MiCA CASP Application Requirements 2026 — Documents Checklist
There is no mystery about what a MiCA CASP application contains. Article 62 lists it, and ESMA's authorisation RTS fills in the detail. The file is a defined pack — governance, capital, AML, ICT, custody, conduct, business continuity. What separates a six-month authorisation from a fifteen-month one is not knowing the list. It's the depth and internal consistency of what you put against each line.
MiCA CASP application requirements are the documentation and information a crypto-asset service provider must submit to its national competent authority to be authorised, set out in Article 62 of Regulation (EU) 2023/1114 and detailed in ESMA's regulatory technical standards. The pack covers the programme of operations, governance, capital, AML/CFT, ICT and security, custody and segregation, conflicts, and complaints handling.
Quick facts
| Parameter | Value |
|---|---|
| Governing provision | MiCA Article 62 (content of the application) + ESMA RTS on authorisation |
| Completeness window | NCA assesses completeness within 25 working days of receipt (Article 63) |
| Statutory decision clock | Five months from a complete file to decision, pausable for information requests |
| Core document count | Roughly 150–250 pages across a dozen-plus policy and procedure documents |
| Capital evidence | Own funds under Article 67 — class floor or one-quarter of fixed overheads, whichever is higher |
| Mandatory named roles | Fit-and-proper management body, compliance officer, and MLRO |
| Common stall point | Information-request rounds on AML, ICT/DORA, and governance depth |
What the MiCA CASP application requirements are
There’s a comforting fact about MiCA authorisation: the requirements aren’t secret. Article 62 of Regulation (EU) 2023/1114 lists what the application must contain, and ESMA’s regulatory technical standards spell out the detail. You can read the whole list before you spend a euro.
So if the list is public, why do timelines range from six to fifteen months? Because knowing the headings is the easy part. The difference between a fast authorisation and a slow one is the depth, the internal consistency, and the fit between the documents and the actual business. A file that names every required policy but describes a generic CASP gets sent back with questions. A file where each policy reflects how this operator really works moves.
This guide is the checklist — and the honest note on where each line tends to fail.
The Article 62 documentation pack
At a high level, the application has to cover the following. Each is a real document or a set of them, not a checkbox.
- Programme of operations — what services the firm will provide, to whom, how, and over what timeline. This anchors everything else; the NCA reads the rest against it.
- Governance arrangements — board composition, reporting lines, the three-lines-of-defence model, and how decisions get made and overseen.
- Identity and fit-and-proper of the management body and qualifying shareholders — who controls and runs the firm, with evidence they’re suitable.
- Internal control mechanisms — risk management, internal audit, compliance monitoring.
- AML/CFT procedures — the written programme: risk assessment, customer due diligence, enhanced due diligence, transaction monitoring, sanctions screening, suspicious-transaction reporting.
- ICT systems and security arrangements — including DORA-aligned ICT-risk management, incident handling, and third-party-risk provisions.
- Custody and segregation policy — for firms holding client crypto-assets, how client assets are safeguarded and kept separate, under Article 75.
- Conflicts-of-interest policy — identifying, preventing, managing, and disclosing conflicts.
- Complaints-handling procedure — how client complaints are received, logged, and resolved.
- Business continuity — how the firm keeps operating, and winds down in an orderly way if it has to.
- Prudential evidence — own funds under Article 67, the higher of the class floor or one-quarter of fixed overheads.
That’s roughly 150 to 250 pages once drafted properly. The page count isn’t the point. The coherence is.
Named roles you have to staff before you file
Three roles need real people, not placeholders, in the application.
The management body must be fit and proper, with the collective experience to run a regulated crypto firm. The compliance officer owns the conduct and ongoing-compliance programme. The MLRO owns AML/CFT and the relationship with the financial intelligence unit. Both function-holders need the right qualifications, direct board access, and — depending on the member state — local residency or substantive engagement.
NCAs scrutinise these appointments. Nominee or thinly engaged function-holders are a recurring reason for follow-up questions. If the people running compliance can’t credibly run it, the file stalls.
