Home Business
67

How to Get a Crypto License in Europe: Requirements, Costs, and Timeline

On/Off-RampRegulationComplianceApplicationWhite Label
By Konstantin Vasilenko
Updated:
How to Get a Crypto License in Europe: Requirements, Costs, and Timeline
Key Takeaways

  • MiCA creates a single crypto licensing framework across all 27 EU member states. One CASP authorization in any EU country passports across the entire bloc.
  • The statutory review period is 25 working days, but realistic timelines run from 6 to 18 months depending on jurisdiction and application quality.
  • Minimum own funds requirements start at €50,000 and reach €150,000 under MiCA, with additional capital tied to assets under custody.
  • Jurisdiction choice matters. Some national regulators move faster, have more crypto-specific expertise, and are more accessible to new applicants than others.
  • Incomplete applications are the single biggest cause of delays. Regulators do not fix gaps for you. They suspend the clock and wait.
  • Getting licensed is not the end of the process. Annual audits, ongoing reporting, and DORA compliance obligations begin the day authorization is granted.

Getting a crypto license in Europe is complicated. Not complicated in a mysterious way, but demanding in a very specific one. MiCA set a high bar for who can operate in the EU, and most of that difficulty lands before you ever submit. How well you prepare the application is what decides whether you wait six months or eighteen.

The prize at the end is real. One approval covers 450 million people across all 27 EU member states. But an application that gets rejected, or approved with conditions that box the business in, can cost a year of runway. This guide covers what the process actually involves, what it costs, how long it takes, and what separates applications that sail through from those that stall.

What Is a Crypto License in Europe and Why Do You Need One?

A crypto license in Europe is authorization from a national financial regulator to offer crypto-asset services to EU clients. Under MiCA, that authorization is called a CASP licence. If your business provides exchange, custody, payment, or portfolio management services involving crypto to EU clients, you need one.

Before MiCA, the European licensing was a mess. Every EU country ran its own regime. Getting authorized in Germany gave you nothing in Spain. Each market meant a new application, a new regulator, a new set of rules. But that changed in December 2024. Now a single CASP licence from any EU national regulator covers all 27 member states. One application, one regulator for the whole market.

That is the commercial reason to go through the process. The legal reason is more blunt. Operating without a licence while serving EU clients is a violation. Regulators can fine you up to 15% of your total annual turnover and ban you from operating. And beyond the formal risk, unlicensed businesses are getting cut off from banking. Also, regulated financial institutions will not work with you if your platform cannot show regulatory standing. The business case and the legal case both point the same way.

What Are the Core Requirements for a MiCA CASP License?

To get approved as a CASP, you need to pass six separate checks. None of them is optional, and none of them makes up for gaps in the others. The regulator looks at each one on its own terms.

  • A legal entity in the EU. Your business needs to be properly incorporated in an EU member state. A branch of a non-EU company will not work. You need a real, functioning entity in the country where you apply.
  • Fit and proper management. Every director, senior manager, and person in a key role gets assessed individually. The regulator looks at experience, qualifications, any criminal history, and prior regulatory issues. One person who fails this check can block an otherwise complete application. That is why you run this assessment internally before submission, not during it.
  • Minimum capital. How much you need depends on what services you offer. Platforms providing custody or exchange services must hold at least €125,000 in own funds. Narrower service models may qualify for lower thresholds of €50,000 or €75,000. On top of the base figure, you hold additional capital based on the volume of assets under custody. These are minimums. Regulators expect you to hold more.
  • An AML and KYC program. You need a fully documented, risk-based AML program in place before you submit. That means written policies, transaction monitoring procedures, a customer risk rating methodology, and evidence that your staff has been trained on all of it. Regulators have seen thousands of generic templates. If your policy is not built around how your business actually operates, it gets flagged.
  • IT security and operational resilience. You need to show that your technology meets the standards expected of a financial services business. Penetration testing records, incident response procedures, business continuity planning. From January 2025, DORA requirements added more specificity to what regulators want to see here, so this area has only gotten more demanding.
  • Internal governance. A compliance function, a risk management framework, documented internal controls, and a clear structure showing who is accountable for what. For smaller businesses, this does not mean a large team. But it has to be real. A governance framework that lives only in a document and has never been applied will not survive review.

Getting all six of these right before submitting is the single most reliable predictor of a smooth application. Most delays and rejections come back to one of these areas being underprepared.

