MiCA Authorisation Checklist: The 2026 CASP Application Map

TL;DR — MiCA's CASP and stablecoin regimes have been in full application since 30 December 2024, and most Member States' transitional windows are closing through 2026. This is the practitioner authorisation checklist: governance, prudential, conduct, AML, custody, the white papers for ARTs and EMTs, and what to expect from NCAs in 2026.

Table of contents

• Where MiCA stands in 2026
• Who needs CASP authorisation
• Governance requirements
• Prudential requirements
• Conduct requirements
• AML and CTF
• Custody arrangements
• White papers for ARTs and EMTs
• Transitional arrangements
• Three supervisory signals from the first authorisation wave
• The 14-item MiCA authorisation checklist
• How leading firms automate this with Sedric
• FAQ

Where MiCA stands in 2026

Regulation (EU) 2023/1114 — the Markets in Crypto-Assets Regulation — entered into force in June 2023 and has been in staged application since:

• 30 June 2024 — Titles III (ARTs) and IV (EMTs).
• 30 December 2024 — full application, including Title V (CASPs) and the related conduct, market-abuse and supervisory titles.

Member States may have applied a national transitional regime for entities operating before 30 December 2024 under existing national crypto registrations. Article 143(3) sets an EU-level ceiling of 18 months from the application date (i.e., up to 1 July 2026), and Member States that opted in chose shorter periods. Through Q2 2026, those windows are closing one after another. The grandfathering question is no longer "do we have time?" but "is our application live and what is the NCA's queue position?"

NCAs have published their authorisation guidance — AMF in France, BaFin in Germany, CNMV in Spain, the Central Bank of Ireland, Malta's MFSA, Cyprus's CySEC, the Dutch AFM. Process and expectations vary at the margin; the substance of MiCA does not.

Who needs CASP authorisation

A Crypto-Asset Service Provider is any legal person (or other undertaking authorised to perform crypto-asset services under Article 59) whose business is the provision of one or more crypto-asset services as listed in Article 3(1)(16) and Annex I, Section C. The ten crypto-asset services are:

1. Custody and administration of crypto-assets on behalf of clients.
2. Operation of a trading platform for crypto-assets.
3. Exchange of crypto-assets for funds.
4. Exchange of crypto-assets for other crypto-assets.
5. Execution of orders for crypto-assets on behalf of clients.
6. Placing of crypto-assets.
7. Reception and transmission of orders for crypto-assets on behalf of clients.
8. Providing advice on crypto-assets.
9. Providing portfolio management on crypto-assets.
10. Providing transfer services for crypto-assets on behalf of clients.

Existing EU credit institutions and certain other regulated entities benefit from the notification regime in Article 60: they can provide specified crypto-asset services after notifying the NCA, without a full authorisation, provided they meet the relevant MiCA requirements applicable to those services.

For a non-credit-institution firm seeking authorisation, the application goes through Article 62 — content of the application — and the NCA decides within the timeframe set there (40 working days for completeness, then a substantive review).

Governance requirements

Article 68 sets the prudential and organisational requirements for CASPs. The governance backbone has three load-bearing elements.

Management body fit and proper

Article 68(1) requires the management body to be of sufficiently good repute and to possess collectively the appropriate knowledge, skills and experience. Each member is individually fit and proper. The application file includes a fit-and-proper questionnaire for each member; the NCA may interview.

For mid-sized firms this is where the first round of NCA questions tends to land. Build the file expecting that.

Qualifying holders

Article 68(2) requires any person holding 10% or more of the share capital or voting rights — directly or indirectly — to be of good repute. Article 83 covers acquisitions of qualifying holdings post-authorisation.

Organisational structure

Article 68(7) requires sound administrative arrangements, internal control mechanisms, effective risk-management procedures, and effective communication and reporting. The control functions (risk, compliance, internal audit) must be in place and proportionate to the firm's size and complexity. For larger firms, segregation between front-office and control functions is non-negotiable.

