Cyprus MiCA CASP License — CySEC Authorization 2026

What MiCA Is and Why Cyprus

MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) entered into force on 29 June 2023 and became fully applicable on 30 December 2024. It is the first comprehensive, harmonized EU-wide regulatory framework governing crypto-assets and the entities that provide services related to them. MiCA replaces the patchwork of national VASP registration regimes across EU member states with a single unified authorization — the CASP license — that carries full passporting rights across all 30 EEA countries under a single home-country authorization.

Cyprus is the primary EU jurisdiction for MiCA CASP applications for several reasons: CySEC was one of the first EU regulators to accept CASP applications (from November 2024), has deep regulatory experience with crypto businesses dating to the legacy CASP registration regime, and operates in English. Cyprus's corporate tax rate of 15%, established legal infrastructure, and concentration of experienced legal, compliance, and technology service providers makes it the practical default for crypto companies seeking EU authorization. Zitadelle AG's European headquarters is in Limassol, Cyprus — providing direct access to CySEC and the full Cyprus regulatory ecosystem.

The transitional period under MiCA Art. 143(3) allowed entities providing crypto-asset services under national law before 30 December 2024 to continue operating until 1 July 2026 or until their MiCA application was approved or rejected. CySEC set the application deadline for existing CASPs at 27 February 2026. Any CASP operating after 1 July 2026 without MiCA authorization is operating illegally under EU law.

Permitted Activities Under the MiCA CASP Authorization

Under Article 3 and Article 62 of MiCA Regulation, a CySEC-authorized CASP may provide the following crypto-asset services:

• Custody and administration of crypto-assets on behalf of clients — safekeeping of private keys, wallet infrastructure, and administration of client crypto holdings
• Operation of a trading platform for crypto-assets — centralized exchange, order book, and matching engine operations
• Exchange of crypto-assets for fiat currency — on-ramps and off-ramps, fiat-to-crypto conversion
• Exchange of crypto-assets for other crypto-assets — crypto-to-crypto exchange, cross-asset trading
• Execution of orders for crypto-assets on behalf of clients — order execution, best execution obligations
• Placing of crypto-assets — acting as intermediary in token distribution
• Reception and transmission of orders for crypto-assets on behalf of clients — order routing, introducing broker model
• Providing advice on crypto-assets — investment advice specific to crypto-assets
• Providing portfolio management on crypto-assets — discretionary management of client crypto portfolios
• Providing transfer services for crypto-assets on behalf of clients — on-chain transfers, Travel Rule compliance

MiCA CASP Classes — Capital Requirements by Service Type

MiCA establishes minimum initial capital requirements based on the class of services the CASP provides. Capital must be maintained at all times at the minimum level or one-quarter of fixed annual overheads, whichever is greater:

Governance Requirements — The 4-Eyes Principle and Cyprus Substance

CySEC expects that the majority of board members are based in Cyprus and actively involved in day-to-day decision-making. This supports the entity's tax residency status and satisfies CySEC's "mind and management" test — a requirement that the real decisions of the business are made in Cyprus, not by remote management in another jurisdiction. Applications where all significant decisions are made outside Cyprus are rejected.

The 4-eyes principle requires that the CASP is effectively managed by at least two individuals — both of whom must be fit and proper and suitably experienced. For Cyprus, the practical implementation typically involves a minimum of two executive directors resident in Cyprus with relevant financial services, technology, or crypto-asset sector experience. At least half of the board should consist of independent non-executive directors to ensure robust governance and oversight.

CySEC will assess qualifying shareholders, UBOs, directors, and senior managers for fit and proper — reviewing CVs, educational qualifications, relevant experience, criminal records, and insolvency history. Applicants with complex ownership structures must provide a transparent group structure and credible source of wealth documentation. Weak management biographies — particularly where the proposed board has no hands-on experience with custody, exchange operations, AML, or financial regulation — are a common cause of extensive CySEC information requests.

In addition to executive and non-executive directors, the CASP must establish dedicated control functions: Compliance Officer/MLRO (Money Laundering Reporting Officer), Risk Manager, and depending on scale, an Internal Audit function and dedicated ICT/security oversight. Outsourcing of control functions is permitted but the CASP must maintain vendor registers, due diligence documentation, service-level controls, and exit plans for critical providers — it cannot use outsourcing to become an empty shell.

AML/CTF Framework, Travel Rule, and MOKAS Reporting

A Cyprus MiCA CASP license does not replace or reduce AML obligations — it adds to them. CASPs remain fully subject to Cyprus AML law, CySEC AML supervisory expectations, and suspicious transaction reporting obligations to MOKAS (the Cyprus Unit for Combating Money Laundering). The AML framework submitted with the application must be tailored specifically to the CASP's exact channels, client types, geographies, token exposure, and transaction flows. Generic AML manuals copied from forex or EMI templates are one of the fastest ways to trigger extensive regulatory queries during the application review.

The Travel Rule — implemented in Cyprus under Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets — applies to all CASPs processing crypto-asset transfers. CASPs must collect and transmit originator and beneficiary information alongside crypto transfers above threshold limits, implement screening against sanctions lists, and maintain records. Travel Rule technical implementation requires a compliant solution (TRUST, Sygna, Notabene, or similar) that integrates with the CASP's platform infrastructure before operations commence.

DORA (Digital Operational Resilience Act, EU 2022/2554) applies to all MiCA-authorized CASPs and has been mandatory since January 2025. CASPs must implement ICT risk management frameworks, conduct digital operational resilience testing, maintain ICT incident response and reporting procedures, and manage third-party ICT provider risk. CySEC has made clear that applications lacking credible DORA-compliant ICT governance documentation will face significant delays.