Which EU Jurisdictions Can You Apply In?

Because the CASP licence covers the whole EU, where you apply does not limit where you operate. What it determines is which regulator you deal with during the application and for all ongoing supervision afterwards. That makes this a real decision worth thinking through carefully, not just an administrative one.

A few things are worth weighing:

  • How well does the regulator know crypto? Some national regulators have been handling crypto applications for years and have specialist teams for it. Others are newer to it. A regulator with real crypto experience asks sharper questions, moves with more confidence, and is a better long-term counterpart.
  • How busy are they? A regulator with a smaller pipeline may process your application faster than one dealing with hundreds of submissions, even if the statutory timelines look the same on paper.
  • What does it cost to set up there? Incorporating and maintaining a legal entity varies a lot across EU countries. If you are setting up an EU entity specifically for licensing purposes, this matters to the budget.
  • Do they require the local language? Some regulators want applications in the national language. Others work in English throughout. For international teams, that has a direct effect on preparation time and professional services costs.
  • Do you already have infrastructure there? If you have banking, legal, or operational presence in a particular EU country, applying there reduces friction both during the process and in the ongoing relationship.

Latvia has become an active licensing jurisdiction. The Bank of Latvia handles MiCA CASP applications and has a clear track record with international crypto businesses. Lithuania, Ireland, and the Netherlands are also well-established options with regulators that have real crypto licensing experience.

One thing that does not change by jurisdiction: the requirements themselves. MiCA is a European regulation, and every national regulator applies the same rulebook.

What Does the CASP Application Process Look Like Step by Step?

The MiCA application process has a defined structure. How smooth it feels in practice depends almost entirely on how prepared you are when you enter.

  • Pre-application meeting. Most regulators offer a meeting before you submit formally. Use it. You can confirm their specific expectations on points that matter to your business, surface any concerns early, and start building a working relationship before the clock starts. Going in cold is not required and is rarely a good idea.
  • Setting up the entity. Your EU legal entity needs to be incorporated and operational before or during the application. This is not something you sort out after approval. The regulator is authorizing a specific legal entity. That entity needs to exist, have a local bank account, and show genuine activity in the jurisdiction.
  • Building the application package. This is where most of the time and money goes. The application covers your full governance structure, background checks and biographical information for all key people, your AML program documentation, your IT security setup, your capital position, and your internal controls. Everything needs to be ready before you submit. What arrives incomplete does not get fixed by the regulator. It gets sent back.
  • Formal submission. You submit through the regulator’s official process along with the application fee. The regulator then checks whether your application is complete before starting the formal review clock.
  • Completeness check. The regulator confirms that all required elements are present. If anything is missing, they ask for it. The clock pauses and does not run again until the response is accepted. This is where underprepared applications lose months.
  • The review itself. Once the application is accepted as complete, the regulator does the full assessment. Follow-up questions during this phase are normal. Respond promptly and fully. Slow responses add time and say something about how the ongoing relationship will go.
  • The decision. The regulator approves, approves with conditions, or refuses. A conditional approval sets out what you need to do before or after the licence is operational. A refusal comes with written reasons, and you have the right to appeal. In most cases, fixing the issues and reapplying is faster and cheaper than the appeals process.

How Much Does a Crypto License in Europe Cost?

Most discussions about cost start with the application fee and stop there. That number barely scratches the surface.

  • Application fees sit between €5,000 and €25,000 depending on the jurisdiction and the scope of services you are applying to offer. That is the smallest line item.
  • Legal and advisory costs are where the real spend is. A solid CASP application needs experienced regulatory lawyers, compliance consultants, and often a specialist IT security reviewer. For a first-time applicant, total professional services typically run between €80,000 and €250,000, depending on how complex your business model is and how much of the compliance infrastructure needs to be built from scratch.
  • Setting up and running the EU entity covers incorporation, a registered office, local bank accounts, and a nominal local management presence. Depending on the jurisdiction, annual maintenance adds €15,000 to €40,000 per year.
  • The minimum capital of €125,000 for most exchange and custody businesses must sit in the entity’s accounts. That money is tied up. It is not available for operations.
  • Ongoing compliance costs start from day one of authorization. Annual audits, transaction monitoring software, Travel Rule infrastructure, and the compliance function itself all feed into the annual operating cost from the first year.

Add it all together, and the realistic first-year cost for a new applicant building the infrastructure and establishing the EU entity sits between €300,000 and €600,000. Businesses with existing compliance setups and experienced teams land at the lower end. Greenfield applicants without prior regulatory experience tend toward the higher end.

How Long Does It Take to Get a Crypto License in Europe?

MiCA gives the regulator 25 working days to decide once they accept your application as complete. That number is accurate. It is also not a useful planning figure on its own.

Preparation alone takes most businesses three to six months. If you have a mature AML program and experienced management already in place, you can compress this. If you are building the compliance infrastructure while writing the application at the same time, budget toward the longer end.

After submission, the completeness check can add weeks if anything needs to be supplemented. The review period itself involves follow-up questions in almost every case. Each exchange adds time depending on how quickly you respond.

In practice, from starting preparation to holding authorization, most businesses should plan for six to twelve months. Applications with complex business models, or those that run into completeness issues, regularly stretch to eighteen months.

The two most effective ways to shorten the timeline are preparation quality and jurisdiction selection. Applications that arrive complete and well-built move faster at every stage. Regulators with smaller pipelines and strong crypto expertise tend to process applications more predictably.

What Are the Most Common Reasons Applications Get Rejected or Delayed?

Most applications that fail or stall do so for reasons that were visible before submission. These are not surprises. They are the result of specific preparation gaps that could have been caught and fixed in advance.

  • Incomplete documentation. The most common cause of delay by far. The regulator issues a completeness check, pauses the clock, and waits. An application with missing AML policies or vague IT security documentation can sit for months while you pull the missing pieces together.
  • A key person who fails the fit and proper check. One director or senior manager with a disqualifying criminal record, a prior regulatory sanction, or insufficient relevant experience can block the whole application. Run this check internally before you submit, not after.
  • A generic AML program. Regulators reviewing applications can tell immediately if an AML policy is a template rather than a document built for the specific business. If your customer risk methodology does not reflect how your business actually operates, it will be challenged.
  • Capital that is not yet in the entity. The minimum own funds must be in the entity’s accounts and verifiable at the time of submission. Applying before the capital is there wastes everyone’s time and results in a straightforward rejection.
  • Governance that only exists on paper. The regulator will probe whether your governance actually functions. If the compliance officer has no real authority, if the board has not held any meetings, or if the risk framework has never been applied, that becomes clear during review.
  • Thin IT security documentation. Describing your technology stack is not the same as documenting a security architecture. Regulators want to see penetration testing records, incident response plans that have actually been tested, and evidence that you have genuinely assessed your operational risks.

What Ongoing Obligations Come After Authorization?

Authorization is not the finish line. It is where the obligations of running a licensed financial business in the EU begin in full.

Annual audits are required from year one. External auditors review your financial statements, your AML program, and the adequacy of your internal controls. Material findings go to the board and, in some cases, to the regulator directly. The compliance infrastructure you built to get the licence needs to be good enough to pass that scrutiny every year.

Regulatory reporting runs continuously. Most regulators require periodic submissions covering transaction volumes, incident reports, and business changes. The frequency varies by jurisdiction, but the obligation to report does not.

Major changes to the business trigger notification requirements. A new service line, a change in senior management, a significant technology change, or an ownership transfer all need to be reported within defined timeframes. Running material changes without notification is a licence condition breach.

DORA applies from January 2025 to all CASPs. The Digital Operational Resilience Act sets specific requirements around IT risk management, third-party vendor oversight, and incident reporting. Significant IT-related incidents must be reported to the regulator within strict timeframes, and your IT risk framework needs to be reviewed and updated on an ongoing basis.

The bottom line is this: the compliance function you built to get the licence becomes the infrastructure for staying licensed. It is not a one-time build. It is how the business runs. For a full breakdown of what those ongoing obligations look like in practice, the crypto exchange regulations guide covers each requirement in detail.

How Does Paybis Support Licensed and Pre-Licensed Businesses?

Two types of businesses typically reach out to Paybis for infrastructure support. The first is going through the licensing process and needs a regulated partner in the meantime. The second has decided that direct licensing is not the right path and wants to offer crypto capabilities through a regulated partner instead.

Paybis covers both. The MiCA CASP licence and the Payment Institution (PI) licence under PSD2, both issued by the Bank of Latvia in May 2026, sit alongside FinCEN MSB registration in the US, FINTRAC registration in Canada, VASP registration in Poland, and FCA authorization in the UK. These are the credentials you put in front of your own regulators and auditors when they ask about counterparty due diligence.

