MiCA Licence Requirements for CASPs: Practical Guide
- ASD Labs
- Apr 10
- 18 min read
Updated: Nov 26
~15 min read – A founder-level roadmap to MiCA, PSD2 overlaps, and CASP authorisation across the EU.
This guide explains the EU CASP licensing requirements under MiCA and how they intersect with PSD2, MiFID II, and national supervisory practices.
Jump to
TL;DR – What You Must Have to Qualify
To qualify for a Markets in Crypto‑Assets Regulation (MiCA) licence as a crypto-asset service provider (CASP) in the EU, your business must tick a set of non-negotiable minimum boxes. In short – if you’re serious about playing in this arena, this is your regulatory checklist.
Governance & fit-and-proper personnel
A clear organisational structure with defined reporting lines, internal controls and oversight functions.
Senior management, directors and significant shareholders who meet “fit & proper” criteria – reputationally clean, qualified and equipped to perform.
Presence of local substance in your member state of establishment (for example, EU-resident director, registered office).
Minimum capital / prudential buffer
Capital thresholds depend on your service type – €50k for advisory/execution, €125k for exchange or brokerage, and €150k for custody or trading-platform CASPs.
Additional requirement: own funds must cover whichever is higher between the fixed-overhead test and the service-specific minimum.
Safeguarding & segregation of client assets
If you custody or administer crypto-assets for clients, you must demonstrate how client assets are segregated from your own, how control and return rights are structured.
Systems must exist to protect client assets, including contracts, architecture, record-keeping.
Policies, controls & risk frameworks
AML/KYC/CTF policies, outsourcing policies, incident-response, business continuity and disaster-recovery (including ICT resilience).
Conflicts-of-interest, complaints handling, marketing communications must be clear, fair and not misleading.
Audit readiness & application pack
A robust business plan, programme of operations, financial projections and documentation ready for submission (and audit/inspection afterwards).
Expect ongoing reporting obligations, record-keeping, internal audit and supervisory access.
These MiCA authorisation criteria apply EU-wide, regardless of your base country
For a founder-level readiness self-audit, see MiCA Compliance Checklist: What Founders Must Build Before Applying.
MiCA CASP Licencing Process (Step-by-Step)
Scope services → write down what you actually do for clients (per MiCA service list).
Decide stack → CASP-only or CASP + PSD2 (PI/EMI) if you touch fiat.
Stand up governance & capital → org chart, accountable persons, committees, own funds.
Design safeguarding/segregation → wallet architecture + client money/asset segregation.
Draft core policies → AML/CTF, sanctions, TRF, outsourcing, incidents, complaints, etc.
Assemble application pack → programme of operations (3-year outlook), fit & proper, prudential, ICT/DORA, outsourcing, safeguarding evidence.
Dry-run & evidence → tabletop tests, control walkthroughs, artifacts/screenshots.
Submit & iterate → respond to NCA questions; passport post-authorisation.
Scope Your Services (What You Actually Do for Clients)
Map to MiCA’s service taxonomy (custody, trading platform, exchange for funds/crypto, execution, placing, RTO, advice, portfolio mgmt, transfer). Build a simple matrix: feature → client action → underlying MiCA service. This helps regulators understand exactly which MiCA services you’re performing.
Flag “hidden” services (copy-trading, bots, robo): these can equal advice/portfolio mgmt with higher obligations (suitability, staff competence). Document intent, controls, and who is the “provider.”
Describe flows, not buzzwords: write a 1-page client journey for each service: onboarding → deposit → action → reconciliation → withdrawal → complaint handling.
List dependencies: on-chain networks, custodians, fiat partners, analytics, TRF vendors, cloud – and what happens if they fail (continuity plan).
Choose Path: CASP Only vs CASP + EMI/PI Under PSD2
CASP-only if you never hold/transfer fiat for clients; all value stays crypto-native.
