Cyprus MiCA CASP License: Complete 2026 Guide to EU Crypto Authorization with CySEC
Updated: March 2026 | Author: Zitadelle AG Regulatory Team
⚠️ Critical 2025–2026 Deadlines:
February 27, 2026 — MiCA application deadline for existing CASPs. CySEC confirmed on December 23, 2025 that existing CASPs authorized under Cyprus's national framework must have submitted a complete MiCA authorization application by this date. Existing CASPs that met the deadline may continue operating until authorization is granted, denied, or until July 1, 2026, whichever occurs first.
July 1, 2026 — End of the transitional period. After this date, operating crypto-asset services in the EU without MiCA authorization is illegal. Transitional-period CASPs cannot passport services to other EU member states — only fully authorized MiCA CASPs can use the EU single passport.
March 2026 — EBA No Action Letter on EMT/PSD2 overlap expired. Businesses providing Electronic Money Token custody and transfer services must now determine whether both MiCA authorization and a PSD2 payment institution/EMI license are required.
Contact Zitadelle AG for urgent guidance on your MiCA authorization position.
The MiCA CASP License issued by the Cyprus Securities and Exchange Commission (CySEC) is the gateway to legally operating crypto-asset services across the entire European Union — under the world's first comprehensive, harmonized crypto regulatory framework. A single MiCA authorization from CySEC allows a licensed business to offer services to clients in all 27 EU member states without obtaining separate national licenses in each country.
For any crypto business with EU clients, EU ambitions, or institutional EU counterparties, MiCA authorization is no longer optional. As of December 30, 2024, operating crypto-asset services professionally in the EU without authorization is illegal. Enforcement is active — ESMA and national competent authorities conducted over 230 audits of crypto businesses in the first half of 2025 alone.
Zitadelle AG is a specialist regulatory consultancy providing end-to-end support for crypto businesses seeking MiCA CASP authorization in Cyprus — from regulatory scoping and business plan preparation through CySEC application, personnel onboarding, and post-authorization compliance management. With offices in Cyprus and deep expertise in EU crypto compliance, Zitadelle AG is your trusted partner for MiCA licensing.
Frequently Asked Questions About the Cyprus MiCA CASP License
What Is MiCA — and Why Does It Matter?
The Markets in Crypto-Assets Regulation (MiCA, Regulation EU 2023/1114) is the EU's landmark legal framework governing crypto-assets, token issuers, and crypto-asset service providers. It entered into force on June 29, 2023, with a phased rollout:
June 30, 2024: Rules for stablecoins (Asset-Referenced Tokens / ARTs and E-Money Tokens / EMTs) became applicable
December 30, 2024: The full CASP authorization regime became mandatory — any business professionally providing crypto-asset services to EU clients must be authorized
MiCA replaces the fragmented patchwork of national crypto regulations across the EU's 27 member states with a single, harmonized framework. Its objectives are to enhance investor protection, promote market integrity, prevent market abuse, and enable regulated crypto innovation with clear compliance obligations.
What MiCA covers:
Crypto-asset service providers (exchanges, custodians, brokers, portfolio managers, advisors, transfer services, trading platform operators)
Asset-Referenced Token (ART) issuers
E-Money Token (EMT) issuers
Issuers of other crypto-assets offered to the public or admitted to trading on EU platforms (whitepaper and disclosure obligations)
What MiCA does NOT cover:
NFTs (unless fractionalized or functionally fungible)
Fully decentralized DeFi protocols with no identifiable issuer or intermediary
Tokenized traditional financial instruments (these fall under MiFID II, AIFMD, and other existing frameworks)
Central Bank Digital Currencies (CBDCs)
Who Needs a MiCA CASP License?
Under Article 62 of MiCA, any person professionally providing one or more crypto-asset services in the EU requires authorization as a Crypto-Asset Service Provider (CASP). This applies regardless of where the business is incorporated — a non-EU firm targeting EU clients must be authorized or risk enforcement.
