Detailed overview
Luxembourg: CSSF MiCA Authorisation under the Law of 6 February 2025
Luxembourg is a full MiCA jurisdiction. The Luxembourg framework is based on Regulation 2023/1114 and the Luxembourg Law of 6 February 2025.
The Commission de Surveillance du Secteur Financier is the Luxembourg competent authority under MiCA. The CSSF is the main regulator for crypto-asset service provider authorisation, Article 60 notifications, MiCA supervision, Transfer of Funds Regulation supervision and enforcement.
Luxembourg’s legacy VASP regime is now only a transitional route for qualifying providers registered before 30 December 2024. New Luxembourg-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Regulator
The main regulator is the CSSF.
The CSSF receives CASP authorisation applications, receives Article 60 notifications from eligible financial entities, supervises authorised providers, maintains national register information and exercises MiCA supervisory powers.
The CSSF is also the Luxembourg competent authority for Regulation 2023/1113 on information accompanying transfers of funds and certain crypto-assets.
Other Luxembourg and EU regimes may still apply where the activity involves banking, payment services, e-money, asset-referenced tokens, e-money tokens, financial instruments, funds, deposits, insurance products, AML, sanctions, TFR or DORA.
Licensing route
A business that provides crypto-asset services in or from Luxembourg generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Luxembourg.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in the service-mapping analysis.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products or other regulated products require separate legal analysis.
Article 63 authorisation
A standard unregulated Luxembourg CASP applicant applies to the CSSF for MiCA authorisation.
A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.
The CSSF expects prospective applicants to contact it before filing. The CSSF may organise an initial meeting to discuss the proposed business model, service map and application approach.
A credible Luxembourg application should include a full service map, legal perimeter analysis, Luxembourg home-state analysis, programme of operations, business plan, diagrams showing client fund and crypto-asset flows through accounts and wallets, information on business partners and service providers, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.
The formal application is submitted through the CSSF MFT system. The applicant must keep the information true, complete, not misleading and up to date, and must inform the CSSF of material changes without undue delay.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.
The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.
A financial entity must notify the CSSF before first providing the relevant crypto-asset services and must provide the information required under MiCA and the applicable EU technical standards.
A regulated entity must map each proposed crypto-asset service to its existing authorisation and to the MiCA Article 60 equivalence rules.
A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.
Transitional position
Luxembourg’s MiCA transition is still active, but only for qualifying legacy VASPs.
A VASP registered with the CSSF before 30 December 2024 may continue to provide the services for which it was registered until 1 July 2026 or until MiCA authorisation is granted or refused, whichever occurs earlier.
No new VASP registration is possible under the Luxembourg Law of 6 February 2025.
VASP status is not MiCA authorisation and should not be marketed as such. CSSF supervision of legacy VASPs was limited to AML and counter-terrorist-financing matters.
A new Luxembourg-facing provider should use MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Passporting and register checks
A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and authorised service scope.
A CASP authorised in another EU Member State may provide services in Luxembourg through the MiCA passport where the relevant notification has been made.
A legacy Luxembourg VASP registration does not itself create a MiCA passport.
Authorised or registered entities are published in the CSSF national register and in the ESMA register. CSSF and ESMA register information should be checked before relying on a provider’s authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.
Costs
CSSF MiCA fees apply.
The current CSSF fee framework lists EUR 30,000 for authorisation of a new CASP.
Where the applicant is already authorised by the CSSF under another provision, the authorisation fee is EUR 15,000.
The fee for extension of CASP authorisation is EUR 8,000.
The fee for an Article 60 notification is EUR 8,000.
Annual CSSF fees also apply. The current annual lump sum is EUR 40,000 for a Luxembourg-law CASP. Where the CASP is already authorised by the CSSF under another provision, the annual amount is EUR 25,000. A former VASP authorised as a CASP pays EUR 25,000 in the calendar year of authorisation. Operating a crypto-asset trading platform attracts an additional annual fee of EUR 25,000. A significant CASP pays an additional annual fee of EUR 20,000.
These amounts are not the full cost of authorisation. Applicants should also budget for legal, governance, AML, sanctions, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.
The fee framework should be checked before filing because CSSF fee rules may be amended.
