Folio 05 Insights Article

VASP/CASP Crypto Assets

Acquiring an authorised CASP: MiCA change of control

Yes, you can buy your way into MiCA - but not quietly. Acquiring a qualifying holding in an authorised CASP must be notified to the national competent authority and assessed before completion under the MiCA framework (Articles 83-84). The assessment window runs up to 60 working days and stops each time the regulator asks for more information. And inventory is thin: public trackers listed roughly two hundred authorised CASPs across the EEA as of May 2026, so screening targets properly matters more than moving first.

The market

Why buyers are turning to authorised CASPs

For firms on the wrong side of a MiCA transitional deadline - or firms that never held a national registration at all - the realistic options have narrowed to applying fresh or acquiring a company that is already authorised. We covered the first path in our guide to missing the CASP deadline. This article is about the second.

The arithmetic behind the acquisition route is simple: an authorised CASP can operate today, and an application cannot. The supply side is less friendly. Public trackers listed roughly two hundred authorised CASPs across the EEA as of May 2026, only a fraction of which will ever come to market. Sellers know what they hold, and negotiations reflect that.

Scarcity also changes how you should buy. When inventory is thin, the temptation is to take the first available authorisation and bend the business model around it. That is usually backwards: an authorisation with the wrong service classes, or with passporting notifications that were never actually filed, can cost you the very time you were trying to save. If you want to see what a screened pipeline looks like, our catalogue of licensed companies is the starting point.

The process

How the change-of-control assessment works

Buying an authorised CASP is not a private matter between shareholders. Under the MiCA framework (Articles 83-84), acquiring a qualifying holding in an authorised CASP must be notified to the national competent authority and assessed before completion. Signing is your decision; closing, in practice, waits on the regulator.

The assessment window runs up to 60 working days - but the clock stops whenever the regulator requests further information and only restarts when you answer. A thin or inconsistent acquirer dossier can therefore stretch the process well past the headline number. In our experience, the quality of the first filing is the single biggest variable the buyer controls.

Two practical consequences follow. Deal timetables need to be built around the assessment rather than squeezed in front of it - a completion date that ignores the 60-working-day window, and the stops built into it, is a completion date you will renegotiate. And confidentiality has limits: the regulator becomes a participant in the transaction the moment you notify, so both sides should agree early on who prepares what, and when.

If you have bought licensed companies in other regulated sectors, the mechanics will feel familiar - we walk through the generic playbook in our change-of-control guide. What MiCA adds is a harmonised framework applied by national regulators, each with its own forms, working style and appetite for information; the practical texture varies by member state.

Fit and proper

What the NCA assesses in the acquirer

  • Identity and the UBO chain

    The regulator maps ownership up to natural persons. Nominee layers, opaque trusts and unexplained intermediate holdings are the classic trigger for information requests - and every request stops the 60-working-day clock.

  • Source of funds and source of wealth

    How the purchase price is financed and where the money originally came from, evidenced rather than asserted. Expect document-level scrutiny, not a narrative summary.

  • Financial soundness

    Whether you can support the CASP after completion - the resources behind the plan, not merely the ability to pay the purchase price.

  • The plan for the target

    What you intend to do with the business: services, markets, management and systems. A vague plan invites questions; a concrete one gives the regulator less to ask about.

Due diligence

Scope, passporting and DORA: the file you inherit

Ordinary M&A diligence buys you accounts, contracts and liabilities. With a CASP you are also buying a regulatory file, and three parts of that file decide whether the target actually fits your model.

First, scope. CASP authorisations specify service classes: a target authorised for exchange and custody is not automatically authorised for portfolio management. If your model depends on a class the target does not hold, you are buying an application project, not an operating permission.

Second, passporting. Cross-border activity into other EEA states runs on notifications, made state by state. Diligence which notifications are actually in place rather than assuming the home authorisation travels by itself.

Third, DORA. The ICT risk framework applies to CASPs, and the acquired company's DORA compliance state is part of the file you inherit - gaps included. Whatever remediation the target has deferred becomes your programme on day one.

None of these checks is exotic, but sellers in a thin market have little incentive to volunteer weaknesses, and a data room rarely flags what is absent. Ask for the authorisation decision itself, the notification correspondence and the DORA documentation as primary evidence, and treat a summary table prepared by the seller as a starting point for verification, not the end of it.

In practice

Three checks on the target's regulatory file

Diligence area What to verify Why it matters
Diligence area Authorised service classes What to verify The exact services listed on the authorisation, matched line by line against your intended model Why it matters Exchange-and-custody authorisation does not automatically cover portfolio management; missing classes mean a fresh application
Diligence area Passporting notifications What to verify Which host-state notifications have actually been filed, not just the home-state authorisation Why it matters Passporting runs on notifications; EEA coverage can be narrower than a seller's summary suggests
Diligence area DORA compliance state What to verify The state of the ICT risk framework the CASP is required to maintain under DORA Why it matters You inherit the compliance file as it stands; deferred work becomes your remediation cost

Step by step

A realistic sequence for a CASP acquisition

  1. Match scope before price

    Confirm the authorised service classes cover your model before negotiating anything else. Scope mismatch is the one defect money does not fix quickly.

  2. Diligence the regulatory file

    Verify passporting notifications state by state and take an honest view of the DORA compliance position, alongside the usual corporate and financial diligence.

  3. Prepare the acquirer dossier

    Assemble the UBO chain, source-of-funds and source-of-wealth evidence, financial soundness material and the plan for the target before you notify, not after the first information request.

  4. Notify the NCA and manage the assessment

    The window runs up to 60 working days and stops on information requests. Answer quickly and completely; each round-trip you avoid is time recovered.

  5. Complete only after the assessment

    The acquisition is assessed before completion, so structure the purchase agreement to make closing conditional on the regulatory outcome.

FAQ

Frequently asked questions

Straight answers to what founders and buyers ask. If yours isn't here, ask us directly

01 Is acquiring a CASP faster than applying fresh?

Often, but it is not automatic. As of July 2026 the change-of-control assessment runs up to 60 working days and the clock stops on every information request, so a weak dossier erodes the advantage quickly. Fresh authorisation timelines vary by member state; the acquisition route's real edge is that the target is already authorised, so the business is not waiting on a first-time licensing decision.

02 Can the NCA reject the new owner?

Yes. The acquirer is assessed on fit-and-proper criteria - identity and the UBO chain, source of funds and wealth, financial soundness, and the plan for the target - and the acquisition must be assessed before completion. If the regulator objects, the deal cannot close in its intended form.

03 Does the acquired CASP keep its passporting rights?

In principle the authorisation and its passporting notifications belong to the company rather than the outgoing shareholder, so a share purchase does not by itself unwind them. In practice, passporting runs on state-by-state notifications, so verify which ones are actually in place; coverage can be narrower than a seller's summary suggests.

Tell us what you need

Source and screen an authorised CASP target

SKY7 verifies authorisation scope, passporting state and ownership history before you see the file.

Editorial note

Editorial disclaimer

Reviewed by Elena Korniets. Last reviewed: 10 July 2026. This article is general information only, not legal, regulatory, tax, investment or financial advice. Regulatory details in this article are time-sensitive; verify against the regulator's current publications before relying on them.