What Is a CASP?

A Crypto-Asset Service Provider, or CASP, is any firm that provides one or more of the ten regulated crypto-asset services defined under Article 3(1)(16) of the EU's Markets in Crypto-Assets Regulation (MiCA). As of 30 December 2024, any firm providing these services to EU residents must hold a CASP authorisation from a national competent authority (NCA) in an EU member state, or operate under a time-limited transitional provision.

The CASP framework is MiCA's equivalent of the MiFID authorisation for traditional financial instruments. It creates a single, passportable licence that grants access to the entire EU single market, replacing the patchwork of inconsistent national crypto registrations that preceded it. A CASP authorised in Belgium, Malta, or Lithuania can serve clients across all 27 EU member states without additional local approvals.

For token projects, the CASP status of your market maker, exchange, and custodian has become one of the most important due diligence criteria in the post-MiCA era. Working with an unlicensed service provider on regulated EU venues creates operational risk that can disrupt your token's European liquidity at short notice.

Official Source CASP authorisation requirements are set out in Title V of MiCA (Articles 59–76). ESMA maintains the public register of all authorised CASPs across EU member states. Source: ESMA — Markets in Crypto-Assets Regulation (MiCA) ↗

The 10 Regulated Crypto-Asset Services

MiCA defines ten specific activities that constitute crypto-asset services under Article 3(1)(16). Any firm providing even one of these services to EU clients must be CASP-authorised. A firm's authorisation specifies exactly which services it is licensed to provide — licences are not generic.

  • Custody and administration of crypto-assets on behalf of clients
  • Operation of a trading platform for crypto-assets
  • Exchange of crypto-assets for fiat currency
  • Exchange of crypto-assets for other crypto-assets
  • Execution of orders for crypto-assets on behalf of clients
  • Reception and transmission of orders for crypto-assets on behalf of clients
  • Providing advice on crypto-assets
  • Portfolio management of crypto-assets on behalf of clients
  • Placing of crypto-assets with or without a firm commitment basis
  • Providing transfer services for crypto-assets on behalf of clients

Market making falls under services 4 and 5, as well as potentially service 2 depending on how the firm quotes. This is why any market maker operating on EU-regulated venues is captured by the CASP requirement — there is no carve-out for proprietary liquidity providers quoting two-sided prices on third-party platforms.

Capital Requirements: Three Tiers

MiCA Article 62(3) sets minimum own funds requirements tied directly to the services a CASP is authorised to provide. Three tiers apply, each covering a defined set of services. Firms must maintain the applicable minimum at all times, not only at the point of authorisation, and must additionally hold own funds of at least one quarter of their fixed overheads from the prior year, whichever figure is higher.

Where a firm is authorised for services across multiple tiers, the highest applicable requirement governs. A firm providing both advisory services and exchange services, for example, is subject to the €150,000 Class 3 minimum, not €50,000.

Tier Minimum Own Funds Services Covered
Class 1 €50,000 Reception and transmission of orders on behalf of clients; providing advice on crypto-assets; transfer services for crypto-assets on behalf of clients
Class 2 €125,000 Execution of orders on behalf of clients; placing of crypto-assets (with or without firm commitment); portfolio management of crypto-assets on behalf of clients
Class 3 €150,000 Exchange of crypto-assets for fiat currency; exchange of crypto-assets for other crypto-assets; operation of a trading platform; custody and administration of crypto-assets on behalf of clients

For market makers, the practically relevant tier is Class 3. Market making involves exchange of crypto-assets for other crypto-assets (service 4) and execution of orders (service 5), which together span both Class 2 and Class 3, placing the governing requirement at €150,000. Firms that additionally provide custody or operate a trading platform remain at Class 3. For a full breakdown of how these requirements reshape CEX liquidity agreements, see our MiCA market making guide →

Important Clarification The capital tiers are not cumulative classes to be "progressed through" — they are service-linked thresholds. A firm applying only for advisory and transfer services applies at Class 1. A firm applying for exchange services applies at Class 3 regardless of whether it also wants to provide advice. Always verify the specific services a firm is authorised for, as the CASP register lists permitted services alongside licence status.

