MiCA CASP License 2026 — EU Crypto-Asset Service Provider Authorization, July Deadline & Complete Guide
The Markets in Crypto-Assets Regulation (MiCA — Regulation (EU) 2023/1114) is the European Union's unified licensing framework for crypto-asset service providers — the most significant piece of crypto legislation enacted anywhere in the world to date. From 30 December 2024, any entity providing crypto-asset services in or from the EU requires a CASP (Crypto-Asset Service Provider) authorization from a national competent authority. A single CASP authorization passports across all 30 EEA member states — 27 EU countries plus Iceland, Liechtenstein, and Norway — without separate national applications. As of June 2026, 204 CASPs hold full MiCA authorization, including Kraken, Coinbase, Binance, OKX, Crypto.com, and Bitstamp. The 1 July 2026 transitional deadline is absolute — no extensions have been granted. Operating without CASP authorization after that date is not a compliance gap: it is a breach of EU law. Non-compliance carries fines of up to 12.5% of annual turnover, license revocation, and personal liability for executives. Zitadelle AG provides MiCA CASP authorization support from our Limassol, Cyprus headquarters — with direct CySEC access and established Bank of Lithuania relationships for Lithuanian applications.
Deadline: 1 July 2026
After 1 July 2026, any entity providing crypto-asset services to EU clients without a MiCA CASP authorization is operating unlawfully. ESMA's April 2026 statement is unambiguous: CASPs without authorization must cease serving EU clients immediately after this date. 204 CASPs are authorized as of June 2026. The window is closing.
If your CASP application has not been submitted: contact Zitadelle AG immediately.
Request emergency CASP consultation →The 1 July 2026 Deadline — What It Actually Means
The MiCA transitional period closes on 1 July 2026. The mechanics matter:
Grandfathering clause (Article 143(3)): Entities that were legally providing crypto-asset services under national law before 30 December 2024 could continue operating while their CASP application was processed. The maximum grandfathering window ran to 1 July 2026.
But national windows varied dramatically — and many have already closed:
| Member State | Transitional window closed |
|---|---|
| Netherlands | Mid-2025 |
| Germany | 31 December 2025 |
| Austria | 31 December 2025 |
| Lithuania | 1 January 2026 |
| Ireland | End 2025 |
| Latvia | 30 December 2025 |
| France | 1 July 2026 |
| Malta | 1 July 2026 |
| Luxembourg | 1 July 2026 |
| Cyprus | 1 July 2026 |
| Italy | 1 July 2026 |
| Belgium | 1 July 2026 |
| Portugal | 1 July 2026 |
If you operate in a jurisdiction whose window has already closed, you cannot wait until 1 July 2026. You need CASP authorization now — or you must cease serving clients in that market. For new applicants (not previously registered under a national regime): MiCA authorization is required from day one — no transitional window applies.
After 1 July 2026: no transitional provisions exist. Any CASP without authorization, a pending grandfathered application (in jurisdictions that allow it), or an Article 60 notification must either hold a CASP authorization or stop serving EU clients immediately.
The Ten MiCA Regulated Services
MiCA Article 3(1)(16) defines ten regulated crypto-asset services. A CASP must be authorized for each service it provides:
| # | Service | Capital class |
|---|---|---|
| 1 | Custody and administration of crypto-assets | Class 2 — €125K |
| 2 | Operation of a crypto-asset trading platform | Class 3 — €150K |
| 3 | Exchange of crypto-assets for fiat | Class 2 — €125K |
| 4 | Exchange of crypto-assets for other crypto-assets | Class 2 — €125K |
| 5 | Execution of orders for crypto-assets on behalf of clients | Class 1 — €50K |
| 6 | Reception and transmission of orders | Class 1 — €50K |
| 7 | Placing of crypto-assets | Class 1 — €50K |
| 8 | Providing advice on crypto-assets | Class 1 — €50K |
| 9 | Portfolio management of crypto-assets | Class 1 — €50K |
| 10 | Providing transfer services for crypto-assets | Class 1 — €50K |
Capital class is determined by the highest-class service in scope. A CASP authorized for Class 3 (trading platform) is automatically authorized for all Class 1 and Class 2 services as well.
