Operating a virtual asset service provider (VASP) business in Poland without the correct registration now carries direct enforcement risk. Poland's regime sits inside the European Union, which means the transition to MiCA (Markets in Crypto-Assets Regulation) – the EU-wide CASP authorisation framework supervised by ESMA and national competent authorities – defines the regulatory trajectory for every crypto business with Polish market exposure. Whether you are an exchange operator expanding into Central Europe, a custodian onboarding Polish institutional clients, or a token issuer assessing EU access via a Polish entity, the legal question is the same: what does authorization actually require, and how does the EU passporting mechanism change your cross-border structure? This page maps the regime, the process, and the practical considerations that distinguish a successful Polish market entry from a costly regulatory misstep.
Poland's Regulatory Regime for Virtual Asset Businesses
Poland supervises virtual asset businesses under a national AML-derived VASP registration regime, administered by the Polish Financial Supervision Authority (KNF – Komisja Nadzoru Finansowego), with the General Inspector of Financial Information (GIIF) overseeing the AML/CFT compliance layer. Under the pre-MiCA framework, operators providing exchange, conversion, or custodial wallet services were required to enter the VASP register maintained by the GIIF. That register – and the obligations attached to it – remains operative during the MiCA transition period. Once MiCA's CASP authorisation requirements apply fully to Polish operators, the supervising architecture will shift further toward KNF as the national competent authority under ESMA's coordination umbrella. Businesses entering Poland today must plan for both layers: the current VASP registration obligation and the incoming CASP authorisation requirement. Entering without either is not a defensible position.
The Polish legal basis for VASP registration derives from the national anti-money laundering legislation implementing the EU's successive AML directives. Poland expanded its definition of obliged entities to include VASPs – entities that exchange virtual currencies for fiat or other virtual currencies, intermediate such exchanges, or provide custodial wallet services. The breadth of this definition means that many businesses with a Polish nexus – a Polish entity, Polish users, or a Polish banking relationship – fall inside the perimeter regardless of where the operator is formally domiciled. Regulators in the leading EU hubs increasingly read user-location and service-direction as determinative, not just entity registration.
The MiCA CASP authorisation, once fully operative, will require Polish crypto businesses to obtain formal authorization from KNF as the national competent authority, after which the EU passporting mechanism allows cross-border service provision across all EU and EEA member states from a single authorization. That passporting right is among the most commercially significant features of the EU regime. It is also the principal reason that Poland – alongside Lithuania, Malta, and other EU member states – attracts inbound operators seeking EU market access through a single licensing event.
The FATF Travel Rule – the obligation to pass originator and beneficiary identification data with virtual asset transfers – applies to Polish VASPs under the AML framework. KNF and GIIF expect compliant Travel Rule implementation as a baseline condition of registration and, under MiCA, of CASP authorization. Operators who have not built Travel Rule compliance into their technical architecture before applying will face questions during the review process.
For a scoped assessment of your Polish or EU licensing position, including how the MiCA transition affects your existing structure, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity type, the user base, the service scope, the banking – change the analysis materially.
Who Needs a VASP Registration or CASP Authorisation in Poland?
Any business that provides covered virtual asset services with a Polish nexus is caught by the registration requirement, whether or not the business is incorporated in Poland. The covered services under the current Polish AML framework include exchange between virtual currencies and fiat currency, exchange between virtual currencies, intermediation in such exchanges, and custodial wallet services – holding, storing or transferring private keys on behalf of clients. Under MiCA, the CASP authorisation requirement extends to a broader set of activities: operating a trading platform for crypto-assets, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placement, transfer services, portfolio management, and advice. The direction of travel is toward a wider perimeter, not a narrower one.
The critical question for inbound operators is whether directing services at Polish residents – through a Polish-language interface, Polish payment methods, or active marketing into Poland – creates a Polish registration obligation even when the entity is registered elsewhere. Under the current AML framework, the answer depends on how the Polish authorities assess the factual nexus. Under MiCA, the passporting mechanism means that an operator authorized in any EU member state may serve Polish clients lawfully without a separate Polish authorization. But that EU authorization must exist. An operator relying on a non-EU licence – a BVI FSC registration, a Cayman CIMA registration, a VARA licence from Dubai – cannot passport into Poland or any other EU member state. Those offshore structures require a parallel EU-licensed entity for EU market access.
