Ireland CBI CASP Practitioner Guide: How the Central Bank Reviews

Why Ireland is the strict end of the EU spectrum

Ireland has positioned its CASP regime in line with its broader regulatory style. The Central Bank of Ireland (CBI) supervises retail banks, investment firms, and insurance undertakings under European frameworks designed for systemically-relevant institutions — and applies the same governance, fitness-and-probity, and risk-management discipline to non-bank firms that fall under its remit. CASPs sit in that wider supervisory practice.

The legal foundation is straightforward. MiCA itself (Regulation (EU) 2023/1114) is directly applicable in Ireland, and the European Union (Markets in Crypto-Assets) Regulation 2024 (SI 607/2024) designates the Central Bank as the National Competent Authority and provides the domestic mechanics — supervisory powers, penalties, transitional measures. There is no separate Irish CASP statute.

Ireland chose a 12-month transitional period under MiCA’s MiCA rule — until 29 December 2025 — rather than the 18-month default. Existing VASPs who held a Central Bank registration before 30 December 2024 had a shorter window to file a MiCA-shape application than counterparts in Estonia, France, or Czech Republic, all of which used the full 18 months.

What does the CBI actually expect from an applicant?

CBI guidance, published in December 2024 alongside its Q4 2024 opening of formal applications, sets out four principles that CASP applicants should plan around:

1. The CBI is highly sceptical of retail-speculative business models. Specifically, CASPs whose primary business is marketing unbacked crypto-assets to retail investors for speculative purposes attract more intensive review. This does not preclude authorisation — it means the application needs to address consumer protection, marketing communications, and target-market identification with genuine depth.

2. Firm failure risk cannot be eliminated. The CBI is not promising bullet-proof authorisations; it is promising authorisations whose risk profile has been understood and disclosed. Applicants who present a risk-free narrative about their business model lose credibility with reviewers. Honest risk articulation matters.

3. Applicants must be fully transparent about their activities. Marketing materials, white papers (where applicable), affiliated entities, group structure, ownership chains, and intended client base must all be disclosed in the application file. Surface-level disclosure is treated as a deficiency.

4. Existing crypto-services providers must demonstrate they meet all new MiCA requirements. Continuity of prior registration is not a substitute for fresh demonstration of compliance. Documentary sets prepared under the prior CBI VASP register need to be re-engineered for MiCA, not merely uplifted.

How does the CBI authorisation timeline actually work?

The statutory clock is set out in MiCA’s statutory authorisation clock:

• 25 working days for the completeness check (the statutory authorisation clock)
• 40 working days for the substantive assessment (the statutory authorisation clock)
• The 40-day clock cannot formally be paused by information requests under the statutory authorisation clock

In CBI practice, the published expectation is 3-6 months for a clean file with high-quality documentation. That is broadly consistent with the statutory clock plus normal supervisory dialogue and document iteration. Files that arrive without the depth CBI expects can take materially longer — supervisory dialogue extends through the completeness phase, which is where most of the calibration happens.

The practical implication: front-load the documentation effort. Filing a thin file in the hope of iterating during review is a worse strategy than spending another month preparing and filing once. The CBI’s ‘Authorisations Report’ publications spell out the expectations in concrete terms; reading them before preparation begins materially improves outcomes.

What does the substance test look like in practice?

The CBI substance expectation has three operational components:

1. Crypto-competent local executive and board. The senior management of the Irish CASP must be Irish-resident in operationally meaningful terms (not nominees, not weekend-only), and must demonstrate substantive crypto-asset and Irish-regulatory knowledge in fitness-and-probity interviews.

2. Substance and autonomy. The Irish entity must operate as a real firm — staff, leases, IT systems — not as a shell coordinated from a non-EU parent. Where the Irish CASP is part of a global group, the CBI asks for a documented allocation of decision-making authority that gives the Irish entity meaningful autonomy over its regulated activities.

3. Governance comparable to a regulated financial institution. The the governance arrangements governance package — board composition, conflict-of-interest registers, three-lines-of-defence integration, internal-audit charter — should look more like a credit-institution or investment-firm package than a tech-company governance file. This is where global firms used to lighter-touch jurisdictions struggle most.

How does Ireland compare to other strict-end EU jurisdictions?

The strict end of the EU CASP spectrum in 2026 contains Ireland (CBI), Germany (BaFin), Netherlands (DNB), and Estonia (FSA). The four are not interchangeable:

• Ireland (CBI) — strongest emphasis on retail-conduct scepticism, banking-grade governance package, crypto-competence requirement for senior management. Slowest to authorise on average. Strongest reputation for downstream UK and US counterparty access.

• Germany (BaFin) — strong on prudential discipline, similar governance expectations, particularly strict on AML and ICT. The single largest market in the EU. Application fees and counsel costs are the highest.

• Netherlands (DNB) — strict on integrity of senior management and on consumer protection. Shorter transitional window (chose 6 months) suggested fast filing; supervisory practice at the strict end.

• Estonia (FSA) — strict on substance specifically, less explicitly on retail-conduct scepticism. Cheaper to set up than Ireland, faster to authorise. Strong reputation among EU mid-sized jurisdictions.

For applicants choosing among these, the differentiator is usually what reputation matters downstream. Ireland is the natural choice for firms anchoring EU operations to UK/US institutional counterparty access. Germany for the largest single domestic market. Netherlands for pan-EU consumer-facing distribution. Estonia for cost-effective entry into a top-tier reputation jurisdiction.

Working with counsel on a CBI file

The diagnostic for Irish counsel: ask how the firm’s typical CBI file is structured, and whether counsel has processed Q4 2024 to mid-2026 CBI applications. Counsel that gives generic answers — “we comply with applicable requirements” — is often working at the volume that does not generate deep operational knowledge. Counsel that can describe specific CBI feedback patterns on specific application sections has the calibration that matters at the strict end of the spectrum.

The firms in our index with documented Ireland CASP track record are listed below.