EST · MMXXVI
Home/Insights/Tech/CASP authorisation under mica: What Recent Enforcement Tells Operators
Licensing & Registration

CASP authorisation under mica: What Recent Enforcement Tells Operators

Casp authorisation under mica: What Recent Enforcement Tells Operators. Cross-border digital-asset legal counsel for business – licensing, disputes and structur

CASP Authorisation Under MiCA: What Recent Enforcement Tells Operators

Operating a digital-asset business in the European Union without a valid CASP authorisation (the licence granted to a Crypto-Asset Service Provider under the Markets in Crypto-Assets Regulation, or MiCA) now carries consequences that move faster than most compliance calendars allow. National competent authorities across the EU and ESMA itself have signalled, through supervisory correspondence and early enforcement posture, that the transition period is a runway to compliance – not a grace period for complacency. For exchanges, custodians and token issuers with EU user bases, the question is not whether authorisation is required but how quickly the absence of it becomes an existential problem.

MiCA creates a single, passportable CASP authorisation that, once granted by any national competent authority within the EU/EEA, allows a firm to operate across all member states. That passporting mechanism is the regime's headline commercial benefit. The enforcement reality surrounding it is more demanding: ESMA and the NCAs have made clear that the substance of the application – governance, own funds, AML posture, custody safeguards – is scrutinised against the activity actually conducted, not the activity described on the cover page.

This analysis maps the CASP authorisation process, what enforcement signals say about examiner expectations, the cross-border complications that trip operators at the threshold, and where the structural decisions sit when you are building a business meant to last under the regime.

Who Needs CASP Authorisation Under MiCA?

Any business providing crypto-asset services to clients within the EU/EEA requires a CASP authorisation under MiCA unless a specific exemption applies. The regime is activity-based. MiCA lists the regulated services – exchange services, order execution, custody and administration, portfolio management, advice, transfer services, and the operation of a trading platform – and the obligation attaches to the service, not the label the operator applies to its business.

Several misclassifications recur in our practice. A firm providing custody and administration of crypto-assets on behalf of clients will need authorisation even if it describes its product as a "wallet service." A business executing orders against client instructions is providing an execution service regardless of whether it calls itself a technology provider. The principle is well-established across EU financial regulation and ESMA's early guidance under MiCA confirms that supervisors will look through the product description to the economic substance of what is delivered.

Exemptions exist. Credit institutions authorised under the Capital Requirements Directive may provide certain crypto-asset services under a notification procedure rather than a full CASP authorisation. Investment firms authorised under MiFID II have a comparable route for some activities. But these carve-outs are narrow and conditional. Operators relying on them without a careful analysis of whether their activities align precisely with the exemption's boundaries are exposed.

The cross-border angle matters immediately here. A company incorporated in the Cayman Islands, with servers in Frankfurt and clients across Germany, France and the Netherlands, is providing services within the EU for MiCA purposes. The jurisdiction of incorporation does not determine the MiCA perimeter. Where the client sits determines the territorial reach. Operators who structured themselves outside the EU to avoid earlier VASP registration regimes now find that the regulatory perimeter has followed them to their users.

MiCA's CASP authorisation requirement applies on the basis of where services are provided to clients, not where the entity is incorporated or where its infrastructure is hosted. ESMA has confirmed that territorial scope will be assessed on the facts of each case.

What Does Recent Enforcement Signalling Tell Operators?

Early MiCA supervisory activity points toward a single dominant concern: that operators are not treating the authorisation as a substantive gateway but as an administrative formality to be processed once the business is already live. That assumption is wrong in both directions.

Supervisors are looking at governance architecture first. The requirement to have effective internal controls, a clear management body with demonstrated competence in crypto-asset markets, and documented policies for conflicts of interest, remuneration and outsourcing is not satisfied by importing a generic financial-services compliance manual. Examiners in the leading NCA jurisdictions – including those in Lithuania and Malta, which handled a disproportionate share of the pre-MiCA VASP registration volume – have consistently questioned whether applicants' governance documents reflect the actual operations of the business or a template dropped from a consultant's library.

AML posture is the second pressure point. The Travel Rule – the obligation under FATF Recommendation 15 to pass originator and beneficiary data alongside a virtual-asset transfer – is specifically incorporated into the MiCA supervisory framework through the EU's Transfer of Funds Regulation. Applicants who cannot demonstrate that their systems actually capture, transmit and receive the required data fields at the time of application are encountering information requests and delayed processing. This is not a theoretical gap: in our cross-border practice, we regularly advise firms that built Travel Rule compliance for a single jurisdiction and then discovered the technical specification varies between counterparty platforms in different member states.