Critical: capital must be in qualifying own funds — paid-up share capital, share premium, retained earnings. Crypto-assets held on the balance sheet do not count as regulatory capital under MiCA. A firm with €200,000 in Bitcoin but only €50,000 in paid-up share capital has €50,000 in qualifying capital — not €250,000.
Article 60 — The CIF Shortcut
This is the most commercially significant MiCA provision that competitors rarely explain clearly.
MiCA Article 60 provides a simplified notification procedure — not a full authorization — for entities already licensed under:
A CySEC-licensed Cyprus Investment Firm (CIF) can add the following CASP services through an Article 60 notification rather than a full application:
The notification is submitted to CySEC, processed within a defined timeline, and results in the CIF being added to the ESMA CASP register for the notified services — without the full capital, governance, and application burden of a fresh CASP authorization.
For exchange services (Service 3/4) and trading platform operation (Service 2)/custody (Service 1): a full CASP authorization is required even for existing CIF holders.
Zitadelle AG's Limassol headquarters provides direct CySEC access for both Article 60 notifications and full CASP authorizations. For clients who already hold a CySEC CIF: the Article 60 pathway is typically faster than any alternative and avoids the capital increase that a full CASP authorization for exchange/custody would require.
Jurisdiction Selection — Where to Apply for MiCA CASP Authorization
The choice of jurisdiction determines your NCA, your processing timeline, your substance requirements, and your tax position. MiCA applies identically across the EU — the regulation is the same in every member state — but NCAs interpret and enforce it at different speeds and with different supervisory cultures.
Cyprus (CySEC) — Zitadelle AG's Primary Jurisdiction
Cyprus is Zitadelle AG's home jurisdiction and the jurisdiction where we have direct CySEC regulatory access and relationships.
Why Cyprus for MiCA CASP:
CySEC experience: CySEC has supervised crypto businesses since 2021 under the national CASP regime. This supervisory experience means CySEC reviewers understand crypto business models in a way that less-experienced NCAs do not. Application review quality is higher — and rejection rates for well-prepared files are lower.
English-speaking: CySEC conducts its review in English. All application documentation, regulatory correspondence, and supervisory communications are in English — no translation burden.
Tax: Cyprus CIT 15% with IP Box (~2.5% for qualifying IP income) and 0% withholding on outbound dividends.
Article 60 integration: For operators already holding a CySEC CIF license, adding CASP services through Article 60 notification is straightforward from a Cyprus base.
MiCA application deadline: CySEC required new applications from existing national CASPs by 27 February 2026. New applicants (not previously national CASPs) can apply at any time.
CySEC CASP capital: Class 1 — €50,000; Class 2 — €125,000; Class 3 — €150,000. CySEC may require additional capital based on risk profile.
Timeline: 4–6 months for well-prepared applications.
Lithuania (Bank of Lithuania)
For operators where speed is the primary variable and tax optimization is secondary.
Why Lithuania for MiCA CASP:
Volume: Bank of Lithuania has authorized more CASP and EMI combinations than any other EU NCA.
English-friendly: All substantive correspondence accepted in English.
EMI + CASP dual licensing: For operators needing both a payment license (EU EMI) and a CASP, the Bank of Lithuania provides both — the most integrated dual-license structure in the EU.
Tax: 17% CIT (5% for small companies). 0% on undistributed profits not applicable in Lithuania (that is the Estonian/Latvian model).
Transitional window: Closed 1 January 2026. New applications can still be submitted — the window closure only affects grandfathering of old national registrations.
Timeline: 4–8 months. Bank of Lithuania has a documented applicant guide and published processing expectations.
Other Viable Jurisdictions
Malta (MFSA): English-speaking, experienced with crypto via legacy VFA framework. Predictable timelines. Hosts OKX, Crypto.com, Gemini, Gate, Blockchain.com. Transition window still open to 1 July 2026.
Germany (BaFin): Highest institutional prestige. Slow processing. Requires German-language submissions. ~25% of all EU CASP licenses. Transition window closed 31 December 2025.
Luxembourg (CSSF): Premium institutional reputation. English and French accepted. Strong for institutional models. Transition window open to 1 July 2026.
Jurisdiction comparison
| Feature | Cyprus (CySEC) | Lithuania (BoL) | Malta (MFSA) | Germany (BaFin) |
|---|---|---|---|---|
| Language | English | English | English | German |
| CIT rate | 15% | 17% | ~5% eff. | ~30% |
| EMI dual licensing | Yes (CBC) | Yes (BoL) | Yes (MFSA) | Yes (BaFin) |
| CIF Article 60 | Yes — natural | Separate NCA | Separate NCA | Separate NCA |
| Institutional credibility | High | High | High | Highest |
| Timeline | 4–6 months | 4–8 months | 4–8 months | 9–18 months |
| Zitadelle presence | HQ — direct access | Remote advisory | Remote advisory | Remote advisory |
| Transition window | 1 Jul 2026 | Closed Jan 2026 | 1 Jul 2026 | Closed Dec 2025 |
MiCA CASP Requirements — What Every Application Must Contain
MiCA sets a single regulatory standard across all EU NCAs. Every CASP application, regardless of jurisdiction, must address:
Corporate structure:
EU-registered company with registered office in the home member state. At least one EU-resident executive director — NCAs including CySEC, Bank of Lithuania, and BaFin have rejected applications where directors were non-resident or "fly-in" executives attending monthly. Real EU management presence is required.
Capital:
Qualifying own funds of €50,000 (Class 1), €125,000 (Class 2), or €150,000 (Class 3). Must be in paid-up share capital, share premium, or retained earnings — not crypto-assets. Held in a segregated account at an EU credit institution. NCA may require additional capital.
Programme of Operations (PoO):
Detailed description of the CASP's business model, services to be provided, target client categories, geographic scope, marketing approach, technology infrastructure, and 3-year financial projections. NCAs identify generic template PoOs instantly and downgrade these to high-scrutiny review. The PoO must reflect the actual business.
Governance:
Board with at least one EEA-resident executive director. Three-lines-of-defence model. Clear risk and compliance functions reporting to board. Fit-and-proper assessments of all key function holders: CEO, CFO, CRO, MLRO, Head of Custody, Head of IT. Deputies identified for every regulated function.
AML/CFT programme:
Comprehensive AML/CTF programme aligned with EBA Guidelines and 6AMLD: written ML/TF risk assessment covering crypto-specific typologies (mixers, privacy coins, peel chains, self-hosted wallets, NFT wash trading), CDD procedures, EDD triggers, sanctions and PEP screening, transaction monitoring rules, SAR/STR reporting workflow, MLRO appointment and regulatory approval, Travel Rule implementation (IVMS101, self-hosted wallet procedures).
DORA (ICT risk management):
Digital Operational Resilience Act applies to all EU CASPs from January 2025. Application must include an ICT risk management framework, incident reporting procedures (initial notification within 4 hours of major ICT incident classification), DORA-compliant outsourcing contracts for all critical ICT third-party providers (Article 30 requirements: audit rights, exit plan, sub-outsourcing controls), and resilience testing plan.
Client asset safeguarding:
Client fiat received (other than EMTs) must be placed with an EU credit institution or central bank by end of next business day. No use of client assets for own account. Segregated custody accounts, daily reconciliation, clear custody contracts.
Crypto-asset custody (if in scope):
Wallet infrastructure, key management procedures, custody arrangements (hot/cold/warm split), MPC or HSM specifications, insurance coverage, and liability framework for custody losses attributable to the CASP.
Common rejection reasons (from ESMA and NCA published feedback)
The M&A Route — Buy a CASP Authorization
For operators who cannot wait 4–9 months for new authorization, a secondary market has emerged for existing CASP-authorized entities and transitional VASP entities with applications in progress.
What is available
Fully authorized MiCA CASPs: Entities holding completed CASP authorization from an EU NCA. Available for acquisition subject to NCA approval of the change of control. Immediate EU-wide passporting upon acquisition and approval.
Transitional VASP entities with pending applications: Entities registered under national regimes before 30 December 2024 that submitted CASP applications before their national deadline. These entities can continue operating during NCA review — the buyer acquires an operating entity plus a running authorization application. Entities in Cyprus, Malta, France, and Luxembourg with applications submitted before 1 July 2026 are the most commercially valuable.
Pricing (current market, June 2026)
Transitional VASP entities in strong MiCA jurisdictions (Lithuania, Cyprus, Malta) are trading between €200,000 and €600,000 depending on authorization status, service scope, quality of application already submitted, and operational infrastructure.
Fully authorized CASPs command higher premiums reflecting the value of immediate operationality and confirmed passporting rights.
The Zitadelle advantage
Zitadelle AG lists available CASP-authorized and MiCA-transitional entities on Financial License Market — our dedicated marketplace for licensed financial businesses. This is the same platform where we have completed 7+ South African FSP acquisitions and multiple other regulated entity transactions.
Ongoing Compliance After Authorization
CASP authorization is not a one-time event. Ongoing obligations begin immediately and are supervised by the home NCA on a continuous basis:
Capital maintenance: Own funds must remain above the applicable class threshold at all times. Quarterly own funds reports to NCA.
Annual audit: Financial statements audited by an independent EU-registered auditor.
Crypto-asset whitepaper: Required for CASPs placing crypto-assets (Service 7) — regulated document with prescribed content, liability framework, and NCA notification requirements.
NCA regulatory reporting: Periodic reports to the home NCA on client numbers, transaction volumes, complaints, incidents, and governance changes.
DORA ongoing obligations: Annual ICT risk management framework review, resilience testing (vulnerability assessments, network security tests, TLPT for larger CASPs), third-party ICT provider register maintenance.
Travel Rule: Continuous IVMS101 data collection and transmission for qualifying transfers, counterparty VASP/CASP identification, self-hosted wallet procedure implementation. Compliance with Regulation (EU) 2023/1113.
AML/CTF ongoing: Transaction monitoring, FIU reporting, customer risk reassessment, annual risk assessment update, MLRO annual report to board.
Material change notifications: NCA prior approval required for material changes to services, governance, ownership (change of control), or business model. Non-notified material changes can result in NCA enforcement action.
Zitadelle AG provides full ongoing MiCA CASP compliance management — annual audit coordination, NCA reporting, DORA framework maintenance, AML/CTF annual updates, and change notification management.
Zitadelle AG — Complete MiCA CASP Service
CASP Authorization (new applicants): Cyprus (CySEC) application — primary jurisdiction with direct regulatory access. Lithuania (Bank of Lithuania) application — for EMI+CASP dual structures. Corporate structuring, EU director sourcing, capital structuring. Complete Programme of Operations drafting. AML/CTF programme preparation (crypto-specific typologies, Travel Rule, self-hosted wallet procedures). DORA ICT risk management framework. CySEC/NCA submission and full application management. Regulatory correspondence and examiner engagement.
Article 60 Notification (existing CIF holders): Simplified notification preparation and submission for CySEC CIF licensees adding CASP services. Scope analysis — which services can be added via Article 60 vs requiring full authorization. Timeline: typically faster than full CASP authorization.
M&A / CASP Acquisition: Identification of suitable CASP-authorized or transitional entities via Financial License Market. Transaction structuring, NCA change of control notification, regulatory approval management.
Ongoing Compliance: Annual audit coordination, NCA regulatory reporting, DORA maintenance, AML/CTF annual review, Travel Rule compliance programme, change notification management.
Frequently Asked Questions
Ready to obtain your MiCA CASP authorization before the July 2026 deadline?
Zitadelle AG provides end-to-end MiCA CASP authorization support from our Limassol, Cyprus headquarters — direct CySEC access, Bank of Lithuania relationships, the Article 60 CIF shortcut, and CASP acquisition via Financial License Market. The window is closing — act now.
Related Services & Resources
Related Licenses
Cyprus CIF License (CySEC)
CySEC Cyprus Investment Firm — the natural base for the MiCA Article 60 notification pathway to add crypto-asset services without full CASP authorization.
Cyprus Payment Institution (CBC)
Cyprus Payment Institution licensed by the Central Bank of Cyprus — complements a CASP for fiat on/off-ramp and EU payment services.
Lithuania EMI License
Bank of Lithuania Electronic Money Institution — the most integrated EU EMI + CASP dual-license structure for crypto operators needing both.
Mauritius VASP License (VAITOS)
FSC Mauritius VASP — offshore alternative with ~3% effective tax and 46+ DTAAs. Often paired with an EU CASP for global structures.
This page is provided for informational purposes only and does not constitute legal or regulatory advice. MiCA (Regulation (EU) 2023/1114), DORA, and national competent authority requirements continue to evolve. Always consult a qualified advisor before initiating a CASP authorization, Article 60 notification, or acquisition process. Last updated: June 2026.