Detailed overview
Netherlands: AFM and DNB MiCA Framework
The Netherlands is a full MiCA jurisdiction. The Dutch framework is based on Regulation 2023/1114 and Dutch implementation legislation amending the Financial Supervision Act, the Economic Offences Act and AML and transfer-of-funds legislation.
The Dutch Authority for the Financial Markets is the main regulator for crypto-asset service provider authorisation and Article 60 notifications.
De Nederlandsche Bank is responsible for prudential supervision of CASPs, qualifying holdings, and supervision of asset-referenced token and e-money token issuers.
The Netherlands’ transitional regime has expired. New or continuing Netherlands-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Regulator
The main CASP licensing authority is the AFM.
The AFM handles Article 63 CASP licence applications, Article 60 notifications and most regular CASP supervision.
DNB is responsible for regular prudential supervision of CASPs, capital requirements, qualifying holdings, and supervision of ART and EMT issuers.
The AFM is the first point of contact for CASP licence and notification matters. Questions about prudential requirements and qualifying holdings should also involve DNB.
Other Dutch and EU regimes may still apply where the activity involves financial instruments, deposits, payment services, e-money, e-money tokens, asset-referenced tokens, funds, insurance products, AML, sanctions, TFR or DORA.
Licensing route
A business that provides crypto-asset services in or from the Netherlands generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into the Netherlands.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in the service-mapping analysis.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products or other regulated products require separate legal analysis.
Article 63 authorisation
A standard unregulated Dutch CASP applicant applies to the AFM for MiCA authorisation.
A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.
A credible Dutch application should include a full service map, legal perimeter analysis, Netherlands home-state analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, self-hosted-address controls, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.
The application is submitted securely to the AFM through Cryptshare.
The AFM acknowledges receipt within five working days. The AFM then performs a completeness check. The statutory completeness period is 25 working days. If information is missing, the AFM may request it and set a deadline. Applications that remain incomplete may be refused for review.
After the application is complete, the statutory assessment period starts. The assessment period is 40 working days. The AFM may request additional information within that period. The AFM then decides whether to grant or refuse the licence and notifies the applicant.
The total statutory period is around five months in a best-case scenario, but practical timing often takes longer where the file is complex, incomplete or requires organisational changes.
Pre-scan
The AFM offers an optional pre-scan for companies preparing a CASP licence application.
The pre-scan is not a substitute for formal authorisation and does not produce approval. It is intended to make the application process more efficient and to build mutual understanding of important issues.
A party should use the pre-scan only if it has determined that its activities fall within MiCA, is certain that it will apply in the Netherlands and is sufficiently advanced to discuss MiCA compliance policies.
The pre-scan can be useful for complex custody, exchange, trading-platform, outsourcing, governance, asset-segregation, DORA, EMT or cross-border models.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.
The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.
The financial entity must notify the AFM before first providing the relevant crypto-asset services.
The AFM acknowledges receipt within five working days, conducts a completeness check and may request missing information. The statutory notification period is 40 working days. The AFM may set a deadline of up to 20 working days for missing information.
The entity may not start providing the crypto-asset services while the notification is incomplete.
A regulated entity must map each proposed crypto-asset service to its existing authorisation and to the MiCA Article 60 equivalence rules.
A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.
Transitional position
The Dutch MiCA transition has expired.
Firms registered with DNB before 30 December 2024 as providers of exchange between virtual and regular currencies or providers of custodian wallet services could rely on the Dutch transition only until 30 June 2025.
The Dutch transitional regime ended on 30 June 2025.
There is no simplified MiCA authorisation procedure in the Netherlands for legacy DNB-registered providers.
Prior information assessed by DNB under the old AML registration regime may reduce reassessment of specific matters in some cases, but it does not create a simplified authorisation route.
Legacy DNB registration is not MiCA authorisation and should not be marketed as such.
New or continuing Netherlands-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Passporting and register checks
A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and authorised service scope.
A Dutch CASP that wants to provide cross-border services must submit the Article 65 notification information to the AFM. The AFM then informs the host Member State authority, ESMA and EBA.
The AFM does not charge for outgoing passport notifications.
A Dutch CASP may start providing services in another Member State from receipt of the notification, or no later than 15 calendar days after submitting the correct information to the AFM.
A legacy Dutch VASP registration does not create a MiCA passport.
The AFM crypto register lists CASPs that have obtained authorisation or notification from the AFM or another EU supervisory authority and are permitted to offer specified services in the Netherlands.
AFM and ESMA register information should be checked before relying on a provider’s authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.
Costs
Dutch CASP fees are time-based.
The AFM charges EUR 200 per hour for processing a CASP licence application, capped at EUR 100,000.
The AFM charges EUR 200 per hour for processing an Article 60 CASP notification, capped at EUR 50,000.
Fit-and-proper testing also attracts fees. The properness assessment fee is EUR 700 per person. The standard suitability assessment fee is EUR 2,900 per person.
Reduced suitability fees may apply where an individual was previously assessed by DNB under the former AMLD5 registration regime and the conditions for the reduced fee are met.
These fees are not the full cost of authorisation. Applicants should also budget for legal, governance, AML, sanctions, TFR, self-hosted-address controls, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.
The fee framework should be checked before filing because Dutch fee rules may be amended.
Prudential safeguards
A CASP must maintain MiCA prudential safeguards at all times.
The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.
The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.
Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.
Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.
Class 3 includes class 2 services plus operation of a crypto-asset trading platform.
Where a provider offers services in more than one class, the highest applicable class applies.
Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.
DNB is the primary Dutch prudential contact for capital requirements and qualifying-holding matters.
AML, Wwft, sanctions and TFR
Dutch CASPs must prepare AML, sanctions, TFR and self-hosted-address controls before filing.