Services requiring MiCA CASP authorization:
Custody and administration of crypto-assets on behalf of clients
Operation of a crypto-asset trading platform
Exchange of crypto-assets for fiat currency
Exchange of crypto-assets for other crypto-assets
Execution of orders for crypto-assets on behalf of clients
Reception and transmission of orders for crypto-assets on behalf of clients
Placing of crypto-assets
Providing transfer services for crypto-assets on behalf of clients
Providing advice on crypto-assets
Providing portfolio management on crypto-assets
The "grandfathering" trap: Businesses that were registered or authorized under a national CASP/VASP regime before December 30, 2024, can continue operating under transitional provisions until July 1, 2026 — but only in their home member state, and only for services already covered by their national authorization. They cannot use the EU single passport to offer services in other member states until they receive full MiCA authorization. The transitional period is a bridge, not a permanent alternative.
Why Obtain a MiCA CASP License in Cyprus Specifically?
Cyprus is one of the EU's most established and MiCA-ready jurisdictions for crypto authorization — for several reasons:
CySEC's regulatory track record. CySEC has regulated investment firms and financial services businesses since 2001 and has been actively supervising CASPs and VASPs since 2021. It has more institutional knowledge of crypto-asset businesses than most EU National Competent Authorities (NCAs).
Lowest corporate tax rate in the EU. Cyprus has a 12.5% corporate income tax rate — the lowest among EU member states. From 2026, Cyprus also introduced a dedicated 8% flat tax on crypto capital gains, simplifying the tax treatment of digital asset businesses.
Favorable operational environment. Cyprus combines an English common-law legal system, a highly educated English-speaking professional workforce, competitive operating costs relative to other EU jurisdictions, and an established ecosystem of legal, audit, compliance, and financial services firms experienced in regulated businesses.
EU passporting — immediate access to 27 markets. A CySEC MiCA CASP license allows your business to notify CySEC of target member states and passport services across all 27 EU countries — without separate national authorizations. This single notification process activates EU-wide market access under a single regulatory framework.
MiCA-ready infrastructure. Cyprus's domestic framework was one of the earliest in the EU to regulate CASPs, providing a larger pool of qualified compliance professionals, experienced local directors, and established advisors familiar with CySEC's specific expectations.
Strategic Mediterranean location. Cyprus's time zone (EET/EEST), proximity to Middle Eastern and African markets, and existing role as a regional hub for financial services make it well-positioned for businesses targeting both EU and near-EU markets.
What Are the Three MiCA CASP License Classes?
Under MiCA as implemented by CySEC, CASP authorizations cover different service scopes. The capital requirement scales with the breadth and risk level of services:
Class | Services Covered | Minimum Initial Capital |
|---|---|---|
Class 1 | Providing advice on crypto-assets; placing of crypto-assets | EUR 50,000 |
Class 2 | Class 1 services PLUS: reception and transmission of orders; execution of orders; exchange of crypto-assets for fiat or other crypto | EUR 125,000 |
Class 3 | Class 2 services PLUS: operation of a trading platform; dealing on own account; providing transfer services; custody and administration | EUR 150,000 |
Important capital rule: The capital requirement is the higher of:
The applicable minimum threshold above, OR
One-quarter of the firm's fixed overheads from the preceding year (reviewed annually)
This means that as a business scales and its fixed cost base grows, its required capital increases in proportion. This is an ongoing capital adequacy obligation — not a one-time threshold.
For token issuers: ART and EMT issuers must meet separate capital and reserve requirements under MiCA Titles III and IV, including 1:1 reserve maintenance, independent custody, and — for "significant" tokens (those reaching systemic relevance as determined by ESMA/EBA) — direct EBA supervision.
What Are the Corporate and Governance Requirements?
CySEC has specific expectations for the governance structure of a Cyprus MiCA CASP — these are substantively more demanding than most non-EU crypto licensing frameworks.