A third signal concerns white-label and outsourced models. Operators who run their order-matching, custody or settlement through a third-party infrastructure provider and then apply for a CASP authorisation as if they are operating the technology themselves have faced pointed questions about whether the authorisation seeker genuinely controls the regulated activity. The principle is structural: a CASP licence is granted to the entity that controls and is accountable for the service. If that entity is a shell with a subcontract to the real operator, the NCA will look through it.

The process above describes the standard examination. Your facts – the entity structure, the user base, the subcontracting arrangements – change the analysis materially.

To map your authorisation position before regulators raise the question, contact OBOLUS at info@oboluslaw.com. The process above describes the standard examination path. Your entity structure, user geography and outsourcing arrangements all change where the risks sit.

How Does the CASP Authorisation Process Actually Work?

A CASP authorisation begins with the selection of a home member state – the EU jurisdiction in which the applicant will seek its licence and from which it will passport its services. That choice has consequences beyond processing speed. The home NCA will be the ongoing supervisor, and the supervisory relationship, resourcing and appetite of different NCAs vary. Once MiCA authorisation is granted, the firm may notify NCAs in other member states and begin providing services there, typically within a defined notice window, without repeating the full authorisation process.

The application itself is submitted to the relevant NCA and must address a detailed list of programme-of-operations information. This includes: the legal and ownership structure of the applicant; the identity and regulatory history of qualifying shareholders; the composition, credentials and time commitment of the management body; the internal governance policies; the own-funds position and how it will be maintained relative to the applicable minimum by service category; the IT and security arrangements; the business continuity plan; and – for custody services specifically – the safeguarding and segregation arrangements for client assets.

Timeline is qualitative by registry discipline: the applicable provisions set an assessment window that begins only when the NCA has declared the application complete. Incomplete applications – missing one governance document, an unexplained gap in a director's regulatory history, an IT security assessment that does not cover the full service scope – restart or pause the clock. In practice, operators who submit incomplete files have seen the process extend significantly beyond the standard window. We have seen well-prepared applications move through efficiently; poorly prepared ones can stall for months.

The home member state selection decision also interacts with tax and banking. A CASP seated in one EU member state will have its banking relationships, its corporate tax position and its employment arrangements anchored there. An operator choosing Lithuania for its historically streamlined NCA process may encounter different banking access and VAT treatment than one choosing Malta or the Netherlands. Those variables need to be modelled before the filing, not after the licence is issued.

A recent matter in our practice illustrates this concretely. A payments technology company sought a CASP authorisation in a mid-tier EU jurisdiction to serve clients across Western Europe. The application was substantively strong – the governance was well-documented, the management team experienced. What stalled the process was a gap in the Travel Rule technical specification: the firm's Treasury system passed originator data correctly but could not receive beneficiary data from non-EU counterparties in the required format. The NCA issued an information request. We worked with the firm's technology team to implement a compliant data-capture layer and resubmitted the relevant section. The authorisation was granted in the following review cycle. The cost was additional time – a window during which the firm could not passport into two target markets.

Does Token Classification Affect Which Authorisation You Need?

Token classification is a threshold question that must be resolved before selecting the authorisation pathway, because MiCA creates distinct regimes for different token types and the wrong classification means the wrong application. MiCA distinguishes between asset-referenced tokens (ARTs), which reference a basket of assets or currencies; e-money tokens (EMTs), which reference a single fiat currency and function as electronic money; and all other crypto-assets. Services involving ARTs and EMTs attract specific issuer-side obligations on top of the CASP regime, including own-funds requirements for the issuer and reserve asset rules.

The classification question is also where the securities law boundary sits. A token that confers rights resembling equity, debt or a collective investment scheme interest will be a financial instrument under MiFID II rather than a crypto-asset under MiCA. If that is the correct characterisation, the applicable authorisation pathway is not a CASP licence but a MiFID investment firm authorisation – a materially different process with different capital requirements, different conduct rules and a different supervisory relationship. Operators who misclassify a security token as a utility token, obtain a CASP authorisation, and then attract supervisory attention face the prospect of operating a financial instrument exchange without the correct licence, which is a serious regulatory violation.

In our cross-border practice, we regularly advise token issuers at the classification stage before any application is filed. The question is not whether the token was designed to be a utility token. The question is whether, on its actual terms, it confers rights that a regulator would characterise as financial instrument features. ESMA has reinforced this point in technical guidance: the label does not drive the classification; the economic substance of the rights conferred does.

The FINMA token taxonomy – distinguishing payment, utility and asset tokens by the rights and purpose embedded in the token – provides a useful reference framework alongside the MiCA classification, particularly for operators structuring token sales into both EU and non-EU markets simultaneously.

What Cross-Border Complications Do CASP Applicants Encounter?

Most operators seeking a CASP authorisation are not purely EU businesses. They have holding structures in the BVI or Cayman Islands, banking in non-EU jurisdictions, technology teams in jurisdictions outside Europe and user acquisition campaigns that reach beyond the EU perimeter. Each of those cross-border threads creates a complication in the authorisation file.

