Detailed overview
Cyprus: CySEC and CBC MiCA Framework
Cyprus is a full MiCA jurisdiction. The Cyprus framework is based on Regulation 2023/1114 and a national split of supervisory responsibility between the Cyprus Securities and Exchange Commission (CySEC) and the Central Bank of Cyprus (CBC).
Cyprus should not be treated as a continuing AML registration jurisdiction. The former national CASP registration route has closed for new applicants. New Cyprus-facing crypto-asset service activity must be structured through MiCA authorisation, an Article 60 notification route where available, a valid MiCA passport, or a CBC route where the business falls within CBC competence.
Regulator
CySEC is the main regulator for ordinary stand-alone crypto-asset service providers in Cyprus.
CBC is relevant where the applicant is a credit institution, electronic-money institution or payment service provider, where the business involves e-money tokens, where payment-services licensing may be triggered, or where the MiCA competent-authority notification assigns the matter to CBC.
Cyprus’s current competent-authority notification gives CySEC responsibility for standard CASP authorisation applications, except for electronic-money institutions and payment service providers that fall within CBC competence. It also gives CySEC responsibility for Article 60 notifications by specified financial entities such as central securities depositories, market operators, investment firms, UCITS management companies and AIFMs.
CBC is responsible for CASPs that are credit institutions using Article 60, electronic-money institutions using Article 60 or Article 63, and payment service providers using Article 63. CBC is also responsible for e-money token issuers and for certain asset-referenced token issuers that are credit institutions, electronic-money institutions or payment service providers.
The correct regulator must be checked before filing. This is especially important for banking, payments, e-money, EMT, ART and group-regulated structures.
Licensing route
A business that provides crypto-asset services in or from Cyprus generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using the Article 60 notification route or another valid MiCA route.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in any Cyprus service-mapping exercise.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, fund interests, insurance products, payment instruments, e-money outside the relevant MiCA treatment or other regulated products require separate analysis.
Article 63 authorisation
A standard unregulated CASP applicant generally applies for Article 63 authorisation through CySEC, unless CBC competence is triggered.
CySEC now has live MiCA application materials. The Article 62 application form for CASP authorisation is published, together with Article 60 notification materials, cross-border forms, management-body forms, qualifying-holding forms and crypto-address forms.
A credible Cyprus application should include a full service map, legal perimeter analysis, business plan, governance package, management suitability materials, qualifying-holder information, capital and prudential analysis, AML and sanctions framework, transfer-of-funds controls, ICT and security materials, outsourcing framework, business-continuity plan, custody and safeguarding arrangements, complaints procedures, conflicts management, client disclosures, recordkeeping and service-specific policies.
The application should be prepared against the EU technical standards for CASP authorisation applications and CySEC’s published forms.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is available only to eligible financial entities and only for permitted equivalent crypto-asset services.
In Cyprus, Article 60 notifications may involve CySEC or CBC depending on the entity. CySEC is responsible for specified financial entities including central securities depositories, market operators, investment firms, UCITS management companies and AIFMs. CBC is responsible for credit institutions and certain electronic-money institutions.
A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.
CBC payment-services overlay
A Cyprus CASP should separately assess whether any EMT-related activity triggers payment-services licensing.
CBC has stated that transfers of e-money tokens on behalf of clients and custody and administration of e-money tokens on behalf of clients may qualify as payment services under PSD2. Where that analysis applies, a CASP may need CBC authorisation unless it has a compliant arrangement with an authorised payment service provider.
Existing CASPs offering relevant EMT services had to submit a CBC authorisation application by 20 February 2026. A CASP that has applied but is not yet authorised may face restrictions on marketing and new client onboarding for those EMT-related payment services. A CASP that has not applied or does not meet the relevant conditions may need to cease the activity and offboard affected clients.
This overlay is important for wallets, EMT transfers, EMT custody, settlement models, client balances and payment-like flows.
Transitional position
Cyprus’s transition is now a late-stage route for legacy national-regime CASPs only.
CASPs that were registered under the Cyprus national CASP regime and provided services before 30 December 2024 may continue only until their MiCA application is approved or rejected or until 1 July 2026, whichever occurs first.
CySEC’s deadline for national-regime CASPs to apply for MiCA authorisation was 27 February 2026. CASPs that did not apply by that deadline are required to submit a wind-down plan. Continued activity after 1 July 2026 is conditional on obtaining MiCA authorisation.
