Licentium

Licensing Hub

Spain

Full MiCA jurisdiction with a dual-authority model. CNMV authorises and supervises CASPs (Titles II, V, VI); Banco de España covers ARTs, EMTs and PSD2 overlap (Titles III, IV).

Available licences

CNMV MiCA Crypto-Asset Service Provider Authorisation

CNMV authorisation under MiCA Article 63 for standard CASPs. CNMV is the competent authority for MiCA Titles II, V and VI in Spain: ordinary CASP authorisation, Article 60 notifications, crypto-asset offers other than ARTs and EMTs, most CASP supervision and market-abuse matters. CNMV has published a CASP authorisation application form. Applicant must have registered office in an EU Member State where it carries out at least part of its services, effective management in the EU and at least one EU-resident director. CNMV has stated that applications submitted late in the transitional period will still be reviewed with normal rigour.

Banco de España MiCA Competence (ARTs, EMTs and PSD2 Overlap)

Banco de España is the competent authority for MiCA Titles III and IV (asset-referenced tokens and e-money tokens) and has an important role where EMT-related activity overlaps with payment services and PSD2. Banco de España has stated that e-money tokens are electronic money under MiCA and funds under PSD2. A CASP that provides payment services with EMTs must obtain PSD2 authorisation in addition to MiCA CASP authorisation or partner with an authorised payment service provider. For providers already carrying out relevant EMT payment services, the deadline to request PSD2 authorisation ended on 2 March 2026.

CNMV Article 60 Notification (Eligible Financial Entities)

Notification route for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and AIFMs. CNMV has published an Article 60 notification form. Banco de España may also be relevant where the entity or activity triggers e-money, payment-services, ART or EMT analysis. Non-equivalent services still require full CASP authorisation.

Spanish Marketing, Referrals, Agents and Transitional Sub-Custody Rules

MiCA does not provide for agents acting in the name and on behalf of a CASP. A provider is authorised to market crypto-asset services only where it is authorised as a CASP and includes at least the service of reception and transmission of orders in its authorised scope. Third parties may be used for purely advertising activity but should not perform professional client acquisition or regulated marketing unless authorised. Referral programmes may be possible only where they are limited client reward campaigns, have very limited impact and do not amount to professional activity. A Spanish CASP may use a Banco de España-registered VASP as sub-custodian during the transition only under limited conditions, valid only while the Spanish transition lasts unless the sub-custodian obtains MiCA CASP authorisation.

MiCA Prudential Safeguards, AML/CFT, TFR, DORA and Enforcement Compliance

MiCA prudential safeguards maintained at all times: EUR 50,000 (class 1), EUR 125,000 (class 2), EUR 150,000 (class 3). Spanish CASPs must prepare AML, sanctions, TFR and ICT controls before filing; DORA and ICT readiness are central. New Spanish offers of crypto-assets other than stablecoins may require prior notification to CNMV and a white paper. CASP-related MiCA breaches sanctionable under Spanish financial-markets law. Unauthorised CASP activity, activity outside the authorised scope or non-occasional unauthorised provision can be treated as very serious. Very serious breaches: legal-person fines up to EUR 5,000,000 or 5 percent of annual turnover; natural-person fines up to EUR 700,000. Temporary management-function bans possible. CNMV publishes sanctions decisions.

Detailed overview

Spain: CNMV and Banco de España MiCA Framework

Spain is a full MiCA jurisdiction. The Spanish framework is based on Regulation 2023/1114, Spanish financial-markets legislation and official CNMV and Banco de España supervisory materials.

Spain uses a dual-authority model. CNMV is the main regulator for ordinary crypto-asset service provider authorisation and supervision. Banco de España is responsible for asset-referenced token and e-money token issuer matters and is also relevant where e-money tokens create payment-services issues under PSD2.

Spain's MiCA transition remains active until 1 July 2026, but only for qualifying pre-MiCA providers. New Spain-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.

Regulator

The main regulator for a standard Spanish CASP application is CNMV.

CNMV is the competent authority for MiCA Titles II, V and VI in Spain. This includes ordinary CASP authorisation, Article 60 notifications, crypto-asset offers other than ARTs and EMTs, most CASP supervision and market-abuse matters.

