Regulatory February 2026 8 min read

MiCA & CASP
Authorization:
What You Need to Know

The EU's Markets in Crypto-Assets Regulation came into full effect on 30 December 2024. For any firm providing crypto-asset services in Europe, authorization is no longer optional. Here is what the process looks like — and where most applicants fall short.

By Georgios Petropoulos  |  LINXS Advisory
10
Regulated crypto-asset services under MiCA
6–12
Months realistic end-to-end authorization timeline
€150K
Maximum minimum capital requirement
or ¼ of fixed overheads from the preceding year

01 What Is a CASP?

A Crypto-Asset Service Provider (CASP) is any legal entity providing crypto-asset services professionally to third parties. Under Regulation (EU) 2023/1114, authorization is mandatory for any of the ten regulated services — from custody and trading to portfolio management and transfer services.

Custody & Administration
Safekeeping and administration of crypto-assets on behalf of clients.
Trading Platform Operation
Operating a multilateral system for the exchange of crypto-assets.
Exchange Services
Exchange of crypto-assets for fiat currency or for other crypto-assets.
Order Execution
Executing orders for the purchase or sale of crypto-assets on behalf of clients.
Advisory & Portfolio Management
Providing advice on crypto-assets and managing portfolios of crypto-assets.
Transfer Services
Providing services for transfers of crypto-assets on behalf of clients.

02 Capital Requirements

MiCA Article 67 sets out tiered minimum capital requirements based on the nature of the services provided. Capital must be verified through audited financials, a capital attestation, and a maintenance plan with financial projections — both baseline and stress scenarios.

€50K
Advisory services only
€125K
Trading platform operation
€150K
Custody, exchange & portfolio management
¼
Or one quarter (25%) of fixed overheads from the preceding year, reviewed annually

03 Authorization Timeline

The statutory process is structured but rarely linear. Regulators stop the clock during information requests, meaning the realistic end-to-end timeline is typically six to twelve months from initial submission.

1
Completeness Assessment
25 working days
Regulator confirms the application is complete and ready for substantive review. Missing documents restart the clock.
2
Substantive Review
40 working days
Full assessment of the application against MiCA requirements. Q&A rounds are common and pause the timeline.
3
Clock Stops
Variable
The regulatory clock pauses during information requests and Q&A rounds. Firms should be prepared to respond promptly and comprehensively.
4
Realistic End-to-End
6–12 months
Well-prepared applications with experienced management teams and complete documentation tend to move fastest.

04 Governance, Fit & Proper & AML

Regulators scrutinise three interconnected areas: the governance structure, the fitness and propriety of management, and the robustness of the AML/CFT framework. Weaknesses in any one area are sufficient grounds for refusal.

Governance Structure
Clear org chart, board composition and committee structure, separation of management and control functions, risk appetite statement approved by the board, and documented escalation procedures.
Fit & Proper Criteria
Professional qualifications relevant to crypto, financial services or technology experience, understanding of regulatory requirements, background checks, no insolvency history, clean AML record.
AML/CFT Framework
Customer Due Diligence procedures, Enhanced Due Diligence for high-risk clients, transaction monitoring, sanctions screening against EU and international lists, STR procedures to the Financial Intelligence Unit.
Travel Rule (EU 2023/1113)
Originator and beneficiary information required for all transfers. Enhanced data collection for transfers above €1,000. Technical solution for secure information exchange with self-hosted wallet procedures.

05 Technical & Operational Requirements

The technical bar is high. Regulators expect detailed architecture documentation, evidence of operational readiness, and demonstrated compliance with DORA — the EU's Digital Operational Resilience Act — alongside MiCA's own custody and asset protection standards.

Technical Architecture
System architecture diagrams, trading engine specifications and capacity planning, cybersecurity controls, independent penetration testing, encryption standards at rest and in transit.
Custody & Asset Protection
Complete segregation of client assets, hot/warm/cold wallet infrastructure, multi-signature protocols, daily blockchain reconciliation, insurance against theft and loss, hard fork procedures.
DORA Compliance
ICT risk management framework, incident detection and classification, major incident reporting obligations to NCAs, operational resilience testing, third-party ICT provider risk management.
Key Management
Documented wallet custody infrastructure, authorisation protocols for key access, procedures covering hard forks and airdrops, data retention and storage capabilities.
Assessor Insight
Regulators apply requirements consistently while considering specific business models. Proportionality based on size, complexity, and risk is a principle — but it does not excuse incomplete documentation or weak controls. The firms that move fastest through authorization are those that treat the process as an operational readiness exercise, not a compliance form-fill.

06 Why Applications Are Refused

Understanding the most common rejection reasons is the single most effective way to improve authorization outcomes. These are not edge cases — they represent the majority of refusals.

Incomplete or generic policy documentation — templates lifted from other jurisdictions without adaptation to the specific business model.
Insufficient capital or unrealistic financial projections — stress scenarios that do not reflect genuine operational risk.
Management team lacking qualifications or experience — particularly where key individuals cannot demonstrate relevant financial services or technology backgrounds.
Inadequate AML/CFT framework or no Travel Rule solution — a complete AML programme is non-negotiable under MiCA.
Technical security gaps or missing architecture documentation — vague descriptions of systems are insufficient; regulators expect evidence.
Unclear beneficial ownership structures — complex or opaque ownership chains are a significant red flag for any NCA.
Lack of operational readiness — firms that cannot demonstrate they are ready to commence activities on day one face refusal regardless of their documentation quality.

07 Post-Authorization & EU Passporting

Authorization is the beginning, not the end. Ongoing supervision obligations are significant, and the EU passporting framework — while commercially valuable — requires careful management.

Ongoing Supervision
Regular reporting and annual compliance attestations, periodic on-site inspections, incident and breach notification obligations, pre-approval required for significant business model changes.
EU Passporting
Authorized CASPs may passport services across EU Member States. Services must match the authorized scope, host NCAs must be notified, and the ESMA central register must be updated.

Navigating MiCA for your firm?

LINXS Advisory works with financial services firms and crypto-asset businesses on regulatory strategy, authorization readiness, and ongoing compliance. We translate complex requirements into practical action.

Get in Touch Visit LINXS Advisory