In our cross-border practice, we regularly advise exchange operators who assumed that a well-recognized offshore registration was sufficient for EU operations. That assumption is incorrect under the MiCA model. The EU perimeter is defined by the location of the client and the direction of the service, not the location of the server or the entity. Building the correct EU access structure – whether through a Polish CASP application or through a sister-jurisdiction EU authorization with Polish passporting – is a decision that should precede market entry, not follow enforcement.
How Does the VASP Registration and CASP Authorisation Process Work in Poland?
The VASP registration process under the current Polish regime is managed through the GIIF and requires demonstration that the applicant, its beneficial owners, and its key management personnel meet fit-and-proper standards, that the business operates effective AML/CFT policies and procedures, and that the entity meets applicable capital conditions. The GIIF maintains the official register of VASPs; registration is a precondition for lawful operation. Unregistered operation is a criminal and administrative offense under Polish law.
The MiCA CASP authorisation process, once KNF is fully operational as the national competent authority, will require a structured application covering governance arrangements, internal controls, conflict-of-interest management, safeguarding of client assets, complaint-handling procedures, and the required own-funds demonstration for the relevant service category. MiCA distinguishes between authorization requirements by service type – the minimum own-funds required for a custody-only CASP differ from those for a trading platform operator. Because all numeric thresholds remain subject to the applicable legislative text and regulatory guidance as implemented, operators should obtain current figures directly from KNF or through counsel with active regulatory contact rather than relying on secondary sources.
The review period for a MiCA CASP application at a national competent authority is defined under the applicable provisions of MiCA, measured from a complete application. Incompleteness is the most common cause of delay. Regulators in the leading EU hubs – including KNF – have noted that applications submitted without a complete AML/CFT policy pack, without a documented Travel Rule solution, or without properly structured beneficial ownership disclosure are routinely returned for supplementation, resetting the review clock. We have seen the difference between a well-prepared application and a reactive one measured in months of additional elapsed time.
Once authorized under MiCA, the Polish CASP may notify its authorization to other EU and EEA national competent authorities via the ESMA passporting mechanism. That notification triggers the right to provide covered services cross-border without further national authorization. The passporting right is one of the most commercially significant features of the EU regime – it converts a single Polish authorization into EU-wide market access. Operators with a multi-country EU strategy should factor this into the entity and jurisdiction decision early in the structuring process.
Cross-Border Structuring: Poland in the EU Licensing Stack
Poland is not typically the first EU jurisdiction that comes to mind for digital-asset licensing, but it occupies a distinct position in the EU licensing environment for operators with Central and Eastern European market exposure or with a preference for an EU member state that is less crowded than Malta or Lithuania at the post-MiCA authorization stage. For an inbound operator, the decision between licensing jurisdictions within the EU turns on several axes: the pace and approachability of the national competent authority, the local banking environment for crypto businesses, the corporate tax rate and treaty network, and the practical ability to build or contract a local compliance function.
Poland has a developed corporate legal infrastructure, an established banking sector, and is a member of the EU single market. Its corporate tax rate is moderate by EU comparison, and the country has a large talent pool with legal and financial services experience. These factors make it a credible EU licensing base for operators who are prepared to establish a genuine local presence – the substance requirement that regulators under MiCA expect is not fulfilled by a letterbox entity. ESMA and national competent authorities have been explicit that meaningful governance, risk management, and compliance functions must be located within the EU entity, not outsourced wholesale to a non-EU group company.
For an operator already licensed in a non-EU hub – operating under VARA in Dubai, under MAS in Singapore, or under the SFC in Hong Kong – the EU structure sits alongside rather than replaces the home-jurisdiction license. The group's EU entity holds the MiCA CASP authorization; the parent or affiliate retains the relevant non-EU license for operations outside the EU. Intergroup service agreements, fund flows, and data-sharing arrangements between the EU and non-EU entities require careful legal structuring, particularly under MiCA's third-country provisions and the GDPR's data transfer rules.
