Detailed overview
Germany: BaFin MiCA Supervision under the German Markets in Crypto-Assets Act (KMAG)
Germany is a full MiCA jurisdiction. The German framework is based on Regulation 2023/1114 and the German Financial Market Digitalisation Act package, including the German Act on the Supervision of Markets in Crypto-Assets.
The German Federal Financial Supervisory Authority, BaFin, is the competent authority for MiCA supervision in Germany.
Germany should not be treated as a continuing pre-MiCA crypto custody or legacy licence jurisdiction. The German grandfathering period has expired. Germany-facing crypto-asset service activity now requires MiCA authorisation, a valid Article 60 notification route, or a valid MiCA passport.
Regulator
The main regulator is BaFin.
BaFin is the German competent authority under MiCA. It receives and assesses CASP authorisation applications, receives Article 60 notifications, supervises authorised providers and exercises German MiCA supervisory powers.
Other German and EU regimes may still apply where the activity involves banking, payment services, e-money, asset-referenced tokens, e-money tokens, crypto-securities, qualified crypto custody, fund units, financial instruments, AML, sanctions, TFR or DORA.
Licensing route
A business that provides crypto-asset services in or from Germany generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Germany.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in the service-mapping analysis.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, crypto-securities, fund units, deposits, structured deposits, payment instruments, non-MiCA e-money arrangements, insurance products or other regulated products require separate legal analysis.
Article 63 authorisation
A standard unregulated German CASP applicant applies to BaFin for MiCA authorisation.
A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.
BaFin expects the applicant to use the standard MiCA authorisation form and evidence compliance with the authorisation requirements in the application.
A credible German application should include a full service map, legal perimeter analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.
BaFin assesses whether the application is complete and may require additional information. The practical timing depends heavily on file quality, ownership structure, service scope, outsourcing, AML/TFR controls, ICT readiness, custody model and market-abuse controls.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.
The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, e-money institutions, UCITS management companies and alternative investment fund managers.
The financial entity must notify BaFin at least 40 working days before first providing the relevant crypto-asset services.
The notification package must include detailed information on the proposed services, programme of operations, AML and counter-terrorist-financing controls, business continuity, ICT and security, client-asset segregation and service-specific arrangements.
A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.
Transitional position
Germany’s MiCA transitional period has expired.
Germany applied a 12-month grandfathering period. Old-law permissions lapsed no later than 31 December 2025.
Legacy German permission is not a current substitute for MiCA authorisation. A provider should not market old crypto custody permission, transition status or a pending transition file as MiCA authorisation.
A new Germany-facing provider must use MiCA authorisation, a valid Article 60 route, or a valid MiCA passport.
The simplified procedure was a legacy transition route for specified pre-MiCA German-regulated firms. It is not a general market-entry route for new applicants.
Passporting and register checks
A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and service scope.
A legacy German permission or transitional status does not provide a MiCA passport.
BaFin and ESMA register information should be checked before relying on a provider’s authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.
Costs
BaFin fees are time-based.
The current German fee schedule lists the fee for CASP authorisation, Article 60 notification and authorisation extension as charged according to time spent.
This means the public filing fee is not a fixed simple amount. Applicants should budget for BaFin time-based fees as well as legal, governance, AML, sanctions, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.
The fee schedule should be checked before filing because German fee rules may be amended.
Prudential safeguards
A CASP must maintain MiCA prudential safeguards at all times.
The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.
The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.
Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.
Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.
Class 3 includes class 2 services plus operation of a crypto-asset trading platform.
Where a provider offers services in more than one class, the highest applicable class applies.
Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.
AML, TFR and DORA
German CASPs are within the German AML framework.
Germany’s Money Laundering Act treats providers of crypto-asset services and certain asset-referenced token issuers as obliged entities. CASPs must therefore build AML and counter-terrorist-financing controls into the business before filing.
Core controls include customer due diligence, beneficial ownership analysis, risk assessment, AML officer arrangements where required, sanctions screening, transaction monitoring, suspicious activity reporting, recordkeeping, TFR travel-rule procedures, treatment of self-hosted addresses, outsourcing oversight and staff training.
DORA and ICT readiness are also central. A German CASP application should include ICT governance, security documentation, incident management, business continuity, outsourcing controls and operational-resilience evidence.
Crypto custody and adjacent German regimes
Germany has important adjacent regimes.
MiCA CASP authorisation does not automatically resolve every German digital-asset perimeter issue.
A business involving crypto-securities, crypto fund units, qualified crypto custody, payment services, e-money, banking activity, tokenised securities or financial instruments may require separate analysis under German and EU law.
Wallet, custody, settlement, trading, tokenisation and securities-register models should be reviewed before launch.
Ongoing obligations
A German CASP must comply with MiCA, KMAG, applicable German supervisory requirements, the German Money Laundering Act, TFR, DORA and applicable sanctions rules.
Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.
Enforcement risk
Germany is not a light-touch jurisdiction.
BaFin may suspend or prohibit crypto-asset services where there is suspected or established breach of MiCA or German law. BaFin may also intervene where an eligible financial entity provides crypto-asset services without submitting the required Article 60 information before commencement.
German law contains criminal provisions for specified MiCA breaches, including unauthorised provision of crypto-asset services contrary to MiCA Article 59.
German law also contains administrative-offence provisions for MiCA breaches, including Article 59 and Article 60 matters. MiCA requires Member States to provide administrative measures such as public statements, cease-and-desist orders, benefit-based fines, natural-person fines and legal-person fines.
The main enforcement risks are operating without MiCA authorisation, continuing after the expiry of the German transition without authorisation, presenting old-law permission as a MiCA licence, using Article 60 without eligibility or complete notification, providing services outside authorised scope, weak AML or TFR controls, weak DORA readiness, and misleading marketing or authorisation claims.
Practical assessment
Germany is suitable for firms that want MiCA authorisation in a major EU financial centre with an experienced financial supervisor and a developed pre-MiCA crypto regulatory history.
It is not suitable for firms looking for a paper registration, indefinite grandfathering, continued reliance on old German crypto custody permission, or a low-substance entry route.
The main execution risks are incorrect service classification, missing transfer services, underestimating BaFin documentation expectations, treating Article 60 as a general shortcut, failing to evidence prudential safeguards, relying on expired transition, overlooking qualified crypto custody or crypto-securities issues, and filing before AML, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts and service-specific controls are ready.