How long does MiCA CASP authorisation take?

MiCA CASP authorisation timelines vary between 6 and 18 months depending on the national competent authority (NCA). Under MiCA Article 60, NCAs have 25 business days to acknowledge receipt and 3 months to reach a decision from a complete application. However, incomplete applications are returned, and NCA processing capacity varies significantly across member states.

Which jurisdiction is best for MiCA CASP authorisation?

There is no single best jurisdiction. The optimal choice depends on processing capacity, local transitional regime, business model fit, language requirements, and whether the firm has local substance. German BaFin, Dutch AFM, Irish CBI, and Luxembourg CSSF are commonly considered. Some NCAs have published faster processing timelines but require greater local substance.

What does a MiCA white paper need to contain?

A MiCA white paper must contain the mandatory content set out in MiCA Articles 5, 19, or 51 depending on the token type, and comply with the ESMA regulatory technical standards (RTS) on white paper content published in Q4 2024. It must include a liability statement, right of withdrawal provisions for retail purchasers (14 days under Article 14), and be notified to the home state NCA before publication.

What are the prudential requirements for MiCA CASPs?

Under MiCA Article 67, CASPs must hold minimum own funds of €50,000, €125,000, or €150,000 depending on the type of crypto-asset service provided. CASPs providing the widest range of services must hold €150,000. These are minimum floors, NCAs may require higher amounts based on business model risk.

MiCA CASP Licensing: Jurisdiction Selection, NCA Timelines and What the Application Actually Requires, Arca Compliance

The MiCA Landscape in 2026

The Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114) has been fully in force since 30 December 2024. Crypto-asset service providers offering any of the ten regulated services to clients in the EU must be authorised, or operating under a transitional arrangement, by their home state national competent authority (NCA).

The picture in early 2026 is uneven. Several NCAs are processing efficiently and have published authorisation decisions. Others are working through significant backlogs. Some member states' transitional periods have already expired; others extend into late 2026. The practical consequence is that the jurisdiction decision is now as commercially significant as the quality of the application itself.

What we are seeing

Firms that selected their MiCA jurisdiction based on geographic proximity or existing corporate structure, rather than on NCA processing capacity and local requirements, are now facing 12–18 month waits. In some cases, the wait is longer than the firm's operational runway. Jurisdiction selection needs to happen earlier, and it needs to be based on current data, not assumptions.

Jurisdiction Selection, The Decision That Shapes Everything

Under MiCA Article 60, a CASP must be authorised in its home member state, defined as the member state where it has its registered office, or where it provides the most significant portion of its services. Once authorised, it may passport services across the EEA via simple notification. The home state authorisation decision is therefore the critical one.

What to assess when selecting jurisdiction

NCA processing capacity and current timelines, the single most important variable. Some NCAs received far more applications than anticipated and are working through queues. Published timelines often reflect aspiration, not current reality.
Transitional period status, member states were permitted to grant transitional periods of up to 18 months from December 2024. Some have expired; others run to mid-2026. If you are already operating in an EU member state, the transitional status in that jurisdiction affects your timeline significantly.
Local substance requirements, some NCAs require demonstrable local substance: physical presence, local senior managers, or locally incorporated entities. The level of substance required varies and is not always published clearly.
NCA supervisory culture, some authorities take a more principles-based approach to application review; others are highly prescriptive. Neither is inherently better, but understanding the style allows you to calibrate the application accordingly.
Language requirements, some NCAs require applications in local language. Machine-translated applications are typically identifiable and not treated favourably.
Business model fit, certain NCAs have greater familiarity with specific business models (e.g. custody-heavy structures, DeFi-adjacent services). A regulator that understands the model will process more efficiently and ask more targeted questions.

A note on reverse shopping

ESMA has issued guidance discouraging jurisdiction selection driven solely by regulatory arbitrage, choosing the NCA perceived as least demanding. NCAs now coordinate more closely on application standards, and an application that passes muster in a lenient jurisdiction may still be scrutinised by host state NCAs when passporting. The quality of the authorisation matters as much as obtaining it.

NCA Processing, What the Timelines Actually Look Like

MiCA Article 60 sets a formal timeline: NCAs have 25 business days to acknowledge receipt of a complete application and must reach a decision within 3 calendar months. In practice, the clock does not start until the NCA deems the application complete, and requests for additional information stop the clock entirely.