The Authorisation Process

CASP authorisation requires a formal application to the national competent authority (NCA) of the firm's chosen EU home member state. The application is substantive — regulators treat it as a full prudential and operational review, not a registration formality.

1

Choose Your Home Member State

Select an EU member state as your regulatory home. This NCA will grant authorisation and remain your primary supervisor. Passporting then allows EU-wide operations without additional licences. Choice of jurisdiction affects the speed, cost, and style of the regulatory review.

2

Prepare the Application Package

The application must include: a programme of operations and business plan; governance structure and senior management fitness/propriety files; internal control and risk management framework; AML/CFT policies including Travel Rule compliance; ICT and cybersecurity plan (aligned with DORA); business continuity and disaster recovery plan; outsourcing arrangements; draft client agreements and disclosures; and conflict of interest policies.

3

Completeness Review (25 Working Days)

The NCA has 25 working days from receipt to assess whether the application is complete. If it is not, the NCA will request missing information and the clock restarts. Firms should expect several rounds of clarification on complex applications.

4

Substantive Review and Decision (~40 Working Days)

Once the file is complete, the NCA has approximately 40 working days to reach a decision. In practice, for complex multi-service applications, the full process from submission to authorisation typically takes four to six months, depending on the NCA and the quality of the application.

5

Passporting Notification

Once authorised, the CASP notifies its home NCA of the services it intends to provide in each target member state and the date it plans to begin. ESMA publishes authorised CASPs in its public register. The ESMA CASP Register (CSV) ↗ is updated weekly.

EU Passporting: One Licence, 27 Markets

The passporting mechanism is one of MiCA's most commercially significant features. A CASP authorised in any EU member state can provide its licensed services across all 27 member states without applying for additional local approvals. This replaces a previous reality where firms needed separate registrations in each country they wished to operate in.

With CASP Licence

Full EU Market Access

Operate legally on regulated venues across all 27 member states. Notify home NCA of target states, specify services, and begin. Single ongoing supervisor. No additional licence fees per country.

Without CASP Licence

Restricted to Non-EU Venues

Cannot provide services on regulated EU venues. May face removal from exchanges enforcing CASP requirements. Ineligible for EU client access as transitional periods expire. Risk of NCA enforcement action.

To passport, the authorised CASP submits to its home NCA: the list of services to be provided cross-border, the list of target EU member states, and the intended start date. The home NCA notifies the NCAs of each target state. The CASP can begin operating in target states within a defined notification period, without waiting for approval from the host state NCA.

Ongoing Obligations After Authorisation

CASP authorisation is not a one-time event. It carries a continuous set of prudential, conduct, and operational obligations that apply for the duration of the licence. Failure to maintain compliance can result in licence suspension or withdrawal by the home NCA.

  • Capital maintenance: minimum own funds must be maintained at all times, not just at the point of authorisation
  • DORA compliance: from 17 January 2025, all EU-regulated financial entities, including authorised CASPs, are subject to the Digital Operational Resilience Act, covering ICT risk, incident reporting, and third-party technology risk management
  • AML/KYC obligations: CASPs must implement continuous customer due diligence, transaction monitoring, sanctions screening, and suspicious activity reporting to the home member state FIU under AMLD5/AMLD6
  • Travel Rule compliance: transfer services must transmit originator and beneficiary information alongside crypto-asset transactions above applicable thresholds
  • Conflict of interest management: documented policies for identifying and managing situations where the firm's proprietary activity conflicts with client interests
  • Best execution: firms executing orders on behalf of clients must document how they achieve best execution including order routing and execution criteria
  • Client asset safeguarding: client crypto-assets must be segregated from firm assets and held with appropriate custodial controls
  • Record-keeping: transaction records and client communications retained for a minimum of five years, accessible to the NCA on request
  • Regulatory reporting: ongoing reporting to the home NCA on capital levels, significant incidents, material changes to the business, and any circumstances that may affect the licence

Which Firms Are Exempt?

MiCA contains a number of exemptions from the full CASP authorisation requirement, most relevant to firms already regulated under existing EU financial legislation.