The ownership and qualifying shareholder requirement is the one most frequently underestimated. An NCA reviewing a CASP application will require information about every entity and individual in the ownership chain above the applicant, up to and including the ultimate beneficial owner. A holding chain that runs through the BVI to the Cayman Islands and then to a trust structure needs to be unwound and documented to the NCA's satisfaction. If the beneficial owner has any prior regulatory finding in any jurisdiction, that history must be disclosed. Gaps in this documentation are one of the most common causes of completeness rejections.

Banking is a parallel problem. A CASP authorised in Lithuania or Malta still needs banking to operate. EU banks have their own compliance and onboarding requirements for crypto businesses, which are often more demanding than the CASP authorisation process itself. We have seen firms receive their CASP authorisation and then spend additional months unable to open a Euro account. The banking relationship should be pursued in parallel with, not after, the authorisation.

For operators with activities in multiple regimes simultaneously – say, a firm that holds a MAS licence in Singapore and is now seeking a CASP authorisation in the EU – the interaction between the two regimes creates reporting and governance obligations that must be reconciled. The MAS Payment Services Act licence for digital payment token services and the MiCA CASP authorisation are not interchangeable or mutually exclusive, but they impose overlapping AML/CFT obligations that need to be serviced by a governance structure that is coherent across both.

Similarly, operators regulated by the SFC in Hong Kong under the VATP licensing regime, or by VARA in Dubai for mainland activities, face the question of whether the governance and compliance infrastructure built for one regime can be extended to satisfy MiCA's requirements or whether a parallel, EU-specific build is needed. The answer is almost always: the infrastructure can be adapted, but not simply copy-pasted. The specific requirements of each regime differ at the margin in ways that matter to examiners.

If a prior application stalled or a banking relationship collapsed mid-process, a structural review can identify the root cause and the route forward. The reasons are rarely random.

If your CASP application has encountered a completeness rejection or a sustained information-request cycle, write to info@oboluslaw.com. A second read of the file frequently surfaces the structural issue that is holding the process.

Contrasting Positions: EU CASP vs. Non-EU Entry Strategies

Not all operators conclude that a CASP authorisation is the right next step. The contrasting position – licensing in a non-EU jurisdiction and geo-blocking EU users – remains viable for businesses where EU revenue is genuinely marginal. But it is a position that requires regular reassessment as the MiCA perimeter is interpreted and as NCAs begin looking at marketing and app-store availability as evidence of EU service provision even in the absence of a formal EU entity.

The ADGM/FSRA regime in Abu Dhabi and the VARA regime in Dubai offer credible regulated environments for digital-asset businesses that are primarily serving a non-EU user base. The AIFC/AFSA framework in Kazakhstan provides a common-law regulated environment within a rapidly developing digital-asset hub. Singapore's MAS Payment Services Act licence remains a benchmark for Asia-Pacific reach. Each of these creates a credible regulated base from which an operator can serve non-EU markets without the MiCA compliance overhead.

The risk is structural: if the business subsequently grows EU revenue above the threshold at which geo-blocking becomes commercially unsustainable, the operator faces a catch-up authorisation process while already operating – a much harder position than filing proactively. NCAs are less sympathetic to applicants whose EU presence has already been established without authorisation.

A decision matrix for the most common operator profiles looks as follows in practice:

Profile A – EU-first exchange or custody platform: A CASP authorisation in a home member state with a clear passporting plan is the correct instrument. The indicative timeline to a complete, well-prepared application being declared complete and assessed varies – plan for a process measured in months, not weeks. The key risk is governance documentation that does not match the actual operations of the business.

Profile B – Emerging-market operator with incidental EU traffic: A non-EU primary licence, rigorous geo-blocking, and a monitored EU revenue threshold is a defensible position for now. The key risk is that "incidental" traffic grows without a corresponding compliance escalation trigger.

Profile C – Global exchange seeking EU access alongside existing regulated hubs: A CASP authorisation is required. The structural question is whether the existing governance model – built for MAS, SFC or VARA – can be adapted for MiCA or whether a purpose-built EU subsidiary with its own management body and own-funds is needed. The answer turns on how the parent entity's operations are structured and how much of the actual service delivery can be attributed to the EU entity.

Profile D – Token issuer with EU whitepaper obligations: The authorisation pathway depends on token classification. An ART or EMT issuer requires a specific authorisation on the issuer side before public offering. A CASP authorisation for custody or exchange services layered on top of that is a separate filing. Conflating the two tracks is a common and time-consuming mistake.

What Are the Most Common Mistakes in CASP Applications?

The mistakes we see most frequently do not arise from ignorance of the regulatory requirements. They arise from the gap between what the compliance manual says and what the business actually does. Examiners are experienced at closing that gap.