The control framework lands close to the prudential expectations under CRD/CRR for credit institutions; firms that already operate under MiFID II find this section less of a build, but it still needs to be MiCA-specific.

Prudential requirements

Article 67 sets the prudential requirements. CASPs must hold own funds at least equal to the higher of:

• The amount of permanent minimum capital set out in Annex IV, depending on the class of services (€50,000 for Class 1, €125,000 for Class 2, €150,000 for Class 3).
• One quarter of the previous year's fixed overheads.

Own funds can be partially substituted by an insurance policy or a comparable guarantee in accordance with Article 67(4) — the conditions are tight.

Article 75 covers business continuity and operational resilience requirements that, post-DORA, are read together with Regulation (EU) 2022/2554. CASPs are in DORA scope; the DORA implementation checklist applies on top of MiCA Title V.

Conduct requirements

Articles 66 to 82 set the conduct backbone. The pieces that matter most operationally:

Honest, fair and professional conduct (Article 66)

The general standard. Acts honestly, fairly and professionally in accordance with the best interests of clients. Familiar from MiFID II Article 24, with the crypto-specific tailoring.

Information to clients (Article 66(3))

Information provided to clients must be fair, clear and not misleading. This is the gateway into the marketing-communication rules (see our dedicated MiCA marketing communication rules piece). The information requirement is service-specific: custody disclosures differ from advice disclosures.

Conflicts of interest (Article 72)

Identify, prevent or manage, and disclose where management is not sufficient.

Outsourcing (Article 73)

CASPs that outsource operational functions must do so in line with Article 73's content requirements — which include sub-outsourcing notification, exit assistance, and cooperation with the NCA. Crypto-asset services to clients must continue to be available to clients to a standard at least equivalent to non-outsourced delivery.

Service-specific obligations (Articles 75 to 82)

Each crypto-asset service has its own article. Custody (Article 75), trading platform (Article 76), exchange (Article 77), execution (Article 78), placement (Article 79), reception and transmission (Article 80), advice and portfolio management (Article 81), transfer services (Article 82). Build the operational policies article-by-article rather than as a single master document — the NCA's reviewers will read them that way.

AML and CTF

MiCA does not displace the AML regime. CASPs remain in scope of the EU AML framework — Directive (EU) 2015/849 as amended, and the AML Regulation (EU) 2024/1624 and the AMLA Regulation (EU) 2024/1620 that came into force in 2024.

The Travel Rule for crypto-asset transfers — Regulation (EU) 2023/1113 — has been in application since 30 December 2024 and requires originator/beneficiary information for crypto-asset transfers regardless of amount, with verification thresholds and self-hosted-wallet detail set out in EBA guidelines.

The MiCA application file typically references the AML compliance officer, the business-wide risk assessment, the customer-due-diligence policies, the transaction-monitoring approach, the Travel Rule implementation, and the SAR/STR governance. NCAs increasingly want to see the AMLA-aligned methodology, even ahead of AMLA's full operational ramp.

Custody arrangements

Article 75 — and the related Title II provisions on the segregation of clients' crypto-assets and funds — is the operational heart of any custody-providing CASP. The bar is:

• Crypto-assets held on behalf of clients must be segregated from the firm's own assets at the level of distributed-ledger-technology positions where technically possible, and at the level of internal records always.
• A custody policy and a register of positions per client.
• Daily reconciliation.
• Insurance or own-funds buffer against the risk of loss.

The 2025 RTS and guidelines published by ESMA — under Article 75(7) and (8) — set the specifics on segregation, position record-keeping and the custody-agreement content. NCAs are reading these closely.

Operational resilience of the custody stack interlocks with DORA. The wallet infrastructure, the key-management system and the connectivity to settlement systems are typically classified as "critical or important functions" under DORA, with the corresponding third-party risk treatment.