Jurisdiction	NCA	Reported Timeline	Substance Requirement	Notes
Germany	BaFin	6–10 months	High	Strong track record on crypto licensing. Prescriptive application process. Local senior managers expected.
Netherlands	AFM	8–14 months	Medium–High	Detailed review process. AFM has been active in MiCA guidance. DNB handles AML separately.
Ireland	CBI	10–18 months	Medium	High volume of applications from English-language preference. Queue has extended timelines.
Luxembourg	CSSF	8–12 months	Medium	English accepted. CSSF has financial services experience. Some efficiency for fund-adjacent structures.
France	AMF	8–14 months	Medium	French language required. AMF ran the voluntary PSAN regime pre-MiCA, experienced but backlogged.
Lithuania	Lietuvos Bankas	6–10 months	Low–Medium	Historically faster processing. English accepted. Popular pre-MiCA for EMI licensing.
Malta	MFSA	8–16 months	Medium	Pre-MiCA crypto licensing experience (VFA regime). Transitioning firms may have advantage.

Timelines are indicative and subject to change based on NCA capacity and application quality. Verify current timelines before selecting jurisdiction.

Confirming the Scope of Your CASP Authorisation

MiCA Article 3 defines ten crypto-asset services requiring authorisation. The permission set you apply for must match your actual business model precisely, over-application triggers additional scrutiny; under-application risks operating outside scope post-authorisation.

The ten services are: custody and administration; operation of a trading platform; exchange of crypto-assets for funds; exchange of crypto-assets for other crypto-assets; execution of orders on behalf of clients; placement of crypto-assets; reception and transmission of orders; providing advice; portfolio management; and provision of transfer services. Many CASP business models touch more than one, each triggers its own specific organisational and capital requirements.

Common scoping error

Firms providing staking services often underestimate their MiCA scope. Depending on whether the staking arrangement involves the CASP taking custody of assets, pooling, or exercising discretion, it may engage custody, portfolio management, or reception and transmission. Each must be separately assessed against the MiCA Article 3 definitions, not assumed to be captured by a general "digital asset services" description.

White Paper Requirements, What MiCA Actually Mandates

For CASPs that also issue crypto-assets, the white paper is a mandatory pre-market document. Its content requirements differ by token type: Article 5 governs other crypto-assets; Article 19 governs asset-referenced tokens (ARTs); Article 51 governs e-money tokens (EMTs). ESMA published final regulatory technical standards (RTS) on white paper content in Q4 2024, these are now the operative standard.

What every white paper must contain

A detailed description of the issuer, the crypto-asset, and the rights and obligations attached to it
Technology and protocol description, including smart contract audits where applicable
Risk factors, specific and not generic; boilerplate risk factors have been criticised by NCAs
Liability statement, the issuer takes legal responsibility for the white paper content
Right of withdrawal, retail purchasers have 14 days from purchase to withdraw under MiCA Article 14, and this must be reflected in the white paper and offering terms
The financial information required by ESMA RTS, including reserve assets for ARTs

Notification before publication

White papers must be notified to the home state NCA at least 20 working days before publication. For ARTs and EMTs, NCA approval is required, not just notification. The white paper cannot be published or marketed until the notification or approval process is complete. This timeline is frequently underestimated in product launch planning.

Prudential Requirements, Capital Minimums and What They Actually Mean

MiCA Article 67 sets minimum own funds requirements for CASPs. The minimums are €50,000, €125,000, or €150,000 depending on the services provided. CASPs providing the broadest range of services must hold at least €150,000. These are regulatory floors, NCAs may require higher amounts based on a risk-based assessment of the specific business model.

Own funds under MiCA must be held in specific forms: paid-up capital, retained earnings, or specific reserve instruments. They must be maintained on an ongoing basis, not just at point of authorisation. Firms must model their ongoing capital requirements against projected business volumes and ensure that, under stress scenarios, minimum own funds remain satisfied.

The capital trap

A number of applicants have modelled their prudential requirements against the minimum threshold only, without stress-testing the ongoing position. An NCA reviewing a three-year financial projection that shows the firm operating at or near the minimum own funds floor throughout the projection period will treat this as a capital adequacy concern, not just a number to satisfy.

Insurance as an alternative

MiCA Article 67(3) permits CASPs to hold a professional indemnity insurance policy as an alternative or supplement to own funds, subject to NCA acceptance. The insurance must be appropriate to the risks of the specific services provided and meet the coverage requirements in ESMA RTS. Not all NCAs have taken a consistent view on this and the position should be verified in the target jurisdiction before relying on it.

