The market
Why buyers are turning to authorised CASPs
For firms on the wrong side of a MiCA transitional deadline - or firms that never held a national registration at all - the realistic options have narrowed to applying fresh or acquiring a company that is already authorised. We covered the first path in our guide to missing the CASP deadline. This article is about the second.
The arithmetic behind the acquisition route is simple: an authorised CASP can operate today, and an application cannot. The supply side is less friendly. Public trackers listed roughly two hundred authorised CASPs across the EEA as of May 2026, only a fraction of which will ever come to market. Sellers know what they hold, and negotiations reflect that.
Scarcity also changes how you should buy. When inventory is thin, the temptation is to take the first available authorisation and bend the business model around it. That is usually backwards: an authorisation with the wrong service classes, or with passporting notifications that were never actually filed, can cost you the very time you were trying to save. If you want to see what a screened pipeline looks like, our catalogue of licensed companies is the starting point.
The process
How the change-of-control assessment works
Buying an authorised CASP is not a private matter between shareholders. Under the MiCA framework (Articles 83-84), acquiring a qualifying holding in an authorised CASP must be notified to the national competent authority and assessed before completion. Signing is your decision; closing, in practice, waits on the regulator.
The assessment window runs up to 60 working days - but the clock stops whenever the regulator requests further information and only restarts when you answer. A thin or inconsistent acquirer dossier can therefore stretch the process well past the headline number. In our experience, the quality of the first filing is the single biggest variable the buyer controls.
Two practical consequences follow. Deal timetables need to be built around the assessment rather than squeezed in front of it - a completion date that ignores the 60-working-day window, and the stops built into it, is a completion date you will renegotiate. And confidentiality has limits: the regulator becomes a participant in the transaction the moment you notify, so both sides should agree early on who prepares what, and when.
If you have bought licensed companies in other regulated sectors, the mechanics will feel familiar - we walk through the generic playbook in our change-of-control guide. What MiCA adds is a harmonised framework applied by national regulators, each with its own forms, working style and appetite for information; the practical texture varies by member state.
Fit and proper
What the NCA assesses in the acquirer
-
Identity and the UBO chain
The regulator maps ownership up to natural persons. Nominee layers, opaque trusts and unexplained intermediate holdings are the classic trigger for information requests - and every request stops the 60-working-day clock.
-
Source of funds and source of wealth
How the purchase price is financed and where the money originally came from, evidenced rather than asserted. Expect document-level scrutiny, not a narrative summary.
-
Financial soundness
Whether you can support the CASP after completion - the resources behind the plan, not merely the ability to pay the purchase price.
-
The plan for the target
What you intend to do with the business: services, markets, management and systems. A vague plan invites questions; a concrete one gives the regulator less to ask about.
Due diligence
Scope, passporting and DORA: the file you inherit
Ordinary M&A diligence buys you accounts, contracts and liabilities. With a CASP you are also buying a regulatory file, and three parts of that file decide whether the target actually fits your model.
First, scope. CASP authorisations specify service classes: a target authorised for exchange and custody is not automatically authorised for portfolio management. If your model depends on a class the target does not hold, you are buying an application project, not an operating permission.
Second, passporting. Cross-border activity into other EEA states runs on notifications, made state by state. Diligence which notifications are actually in place rather than assuming the home authorisation travels by itself.
Third, DORA. The ICT risk framework applies to CASPs, and the acquired company's DORA compliance state is part of the file you inherit - gaps included. Whatever remediation the target has deferred becomes your programme on day one.
None of these checks is exotic, but sellers in a thin market have little incentive to volunteer weaknesses, and a data room rarely flags what is absent. Ask for the authorisation decision itself, the notification correspondence and the DORA documentation as primary evidence, and treat a summary table prepared by the seller as a starting point for verification, not the end of it.
In practice
Three checks on the target's regulatory file
| Diligence area | What to verify | Why it matters |
|---|---|---|
| Diligence area Authorised service classes | What to verify The exact services listed on the authorisation, matched line by line against your intended model | Why it matters Exchange-and-custody authorisation does not automatically cover portfolio management; missing classes mean a fresh application |
| Diligence area Passporting notifications | What to verify Which host-state notifications have actually been filed, not just the home-state authorisation | Why it matters Passporting runs on notifications; EEA coverage can be narrower than a seller's summary suggests |
| Diligence area DORA compliance state | What to verify The state of the ICT risk framework the CASP is required to maintain under DORA | Why it matters You inherit the compliance file as it stands; deferred work becomes your remediation cost |
Step by step
A realistic sequence for a CASP acquisition
-
Match scope before price
Confirm the authorised service classes cover your model before negotiating anything else. Scope mismatch is the one defect money does not fix quickly.
-
Diligence the regulatory file
Verify passporting notifications state by state and take an honest view of the DORA compliance position, alongside the usual corporate and financial diligence.
-
Prepare the acquirer dossier
Assemble the UBO chain, source-of-funds and source-of-wealth evidence, financial soundness material and the plan for the target before you notify, not after the first information request.
-
Notify the NCA and manage the assessment
The window runs up to 60 working days and stops on information requests. Answer quickly and completely; each round-trip you avoid is time recovered.
-
Complete only after the assessment
The acquisition is assessed before completion, so structure the purchase agreement to make closing conditional on the regulatory outcome.
FAQ
Frequently asked questions
Straight answers to what founders and buyers ask. If yours isn't here, ask us directly
01 Is acquiring a CASP faster than applying fresh?
Often, but it is not automatic. As of July 2026 the change-of-control assessment runs up to 60 working days and the clock stops on every information request, so a weak dossier erodes the advantage quickly. Fresh authorisation timelines vary by member state; the acquisition route's real edge is that the target is already authorised, so the business is not waiting on a first-time licensing decision.
02 Can the NCA reject the new owner?
Yes. The acquirer is assessed on fit-and-proper criteria - identity and the UBO chain, source of funds and wealth, financial soundness, and the plan for the target - and the acquisition must be assessed before completion. If the regulator objects, the deal cannot close in its intended form.
03 Does the acquired CASP keep its passporting rights?
In principle the authorisation and its passporting notifications belong to the company rather than the outgoing shareholder, so a share purchase does not by itself unwind them. In practice, passporting runs on state-by-state notifications, so verify which ones are actually in place; coverage can be narrower than a seller's summary suggests.
Keep reading
Related reading
EU MiCA CASP authorisation support
The in-house SKY7 workstream for a fresh own-name MiCA application, from service scope and substance to filing and follow-up.
Missed the MiCA CASP deadline: what now
The options if you are on the wrong side of a transitional deadline - the situation this article starts from.
CASP authorisation tracker 2026
Who is actually authorised across the EEA - the scarce inventory this article describes.
Buying a licensed company: change of control
The generic change-of-control playbook that MiCA's Articles 83-84 build on.