White papers for ARTs and EMTs

MiCA's Title III governs Asset-Referenced Tokens (ARTs) — tokens that aim to maintain a stable value by referencing any value or right, or a combination thereof, including currencies. Title IV governs E-Money Tokens (EMTs) — tokens that aim to stabilise their value by referencing a single official currency.

Asset-Referenced Tokens (Article 16 et seq.)

To offer an ART to the public or seek admission to trading, the issuer must:

• Be a legal person established in the EU (or a credit institution).
• Be authorised by its NCA (Article 21).
• Publish an approved crypto-asset white paper with the content specified in Article 19 and Annex II.
• Maintain a reserve of assets fully backing the token, segregated from the issuer's own assets (Article 36).
• Have governance, conflicts-of-interest, conduct, redemption and complaints-handling arrangements per the Title III articles.

The white paper is the load-bearing disclosure document. It must include the issuer's identity and governance, the rights and obligations attached to the token, the underlying technology and risks, and information on the reserve of assets. NCAs review and approve.

Significant ARTs designated by the EBA under Article 43 are subject to enhanced own-funds, governance and liquidity requirements, and direct EBA supervision.

E-Money Tokens (Article 48 et seq.)

EMTs can only be issued by credit institutions or e-money institutions. Article 51 requires a white paper to be notified to the NCA at least 20 working days before publication (no NCA approval, but the NCA may object). Holders have a redemption right at par value at any time (Article 49).

Significant EMTs designated under Article 56 are similarly subject to enhanced requirements and direct EBA supervision.

The 2025 RTS and guidelines on the white-paper content, the reserve-of-assets composition, and the recovery and redemption plans bring the level of detail to where NCAs can hold issuers to the line. The first ART authorisations have been granted; the queue is moving.

Transitional arrangements

Article 143 sets the transitional regime. The two windows that matter in 2026:

Article 143(3) — national transitional regime for CASPs

Member States could allow entities operating under national crypto regimes before 30 December 2024 to continue providing crypto-asset services without MiCA authorisation, for a period the Member State sets, up to a maximum of 18 months from 30 December 2024 — i.e., to 1 July 2026.

Member States chose shorter periods. France set 18 months (the maximum). Germany set 12 months. Italy set 14 months. The Netherlands set 12 months. Several smaller Member States set 12 months. Check the local NCA's publication for the exact date.

What this means in May 2026: in many jurisdictions, the window is already closed, and the firms still operating are either authorised, in the middle of a substantive review, or winding down their EU business. Those still inside the window should not assume their NCA has slack capacity.

Article 143(6) — fast-track simplified procedure

NCAs could, before 30 December 2024, designate a simplified procedure for firms already authorised under MiFID II or another EU regime to receive CASP authorisation. Where this was offered, the route involved a reduced documentation set focused on the MiCA-specific elements not already covered by the existing authorisation. The route has been used by several investment firms and credit institutions.

ART and EMT transitional

Article 143(4) and (5) cover the ART and EMT side. ARTs issued before 30 June 2024 continue until 1 July 2026 unless the issuer obtains authorisation. EMT issuers had no transition: issuance had to comply from 30 June 2024.

Three supervisory signals from the first authorisation wave

• Governance and fit-and-proper are the slowest items. NCAs across the EU have flagged that fit-and-proper questionnaires and interviews are the most common cause of delay. Several large applicants restructured their boards during the review.
• Custody policies need more than a "we use a qualified custodian" line. NCAs have returned custody-policy drafts asking for the technical detail — multisig structure, key-ceremony evidence, sub-custody chain, insurance terms. Read the 2025 ESMA guidelines on custody before submitting.
• Marketing communications are reviewed as part of authorisation, not after. Several NCAs ask for representative marketing materials — websites, app screenshots, paid campaigns — as part of the application. See MiCA marketing communication rules for the operational detail.