Entity Type MiCA Treatment Condition
MiFID investment firms May provide certain CASP services via notification, not full authorisation Services must fall within MiFID scope equivalents
Credit institutions Exempt from CASP authorisation for certain services under Article 60 Must notify NCA and comply with MiCA conduct rules
Genuinely decentralised protocols Outside MiCA scope where no identifiable central operator exists ESMA monitoring ongoing; scope subject to future guidance
Transitional regime firms May continue operating under national law provisions until 1 July 2026 Must have been registered under national law before 30 December 2024
Transitional Deadline: 1 July 2026 Firms operating under transitional national provisions must obtain CASP authorisation or cease providing regulated services by 1 July 2026, or earlier if their application is granted or refused before that date. This deadline is firm and applies across all EU member states regardless of when their specific transitional window opened.

What This Means for Token Projects

Token projects seeking liquidity on EU exchanges are not CASPs themselves unless they provide regulated services. However, every service provider in your ecosystem, your market maker, your listing exchange, your custodian, needs to be CASP-authorised if they serve you on EU-regulated venues.

The practical due diligence checklist for any token project operating in or targeting Europe:

  • Market maker: confirm CASP authorisation status and that market making (exchange of crypto-assets, execution of orders) is listed among their licensed services. See how leading firms compare in our 2026 market maker ranking →
  • Listing exchange: confirm the venue holds CASP authorisation for operation of a trading platform, and whether it enforces CASP requirements on admitted market makers
  • Custodian: confirm CASP authorisation for custody and administration of crypto-assets on behalf of clients
  • Verify directly: check the ESMA CASP Register (CSV) ↗, updated weekly, or request a copy of the authorisation letter from the firm's home NCA

Frequently Asked Questions

Does a CASP licence cover all EU member states automatically?
Not automatically, but through a simple notification process. Once authorised, the CASP notifies its home NCA of the states it wishes to passport into and the services it will provide there. The home NCA then notifies the host state NCAs. The CASP can begin operating in target states within the notification period without requiring approval from each host state regulator.
Can a firm operate in the EU with just an application pending?
Only under the transitional regime. Firms that were registered under national crypto law in an EU member state before 30 December 2024 may continue operating in that member state until 1 July 2026 or until their CASP application is decided, whichever comes first. This transitional right is specific to the member state where the national registration was held and does not grant the full EU passporting rights of an authorised CASP.
How long does CASP authorisation take in practice?
The regulation sets a 25-working-day completeness review followed by approximately 40 working days for a decision. In practice, most complex applications, especially those covering multiple service types, take four to six months from submission to authorisation. Some member state NCAs are processing applications faster than others. Malta, Lithuania, and the Czech Republic have emerged as faster jurisdictions; Belgium and France tend to apply more detailed scrutiny with correspondingly longer timelines.
What is the difference between a CASP licence and a MiFID authorisation?
A MiFID authorisation covers investment services in relation to traditional financial instruments, such as shares and bonds. A CASP authorisation covers the same categories of services but applied to crypto-assets. Some services overlap in structure (custody, portfolio management, order execution), but they are legally distinct licences covering different asset classes. Firms already holding MiFID authorisation can provide certain equivalent CASP services via notification rather than a separate application, but only where the service type maps directly to their existing MiFID permissions.
Does DORA apply to CASPs?
Yes. DORA, the Digital Operational Resilience Act, applies to all entities regulated under EU financial services law, including authorised CASPs, from 17 January 2025. CASPs must implement ICT risk management frameworks, establish incident classification and reporting procedures, conduct regular operational resilience testing, and manage third-party ICT provider risk. DORA compliance is assessed as part of the ongoing supervisory relationship with the home NCA, not as a separate registration.
Can a token project itself become a CASP?
A token project is not a CASP simply by virtue of issuing tokens. Token issuance is covered by the white paper and disclosure provisions of MiCA Titles II, III, and IV. A token project would only need CASP authorisation if it also provides one or more of the ten regulated services, for example if it operates a trading platform, provides custody, or manages client portfolios. Most token projects that only issue and do not provide services fall outside CASP scope, though they may have other MiCA obligations depending on their token classification.