MiCA / CASP Authorisation

MiCA generally requires authorisation as a crypto-asset service provider (CASP) if you provide crypto-asset services to EU customers — trading, custody, exchange, advice, and more. As with the other EU regimes, serving European users from abroad doesn’t put you outside it by default.

So the first question is simple to ask and consequential to answer: do your activities fall within MiCA’s defined services, and for EU customers? Confirm this before anything else, because it determines whether the rest of the path applies to you at all.

MiCA’s whole compliance path branches off how your asset is classified, so this is where the work starts — not where it ends. Get it wrong and you build toward the wrong regime entirely.

• Utility token — provides access to a good or service on your platform.
• Asset-referenced token (ART) — aims to hold value by referencing several assets, currencies, or a basket.
• E-money token (EMT) — references a single official currency; the stablecoin-style category.
• Financial instrument — some assets fall under existing financial-markets rules instead of MiCA, with a different rulebook altogether.

Authorisation as a CASP is a substantive application, assessed against requirements that mirror other regulated-firm regimes. The core areas supervisors scrutinise:

• Governance — a sound structure with people genuinely accountable for the firm.
• Capital — meeting the prudential requirements that attach to your services.
• Custody — how client assets are held, segregated, and protected.
• The submission pack — assembled and evidenced the way your chosen authority expects.

Tailor it to your business type. The shape of the application differs by what you are. Exchanges and trading platforms, token issuers running a launch, and RWA / tokenisation platforms each carry their own emphasis and their own pressure points — a one-size pack doesn’t survive review.

MiCA is an EU-wide regime, and authorisation in one member state can passport across the others — which makes where you apply a real strategic decision, not an afterthought. The right home depends on your operations, your timeline, and how a given regulator handles firms like yours.

The aim is to authorise once, well, in a place that lets you serve your actual EU markets — rather than collecting permissions piecemeal or picking a jurisdiction that doesn’t fit how you operate.

CASP authorisation runs alongside AML obligations, including the Travel Rule for crypto transfers. These can’t be bolted on at the end — supervisors expect a credible financial-crime framework as part of the application, and it has to match how your product actually moves value.

Treat AML and Travel-Rule controls as part of the authorisation workstream from the start, coordinated with the rest of your compliance build rather than run as a separate, later project.

MiCA is already in force, and the transitional windows that let unlicensed firms keep operating are closing across member states through 2026 — with some national cut-offs already set. Firms that pass their deadline without authorisation risk having to stop EU activity.

That makes timing as important as substance. Because classification, the application build, and financial-crime alignment all take real time, the firms that move early are the ones that stay live through the transition. Working backwards from the cut-off that binds you is the difference between a planned authorisation and a forced pause.