Skip to content

MiCAR under the microscope - Part 4: The CASP licensing regime

To avoid potential risks to investor protection, as well as to financial stability within the European single market, the Regulation on Markets in Crypto-assets (MiCAR) is about to introduce a harmonised and dedicated  set of rules governing the activities carried out by crypto-asset service providers (the so-called CASPs), as well as a passporting procedure to facilitate the performance of these services within the EU on a cross-border basis or through the right of establishment. 

Therefore, whilst at the date of this publication neither the status of a CASP nor the performance of any services pertaining to and/or linked to crypto-assets triggers licensing requirements or regulatory restrictions, this will no longer be the case once MiCAR becomes fully effective in the European Union. In particular, upon completion of the phase-in regime, the performance of crypto-asset services will be a restricted activity, reserved to duly authorised or passported CASPs, and will also be subject to compliance with, among others, a set of rules of conduct, ongoing reporting requirements, and prudential measures and safeguards.

The fourth instalment of our “MiCAR under the Microscope” bulletin series provides an insight into the newly introduced regulatory status of CASPs, focusing on the scope of the activities these regulated entities may carry out, the main steps of the authorisation and passporting process and procedures, and what the phase-in regime entities that already performed crypto-asset services prior to the entry into force of MiCAR may benefit from.

Who are the CASPs?

In order to enable effective supervision and to defeat the circumvention or evasion of the applicable regulatory regime, MiCAR introduces a clear and comprehensive taxonomy of both the regulatory status of CASPs (i.e. the entities which are eligible to have this status and the relevant pre-conditions and requirements), as well as the services (and relevant characterising features and limits) covered by a CASP licence.   

According to Article 3(1)(15) of MiCAR, a CASP is defined as a “legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis and that is allowed to provide crypto-assets services[…].”

Therefore, according to the combined reading of the above definition and the recitals accompanying MiCAR, the regulatory status of CASPs, upon authorisation, may only be granted to:

(i) legal persons having their registered office in a Member State where they carry out substantive business activities, including the provision of crypto-asset services. To avoid undermining this requirement and to ensure effective supervision by the relevant national competent authority (NCA), MiCAR also provides for a management localisation requirement to be complied with by the CASPs. In particular, CASPs are asked to have, on a permanent/ongoing basis, their place of effective management in the European Union, and at least one of the directors shall be resident in the European Union;

(ii) other undertakings that are not legal persons having their registered office in Member States (e.g. a commercial partnership). Based on their particular legal status, in any event, MiCAR envisages that other undertakings will be permitted to render crypto-asset services, only provided that their legal form ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons and the applicability (and consequent compliance with) of a form of prudential supervision appropriate to their legal form; and

(iii) the following firms that are subject to European acts and regulations on financial services (e.g. regulated entities): credit institutions; central securities depositaries; investment firms; market operators; electronic money institutions; UCITS1management companies; or AIF2 managers. Based on their status as a “regulated entity”, these firms may be permitted to offer crypto-asset services without being required to obtain a prior authorisation, if they notify their home State competent authorities with certain information before providing the crypto-asset services for the first time. In other words, MiCAR envisages that regulated entities may act as a CASP upon the completion of a top-up licence procedure.

What are the CASPs’s in-scope activities?

As set out in our second instalment of this “MiCAR under the Microscope” series, the following crypto-asset services fall within the scope of MiCAR:

a) providing custody and administration of crypto-assets on behalf of clients;

b) operating a trading platform for crypto-assets;

c) exchange of crypto-assets for funds;

d) exchange of crypto-assets for other crypto-assets;

e) execution of orders for crypto-assets on behalf of clients;

f) placing of crypto-assets;

g) reception and transmission of orders for crypto-assets on behalf of clients;

h) providing advice on crypto-assets;

i) providing portfolio management on crypto-assets; and

j) providing transfer services for crypto-assets on behalf of clients.

How does the regulatory process work?

(a) The authorisation procedure for previously unregulated entities

The authorisation procedure provided by MiCAR kicks off with the submission by the CASP of an application, including a pre-determined set of information and accompanying documentation pertaining to, inter alia;

(i) the identity of the applicant CASP and its corporate structure;

(ii) the activities the CASP intends to perform;

(iii) the shareholders’ panel (and relevant compliance with the fit and proper requirements); and

(iv) the technical documentation and security arrangements, whereby the CASP seeking the application will ensure on an ongoing basis the compliance with the requirements provided for by MiCAR.

In addition to this information package, depending on the specific crypto-asset services, further information, details or accompanying documents may also be required.

ESMA shall, in close cooperation with the EBA, develop draft technical standards to further specify the information to be included in the authorisation application and the relevant standard forms, templates and procedures for the information to be included in the application for authorisation by 30 June 2024. ESMA launched a public hearing aimed at adopting the regulatory technical standards (RTS) as to the authorisation application and information package in July 2023. The public consultation ended in September and the final version of the RTS is expected to be published no later than Q1 2024.

Competent authorities shall grant or refuse authorisation as a CASP within 40 working days from the receipt of a complete application.

