MiCA License Explained: CASP Requirements, Authorization Process, and EU Passporting

TL;DR: The EU’s Markets in Crypto-Assets (MiCA) regulation introduces a unified MiCA license for Crypto-Asset Service Providers (CASPs). Any crypto business offering crypto-asset services in the EU will need this authorization to legally operate across all 27 Member States under a single regulatory framework.

Key Requirements: Obtaining a MiCA license means meeting tough compliance standards, including capital requirements (from €50k up to €150k depending on services), governance with “fit and proper” management, complete AML/KYC measures, and stringent security, custody, and risk management frameworks aligned with EU laws like DORA (Digital Operational Resilience Act). 

Authorization Process: Firms must prepare an application package (including a business plan, policies, and internal controls) and submit it to their national regulator (NCA). Regulators have ± 25 working days to check completeness and ~40 days for review, but in practice the licensing process can take 6–12 months, including Q&A rounds. 

EU Passporting: A MiCA license grants passporting rights, allowing CASPs to provide services across the entire EU market without separate national licenses. After authorization, companies can expand cross-border to reach customers in all Member States.

Why Act Now: MiCA’s main provisions took effect in late 2024, with a transitional period until mid-2026 for some existing providers. Early compliance is crucial. Firms that ensure they meet MiCA’s regulatory requirements ahead of competitors will secure a first-mover advantage in the EU’s regulated crypto market. There is a risk of losing market access or facing enforcement action if you delay, such as heavy fines or shutdowns for operating without a license. 

Introduction

The Markets in Crypto-Assets (MiCA) regulation is the European Union’s landmark legal framework for crypto-assets, ushering in a new era of compliance for crypto companies. At its core, MiCA establishes a single authorization regime, often informally referred to as the “MiCA License,” for crypto businesses known as Crypto-Asset Service Providers (CASPs). 

Any company providing crypto-asset services in or from the EU will be required to obtain this license from a national regulator. It is a major shift from the patchwork of national registrations and licenses that existed before. 

Who needs a MiCA license? Why now? In short, any crypto-asset service provider targeting the EU market. This includes exchanges, wallet custodians, brokers, advisors, and other platforms dealing with cryptocurrencies and tokens. MiCA’s rollout (with main rules effective by December 30, 2024) means that such businesses must comply with unified regulations to continue operating. The reason it’s critical right now is that the clock is ticking. New entrants must already be authorized, and existing crypto firms have a limited transition window until mid-2026 to obtain a license. Those who achieve MiCA compliance early not only avoid legal risk but also gain the ability to passport their services across all 27 EU countries, accessing a market of 450+ million people with a single license.

In the sections below, we’ll break down what the MiCA license is, who must obtain it, the core requirements to qualify, the step-by-step licensing process, how EU passporting works, and practical tips to navigate challenges. Let’s dive in.

Note: None of this information should be considered as legal, tax, or investment advice. While we’ve done our best to ensure this information is accurate at the time of publication, laws and practices may change, so make sure to double-check it.  

What Is a MiCA License and Who Needs It?

Under MiCA, a “license” refers to the authorization granted by an EU Member State's regulator to a Crypto-Asset Service Provider (CASP) that allows that firm to operate legally and provide crypto-asset services across the EU. 

This MiCA license is essentially a pan-European regulatory approval: once obtained in one country (the “home” state), it is valid throughout the EU via passporting. Let’s clarify the basics:

Definition of a MiCA License

A MiCA license is the formal authorization issued under the EU’s Markets in Crypto-Assets Regulation, which came into force in 2023 and became applicable to service providers by the end of 2024. 

Technically, MiCA does not use the word “License” in the text, but it requires that any business engaging in crypto-asset services be authorized as a CASP (Crypto-Asset Service Provider) by the National Competent Authority (NCA) of an EU country. In practice, this authorization is colloquially called the MiCA license. It is comparable to other financial licenses in its scope and rigor. The MiCA license signifies that a company has met all regulatory requirements under MiCA, including prudential safeguards and consumer protection measures, and can therefore operate in the regulated EU crypto industry. 

MiCA is a single, harmonized license across Europe. Instead of requiring separate approvals in each country, a single MiCA authorization covers the entire EU market.

