
MiCA Compliance Checklist for CASPs

2026-04-18 · Web3 Compliance AI

MiCA Overview

The Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) establishes a comprehensive framework for crypto-asset issuers and service providers across the European Union. Title V governs Crypto-Asset Service Providers (CASPs). The CASP provisions apply from December 30, 2024, so authorization is mandatory from that date, subject to transitional provisions that vary by member state.

MiCA is administered by National Competent Authorities (NCAs) in each member state — including BaFin (Germany), AMF (France), CNMV (Spain), CBI (Ireland), AFM (Netherlands), and others — with supervisory coordination from ESMA (European Securities and Markets Authority) and stablecoin oversight from the EBA (European Banking Authority).

Key advantage: Once authorized in one EU member state, a CASP benefits from passporting rights to operate across all 27 EU member states. The CASP notifies its home NCA, which forwards the notification to the host state NCA; no additional authorization is required in the host state.

Understanding CASP Service Categories

Before applying, you must identify exactly which services you provide. MiCA defines ten CASP service types, each with specific requirements:

#    Service                                              Minimum own funds   Description
1    Custody and administration                           EUR 125,000         Safekeeping or controlling crypto-assets on behalf of clients
2    Operation of a trading platform                      EUR 150,000         Managing a multilateral system for crypto-asset trading
3    Exchange of crypto-assets for funds                  EUR 125,000         Buying/selling crypto-assets for fiat currency
4    Exchange of crypto-assets for other crypto-assets    EUR 125,000         Crypto-to-crypto exchange services
5    Execution of orders on behalf of clients             EUR 50,000          Concluding agreements to buy/sell crypto-assets on behalf of clients
6    Placing of crypto-assets                             EUR 50,000          Marketing newly issued crypto-assets to buyers
7    Reception and transmission of orders                 EUR 50,000          Receiving and passing on client orders to another provider
8    Providing advice on crypto-assets                    EUR 50,000          Personalized recommendations on crypto-asset transactions
9    Providing portfolio management                       EUR 50,000          Managing portfolios of crypto-assets on a discretionary basis
10   Providing transfer services                          EUR 50,000          Transferring crypto-assets on behalf of clients

The amounts follow the three classes in MiCA Annex IV: Class 1 (EUR 50,000) covers execution, placing, reception and transmission, advice, portfolio management, and transfer services; Class 2 (EUR 125,000) adds custody and the two exchange services; Class 3 (EUR 150,000) adds operation of a trading platform.

Note: If you provide multiple services, the highest class applies. Under Article 67 the required prudential safeguard is the higher of the Annex IV minimum and one quarter of the previous year's fixed overheads, and it may be held as own funds, an insurance policy, or a combination of the two. Some NCAs may also require capital above these minimums based on their assessment of your risk profile.

Pre-Application Phase

Regulatory Strategy

  • Identify all applicable CASP services — Map each product feature to MiCA's ten service categories. A single platform may require authorization for multiple services (e.g., exchange + custody + order execution).
  • Select your home member state — This determines your NCA. Consider:
    • Regulatory capacity and processing speed (BaFin, AMF, and CBI have been among the most active)
    • Local language requirements for the application
    • NCA fees and ongoing supervisory costs
    • Physical presence requirements
    • Local talent pool for compliance staff
  • Determine capital requirements — Calculate the minimum own funds for your service combination (the highest Annex IV class you fall into) and compare it with one quarter of your fixed overheads; the higher figure is your Article 67 floor. Budget for capital above the minimum, since NCAs may require more.
  • Check transitional provisions — Some member states allow CASPs that operated under national law before December 30, 2024 to continue operating during a transitional period of up to 18 months (i.e. until July 1, 2026 at the latest). Member states may shorten this period, so check your member state's specific transition timeline.
  • Engage local legal counsel — MiCA implementation details vary by member state. Local expertise is essential. Budget EUR 50,000-150,000 for legal fees through authorization.

Pre-Application Meeting

  • Request a meeting with the NCA — Most NCAs offer pre-application engagement. BaFin, AMF, CBI, and others have formal pre-application processes.
  • Prepare a summary of your business model — Services offered, target customers, jurisdictions, technology stack, and expected volumes.
  • Ask about NCA-specific requirements — Processing timelines, supplementary documentation, preferred application format, fee schedules.
  • Document all feedback — NCA guidance during pre-application is invaluable. Record it and address every point in your application.

Corporate and Governance Requirements

Legal Entity

  • Establish or designate a legal entity — Must be a legal person or other undertaking with its registered office in your chosen home member state, where at least part of the services are carried out. Branch offices of non-EU entities are generally not acceptable.
  • Registered office, head office, and effective management in the EU — The place of effective management must be in the EU and at least one director must be resident in the EU. Regulators will scrutinize arrangements where the EU entity is a shell with operations run from outside the Union.

