MiCA License Requirements for CASPs: Costs, Process & ESMA Register
- Apr 10, 2025
- 19 min read
Updated: 4 days ago
~16 min read – A practitioner's roadmap to MiCA licensing, PSD2 overlaps, costs, and CASP authorisation across the EU.
This guide explains the EU CASP licensing requirements under MiCA and how they intersect with PSD2, MiFID II, and national supervisory practices.
Jump to
TL;DR – What You Must Have to Qualify
To qualify for a Markets in Crypto‑Assets Regulation (MiCA) licence as a crypto-asset service provider (CASP) in the EU, your business must meet these requirements.
Governance & fit-and-proper personnel
A clear organisational structure with defined reporting lines, internal controls and oversight functions.
Senior management, directors and significant shareholders who meet "fit & proper" criteria – reputationally clean and qualified to oversee a regulated business.
Presence of local substance in your member state of establishment (for example, EU-resident director, registered office).
Minimum capital / prudential buffer
Capital thresholds depend on your service type – €50k for advisory/execution, €125k for exchange or brokerage, and €150k for custody or trading-platform CASPs.
Own funds must be at least the higher of the fixed-overhead requirement or the service-specific minimum.
Safeguarding & segregation of client assets
If you custody or administer crypto-assets for clients, you must demonstrate how client assets are segregated from your own and how control and return rights are structured.
Documented contracts, wallet architecture, and record-keeping to protect client assets.
Policies, controls & risk frameworks
AML/KYC/CTF policies, outsourcing policies, incident-response, business continuity and disaster-recovery (including ICT resilience).
Conflicts-of-interest, complaints handling, and marketing communications policies – clear, fair, and not misleading.
Audit readiness & application pack
A robust business plan, programme of operations, financial projections and documentation ready for submission (and audit/inspection afterwards).
Expect ongoing reporting obligations, record-keeping, internal audit and supervisory access.
These MiCA authorisation criteria apply EU-wide, regardless of your base country. Once licensed, the real test begins – supervisors will assess whether your governance actually operates, not just whether the policies exist on paper.
For a founder-level readiness self-audit, see MiCA Compliance Checklist: What Founders Must Build Before Applying.
MiCA CASP Licencing Process (Step-by-Step)
Scope services → write down what you actually do for clients (per MiCA service list).
Decide your licensing path → CASP-only or CASP + PSD2 (PI/EMI) if you touch fiat.
Stand up governance & capital → org chart, accountable persons, committees, own funds.
Design safeguarding/segregation → wallet architecture + client money/asset segregation.
Draft core policies → AML/CTF, sanctions, TRF, outsourcing, incidents, complaints, etc.
Assemble application pack → programme of operations (3-year outlook), fit & proper, prudential, ICT/DORA, outsourcing, safeguarding evidence.
Dry-run & evidence → tabletop tests, control walkthroughs, artifacts/screenshots.
Submit & iterate → respond to NCA questions; passport post-authorisation.
Scope Your Services (What You Actually Do for Clients)
Map to MiCA's service taxonomy (custody, trading platform, exchange for funds/crypto, execution, placing, RTO, advice, portfolio mgmt, transfer). Build a simple matrix: feature → client action → underlying MiCA service.
Flag "hidden" services (copy-trading, automated execution bots, robo-advisory): these can equal advice/portfolio mgmt
Describe flows, not buzzwords: write a 1-page client journey for each service: onboarding → deposit → action → reconciliation → withdrawal → complaint handling.
List dependencies: on-chain networks, custodians, fiat partners, analytics, TRF vendors, cloud – and what happens if they fail (continuity plan).
Choose Path: CASP Only vs CASP + EMI/PI Under PSD2
CASP-only if you never hold/transfer fiat for clients; all value stays crypto-native.
CASP + PSD2 if you store EUR balances, initiate SEPA, issue IBANs, or run fiat on-ramps or off-ramps – typically PI for payments or EMI if you issue e-money/hold fiat.
Partner route: you can launch faster by integrating a licenced PI/EMI – but you still need MiCA for the crypto side, robust outsourcing oversight, and clear SLAs.
Tip: Decide this before drafting policies – the PSD2 layer adds safeguarding, SCA, and reporting specifics you’ll want reflected end-to-end.
