This is Part 1 of our "MiCA in Practice" series — a practical guide to the activities that crypto-asset service providers must undertake to achieve and maintain compliance under the Markets in Crypto-Assets Regulation.
MiCA (Regulation (EU) 2023/1114) has been fully applicable since 30 December 2024. The transitional period — during which Member States could allow existing providers to continue operating under national regimes — expired on 1 July 2026 at the latest (with some jurisdictions opting for earlier deadlines). If you are providing crypto-asset services in the EU without a MiCA authorisation, you are now operating unlawfully.
This article walks through the practical steps of obtaining a CASP licence: what to prepare, what national competent authorities (NCAs) look for, and where most applicants stumble.
Step 1: Determine Which Services Require Authorisation
MiCA defines ten categories of crypto-asset services in Article 3(1)(16). Before preparing your application, you must map your current and planned activities against these categories:
1. Custody and administration of crypto-assets on behalf of clients
2. Operation of a trading platform for crypto-assets
3. Exchange of crypto-assets for funds (fiat)
4. Exchange of crypto-assets for other crypto-assets
5. Execution of orders for crypto-assets on behalf of clients
6. Placing of crypto-assets
7. Reception and transmission of orders on behalf of clients
8. Providing advice on crypto-assets
9. Providing portfolio management of crypto-assets
10. Providing transfer services for crypto-assets on behalf of clients
Each service has specific prudential requirements. An exchange platform (services 2–4) faces higher capital requirements (€125,000 minimum own funds) than a provider offering only advice or order reception (€50,000). If you operate multiple services, the highest applicable threshold applies.
Step 2: Prepare the Application Dossier
Article 62 of MiCA specifies the information that must accompany an authorisation application. NCAs have issued supplementary guidance, but the core requirements are consistent across jurisdictions:
Corporate and Governance Documentation
- Articles of association and corporate structure chart
- Identity and CV of all members of the management body, demonstrating good repute and adequate knowledge, skills, and experience (Art. 68)
- Identity and background of shareholders or members with qualifying holdings (10%+)
- Proof of registered office in an EU Member State
- Internal governance arrangements, including conflict-of-interest policies
Business Plan and Financial Projections
- Three-year business plan detailing the services to be provided, target markets, and marketing strategy
- Financial forecasts (income statements, balance sheets, capital adequacy projections)
- Evidence of own funds meeting the applicable threshold (or, alternatively, an insurance policy per Art. 67(2))
Operational and Technical Documentation
- IT systems architecture and cybersecurity arrangements
- Business continuity and disaster recovery plans
- Outsourcing arrangements (including any third-party technology providers)
- Client asset safeguarding procedures (for custody providers)
- Complaints-handling procedure
AML/CFT Programme
- AML/CFT policies and procedures aligned with AMLD6 and the Transfer of Funds Regulation
- Appointment of a designated AML Compliance Officer
- Risk assessment methodology (business-wide and customer-level)
- Transaction monitoring and suspicious activity reporting systems
- Sanctions screening programme
Common Application Gaps
- Weak demonstration of management body's collective crypto expertise — NCAs reject applications where the board lacks verifiable experience in digital assets or financial services
- Generic AML policies not tailored to crypto-specific risks (e.g., mixer exposure, cross-chain laundering, DeFi interactions)
- Missing or inadequate business continuity plans — particularly around private key management and wallet recovery
- Insufficient evidence of operational substance in the home Member State (shell company concerns)
Step 3: The NCA Review Process
Once you submit your application, the NCA has 25 business days to acknowledge receipt and confirm completeness (Art. 63(1)). If the application is incomplete, the NCA will request additional information, and the clock resets.
After acknowledging completeness, the NCA has 40 business days (approximately three calendar months) to issue a fully reasoned draft decision. This period can extend significantly in practice, particularly where:
- The NCA issues requests for information (RFIs) — each RFI typically stops the clock
- The management body assessment requires cross-border verification
- The applicant's AML/CFT programme requires substantive revisions
NCAs typically assign a case officer who will conduct a desk-based review, followed by one or more rounds of clarification meetings. Some jurisdictions (notably France's AMF and Germany's BaFin) have indicated that they expect on-site visits before granting authorisation, particularly for custody and trading platform providers.
Step 4: Post-Authorisation Obligations
Obtaining the licence is not the end — it is the beginning of an ongoing compliance relationship with your NCA. Post-authorisation, CASPs must:
- Notify material changes — any change to the management body, qualifying shareholders, or scope of services requires prior NCA approval or notification (Art. 65)
- Maintain minimum own funds at all times, with regular capital adequacy reporting
- Submit periodic regulatory reports — the content and frequency are defined by ESMA's technical standards and vary by service type
- Cooperate with supervisory inspections — NCAs have the power to conduct on-site inspections, request records, and interview staff
- Report security incidents — under DORA (Regulation (EU) 2022/2554), CASPs must report significant ICT-related incidents to their NCA
How BlockchainAnalysis Strengthens Your Application
NCAs assess not just your policies, but your operational capacity to implement them. Demonstrating that your compliance infrastructure is production-ready — not aspirational — significantly strengthens your application.
BlockchainAnalysis provides the operational backbone that NCAs expect: real-time wallet screening against 297+ sanctions and risk data sources, continuous transaction monitoring across 80+ blockchains, and audit-ready compliance reports that demonstrate your programme is functioning, not just documented. Several CASP applicants have included our platform documentation in their NCA dossiers as evidence of their technical compliance capabilities.
CASP Licensing Checklist
- Map all current and planned services against MiCA's ten CASP categories
- Identify the applicable minimum capital requirement (€50K / €125K / €150K)
- Assemble a management body with demonstrable crypto and financial services expertise
- Draft a three-year business plan with realistic financial projections
- Build a crypto-specific AML/CFT programme (not a generic bank template)
- Prepare IT architecture documentation, including cybersecurity and key management
- Engage with your target NCA early — many offer pre-application guidance
- Budget 3–6 months for the review process, with possible extensions
Next in the series: MiCA in Practice #2 — Building Your AML/KYC Programme, where we cover the practical steps for designing a compliance programme that meets both MiCA and AMLD6 requirements.
BlockchainAnalysis provides the compliance infrastructure that NCAs expect to see in your CASP licence application — from screening to monitoring to audit-ready reporting.