Which Companies Are Considered CASPs Under MiCA

MiCA defines a Crypto-Asset Service Provider (CASP) broadly, essentially any legal entity or undertaking that provides one or more crypto-asset services to third parties on a professional/commercial basis. This captures a wide range of crypto businesses. Some examples of companies that fall under the CASP definition and thus need a MiCA license include:

• Cryptocurrency Exchanges. Platforms that enable buying, selling, or swapping of crypto-assets (either for fiat money or other crypto-assets) are CASPs. This covers both centralized exchanges and brokers. Under MiCA, operating an exchange service (either crypto-fiat or crypto-crypto) or a trading platform for crypto-assets is a regulated activity requiring authorization.
• Custodians and Wallet Providers. If a company custodies crypto-assets on behalf of clients (holding private keys and maintaining wallets), it’s a CASP engaged in custody services. Custody providers must meet MiCA’s custody and security standards to obtain a license.
• Crypto Broker-Dealers and Order Execution Services. Firms that execute orders for crypto-assets on behalf of clients or receive and transmit orders (essentially brokerage or dealing services) are considered CASPs.
• Advisory and Portfolio Management Services. Businesses providing investment advice on crypto-assets or portfolio management of crypto portfolios are included. Even if such firms don’t hold client assets themselves, advising on crypto-assets triggers the CASP licensing requirement.
• Crypto-Asset Placement Agents and Transfer Services. MiCA also covers those who place crypto-assets (helping issuers distribute tokens) and those who provide transfer services (transferring crypto-assets on behalf of a client, which could include services akin to crypto payment processors or remittance services). 

In short, any company that intermediates or facilitates crypto transactions or services for users in a business capacity is likely a CASP. 

The regulation lists 10 types of crypto-asset services explicitly, which encompass the common roles in the crypto industry. Notably, MiCA’s scope is focused on services not already covered by existing financial regulations. For example, if a token is a regulated financial instrument, MiFID II rules apply instead. Pure NFT platforms or one-off token issuers might be outside the scope if the assets are unique and non-fungible, but if there’s any doubt, businesses should assume they need authorization unless clearly exempt.

Also, stablecoin issuers are regulated under MiCA, but through a separate process. They aren’t CASPs providing a service to customers, but rather issuers of crypto-assets, which have their own authorization requirements. We’ll touch on that later for clarity, but keep in mind that if your company issues a stablecoin, MiCA will regulate you too, though not under the standard CASP license.

Services Covered by the CASP Authorization

The MiCA regulation enumerates the “crypto-asset services” that require CASP authorization in Article 3(1)(16). If your business performs any of these services in the EU, you must obtain a MiCA license (CASP Authorization). The covered services are:

• Custody and Administration of Crypto-Assets on Behalf of Clients. 
• Operation of a Trading Platform for Crypto-Assets.
• Exchange of Crypto-Assets for Fiat Funds.
• Exchange of Crypto-Assets for Other Crypto-Assets.
• Execution of Orders on Crypto-Assets on Behalf of Clients.
• Placing of Crypto-Assets: Marketing or selling crypto-assets (for an issuer) to investors, e.g., as part of an initial offering or token sale, in a way akin to underwriting or placement of securities.
• Reception and Transmission of Orders for Crypto-Assets.
• Providing Advice on Crypto-Assets.
• Providing Portfolio Management on Crypto-Assets.
• Providing Transfer Services for Crypto-Assets on Behalf of Clients.

If your firm’s activities include any one of the above, you are performing a regulated service under MiCA and thus must be licensed as a CASP. Many crypto businesses engage in multiple of these. 

For a full overview of MiCA’s categories, obligations, and token definitions, read our foundational guide “MiCA and the Main Requirements of the New Crypto Regulatory Framework”.

MiCA CASP Licensing Requirements: Capital, Governance, AML, and Operations

Gaining a MiCA license is far from a rubber-stamp exercise. It entails meeting strict licensing requirements across several domains. The goal is to ensure any authorized CASP operates with sufficient financial soundness, managerial competence, and risk controls to safeguard users and the market. 