Governance, Capital, and Responsible Persons
Substance, not shells: local place of effective management, at least one EU-resident director, no “letter-box” outsourcing. Show real decision-making in-house.
Fit & proper: management/body must be competent (incl. technical crypto understanding), of good repute, with time commitment evidenced; assess shareholders with qualifying holdings. Use the Joint EBA/ESMA suitability criteria.
Key functions & committees: compliance (incl. ML/TF), risk, internal control, info-security/ICT, incident mgmt; document roles, escalation, and independence lines.
Own funds: maintain minimum capital per service class and show prudential risk management (capital planning, wind-down).
Safeguarding & Segregation (Wallet Architecture, Client Money)
Crypto-asset segregation: clients’ assets ring-fenced, never rehypothecated; clearly separate omnibus vs. individual wallets; robust key ceremony, access controls, and reconciliation.
Client fiat (if PSD2 layer): safeguarded at credit institutions or via insurance/guarantees per PSD2/EMI rules; daily reconciliation and segregation statements.
Operational detail: show how deposits move from client → warm/cold → reconciliation → withdrawal; include exception handling and timeliness SLAs.
Deep dive → see MiCA VASP Fund Segregation: Best Practices
Why NCAs care: custody = fiduciary duty; NCAs scrutinise segregation/liability, incident playbooks, and audit trails.
Policies & Controls (AML, TRF, Outsourcing, Incidents)
Governance & conduct: Governance Charter; Conflicts of Interest Policy; Remuneration Principles; Staff Knowledge & Competence framework (training/CPD).
Prudential & risk: ICAAP-lite/Capital Policy; Risk Appetite Statement; Enterprise Risk Register; Business & Wind-Down Plan.
Client asset protection: Custody & Segregation Policy; Key Management Standard; Reconciliation SOP; Withdrawal & Freeze SOP.
AML/CTF & Sanctions: AML Policy; ML/TF Business-wide Risk Assessment; CDD/KYC/KYB Procedures; Transaction Monitoring & Case Mgmt (incl. Travel Rule (TRF)); Sanctions Screening & Escalation; STR/SAR Reporting SOP. (NCAs stress ML/TF risk, sanctions, and internal control robustness – see our Three-layered TX Monitoring Approach.
Outsourcing & third-party risk: Outsourcing Framework (materiality tests, due diligence, exit/contingency); Register of Outsourced Functions; Cloud & Critical Vendor Oversight (DORA-aligned).
ICT / Operational resilience: Information Security Policy; Access Control & Key/Secrets Mgmt; Change & Release Mgmt; Business Continuity & Disaster Recovery; Major Incident & Breach Response (incl. notification thresholds); Logging/Monitoring. (Align to DORA expectations referenced by NCAs.)
Market-facing: Complaints Handling (MiCA RTS); Disclosures & T&Cs; Marketing & Fair-Communication Standard; Best-execution/Order Handling (where relevant).
Lithuania-specific note: BoL's expectation letter emphasises high-quality, tailored Lithuanian-language documentation (programme of activities, client-facing docs) and warns against empty-shell setups. Use the expectation letter as your checklist baseline. If you're building your application pack from scratch, our MiCA compliance checklist covers the full evidence set..
Application Pack & Testing (docs, dry runs, evidence)
What “application pack” means: ESMA’s RTS/ITS under MiCA Art. 62 standardise what you file – e.g., programme of operations (Annex I of RTS includes the – programme of operations template) with a 3-year outlook, governance, and F&P files, prudential info (Annex II covers the financial plan and prudential statements), safeguarding model, outsourcing map, complaints procedures, register inputs for ESMA’s public register.
Why “testing” matters (plain English): your NCA isn’t buying promises; they want proof your controls work.
Do tabletop walk-throughs for high-risk flows (onboarding, deposits/withdrawals, freezes, incident).
Capture evidence: screenshots, audit logs, mock tickets, monitoring alerts, reconciliation reports, vendor SLAs, and board minutes approving frameworks.
Run a TRF end-to-end to show interoperability; record the trace.
Produce a BCP mini-drill (e.g., custodian outage) and outcomes.
Pragmatic bar: keep the dry-runs short but real – 60–90 minutes each, with artifacts attached to the application annex.
Timelines & Regulatory Clocks
Regulatory clocks (MiCA): NCAs check completeness within 25 working days, then decide within 40 working days of a complete file. Clocks pause if they ask for more info (typically up to 20 working days). Real timelines depend on application quality and the number of Q&A rounds.