CASP + PSD2 if you store EUR balances, initiate SEPA, issue IBANs, or run off-/on-ramps – typically PI for payments or EMI if you issue e-money/hold fiat.
Partner route: you can launch faster by integrating a licenced PI/EMI – but you still need MiCA for the crypto side, robust outsourcing oversight, and clear SLAs.
Tip: Decide this before drafting policies – the PSD2 layer adds safeguarding, SCA, and reporting specifics you’ll want reflected end-to-end.
Governance, Capital, and Responsible Persons
Substance, not shells: local place of effective management, at least one EU-resident director, no “letter-box” outsourcing. Show real decision-making in-house.
Fit & proper: management/body must be competent (incl. technical crypto understanding), of good repute, with time commitment evidenced; assess shareholders with qualifying holdings. Use the Joint EBA/ESMA suitability criteria.
Key functions & committees: compliance (incl. ML/TF), risk, internal control, info-security/ICT, incident mgmt; document roles, escalation, and independence lines.
Own funds: maintain minimum capital per service class and show prudential risk management (capital planning, wind-down).
Safeguarding & Segregation (Wallet Architecture, Client Money)
Crypto-asset segregation: clients’ assets ring-fenced, never rehypothecated; clearly separate omnibus vs. individual wallets; robust key ceremony, access controls, and reconciliation.
Client fiat (if PSD2 layer): safeguarded at credit institutions or via insurance/guarantees per PSD2/EMI rules; daily reconciliation and segregation statements.
Operational detail: show how deposits move from client → warm/cold → reconciliation → withdrawal; include exception handling and timeliness SLAs.
Deep dive → see MiCA VASP Fund Segregation: Best Practices
Why NCAs care: custody = fiduciary duty; NCAs scrutinise segregation/liability, incident playbooks, and audit trails.
Policies & Controls (AML, TRF, Outsourcing, Incidents)
Governance & conduct: Governance Charter; Conflicts of Interest Policy; Remuneration Principles; Staff Knowledge & Competence framework (training/CPD).
Prudential & risk: ICAAP-lite/Capital Policy; Risk Appetite Statement; Enterprise Risk Register; Business & Wind-Down Plan.
Client asset protection: Custody & Segregation Policy; Key Management Standard; Reconciliation SOP; Withdrawal & Freeze SOP.
AML/CTF & Sanctions: AML Policy; ML/TF Business-wide Risk Assessment; CDD/KYC/KYB Procedures; Transaction Monitoring & Case Mgmt (incl. Travel Rule (TRF)); Sanctions Screening & Escalation; STR/SAR Reporting SOP. (Regulators explicitly stresses ML/TF risk, sanctions, and internal control robustness, read more about a Three-layered TX Monitoring Approach).
Outsourcing & third-party risk: Outsourcing Framework (materiality tests, due diligence, exit/contingency); Register of Outsourced Functions; Cloud & Critical Vendor Oversight (DORA-aligned).
ICT / Operational resilience: Information Security Policy; Access Control & Key/Secrets Mgmt; Change & Release Mgmt; Business Continuity & Disaster Recovery; Major Incident & Breach Response (incl. notification thresholds); Logging/Monitoring. (Align to DORA expectations referenced by NCAs.)
Market-facing: Complaints Handling (MiCA RTS); Disclosures & T&Cs; Marketing & Fair-Communication Standard; Best-execution/Order Handling (where relevant).
Lithuania-specific note: BoL’s expectation letter emphasises high-quality, tailored Lithuanian-language documentation (programme of activities, client-facing docs) and warns against empty-shell setups. Use it as your checklist baseline.
Application Pack & Testing (docs, dry runs, evidence)
What “application pack” means: ESMA’s RTS/ITS under MiCA Art. 62 standardise what you file – e.g., programme of operations (Annex I of RTS includes the – programme of operations template) with a 3-year outlook, governance, and F&P files, prudential info (Annex II covers the financial plan and prudential statements), safeguarding model, outsourcing map, complaints procedures, register inputs for ESMA’s public register.
