Building a board memo around MiCA compliance? The first question is always the same: what does a CASP license actually cost? The regulatory minimum is €125,000 in own funds. That number isn’t the answer. It’s the deposit.
The real figure for a typical EU crypto business runs between €300,000 and €700,000 in year one, before a single user transaction. Years two and beyond add €150,000–€250,000 annually just to hold the license. Most founders and CFOs who work through the line items end up choosing a different path. What follows is the full breakdown: what each item is, where it comes from, and how the totals shift by service class.
Two Routes to MiCA Compliance#
The CASP license is one way to offer crypto-asset services to EU clients. Not the only way. A high-level comparison:
|
Apply for own CASP |
Plug into licensed partner |
|
|---|---|---|
|
Upfront capital |
€125K–€150K locked as own funds |
No upfront capital |
|
Year 1 total cost |
€300K–€700K |
Volume-based fee |
|
Time to market |
12–24 months |
1-week integration |
The rest of this article is the detail behind the left column.
Capital Requirements by Service Class#
MiCA Article 67 sets minimum own funds by service type. Three classes exist, and a firm’s required capital is determined by the highest class it operates in.
Class 1 — Advisory and order transmission. Minimum own funds: €50,000. This covers providing advice on crypto-assets and receiving and transmitting client orders to other CASPs for execution. No exchange function, no custody. A crypto advisory firm or signal service might land here, but most commercial products won’t.
Class 2 — Exchange and order execution. Capital floor: €125,000. Adds exchange against fiat and other crypto-assets, execution of client orders, and placing. Most trading-facing businesses land here: spot exchanges, OTC desks, crypto-to-fiat ramps.
Class 3 — Custody. Capital floor: €150,000. Adds custody and administration of crypto-assets on behalf of clients. Any firm holding client private keys, running a custodial wallet, or letting users keep a balance on-platform is providing custody. Most full-product crypto companies are Class 3 whether or not they planned it.
The class floor is not the effective capital requirement in most cases. Under Article 67(1)(b), own funds must equal the higher of the class floor and one quarter of the preceding year’s fixed overhead. A Class 2 firm with €600,000 in annual overhead needs to hold €150,000, regardless of which services it runs. The overhead-based calculation overtakes the class floor as the business scales, without any change to the product.
One cost that rarely appears in fee schedules: opportunity cost of the locked capital. €150,000 in a segregated own-funds account earns nothing and can’t be redeployed. For an early-stage operator watching runway, that’s money permanently unavailable for product development, hiring, or customer acquisition.
The Legal and Advisory Bill#
Getting a CASP application through a national competent authority without specialist legal support isn’t realistic. The application documentation runs to several hundred pages: Programme of Operations, governance structure, AML/CFT programme, ICT risk framework, capital evidence, a three-year business plan, fit-and-proper dossiers for each key function holder, and client-facing policy documents.
Legal advisory fees for a complete application package run €40,000–€100,000. That range reflects real jurisdictional variation. Lithuania’s Bank of Lithuania has a well-documented regulatory framework and predictable processing; a clean Class 2 application there anchors the low end. A Class 3 application to BaFin in Germany is a different project entirely: the application file typically exceeds 200 pages before first feedback, processing takes twelve to twenty-four months, and supplemental information requests are routine.
Germany is an outlier. Total advisory costs for a BaFin application, including legal preparation, responses to NCA feedback rounds, and compliance consulting through to authorization, regularly run €80,000–€200,000. Lithuania and the Netherlands sit meaningfully lower.
Legal costs are sunk from the moment the advisor begins drafting. NCA rejections don’t come with refunds. Budget for the top of the range if the application involves a complex business model, multi-jurisdiction operations, or anything DeFi-adjacent.
Most operators at this stage read how ItisPay solves this without your own license rather than absorbing a €40K–€100K advisory spend on an uncertain 12–24 month authorization process.
Compliance Personnel: The Fixed Cost That Never Goes Away#
Two roles are mandatory under MiCA: a Chief Compliance Officer and a Money Laundering Reporting Officer. In most EU member states, these are separate named individuals, both on payroll, both with direct board access, both cleared on fit-and-proper before the application goes in.
The CCO requires relevant financial services credentials, a clean regulatory record, and EEA residency. Base salary for that profile in an EU jurisdiction runs €80,000–€120,000 per year. The role can’t be delegated to outside counsel or shared with a revenue function. The CCO has to be a CASP employee, operational before submission.
The MLRO sits alongside the CCO as a distinct position in most jurisdictions. The MLRO needs documented authority to file Suspicious Activity Reports independently, without routing through operations or commercial leadership. Salary for a standalone EU-resident MLRO position runs €70,000–€110,000 annually.
Neither role ends at authorization. NCAs expect both individuals to remain in post after the license is granted, with evidence of active involvement in annual supervisory interactions. They’re recurring line items with no natural sunset.