Reality check: clean, well-evidenced applications commonly land in 4–9 months end-to-end (prep → Q&A → decision), faster for simple scopes, slower for multi-service groups. (ESMA also encourages elevated scrutiny for higher-risk profiles.)
See [MiCA License Cost](#mica-license-cost) below for the full cost breakdown by jurisdiction and advisory tier.
For broader context on how the market got here, see VASP Market Evolution.
Post‑Authorization Obligations (Reporting, Audits, Changes)
These obligations mirror what you committed to during authorisation – now regulators test whether they actually work.
Ongoing compliance: you must operate to your authorised scope, maintain minimum own funds, keep controls live, and evidence staff competence (training logs).
Change management: notify/seek approval for material changes (services, outsourcing of critical functions, senior management, qualifying holdings, safeguarding model, tech stack with risk impact). Keep a Regulatory Change Log.
Outsourcing oversight: retain operational control, assess concentration/geography risk
Complaints & client comms: run MiCA-compliant complaints handling with metrics and board reporting; keep disclosures/ToS aligned with actual operations.
AML/CTF & sanctions: keep BWRA current, re-calibrate TM models, test TRF interoperability, file STRs/SARs, and evidence sanctions screening efficacy.
ICT/DORA resilience: incident thresholds, 24/7 monitoring proportional to risk, DR tests, vulnerability mgmt, and third-party ICT risk oversight.
Reporting & audits: respond to NCA data calls, prudential and governance attestations, and periodic independent reviews (internal audit or external assurance); remediate findings with dated action plans.
Post-authorisation is where the real operational test begins. For a deeper dive on building the governance layer that survives supervisory scrutiny – decision rights, operating rhythm, named ownership, audit trails, and board-level reporting – see our guide on post-authorisation operational governance.
EU CASP Licensing Requirements: MiCA vs MiFID II vs AMLD5
The following table clarifies where MiCA, MiFID II, and AMLD5 overlap and diverge – and which regime applies to your business.
Dimension | MiCA (MiCAR) | MiFID II | AMLD5 (VASP) |
Primary scope | Crypto-assets not already regulated as financial instruments; CASP activities (custody, trading platform, exchange crypto↔funds, execution, placing, RTO, advice, portfolio mgmt, transfer). | Investment services in financial instruments (e.g., tokenised equity/bonds/derivatives). If your token is a financial instrument, MiFID II applies.
| Registration-onlyAML/CTF regime for VASPs (pre-MiCA), focused on KYC/AML–not prudential or conduct licensing.
|
Regulatory outcome | Authorisation (licence) as a CASP by an NCA; EU-wide passporting once authorised | Authorisation as an investment firm; passporting across the EU. | Registration with local AML supervisor; no passporting; limited to AML/CTF obligations. |
When you fall in | You perform a listed crypto-asset service and the asset is not a MiFID financial instrument. | Your product involves MiFID financial instruments (incl. tokenised), or you provide investment services (execution, dealing on own account, advice, portfolio mgmt). | You operate pre-MiCA or in contexts still requiring AML registration; you provide VASP services with remuneration. |
Core obligations | Governance, fit & proper, own funds, client-asset safeguarding/segregation, complaints handling, conduct rules, disclosures, outsourcing oversight, ongoing reporting. | Investor protection (suitability/appropriateness, best execution), conduct, organisational requirements, capital, conflicts, product governance, transparency. | AML/CTF programme: BWRA, CDD/KYC/KYB, TM/sanctions, STR/SAR, governance of AML function. |
Key trigger test | What service you provideunder MiCA’s list – whether the token is not a financial instrument. | Is the token a financial instrument? If yes → MiFID II (even if on-chain). | Do you provide VASP services (as defined) and get remunerated? Then registration required. |
Typical use cases | Centralised exchange (non-security tokens); custodial wallet; brokerage/execution for crypto; advice/portfolio mgmt for crypto-assets; transfer service. | Tokenised securities venue/broker; STO platforms; investment advice/portfolio mgmt in security tokens/derivatives. | Legacy/pre-MiCA VASP footprints; jurisdictions that used AMLD5 registration pending full MiCA transition. |
Status / transition | In force; several hundred CASPs authorised and listed on the ESMA register (check register for current count). National transitions from AMLD5 largely complete. | Long-standing EU regime; unchanged by MiCA–applies in parallel where instruments are financial. | Superseded for CASPs by MiCA authorisations. Remains as the historical AML baseline for non-MiCA contexts. |
What decides your path in practice:
If a token meets the MiFID financial instrument test, MiFID II governs the service – even if the token is on-chain; MiCA then does not apply to that instrument/service.