Board composition:
Minimum 4 board members:
At least 2 executive directors — based in Cyprus, actively involved in day-to-day management, meeting CySEC's fit-and-proper criteria
At least 2 independent non-executive directors — providing oversight and governance challenge
Majority of board members must be resident in Cyprus and actively involved in decision-making — this is both a regulatory requirement and a tax residency factor
CySEC assesses each director's integrity, competence, relevant experience, and time commitment
Key functions:
Compliance Officer / Money Laundering Compliance Officer (MLCO) — resident in Cyprus; responsible for CySEC regulatory compliance and AML/CFT obligations; may also serve as Risk Manager
Internal Audit function — can be outsourced to a qualified external provider, subject to conditions
Head of Brokerage — required for exchange and brokerage services
Head of Custody / Administration — required for custody activities
Finance & Accounting, IT, and Back Office — may be outsourced subject to DORA-compliant third-party oversight arrangements
Substance requirements: CySEC (and ESMA) explicitly reject letter-box structures. Regulators expect genuine management, decision-making, and risk oversight to take place in Cyprus — not just a registered address. The "effective management" test is applied rigorously in MiCA licensing assessments.
What Are the Full Application Requirements?
A MiCA CASP application to CySEC is a substantial undertaking. The application package typically comprises 40–80+ documents across governance, compliance, technology, and financial dimensions. Key components include:
Corporate documentation:
Cyprus-incorporated Limited Liability Company (LTD) — registration with the Cyprus Registrar of Companies
Articles of Association; shareholder and beneficial ownership records
Organizational chart with reporting lines
Personal documentation (for all directors, senior officers, and qualifying UBOs):
Fit-and-proper declaration and questionnaire
CV and evidence of professional qualifications
Criminal record certificates
Financial soundness declarations
Governance and compliance documentation:
Program of activities — detailed description of all services, target markets, and revenue model
Internal governance policies and risk management framework
Conflicts of interest policy
AML/CTF policies and KYC/KYB procedures, aligned with Cyprus AML Law (Prevention and Suppression of Money Laundering and Terrorist Financing Law)
Travel Rule compliance framework (EU Transfer of Funds Regulation applies from December 30, 2024 — no grace period, no amount threshold)
Sanctions screening program
Technology and operational resilience (DORA-aligned):
ICT risk management framework
Business continuity and disaster recovery plan (tested and documented)
Incident response and reporting procedures
Third-party and ICT service provider oversight documentation
Cybersecurity policies and penetration testing framework
Financial documentation:
Proof of paid-up capital and bank account
3-year financial projections
Capital adequacy plan demonstrating ongoing compliance with the dynamic overhead-based capital floor
Token-specific documentation (if applicable):
For businesses involved in token offerings: MiCA white paper in iXBRL format (mandatory from December 23, 2025 under ESMA's technical standards) — must be submitted with XBRL tagging aligned with ESMA's taxonomy published August 5, 2025
The CySEC MiCA Application Process
Step 1 — Pre-Application Assessment (Optional but Highly Recommended)
From November 13, 2024, CySEC accepts preliminary assessment submissions before the formal process. This allows applicants to submit key documents early and receive CySEC feedback before formal submission. Given the volume of MiCA applications and CySEC's detailed review process, early engagement is strongly recommended.
Zitadelle AG facilitates pre-application meetings with CySEC to clarify expectations, confirm the correct license class, and identify any documentation gaps before formal submission.
Step 2 — Cyprus Company Formation
Register a Cyprus Limited Liability Company with the Cyprus Registrar of Companies. Establish a physical office. Deposit paid-up capital into a Cyprus-based EU credit institution bank account.
Step 3 — Documentation Preparation
Prepare the full application package: business plan, governance policies, AML/CTF framework, DORA-aligned ICT documentation, financial projections, and all personal due diligence for directors and UBOs. This is the most time-intensive phase — and the one that determines application quality and CySEC review speed.
Step 4 — CySEC Portal Submission
Submit the complete application via the CySEC online portal. CySEC acknowledges receipt within 5 working days.
Step 5 — Completeness Check
Within 25 business days of submission, CySEC conducts an initial review to verify document completeness. Incomplete applications are returned with a deadline to provide additional information — this restarts the timeline.
Step 6 — Detailed Compliance Review
CySEC conducts a thorough evaluation covering governance, financial stability, AML/CTF adequacy, operational resilience, and fit-and-proper assessments. CySEC may request additional information or clarifications during this phase — the quality of responses directly affects approval likelihood.