MiCA’s requirements for CASPs can be grouped into a few key areas: prudential (capital) requirements; governance and “fit & proper” criteria; AML/KYC obligations; and technical, security, and operational standards. 

Contact AMLBot

Capital Requirements by CASP Type

MiCA introduces prudential capital requirements for CASPs, requiring firms to maintain a minimum capital level at all times. These capital thresholds are set in proportion to the types of services offered, reflecting the risks and potential liabilities associated with those services. According to MiCA’s Article 67 and Annex IV, the base minimum capital levels are:

• €50,000 – for CASPs providing only advisory services. This is the lowest tier, recognizing that pure advisors don’t hold client assets or run trading platforms, so their risk profile is lighter.
• €125,000 – for CASPs operating a trading platform (crypto exchange/marketplace). Running an exchange is considered higher risk, so a higher capital floor is required to ensure resilience.
• €150,000 – for CASPs providing custody or exchange services (and other high-impact services). This top tier applies to those safeguarding client assets or exchanging crypto for fiat/crypto (which includes most full-service exchanges and custodians).

In practice, this covers custody providers, crypto-fiat exchanges, and, likely, portfolio managers or others handling client funds. These figures represent permanent minimum capital, typically in the form of equity or retained earnings, as well as certain high-quality capital instruments. Importantly, the requirement isn’t just to have this capital at startup, but to maintain it continuously.

Governance and “Fit and Proper” Criteria

One of MiCA’s key emphasis areas is the quality of governance in crypto firms. The regulation requires CASPs to have a clear organizational structure and to ensure that those in charge are “fit and proper” to run the business. In practical terms, this means:

• Qualified Management. All members of the CASP’s management body (directors, CEOs, and top executives) must pass a fit-and-proper test conducted by the regulator. 
• Shareholder Suitability. Major shareholders (those with significant stakes, e.g., ≥10% ownership) also need to be of good repute and financially sound. This is to prevent criminals or shadow figures from controlling CASPs. Background checks on ultimate beneficial owners (UBOs) will likely be part of the process.
• Robust Governance Structure. MiCA requires CASPs to establish a governance framework comparable to that of other regulated financial institutions. This includes having a clear organizational structure, defined roles and reporting lines, and independent control functions.
• Internal Policies and Procedures. Part of governance is having documented policies covering key areas, such as risk management, remuneration, conflict of interest, and business continuity. MiCA effectively compels CASPs to follow many “best practices” of corporate governance from traditional finance.
• Fit & Proper Assessments Ongoing: It’s not a one-time thing. CASPs must ensure ongoing compliance with fit-and-proper standards. If there are changes in management or ownership after licensing, additional regulatory approvals might be required. 

In summary, regulators will heavily evaluate the people and governance behind your company. Frame detailed resumes and documentation for each board member and senior manager, highlighting relevant experience. Be honest about any past issues. Hiding negative information is worse than explaining it with mitigating measures. If there are gaps in expertise, consider bringing on seasoned independent directors or advisors.

To understand how MiCA regulates stablecoins and asset-referenced tokens, see our deep-dive analysis “Understanding EU MiCA Regulation: Stablecoins, Compliance Challenges, and Circle Case Study”.

AML/KYC Obligations Under MiCA

Although MiCA itself is primarily a prudential and conduct-of-business regulation, it interlocks with the EU’s broader Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) regime. In fact, once a firm is licensed as a CASP under MiCA, it automatically becomes an “obliged entity” under EU AML laws. This means CASPs must comply with all applicable AML/CFT requirements, just as traditional financial institutions do. Key obligations include:

• Customer Due Diligence (CDD). CASPs must perform KYC (Know Your Customer) checks on their clients, verifying identity, assessing risk, and monitoring for suspicious activity. This includes basic ID collection for all customers and enhanced due diligence (EDD) for higher-risk cases (e.g., clients from high-risk countries or large transactions).
• Ongoing Monitoring. Transactions should be continuously monitored for unusual or suspicious patterns. With crypto, this means implementing blockchain transaction monitoring and screening against sanctions or blacklists. MiCA doesn’t detail this, but EU AML regulations and guidance (including the upcoming AML Regulation and existing AMLD5/6 directives) require it.
• Record-Keeping. CASPs must retain records of customer identification and transactions for at least 5 years, as required by AML laws. This ensures data is available for any investigations.
• Suspicious Activity Reporting. If a CASP detects transactions that may involve money laundering or terrorist financing, they must file Suspicious Transaction Reports (STRs) to the national Financial Intelligence Unit (FIU).
• Travel Rule Compliance (Transfer of Funds Regulation). Critically, the Transfer of Funds Regulation (TFR) now extends the FATF “Travel Rule” to crypto transfers. CASPs must include and exchange originator and beneficiary information with other CASPs when transferring crypto-assets, as in bank wire transfers. For any crypto transfer above EUR 1000 (including self-hosted wallets), CASPs must collect and, if requested, transmit the personal data of the sender and receiver.  
• AML Policies and Training. As part of the licensing process, applicants must submit an internal AML/CFT Policy detailing how they implement these obligations. Regulators will expect it to cover risk assessment, customer onboarding procedures, transaction monitoring, sanctions screening, and related processes. Additionally, CASPs should designate an AML Compliance Officer (which may be mandatory under national laws) and train their staff on AML duties.

Technical, Security, and Custody Requirements

MiCA places heavy emphasis on operational resilience and security, aligning with parallel EU initiatives such as the DORA (Digital Operational Resilience Act). Crypto businesses, often tech startups, will need to meet enterprise-level standards for IT security, data protection, and continuity planning to satisfy regulators. Key requirements in this domain include:

• ICT Risk Management (DORA Compliance). Under MiCA, CASPs are considered financial entities for the purposes of DORA, meaning they must implement robust ICT (Information and Communication Technology) risk management. 
• Custody and Asset Safeguarding Measures. For those holding client crypto-assets, MiCA requires stringent custody arrangements. Client assets (both crypto and fiat) must be segregated from the firm’s own assets. In practice, that means separate crypto wallets for client funds versus company funds, proper bookkeeping segregation, and likely legal arrangements that clarify clients retain ownership. You should have clear procedures for storing private keys and for promptly returning assets to clients upon request. Many regulators will expect detailed descriptions of custody systems and even independent security audits of wallet infrastructure.
• Operational Policies (BCP/DR, etc.). A Business Continuity Plan (BCP) and Disaster Recovery (DR) plan are mandatory. This covers how your business would continue operating if key systems fail or in disaster scenarios, including backup sites, data backups, and recovery time objectives.
• Internal Controls and Risk Management. MiCA obliges CASPs to have internal control mechanisms for operational and security risks. This might include regular system penetration testing, periodic risk assessments, and internal process audits. It also means having clear procedures for handling client complaints, incidents, and errors.
• Insurance and Liability. While not explicitly required under MiCA, many CASPs consider insurance to cover potential losses. Some jurisdictions or regulators might implicitly expect custodians, especially, to demonstrate that client assets have an extra layer of protection.
• Transparency and Disclosure. On the operational side, MiCA also requires fair and transparent client communication. CASPs must provide clear information on fees and the risks associated with their services, and must not mislead customers. This means having proper disclosures on your platform, terms of service, and marketing that isn’t deceptive.

Authorization Process: How to Get a MiCA License Step by Step

It is a multistep journey that requires preparation, interaction with regulators, and careful project management. Below, we outline the general step-by-step process to become an authorized CASP in the EU, from the pre-application phase through final approval.

Preparing the Application Package

Preparation is EVERYTHING. Long before you officially submit an application, you should be assembling a comprehensive application package containing all required documentation. MiCA (in Article 62-63) spells out the contents of an application for a CASP license, and regulators (NCAs) often provide checklists or forms as well.

