What is a CASP under MiCA?
A CASP is a crypto-asset service provider authorised under MiCA to offer one or more regulated crypto-asset services in the EU. The term comes from Title V of Regulation (EU) 2023/1114, and it replaces the patchwork of national VASP registrations that member states ran before. If your firm holds client crypto, runs a trading venue, or moves crypto for others, MiCA treats you as a CASP and expects a licence.
The point of the regime is a single rulebook. Instead of registering separately in each country, a firm applies once to a national competent authority (NCA) and gains rights that reach across the whole bloc. That is a real shift from the old model, where a Lithuanian registration meant nothing in France.
Which services does CASP authorisation cover?
CASP authorisation covers a defined list of crypto-asset services, and a firm is licensed only for the ones it applies for. MiCA names them explicitly. They include custody and administration of crypto-assets on behalf of clients, operating a trading platform, exchanging crypto-assets for funds or for other crypto-assets, executing orders, placing crypto-assets, receiving and transmitting orders, providing advice, portfolio management, and providing transfer services.
You do not have to offer all of them. A custody-only wallet business and a full exchange sit under the same regime but carry different obligations. Scope drives almost everything downstream — your capital tier, your governance load, and how hard the assessment gets.
What must a firm evidence to be authorised?
An applicant must show the NCA that it can run the service safely, lawfully and with enough capital behind it. The application is a package, not a form. Regulators want to see substance, not intent.
The core pillars are:
- Prudential capital. MiCA sets minimum own-funds tiers keyed to the services provided. A firm offering higher-risk services, like operating a platform or custody, sits in a higher tier. The figure isn’t one flat number, and it scales with what you actually do.
- AML/CFT function. You need a working anti-money-laundering framework — a named compliance officer, customer due diligence, transaction monitoring, and sanctions screening. The EU Transfer of Funds Regulation (the Travel Rule) applies to crypto transfers, so your systems have to capture and pass originator and beneficiary data.
- Governance and fit-and-proper. Directors and key function holders must be suitable, and the firm needs clear internal control, conflict-of-interest handling, and a management body that can be held to account.
- ICT and operational resilience. DORA (Regulation (EU) 2022/2554) applies to CASPs. That means documented ICT risk management, incident reporting, resilience testing, and control over third-party tech providers.
Segregation of client assets, complaints handling, and a credible wind-down plan round out the file. Gaps here are the usual reason an application stalls.
How does a national competent authority assess the application?
The NCA reviews whether the firm meets MiCA’s standards before it grants authorisation, and it runs to a structured timeline. Once an application is complete, the authority checks it against the prudential, AML, governance and operational requirements above. It can ask for more information, and the clock can pause while you answer. Assessment depth varies by the services requested and the quality of the submission — a thin file gets more questions.
Expect scrutiny of the people, the money and the systems. Regulators are not just reading policies; they want evidence the policies work.
How does passporting work across the EU?
Passporting lets an authorised CASP provide its services in other member states without a fresh licence. After your home NCA authorises you, it notifies the host-state authorities and ESMA, and you can then operate cross-border. This is the commercial payoff of MiCA: one authorisation, EU-wide reach. It also means your home regulator’s standard travels with you, so where you apply matters.
The trade-off is that you carry your home-state supervision everywhere. Choosing an NCA on process speed alone, without weighing its supervisory style, is a common and costly mistake.