A legacy national registration is not a MiCA licence. It should not be marketed as MiCA authorisation.
Grandfathered CASPs remain subject to the national Cyprus rules and Regulation 2023/1113 while they remain registered. This includes transfer-of-funds and crypto-asset transfer information obligations.
Cross-border grandfathering is limited. A Cyprus transitional CASP may provide services into another EU Member State during transition only where the host Member State permits this under its national law and has adopted or allows the relevant grandfathering regime.
Costs
CySEC fees are service-specific and commercially material.
The Article 60 notification fee for specified financial entities is EUR 10,000.
Article 62 CASP application fees include EUR 10,000 for custody and administration, EUR 30,000 for operating a crypto-asset trading platform, EUR 5,000 for exchange of crypto-assets for funds, EUR 5,000 for exchange of crypto-assets for other crypto-assets, EUR 8,000 for execution of orders, EUR 8,000 for placing, EUR 8,000 for reception and transmission of orders, EUR 8,000 for advice, EUR 8,000 for portfolio management and EUR 5,000 for transfer services.
A management-body change notification fee of EUR 2,000 applies. A proposed qualifying-holding acquisition notification fee of EUR 8,000 applies.
Annual CySEC supervision fees include fixed service-based amounts and a variable turnover surcharge. The fixed annual component includes EUR 10,000 for custody, EUR 20,000 for operating a trading platform, EUR 5,000 for exchange, execution, placing, reception and transmission, and transfer services, and EUR 8,000 for advice and portfolio management.
The variable annual surcharge applies where crypto-asset-service turnover exceeds EUR 500,000. The scale is 1 percent, 0.4 percent, 0.3 percent and 0.1 percent across increasing turnover bands. The annual supervisory fee is capped at EUR 500,000.
The fee schedule should be checked before filing because fee instruments may be amended.
Ongoing obligations
A Cyprus CASP must comply with MiCA, applicable EU technical standards, Cyprus competent-authority requirements, AML and sanctions obligations, and Regulation 2023/1113.
Core obligations include governance, management suitability, qualifying-holder controls, own funds or insurance, internal controls, risk management, compliance, complaints handling, conflicts management, outsourcing oversight, business continuity, ICT and security controls, recordkeeping, client disclosures, custody safeguards, trading-platform rules, exchange rules, execution rules, order reception and transmission rules, advice and portfolio-management rules and transfer-service duties.
AML, sanctions, transaction monitoring, travel-rule implementation and restrictive-measures controls should be treated as core licensing and operational controls.
Marketing and cross-border activity
A Cyprus CASP should not describe national registration or transitional status as MiCA authorisation.
A transitional CASP should also avoid assuming that it may serve customers across the EU. During transition, cross-border activity depends on the host Member State’s national law and the host State’s treatment of grandfathering.
A MiCA-authorised CASP can use the MiCA passporting route for cross-border services, subject to the relevant notification process and service scope.
Enforcement risk
Cyprus is not a light-touch route.
CySEC and CBC may exercise the supervisory powers available under MiCA and the Cyprus framework. CySEC has stated that provision of crypto-asset services will no longer be permitted after the end of the transitional period unless the relevant MiCA authorisation is obtained.
The main enforcement risks are operating after 1 July 2026 without MiCA authorisation, presenting national CASP registration as a MiCA licence, using Article 60 without a proper equivalence analysis, ignoring CBC competence, providing EMT-related payment services without assessing CBC authorisation, relying on cross-border grandfathering where the host Member State does not allow it, and launching services outside the authorised scope.
The exact sanction exposure depends on the breach, the responsible authority, the current Cyprus implementing legislation and the facts.
Practical assessment
Cyprus is suitable for firms that want a MiCA authorisation in a jurisdiction with a developed financial-services regulator, published MiCA forms and an established pre-MiCA CASP market.
It is not suitable for firms looking for a paper registration, indefinite grandfathering, or a low-substance continuation of the former AML registration regime.
The main execution risks are choosing the wrong regulator, missing CBC payment-services issues, misclassifying EMT-related flows, treating Article 60 as a general shortcut, underestimating CySEC documentation expectations, relying on transition after the deadline, and failing to prepare AML, transfer-of-funds, governance, ICT, custody, complaints, conflicts and service-specific materials before filing.