Banco de España is the competent authority for MiCA Titles III and IV. This includes asset-referenced tokens and e-money tokens. Banco de España also has an important role where EMT-related activity overlaps with payment services and PSD2.

Other Spanish and EU regimes may still apply where the activity involves banking, payment services, e-money, e-money tokens, asset-referenced tokens, financial instruments, deposits, funds, insurance products, AML, sanctions, TFR or DORA.

Licensing route

A business that provides crypto-asset services in or from Spain generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Spain.

The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.

Transfer services are a separate MiCA service and should be included in the service-mapping analysis.

The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products, excluded NFTs or other regulated products require separate legal analysis.

Article 63 authorisation

A standard unregulated Spanish CASP applicant applies to CNMV for MiCA authorisation.

A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.

CNMV has published a CASP authorisation application form. Applicants should check the current CNMV forms and manuals immediately before filing because CNMV materials may be updated.

A credible Spanish application should include a full service map, legal perimeter analysis, Spain home-state analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.

CNMV has stated that applications submitted late in the transitional period will still be reviewed with normal rigour. A provider should not assume that a late filing will allow it to continue operating after the transition ends.

Article 60 notification

Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.

The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.

CNMV has published an Article 60 notification form. Applicants should check the current CNMV notification model immediately before filing because CNMV materials may be updated.

A regulated entity must map each proposed crypto-asset service to its existing authorisation and to the MiCA Article 60 equivalence rules.

A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.

Banco de España may also be relevant where the entity or activity triggers e-money, payment-services, ART or EMT analysis.

Transitional position

Spain's MiCA transition ends on 1 July 2026.

A provider that provided crypto-asset services in Spain in accordance with applicable law before 30 December 2024 may continue during the Spanish transition only within the applicable transitional perimeter and only until 1 July 2026 or until MiCA authorisation is granted or refused, whichever occurs first.

The Banco de España VASP register stopped accepting new registrations when MiCA applied on 30 December 2024. The register remains relevant for verifying entities that were registered for AML and counter-terrorist-financing purposes before MiCA.

Legacy Banco de España VASP registration is not MiCA authorisation and should not be marketed as such.

A non-Spanish provider relying on transition in another Member State does not have a MiCA passport into Spain merely because of that transitional status.

A new Spain-facing provider should use MiCA authorisation, a valid Article 60 route or a valid MiCA passport.

Passporting and register checks

A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and authorised service scope.

A CASP authorised in another EU Member State may provide services in Spain through the MiCA passport.

A Spanish legacy VASP registration does not itself create a MiCA passport.

CNMV publishes a list of crypto-asset service providers, and ESMA centralises EU MiCA authorisation information. CNMV, Banco de España where relevant, and ESMA register information should be checked before relying on a provider's authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.

Marketing, referrals and agents

Spain-facing marketing and referral models need careful review.

MiCA does not provide for agents acting in the name and on behalf of a CASP.

A provider is authorised to market crypto-asset services only where it is authorised as a CASP and includes at least the service of reception and transmission of orders in its authorised scope.

Third parties may be used for purely advertising activity, but they should not perform professional client acquisition or regulated marketing of crypto-asset services unless authorised.

Referral programmes may be possible only where they are limited client reward campaigns, have very limited impact and do not amount to professional activity.

A Spain-facing CASP should review affiliates, introducers, influencers, call centres, local representatives, referral campaigns and marketing partners before launch.

Sub-custody during transition

A Spanish CASP may use a Banco de España-registered VASP as sub-custodian during the transition only under limited conditions.

That arrangement is valid only while the Spanish transition lasts, unless the sub-custodian obtains MiCA CASP authorisation.

A custody, wallet, exchange, transfer or settlement model should not rely on a legacy VASP sub-custodian as a long-term structure after transition.

Sub-custody arrangements should also be reviewed for custody, outsourcing, operational-risk, AML, TFR, segregation and client-disclosure requirements.

PSD2 and EMT activity

EMT-related activity should be analysed separately.

Banco de España has stated that e-money tokens are electronic money under MiCA and funds under PSD2. This creates overlap between crypto-asset services and payment services.

A CASP that provides payment services with EMTs must obtain PSD2 authorisation in addition to MiCA CASP authorisation or partner with an authorised payment service provider.

For providers already carrying out relevant EMT payment services, the deadline to request PSD2 authorisation ended on 2 March 2026.