The most consequential error is submitting an application before the governance build is complete. It is tempting to file early to begin the clock. But an NCA that finds a material gap – a management body with insufficient time commitment, a missing AML policy for a specific service activity, a custody safeguarding model that is described but not yet implemented – will issue a completeness rejection or a substantive information request. Both outcomes reset or extend the timeline and put the application on a more scrutinised track.

A related mistake is failing to map the business activities to the correct licence categories before filing. MiCA lists the regulated services, and the application must address each service the business actually provides. An operator that files for exchange services but is also providing custody as part of its user account model – holding client private keys as part of the product – has filed for the wrong scope. When the NCA's reviewers identify the mismatch, the applicant faces the choice of amending the application (extending the timeline) or defending the position that the custody activity is incidental (a difficult argument to sustain on the facts).

A common assumption is that a thorough application guarantees a fast outcome. It does not. The NCA's own resourcing, the volume of applications in the queue and the complexity of the applicant's ownership chain all affect timeline. What a thorough application guarantees is that the timeline is determined by those external factors rather than by correctable gaps in the file.

The own-funds position at the time of application is also frequently misunderstood. The requirement is not simply that the entity has the minimum capital on a balance sheet. The applicant must demonstrate that the own-funds position is sustainable relative to the projected activity of the business and that the governance arrangements will maintain it on an ongoing basis. An entity formed two months before filing with a minimal balance sheet and no documented capital maintenance policy will face pointed questions about the relationship between its capitalisation and its business plan.

Self-Assessment: Are You Ready to File?

Before a CASP application is submitted, an operator should be able to answer the following questions affirmatively. If any answer is uncertain, the gap should be resolved before filing, not after.

First: has every service the business provides been mapped to a specific MiCA category, and has the token classification for every asset in scope been confirmed? Second: is the management body fully constituted, with documented evidence of each member's time commitment and their relevant experience in the crypto-asset markets? Third: do the governance policies – AML/CFT, conflicts of interest, outsourcing, business continuity, safeguarding – reflect the actual operations of the business as it will run on the first day after authorisation, not a theoretical model? Fourth: is the Travel Rule technical implementation in place and tested, including for counterparty platforms outside the EU? Fifth: is the own-funds position documented and is there a capital maintenance policy that links the firm's capitalisation to its projected activity levels?

Sixth – and this is the one that most frequently requires external counsel: has the ownership chain above the applicant been documented in full, and has every qualifying shareholder and member of the management body confirmed they have no adverse regulatory history in any jurisdiction? A single undisclosed finding in any regulator's records can halt an application entirely.

For the cross-border operator: has the interaction between the CASP authorisation and the operator's obligations in every other jurisdiction where it holds a licence been modelled? The compliance architecture needs to be coherent across all of them – not because regulators routinely communicate in real time, but because the applicant's governance documentation in each jurisdiction will be reviewed on its own merits.

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

Timeline varies by jurisdiction and application quality. Under MiCA, the NCA's assessment window begins only once the application is declared complete – incomplete filings can add months before the clock formally starts. A well-prepared CASP application in a well-resourced NCA jurisdiction is measured in months rather than weeks. Other regimes, such as the BVI FSC VASP registration or an AIFC/AFSA digital-asset licence, may move on different timelines. The operative variable in every case is preparation quality before submission.

Which jurisdiction is best for licensing my crypto business?

There is no universal answer. The correct jurisdiction depends on where your users are located, what services you provide, your ownership structure and your banking requirements. An EU-facing exchange needs a CASP authorisation, with the home member state choice turning on NCA resourcing, tax and banking access. A firm primarily serving Asian markets may look to MAS in Singapore or the SFC in Hong Kong. A business with a global footprint typically needs more than one licence. We map the full stack – operating, custody and payment layers – across all relevant jurisdictions before advising on structure.

Do I need a separate custody licence?

Under MiCA, custody and administration of crypto-assets on behalf of clients is a regulated service. If your business holds client assets – meaning you control private keys or have access to client wallets as part of your product – you need to include that activity in your CASP authorisation scope. Running an exchange and holding client assets under the same authorisation is permissible, but both activities must be addressed in the application. In some jurisdictions outside the EU, such as under VARA or the MAS Payment Services Act, custody may require a separate licence category. The answer is always fact-specific.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. We structure licensing, banking and tax as one mandate rather than three disconnected workstreams – mapping the licence stack across operating, custody and payment layers before you commit, so the architecture holds under regulatory scrutiny. To discuss your situation, contact info@oboluslaw.com.

By Roman Levitt, Technology & DeFi Counsel – specialising in regulatory structuring for crypto-asset platforms, token classification analysis and the intersection of MiCA compliance with multi-jurisdictional technology architectures.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours