The MiCAR transitional period for existing crypto-asset service providers expires on 1 July 2026. If your firm was operating under national law before 30 December 2024, you have until that date to obtain MiCAR authorisation — or cease serving EU clients.

This article provides a structured, article-by-article compliance checklist for CASP authorisation under MiCAR (Regulation (EU) 2023/1114). It is designed for compliance officers and legal teams at crypto firms preparing their applications. Every requirement below is mapped to its source in the regulation.

Before You Start: Determine Your Scope

Before working through the checklist, answer two threshold questions:

1. Do you need standalone CASP authorisation?

Under Article 59, entities that are already authorised as credit institutions (CRD), investment firms (MiFID II), electronic money institutions (EMD2), UCITS management companies, AIFMs, central securities depositories, or market operators may provide certain crypto-asset services without a separate CASP licence — though they must notify their competent authority at least 40 working days in advance (Article 60).

If you do not hold one of these existing authorisations, you need a standalone CASP licence under Article 63.

2. Which crypto-asset services do you provide?

Article 3(1)(16) defines ten crypto-asset services. Your application scope — and your capital requirements — depend on which services you intend to offer:

| # | Service | MiCAR Article | Capital Tier | |---|---------|---------------|--------------| | 1 | Custody and administration of crypto-assets | Article 75 | EUR 50,000 | | 2 | Operation of a trading platform | Article 76 | EUR 150,000 | | 3 | Exchange of crypto-assets for funds | Article 77 | EUR 125,000 | | 4 | Exchange of crypto-assets for other crypto-assets | Article 78 | EUR 125,000 | | 5 | Execution of orders | Article 79 | EUR 125,000 | | 6 | Placing of crypto-assets | Article 80 | EUR 50,000 | | 7 | Reception and transmission of orders | Article 81 | EUR 50,000 | | 8 | Providing advice on crypto-assets | Article 82 | EUR 50,000 | | 9 | Portfolio management on crypto-assets | Article 83 | EUR 50,000 | | 10 | Transfer services for crypto-assets | Article 84 | EUR 50,000 |

If you provide multiple services, the highest applicable capital threshold applies.

Part 1: Corporate and Capital Requirements

1.1 Legal Entity and Registered Office

[ ] Legal person established in an EU Member State (Article 59(1)) — MiCAR authorisation is only available to legal persons with a registered office in the EU
[ ] Registered office and head office in the same Member State — this is a substance requirement; brass-plate arrangements with all decision-making outside the EU are not permitted
[ ] Legal entity identifier (LEI) obtained and current

1.2 Minimum Own Funds (Article 67)

[ ] Identify your capital tier based on the services table above
[ ] Calculate one quarter of fixed overheads from the preceding year — if this amount exceeds your minimum tier, you must hold the higher amount
[ ] Own funds must be permanent capital — equity, retained earnings, or other qualifying instruments (not deposits, not client funds)
[ ] Maintain own funds at all times — this is an ongoing obligation, not just at authorisation
[ ] Document own funds calculation with audited financial statements or certified accounts

1.3 Professional Indemnity Insurance (Article 67(5))

[ ] As an alternative to a portion of own funds, assess whether professional indemnity insurance covering the territories where services are provided is appropriate
[ ] If relying on insurance, ensure the policy covers liability arising from professional negligence across all Member States where you intend to operate

Part 2: Governance and Organisation

2.1 Management Body (Article 68)

[ ] At least two natural persons effectively direct the business — both must be EU-resident
[ ] Fit-and-proper assessment for all members of the management body: sufficient knowledge, skills, experience, and good repute
[ ] Fit-and-proper assessment for qualifying shareholders (persons with 20% or more of share capital or voting rights)
[ ] Diversity policy for the management body — assessed as part of the governance arrangements
[ ] Time commitment — management body members must devote sufficient time to their functions

2.2 Organisational Requirements (Article 68)

[ ] Internal control mechanisms — documented policies on compliance, risk management, and internal audit
[ ] Risk management procedures — identification, measurement, and management of all material risks
[ ] Accounting procedures — reliable financial reporting and record-keeping
[ ] Record-keeping — maintain records of all crypto-asset services, activities, orders, and transactions for at least 5 years (Article 68(9))
[ ] Business continuity arrangements — including ICT disaster recovery (Note: this must also comply with DORA)

