May 26, 2026
MiCA CASP framework: what changes for crypto operators in 2026
The EU's Markets in Crypto-Assets framework introduces CASP authorisation requirements that replace existing national VASP regimes. Capital thresholds, conduct rules, and white-paper duties are now standardised — and the compliance shape of an EU crypto business changes accordingly.

MiCA changes the practical shape of EU crypto licensing by moving operators away from fragmented national VASP regimes and toward a harmonised CASP authorisation. The direction is simple; the consequences are not. A registration that used to be a formality in one member state is now a full authorisation file with capital, governance, and conduct obligations attached — and a passport worth having once it is granted. This is a practitioner's walkthrough of what actually changes, what the file looks like, and where applicants lose time.
How we got here: the timeline that matters
The Markets in Crypto-Assets Regulation entered into force in June 2023 and applied in stages: the stablecoin titles — asset-referenced tokens and e-money tokens — from mid-2024, and the CASP authorisation regime from the end of December 2024. From that point, providing crypto-asset services in the EU is a regulated activity in the MiFID sense of the word: defined services, authorisation before activity, ongoing supervision, and enforcement with teeth.
Member states were allowed to grandfather operators that held national registrations before the cutover, for transition periods they set themselves within an 18-month ceiling. They used that discretion unevenly. Some kept the full window; several shortened it deliberately to force early filings. The single most expensive misunderstanding we see is an operator assuming the longest published window applies to them: the date that matters is the one set by the member state where the registration lives, and several of those dates land well before the regulation's outer deadline of mid-2026.
The operational consequence is blunt. An operator relying on a national registration should know the exact date its grandfathering ends, subtract the realistic authorisation queue at its choice of supervisor, and treat what is left as the filing deadline. A lapsed registration with a pending application is a bad place to run a business from, and supervisors have shown no appetite for informal extensions.
From VASP registrations to CASP authorisation
Until MiCA, most EU crypto businesses operated under national AML registrations: VASP lists in Lithuania, Estonia, or Poland, France's PSAN regime, Germany's crypto custody licence as the notable heavyweight exception. Most of those registrations were cheap, fast, and shallow — they confirmed an AML programme existed, not that the business was supervised as a financial institution.
CASP authorisation replaces that model. An operator applying under MiCA files for specific services from the regulation's list — custody and administration, operation of a trading platform, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placing, reception and transmission, advice, portfolio management, and transfer services. The regulator assesses the whole operating model: ownership and the provenance of capital, governance and the people in it, IT and custody architecture, conflicts of interest, complaints handling, outsourcing, and the credibility of the financial projections.
The result is closer to a payment institution authorisation than to the old VASP registration, and the file should be built with that comparison in mind. Teams that staff the project the way they would staff an EMI application — a named project owner, a real compliance hire before filing, financials a supervisor can interrogate — move through the queue. Teams that submit a refreshed version of their old VASP pack get a question letter the size of the original application.
The compensation for the heavier file is the passport. A CASP authorised in one member state can notify its way across the EEA without re-licensing — something national VASP registrations never offered, and the reason consolidation toward a handful of filing jurisdictions is already visible.
Capital: fixed floors that move with the business
MiCA ties minimum capital to the class of services:
- Class 1 — the lighter services: execution, placing, reception and transmission, advice, portfolio management, transfer services: €50,000.
- Class 2 — custody and administration, and exchange services: €125,000.
- Class 3 — operating a trading platform: €150,000.
Three practical notes that the headline table hides:
- The own-funds requirement is the higher of the class minimum or a quarter of the preceding year's fixed overheads. A growing operator should expect the requirement to track its cost base, not stay frozen at the class figure — and supervisors read the projections with exactly that in mind.
- The capital must be real and demonstrably available: paid in, held with an identifiable institution, reconciled to the application's financial plan. A shareholder's comfort letter is not capital.
- Insurance can substitute for part of the prudential requirement in defined circumstances, but the market for compliant policies is thin. Treat insurance as an optimisation to explore after authorisation, not a filing strategy.