Under MiCA, CASPs must safeguard/segregate client assets and cannot reuse them for own account (e.g., staking on own account is restricted). Expect scrutiny on custody architecture and disclosures.
AML obligations persist across all regimes; the EU Funds/Travel Rule (Reg. 2023/1113) attaches originator/beneficiary info to virtual asset transfers and is enforced alongside MiCA/MiFID.
Once you know which framework governs your asset, the next question is how fiat flows fit in – that’s where PSD2 comes in.
When You Need EMI/PI Under PSD2 (Examples)
MiCA covers crypto-asset services, but it doesn’t touch fiat money.
The moment euros, SEPA transfers, or e-money enter the flow, you’re in PSD2 territory – and you’ll likely need a Payment Institution (PI) or Electronic Money Institution (EMI) licence (or a regulated partner).
You’ll still need MiCA for the crypto component – PSD2 applies in parallel only to fiat services.
Below are practical examples to determine whether a PSD2 layer is required.
Fiat Gateway (On-Ramp / Off-Ramp)
Scenario: You let users buy or sell crypto with euros – via card, SEPA, or bank transfer.
Element | Why PSD2 applies | Typical solution |
Users send EUR → you exchange to crypto | You’re executing payment transactions in fiat | PI licence (payment initiation/execution) |
Users sell crypto → you send them EUR | You’re receiving/holding fiat for clients | PI or EMI, depending on whether you hold balances |
Fiat moves through partner EMI | PSD2 still applies – via the partner’s licence | Partner integration –outsourcing/agent contract |
Decision:
If the fiat ever lands in your account or you move it between users, you need a PI/EMI licence.
If a partner EMI handles all fiat flow and you never touch the funds – document that segregation and oversight carefully.
Custody + Payments (Crypto Wallet with EUR Balance)
Scenario: You run a custodial wallet that also lets users store euros or pay from an integrated fiat balance.
Element | Why PSD2 applies | Typical solution |
Holding client EUR | You’re safeguarding fiat funds | EMI licence (issue e-money / hold funds) |
Transferring between users’ EUR balances | Payment service between clients | EMI licence required |
Using IBANs or SEPA transfers | Accessing payment accounts | EMI or PI (depending on function) |
Decision:
Any feature that allows users to “park” fiat or transfer it under your brand = EMI activity.
Partnering with an existing EMI (Banking-as-a-Service model) can shortcut licensing, but you must still manage operational and compliance risk under MiCA’s outsourcing rules.
Fiat Off-Ramp (Exchange or Settlement Layer)
Scenario: You enable users to withdraw funds from your platform in fiat after selling crypto.
Element | Why PSD2 applies | Typical solution |
You collect fiat proceeds → send to users | You’re executing payments on behalf of clients | PI licence |
You use an EMI to settle payouts | PSD2 applies at partner level | Partner integration + SLA + segregation controls |
Instant withdrawal or stored balance | E-money issuance if you hold fiat before transfer | EMI licence |
Decision:
If you intermediate between the user and the banking system, PSD2 oversight is unavoidable.
NCAs will ask: “Who holds the fiat? Who executes the transfer? Who carries AML risk?” – your documentation must answer that clearly.
Multi-Asset Platform (Crypto + Fiat Accounts)
Scenario: A neobank or super-app lets users hold crypto, fiat, and sometimes stablecoins in the same interface.
Crypto layer: MiCA CASP licence (custody, trading, execution, etc.).
Fiat layer: PSD2 + EMI (hold fiat, issue payment instruments, IBANs).
Bridge layer: Must describe flows, segregation, and reconciliations between fiat/crypto ledgers.
Decision:
Dual licensing (MiCA + EMI) is the norm for this model.
You’ll need two compliance pillars:
MiCA for crypto services
PSD2/EMI for fiat safeguarding, SCA, and payment reporting (EBA Guidelines, RTS SCA & secure communication).