Why “testing” matters (plain English): your NCA isn’t buying promises; they want proof your controls work.
Do tabletop walk-throughs for high-risk flows (onboarding, deposits/withdrawals, freezes, incident).
Capture evidence: screenshots, audit logs, mock tickets, monitoring alerts, reconciliation reports, vendor SLAs, and board minutes approving frameworks.
Run a TRF end-to-end to show interoperability; record the trace.
Produce a BCP mini-drill (e.g., custodian outage) and outcomes.
Pragmatic bar: keep the dry-runs short but real – 60–90 minutes each, with artifacts attached to the application annex.
Timelines & Indicative Costs (Ranges; Dependencies)
Regulatory clocks (MiCA): NCAs check completeness within 25 working days, then decide within 40 working days of a complete file. Clocks pause if they ask for more info (typically up to 20 working days). Real timelines depend on quality and Q&A rounds.
Reality check: clean, well-evidenced applications commonly land in 4–9 months end-to-end (prep → Q&A → decision), faster for simple scopes, slower for multi-service groups. (ESMA also encourages elevated scrutiny for higher-risk profiles.)
Budgeting (what you’re actually buying) – typical EU ranges we see in market practice:
€10k → “template pack” from fly-by-night shops (usually recycled, light on substance; expect rework).
€45k → bespoke documentation aligned to your model (no PM/leadership).
€70k → docs plus project management (workshops, vendor coordination, Q&A support).
€100k+ – hands-on leadership to decision (design, testing, NCA engagement, remediation cycles; multi-entity/multi-service scope).
Above costs are in addition to €50k - €150k that is necessary as statutory capital, up to €1k for company formation, and any costs necessary to cover management team's compensation.
Timelines and budgets only tell a part of the story – get to knowVASP Market Evolution.
Post‑authorization Obligations (Reporting, Audits, Changes)
These obligations mirror what you committed to during authorisation – now regulators expect them to operate in practice.
Ongoing compliance: you must operate to your authorised scope, maintain minimum own funds, keep controls live, and evidence staff competence (training logs).
Change management: notify/seek approval for material changes (services, outsourcing of critical functions, senior management, qualifying holdings, safeguarding model, tech stack with risk impact). Keep a Regulatory Change Log.
Outsourcing oversight: retain control (no letter-box), assess concentration/geography risk, test exit plans, and keep a current Outsourcing Register.
Complaints & client comms: run MiCA-compliant complaints handling with metrics and board reporting; keep disclosures/ToS aligned with actual operations.
AML/CTF & sanctions: keep BWRA current, re-calibrate TM models, test TRF interoperability, file STRs/SARs, and evidence sanctions screening efficacy.
ICT/DORA resilience: incident thresholds, 24/7 monitoring proportional to risk, DR tests, vulnerability mgmt, and third-party ICT risk oversight.
Reporting & audits: respond to NCA data calls, prudential and governance attestations, and periodic independent reviews (internal audit or external assurance); remediate findings with dated action plans.
Before diving into PSD2 overlaps and national specifics, it’s worth understanding how MiCA fits alongside Europe’s other regulatory pillars – MiFID II and AMLD5.
EU CASP Licensing Requirements: MiCA vs MiFID II vs AMLD5
Many founders confuse which regime applies – MiCA covers crypto, MiFID covers securities, AMLD5 was the old registration-only approach. The following table summarises how MiCA, MiFID II, and AMLD5 differ across scope, obligations, and regulatory outcomes.