Banking remains the most persistent practical challenge for crypto businesses in Poland, as it is across the EU. Polish banks apply varying levels of risk appetite to VASP and CASP clients. Some have developed crypto-business onboarding programs; others have formal exclusions. Operators approaching Polish banking without a complete regulatory and compliance pack – including VASP registration or CASP authorization, AML/CFT documentation, and a clear business model presentation – will find the process significantly longer and less certain. We map the banking approach as part of the overall licensing strategy, not as an afterthought.
AML, Travel Rule, and Ongoing Compliance Obligations
Every registered VASP and authorized CASP in Poland must maintain an AML/CFT compliance program that meets the standards set by the applicable EU AML directives as implemented into Polish law, and – under MiCA – the additional conduct and operational requirements imposed by the CASP regime. The GIIF is the Polish financial intelligence unit responsible for receiving suspicious activity reports (SARs) and coordinating with law enforcement. VASPs and CASPs are obliged entities for SAR purposes.
The Travel Rule – derived from FATF Recommendation 15 – requires that originator and beneficiary identification data accompany virtual asset transfers above the applicable threshold. In Poland, as across the EU, the Travel Rule has been integrated into the AML legislative framework. The threshold applicable to a specific transfer type and the technical interoperability requirements are matters that operators must address at the system-design stage, not retrospectively. Regulators do not treat Travel Rule non-compliance as a technical deficiency that can be corrected after the fact; it goes to the fitness of the compliance program as a whole.
Ongoing KNF supervision under MiCA will include periodic reporting obligations, notification requirements for material changes to the business (ownership changes, new service lines, changes in key management), and the possibility of on-site inspections. The CASP authorisation is not a one-time event. It is a continuing regulatory relationship, and the resource cost of maintaining that relationship – through a qualified compliance function, regular internal audit, and responsive engagement with the regulator – should be factored into the business case before the application is filed.
In a recent registration matter, a payment technology company with Central European operations sought VASP registration in Poland as part of a broader EU market-entry plan. We structured the entity governance, drafted the AML/CFT policy suite, and coordinated the beneficial ownership disclosure in the format expected by the GIIF. The application proceeded to registration without a supplementation request – a materially better outcome than the operator's prior self-led attempt, which had stalled on the compliance documentation.
How Does Poland Compare for an Inbound Operator?
For a business choosing between EU licensing jurisdictions, Poland sits in a middle position: more established than some newer entrants to the CASP authorization process, less internationally profiled than Malta or Lithuania. The practical comparison for an inbound operator turns on the following considerations.
Versus Lithuania: Lithuania established an early reputation as a fast VASP registration destination under the pre-MiCA AML regime. Under MiCA, Lithuanian registration becomes CASP authorization under the Bank of Lithuania as the national competent authority – on broadly equivalent terms to KNF. The competitive differentiation between the two now turns more on banking access, local talent, and regulator approachability than on the legal framework, which is harmonized at the EU level. Operators who built their EU structure in Lithuania before MiCA should assess whether their authorization process and local substance remain adequate under the CASP standard.
Versus Malta: Malta's MFSA operated the VFA (Virtual Financial Assets) framework, which is transitioning to MiCA CASP authorization. Malta has more institutional experience with crypto-specific licensing than Poland, but its market is smaller and banking access has historically been more constrained for VASPs. For operators whose EU client base is concentrated in Central and Eastern Europe, a Polish or Lithuanian authorization may be more operationally convenient than a Maltese one.
Versus a non-EU jurisdiction: An operator considering Poland must weigh the EU CASP authorisation against the alternatives – a Dubai VARA licence, a Singapore MAS DPT license, or a BVI VASP Act registration. None of those alternatives provides EU market access. They may be appropriate for serving non-EU clients, for group holding structures, or for specific product types that do not require EU authorization. But for EU market access – including the Polish market – an EU CASP authorization is the only compliant path under MiCA.