(b) The top-up licence provided for regulated entities/the light touch regime:

As mentioned above, MiCAR provides for a simplified procedure for those entities that are already subject to regulatory and prudential supervision according to pre-existing European and national acts and regulations on financial services.

Should the applicant CASP be a regulated entity, MiCAR provides for a top-up licensing procedure, which substantially derogates from the authorisation process outlined in paragraph (a) above. It may also vary depending on the category of the applicant. .For example:

(i) credit institutions are allowed to perform crypto-asset services, provided that they notify their NCA of a reduced set of information (and pertaining accompanying documents) at least 40 working days before providing those services for the first time;

(ii) a central security depository may only provide custody and administration of crypto-assets on behalf of clients if it notifies its NCA at least 40 working days before providing those services for the first time; and

(iii) an investment firm may provide crypto-asset services equivalent to the investment services and activities for which it is specifically authorised under MiFID if it notifies the competent authority of the home Member State of the set of information listed under Article 60(3) of MiCAR (which may vary depending on the crypto-asset services for which the top-up is being asked) at least 40 working days before providing those services for the first time.

How does the passporting procedure work?

Once authorised by the relevant NCA, a CASP shall be allowed to perform the crypto-asset services covered by its licence throughout the European Union, either on a cross-border basis or through the right of establishment (e.g. through a local branch).

MiCAR, by leveraging the regulatory experience gained under the MiFID universe, provides an easy and streamlined procedure for passporting the licence gained in the home Member State to other States within the European Union.

The relevant CASP is asked to file a passport notification with its home Member State authority notifying a set of information, including, inter alia, the list of crypto-asset services and the Member States where the CASP respectively intends to perform or passport its licence.

Once received, the passport notification will be assessed for its completeness and accuracy, and the home Member State authority will then pass the information package on to the single points of contact of the host Member States, to ESMA and the EBA, and will inform the CASP accordingly.

The CASP is then allowed to start its operations in the Member States covered by the passport notification upon receipt of the communication mentioned above or at the latest from the 15th calendar day after having submitted the passport notification to the home Member State authority.

Are exemptions from the licensing requirements available?

In order not to prevent clients established or residing within the European Union from receiving crypto-asset services from a third-country CASP, in line with the approach provided for under MiFID and MiFIR in relation to investment services and activities, MiCAR codifies the reverse solicitation exemption for the crypto-asset space.

In particular, Article 61 of MiCAR envisages that where a third-country CASP provides crypto-asset services upon the (genuinely) unsolicited own initiative of a person established in the European Union, the crypto-asset service should not be deemed as offered in the European Union and, therefore, a licensing requirement under MiCAR is not triggered.

However, to avoid an unlawful reliance on the reverse solicitation exemption or to limit its perimeter or applicability, further restrictions apply. Among others, MiCAR clarifies that the exemption is not viable where the third-country CASP, regardless of the communication channel adopted, carries out solicitation, marketing or promotion activities targeting (including prospective) clients within the European Union, either directly or through an entity acting on its behalf or having close links with such third-country firm or any other person acting on behalf of such entity. This requirement may not, in any event, be contracted out by the third-country CASP by specific contractual clauses or disclaimers whereby the parties acknowledge and agree that the crypto-asset services are offered on the client’s own exclusive initiative.

Does MiCAR provide for a transitional regime?

To help with the completion of the phase-in regime and to enable entities already providing crypto-asset services to comply with the newly introduced licensing and organisational/operational requirements, MiCAR envisages a transitional regime for those entities that were active in this market field, prior to the entryinto force of MiCAR. The transitional regime applies irrespective of the category which the relevant CASP seeking MiCAR authorisation belongs to.

In particular, CASPs that provided services falling within the definition of “crypto-asset services”, in line with the applicable provisions of law before 30 December 2024, may continue to offer their services until 1 July 2026 or until the point in time when they are granted authorisation under MiCAR, whichever is sooner. However, the viability of this transitional regime will ultimately depend on the Member States discretion. According to MiCAR, national regulators are granted the option to opt out of the transposition of the regime or may discretionally decide to reduce its duration where the pre-existing domestic regulatory regime applicable before 30 December 2024 is less strict than the one laid down by MiCAR.

Similarly, Member States do have the discretion to provide for a less restrictive/light-touch authorisation regime for applications that are submitted between 30 December 2024 and 1 July 2026 by entities that on 30 December 2024 were authorised under national laws to provide crypto-asset services. Irrespective of the decision to make this light-touch regime available for CASPs, Member States shall ensure that CASPs are complying with their obligations when offering their services generally or performing specific crypto-asset services before granting authorisation under MiCAR.


1. Please note that the reference is to “undertakings for collective investment in transferable securities” within the meaning and for the purpose of the European Directive 2009/65/EC, as amended from time to time. 

2. Please note that the reference is to “alternative investment funds” within the meaning and for the purpose of European Directive 2011/61/EU, as amended from time to time, 

3. Please note that reference is made to European Directive 2014/65/EU, as subsequently amended.

Recommended content