Step 7 — Decision
CySEC issues a reasoned decision within 3 business days of completing the assessment. Approved CASPs are added to the EEA CASP Register, enabling EU-wide passporting.
Timeline
Application quality | Estimated total timeline |
|---|---|
Well-prepared, complete application | 3–6 months |
Applications requiring multiple rounds of clarification | 6–12 months |
CySEC's published statutory timeframe under Article 63 of MiCA is approximately 3 months from receipt of a materially complete application. In practice, response times depend on application volume and quality.
EU Passporting: Accessing 27 Markets from One License
One of MiCA's most commercially valuable features is the EU single passport. Once authorized by CySEC, a Cyprus CASP can offer its licensed services across all 27 EU member states through a streamlined notification process:
The CASP notifies CySEC of target member states and specific services
CySEC notifies the relevant National Competent Authorities (NCAs) within 10 business days
The CASP may begin offering services in the target member state within 15 calendar days of CySEC's notification
Passported authorizations appear on ESMA's public MiCA register — providing visible regulatory credibility for banking due diligence, institutional partnerships, and client onboarding.
Important passporting caveat: Transitional-period CASPs operating under grandfathered national authorizations cannot passport to other EU member states. Only full MiCA authorization unlocks EU-wide market access.
Regulatory shopping risk: In September 2025, French, Austrian, and Italian regulators published a joint position paper calling for ESMA direct supervision of "significant CASPs" — citing concerns about regulatory arbitrage across member states. This is a developing area to monitor. Significant CASPs (defined as those reaching 15 million+ active EU users) may in future be subject to direct ESMA oversight rather than purely national NCA supervision.
Ongoing Obligations for Authorized CASPs
MiCA authorization is the foundation of a continuous compliance obligation, not a one-time achievement. Authorized Cyprus CASPs must maintain:
Capital adequacy — ongoing compliance with the higher of the minimum threshold or one-quarter of annual fixed overheads. Annual review and recalculation required.
AML/CTF compliance — active program, regular reviews, updated customer risk assessments, transaction monitoring, suspicious transaction reporting to the Cyprus Financial Intelligence Unit (MOKAS).
Travel Rule (EU Transfer of Funds Regulation) — collect and transmit originator and beneficiary information for all crypto-asset transfers involving a CASP, regardless of amount. No de minimis threshold applies.
DORA compliance — ongoing ICT risk management, regular resilience testing, incident reporting to CySEC within defined timeframes, third-party risk management, and contractual alignment with ICT service providers.
CySEC reporting — periodic regulatory reports, notification of material changes (ownership, services, key personnel, business model), annual capital adequacy review.
Governance maintenance — maintaining the required board composition, active director presence in Cyprus, updated fit-and-proper assessments for any changes to key personnel.
Market abuse prevention — MiCA requires CASPs to monitor for insider trading, market manipulation, and false market signals, and report suspicious activity. These obligations mirror traditional financial markets conduct standards.
Consumer protection — mandatory disclosures, complaints handling procedures, conflicts of interest management, and transparent fee disclosure.
iXBRL white papers — any token issuance or offering activities require ESMA-compliant white papers in iXBRL format (mandatory from December 23, 2025).
Annual contributions — CySEC annual contribution of up to 0.5% of revenue (minimum EUR 750).
Enforcement risk — MiCA fines can reach up to 5% of annual worldwide turnover or EUR 5 million per breach, whichever is higher, plus CySEC's domestic procedural penalties.
MiCA and DORA: The Compliance Stack Every Cyprus CASP Needs
MiCA does not operate in isolation. Every Cyprus CASP authorized under MiCA must simultaneously comply with:
DORA (Digital Operational Resilience Act) — effective from January 17, 2025. Applies to all MiCA-authorized CASPs. Requires:
Documented ICT risk management framework
Classification and reporting of major ICT incidents to CySEC
Digital operational resilience testing (including threat-led penetration testing for larger firms)
Third-party ICT service provider oversight — including contractual requirements for cloud providers, data centers, and software vendors
Information security policies and controls
EU AML Package / AMLA — the new EU Anti-Money Laundering Authority is operational. It will expand to directly supervise approximately 40 high-risk financial entities (including crypto firms) by 2028. The EU is moving toward a single AML rulebook applicable across all 27 member states — significantly reducing the ability to exploit national AML/CTF variations.
EU Transfer of Funds Regulation (TFR) / Travel Rule — effective December 30, 2024, no grace period. Unlike the FATF Travel Rule in some jurisdictions, the EU TFR applies to all crypto transfers involving a CASP with no amount threshold.
PSD2 / PSD3 overlap — businesses issuing or distributing EMTs (euro-pegged stablecoins) may require both MiCA authorization (CySEC) and payment institution / EMI authorization (Central Bank of Cyprus). The interaction between MiCA and PSD2/PSD3 for stablecoin-related payment services remains a complex and evolving area.
Cyprus vs. Other EU MiCA Jurisdictions: Why Choose Cyprus?
As of early 2026, Germany leads EU MiCA CASP authorizations (18 licenses), followed by the Netherlands (14). Cyprus has authorized fewer CASPs under MiCA so far — but this reflects the pace of its transition process, not a lack of regulatory readiness.
Factor | Cyprus | Germany | Netherlands | Malta | Ireland |
|---|---|---|---|---|---|
Corporate tax rate | 12.5% (lowest EU) | 30%+ | 25.8% | 35% (with refund scheme) | 12.5% |
CySEC/NCA experience with crypto | High (since 2021) | High | High | High | Moderate |
English-language infrastructure | Yes | Partial | Partial | Yes | Yes |
Operational cost vs. Western Europe | Lower | Higher | Higher | Lower | Higher |
Geographic positioning | Mediterranean/MENA/Africa crossroads | Central Europe | Western Europe | Mediterranean | Atlantic Europe |
Existing financial services ecosystem | Very deep | Very deep | Deep | Moderate | Deep |
MiCA licenses issued (2025–2026) | Low (growing) | 18 | 14 | Small | Small |
Cyprus's combination of the EU's lowest corporate tax rate, deep financial services infrastructure, English-language environment, CySEC's established crypto regulatory track record, and favorable operational costs makes it one of the most commercially compelling MiCA jurisdictions — particularly for businesses that are not already embedded in the German or Dutch financial ecosystems.
How Zitadelle AG Supports Your Cyprus MiCA CASP Application
Zitadelle AG provides end-to-end support for businesses seeking MiCA CASP authorization in Cyprus. Our Zitadelle AG Cyprus practice includes:
Regulatory scoping and service classification — determining the correct CASP license class for your business model; identifying whether additional authorizations (DORA obligations, PSD2/EMI for stablecoin services) apply; and assessing whether your token activities require whitepaper filings.
Pre-application engagement with CySEC — we facilitate early CySEC engagement through the preliminary assessment process, allowing you to receive regulator feedback before formal submission. This materially reduces the risk of completeness rejections and timeline delays.
Cyprus company formation — coordinated with application preparation to minimize overall timeline.
Full application package preparation — business plan, governance policies, AML/CTF framework, DORA-aligned ICT documentation, financial projections, fit-and-proper packages for all directors and key personnel, and iXBRL white paper preparation where required.
Key personnel sourcing and onboarding — through our HR network and HRFinease platform, we source and introduce qualified Cyprus-based executive directors, compliance officers, and MLCOs with CySEC experience and established regulatory relationships.
Regulatory compliance framework build-out — bespoke AML/CTF policies, KYC/KYB procedures, Travel Rule compliance architecture, market abuse monitoring framework, and DORA ICT risk management documentation.
CySEC portal submission and liaison — end-to-end management of the CySEC application process including submission, completeness query responses, detailed compliance review responses, and approval tracking.
Post-authorization compliance support — ongoing CySEC reporting, annual capital adequacy review, AML/CTF program maintenance, DORA ICT obligation management, Travel Rule compliance monitoring, and passporting notifications to target EU member states.
MiCA + DORA integration — for businesses needing a unified MiCA and DORA compliance architecture, Zitadelle AG builds integrated frameworks that satisfy both regulatory regimes from a single compliance infrastructure.
Frequently Asked Questions (FAQ)
Can a non-EU company obtain a MiCA CASP license in Cyprus? Yes, but a Cyprus-incorporated entity is required. Non-EU groups typically establish a Cyprus subsidiary (LTD) as the licensed entity. 100% foreign ownership is permitted, subject to fit-and-proper assessments of UBOs and directors.
What is the minimum capital for a Cyprus MiCA CASP license? EUR 50,000 for Class 1 (advisory/placing); EUR 125,000 for Class 2 (adds brokerage/exchange); EUR 150,000 for Class 3 (adds trading platform/custody/dealing on own account). The ongoing capital requirement is the higher of the class minimum or one-quarter of annual fixed overheads — this scales upward as the business grows.
How long does the Cyprus MiCA CASP application take? 3–6 months for well-prepared, complete applications. Applications requiring multiple rounds of clarification can take 6–12 months. Pre-application engagement with CySEC and submission-ready documentation preparation by Zitadelle AG minimizes timeline risk.
What is the CySEC application fee? Approximately EUR 4,500 in licensing fees, plus annual contributions of up to 0.5% of revenue (minimum EUR 750). Additional costs include Cyprus company formation, capital deposit, and professional advisory fees.
Does a Cyprus MiCA CASP license allow me to serve clients in Germany, France, and other EU countries? Yes — this is the EU single passport. Once authorized by CySEC, you notify CySEC of target member states and services, and CySEC notifies the relevant NCAs. The passporting notification process takes approximately 15–25 calendar days, after which you may legally offer services in those countries.
Can I still operate under my national CASP registration past July 1, 2026? No. The transitional period for nationally registered CASPs ends July 1, 2026. After this date, operating crypto-asset services in the EU without MiCA authorization is illegal, regardless of prior national registration status.
Does MiCA cover DeFi protocols? MiCA does not directly regulate fully decentralized protocols with no identifiable issuer or intermediary. However, DeFi protocols with any intermediary element, front-end operator, or governance body may fall within scope. ESMA has signaled that the boundary between decentralized and centralized will be assessed on substance, not labeling.
Is DORA compliance required for a MiCA CASP? Yes. DORA applies to all EU-regulated financial entities including MiCA CASPs from January 17, 2025. Compliance is a non-negotiable element of any Cyprus MiCA CASP application — CySEC will assess your ICT risk management and operational resilience framework as part of the authorization review.
What is the "significant CASP" threshold? A CASP is deemed "significant" if it reaches 15 million or more active users within the EU. Significant CASPs must notify their competent authority within 2 months of reaching this threshold, and may be subject to direct ESMA supervision in addition to national NCA oversight.
Can Zitadelle AG help with both MiCA and DORA compliance? Yes. Zitadelle AG provides integrated MiCA + DORA compliance frameworks as part of its Cyprus CASP licensing service, ensuring that ICT risk management, incident reporting, and third-party oversight obligations are addressed alongside the core MiCA authorization requirements.
Ready to Obtain Your MiCA CASP License in Cyprus?
MiCA has closed the door on unregulated crypto operations targeting EU clients. The only way to legally serve EU users, access EU banking relationships, partner with EU institutional counterparties, and passport services across 27 markets is through full MiCA authorization.
Cyprus — with CySEC's regulatory expertise, the EU's lowest corporate tax rate, a deep financial services infrastructure, and a pragmatic, commercially aware regulatory environment — is one of the most strategically and commercially compelling MiCA home jurisdictions available.
Contact Zitadelle AG today for a free, no-obligation consultation. We will assess your business model, determine the correct CASP license class, identify any intersecting regulatory obligations (DORA, Travel Rule, PSD2/EMT), and design the most efficient path to CySEC MiCA authorization.
📞 Call / WhatsApp / Telegram: +357 96 649654 🌐 Website: www.zitadelleag.com 📅 Book a Free Consultation
This article is provided for informational purposes only and does not constitute legal or regulatory advice. MiCA regulatory requirements and CySEC guidance continue to evolve. Always consult a qualified advisor — such as Zitadelle AG — before initiating a licensing process. Last updated: March 2026.
Compare This License With Other Jurisdictions:
Related Services from Zitadelle AG:
