MiCA licensing in the EU: how to become an authorised CASP

MiCA is Regulation (EU) 2023/1114, the Markets in Crypto-Assets Regulation. It is the European Union's first comprehensive, directly-applicable framework for crypto-assets that fall outside existing financial-services law. Because it is a Regulation rather than a Directive, it applies uniformly across all member states without national transposition, which means the core rules are the same whether a firm is based in Tallinn, Paris or Dublin.

MiCA entered into application in two phases. The rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) applied from 30 June 2024. The rules for crypto-asset service providers and the broader regime applied from 30 December 2024. From that second date, providing crypto-asset services to clients in the EU has required authorisation under MiCA.

MiCA covers the issuance, public offering and admission to trading of crypto-assets, and the provision of crypto-asset services. It does not cover assets already regulated as financial instruments, deposits or e-money under other EU law, which is why scoping the right regime is the first task in any licensing project.

A CASP, or crypto-asset service provider, is any entity that provides crypto-asset services to clients in the EU under Regulation (EU) 2023/1114. The defining test is the activity and the client base, not the location of the company, so a provider established outside the EU that actively serves EU clients still falls within scope.

MiCA lists a closed set of crypto-asset services. A firm should map its business model against this list before anything else, because the services it offers determine both the authorisation class and the minimum capital it must hold.

Yes. Any provider that offers crypto-asset services to clients in the EU needs MiCA authorisation, regardless of where it is based. MiCA does not contain a general third-country passport, so a non-EU firm that wants to serve EU clients on an ongoing basis typically establishes an authorised entity within the EU.

There is a narrow exception, often called reverse solicitation, where a client in the EU approaches a third-country provider entirely on their own initiative. This carve-out is interpreted strictly and cannot be used to market or solicit EU clients, so it is unsafe as the foundation of a business plan.

MiCA sets minimum own-funds requirements in Annex IV, organised by class of service. A CASP must hold at least the higher of the fixed minimum for its class or one quarter of its fixed overheads from the previous year. Where a firm spans several classes, the highest applicable minimum applies.

These figures are a floor, not a budget. In practice a credible application also evidences enough working capital, governance and operational substance to run the business safely, which is what the supervisor actually assesses.

A MiCA licence is granted by a national competent authority (NCA) in the member state where the firm is established. Once authorised, a CASP can passport its services across the entire EU and EEA by a home-to-host notification, without applying for a new licence in each country. At EU level, ESMA and the EBA coordinate supervision, with the EBA overseeing significant asset-referenced and e-money tokens.

In Estonia the national competent authority is Finantsinspektsioon, the Financial Supervision and Resolution Authority, which took over crypto-asset licensing in 2025. Estonia targets a decision on a complete CASP application within roughly 40 working days, with a completeness check in around 25, although these are targets rather than guarantees. The combination of a single-market passport and an EEA seat is why many founders treat Estonia as a launchpad into the wider European market.

Firms that were already operating legally under national law before 30 December 2024 may continue under a transitional regime until they are authorised or refused, or until 1 July 2026 at the latest, whichever comes first. Member states set different lengths within that window, so the practical deadline depends on the country. In practice, 1 July 2026 is the outer limit rather than a guaranteed runway: an individual member state may set an earlier cut-off, so a firm should confirm the exact deadline that applies in its target jurisdiction before relying on the transitional regime.

Estonia illustrates the point. VASP licences previously issued by the national Financial Intelligence Unit are valid only until 1 July 2026 and do not convert automatically into a MiCA authorisation. A provider that applied to Finantsinspektsioon before that date but has not yet received a decision is not treated as unauthorised, but typically may not enter new customer contracts until the decision is made.

Operating without authorisation after the applicable deadline is not a grey area. For legal persons, administrative fines can reach up to EUR 5 million or 3% of total annual turnover, whichever is higher, and the activity itself is unlawful. The case for preparing the application early is straightforward: the transitional clock is finite and the downside is severe.

Authorisation is won on the quality of the file, not on the intention to comply. A strong MiCA application reads as a coherent picture of a business that the supervisor can trust, which is where most of the real work sits.

Stablecoins follow a separate track and should not be confused with a CASP licence. E-money tokens, which reference a single official currency such as a euro stablecoin, may only be issued by an authorised credit institution or electronic money institution. Asset-referenced tokens require their own authorisation as an ART issuer. Both require a published crypto-asset white paper, so a firm that issues a token as well as providing services has two regimes to manage.