Conduct, custody, and white-paper duties
Three areas consistently surprise teams migrating from VASP-era operations.
Custody rules with teeth
Custodians must segregate client assets from their own, maintain a custody policy that genuinely describes key management, access controls, and the wallet architecture, and accept liability for the loss of client crypto-assets in most loss scenarios — up to the market value of what was lost. "We use a third-party custodian" does not remove the obligation; it converts it into an outsourcing arrangement the regulator will examine, with the liability staying at home.
The custody policy is where supervisors now spend disproportionate review time. A strong one reads like an operations document, not a legal one: who generates keys and how, where the shards or HSMs live, who can authorise movement at which thresholds, how recovery works when a key holder is hit by the proverbial bus, and what gets reconciled daily against what.
Conduct and conflicts
Exchanges and brokers need published pricing and execution policies, a conflicts framework that addresses proprietary trading and listing decisions, and complaints handling with real timelines and a named owner. The market-abuse provisions apply to crypto trading venues in a form recognisably descended from MAR: insider dealing, unlawful disclosure, and manipulation are now supervisory topics, and venues are expected to surveil for them.
White papers and marketing
Issuance activity — including some token launches operators used to treat as marketing exercises — requires a compliant white paper with prescribed disclosures, notified to the regulator before publication. Marketing communications must be consistent with the white paper and identifiable as marketing. Asset-referenced and e-money tokens carry their own, heavier regimes with separate authorisation tracks; an operator touching stablecoin issuance should treat that as a distinct licensing question with its own timeline, not a footnote to the CASP file.
Choosing the home member state
With the passport equalising the output, the choice of filing jurisdiction comes down to inputs:
- Supervisory temperament and bandwidth. Queues differ by months. Some supervisors run structured pre-application engagement; others assess cold. Ask, before filing, how many CASP files the authority has processed to decision.
- Banking access. The authorisation does not solve banking; local banking culture toward crypto does. A jurisdiction where the file clears but no bank will open the safeguarding and operating accounts is not a result.
- Language and process friction. Filing in a language the team does not work in adds cost to every question round.
- Substance expectations. Every supervisor now expects local management presence and real decision-making; they differ in how much.
The pattern already visible: operators consolidating toward member states with experienced payments supervisors, predictable process, and a banking sector that has decided crypto is a client category rather than a threat.
The transition checklist
- Confirm the exact grandfathering end date for every national registration the group holds.
- Map current activity to the MiCA service list — the old registration's wording will not match, and unlisted services must stop at the deadline.
- Pick the home member state on supervisory temperament, queue length, and banking access, not on where the old registration happened to live.
- Budget capital by class plus the fixed-overheads test, with headroom the projections can defend.
- Write the custody policy as an operations document and rehearse what it describes.
- Treat the white-paper question early if any token issuance is in the model.
- File months before the deadline, and answer the first question letter fast — response latency is the variable the applicant controls.
The application file, section by section
A CASP file that clears without supervisory ping-pong typically contains, in the order reviewers read it:
- Programme of operations: each requested service mapped to its operational reality — systems, partners, volumes — with nothing requested "for optionality" that the business plan does not use. Unused permissions draw questions and conditions.
- Business plan and three-year financials: coherent unit economics, the fixed-overheads calculation shown, the capital buffer surviving the downside case, and the funding source for top-ups evidenced.
- Governance pack: ownership to natural persons with source-of-capital documentation, board composition with individual fit-and-proper files, key function holders named and hired rather than promised.
- Custody and ICT chapter: wallet architecture, key management ceremonies, segregation model, reconciliation cadence, incident playbooks, business continuity with tested recovery objectives.
- AML/CFT programme: risk assessment tuned to crypto typologies, screening and analytics tooling named, travel-rule implementation described, staffing proportionate to projected volumes.
- Conflicts, complaints, and conduct policies: the documents that prove the firm understands it is becoming a financial institution, not registering a website.