Prudential safeguards
A CASP must maintain MiCA prudential safeguards at all times.
The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.
The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.
Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.
Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.
Class 3 includes class 2 services plus operation of a crypto-asset trading platform.
Where a provider offers services in more than one class, the highest applicable class applies.
Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.
Governance and suitability
Luxembourg applicants should prepare suitability materials early.
The CSSF applies the relevant EBA and ESMA suitability framework for management-body members, key function holders, shareholders and qualifying holders.
The application should evidence good repute, competence, experience, time commitment, governance role, conflicts management, source of funds and group transparency where relevant.
A group structure with complex ownership, third-country links, extensive outsourcing or unclear control rights is likely to require additional explanation.
AML, TFR and DORA
Luxembourg CASPs must prepare AML, sanctions, TFR and ICT controls before filing.
The Luxembourg Law of 6 February 2025 implements the recast Transfer of Funds Regulation into Luxembourg law. The CSSF has also adopted the EBA Guidelines on information requirements for transfers of funds and certain crypto-assets.
Core controls include customer due diligence, beneficial ownership analysis, AML risk assessment, sanctions screening, transaction monitoring, suspicious-activity escalation, travel-rule procedures, treatment of self-hosted addresses where relevant, outsourcing oversight, recordkeeping and staff training.
DORA and ICT readiness are also central. A Luxembourg application should include ICT governance, security documentation, incident management, business continuity, outsourcing controls and operational-resilience evidence.
Legacy VASP AML status does not replace MiCA authorisation or full CASP compliance.
ARTs, EMTs and token issuance
CASP authorisation and token-offer compliance are separate.
A CASP licence does not itself cover public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.
Luxembourg has separate CSSF fee entries for white papers for crypto-assets other than ARTs and EMTs, ART issuer authorisation, ART white-paper approval or notification and EMT white-paper notification.
There is no EMT transition equivalent to the VASP transition. Services involving ARTs or EMTs should be reviewed before launch, and non-compliant ARTs or EMTs should not be offered or supported.
Stablecoin, wallet, exchange, settlement and payment-like structures should be reviewed separately for EMT, ART, e-money and payment-services implications.
Ongoing obligations
A Luxembourg CASP must comply with MiCA, Luxembourg implementation law, CSSF supervisory requirements, AML and counter-terrorist-financing obligations, sanctions controls, TFR and DORA.
Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.
A CASP must keep information submitted to the CSSF current and must communicate material changes without undue delay.
Enforcement risk
Luxembourg is not a light-touch jurisdiction.
The CSSF may request information, suspend crypto-asset services, prohibit crypto-asset services, require publication of essential information, publicly disclose non-compliance, require transfer of client contracts after withdrawal of authorisation and order immediate cessation where unauthorised crypto-asset services are suspected.
The CSSF may also require online-interface measures, including removal of content, restriction of access, deletion of a domain name or steps preventing registration of a new domain name.
Sanctions may include warnings, reprimands, public statements, cease-and-desist orders, benefit-based sanctions, management bans and monetary penalties.
For CASP-related MiCA breaches, natural-person fines may reach EUR 700,000. Legal-person fines may reach EUR 5,000,000 or, for relevant CASP infringements, 5 percent of annual turnover.
CSSF sanctions decisions may be appealed to the Administrative Tribunal within one month.
The main enforcement risks are operating without MiCA authorisation, relying on VASP status beyond the limited transition, presenting VASP registration as MiCA authorisation, using Article 60 without eligibility, providing services outside authorised scope, weak AML or TFR controls, weak DORA readiness, inadequate custody or segregation arrangements and misleading marketing or authorisation claims.
Practical assessment
Luxembourg is suitable for firms that want MiCA authorisation in a major EU financial centre with an experienced financial-sector regulator, a structured pre-application process and clear CSSF application mechanics.
It is not suitable for firms looking for a light registration, automatic conversion from VASP status, indefinite grandfathering or a low-substance gateway.
The main execution risks are incorrect service classification, missing transfer services, treating Article 60 as a general shortcut, relying on VASP transition without meeting the Luxembourg conditions, underestimating CSSF documentation expectations, failing to evidence prudential safeguards, overlooking ART or EMT issues and filing before AML, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts and service-specific controls are ready.