By July 1, 2026, every firm providing crypto-asset services in the EU must hold a MiCA CASP authorization. No exemptions, no extensions. How many operators will actually make it through is a different question.
Not many, based on current data. As of spring 2026, roughly 130–140 CASPs have received full MiCA authorization across all 27 EU member states. Hundreds of firms that were lawfully operating under pre-MiCA national VASP registrations are still waiting, or never filed at all. Italy held over 150 VASP registrations pre-MiCA; France had 104. Virtually none have converted.
The gap isn’t just a backlog. MiCA’s requirements were built for regulated financial entities, not crypto startups. A €5 billion exchange and a 10-person wallet product face identical capital, governance, and ICT demands. That symmetry is where most applications break down.
Three Service Classes, Three Capital Floors#
MiCA Article 67 ties capital requirements directly to services offered. Three classes exist, and a firm’s minimum own funds are set by whichever class it operates in:
Class 1 covers advisory services and reception and transmission of orders. Minimum own funds: €50,000. Narrow scope — no exchange function, no custody. Firms offering information or signal services land here.
Class 2 adds exchange against fiat and other crypto-assets, execution of client orders, and placing. Capital floor: €125,000. Spot trading platforms, OTC desks, and aggregators sit here.
Class 3 adds custody and administration of crypto-assets on behalf of clients. Capital floor: €150,000. Any firm holding client private keys, running a custodial wallet, or administering client positions is Class 3.
The numbers look modest. They aren’t, for two reasons.
The capital must be held as regulatory own funds — not working capital, not client deposits. It has to be segregated and available to the NCA on demand. For a seed-stage operator, locking €125K–€150K permanently is a real constraint.
Article 67(1)(b) also requires own funds equal to the higher of the class floor and one quarter of the preceding year’s fixed overhead. A firm with €600K in annual overhead needs €150K regardless of what services it runs. Scale the business and the overhead-based calculation overtakes the class floor with no change to the product.
Upgrading between classes isn’t a form update. A Class 2 firm adding custody needs a fresh Class 3 supervisory review. Services can’t be switched on mid-authorization.
Most crypto businesses building a full product — exchange plus custody — are Class 3 by default, whether or not custody is the revenue center. A firm that lets users hold a balance after a trade is providing custody. The €150,000 floor and the full Class 3 governance stack apply from day one.
Governance Isn’t a Checkbox — Article 68 Means Structure#
Capital is the entry price. Articles 68 through 71 determine whether the application actually gets through.
Article 68 requires the management body to have “sufficiently good repute” and “adequate knowledge, skills and experience” relative to the CASP’s complexity. NCAs want at least one EEA-resident executive director who actually lives and works in the EU. Flying in for board meetings doesn’t pass the substance test at the Bank of Lithuania, the AFM, or BaFin.
ESMA’s RTS under Article 68 require that core internal control functions have named owners, documented responsibility scopes, and verified structural independence. The three-lines-of-defence model is expected. A compliance function that reports to the COO, who also runs revenue and business development, fails the independence test at most NCAs. The CCO reports to the board, not to operations.
Every key function holder also gets a fit-and-proper assessment: CEO, CFO, Head of Compliance, MLRO. In many jurisdictions, Head of IT and Head of Custody too, if those roles touch regulated activity. Each person submits professional history, qualifications, and a criminal background check. If one individual fails, the whole application freezes until it’s resolved.
Articles 69 through 71 add: a complaints procedure with defined escalation paths and response timeframes; client communications standards covering clarity and transparency; and a written conflicts of interest policy with periodic board review.
The MLRO role gets its own rules. Most EU member states require it as a named, dedicated position — distinct from the CCO — with board access and documented authority to file Suspicious Activity Reports independently. Delegating that function to outside counsel on a retainer doesn’t pass. The MLRO has to be on payroll.
None of this is technically difficult to understand. Building it from scratch takes six months minimum, and the NCA will check that it actually functions, not just that policy documents exist.
Most operators at this stage read how ItisPay solves this without your own license rather than spending 12 months building a compliance organization before they know whether the NCA will approve it.
ICT and DORA: The Technical Layer Most Operators Underestimate#
From 17 January 2025, MiCA-regulated CASPs also fall under the Digital Operational Resilience Act (DORA). MiCA requires an ICT security framework as a condition of authorization. DORA specifies what’s inside it.
The DORA submission — filed as part of the MiCA application — must cover:
- An ICT risk management framework with written policies across identification, protection, detection, response, and recovery
- Incident detection, classification, and reporting procedures. Major ICT incidents go to the NCA within defined hours of detection
- A business continuity plan, tested annually
- A third-party ICT risk register for all material vendors and cloud providers, with a written exit strategy for each
- Incident response drills on a defined cycle
For “significant” CASPs above NCA-defined size thresholds, DORA Articles 24–27 require Threat-Led Penetration Testing every three years, using approved external providers. A first TLPT engagement — scoping, execution, remediation reporting — typically runs €30K–€80K.
Building a DORA-compliant ICT framework from scratch takes six to twelve months. The application doesn’t ask for a policy template; it asks for a live, operational structure. NCAs want test records and incident logs. Firms that arrive with documentation but no underlying operational evidence get rejected in the first formal review round.
Third-party risk requirements hit hard for crypto businesses running on cloud. Every material dependency — hosting providers, KYC vendors, blockchain data providers, custody technology suppliers — needs documented due diligence, contractual audit rights, and a written exit plan. A firm that can’t show a credible exit from AWS, Google Cloud, or Fireblocks won’t clear DORA’s concentration risk threshold.
