Detailed overview
Portugal: Banco de Portugal and CMVM MiCA Framework under Law No. 69/2025
Portugal is a full MiCA jurisdiction. The Portuguese framework is based on Regulation 2023/1114 and Law No. 69/2025.
Portugal uses a dual-authority model. Banco de Portugal is the main authority for CASP authorisation, prudential matters, ARTs, EMTs and most CASP operating requirements. CMVM is responsible for crypto-asset offers other than ARTs and EMTs, market abuse, conduct rules, complaints-related matters and specific CASP service rules.
The former Banco de Portugal virtual-asset registration regime is now only relevant for transition. New Portugal-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Regulator
The main filing authority for a standard Portuguese CASP application is Banco de Portugal.
Banco de Portugal receives CASP authorisation applications and Article 60 notifications. It coordinates with CMVM on the parts of the application and notification within CMVM competence.
CMVM is responsible for MiCA Title II, MiCA Title VI, service-specific conduct provisions, and certain client and market-facing obligations.
Banco de Portugal is also the point of contact for cross-border cooperation concerning ART issuers, EMT issuers, CASPs and EBA matters. CMVM is the point of contact for market abuse, crypto-asset offers other than ARTs and EMTs, and ESMA matters.
Other Portuguese and EU regimes may still apply where the activity involves financial instruments, payment services, e-money, e-money tokens, asset-referenced tokens, deposits, funds, insurance products, AML, sanctions, TFR or DORA.
Licensing route
A business that provides crypto-asset services in or from Portugal generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Portugal.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in the service-mapping analysis.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products or other regulated products require separate legal analysis.
Article 63 authorisation
A standard Portuguese CASP applicant applies to Banco de Portugal for MiCA authorisation.
A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.
The application is submitted through SIRES, Banco de Portugal’s supervised-entity information system.
A credible Portuguese application should include a full service map, legal perimeter analysis, Portugal home-state analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, self-hosted-address controls, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.
Banco de Portugal coordinates with CMVM and may request additional information. The file should therefore be prepared for both Banco de Portugal’s prudential and governance review and CMVM’s conduct and market-facing review.
Application process
Banco de Portugal assesses the completeness and quality of the application in coordination with CMVM.
The applicant should submit the application through SIRES, preferably with documents in searchable PDF format.
Banco de Portugal may consult other authorities, including the Insurance and Pension Funds Supervisory Authority and foreign counterpart authorities.
The applicant must be notified of the final decision within 40 working days from receipt of the complete application or requested supplementary information, and in any event not later than 60 working days from receipt of the complete application.
If authorisation is granted, the CASP must inform Banco de Portugal of the start date for providing the authorised services.
The CASP must start activity within 12 months after the authorisation decision. If it does not, the authorisation is revoked.
Before Banco de Portugal adopts a refusal decision or authorisation subject to conditions, the applicant has a right to be heard.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.
The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.
The notification is submitted to Banco de Portugal. Entities supervised by Banco de Portugal submit the notification through SIRES. Entities supervised by CMVM submit the notification to Banco de Portugal by post or hand delivery in durable digital medium, where possible as searchable PDF.
Banco de Portugal assesses completeness in coordination with CMVM.
If the notification is complete, the financial entity may begin providing the notified crypto-asset services. If the notification is incomplete, the entity may not begin providing the relevant services.
A regulated entity must map each proposed crypto-asset service to its existing authorisation and to the MiCA Article 60 equivalence rules.
A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.
Transitional position
Portugal’s MiCA transition is still active but limited.
A legal entity that was registered with Banco de Portugal on 30 December 2024 under the Portuguese AML framework for virtual-asset activities, and that had already begun and communicated those activities, may continue the virtual-asset activities for which it was authorised until 1 July 2026 or until MiCA authorisation is granted or refused, whichever occurs first.
A registered entity that had not begun and communicated activity by 30 December 2024 lost its registration on that date.
Legacy Banco de Portugal registration is not MiCA authorisation and should not be marketed as such.
Transition does not exempt a provider from the MiCA authorisation process. It does not create a simplified authorisation procedure and it is not a decision granting authorisation.
A new Portugal-facing provider should use MiCA authorisation, a valid Article 60 route or a valid MiCA passport.
Passporting and register checks
A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and authorised service scope.
A Portuguese CASP or Article 60 financial entity that wants to provide services in another Member State must submit the required Article 65 information to Banco de Portugal.
A CASP authorised in another EU Member State may provide services in Portugal through the MiCA passport.
A legacy Portuguese virtual-asset registration does not itself create a MiCA passport.
Banco de Portugal, CMVM and ESMA register information should be checked before relying on a provider’s authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.
Costs
Banco de Portugal states that the CASP authorisation process and maintenance of authorisation do not currently have associated costs.
This does not mean that authorisation is cost-free. Applicants should budget for legal, governance, AML, sanctions, TFR, self-hosted-address controls, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.