Management Body

  • Appoint at least two directors — Sufficient knowledge, skills, and experience in financial services, technology, and the specific crypto-asset services offered.
  • Fit-and-proper assessments — Each director must pass NCA review covering:
    • Professional qualifications and experience (CV and references)
    • Criminal record check (no convictions for financial crime, fraud, or money laundering)
    • Financial soundness (no personal insolvency)
    • Good repute (no prior regulatory sanctions or enforcement actions)
    • Time commitment (adequate time to devote to the role)
  • Collective competence — The management body as a whole must have adequate collective knowledge. NCAs assess the board composition as a unit, not just individually.

Shareholders and Qualifying Holdings

  • Identify all qualifying holders — Any person or entity with 10%+ direct or indirect ownership or voting rights.
  • Qualifying holder assessments — Each must demonstrate:
    • Good repute
    • Financial soundness (no history of insolvency or financial distress)
    • No risk of money laundering or terrorist financing
  • Notify changes — Any subsequent change in qualifying holdings above 10%, 20%, 30%, or 50% thresholds must be pre-notified to the NCA.

Organizational Structure

  • Clear organizational chart — Lines of responsibility from board to operational teams.
  • Three lines of defense — First line (business operations), second line (compliance and risk management), third line (internal audit).
  • Adequate internal controls — Segregation of duties, approval authorities, reconciliation procedures.
  • Risk management framework — Documented risk appetite, risk identification and assessment processes, risk mitigation measures.
  • Business continuity plan — Documented procedures for operational disruptions, including IT system failures, key personnel loss, and external events.
  • Outsourcing policy — If outsourcing critical or important functions:
    • Written outsourcing agreement
    • Due diligence on the service provider
    • NCA must be able to supervise the outsourced function
    • Contingency plan if the outsourcing arrangement fails

AML/CFT Compliance

MiCA CASPs are obliged entities under the EU AML framework and must comply with both MiCA-specific requirements and the AML directives as transposed nationally, together with the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113).

  • AML/CFT policies and procedures — Written, board-approved policies covering:
    • Customer due diligence (CDD, EDD, SDD)
    • Transaction monitoring
    • Suspicious transaction reporting (STR) to national FIU
    • Sanctions screening (EU Consolidated Financial Sanctions List, UN list)
    • Record-keeping (minimum five years)
  • Compliance officer (MLRO) — Appointed Money Laundering Reporting Officer with appropriate authority, resources, and direct reporting to the management body.
  • Business-wide risk assessment — ML/TF risk assessment covering customers, products, geographies, delivery channels, and transactions. Updated at least annually.
  • Transfer of Funds Regulation compliance — Travel Rule applies to ALL crypto-asset transfers (no de minimis threshold). Full compliance mandatory since December 30, 2024. Must collect and transmit originator and beneficiary information for every transfer. See our Travel Rule Implementation Guide.
  • Sanctions screening — Real-time screening of customers and transactions against EU, UN, and relevant national sanctions lists. Screening must cover crypto addresses as well as names and identifiers.
  • Independent AML audit — Annual independent testing of the AML program by internal audit or external firm.

Technical and Operational Requirements

IT Security and Cybersecurity

  • IT security policy — Board-approved, covering:
    • Access controls and identity management
    • Encryption standards (data at rest and in transit)
    • Vulnerability management and penetration testing (at least annually)
    • Incident detection and response procedures
    • Secure software development lifecycle
    • Network security and monitoring
  • ICT risk management — Aligned with DORA (Digital Operational Resilience Act, applicable from January 17, 2025). CASPs must identify, protect against, detect, respond to, and recover from ICT-related incidents, and report major ICT-related incidents to their NCA.
  • Third-party ICT risk — Assessment and monitoring of ICT risks from third-party service providers (cloud, data centers, software vendors).

Data Protection

  • GDPR compliance — Crypto businesses handle significant personal data through KYC. Ensure:
    • Data processing agreements with all third-party processors
    • Data Protection Impact Assessments (DPIAs) for high-risk processing
    • Data subject rights procedures (access, erasure, portability)
    • Data retention schedule aligned with both GDPR (minimize) and AML (minimum five years)
    • Appointed Data Protection Officer (DPO) where required

Customer Protection

  • Complaints handling procedure — Published, free-of-charge procedure for receiving and resolving customer complaints. Maintain a complaints register. Report complaint statistics to the NCA.
  • Conflicts of interest — Written policy identifying, preventing, managing, and disclosing conflicts. Must cover:
    • Personal trading by employees
    • Proprietary trading vs. client order execution
    • Related-party transactions
    • Inducements and commissions
  • Client asset segregation — If providing custody:
    • Client crypto-assets must be segregated from proprietary assets at all times
    • Separate wallets and separate accounting
    • Clear legal structure ensuring client assets are protected in the event of CASP insolvency
    • Liability regime for loss of client crypto-assets (MiCA Article 75)
  • Record-keeping — Maintain records of all services, transactions, and orders for at least five years. Records must be sufficient for the NCA to reconstruct each transaction.