2.3 Outsourcing (Article 73)

[ ] Documented outsourcing policy with risk assessment for each outsourced function
[ ] No outsourcing of key management functions that would render the CASP a "letter-box entity"
[ ] Contingency plans and exit strategies for all outsourcing arrangements
[ ] Full information available to the NCA — the outsourcing arrangement must not impair supervisory oversight
[ ] Due diligence on service providers — ongoing monitoring of outsourced functions

Part 3: Client Protection

3.1 Client Asset Segregation (Article 70)

[ ] Legal and operational segregation of client crypto-assets from proprietary holdings
[ ] Segregation of client funds from the CASP's own funds — held in separate accounts
[ ] Custody policy documented and disclosed to clients
[ ] Custodian arrangements — if using a third-party custodian, that custodian must itself be an authorised CASP (Article 75)
[ ] Client register — maintain an accurate register of positions held for each client
[ ] Return procedures — documented process for returning client assets promptly in all circumstances, including insolvency

3.2 Complaints Handling (Article 71)

[ ] Complaints handling procedure — documented, effective, and disclosed to clients
[ ] Response timeframes — handle complaints within a reasonable timeframe, keeping clients informed
[ ] Complaints register — record all complaints and the measures taken to resolve them
[ ] Free of charge — no charges for filing complaints

3.3 Conflicts of Interest (Article 72)

[ ] Conflicts of interest policy — identify, prevent, manage, and disclose conflicts
[ ] Annual review of the conflicts of interest policy
[ ] Proprietary trading conflicts — address situations where the CASP trades on its own account alongside clients
[ ] Disclosure to clients — where conflicts cannot be prevented, disclose them clearly before providing the service

3.4 Conduct of Business (Articles 66, 72)

[ ] Act honestly, fairly, and in the best interests of clients
[ ] Clear, fair, and not misleading information and marketing communications
[ ] Pricing and fee transparency — publicly available pricing policies
[ ] Environmental impact disclosures — climate impact information on consensus mechanisms used by the crypto-assets serviced

Part 4: Service-Specific Requirements

Depending on which services you provide, the following additional obligations apply.

4.1 Custody and Administration (Article 75)

[ ] Custody policy covering security, operational procedures, and asset segregation
[ ] Periodic statements to clients on the crypto-assets held
[ ] Liability regime — the CASP is liable for loss of client crypto-assets, including from cybersecurity incidents, up to the market value of the assets lost
[ ] Wind-down plan specific to custody operations

4.2 Trading Platform Operation (Article 76)

[ ] Operating rules — non-discriminatory, transparent, published
[ ] Access criteria — clear and fair rules for who may trade
[ ] Settlement within 24 hours (or same settlement cycle as established)
[ ] Pre- and post-trade transparency — transaction data publicly available
[ ] Order records retained for at least 5 years
[ ] Market abuse detection — systems to detect and report suspected market manipulation (Title VI of MiCAR)

4.3 Exchange Services (Articles 77–78)

[ ] Commercial policy setting out the types of exchange services offered
[ ] Non-discriminatory pricing and transparent price determination methodology
[ ] Volume reporting to the NCA on a periodic basis
[ ] Wind-down plan for exchange operations

4.4 Order Execution (Article 79)

[ ] Best execution policy — execute orders on terms most favourable to the client
[ ] Execution policy disclosure — inform clients about the execution policy before providing the service
[ ] Periodic reporting on execution quality to clients

4.5 Advice and Portfolio Management (Articles 82–83)

[ ] Suitability assessment — assess the client's knowledge, experience, financial situation, and objectives before providing advice or portfolio management
[ ] Qualified personnel — staff providing advice must have the necessary knowledge and competence
[ ] Independence disclosures — if claiming to provide independent advice, disclose the basis for this
[ ] Periodic statements — at least quarterly, detailing portfolio composition, performance, and costs
[ ] Fee restrictions — where providing portfolio management, the CASP may not accept fees, commissions, or monetary benefits from third parties unless fully disclosed

Part 5: AML/CFT Compliance

CASPs are "obliged entities" under the EU AML framework. Your application must include fully developed AML/CFT policies — not placeholder documents.

5.1 Core AML Obligations

[ ] AML/CFT policy framework — documented policies and procedures for customer due diligence, ongoing monitoring, suspicious transaction reporting, and record-keeping
[ ] Money Laundering Reporting Officer (MLRO) appointed — member of senior management
[ ] Risk assessment — enterprise-level ML/TF risk assessment covering customers, products, geographies, and delivery channels
[ ] Customer due diligence (CDD) — identity verification, beneficial ownership identification, ongoing monitoring
[ ] Enhanced due diligence (EDD) — for high-risk customers, PEPs, complex or unusual transactions, and high-risk third countries
[ ] Suspicious transaction reporting — procedures to detect and report to the Financial Intelligence Unit (FIU)
[ ] Record-keeping — retain CDD and transaction records for at least 5 years after the business relationship ends
[ ] Staff training — regular AML/CFT training for all relevant staff

5.2 Travel Rule Compliance (Regulation (EU) 2023/1113)

[ ] Originator and beneficiary information must accompany crypto-asset transfers
[ ] No minimum threshold — the Travel Rule applies to all transfers, regardless of amount
[ ] Technical implementation — ensure your systems can transmit and receive Travel Rule data
[ ] Screening procedures — screen originator and beneficiary data against sanctions lists

5.3 AMLA Supervision

[ ] Be aware that the new EU Anti-Money Laundering Authority (AMLA) may assume direct supervisory responsibility for high-risk CASPs operating cross-border from 2028 onwards
[ ] Ensure AML/CFT policies meet the standards of the AML Regulation (Regulation (EU) 2024/1624), which applies directly across the EU

Part 6: ICT and Operational Resilience (DORA Alignment)

CASPs are financial entities within the scope of DORA (Regulation (EU) 2022/2554). Your MiCAR application should demonstrate DORA compliance from the outset.

6.1 ICT Risk Management (DORA Articles 5–16)

[ ] ICT risk management framework — documented, approved by the management body, reviewed annually
[ ] ICT systems inventory — register of all ICT assets and dependencies
[ ] Protection and prevention — network security, encryption, access controls
[ ] Detection capabilities — continuous monitoring for anomalous activities
[ ] Response and recovery plans — tested ICT business continuity and disaster recovery plans

6.2 Incident Reporting (DORA Articles 17–23)

[ ] Incident classification — process for classifying ICT incidents using DORA's 7-criteria framework
[ ] Reporting procedures — ability to submit initial notification within 4 hours of classification, intermediate report within 72 hours, final report within 1 month
[ ] Incident register — maintain a log of all ICT-related incidents

6.3 Third-Party ICT Risk (DORA Articles 28–44)

[ ] Register of ICT third-party providers — information register as required by Article 28(3)
[ ] Contractual arrangements meeting DORA Article 30 requirements — including audit rights, data access, exit clauses
[ ] Concentration risk assessment — evaluate dependency on critical ICT providers

6.4 Digital Operational Resilience Testing (DORA Articles 24–27)

[ ] Testing programme — regular testing of ICT tools, systems, and processes
[ ] Threat-led penetration testing (TLPT) — if classified as a significant financial entity, conduct TLPT at least every 3 years

Part 7: Application Documentation (Article 62)

Your formal application to the NCA must include the following:

[ ] Company details — registered office address, articles of association, LEI
[ ] Programme of operations — detailed description of each crypto-asset service you intend to provide, types of crypto-assets covered, target markets
[ ] Governance arrangements — organisational chart, internal control framework, risk management procedures, accounting procedures, outsourcing arrangements
[ ] Management body information — identity, CV, fitness-and-propriety documentation for all directors and qualifying shareholders
[ ] Own funds evidence — audited accounts or certified financial statements demonstrating compliance with Article 67
[ ] Business continuity plan — including orderly wind-down plan (Article 74) and ICT recovery procedures
[ ] ICT security description — ICT systems architecture, security arrangements, DORA alignment evidence
[ ] AML/CFT documentation — complete AML/CFT policy framework, risk assessment, CDD procedures, Travel Rule implementation
[ ] Client asset segregation — detailed description of custody and segregation arrangements
[ ] Complaints handling procedures — documented and ready for implementation
[ ] Conflicts of interest policy — identifying all potential conflicts and mitigation measures

Part 8: Timeline and Practical Considerations

8.1 NCA Processing Timeline

Under Article 63, the competent authority must:

Acknowledge receipt within 5 working days
Assess completeness within 25 working days — if incomplete, the NCA requests additional information and the clock resets
Make a decision within 40 working days of a complete application (extendable to 60 working days)

Realistic total: 4-6 months from submission to decision, accounting for supplementary information requests.