Business model | MiCA | PSD2 (PI/EMI) | Typical structure |
Pure crypto exchange (no fiat) | ✅ | ❌ | CASP-only |
Fiat on/off-ramp | ✅ | ✅ (PI/EMI) | Dual licence or EMI partner |
Crypto + EUR wallet | ✅ | ✅ (EMI) | Dual licence or EMI partner |
Tokenised securities | ❌ (MiFID II) | Possibly (for fiat legs) | Investment firm + PI |
Analytics / DeFi front-end | ❌ | ❌ | Unregulated (case-by-case) |
Takeaway:
If money in or out of your platform touches the traditional banking system – expect PSD2.
Plan early whether you’ll build or borrow the licence:
Build: full control, higher cost, longer lead (12–18 months).
Borrow: faster launch, but oversight and dependency risk.
Either way, regulators will ask the same core question:
“Who holds client funds, and under what licence?”
MiCA License Cost: What to Budget For
Total MiCA licensing cost depends on three variables: jurisdiction, service scope, and how much you build in-house versus outsource. Here's the breakdown.
Application Fees (Paid to the NCA)
NCA application fees are the smallest line item. Ranges vary by jurisdiction:
Lithuania (BoL): ~€1,000–€3,000 depending on service
Germany (BaFin): higher, fee schedule linked to service complexity
France (AMF): variable by category
Netherlands (AFM): published fee schedule, typically €2,000–€5,000
NCA fees change – check the regulator's website directly rather than relying on published figures.
Minimum Capital (Regulatory Requirement)
MiCA Article 67 sets own-funds requirements by service type:
Service category | Minimum own funds |
Advisory, execution, placing, RTO | €50,000 |
Exchange, brokerage | €125,000 |
Custody, trading platform operation | €150,000 |
Own funds must be at least the higher of the service-specific minimum or the fixed-overhead requirement (1/4 of prior-year fixed overheads). This is capital you must hold permanently – not a one-off application fee.
Professional & Legal Fees (The Largest Variable)
This is where costs diverge dramatically. Typical EU ranges based on current market practice:
Tier | What you get | Typical range |
Template pack | Recycled docs, light on substance; expect rework and NCA pushback | €10k–€20k |
Bespoke documentation | Policies and programme of activities tailored to your model (no PM/leadership) | ~€60k |
Managed submission | Docs + project management, workshops, vendor coordination, Q&A support | ~€90k |
Strategic leadership to decision | Full design, testing, NCA engagement, remediation cycles; multi-entity/multi-service scope | €120k+ |
Ongoing Annual Cost (Post-Licence)
Licensing costs are only the first layer. Ongoing compliance costs for a small-to-mid CASP:
Compliance officer / MLRO: €60k–€120k/year (in-house or outsourced function)
External auditor: €10k–€30k/year
Transaction monitoring & analytics tools: €15k–€50k/year
Regulatory reporting, training, policy updates: €10k–€30k/year
Rough total ongoing budget: €80k–€200k/year, depending on team structure and service complexity
A Note on Jurisdiction Arbitrage
Cheaper to apply in one jurisdiction does not mean cheaper to operate under MiCA. Passporting extends your licence across the EU, but your home NCA remains your supervisor – and their expectations follow you. Choose jurisdiction based on NCA capacity, expertise, and processing times – not just fee levels.
MiCA License List: ESMA Register, Current Data & How to Use It
MiCA gives the EU a single, public source of truth for who's authorised to provide crypto-asset services – the ESMA CASP Register. It replaced the fragmented national VASP registration model under AMLD5.
What Happened: The Transition Is Over
The MiCA transition period (grandfathering) allowed former VASPs to continue operating under national registration while their MiCA applications were processed. Most EU member states set their deadline for 30 December 2024, with some extending to mid-2025 or – in a few cases – as late as 1 July 2026 (the MiCA maximum). For the majority of jurisdictions, that window is now closed.
The result: entities that applied and received MiCA authorisation are on the ESMA register. Entities that did not apply, were refused, or withdrew have exited the EU market – or are operating illegally. The market went from 11,000+ registered VASPs to 378 licensed CASPs. That contraction is not a failure of the system – it's the system working as designed.
For the full history of the VASP-to-CASP transition, see our VASP market evolution post.