Disclosure and Transparency

  • Website disclosures — Publish on your website:
    • Name, legal form, registered office, and authorization details
    • Service descriptions and applicable fees
    • Complaints handling procedure
    • Risk warnings
    • Member state of authorization and NCA contact details
  • Pre-contractual information — Before establishing a client relationship, provide:
    • Clear description of services offered
    • Risks associated with crypto-assets (including risk of total loss)
    • Fee schedule (all costs, including spread, withdrawal fees, and commissions)
    • Applicable law and dispute resolution mechanisms
  • Marketing communications — All marketing must be:
    • Fair, clear, and not misleading
    • Clearly identifiable as marketing
    • Consistent with pre-contractual information
    • Include risk warnings
    • Comply with ESMA marketing guidelines

Application Submission

  • Complete NCA application form — Attach all required documentation per the NCA's checklist.
  • Programme of operations — Detailed business plan covering:
    • Services to be provided
    • Target market and customer segments
    • Marketing and distribution strategy
    • Financial projections (typically three to five years)
    • Organizational resources and staffing plan
  • Prudential safeguard evidence — Bank statements or auditor confirmation showing the required own funds are in place, and/or the insurance policy used to meet part or all of the Article 67 requirement.
  • Professional indemnity insurance — If used instead of, or alongside, own funds, the policy must cover loss of documents, misrepresentations, acts, errors or omissions resulting in a breach of legal or regulatory obligations, and related liabilities, and must be adequate for the services you provide.
  • All governance documentation — Organizational chart, fit-and-proper applications for directors, qualifying holder notifications, policies and procedures.
  • AML/CFT documentation — Full AML policy, risk assessment, compliance officer appointment, Travel Rule solution documentation.
  • IT documentation — Security policy, DORA compliance assessment, penetration test reports (if available), business continuity plan.

NCA Review Process

After submission, expect:

  1. Completeness check — NCA confirms all required documents are present. MiCA gives the NCA 25 working days from receipt to assess completeness; in practice this can be much shorter.
  2. Substantive review — NCA reviews the application in detail. May issue information requests (RFIs). Each RFI adds weeks to the timeline.
  3. Fit-and-proper interviews — NCAs may interview directors and qualifying holders.
  4. Decision — Authorization granted (possibly with conditions), or refused with reasons.

NCA decision deadline: MiCA requires NCAs to decide within 40 working days of receiving a complete application. The 40-day clock is suspended, not reset, while an information request is outstanding, and the total suspension may not exceed 20 working days. In practice, NCAs control the timeline by not declaring the application complete until earlier RFIs have been answered, so the statutory deadline is rarely the binding constraint.

Post-Authorization Obligations

Authorization is the beginning. Ongoing compliance includes:

  • Ongoing regulatory reporting — Periodic returns as required by your NCA (quarterly or annual transaction data, customer counts, complaints data, financial statements).
  • Material change notifications — Notify the NCA before making material changes to:
    • Services offered
    • Directors or qualifying holders
    • IT infrastructure or outsourcing arrangements
    • Registered office or head office location
  • Annual financial audit — Financial statements audited annually by an approved statutory auditor.
  • Supervisory cooperation — Respond to NCA information requests, facilitate on-site inspections, participate in supervisory reviews.
  • Passporting notifications — To operate in other EU member states, notify your home NCA, which informs the host state NCA within 10 working days. You may begin providing services once the host state has received the communication, or at the latest 15 calendar days after submitting the notification.
  • Continuous compliance monitoring — Monitor regulatory developments (ESMA and EBA guidance, RTS/ITS updates, NCA circulars) and update your program accordingly.
  • ESMA register — Verify your authorization is listed in the ESMA register of authorized CASPs.

Common Pitfalls

  1. Applying before policies are written — NCAs expect complete, operational policies, not drafts or frameworks-in-progress.
  2. Underestimating the Transfer of Funds Regulation — The no-threshold Travel Rule catches many applicants off-guard. Demonstrate a working Travel Rule solution in your application.
  3. Directors without crypto experience — NCAs assess collective competence. At least one director should have demonstrable crypto industry experience.
  4. Ignoring DORA — The Digital Operational Resilience Act applies to CASPs. IT resilience requirements go beyond basic cybersecurity.
  5. Assuming capital requirements are static — NCAs may require capital above the minimums based on their risk assessment. Budget conservatively.
  6. Failing to plan for passporting — The passporting notification process requires preparation. Plan your EU expansion timeline in advance.

Resources