Key Components: 

1. Application Form and Declarations. Many NCAs will have an official application form to fill in (as referenced by the FMA, for instance). This is typically a questionnaire covering all areas, plus requiring certain signed director declarations.
2. Outsourcing and Partnerships. If you plan to outsource any important function (e.g., using a third-party custodian or an external compliance service), you should provide details and contracts/MoUs. 
3. Operational and Security Infrastructure Description. Prepare documents describing your technical architecture. For example, explain your platform’s components (trading engine, wallet custody system, KYC system, etc.), your cybersecurity measures, and how you will comply with the Travel Rule (TFR) on crypto transfers.
4. Capital Proof and Financials. You need to show evidence that you meet the capital requirements. These could be recent audited financial statements for an existing company or a capital attestation for a new company. If you’re a startup, you might include a bank letter confirming the deposit of the required capital or a shareholders’ resolution to inject capital. Outline your plan for capital maintenance.
5. Internal Policies and Procedures. A full suite of policy documents must be drafted and ready for review. At minimum, regulators will expect: an AML/CFT Policy, a Risk Management Policy, a Conflict of Interest Policy, an Outsourcing/Third-Party Risk Policy (if you outsource any functions), an ICT Security Policy, a Business Continuity/Disaster Recovery Plan, a Custody/Safeguarding of Assets Policy, a Complaint Handling Policy, and possibly an Order Execution Policy (if you execute trades). Each policy should detail procedures and controls in its area. Tailor these to your business. 
6. Organizational Structure & Governance Documents. This includes your company’s legal structure, an organization chart showing key personnel and departments, and information on shareholders. Also include internal governance documents, e.g., Terms of Reference for the Board and any committees, and descriptions of roles such as Compliance Officer.
7. Business Plan / Program of Operations. A detailed description of your planned crypto-asset services, business model, target market, and financial forecasts.

So, compiling this package is a significant effort, often involving hundreds of pages of documentation. It’s wise to assign a project leader (e.g., Chief Compliance Officer or a consultant) to coordinate everything. Make sure you double-check all documents for consistency. A neat, well-organized submission creates a good first impression of a serious, compliant firm.

Submitting the Application to the National Competent Authority (NCA)

Once your dossier is ready, the next step is formal submission to your chosen home country’s NCA – the regulator in the EU Member State where your company is or will be incorporated and has its registered office. Each country has designated an authority for MiCA and typically accepts applications from a specific date onward. For example, some regulators opened applications in late 2024 in anticipation of MiCA’s start date. 

Generally, you’ll need to submit the complete application form and all supporting documents. Expect to pay an application fee as well. Many regulators charge a fee for processing license applications. After submission, the process typically goes as follows:

1. The NCA usually acknowledges receipt of your application, often providing a reference number and, if something obvious is missing, initial feedback.
2. The regulator first examines whether your application file is formally complete. Under MiCA, the NCA has 25 working days to assess completeness. If something is missing or inadequate, they will likely come back with a request for additional information or documents, effectively putting the review on pause until you supply those.
3. If and when the NCA deems your application complete, the official review period starts. They will notify you that the application is complete and under review. From this point, MiCA’s 40-day decision-making clock starts ticking. In theory, the regulator should approve or refuse within that time. However, any time the NCA asks questions or requests more info, the clock stops. 
4. The NCA’s experts will analyze every part of your application. They will likely send you a list of questions or requests for clarification after an initial review pass. This Q&A can go through multiple rounds.
5. Some regulators hold meetings or interviews with applicants during the process. This could be a formal meeting to discuss the business model or even an on-site visit. They might want to meet the CEO, compliance officer, or other key personnel to gauge their competence. In some jurisdictions, a formal “hearing” is part of the process. 
6. Once the NCA has all the information and is satisfied, it will move to a decision. The decision is usually made by a higher committee or board within the authority. If positive, they will issue an authorization decision granting the CASP license, subject to any conditions or restrictions.  If negative, they will issue a refusal letter with reasons.

In conclusion, the entire process from submission to final license can vary widely. While MiCA sets a theoretical ~3-month timeline (25 + 40 working days), the reality seen in other licensing regimes suggests 6 to 12 months is more realistic. 

