDD procedures, transaction monitoring, Travel Rule (TFR) implementation, and a qualified MLRO who can engage directly with the NCA.
DORA. ICT risk management framework, incident classification and reporting procedures, and documented business continuity arrangements — all required as part of the application package.
Client asset safeguarding. Client fiat held at an EU credit institution by the end of the next business day. Crypto-assets segregated from firm assets with documented custody arrangements.
MiCA crypto-asset whitepapers
MiCA requires issuers of crypto-assets other than ARTs and EMTs to prepare and notify a compliant whitepaper to their NCA before making a public offering or seeking admission to trading. The whitepaper is not a marketing document — it is a regulated disclosure instrument with mandatory content requirements, liability exposure for the issuer, and a 10-business-day notification window.
A non-compliant whitepaper is grounds for the NCA to prohibit the offering entirely. The most common failure points are inadequate risk disclosure, missing technical information on the underlying protocol, insufficient description of rights attached to the token, and incomplete information on the issuer’s governance and conflict-of-interest arrangements.
We draft MiCA-compliant whitepapers for token issuers across all asset categories — utility tokens, asset-referenced tokens (ARTs), and e-money tokens (EMTs). Our work covers:
- Token classification analysis — determining whether MiCA, MiFID II, or both apply
- Whitepaper drafting to MiCA Article 6 requirements for utility tokens
- ART and EMT whitepaper preparation under Articles 19 and 51
- NCA notification filing and correspondence management
- Liability review — ensuring issuer statements are defensible under MiCA’s civil liability regime
- Coordination with technical teams on protocol and smart contract disclosures
For issuers also seeking CASP authorisation, we coordinate the whitepaper and licensing workstreams to avoid duplication and align timelines with the NCA review process.
How we approach MiCA CASP authorisation
Our MiCA licensing mandate covers the full process:
- CASP class determination — mapping your services to MiCA’s authorisation categories
- Jurisdiction analysis and NCA selection based on your timeline, model, and substance capacity
- Entity structure and EU substance setup
- Application package — business plan, programme of operations, governance framework, AML policies, ICT and DORA documentation
- Fit-and-proper preparation for management body members
- NCA coordination and Q&A management throughout the review
- Post-authorisation compliance framework and ongoing supervisory advisory
We also advise existing VASPs on the transition — including gap analysis against MiCA requirements, documentation uplift, and application strategy that builds on your existing compliance infrastructure.
Talk to us
If you are still outside MiCA and serving EU clients, the window for an orderly application is closing. If your application is already in progress and you need a second opinion on strategy or NCA correspondence, we offer standalone review engagements.
Book a 30-minute consultation to map your MiCA authorisation pathway — jurisdiction, timeline, and what a realistic application looks like for your business model.