Dimension | MiCA (MiCAR) | MiFID II | AMLD5 (VASP) |
Primary scope | Crypto-assets not already regulated as financial instruments; CASP activities (custody, trading platform, exchange crypto↔funds, execution, placing, RTO, advice, portfolio mgmt, transfer). | Investment services in financial instruments (e.g., tokenised equity/bonds/derivatives). If your token is a financial instrument, MiFID II applies.
| Registration-onlyAML/CTF regime for VASPs (pre-MiCA), focused on KYC/AML–not prudential or conduct licensing.
|
Regulatory outcome | Authorisation (licence) as a CASP by an NCA; EU-wide passporting once authorised | Authorisation as an investment firm; passporting across the EU. | Registration with local AML supervisor; no passporting; limited to AML/CTF obligations. |
When you fall in | You perform a listed crypto-asset service and the asset is not a MiFID financial instrument. | Your product involves MiFID financial instruments (incl. tokenised), or you provide investment services (execution, dealing on own account, advice, portfolio mgmt). | You operate pre-MiCA or in contexts still requiring AML registration; you provide VASP services with remuneration. |
Core obligations | Governance, fit & proper, own funds, client-asset safeguarding/segregation, complaints handling, conduct rules, disclosures, outsourcing oversight, ongoing reporting. | Investor protection (suitability/appropriateness, best execution), conduct, organisational requirements, capital, conflicts, product governance, transparency. | AML/CTF programme: BWRA, CDD/KYC/KYB, TM/sanctions, STR/SAR, governance of AML function. |
Key trigger test | What service you provideunder MiCA’s list – whether the token is not a financial instrument. | Is the token a financial instrument? If yes → MiFID II (even if on-chain). | Do you provide VASP services (as defined) and get remunerated? Then registration required. |
Typical use cases | Centralised exchange (non-security tokens); custodial wallet; brokerage/execution for crypto; advice/portfolio mgmt for crypto-assets; transfer service. | Tokenised securities venue/broker; STO platforms; investment advice/portfolio mgmt in security tokens/derivatives. | Legacy/pre-MiCA VASP footprints; jurisdictions still using AMLD5 registration pending full MiCA transition. |
Status / transition | In force; CASP authorisations and ESMA register rolling out; transition from AMLD5 regimes underway at national level. | Long-standing EU regime; unchanged by MiCA–applies in parallel where instruments are financial. | Being superseded for CASPs by MiCA authorisations; remains as AML baseline historically and for non-MiCA contexts. |
Notes that often decide your path (in practice):
If a token meets the MiFID financial instrument test, MiFID II governs the service–even if the token is on-chain; MiCA then does not apply to that instrument/service.
Under MiCA, CASPs must safeguard/segregate client assets and cannot reuse them for own account (e.g., staking on own account is restricted). Expect scrutiny on custody architecture and disclosures.
AML obligations persist across all regimes; the EU Funds/Travel Rule (Reg. 2023/1113) attaches originator/beneficiary info to virtual asset transfers and is enforced alongside MiCA/MiFID.
Once you know which framework governs your asset, the next question is how fiat flows fit in – that’s where PSD2 comes in.
When You Need EMI/PI Under PSD2 (Examples)
MiCA covers crypto-asset services, but it doesn’t touch fiat money.
The moment euros, SEPA transfers, or e-money enter the flow, you’re in PSD2 territory – and you’ll likely need a Payment Institution (PI) or Electronic Money Institution (EMI) licence (or a regulated partner).
You’ll still need MiCA for the crypto component – PSD2 applies in parallel only to fiat services.
Below are practical examples that help founders decide whether a PSD2 layer is required.
Fiat Gateway (On-Ramp / Off-Ramp)
Scenario: You let users buy or sell crypto with euros – via card, SEPA, or bank transfer.
Element | Why PSD2 applies | Typical solution |
Users send EUR → you exchange to crypto | You’re executing payment transactions in fiat | PI licence (payment initiation/execution) |
Users sell crypto → you send them EUR | You’re receiving/holding fiat for clients | PI or EMI, depending on whether you hold balances |
Fiat moves through partner EMI | PSD2 still applies – via the partner’s licence | Partner integration –outsourcing/agent contract |
Decision:
If the fiat ever lands in your account or you move it between users, you need a PI/EMI licence.
If a partner EMI handles all fiat flow and you never touch the funds – document that segregation and oversight carefully.