Timelines, Review Procedure, and Regulator Interactions

As noted, the MiCA framework gives a structured timeline for application review, but in practice, the timeline is often extended by regulator interactions. Here’s what to expect on timing and how to manage the interaction with the NCA:

• Timeline. Optimistically, a well-prepared application might get through in ~4-6 months. More typically, many are forecasting approval in 9–12 months. 
• Regulator Q&A. It is virtually guaranteed that the NCA will send at least one request for additional information. This is normal and doesn’t mean your application is failing. The questions can range from minor clarifications to major concerns.
• Pause and Resume of Clock. When you receive questions, note if the regulator has formally “paused” the review clock. They will frequently say the review is on hold pending your response. Take the time to answer properly. Incomplete answers will just prompt more questions.
• Interactions and Meetings. Regulators might schedule calls or meetings for discussion. Treat these like an important business meeting. Have your team prepared to explain any aspect of the application. It’s common for regulators to focus on perceived weaknesses.  
• Approval with Conditions. Sometimes an NCA may decide to approve, but with certain conditions attached (e.g., “the CASP must not support privacy coins until further notice” or “an on-site inspection will be conducted 6 months after launch”). Be aware that this can happen. Minor conditions are usually acceptable, but ensure you can live with them.
• If Rejected. In the event of a refusal, the firm can typically address the issues and either reapply or appeal the decision. Obviously, we aim to avoid that by careful preparation.

Common Mistakes and Reasons for Delays

Applying for a MiCA license is complex, and several common mistakes can slow down or derail the process.

• Incomplete Or Generic Documentation. Submitting an application with missing documents or templated, non-specific policies is the fastest way to fail the completeness check and trigger endless questions. Use NCA checklists, tailor every policy to your real operations, and get expert help where needed (for example, for ICT or risk policies).
• Underestimating MiCA Requirements. Treating MiCA as “just paperwork” leads to weak governance and half-baked structures (e.g., no real board, all roles concentrated in one founder). Take MiCA seriously, start preparations early, and involve experienced legal and compliance advisors from day one.
• Insufficient Capital And Weak Financial Plan Trying to apply with capital that isn’t actually in place, or with unrealistic financial projections, undermines credibility. Make sure the required capital is available and verifiable, and support it with a realistic, stress-tested business and funding plan.
• Unqualified Or Overstretched Team. If no one on the team has compliance, financial, or risk experience, or if one person is listed as CEO, Compliance Officer, and Risk Manager at once, regulators will push back. Bring in qualified people for key functions, and show a concrete staffing plan rather than “to be hired later”.
• Poor AML/CTF Setup. Vague KYC procedures, no clear transaction monitoring, and no Travel Rule solution are red flags. Implement a solid AML framework before applying, choose appropriate tools, and document your risk scoring, monitoring, and escalation flows in detail.
• Technical And Security Gaps. If you don’t clearly explain how you protect private keys, ensure uptime, and handle cyber risks, expect delays. Involve your CTO/CISO in the application, document architecture, and controls, and consider an independent security assessment.
• Ignoring National Guidance. NCAs often publish guidance, FAQs, and templates. Ignoring them creates avoidable friction. Study your chosen jurisdiction’s instructions and use them as a checklist.
• Bad Timing. Rushing a filing right before a deadline or relying too heavily on the transition period increases the risk of mistakes and running out of time. Existing VASPs should apply early in the transition window; new projects should aim to be licensed before launch.
• Weak Communication With The Regulator. Slow or incomplete responses to RFIs stall the process. Treat regulator questions as ta op priority, answer thoroughly, and proactively ask for more time if you need it.

If you want to compare MiCA authorization with traditional crypto licensing frameworks, read our guide “How to Get a Crypto License for Your Business — A Complete Guide”.

For insights into how national regulators evaluate crypto businesses, see our Estonia-specific analysis “How Not to Lose the Cryptocurrency License in Estonia”.

EU Passporting: How MiCA Enables Cross-Border Operations in All 27 Member States

One of the most powerful features of the MiCA framework is the ability for a licensed CASP to passport its services across the European Union. 

“Passporting” means that a firm authorized in one EU Member State can operate in other member states without requiring separate licenses in each country. This concept, borrowed from other EU financial regulations, effectively creates a single market for crypto services. 

Let’s explore what passporting entails under MiCA and how crypto companies can leverage it to conduct cross-border business effectively.

What Is Passporting and Why Does It Matter

Passporting under MiCA allows a CASP to treat the entire EU as its playground after obtaining one license. 

In practical terms, if you get your MiCA license in Country A (say, France), you can offer your crypto-asset services to customers in Country B (say, Germany), Country C, etc., without getting any additional authorization from those countries. This drastically reduces barriers and duplication of compliance efforts. Prior to MiCA, a crypto exchange might have needed to register separately in each EU country it wanted to serve. Now, with MiCA, there is one harmonized regime.

Notification Procedure Between NCAs

Passporting under MiCA is not entirely automatic. It involves a notification process to ensure regulators are aware of cross-border activity. When you, as a CASP, plan to start offering services in another Member State (outside your home State), you must notify your home regulator (NCA) of your intention to passport. Typically, you’ll provide information such as which services you will offer in the host country, how you will offer them, and maybe the target market segment. The home NCA then communicates this to the host country’s NCA and to ESMA (the European Securities and Markets Authority, which will maintain a central register of CASPs).

It’s important to note that no additional license or authorization is required from host countries, but CASPs must still comply with any local consumer laws or conduct rules. For instance, if a country has specific marketing disclosure requirements or tax reporting obligations, those still apply. Passporting doesn’t exempt you from all local laws. It primarily means no licensing barrier.

Also, if a CASP wants to establish an actual branch office in another country, the notification will include branch details. Branch establishment might require a bit more information and coordination with the host regulator, but still no license. The host NCA might take a bit more interest in a branch, but it cannot block it except under unusual circumstances.

ESMA’s role will be to keep a register of authorized CASPs and their passported activities, which will be publicly available. So if a customer in Italy wants to verify that a French crypto exchange is legitimately authorized and passported to Italy, they can check the ESMA register.

Allowed and Restricted Activities

Under passporting, a CASP is allowed to perform in other Member States only the activities it is authorized to perform under its home license. This means if your MiCA license covers, say, custody and exchange services, you can passport those services abroad, but you cannot start providing a new service abroad that you weren’t authorized to do at home. For example, if you didn’t include advisory service in your original license scope, you can’t suddenly offer investment advice in another country without going back to your home NCA to extend your authorization. So, the passport covers the specific crypto-asset services listed on your authorization.

Another point is that passporting is meant for the services under MiCA. If your business also engages in activities outside MiCA’s scope, those might require separate consideration. For instance, offerings of security tokens in other countries would fall under securities laws, not MiCA passporting. Or if you decide to start offering payment services, you might need a separate payment institution license, which has its own passporting. So the MiCA passport is powerful but limited to MiCA-regulated services.

Allowed activities via passport include servicing clients in other countries, marketing your services, onboarding customers remotely or through local agents, and even setting up a local office or team to support your business. 

The key is you don’t have to get a new license for that local presence, as long as it’s the same legal entity extending its operations.

Although passporting removes licensing barriers, there are a few things to be aware of. 

1. Host countries often insist that any marketing to their consumers is done in the local language and in compliance with local advertising standards. Ensure translations of your app/website and marketing materials are accurate and not misleading.
2. Some host regulators might require notifications when you hit certain milestones just for their info. They may also coordinate supervisory actions via the home regulator if needed.
3. As noted, if you engage in activities such as issuing stablecoins (ART or EMT), that’s a separate regime. An ART issuer authorization or an e-money institution license doesn’t automatically passport under MiCA CASP rules. Though ART/EMT issuance also has EU-wide aspects. Basically, make sure any line of business you expand is covered by some passportable authorization.

Overall, the allowed scope is broad. Essentially, full freedom to provide your licensed services anywhere in the EU. This extends to online services accessible EU-wide and to physically operating in other states. MiCA even simplifies that physical presence is not required in host states at all. You could run everything from one country and still serve the rest remotely.

Key Challenges and Practical Recommendations for CASPs Applying Under MiCA

Transitioning into the MiCA regime and successfully obtaining a license will undoubtedly present challenges. Both new startups and established crypto businesses will need to adapt to meet the high regulatory bar. 

In this section, we discuss key challenges CASPs are likely to encounter when applying under MiCA and provide practical recommendations to improve the chances of a smooth authorization and subsequent compliance.

Compliance Preparation Tips

The breadth of MiCA’s requirements can be overwhelming, especially for startups. Companies might not know where to begin or may underestimate the compliance work needed.