8.2 Critical Path to 1 July 2026

| Milestone | Target Date | Notes | |-----------|-------------|-------| | Pre-application meeting with NCA | Now | Most NCAs offer this; strongly recommended | | Appoint EU-resident directors | Immediately | Substance requirement | | Complete application documentation | April 2026 | Allow 6-8 weeks for thorough preparation | | Submit application to NCA | April-May 2026 | Earlier is better | | NCA completeness assessment | +25 working days | Respond to queries immediately | | NCA substantive decision | +40 working days | Application submitted = you can continue operating | | Transitional period expires | 1 July 2026 | Must have submitted before this date |

8.3 Jurisdiction-Specific Considerations

Netherlands (AFM): The AFM has published detailed application guidance. Existing VASPs registered under the Wwft must apply for full CASP authorisation. The AFM conducts pre-application assessments and has indicated high scrutiny on governance substance.

Germany (BaFin): BaFin has published MiCAR application forms and guidance. Existing crypto custody licence holders under the KWG must transition to MiCAR. BaFin requires German-language documentation for governance arrangements.

Luxembourg (CSSF): The CSSF has established a dedicated MiCAR team. Luxembourg's position as a fund domicile means particular scrutiny on custody arrangements for tokenised fund interests.

France (AMF): AMF-registered DASPs must apply for MiCAR authorisation. France was among the first Member States to regulate crypto-asset services, so existing licensees may have a head start on documentation.

Ireland (CBI): The CBI has published its approach to MiCAR supervision. Ireland's importance for payment services means CBI will focus on compliance infrastructure.

Part 9: Post-Authorisation Obligations

Authorisation is not the end — it is the beginning of ongoing compliance.

[ ] Ongoing capital maintenance — own funds must be maintained at all times, not just at authorisation
[ ] Regulatory reporting — periodic reporting to the NCA on financial condition, client assets, and service volumes
[ ] Notification of material changes — any change to the information in the application must be notified to the NCA (Article 64)
[ ] Annual compliance review — review and update all policies and procedures at least annually
[ ] ESMA public register — your authorisation details are publicly available; ensure they remain accurate
[ ] Passporting notifications — if expanding to new Member States, notify the home NCA under Article 65
[ ] Market abuse monitoring — ongoing obligation to detect and report suspected market abuse under Title VI

How financialregulations.eu Can Help

Our platform covers MiCAR in full — every article, every recital, every RTS and ITS published to date. Use it to:

Query specific requirements: Ask about any Article referenced in this checklist and get a cited answer grounded in the regulatory text
Review draft documents: Upload your governance framework, AML policies, or application documentation and get them analysed against MiCAR requirements
Cross-reference with DORA: Understand how DORA's ICT requirements interact with MiCAR's authorisation conditions
Track regulatory updates: Monitor for new ESMA guidance, RTS publications, and NCA interpretations relevant to your application

Start your MiCAR compliance analysis — free

Frequently Asked Questions

What happens if my application is pending on 1 July 2026?

If you have submitted a valid, complete application before the transitional deadline, you may continue operating while the NCA processes it. The critical requirement is to have the application submitted — not merely started — before the deadline. Article 143(5) of MiCAR makes this clear: the transitional arrangement continues until the NCA grants or refuses authorisation.

Can I apply in one country and serve the entire EU?

Yes. MiCAR provides full EU passporting rights under Article 65. Once authorised by your home NCA, you notify them of the Member States where you intend to provide services. No separate licence is needed in each country. Choose your home Member State based on regulatory relationship, language, and supervisory approach.

What if I provide both crypto-asset services and financial instrument services?

You need both a MiCAR CASP authorisation and a MiFID II licence (or equivalent). The boundary depends on whether the token qualifies as a financial instrument under MiFID II Annex I, Section C, or as a crypto-asset under MiCAR Article 3(1)(5). ESMA has published classification guidance — see our MiCAR vs MiFID II comparison for details.

How does MiCAR interact with the new AML package?

CASPs are obliged entities under the AML Regulation (Regulation (EU) 2024/1624) and AMLD6 (Directive (EU) 2024/1640). The AML package applies directly — your AML/CFT obligations are not dependent on national transposition for core requirements. The Travel Rule for crypto-asset transfers (Regulation (EU) 2023/1113) applies to all transfers with no minimum threshold.

Is DORA compliance required for MiCAR authorisation?

Yes. CASPs are in scope of DORA (Article 2(1)(t) of Regulation (EU) 2022/2554). NCAs assess ICT resilience as part of the MiCAR authorisation decision. Your application should demonstrate that you have implemented — or have a credible plan to implement — a DORA-compliant ICT risk management framework. See our DORA compliance guide for fund managers for the five-pillar framework.