Custody + Payments (Crypto Wallet with EUR Balance)
Scenario: You run a custodial wallet that also lets users store euros or pay from an integrated fiat balance.
Element | Why PSD2 applies | Typical solution |
Holding client EUR | You’re safeguarding fiat funds | EMI licence (issue e-money / hold funds) |
Transferring between users’ EUR balances | Payment service between clients | EMI licence required |
Using IBANs or SEPA transfers | Accessing payment accounts | EMI or PI (depending on function) |
Decision:
Any feature that allows users to “park” fiat or transfer it under your brand = EMI activity.
Partnering with an existing EMI (Banking-as-a-Service model) can shortcut licensing, but you must still manage operational and compliance risk under MiCA’s outsourcing rules.
Fiat Off-Ramp (Exchange or Settlement Layer)
Scenario: You enable users to withdraw funds from your platform in fiat after selling crypto.
Element | Why PSD2 applies | Typical solution |
You collect fiat proceeds → send to users | You’re executing payments on behalf of clients | PI licence |
You use an EMI to settle payouts | PSD2 applies at partner level | Partner integration + SLA + segregation controls |
Instant withdrawal or stored balance | E-money issuance if you hold fiat before transfer | EMI licence |
Decision:
If you intermediate between the user and the banking system, PSD2 oversight is unavoidable.
NCAs will ask: “Who holds the fiat? Who executes the transfer? Who carries AML risk?” – your documentation must answer that clearly.
Multi-Asset Platform (Crypto + Fiat Accounts)
Scenario: A neobank or super-app lets users hold crypto, fiat, and sometimes stablecoins in the same interface.
Crypto layer: MiCA CASP licence (custody, trading, execution, etc.).
Fiat layer: PSD2 + EMI (hold fiat, issue payment instruments, IBANs).
Bridge layer: Must describe flows, segregation, and reconciliations between fiat/crypto ledgers.
Decision:
Dual licensing (MiCA + EMI) is the norm for this model.
You’ll need two compliance pillars:
MiCA for crypto services
PSD2/EMI for fiat safeguarding, SCA, and payment reporting (EBA Guidelines, RTS SCA & secure communication).
Business model | MiCA | PSD2 (PI/EMI) | Typical structure |
Pure crypto exchange (no fiat) | ✅ | ❌ | CASP-only |
Fiat on/off-ramp | ✅ | ✅ (PI/EMI) | Dual licence or EMI partner |
Crypto + EUR wallet | ✅ | ✅ (EMI) | Dual licence or EMI partner |
Tokenised securities | ❌ (MiFID II) | Possibly (for fiat legs) | Investment firm + PI |
Analytics / DeFi front-end | ❌ | ❌ | Unregulated (case-by-case) |
Founder takeaway:
If money in or out of your platform touches the traditional banking system – expect PSD2.
Plan early whether you’ll build or borrow the licence:
Build: full control, higher cost, longer lead (12–18 months).
Borrow: faster launch, but oversight and dependency risk.
Either way, regulators will ask the same core question:
“Who holds client funds, and under what licence?”
ESMA CASP Register and Transition Timelines (MiCAR)
MiCA gives the EU a single, public source of truth for who’s authorised to provide crypto-asset services – the ESMA CASP Register. It also phases out the old VASP registration model via national transitional regimes. Here’s what you need to know to check counterparts, plan market entry, and avoid operating in regulatory grey zones.
Where to Find the Register; What It Shows
Where it lives: The ESMA Databases and Registers hub hosts the MiCA area (see the ESMA CASP Register) and the public CASP register. ESMA was mandated by Articles 109–110 MiCA to publish a central register of authorised CASPs, crypto-asset white papers, and non-compliant entities (data supplied by NCAs and, for some items, the EBA).
What you can see: At a minimum, the register lists the authorised entity, home supervisor, authorised services, passporting/host states, and related status details. ESMA and EBA materials explicitly note host-state information appears in the register (e.g., for offers/passports).
Grandfathering/Transition Periods and Practical Impacts
Two key dates: MiCA’s CASP provisions apply from 30 December 2024. Member states can allow up to 18 months of transitional operation for pre-existing VASPs – meaning no later than 1 July 2026. During the transition, firms must still comply with national rules and any MiCA-linked expectations their NCA sets.
It’s national – not uniform: Each country sets its own end date inside that 18-month ceiling. Lithuania, for example, confirmed the end of grandfathering on 1 January 2026 (initially earlier, then extended). Plan your pipeline to that hard stop if Lithuania is your base or a key market.
What this means in practice: If you operated under AMLD5/VASP rules before 30 December 2024 and your country granted a transition, you can keep serving clients only until your national deadline or until your MiCA application is decided – whichever comes first.
Clients, banks, and vendors are already using the ESMA register as the trust anchor, so the commercial incentive is to file early and get onto the register, rather than riding the very end of the grace period.
Being on the ESMA register confirms your EU authorisation – but how each country handles supervision still varies in practice.
Once authorised and listed, firms operate under EU passporting rights — yet supervision remains national.
Country Reality Check (EU vs Local Supervisors)
MiCA gives you one EU rulebook–but you’ll still deal with one supervisor at a time.
ESMA sets the guardrails and pushes for convergence, yet national competent authorities (NCAs) retain day-to-day judgment on files, transitional rules, and supervisory style.
In practice, this means two truths can coexist: the legal framework is harmonised, and the path to authorisation still feels different in Paris, Vilnius, Frankfurt, or Luxembourg.
ESMA has issued a supervisory briefing, January 2025, to align NCAs, but it doesn’t erase local interpretation, sectoral risk appetite, or process plumbing (forms, language, completeness checks, Q&A cadence).
EU-wide Framework vs National Practices (What Varies)
Transitional regimes & cross-border use: MiCA lets countries grant up to 18 months of grandfathering to pre-existing VASPs; many chose different lengths (6, 12, or 18 months). During transition, most NCAs restrict firms to operate domestically only–no passporting. Lithuania states this explicitly; ESMA also summarises national choices. Plan to your country’s hard stop, not the EU maximum.
Completeness checks, timelines, and Q&A rhythm: The regulation sets decision clocks, but NCAs differ on what counts as “complete,” on documentary depth for ICT/security, and on how many round-trips they expect with applicants. ESMA is nudging convergence, including on ICT scrutiny, but acknowledges national processes.
Substance & outsourcing stance: Across the EU you must avoid letter-box models. Some NCAs are stricter on local management presence, decision-making, and critical outsourcing (especially cloud/custody). ESMA’s MiCA Q&A also clarifies you can’t use “agents” to deliver CASP services–the third party must itself be a CASP if it provides services. Expect detailed outsourcing registers and control testing.
AML/Travel Rule expectations: AML sits outside MiCA’s prudential core but drives authorisation outcomes. Local supervisory culture varies (e.g., analytics on unhosted-wallet flows or enhanced due diligence triggers). Germany’s practice illustrates higher scrutiny of private-wallet transfers and analytics tooling.
Documentation language & format: All NCAs require the MiCA programme of operations and core policies; some insist on local-language versions for client-facing docs and board artefacts. AMF, BaFin, CSSF and others publish MiCA pages with process specifics; check them early to avoid translation-loop delays.
Market conduct & perimeter guardrails: Several NCAs publish public notes warning against using non-EU execution venues to sidestep MiCA scope or fragment services across entities. If your model relies on “global” pipes, expect questions about how EU clients are protected and which entity is responsible.
Bottom line: MiCA standardises what you must have; your NCA still shapes how you prove it.
Treat the local supervisor like your primary stakeholder: read their MiCA page, align on transition cut-offs, clarify outsourcing and ICT expectations up front, and design your evidence pack to their completeness checklist–not just the regulation.