Recommendations:

1. Start Early with a Gap Analysis. Begin by thoroughly reading the MiCA regulation to map out obligations. Conduct a gap analysis comparing each requirement to your current state. Identify areas of major change. E.g., do you have a formal internal control system? If not, that’s a gap to fill. Starting this in advance is crucial. Don’t wait until the last minute. The transition timeline might seem long, but the workload is heavy.
2. Engage Experts or Advisors. If you lack in-house regulatory expertise, consider consulting with legal firms or compliance advisors who specialize in crypto regulation. A brief introductory consultation can highlight blind spots. They can also help interpret provisions and advise how other firms are handling them.
3. Train Your Team. Ensure that key team members (founders, CTO, CFO, etc.) understand what MiCA will require of them. Provide training or workshops on compliance basics, AML responsibilities, and related topics. A more aware team will make fewer mistakes and can contribute to crafting compliant processes.
4. Prioritize Critical Areas. Not all compliance tasks are equal. Focus on high-priority items: capital, governance, and AML. If these core areas are solid, you can refine less critical aspects as you go.
5. Monitor Regulatory Updates: MiCA is a Regulation, but Level 2 technical standards were still being finalized through 2024. Keep an eye on ESMA/EBA releases. They might publish application templates or provide more specific guidance on what to include. Being up to date ensures your application aligns with the latest expectations.
6. Leverage Transitional Period. If you’re an existing VASP with a national registration, use the grandfathering period wisely. Not to procrastinate, but to keep operating while you prepare the MiCA application. Remember, the transitional relief ends at the latest by July 2026, and it doesn’t allow expansion/passporting in the meantime. So apply early in that window.

Documentation and Auditor Expectations

Preparing the full MiCA documentation package is resource-heavy, especially for startups with no prior regulatory experience. Use templates only as a starting point, then customize them to reflect your real operations. Ensure all documents are consistent with one another. If needed, prepare brief explanatory notes to help regulators navigate your files. Involve auditors early, especially for capital verification, financial statements, or IT readiness.

Technical Architecture and Security Gaps

Many crypto firms have strong tech teams but lack formal IT documentation, security controls, or disaster recovery plans. Regulators expect clear system diagrams, explanations of custody mechanisms, cybersecurity measures, access controls, and redundancy. A penetration test or third-party security review helps prove readiness. Highlight how compliance tools are integrated into your architecture.

Avoiding Common Regulatory Red Flags

Regulators look for patterns that signal risk: unclear ownership or offshore structures, unrealistic business claims, weak AML focus, or questionable founders. Ensure full transparency about shareholders, funding sources, governance, and past activities. Avoid marketing hype and clearly acknowledge risks and how you mitigate them. Demonstrate a compliance mindset, not just paperwork, and show long-term operational sustainability, not short-term speculations.

Conclusion: Why Early MiCA Readiness Defines EU Market Success

The introduction of the MiCA license regime represents a significant milestone for the European crypto industry. Compliance and regulatory authorization are no longer optional or an afterthought – they are the ticket to play in the EU’s vast market. As we’ve explored, achieving a MiCA license requires effort and rigor, but it also unlocks tremendous opportunity through passporting and enhanced credibility.

Early MiCA readiness is poised to separate the winners from the laggards. Those crypto companies that anticipate the regulation, invest in strong compliance programs, and secure their licenses early will be positioned to capture market share across Europe. They’ll be able to legally serve customers in multiple countries, form partnerships with traditional financial institutions, and gain the trust of users and investors. A MiCA-authorized CASP can proudly signal that it meets high standards of financial stability, security, and consumer protection, which can be a competitive advantage in a sector that has seen its share of scandals and failures.

By 2025 and especially after 2026, unlicensed operations targeting the EU will face enforcement and a loss of business to licensed competitors. We may also see consolidation. Smaller players might merge or get acquired by those who successfully navigate MiCA. For investors and venture capital in crypto, a key due diligence item will be “Do you have a path to a MiCA license?” —  those without a clear plan might struggle to raise funds.

In conclusion, the MiCA license is a strategic asset. Yes, the journey to authorization is challenging, but the reward is the ability to operate in the world’s largest single market with a framework that ensures fair competition and consumer confidence. The time to get ready is NOW – early movers are likely to be the early winners in the new era of regulated crypto finance.

FAQ