The decision matrix for a typical inbound operator looks like this. An exchange or custody business targeting EU retail and institutional clients with substantial Central European exposure should consider Poland or Lithuania as the primary EU authorization hub, using the MiCA passporting mechanism to serve the full EU/EEA market from a single authorization. A business with a global client base and a non-EU operational center should consider a parallel structure: a non-EU license for non-EU operations and an EU CASP for EU operations, with proper intergroup agreements between the two entities. A token issuer launching a crypto-asset that falls under MiCA's whitepaper and authorization requirements must obtain authorization in at least one EU member state before offering to EU clients, regardless of where the issuer is incorporated.
If your structure straddles multiple jurisdictions and you have hit a regulatory or banking obstacle, a second read of your architecture often surfaces the issue. Write to OBOLUS at info@oboluslaw.com to scope the analysis.
A Common Assumption: One Offshore Licence Is Enough
A common assumption among founders and some in-house teams is that a well-regarded offshore VASP registration – in the BVI, Cayman Islands, or a comparable jurisdiction – is sufficient to serve clients in the EU, including in Poland. That assumption has not been correct since MiCA's entry into force. MiCA is explicit: operators providing covered services to EU-resident clients must hold a MiCA CASP authorization from an EU national competent authority. The offshore entity may continue to serve non-EU clients under its home-jurisdiction registration. It cannot lawfully direct covered services at EU clients without the EU authorization.
The risk of operating without the EU authorization is not merely theoretical. KNF and other EU national competent authorities have the power to impose restrictions on operations, issue public warnings, and refer matters for criminal prosecution. More immediately damaging for most businesses is the banking consequence: Polish and other EU banks are required to apply enhanced due diligence to crypto business clients and will, in most cases, refuse or terminate accounts for businesses that cannot demonstrate regulatory authorization. Operating without the right licence risks enforcement, frozen banking rails, and the loss of EU market access at precisely the moment the business has built a user base that depends on it.
The fix is structural, not administrative. It requires the right EU entity, the right authorization, the right local substance, and the right intergroup agreements between EU and non-EU operations. It is a project measured in months, not days – which is why it should begin before the business enters the EU market, not after a banking termination forces the issue.
Related at OBOLUS
- Licensing & Registration for Digital-Asset Businesses – how we scope and manage the full licence stack across operating, custody and payment layers
- Digital-Asset Licensing in South Africa – the South African regulatory regime for VASPs and how it interacts with cross-border structures
- Worldwide Freezing Orders in Lithuania – the Lithuanian court's jurisdiction to grant interim asset-preservation relief in digital-asset disputes
FAQ
How long does a crypto licence take to obtain?
The timeline varies by jurisdiction and licence type. Under the current Polish VASP registration regime, a well-prepared application is typically processed within a matter of weeks; an incomplete application resets the clock. Under MiCA CASP authorization, the applicable review period is defined in the legislation and runs from the date a complete application is accepted. Incompleteness – missing AML documentation, unresolved beneficial ownership disclosure, absent Travel Rule compliance evidence – is the most common source of material delay across all EU authorization processes.
Which jurisdiction is best for licensing my crypto business?
There is no single answer. The right jurisdiction depends on your client base, service scope, product type, banking needs, and operational substance. For EU market access, a MiCA CASP authorization in any EU member state – including Poland – provides passporting across the full EU and EEA. For non-EU markets, VARA (Dubai), MAS (Singapore), SFC (Hong Kong), or BVI and Cayman registrations may be appropriate depending on where your clients and operations sit. Most cross-border businesses need more than one authorization. We map the full stack before you commit.
Do I need a separate custody licence?
Under MiCA, custody and administration of crypto-assets is a distinct regulated service requiring its own CASP authorization – separate from authorization to operate a trading platform or provide exchange services. A business providing both custody and exchange services must demonstrate compliance with the requirements applicable to each activity. Some operators structure the custody and exchange functions in separate entities; others seek a combined CASP authorization covering both. The right structure depends on the business model, the client type, and the capital and operational resource available.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence stack across operating, custody and payment layers before you commit – so the structure is right from day one, not rebuilt after an enforcement event. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com.
By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in EU and cross-border VASP and CASP authorization strategy for exchanges, custodians and token issuers.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.