For businesses that want to embed crypto buy, sell, or swap functionality for their end customers, the Paybis on/off-ramp is a white-label, browser-based integration that requires no SDK installation. It is available inside mobile apps as well as on the web. Paybis handles the KYC flows on the integration side, which means your licensing process does not have to pause your business.

For institutional and corporate clients needing direct access to crypto and fiat liquidity at scale, the Paybis Corporate On/Off Ramp supports transactions up to $5M, covers 25 fiat currencies across 140+ countries, and includes bank rails such as SEPA and SWIFT. Paybis handles all compliance on this product including KYB, AML, and transaction monitoring.

For businesses that need to send crypto to multiple recipients globally, Paybis Send handles global crypto payouts for businesses.

The on/off-ramp guide for businesses covers how integration works in practice. For the context behind the Paybis licensing process, the EU licensing announcement is worth reading alongside this guide. The Paybis MiCA content hub covers ongoing developments and what they mean for platform operators.

Bottom Line

Getting a crypto license in Europe means passing six distinct regulatory checks. You need to choose the right jurisdiction and submit an application thorough enough that the regulator has nothing to send back. The process costs more and takes longer than most first-time applicants expect. And the obligations do not end at authorization. They begin there. If you want to move quickly or skip the licensing overhead entirely, partnering with a MiCA-authorized provider is a legitimate and compliant path. If you’re building toward your own regulatory standing, knowing the full picture before starting is the most reliable way to get through it.

FAQ

Do I need a separate licence for each EU country I operate in?

No. A CASP licence from any EU national regulator covers all 27 member states and the broader EEA. You apply once to one regulator in one country. Once authorized, you notify the regulator of which other member states you plan to serve, and they handle the notification to those regulators. You do not repeat the application in each country. Before MiCA, you had to. That changed in December 2024.

Can a non-EU company apply for a crypto license in Europe?

Not directly. MiCA requires the applicant to be a legal entity incorporated in an EU member state. A non-EU parent company needs to set up a subsidiary in the EU before applying. That entity needs genuine substance in the jurisdiction: a real office, local management, and actual operational activity. Shell entities with no real presence are not accepted. The EU entity is the licence holder and gets supervised on an ongoing basis.

What is the difference between a MiCA CASP licence and a VASP registration?

A VASP registration is an AML-focused notification that your business exists and commits to anti-money laundering rules. A MiCA CASP licence is a full financial services authorization. The regulator reviews your governance, capital, management, AML program, IT security, and operational resilience before granting it. VASP registrations are being replaced by MiCA across the EU. The practical difference is significant: a licensed CASP has been examined and approved. A registered VASP has simply confirmed it exists.

What happens to my existing EU registration once MiCA is fully in force?

Businesses that held national VASP or crypto registrations before MiCA applied were given a transition window to convert to full CASP authorization. The length of that window varied by country. Once it expires in your jurisdiction, operating on the old registration becomes illegal. If you have not converted yet, treat this as an immediate priority, not something to address at the next planning cycle.

Is it worth getting a crypto licence if I can just partner with a licensed provider?

It depends on what you are trying to build. Partnering with a licensed provider works well when crypto is a feature rather than the core product, or when volumes do not yet justify the cost of licensing. Getting your own licence makes sense when you want direct regulatory standing, plan to expand your own regulated offering, or have a business model that a partnership structure cannot replicate. The two paths are not mutually exclusive. Many businesses run on a licensed partner while their own application is in progress, then operate independently once they are authorized.

Disclaimer: Don’t invest unless you’re prepared to lose all the money you invest. This is a high‑risk investment and you should not expect to be protected if something goes wrong. Take 2 mins to learn more at: https://go.payb.is/FCA-Info

Written by

Post author
Konstantin Vasilenko
Konstantins is a blockchain and digital payments executive with over 20 years of IT experience. He co-founded Paybis in 2014, helping build it into a global crypto platform serving users across 180+ countries. He brings deep technical and business expertise to Paybis' growth and partnership strategy. He is also a co-founder of the Latvian Blockchain Association and is a regular speaker at major industry events, where he represents Paybis' vision of making crypto accessible and useful for both individuals and businesses worldwide.