top of page
ChatGPT Image May 25, 2025, 07_06_54 PM.png

Licensing regime for crypto‑asset activities in Luxembourg

 

Luxembourg’s Law of 6 February 2025 embeds the EU Markets in Crypto‑Assets Regulation (MiCA, EU 2023/1114) and the new Transfer‑of‑Funds Regulation for crypto‑assets (TFR, EU 2023/1113) in national law. It designates the Commission de Surveillance du Secteur Financier (CSSF) as sole competent authority for all crypto‑asset issuers and service providers and aligns the national financial‑sector statutes, AML law and payment‑services law accordingly. The law therefore makes the MiCA licence a fully domestic authorisation: a startup must obtain it from the CSSF before conducting any of the MiCA‑defined crypto‑asset services or issuing asset‑referenced or e‑money tokens from Luxembourg. 

  • a. When to apply – A startup must file its MiCA application before commencing any in‑scope activity; transitional registrants must file in time to obtain the licence before the 1 July 2026 sunset. 

    b. Application package – The CSSF will only accept a complete file that mirrors MiCA Title VI requirements. In practice the dossier must contain:

    1. A programme of operations describing intended services, target users, jurisdictions, and a detailed business plan.

    2. A structural chart with ultimate beneficial owners, plus documentation evidencing that those owners and each board member or senior manager are fit, proper and of good repute.

    3. Proof of initial own funds corresponding to the highest amount required for the service(s) sought (MiCA sets four capital tiers; provide evidence of fully paid‑up capital in an EU credit institution or Luxembourg account).

    4. Governance and internal‑control framework: board composition, risk‐management, compliance, internal audit, complaint‑handling, outsourcing controls and ICT security.

    5. Safeguarding and custody arrangements for clients’ crypto‑assets and fiat funds, including segregation and insolvency protection.

    6. AML/CFT policies adapted to crypto‑asset risks, including procedures for transfers to/from self‑hosted (auto‑hosted) addresses and enhanced diligence for high‑risk correspondent relationships.

    7. ICT resilience, incident reporting and data‑protection measures.

    8. Draft standard client agreements and, where relevant, a white paper for any planned public offer of crypto‑assets. 

    c. Review & decision – The CSSF is empowered to:

    • confirm completeness, ask follow‑up questions or require additional documents;

    • suspend the review if the applicant fails to respond;

    • refuse authorisation where prudential, conduct, AML or consumer‑protection concerns persist.

    The authority may also carry out on‑site inspections of the startup’s premises (or those of technology/outsourcing partners) as part of the assessment. 

    d. Post‑authorisation publication – Once licensed, the firm will appear on the CSSF’s public MiCA register and may passport its services throughout the EU in accordance with MiCA passporting rules. 

    1. Capital & liquidity – Maintain the higher of the own‑funds floor appropriate to each service and a percentage of fixed overheads; adjust dynamically as business grows.

    2. Segregation & safeguarding – Hold clients’ crypto‑assets and cash separate from the firm’s own; maintain robust keys management and recovery procedures.

    3. Governance – Board and senior management must remain fit and proper; CSSF may order removal of individuals who jeopardise sound management.

    4. Disclosure & marketing – All marketing must be fair, clear, not misleading and consistent with the white paper; CSSF can order suspension of promotional communications.

    5. Record‑keeping & reporting – Store order‑ and transaction‑level data; supply regular reports in formats set by the CSSF.

    6. Market integrity – Prohibit insider dealing, unlawful disclosure and market manipulation in crypto‑assets.

    7. AML/CFT – Treat transfers above EUR 1,000 and those involving self‑hosted wallets as higher‑risk; implement risk‑based identification, monitoring and sanctions screening. 

  • The CSSF may at any time: demand information, order suspension or prohibition of services, trading or offers, require amendments to white papers or marketing, impose position limits, freeze assets, or order third‑party hosting services and domain registrars to block infringing websites.

  • Crypto‑asset service providers are now fully “obliged entities”. They must:

    • perform customer due‑diligence on all clients and beneficial owners;

    • implement enhanced checks for cross‑border correspondent relationships involving crypto‑asset services;

    • identify and mitigate ML/TF risks linked to transfers to self‑hosted wallets, using additional information requests, enhanced monitoring or other proportionate measures;

    • retain records for at least five years and make them available to the CSSF upon request.

    1. Decide scope of services and confirm they fall within MiCA.

    2. Incorporate a Luxembourg entity and arrange initial own funds at the appropriate level.

    3. Draft the application file: programme of operations, organisational arrangements, policies, capital evidence and fit‑and‑proper proofs.

    4. Submit to CSSF and respond promptly to any information requests or inspection notices.

    5. Prepare operational readiness (IT, custody, AML, reporting) so the business can launch immediately once authorisation is received.

    6. Budget & pay supervisory fees upon invoice.

    7. Monitor ongoing compliance with prudential ratios, disclosure duties, transaction recording, AML and market‑integrity rules; file all required periodic reports.

    8. Update governance and shareholder information to the CSSF without delay whenever changes occur.

See MICAR Requirements

MiCA already grants legal certainty and future passporting rights, but a startup must earn those benefits: first by qualifying for (or coping without) the transitional window, and then by securing full authorisation under EU-wide standards.

Behind Licentium

Our Edge

Licentium is a specialized platform that connects crypto-asset issuers and service providers with an international network of lawyers, regulatory consultants, and former supervisors. Projects can map applicable rules in key jurisdictions through a single interface, obtain jurisdiction-specific launch advice, arrange the drafting of white papers and licensing applications, and schedule ongoing compliance health-checks. The platform’s curated expert pool spans financial services, data protection, and corporate law, enabling founders to address cross-border requirements—from MiCA in the EU to securities, AML, and consumer-protection regimes elsewhere—within coherent project timelines and budgets.


Ready to Launch Legally Worldwide?

Book a free 30-minute consult and walk away with a personalised roadmap.

client logo
bottom of page