The Application Package — What CySEC Requires

Based on the MiCA Regulation requirements and CySEC's application framework, the full application package includes:

• Completed CySEC application forms — submitted via the CySEC online portal (operational from January 2025)
• Personal questionnaires — for all shareholders, directors, and UBOs — with supporting personal documentation (passport, proof of address, CVs, criminal record certificates, source of wealth)
• Board of Directors minutes — documenting the management decision to apply for CASP authorization
• Business plan and financial projections — 3-year financial model covering revenue assumptions, capital adequacy projections, and overhead cost analysis
• Internal Operations Manual (IOM) — custom-built operational procedures manual covering all proposed CASP services
• AML/CTF Manual — comprehensive AML/CFT policies tailored to the CASP's specific services, client types, and geographies
• Organizational structure chart — detailed chart of all departments, control functions, reporting lines, and key personnel
• Proof of capital — evidence of minimum initial capital deposited in an EU credit institution
• CySEC application checklists — completed and signed
• Preliminary assessment submission — CySEC accepts pre-application documents from November 2024 for feedback before formal submission

Other supporting policies:

• Business Continuity Plan (BCP) and Disaster Recovery Plan
• Conflicts of Interest Policy
• Custody and Administration Policy (for custodian CASPs)
• Client Assets Segregation Policy
• ICT Risk Management Framework (DORA-compliant)
• Cybersecurity Policy
• Travel Rule Implementation Documentation
• Token/Crypto-Asset Admission Policy (for trading platform operators)

Cyprus MiCA CASP Application Process — Step by Step

EU Passporting — What It Means and How It Works

A Cyprus MiCA CASP authorization provides passporting rights across all 30 EEA member states (27 EU member states plus Iceland, Liechtenstein, and Norway). Unlike offshore VASP licenses — Mauritius, Seychelles, El Salvador — the MiCA CASP passport allows a Cyprus entity to actively provide crypto-asset services to retail and professional clients across the entire EU single market without requiring separate national authorization in each country.

Passporting is activated by notification. Once CySEC authorizes the CASP, the entity notifies CySEC of each target EEA jurisdiction and the specific services it intends to provide there. CySEC forwards the notification to the host state competent authority. The host state has limited grounds to object and cannot impose additional licensing requirements. The CASP can commence operations in the notified jurisdiction within a defined period after notification. This notification-based passporting model — familiar from MiFID II for investment firms — makes the Cyprus MiCA CASP the most commercially scalable EU crypto authorization structure available.

DORA Compliance — Digital Operational Resilience from Day One

The Digital Operational Resilience Act (DORA, EU 2022/2554) has applied to all MiCA-authorized CASPs since January 2025. CySEC has been explicit that applications lacking credible DORA-compliant ICT governance documentation face significant delays. DORA requirements include: an ICT risk management framework; ICT-related incident classification and reporting to CySEC; digital operational resilience testing including vulnerability assessments and penetration testing; and third-party ICT provider risk management — including vendor registers, due diligence, contractual requirements, and exit plans.

For many crypto operators — particularly those with cloud-native infrastructure and third-party custody or exchange technology — DORA compliance means reviewing and potentially renegotiating contracts with all critical ICT providers, implementing incident reporting workflows to CySEC, and conducting resilience testing before going live. CySEC may also request an independent third-party cybersecurity or information security audit as part of the application review process. Planning for DORA compliance should begin at the same time as the compliance framework preparation — not as an afterthought in the activation phase.

Post-Authorization Ongoing Obligations

• Maintain minimum capital (initial capital minimum or one-quarter of fixed overheads, whichever is greater) at all times
• Submit regular prudential reports to CySEC — capital, client assets, and operational data
• Annual audited financial statements — prepared by an independent Cyprus-registered auditor
• AML/CFT ongoing compliance — suspicious transaction reporting to MOKAS, client due diligence, Travel Rule implementation
• DORA compliance — annual ICT resilience testing, incident reporting, third-party provider monitoring
• Notify CySEC of any material changes — directors, shareholders, UBOs, services scope, business model changes — all require prior CySEC approval or notification
• Annual compliance report to CySEC
• Client asset safeguarding — client funds and crypto-assets must remain segregated from company assets at all times
• Client disclosures and agreements — website policies, terms and conditions, and white papers (where applicable) maintained in compliance with MiCA standards

MiCA CASP vs Offshore VASP — When Cyprus Is the Right Choice

How Zitadelle AG Assists with Cyprus MiCA CASP Authorization

• Business model assessment — CASP class determination, services scope, capital planning, and passporting strategy
• Cyprus company incorporation — including Memorandum and Articles of Association update for CASP activities
• Management team sourcing — Cyprus-resident executive directors and independent non-executive directors where needed, sourced via HRFinEase
• Compliance Officer / MLRO appointment — experienced Cyprus-based AML professionals with crypto-asset sector experience
• Full application package preparation — Internal Operations Manual, AML/CTF Manual, Business Plan and financial projections, all supporting policies
• CySEC preliminary assessment coordination — pre-submission engagement to identify documentation gaps
• CySEC formal application submission and management — all CySEC correspondence handled by Zitadelle AG
• RFI (Request for Information) response management — rapid, comprehensive responses to CySEC queries during review
• Capital confirmation — EU credit institution bank account arrangement and capital evidence documentation
• DORA compliance framework — ICT risk management documentation, vendor register, incident reporting procedures
• Travel Rule implementation guidance — compatible technical solution selection and integration planning
• Activation phase support — website policies, client disclosures, client agreements, MiCA-compliant documentation
• Post-authorization compliance management — ongoing CySEC reporting, annual audits, AML monitoring, capital maintenance
• Independent non-executive director sourcing — for applicants who do not have sufficient independent board members