Who Holds a MiCA License Today
As of 12 March 2026, 378 entities hold a MiCA CASP authorisation across 20 EU/EEA jurisdictions.
Jurisdiction | NCA | Licenced CASPs |
Germany | BaFin | 51 |
the Netherlands | AFM | 27 |
France | AMF | 13 |
Malta | MFSA | 13 |
Cyprus | CySEC | 11 |
Ireland | CBI | 11 |
Austria | FMA | 9 |
Czech Republic | CNB | 7 |
Slovakia | NBS | 7 |
Spain | CNMV | 5 |
Finland | FIN-FSA | 5 |
Liechtenstein | FMA | 5 |
Luxembourg | CSSF | 5 |
Lithuania | BoL | 4 |
Denmark | Finanstilsynet | 3 |
Slovenia | ATVP | 3 |
Latvia | Latvijas Banka | 2 |
Belgium | NBB | 1 |
Bulgaria | FSC | 1 |
Sweden | Finansinspektionen | 1 |
Germany leads with 51 licensed CASPs, followed by the Netherlands (27) and France (13). Lithuania's drop from 300+ VASPs to 4 licensed CASPs is the starkest example of the transition's impact – see the Lithuania Spotlight below.
How to Use the Register
The ESMA CASP register is published as a downloadable CSV at the ESMA Databases and Registers hub under the MiCA section. The direct CSV link: https://www.esma.europa.eu/sites/default/files/2024-12/CASPS.csv
Key columns in the CSV:
ae_lei_name / ae_commercial_name: Legal and trading names
ae_homeMemberState: Home jurisdiction (NCA that issued the licence)
ac_serviceCode: Which MiCA services the entity is authorised for
ac_serviceCode_cou: Passporting – which countries the entity can serve
ac_authorisationNotificationDate: When the licence was granted
Practical note: The register is the authoritative source. Third-party lists (news articles, crypto industry trackers, "top 10 MiCA exchanges" blog posts) are often outdated within weeks. Always go to the ESMA register directly to verify a counterparty's licence status before onboarding or partnering.
What the Register Shows – and What It Doesn't
What you can see: Authorised entity, home supervisor, authorised services, passporting/host states, and authorisation date. Under Articles 109–110, the register also covers crypto-asset white papers and non-compliant entities.
What it doesn't show: Pending applications, firms in the Q&A phase, or entities that were refused or withdrew. It also does not show compliance quality, supervisory findings, or enforcement actions – only that a licence was granted and (so far) not revoked.
Being on the register is the minimum – not a quality stamp. It confirms the NCA reviewed the application and granted authorisation. How well the firm operates post-licence is a separate question – and the one supervisors are now focused on.
Country Reality Check: EU vs Local Supervisors
MiCA gives you one EU rulebook – but you'll still deal with one supervisor at a time. ESMA sets the guardrails and pushes for convergence, yet national competent authorities (NCAs) retain day-to-day judgment on files, transitional rules, and supervisory style. In practice, this means two truths coexist: the legal framework is harmonised, and the path to authorisation still feels different in Paris, Vilnius, Frankfurt, or Luxembourg.
ESMA issued a supervisory briefing in January 2025 to align NCAs, but it doesn't erase local interpretation, sectoral risk appetite, or process plumbing (forms, language, completeness checks, Q&A cadence).
Jurisdiction Comparison
Jurisdiction | Transition status | Key Characteristics |
Germany | Completed | Largest CASP count. Strong banking-sector participation. Higher scrutiny on ICT/DORA, AML analytics, and private-wallet transfers. German-language requirements for many documents. |
the Netherlands | Complete | Institutional-heavy. AMF was an early mover with its DASP regime pre-MiCA. French-language requirements for client-facing docs. |
France | Complete | Institutional-heavy. AMF was an early mover with its DASP regime pre-MiCA. French-language requirements for client-facing docs. |
Malta | Complete | Preferred by major global exchanges. MFSA has experience from its earlier VFA framework. |
Cyprus | Complete | Large financial services ecosystem. Strong focus on conduct of business and cross-selling risks. |
Ireland | Complete | Pragmatic but thorough. English-language jurisdiction – attractive for US-origin firms. |
Luxembourg | Complete | Deep fund and securities infrastructure. Preferred by firms seeking institutional credibility. |
Lithuania | Complete | Formerly the EU's largest VASP hub. Structured, documentation-heavy process. See Lithuania Spotlight below. |
What Still Varies in Practice
Completeness checks, timelines, and Q&A rhythm: The regulation sets decision clocks, but NCAs differ on what counts as "complete," on documentary depth for ICT/security, and on how many round-trips they expect with applicants. ESMA is nudging convergence, including on ICT scrutiny, but acknowledges national processes.
Substance & outsourcing stance: Some NCAs are stricter than others on local management presence, decision-making, and critical outsourcing (especially cloud/custody). ESMA's MiCA Q&A clarifies you can't use "agents" to deliver CASP services – the third party must itself be a CASP if it provides services. Expect detailed outsourcing registers and control testing.
Bottom line: MiCA standardises what you must have; your NCA still shapes how you prove it. Treat the local supervisor like your primary stakeholder: read their MiCA page, clarify outsourcing and ICT expectations up front, and design your evidence pack to their completeness checklist – not just the regulation.
If you're still designing your entity structure and licensing path, see our guide on building a regulated crypto operating model.
Lithuania is ASD Labs' home market – here's what the path looks like in detail.
Lithuania Spotlight: Documents, Costs, Timelines
Lithuania has a structured and documentation-heavy licensing process – and a track record as one of Europe's largest VASP hubs before MiCA. The Bank of Lithuania (Lietuvos bankas, BoL) is the single competent authority under MiCAR Title V, responsible for both authorisation and supervision of CASPs. Its tone is practical but firm.
BoL's MiCA law covers the full CASP service list. Lithuania's transitional period ended on 1 January 2026 – every AMLD5-registered VASP that did not obtain authorisation by that date had to cease MiCA-covered activity. Of the 300+ entities previously registered, only 4 hold MiCA CASP licences today.
Regulator & Scope
BoL supervises through its Markets and Payment Services Department. In practice, you’ll deal with two main channels:
Licensing Division – for MiCA applications, completeness checks, and correspondence.
Supervision Division – for post-authorisation monitoring, incident reports, and ongoing prudential/outsourcing notifications.
The regulator encourages early dialogue and a single, well-structured submission – one that demonstrates governance maturity, operational readiness, and local substance.
Typical Document Set
BoL aligns with MiCAR Article 62(2) and ESMA’s RTS/ITS on CASP authorisation, while layering in Lithuanian-specific expectations. Many core documents must be in Lithuanian or accompanied by certified translations.
Governance & organisation – Programme of Activities (Lithuanian), org chart, board and SMF CVs, fit-and-proper forms, shareholding & source-of-funds proofs.
Prudential & risk – Capital statement, liquidity forecast, wind-down plan, and high-level risk-management framework.
Safeguarding & custody – Wallet architecture (hot/warm/cold), segregation model, key-management SOPs, reconciliation evidence, and fiat-fund safeguarding if relevant.
Compliance & conduct – AML/CFT & BWRA, sanctions/Travel-Rule policies, conflicts, complaints, outsourcing (vendor oversight, right-to-audit, exit plan), ICT/DORA resilience, BCP/DR, and Lithuanian-language client disclosures & T&Cs.
Operational evidence – Vendor list and due-diligence files, sample TM alerts, reconciliation logs, key-ceremony screenshots, and board minutes approving each framework.
BoL warns against copy-pasted templates – documentation must produce audit-ready artefacts.
Common Pitfalls and How to Avoid Them
Language gap: filing English-only policies where Lithuanian versions are mandatory.
Empty-shell risk: decision-makers abroad, functions outsourced entirely to vendors. BoL wants in-house leadership.
Weak safeguarding: no reconciliations, generic wallet diagrams, or missing key-management evidence.
Opaque ownership: complex shareholder webs or unverified funding sources.
Scope drift: embedding fiat features without a PSD2 strategy (PI/EMI licence or partner).
Each of these usually triggers “clock-stopping” queries during BoL’s completeness check. Address them early.
Timeline & Cost Ranges
Phase | Expected duration | What happens / deliverables |
Preparation & drafting | 1 – 3 months | Gap analysis, governance setup, policy drafting, translations |
Submission & completeness check | ≈ 1 month | BoL acknowledges or requests missing info (25 working-day window) |
Q&A & review | 2 – 6 months | Iterative regulator feedback, evidence uploads, refinements |
Decision & registration | 40 working days from completeness (clock may pause once) | Formal licence decision + ESMA register entry |
Advisory fee ranges for Lithuania mirror the EU-wide tiers in the MiCA License Cost section above (€10k–€120k+ depending on scope). The Lithuania-specific variable: BoL's insistence on Lithuanian-language documentation and operational evidence adds translation and localisation costs that other jurisdictions may not require.
BoL evaluates operational readiness, not paperwork volume. Cheaper templates may check boxes, but they rarely survive regulator scrutiny.
In short: localise thoroughly, and invest in substance. Lithuania rewards well-organised applicants with predictable timelines – and penalises shortcuts with endless questions.
Conclusion - Build With Regulation, Not Against It
MiCA replaced 27 national registration regimes with a single authorisation standard. The market has contracted accordingly – and regulators are no longer asking whether you comply. They're testing how well you operate.
What matters now:
Map your services and licensing path early – CASP-only or CASP + PSD2.
Design for supervision from day one – traceability in every decision, log, and control.
Invest in substance – local management, working safeguards, documentation that reflects your actual control environment.
The licence is what gets you bank accounts, institutional counterparties, and passporting. Treat the application as the foundation for all of those.
Getting the MiCA licence is the beginning, not the end. For what comes next – the operational governance that supervisors will test after you're authorised – see our guide on [post-authorisation operational governance](/post/mica-compliance-operational-governance).
FAQ
How do you get a MiCA license?
Apply to the national competent authority (NCA) in your chosen EU member state. The application requires: a detailed business plan, governance documentation (board, MLRO, risk manager), minimum capital (€50k–€150k depending on services), AML/CTF programme, safeguarding arrangements, IT security documentation, and evidence of operational readiness. Processing times vary by NCA – typically 3–6 months once the file is complete, but total elapsed time including preparation is usually 9–18 months. See the step-by-step process above.
How many companies have a MiCA license?
As of 12 March 2026, 378 entities are listed on the ESMA CASP register across 20 EU/EEA jurisdictions. This is a fraction of the 11,000+ VASPs registered across the EU before MiCA – most either did not apply, withdrew, or were refused. The register is updated regularly and is the authoritative source: check the [ESMA CASP register for the current count.
Which crypto exchanges are MiCA compliant?
MiCA-compliant exchanges are those holding a CASP authorisation from an EU NCA and listed on the ESMA register. See the Notable Licensed Entities table and ESMA register link above for the current list. Compliance status is not self-declared – it requires authorisation, not marketing claims.
What are the requirements for a CASP under MiCA?
Key requirements under MiCA Title V: legal entity established in the EU, minimum own funds (€50k–€150k depending on services), fit-and-proper governance (management body, MLRO, compliance officer), AML/CTF programme, client asset safeguarding, conflicts of interest policy, complaints handling, outsourcing governance, and ICT security under DORA overlap. Post-authorisation, you must maintain these requirements on an ongoing basis – not just at application.
How much does a MiCA license cost?
Total cost depends on jurisdiction, services, and readiness. Application fees to NCAs: €1,000–€5,000 (varies widely). Legal and advisory fees: typically €30k–€120k+ for a full application. Minimum capital: €50k–€150k depending on services. Ongoing compliance costs: €80k–€200k/year. Lithuania is often cited as a cost-efficient jurisdiction, but adviser fees are the largest variable regardless of country. See our detailed [MiCA License Cost breakdown above.
What is the difference between VASP and CASP?
VASP (Virtual Asset Service Provider) was a registration category under AMLD5, primarily focused on AML/CTF compliance. CASP (Crypto-Asset Service Provider) is the MiCA authorisation category – a full regulatory licence with capital requirements, governance obligations, conduct rules, and ongoing supervision. Former VASPs operating in the EU had to transition to CASP status by the end of the transitional period (December 2024 for most jurisdictions). Most did not make it – see the MiCA license list for current numbers.
What is the MiCA transitional period?
MiCA included a grandfathering provision allowing existing VASPs to continue operating under national registration while seeking MiCA authorisation. The length varied by member state – most set deadlines for 30 December 2024, with some extending to mid-2025 or as late as 1 July 2026. For the majority of jurisdictions, that period is now closed. Entities without MiCA authorisation must cease regulated activity in the EU.
Comments