Article 68 adds a third person requirement: at least one EEA-resident executive director who genuinely lives and works in the authorization jurisdiction. For a founder relocating, that cost is absorbed. For a business hiring externally, it adds another compensation line.
ICT and DORA: Building the Technical Foundation#
From January 17, 2025, MiCA-regulated CASPs fall under DORA, the Digital Operational Resilience Act. MiCA requires an ICT security framework as a condition of authorization. DORA specifies what’s in it.
Building a DORA-compliant ICT framework from scratch, operational before the NCA submission, runs €30,000–€80,000. That covers gap assessment against DORA’s five pillars, ICT risk management policy development, business continuity and disaster recovery planning with annual test documentation, a third-party vendor registry with contractual due diligence for cloud providers and key tech suppliers, and incident classification and reporting procedures.
For “significant” CASPs above NCA-defined size thresholds, DORA Articles 24–27 require Threat-Led Penetration Testing on a three-year cycle, conducted by approved external providers. First TLPT engagement runs €30,000–€80,000. Smaller CASPs typically avoid TLPT in year one but need to plan for it in year three.
NCAs want operational evidence, not documentation. Firms that arrive with policy templates and no test records or incident logs get rejected in the first formal review round.
Most crypto businesses already run infrastructure that creates DORA exposure. Cloud providers, SaaS KYC tools, third-party custody technology — each one needs a documented vendor risk assessment, contractual audit rights, and a written exit strategy. Retrofitting this to an existing tech stack costs time beyond the initial framework build. Teams that run legal prep and DORA build in parallel save months on the overall timeline.
External Audit, Supervisory Fees, and the Year 2 Run-Rate#
Authorization doesn’t end the regulatory spend. It locks it in permanently.
Annual external audit is a hard requirement. Independent audits of financial statements and compliance frameworks run €20,000–€50,000 per year for a newly authorized small-to-mid CASP.
Supervisory fees vary by NCA. Germany’s fees for mid-sized CASPs can reach €50,000–€100,000 annually. Lithuania and smaller jurisdictions charge significantly less; the Bank of Lithuania’s fees for smaller operators run in the low thousands per year.
Ongoing compliance tooling adds another layer. Travel Rule compliance software, blockchain transaction monitoring, and KYC/KYB infrastructure together cost €20,000–€60,000+ annually, depending on volumes and vendor choices.
A compliance legal retainer for ongoing regulatory correspondence, supervisory interactions, and policy maintenance runs €15,000–€40,000 per year.
Add it up: CCO and MLRO salaries, audit, supervisory fees, and basic compliance tooling lands at €150,000–€250,000 annually for a lean licensed CASP. That’s before any product development or commercial activity.
For teams without the appetite for a year-one outlay and an open-ended recurrence, see the software-layer alternative to applying.
Year 1 Summary: What the Ledger Actually Shows#
Line items for a Class 3 CASP authorization in the Netherlands or Lithuania:
|
Line item |
Cost range |
|---|---|
|
Minimum regulatory own funds (Class 3) |
€150,000 (locked) |
|
Legal advisory — application preparation |
€40,000–€100,000 |
|
Chief Compliance Officer — year 1 salary |
€80,000–€120,000 |
|
MLRO — year 1 salary |
€70,000–€110,000 |
|
ICT & DORA framework setup |
€30,000–€80,000 |
|
External audit |
€20,000–€50,000 |
|
NCA supervisory fees (year 1) |
€5,000–€30,000 |
|
Office, director, substance costs |
€20,000–€50,000 |
|
Year 1 total (capital + opex) |
€415,000–€690,000 |
The minimum scenario — Lithuania, Class 3, lean team, clean file — lands around €300,000 excluding locked capital. Including capital: €415,000 at the low end. A BaFin application in Germany adds €50,000–€100,000 in additional legal costs and stretches the timeline by twelve or more months.
Year 2 drops the one-off items (legal advisory, ICT setup) but retains personnel, audit, fees, and tooling at €150,000–€250,000 per year. The three-year total cost of ownership for a German CASP application, including capital, typically exceeds €1,000,000.
These figures exclude product development, banking relationships, and the opportunity cost of €150,000 sitting in a segregated account generating no return.
The Decision the Numbers Drive#
Run the totals and the use case becomes clear. €300,000–€700,000 in year one, then €150,000–€250,000 every year after that, with 12–24 months before the first authorized transaction. That’s a reasonable investment for a well-capitalized exchange or custodian that’s building a long-term institutional EU franchise and has the people and runway to carry an 18-month pre-revenue period.
It’s the wrong trade for a product company trying to move in 2026. The compliance overhead alone exceeds most seed-stage operating budgets.
If building your own compliance stack isn’t the right move right now, plug into a licensed CASP + PI partner instead — that’s exactly what itispay.com/mica is built for.
This article is for informational purposes only and does not constitute legal or regulatory advice. Verify with qualified counsel before acting.