The 14-item MiCA authorisation checklist

1. Scope of activity mapped against the Annex I, Section C service list.
2. Pre-application engagement with the chosen NCA documented.
3. Programme of operations and three-year financial plan finalised.
4. Management body fit-and-proper questionnaires and CVs compiled.
5. Qualifying-holder file complete, including indirect holdings up to ultimate beneficial owner.
6. Own-funds calculation per Article 67 with evidence.
7. Governance, risk, compliance and internal audit policies — service-by-service.
8. AML / CTF policies and Travel Rule implementation evidence.
9. Custody policy aligned to the 2025 ESMA technical standards (if custody is in scope).
10. ART or EMT white paper drafted, with reserve-of-assets evidence (if applicable).
11. DORA framework, including the ICT risk register and the Register of Information.
12. Outsourcing policy aligned to Article 73, with the DORA third-party risk overlay.
13. Marketing communications policy and a representative sample pack.
14. Transitional position confirmed in writing with the NCA.

How leading firms automate this with Sedric

MiCA authorisation packs are heavy. Even a focused application — say, custody and exchange for crypto-assets only — runs to hundreds of pages across the governance, prudential, conduct, AML, custody, outsourcing and operational-resilience policies. The risk is not effort. It is consistency. NCAs find their findings in the gaps between the AML policy and the custody policy, between the outsourcing policy and the DORA Register of Information, between the white paper and the marketing materials.

Sedric's compliance-dedicated LLM reads the full application file as a single corpus, flags inconsistencies between policies, and ties every clause to the underlying MiCA article, ESMA/EBA technical standard or NCA guidance. Marketing materials that contradict the white paper are surfaced before the NCA finds them. Overrides are logged with the reviewer's reasoning, so when the NCA's question lands six weeks later the decision rationale is on file.

For firms running marketing alongside authorisation — the great majority — our free Marketing Comms Audit accepts up to ten assets (website pages, app screens, social posts, paid creatives) and returns a scored report against the MiCA Article 7 / Article 53 / Article 66 marketing-communication rules, the underlying ESMA guidelines, and the most common NCA findings.

FAQ

When did MiCA enter full application?

30 December 2024 for Title V (CASPs) and the related titles. Titles III (ARTs) and IV (EMTs) applied from 30 June 2024.

Who can issue an EMT?

Only credit institutions or e-money institutions authorised under Directive 2009/110/EC.

Is the white paper for ARTs approved by the NCA?

Yes (Article 19). EMT white papers are notified (Article 51), not approved, but the NCA may object.

Do existing MiFID II investment firms need a separate CASP authorisation?

Investment firms can use the Article 60 notification regime for specified crypto-asset services. The notification is service-specific; not every service is available via Article 60.

Are CASPs in scope of DORA?

Yes. CASPs are listed in DORA Article 2. The full ICT risk, incident, testing and third-party regime applies. See the DORA implementation checklist.

What is the transitional window in my Member State?

Check your NCA's published implementation timetable. Article 143(3) caps the window at 18 months from 30 December 2024 — i.e., 1 July 2026 — but most Member States set shorter periods.

How do the AML obligations sit alongside MiCA?

CASPs remain in full AML scope. The Travel Rule (Regulation (EU) 2023/1113) applies from 30 December 2024. The AML Regulation (EU) 2024/1624 and AMLA come into operational reality through 2027.

Where to go next

The marketing side of CASP operations has its own dedicated rules — read MiCA marketing communication rules. Operational resilience under DORA applies to every CASP — start with the DORA implementation checklist and the DORA third party risk piece. UK-based readers running cross-border activity should also see our crypto financial promotion checklist for the FCA side of the line.

Closing CTA

If you are running paid acquisition, website copy or app messaging while finalising the authorisation file, get the marketing side checked before the NCA does. Upload up to ten assets to our free Marketing Comms Audit and we will return a scored report against MiCA's marketing-communication rules — Article 7 for ARTs, Article 53 for EMTs, Article 66 for CASPs — in 24 hours.