Among all NCAs, the Bank of Lithuania offers one of the most structured and transparent MiCA processes. Here’s what the Lithuanian path looks like in detail.
Lithuania Spotlight: Documents, Costs, Timelines
If you’re planning to apply in Lithuania, here’s what the process, cost, and pitfalls look like.
Lithuania remains one of the EU’s most pragmatic gateways for crypto businesses – but also one of the most structured and documentation-heavy.
The Bank of Lithuania (Lietuvos bankas, BoL) is the single competent authority under MiCAR Title V, responsible for both authorisation and supervision of CASPs. Its tone is practical but firm: no empty shells, no shortcuts, and no English-only applications.
BoL’s MiCA law transposes the EU framework directly, covering the full CASP service list – custody, trading platforms, exchanges, execution, placing, reception & transmission, advice, portfolio management, and transfer. Lithuania’s transitional period ends on 1 January 2026, meaning every AMLD5-registered VASP must either obtain authorisation or cease MiCA-covered activity by that date.
Need support preparing your MiCA application in Lithuania? Contact ASD Labs for a compliance readiness audit.
Regulator & Scope
BoL supervises through its Markets and Payment Services Department. In practice, you’ll deal with two main channels:
Licensing Division – for MiCA applications, completeness checks, and correspondence.
Supervision Division – for post-authorisation monitoring, incident reports, and ongoing prudential/outsourcing notifications.
The regulator encourages early dialogue and a single, well-structured submission – one that demonstrates governance maturity, operational readiness, and local substance.
Typical Document Set
BoL aligns with MiCAR Article 62(2) and ESMA’s RTS/ITS on CASP authorisation, while layering in Lithuanian-specific expectations. Many core documents must be in Lithuanian or accompanied by certified translations.
Governance & organisation – Programme of Activities (Lithuanian), org chart, board and SMF CVs, fit-and-proper forms, shareholding & source-of-funds proofs.
Prudential & risk – Capital statement, liquidity forecast, wind-down plan, and high-level risk-management framework.
Safeguarding & custody – Wallet architecture (hot/warm/cold), segregation model, key-management SOPs, reconciliation evidence, and fiat-fund safeguarding if relevant.
Compliance & conduct – AML/CFT & BWRA, sanctions/Travel-Rule policies, conflicts, complaints, outsourcing (vendor oversight, right-to-audit, exit plan), ICT/DORA resilience, BCP/DR, and Lithuanian-language client disclosures & T&Cs.
Operational evidence – Vendor list and due-diligence files, sample TM alerts, reconciliation logs, key-ceremony screenshots, and board minutes approving each framework.
BoL repeatedly warns against copy-pasted templates – documentation must tie back to your actual control environment and produce audit-ready artefacts.
Common Pitfalls and How to Avoid Them
Language gap: filing English-only policies where Lithuanian versions are mandatory.
Empty-shell risk: decision-makers abroad, functions outsourced entirely to vendors. BoL wants in-house leadership.
Weak safeguarding: no reconciliations, generic wallet diagrams, or missing key-management evidence.
Opaque ownership: complex shareholder webs or unverified funding sources.
Scope drift: embedding fiat features without a PSD2 strategy (PI/EMI licence or partner).
Each of these usually triggers “clock-stopping” queries during BoL’s completeness check. Address them early.
Timeline & Cost Ranges
Phase | Expected duration | What happens / deliverables |
Preparation & drafting | 1 – 3 months | Gap analysis, governance setup, policy drafting, translations |
Submission & completeness check | ≈ 1 month | BoL acknowledges or requests missing info (25 working-day window) |
Q&A & review | 2 – 6 months | Iterative regulator feedback, evidence uploads, refinements |
Decision & registration | 40 working days from completeness (clock may pause once) | Formal licence decision + ESMA register entry |
Below are indicative market ranges for MiCA project support in Lithuania:
€10k – €20k → “template packs” – cheap, generic, high rewrite risk.