The Dutch AML framework now covers providers of crypto-asset services by reference to MiCA, with the exception of advice on crypto-assets for the specific Dutch AML definition.
The old separate Dutch categories for custodian wallet providers and fiat-crypto exchange providers have been replaced.
Core controls include customer due diligence, beneficial ownership analysis, AML and terrorist-financing risk assessment, sanctions screening, transaction monitoring, suspicious-activity escalation, travel-rule procedures, treatment of self-hosted addresses, outsourcing oversight, recordkeeping and staff training.
For transfers to or from self-hosted addresses, CASPs must have internal policies, procedures and controls to identify and assess AML and terrorist-financing risks and must take proportionate risk-mitigation measures. These may include risk-based identification and verification, additional information on the origin and destination of crypto-assets, enhanced monitoring and other risk-mitigation steps.
CASPs also have reporting obligations relating to sanctions, TFR, suspicious transactions or orders, DORA incidents and material changes.
DORA and ICT
DORA and ICT readiness are central to Dutch CASP authorisation.
CASPs are within the scope of DORA. The AFM expects applicants to prepare for DORA and to include ICT, security, business continuity and operational-resilience materials in the application.
A Dutch CASP application should include ICT governance, cybersecurity controls, incident-management procedures, business-continuity planning, DORA mapping, ICT third-party risk assessment, outsourcing oversight and operational-resilience evidence.
After authorisation, serious ICT-related incidents, new ICT service-provider agreements and cyber threats must be reported through the AFM Portal.
Custody and asset segregation
Dutch custody and wallet models require careful legal and operational segregation analysis.
There is no Dutch crypto-specific statutory segregation framework equivalent to the securities-bank-giro framework for banks and investment firms.
CASPs in the Netherlands often use a separate entity, frequently a foundation, to segregate client crypto-assets and funds from the CASP’s own assets.
The separate entity should act solely in clients’ interests, and the CASP should remain responsible and liable for custody and management. The arrangement should be reflected in the CASP’s risk and control procedures.
A Dutch custody, wallet, exchange or transfer model should address legal structure, custody agreement, bankruptcy scenario, register of positions, reconciliation, powers of attorney, conflicts, liability and operational controls.
PSD2 and EMT activity
EMT-related activity should be analysed separately.
A CASP may need an additional PSD2 licence if it provides certain payment services involving e-money tokens.
A PSD2 licence or partnership with an authorised payment service provider is required where a CASP provides EMT transfer services on behalf of clients.
A PSD2 licence or PSP partnership is also required where custody and administration of EMTs involves a wallet that enables sending and receiving EMTs to and from third parties, making the service a payment service and the wallet a payment account.
DNB is the primary Dutch supervisor for PSD2 scope issues.
Wallets, EMT transfers, EMT custody, settlement models, payment-like flows and client-balance models should be assessed for payment institution, e-money institution or PSP-partnering requirements in addition to MiCA.
Token issuance and white papers
CASP authorisation and token-offer compliance are separate.
White papers for crypto-assets other than ARTs and EMTs must be notified where MiCA requires notification. Operators of trading platforms must ensure that white papers for relevant crypto-assets admitted to trading before 30 December 2024 are drawn up, notified and published by 30 December 2027.
White-paper obligations for crypto-assets other than ARTs and EMTs admitted after 30 December 2024 apply without a transitional period.
White paper notification and approval are free of charge in the Netherlands.
Title II and Title IV white papers are notified rather than approved. Marketing statements implying authority approval can be incorrect or misleading.
A CASP licence should not be treated as covering public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.
Ongoing obligations
A Dutch CASP must comply with MiCA, Dutch implementation law, AFM and DNB supervisory requirements, the Dutch AML framework, sanctions rules, TFR and DORA.
Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, self-hosted-address controls, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.
CASPs must immediately inform the AFM of material changes to the circumstances under which the licence was granted. Changes may include business operations, services, shareholders, legal form, articles of association, outsourcing or termination of outsourcing.
Enforcement risk
The Netherlands is not a light-touch jurisdiction.
The Dutch supervisor may prohibit or suspend crypto-asset services, offers, trading and advertising.
The supervisor may require immediate cessation of unauthorised crypto-asset services without prior warning or deadline.
The supervisor may require transfer of existing contracts, require amendments to white papers or advertising, publish non-compliance and require rectification of incorrect or misleading information.
The supervisor may also require online-interface measures, including content removal, access restriction, hosting-provider blocking or domain-name measures.
Dutch law also incorporates MiCA infringements into administrative fine categories and the Economic Offences Act. Management-function bans may apply for serious MiCA infringements.
The main enforcement risks are operating without MiCA authorisation, relying on expired DNB VASP registration, presenting legacy status as MiCA authorisation, using Article 60 without eligibility or a complete notification, providing services outside authorised scope, weak AML or TFR controls, weak self-hosted-address controls, weak DORA readiness, custody segregation failures, ignoring PSD2 or EMT overlap and misleading authorisation or marketing claims.
Practical assessment
The Netherlands is suitable for firms that want MiCA authorisation through a sophisticated EU financial market with a clear AFM and DNB twin-peaks model, operational AFM application process and mature supervisory expectations.
It is not suitable for firms looking for a paper registration, continued reliance on DNB legacy registration, a simplified VASP-to-CASP conversion or a low-substance market-entry route.
The main execution risks are incorrect service classification, missing transfer services, treating Article 60 as a general shortcut, relying on expired transition, underestimating AFM and DNB documentation expectations, failing fit-and-proper review, inadequate prudential evidence, weak AML or TFR controls, insufficient self-hosted-address controls, weak DORA or ICT evidence, problematic custody segregation, PSD2 or EMT issues and filing before governance, complaints, conflicts, outsourcing and service-specific controls are ready.