AML Requirements Under MiCA and AMLD6

MiCA incorporates AML/CTF obligations for CASPs by reference to the EU's broader AML framework. CASPs are obliged entities under AMLD5 and the forthcoming EU AML Package (AMLA Regulation and AMLD6). The EU AML Package, expected to be fully transposed by member states by 2026, extends mandatory CDD requirements, expands predicate offences, and introduces criminal liability for legal persons for AML failures.

For CASP applicants, the AML programme must be built and documented before authorisation, not after. The NCA will review the AML/KYC framework as part of the application, a credible AML programme covering customer risk assessment, CDD/EDD procedures, transaction monitoring (including on-chain analytics), MLRo designation, and staff training is a prerequisite, not a post-authorisation deliverable.

The EU Transfer of Funds Regulation, No De Minimis

The EU Transfer of Funds Regulation (TFR, Regulation 2023/1113) extended the Travel Rule to all crypto-asset transfers on 30 December 2024. Unlike the UK regime, which applies a £1,000 threshold for fiat transfers, the EU TFR has no de minimis threshold for crypto-asset transfers. Every crypto-asset transfer, regardless of value, must be accompanied by originator and beneficiary information.

What this requires operationally

Originator information transmitted with every crypto-asset transfer, name, account details, and address
Beneficiary information collected and verified before transfers are processed
VASP counterparty verification, confirming that the counterparty VASP is itself subject to AML/CFT obligations
Unhosted wallet due diligence, where transfers involve wallets not held at a regulated VASP, enhanced due diligence is required for transfers above €1,000
Sunrise issue management, protocols for handling transfers to or from jurisdictions where the Travel Rule is not yet implemented

ESMA and EBA guidance

ESMA and EBA have published joint guidelines on the Travel Rule under MiCA, clarifying expectations on VASP verification procedures, unhosted wallet risk assessment, and the treatment of self-hosted wallets used for business purposes. These guidelines are part of the application assessment, NCAs will ask how the firm has implemented them.

Passporting, Serving Clients Across the EEA

Once authorised in the home member state, a CASP may provide services across the EEA by notifying its home state NCA, which then informs the host state NCA. Under MiCA Article 85, the home NCA must transmit the notification within 15 business days of receipt. The CASP may begin providing services in the host state once the notification has been transmitted.

Passporting does not eliminate host state obligations. Host state NCAs retain supervisory powers in respect of conduct and consumer protection within their jurisdiction. A CASP operating in multiple member states via passport must monitor regulatory developments in each host state, conduct rules can differ from those of the home state on certain matters.

Third-country access, the reverse solicitation trap

CASPs established outside the EU may serve EU clients only where the client has exclusively initiated the contact on their own initiative, known as reverse solicitation. Active marketing, advertising, or digital targeting of EU clients triggers the MiCA perimeter regardless of where the CASP is incorporated. ESMA has taken a narrow view of reverse solicitation, the burden of demonstrating it is on the CASP, and the defence does not survive any form of proactive outreach.

Timeline Planning, What a Realistic Schedule Looks Like

Working from the application readiness stage, a realistic timeline for a well-prepared MiCA CASP application in a mid-tier jurisdiction is 9–14 months from submission to authorisation decision. Add 2–4 months for application preparation, and the total journey from commencing preparation to authorised operation is typically 12–18 months.

The preparation milestones that cannot be compressed

Jurisdiction selection and local substance design, 4–6 weeks; cannot begin application build without confirming the target NCA
Corporate structure and management body, confirming local directors, completing fit and proper documentation for each management body member
AML/KYC programme documentation, BWRA, CDD/EDD procedures, TM calibration, Travel Rule framework; 6–10 weeks depending on starting position
White paper drafting and legal review, where applicable; must be complete before NCA notification, which must occur 20 working days before any marketing
Financial model and prudential assessment, 3-year projections with own funds stress testing; typically 2–3 weeks with financial modelling support
Policies and procedures suite, operational policies covering custody, client order handling, conflicts, complaints, and outsourcing

How Arca Compliance Can Help

Arca Compliance advises fintech and digital asset businesses through the MiCA CASP authorisation process, from jurisdiction selection and scope analysis through to AML programme build, white paper review coordination, and application management. We work alongside specialist EU cryptoasset legal counsel through our legal partner network where formal legal opinions are required.

We work on defined engagements with clear scope and deliverables. Engagements are taken by introduction. If you have a specific matter to discuss, the right next step is a direct introduction through Galore.club.