≈ €45k → bespoke policy set + programme of activities.
≈ €70k → full project management and evidence assembly.
€100k + → strategic leadership through to decision (CASP vs CASP + PSD2 path, safeguarding design, dry-runs).
BoL evaluates operational readiness, not paperwork volume. Cheaper templates may check boxes, but they rarely survive regulator scrutiny.
Figures are based on current market practice across Lithuanian advisory firms; official state fees are lower.
Timeline Anchor for Lithuania
Now → Dec 2025: submit a complete, well-evidenced MiCA application and resolve Q&A.
By 1 January 2026: transition ends – if unauthorised, you must cease CASP activities in Lithuania (and lose passporting rights).
In short: prepare early, localise thoroughly, and invest in substance. Lithuania rewards well-organised applicants with predictable timelines – and penalises shortcuts with endless questions.
Conclusion - Build With Regulation, Not Against It
MiCA isn’t just another compliance hurdle – it’s the foundation of a unified European crypto market.
Firms that approach it as paperwork will struggle; firms that treat it as infrastructure will scale faster, partner easier, and survive longer.
In Lithuania and across the EU, regulators are no longer asking whether you comply – they’re assessing how well you operate.
They expect governance that functions, safeguards that can be audited, and documentation that reflects real processes, not borrowed templates.
The takeaway is simple:
Map your services early – know whether you’re pure-crypto (MiCA) or also handling fiat (MiCA + PSD2).
Design for supervision – build traceability into every decision, log, and control.
Invest in substance – local management, clear policies, working safeguards.
See licensing as leverage – not a burden, but a trust signal that opens banks, investors, and markets.
By the time the MiCA transition clocks expire in 2025–2026, the EU will separate firms that merely registered from those that truly operate like financial institutions.
Building with regulation, not against it, is how you end up on the right side of that divide.
Below are the most common founder questions about MiCA licensing – straight answers in one place.
FAQ
What are the MiCA licence requirements for CASPs?
To get authorised as a Crypto-Asset Service Provider (CASP) under MiCA, you must meet EU-wide standards on governance, capital, safeguarding, and compliance. That includes a fit-and-proper management team, minimum own funds (depending on the services offered), segregation of client assets, AML/CTF controls, clear organisational structure, and audited policies for risk, outsourcing, and incident management. Once licenced in one EU country, a CASP can passport its services across the EU
Do I also need an EMI/PI licence under PSD2?
You’ll need a Payment Institution (PI) or Electronic Money Institution (EMI) licence if your crypto business also handles fiat money – for example, SEPA transfers, euro balances, or e-money issuance. MiCA covers crypto-asset services, while PSD2 governs fiat payments. Many platforms operate under both regimes (CASP + EMI/PI) or partner with a licenced EMI to use their payment rails.
Where can I find the ESMA CASP register?
The ESMA CASP Register is published on the European Securities and Markets Authority (ESMA) website under “Databases and Registers → MiCA”. It lists every authorised CASP in the EU, showing their home regulator, authorised services, and passporting countries. Use it to verify a provider’s licence status before onboarding or partnering.
What is MiCAR and how does it relate to MiCA?
MiCAR stands for the Markets in Crypto-Assets Regulation – it’s the full legal text that establishes the MiCA framework. In short, MiCAR is the law, and MiCA licensing is the practical regime it creates. Together they set harmonised rules for crypto-asset issuers and service providers across the EU, replacing fragmented national VASP registrations under AMLD5.
How long does a CASP licence take and what does it cost?
From submission to decision, expect 4 – 9 months for a well-prepared MiCA application. Costs vary widely:
€10k–20k for off-the-shelf templates (usually insufficient),
€45k–70k for bespoke documentation and managed submission,
€100k + for full project leadership through to authorisation.
Timelines depend on the regulator, your readiness, and how often the file goes through Q&A rounds.
Contact ASD Labs to audit your current setup or map your MiCA transition plan.
Comments