How the application is assessed — and where the clock really runs
The procedure under Article 63 has two phases that applicants routinely confuse.
First, completeness. The NCA has 25 working days from receipt to check the file contains all the required elements. Pass this and the file is complete — which is not the same as approved.
Then the five-month statutory clock starts. During it, the NCA assesses the substance and can issue information requests, each of which pauses the clock. This is where the real timeline variance lives. A clean, consistent file with two light information rounds lands near six months. A file with substance gaps and four heavy rounds drifts past a year.
The lesson: completeness is the start line, not the finish.
Where applications actually stall
Three areas generate most of the friction.
AML depth. Generic AML manuals that don’t reflect the firm’s products and customer base draw detailed questions. The NCA wants to see a risk assessment that maps to the real business.
ICT and DORA. The resilience evidence is heavy, and venture-stage tech operations often underbuild it. Incident classification, third-party-risk provisions, and a real ICT-risk-management framework are not optional.
Governance substance. Boards that look thin on financial-services experience, or ownership structures that obscure control, get probed. The NCA needs to be satisfied it can supervise the entity effectively.
None of these are about the document list. They’re about whether what’s in the documents holds up.
Practical takeaways
Three things to get right before you file.
Write to your actual operation. Every policy should describe how this firm works, not a generic CASP. Template packs are the surest route to information-request rounds.
Front-load AML, ICT, and governance. These are where files stall. Build them deep before you submit, not in response to the NCA’s questions.
Pre-engage the regulator. Pre-application meetings surface concerns early and shorten the information-request phase. Use the CASP cost calculator and the how-long guide to plan budget and runway around a realistic timeline.
Pitfalls and nuances
1. Submitting generic, off-the-shelf policies
The fastest way to trigger information-request rounds is a policy pack that reads like a template. NCAs assess whether the AML programme, the ICT framework, and the governance arrangements actually fit the applicant's business model, products, and risk profile. A reverse-engineered manual that names the right headings but doesn't reflect how the firm operates gets sent back. The documents have to describe the real operation, not a generic CASP.
2. Treating completeness as the finish line
Passing the 25-working-day completeness check only starts the five-month clock. Completeness means the file has all the pieces, not that the substance satisfies the supervisor. The real assessment — and the information requests — come after. Applicants who celebrate completeness as approval misread the procedure and underestimate the remaining timeline by months.
3. Underbuilding the ICT and DORA evidence
DORA applies to CASPs alongside MiCA, and the ICT-resilience evidence is one of the heaviest parts of the file. A thin ICT-risk-management framework, no incident-classification process, and no third-party-risk provisions draw detailed follow-up. Operators migrating from a venture-stage tech setup feel this hardest. Budget the ICT documentation as a major workstream, not an annex.
4. Filing before pre-engagement
Cold-filing a complex CASP application without pre-meeting the NCA is technically possible but usually slower. Pre-engagement lets the supervisor flag concerns about the model, the substance, or the ownership before the file lands, which shortens the information-request phase. Most experienced applicants run pre-application meetings. Skipping them rarely saves time and often costs it.
Frequently asked questions
What documents does a MiCA CASP application require?
A programme of operations, governance and internal-control policies, fit-and-proper evidence, AML/CFT procedures, ICT and security documentation, custody and segregation policy, conflicts policy, complaints handling, and capital evidence — per Article 62.
How long does a CASP application take to assess?
The NCA checks completeness within 25 working days, then a five-month statutory clock runs to decision. Information requests pause the clock, so real timelines reach six to fifteen months.
What is the hardest part of the CASP application?
Depth and consistency on AML, ICT/DORA resilience, and governance. The document list is public; applications stall when policies are generic, internally inconsistent, or not matched to the actual business model.
Do I need named compliance officers for the application?
Yes. A fit-and-proper management body, a compliance officer, and an MLRO are required, with evidence of their qualifications, residency where applicable, and direct access to the board.
Where do I prove regulatory capital in the file?
In the prudential section. You evidence own funds under Article 67 — the higher of the Annex IV class floor or one-quarter of fixed overheads — and show the capital is held and available.