Country by Country: Timelines Are Not Equal#
MiCA is EU-wide. Authorization happens nationally, and the spread across member states is significant.
Lithuania is the fastest. The Bank of Lithuania typically completes full CASP authorization in six months, sometimes less for clean files. Lithuania’s grandfathering period ended January 1, 2026. Any firm still operating on transitional status there is already exposed. For applications filed by February 2026 with complete documentation, Lithuania is the only jurisdiction that could theoretically deliver a license before July.
The Netherlands is the second hub. The AFM issued its first MiCA licenses on December 30, 2024, and had authorized 26 CASPs by early May 2026. Processing runs nine to twelve months. Substance requirements are strict: registered office, genuine local staff, real operational presence. Shell structures get flagged early.
BaFin is the most demanding. Processing takes twelve to twenty-four months. A complete BaFin application file typically exceeds 200 pages before the first feedback round. Germany leads with 53 authorized CASPs as of May 2026 — a figure that reflects its existing licensed financial sector, not an easy path for new entrants. Without real German operational substance, a BaFin application is a multi-year project.
France (AMF) and Italy (Banca d’Italia / Consob) run twelve to eighteen months. Malta (MFSA) published detailed MiCA rulebook guidance in March 2025 and positioned itself as fintech-friendly, though authorization volumes remain lower than the three larger markets.
For teams that haven’t filed, the math is simple: no jurisdiction delivers a CASP authorization before July 1, 2026 unless the application is already deep in NCA review. The window has closed everywhere except, marginally, Lithuania.
Poland: The Open Regulatory Gap#
Poland is a different situation. On December 1, 2025, President Karol Nawrocki vetoed the Act on the Crypto-Assets Market — the law Poland needed to implement MiCA’s CASP authorization process domestically.
The objections were specific. The president’s office flagged a provision allowing the KNF to block VASP websites unilaterally, and another letting KNF freeze crypto-asset accounts for up to 96 hours in insider trading cases, extendable to six months without prior judicial oversight.
The result: no competent authority in Poland currently accepts CASP applications. Firms operating under Poland’s pre-MiCA VASP registration are in legal limbo. MiCA’s direct applicability in Poland isn’t in question — the regulation carries force of law across all EU member states. Without a designated NCA and national procedural rules, though, there’s no file to submit.
As of May 2026, no revised bill has passed. Firms with Polish operations face a harder version of the July 1 problem than operators anywhere else in the EU. The available paths are re-legislation, re-authorization in another jurisdiction, or departure from the market.
The Real Blockers Behind the Numbers#
The capital floor is rarely what kills an application. The real problem is five requirements that arrive simultaneously, and none of them yield to workarounds.
The compliance officer can’t be shared. NCAs reject applications where the compliance function is combined with a revenue role or split across entities. A dedicated CCO with relevant EU credentials and EEA residency costs €80K–€120K per year minimum. Not a law firm retainer — a full-time employee on payroll from the day the application is filed.
The application package is not a form. A complete MiCA authorization file covers: governance policies and org chart, AML/CFT programme, DORA ICT framework, capital evidence and projections, a three-year business plan, fit-and-proper dossiers for each key function holder, client assets safeguarding policy, complaints procedure, conflicts of interest policy, and a MiCA-compliant whitepaper where applicable. Several hundred pages, typically. Most NCAs issue at least one supplemental information request, which pushes the review clock back by months.
The capital stays locked. Regulatory own funds must be maintained throughout the life of the authorization. For a startup that needs capital flexibility, the own funds requirement competes directly with runway.
Timelines aren’t binding. NCAs can extend review at their discretion. No jurisdiction provides a contractual processing deadline. A firm that built a product roadmap around a Q3 2026 launch can’t schedule around a license still in first-round review.
Supervision isn’t a one-time fee. Once live, annual supervisory fees, ongoing ICT testing, audit requirements, and compliance staff to maintain the posture run €150K–€250K per year. The first-year cost is the deposit, not the total.
For teams without the appetite for a €300K–€500K first year and an open-ended timeline, see the software-layer alternative to applying.
Three Paths After July 1, 2026#
For firms that won’t hold a CASP authorization by July 1, three operational paths exist.
Cease EU operations. Withdraw from EU-facing services until authorization comes through. The fully compliant option, and financially painful for any firm with an active EU user base or payment flows through European banking rails.
Operate under a licensed group entity. A parent or affiliate holding a CASP authorization in one EU member state can extend services across all member states through MiCA’s passporting mechanism. Real corporate restructuring is required — shared branding or technology isn’t enough. The licensed entity needs genuine economic substance. Passporting notifications must be filed with and accepted by both home and host NCAs. For groups that don’t already have an authorized entity, getting one means either acquiring it or building from scratch, which restarts the authorization queue entirely.
Access licensed infrastructure through a partner. Firms needing to offer exchange, transfer, or custody services to EU clients can route through a CASP and EU-licensed Payment Institution that already holds the relevant authorizations. The licensed partner carries the regulatory exposure. The client-facing product stays under the operator’s brand.
If building your own compliance stack isn’t the right move right now, plug into a licensed CASP + PI partner instead — that’s exactly what itispay.com/mica is built for.
This article is for informational purposes only and does not constitute legal or regulatory advice. Verify with qualified counsel before acting.