The pattern reviewers punish hardest is internal inconsistency — volumes that differ between the business plan and the AML assessment, services described in marketing language in one chapter and operational language in another. One owner should read the entire file for reconciliation before submission.
The supervisory relationship after authorisation
Authorisation starts the obligations rather than ending them:
- Ongoing capital monitoring against the fixed-overheads test as the cost base grows, with breaches notifiable.
- Periodic regulatory reporting and, for custody, safeguarding-style attestations of client asset segregation.
- Notification or approval duties for changes: new services, qualifying-holding changes, key function replacements, material outsourcing.
- Market-abuse surveillance duties for venues, with the expectation of actual alerts, investigations, and records.
- Inspection exposure from year one — the early supervisory visits typically walk the custody policy and the AML programme against practice.
Budget the standing compliance function — people, tooling, audit — as a permanent cost line. Across delivered files it lands as the second-largest operating cost after core payroll, and supervisors read thin compliance budgets in the projections as a finding in themselves.
Costs to budget beyond capital
- Advisory and drafting for the file, scaled to how much exists already.
- Key hires before revenue: compliance officer and MLRO at market salaries, months before authorisation.
- Tooling: chain analytics, screening, transaction monitoring, market surveillance for venues — annual licences that rival a junior salary each.
- Audit and legal standing costs, including the safeguarding-style attestations.
- The supervisor's own fees: application and annual supervision charges, modest individually, permanent collectively.
The licence is the cheapest line in that table. The organisation it obliges you to run is the real price — and the moat, because most of the pre-MiCA registrant population will not pay it.
Questions operators ask
We are registered in one member state — can we keep serving the rest of the EU during transition?
Grandfathering preserves what the national registration allowed, which for most VASP regimes was national activity plus whatever cross-border tolerance existed informally. It does not create a passport. Reverse-solicitation arguments are narrower than most growth teams want them to be, and supervisors have said so publicly.
Do we need MiCA authorisation if we are purely B2B infrastructure?
It depends on whether the activity touches a listed crypto-asset service for clients. Pure technology provision without custody or execution can sit outside the perimeter; the analysis is worth doing formally, because the line runs through product details, not marketing language.
How long does authorisation actually take?
Statutory assessment clocks are short on paper — the regulation contemplates decisions within months of a complete file. The operative word is complete. Realistic end-to-end planning for a prepared applicant is six to twelve months including the completeness rounds, with the variance driven by file quality and the supervisor's queue.
What happens to our Estonian or Lithuanian VASP registration?
It ends with the transition window, after which the entity either holds a CASP authorisation, operates under someone else's as an agent-like arrangement where the model permits, or stops the regulated activity in the EU.
MiCA rewards preparation the way the old regimes rewarded speed. Operators that build the file the way a payment institution would — evidence first, narrative second — are the ones moving through authorisation queues without supervisory ping-pong, and the passport at the end is worth the discipline.
EU VASP entities ready for the MiCA transition
Registered European VASPs with banking and exchange rails in place — operating bases for a CASP authorisation filed from strength.
Editorial disclaimer
This article is general information only and is not legal, regulatory, tax, investment, or financial advice.
Does this change touch your file?
Tell us where you hold or seek permissions and what activities the file covers. We map the update against your authorisation and reply with what it alters, what it leaves alone, and the dates that matter.
Elena Korniets
Elena Korniets leads SKY7 research on crypto, CASP and VASP licensing routes, with a focus on how authorisation scope, custody model, AML governance and local substance change the practical value of a file. Her notes compare national registration regimes with MiCA-era CASP authorisation, highlight where a seller claim needs regulator evidence, and translate technical permissions into buyer diligence questions. She writes for founders, operators and acquisition teams that need to understand whether an exchange, custody, brokerage or token-services model can be supported by the entity being reviewed. Elena pays particular attention to perimeter language, passporting assumptions, safeguarding, outsourcing and the documents a bank or supervisor will expect before onboarding or change-of-control review.
Related licences