A Spain-facing CASP with EMT transfers, EMT custody, wallets, settlement models, payment-like flows or client-balance functionality should assess PSD2, e-money and PSP-partnering requirements before launch.

Costs

A fixed Spanish CASP authorisation fee was not verified from official sources in this session.

Applicants should check current CNMV and Banco de España fee materials immediately before filing.

Even where public regulatory fees are limited or unclear, the total cost of authorisation can be substantial. Applicants should budget for legal, governance, AML, sanctions, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.

Prudential safeguards

A CASP must maintain MiCA prudential safeguards at all times.

The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.

The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.

Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.

Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.

Class 3 includes class 2 services plus operation of a crypto-asset trading platform.

Where a provider offers services in more than one class, the highest applicable class applies.

Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.

AML, TFR and DORA

Spanish CASPs must prepare AML, sanctions, TFR and ICT controls before filing.

Core controls include customer due diligence, beneficial ownership analysis, AML and terrorist-financing risk assessment, sanctions screening, transaction monitoring, suspicious-activity escalation, travel-rule procedures, outsourcing oversight, recordkeeping and staff training.

DORA and ICT readiness are also central. A Spanish application should include ICT governance, cybersecurity controls, incident-management procedures, business-continuity planning, outsourcing controls, wallet and custody technology controls, operational-resilience evidence and ICT third-party risk management.

CNMV supervisory reporting should also be considered. CNMV may require information on activity, financial and prudential position, auditors' reports, crypto-asset services, investment services and other data needed to perform its supervisory functions.

Token issuance and white papers

CASP authorisation and token-offer compliance are separate.

New Spanish offers of crypto-assets other than stablecoins may require prior notification to CNMV and a white paper. A white paper is also required where a crypto-asset is admitted to trading under MiCA.

ARTs and EMTs have separate MiCA treatment. Banco de España is the Spanish authority for Titles III and IV, including ART and EMT issuer matters.

A CASP licence should not be treated as covering public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.

Stablecoin, wallet, exchange, settlement and payment-like structures should be reviewed separately for EMT, ART, e-money and payment-services implications.

Ongoing obligations

A Spanish CASP must comply with MiCA, Spanish financial-markets legislation, CNMV supervisory requirements, Banco de España requirements where relevant, AML and counter-terrorist-financing obligations, sanctions controls, TFR and DORA.

Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.

A CASP should also maintain processes for reporting to CNMV, communicating material changes and responding to supervisory information requests.

Enforcement risk

Spain is not a light-touch jurisdiction.

CASP-related MiCA breaches are sanctionable under Spanish financial-markets law.

Unauthorised CASP activity, activity outside the authorised scope or non-occasional unauthorised provision can be treated as very serious.

For serious MiCA breaches, sanctions may include a public statement, a cease order and fines. For very serious breaches, legal-person fines may reach EUR 5,000,000 or, for CASP-related breaches, 5 percent of annual turnover. Natural-person fines may reach EUR 700,000.

CASP-related breaches may also result in a temporary ban preventing responsible management-body members or other responsible natural persons from exercising management functions in a CASP.

Sanctions decisions may be published on the CNMV website.

The main enforcement risks are operating without MiCA authorisation, relying on legacy VASP registration beyond transition, presenting VASP status as MiCA authorisation, using Article 60 without eligibility, providing services outside authorised scope, using unauthorised third parties for marketing or client acquisition, ignoring PSD2 and EMT overlap, weak AML or TFR controls, weak DORA readiness, inadequate custody or segregation controls and misleading authorisation or marketing claims.

Practical assessment

Spain is suitable for firms that want MiCA authorisation in a major EU market with CNMV as the main CASP regulator and a defined Banco de España role for ARTs, EMTs and payment-services overlap.

It is not suitable for firms looking for a paper registration, automatic conversion from Banco de España VASP status, indefinite grandfathering or informal reliance on another Member State's transition.

The main execution risks are incorrect service classification, missing transfer services, treating Article 60 as a general shortcut, relying on transition without meeting Spanish conditions, filing too late before the 1 July 2026 backstop, using unauthorised marketing or referral structures, relying on transitional sub-custody after transition, ignoring EMT and PSD2 issues, failing to evidence prudential safeguards and filing before AML, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts and service-specific controls are ready.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started