MiCA Article 60 · Notification-only pathway
MiCA Article 60 — When EU Financial Firms Offer Crypto Without a CASP Licence
A credit institution that already holds a CRD/CRR banking licence does not file a fresh CASP authorisation when it wants to offer crypto custody or exchange to its banking clients. It files a notification under MiCA Article 60. The same applies to MiFID investment firms, EMIs, UCITS managers, and AIFMs — each can leverage its existing licence for a specified subset of crypto-asset services.
MiCA Article 60 is the provision that allows credit institutions, investment firms, electronic money institutions (EMIs), UCITS management companies, and alternative investment fund managers (AIFMs) already authorised under their respective sectoral EU regimes to provide specified crypto-asset services in the EU by filing a notification with their national competent authority at least 40 working days before service commencement, rather than going through a fresh CASP authorisation under MiCA Article 63.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | MiCA Article 60 (notification-only path) — distinct from Article 63 (full CASP authorisation) |
| Eligible entities | Credit institutions (CRR), MiFID investment firms, EMIs (EMD2), payment institutions (PSD2), UCITS managers, AIFMs, central securities depositories (CSDR) |
| Notification window | At least 40 working days before service commencement |
| Allowed services per entity type | Annex IV maps each existing-licence category to the crypto-asset services it can provide on notification — full list, custody, exchange, transfer, advisory, portfolio management |
| NCA assessment | Information notification, not authorisation — the NCA reviews completeness and may object during the 40-working-day window if the entity does not meet the conditions |
| Status | The entity is treated as a CASP for the notified services — same conduct rules (Articles 66-73), same prudential rules (Article 67), same supervision |
| Excluded entities | Insurance and reinsurance undertakings under Solvency II; institutions for occupational retirement provision (IORPs); central counterparties under EMIR |
The two-pathway design of MiCA authorisation
MiCA created two parallel entry points to crypto-asset services in the EU:
- Article 63 — full CASP authorisation. The default route. A new entity files a complete application with its NCA, goes through the five-month review, receives a CASP licence covering the specific services in its programme of operations.
- Article 60 — notification by an already-authorised financial firm. A streamlined route for entities that hold a sectoral EU financial-services licence already — banks under CRR, investment firms under MiFID, EMIs under EMD2, payment institutions under PSD2, UCITS managers, AIFMs, and central securities depositories.
The notification path recognises that these entities have already been through a substantive authorisation process. They have governance, risk management, compliance, internal audit, and a competent management body. Adding crypto-asset services to that framework does not require a second authorisation file from scratch.
What Article 60 actually saves
The path saves the application — not the compliance.
Once the notification is complete and the 40-working-day window has passed, the entity is treated as a CASP for the notified services. That means:
- MiCA Article 66’s conduct rules apply
- Article 67’s own-funds requirement applies — calculated on the same higher-of-two methodology (static floor or one-quarter of fixed overheads)
- Articles 68-73 on governance, conflicts of interest, outsourcing, complaints handling, custody, transfer services — all apply
- Articles 76-77 on marketing communications and consumer protection apply
- The AML rulebook applies
The supervisor that already oversees the entity continues to do so. A French bank notifying under Article 60 is supervised by the ACPR for the crypto-asset business — the same supervisor that already oversees its banking activity. There is no second supervisor introduced.
The Annex II mapping
MiCA Annex II maps which crypto-asset services each existing-licence category can provide under Article 60. The mapping reflects the substantive activity the existing licence authorises. A simplified view:
- Credit institutions — full set of crypto-asset services. A bank can custody, exchange, transfer, advise, manage portfolios, operate a trading platform.
- MiFID investment firms — the crypto-asset services that mirror the MiFID services they hold. A firm with the MiFID investment service “execution of orders on behalf of clients” can provide the crypto-asset service “execution of orders for crypto-assets on behalf of clients” via Article 60.
- EMIs — exchange of crypto-assets for funds, transfer of crypto-assets, custody (where it fits the EMD2 service set).
- UCITS managers and AIFMs — investment advice on crypto-assets, portfolio management of crypto-assets (limited to the services that fit collective-portfolio management).
A bank that wants to add a service the mapping does not cover for credit institutions — which in practice is rare given the breadth of credit-institution coverage — needs the Article 63 authorisation path.
The notification mechanics
Article 60 requires the entity to file a notification with its NCA at least 40 working days before commencing the service. The notification must include:
- A description of the crypto-asset services intended to be provided
- The expected commencement date
- A description of the governance and risk-management arrangements specific to the crypto-asset business
- The internal procedures for safeguarding client funds and client crypto-assets
- A description of the IT systems used for the crypto-asset business
- For custody services, the proof-of-reserves arrangements and segregation procedures
- AML/CFT policies and procedures specific to the crypto-asset business
The NCA reviews the notification for completeness and the entity’s eligibility. The NCA cannot block the notification on substantive grounds — Article 60 is an information regime, not an authorisation regime. But it can object on incompleteness, on the entity not meeting the conditions in Annex II for its licence type, or on a substantive governance concern that would justify supervisory action even outside the notification context.