The fee position should be checked before filing because Banco de Portugal, CMVM or other Portuguese authorities may adopt fee or supervisory-cost rules in the future.
Prudential safeguards
A CASP must maintain MiCA prudential safeguards at all times.
The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.
The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.
Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.
Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.
Class 3 includes class 2 services plus operation of a crypto-asset trading platform.
Where a provider offers services in more than one class, the highest applicable class applies.
Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.
Banco de Portugal is the Portuguese authority responsible for MiCA prudential requirements for CASPs.
AML, TFR and self-hosted addresses
Portuguese CASPs must prepare AML, sanctions, TFR and self-hosted-address controls before filing.
Portuguese AML law now includes CASPs as obliged entities, with definitions linked to MiCA.
CASPs must treat transfers to or from self-hosted addresses as a specific AML/CFT risk area. Enhanced measures should be proportionate to the risk and may include risk-based identification and verification of the originator or recipient, beneficial-owner checks, additional information on the origin and destination of crypto-assets, continuous enhanced monitoring and other risk-mitigation controls.
Policies, procedures and internal controls for restrictive measures in funds and crypto-asset transfers must be integrated into the AML/CFT control framework.
Legacy transitional providers are also treated as CASPs for TFR and AML/CFT purposes during transition.
A Portuguese CASP filing should include AML/CFT risk assessment, customer due diligence, beneficial ownership controls, sanctions screening, transaction monitoring, suspicious-activity escalation, travel-rule procedures, self-hosted-address controls, outsourcing oversight, recordkeeping and staff training.
Complaints and consumer ADR
Portuguese CASPs must prepare complaints and consumer dispute-resolution arrangements.
Banco de Portugal and CMVM must provide procedures for clients and other interested parties to submit complaints about alleged MiCA infringements.
CASPs and ART or EMT issuers must provide consumers with access to effective and adequate out-of-court complaint and dispute-resolution mechanisms.
CASPs must join at least two alternative dispute-resolution entities within three months after starting activity.
CASPs must notify CMVM of the entities joined within 15 days after joining.
Cross-border disputes must be routed to FIN-NET where relevant.
ARTs, EMTs and token issuance
CASP authorisation and token-offer compliance are separate.
MiCA regulates issuance, public offer and admission to trading of crypto-assets as well as CASP activity.
Banco de Portugal is responsible for MiCA Titles III and IV, which cover asset-referenced tokens and e-money tokens.
CMVM is responsible for MiCA Title II, which covers crypto-assets other than ARTs and EMTs.
A CASP licence should not be treated as covering public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.
Stablecoin, wallet, exchange, settlement and payment-like structures should be reviewed separately for EMT, ART, e-money and payment-services implications.
Ongoing obligations
A Portuguese CASP must comply with MiCA, Law No. 69/2025, Law No. 70/2025, Portuguese AML law, Banco de Portugal and CMVM supervisory requirements, sanctions controls, TFR and DORA.
Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, self-hosted-address controls, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.
A CASP should also maintain clear processes for communicating material changes, handling complaints and coordinating with Banco de Portugal and CMVM.
Enforcement risk
Portugal is not a light-touch jurisdiction.
Unauthorised provision of crypto-asset services, provision without the legally required permission or provision outside the authorised scope is a very serious administrative offence.
Very serious offences may attract fines of up to EUR 5,000,000 for legal persons and natural persons. Serious offences may also attract substantial fines.
The maximum fine may be increased by reference to the economic benefit obtained, including avoided losses.
Accessory sanctions may include publication of the decision, restitution of profits obtained or losses avoided, management bans, and bans on own-account trading for responsible persons.
Portuguese authorities may impose precautionary measures, including preventive suspension, conditions on activity, seizure and freezing of values and crypto-assets and preventive closure of establishments where unlawful activity is carried out.
Sanctions decisions may be published on the website of the competent authority.
The main enforcement risks are operating without MiCA authorisation, presenting legacy Banco de Portugal registration as MiCA authorisation, using Article 60 without eligibility or complete notification, providing services outside authorised scope, weak AML or TFR controls, weak self-hosted-address controls, insufficient prudential safeguards, weak governance, inadequate complaint arrangements and misleading authorisation or marketing claims.
Practical assessment
Portugal is now suitable for firms that want MiCA authorisation through an operational national framework with Banco de Portugal as the main filing authority and CMVM involvement for conduct and market-facing matters.
It is not suitable for firms relying on the old statement that Portugal had no MiCA law or no filing route. That position is now outdated.
It is also not suitable for firms looking for automatic conversion from legacy Banco de Portugal registration, indefinite grandfathering or a simplified transition into MiCA.
The main execution risks are incorrect service classification, missing transfer services, treating Article 60 as a general shortcut, relying on transition without meeting the Portuguese conditions, underestimating the Banco de Portugal and CMVM split, failing to evidence prudential safeguards, weak AML or TFR controls, inadequate self-hosted-address procedures, weak complaint and ADR arrangements and filing before governance, custody, outsourcing, ICT, conflicts and service-specific controls are ready.