In practice, NCAs use the window to engage with the entity — asking for additional governance detail, clarifying the boundary between the existing business and the crypto-asset business, sometimes requiring a separate internal audit charter. The 40-working-day floor often becomes a 60-80 calendar day reality.
When Article 60 is the right route
The notification path is the right route for:
- Established banks adding crypto custody as a service to existing private-banking clients
- MiFID firms layering crypto-asset trading on top of their existing execution venues
- EMIs adding crypto-asset transfer services to their existing payment business
- Asset managers offering portfolio management of crypto-assets to professional clients alongside traditional asset classes
It is the wrong route for:
- A non-financial corporate group setting up a new crypto-asset venture — they would need to acquire a financial-services licence first, which is heavier than going straight for Article 63
- A pure crypto exchange or wallet provider with no traditional financial-services footprint — Article 63 is faster
- An entity that wants to provide a crypto-asset service outside the Annex II mapping for its licence type — Article 63 is required
The supervisory landscape
ESMA’s Q&A on MiCA confirms that Article 60 entities sit on the same supervisory map as Article 63 CASPs for purposes of cross-border supervisory cooperation. Both classes appear in the ESMA-maintained register of CASPs. The host supervisors that receive Article 65 passport notifications for Article 60 entities engage with them on the same basis as fully-authorised CASPs.
The conceptual point — and it is one that several NCAs have emphasised in their first-year MiCA implementation papers — is that Article 60 is not a regulatory carve-out. It is a recognition that already-authorised entities have done the substantive work. The compliance lift to operate as a CASP applies regardless of which authorisation path got the entity there.
Pitfalls and nuances
1 Reading Article 60 as a substantive exemption
The most common misreading. Article 60 is a notification-only path through authorisation. Once notified, the entity is subject to MiCA's full substantive rulebook for the crypto-asset services it provides — conduct, prudential, AML, conflicts of interest, marketing, complaints handling. The notification path saves the application file, not the operating compliance.
2 Treating the 40-working-day window as the start of the operating clock
The clock counts working days, not calendar days, and starts from when the NCA confirms receipt of a complete notification. NCAs routinely come back with information requests during the window, which stops the clock. A realistic end-to-end estimate is 60-80 calendar days from first submission to operational start.
3 Assuming the home NCA's confirmation extends to host markets
Article 60 governs the relationship with the home NCA. To provide cross-border crypto-asset services into other EU member states, the entity still uses the Article 65 passport notification — the same mechanism a CASP authorised under Article 63 uses. The notification stack is two-layered for cross-border activity.
4 Ignoring the AML supervisor mapping
Article 60 leaves the AML/CFT supervisor map untouched. A bank notifying under Article 60 has its banking AML supervisor extend coverage to the crypto-asset business — the same supervisor, same engagement model. For investment firms and EMIs the same logic applies. The Article 60 path simplifies prudential authorisation, not AML supervisory engagement.
5 Underestimating governance fit for non-banking crypto services
A bank that has historically provided lending and deposit services has the governance maturity to add crypto custody to its existing risk-management framework. A UCITS manager moving into crypto-asset advisory needs a much larger framework upgrade — UCITS governance was not built for spot-crypto-asset operations. NCAs scrutinise the governance gap during the notification window.
Frequently asked questions
Can a bank offer crypto custody to its clients without a CASP licence?
Yes — under MiCA Article 60 a credit institution authorised under the CRR can offer the full set of crypto-asset services by filing a 40-working-day notification with its NCA, not a fresh CASP application.
Does Article 60 mean the bank skips MiCA's conduct rules?
No. The notification path covers authorisation, not substance. The bank is treated as a CASP and complies with MiCA's conduct, prudential, AML, and consumer-protection rules — Articles 66 through 84 apply.
What services can a MiFID investment firm provide under Article 60?
MiFID firms can passport into the crypto-asset services that mirror their existing investment-services authorisation — execution of orders, reception/transmission, portfolio management, investment advice, and operating a multilateral trading facility, mapped via Annex II of MiCA.
Is the Article 60 notification revocable?
The notification stands as long as the underlying sectoral licence remains in force. Loss of the banking, MiFID, or EMI licence terminates Article 60 service permission automatically. The CASP-equivalent obligations continue until termination.
Get matched
Working through a crypto-licensing decision?
Get an editorial shortlist of firms matched to your business — customer market, model, jurisdiction, and stage. Free, and not influenced by sponsorship.
Get a firm shortlist →Sources cited
- Regulation (EU) 2023/1114 (MiCA), Article 60 and Annex II — regulation
- ESMA Q&A on MiCA — interaction with sectoral regimes — regulator
- EBA Final Report — Guidelines on the assessment of crypto-asset services under MiCA Article 60 — regulator
- Linklaters Financial Regulation — MiCA Article 60 analysis — industry publication