MiCA Passporting: How a CASP Goes Cross-Border in the EU

What the MiCA passport actually grants

MiCA’s EU passport mechanism is the operating mechanic of the EU single market for crypto-asset services. The architecture is straightforward: one authorisation by one home competent authority gives the CASP the right to provide its authorised services across all 27 EU member states.

The mechanism is notification, not re-authorisation. A CASP intending to provide services in another member state submits a notification to its home NCA containing:

• The type of crypto-asset services to be provided cross-border
• The list of EU member states where services will be provided
• The intended commencement date

The home NCA forwards the notification to each host NCA. After 15 working days, the CASP can begin providing services in the host markets. Some host NCAs confirm receipt earlier, allowing earlier commencement.

The role of the host NCA is supervisory notification, not gate-keeping. The host is informed that the CASP is operating in its jurisdiction, enabling supervisory powers — but cannot block the passport on substantive grounds.

Home vs host: the role split

Function	Home competent authority	Host competent authority
Initial authorisation	Yes — single responsibility	No
Notification receipt	Receives from CASP	Receives from home (forwarded)
Authorisation revocation	Yes — only home can revoke	No — can request home action
Ongoing prudential supervision	Yes — primary	No (limited information role)
Conduct supervision in host market	Limited	Yes — for activity in host
AML/CFT supervision	Yes — for home-based activity	Yes — for activity in host (5AMLD/6AMLD allocation)
National consumer-protection law	N/A in host territory	Applies to host activity
Information requests on host activity	Yes	Yes — direct or via home
Power to intervene on serious breaches	Yes (revocation)	Yes (limited, jurisdiction-bound)

The split is calibrated to MiCA’s single-market design. The home NCA bears the primary prudential and gatekeeping role. The host NCA retains conduct supervision over activity in its territory and AML/CFT oversight under the 5AMLD allocation logic.

What needs to be in the notification

The EU passport mechanism lists the minimum content. In practice, home NCAs publish their own notification forms with templated structure:

1. CASP identification — legal name, registered address, group structure
2. Authorisation reference — file number, date, list of authorised services
3. Services to be provided cross-border — by class (1/2/3) and by service type (the 10 Annex IV services)
4. Member states to be served — list of host states; can be added later as the firm expands
5. Commencement date — intended start; cannot precede the 15-working-day window
6. Operational details — typically a description of how services will reach host clients (website, mobile app, host-state marketing channels)
7. Localisation evidence — increasingly common — host-state language versions of client communications, host-state customer support arrangements

The home NCA’s substantive role is verifying the notification is complete and within the firm’s home authorisation. The home NCA does not re-assess the firm’s fitness for the host markets.

What the passport does not solve

The passport delivers MiCA-level operating rights. It does not solve four operational workstreams that remain host-state specific:

1. Language and localisation. Client-facing communications, marketing materials, CoI disclosures, website terms — all need to work in the languages of the host markets. The the conflicts-of-interest rule RTS on conflicts of interest specifically requires CoI disclosures in the languages used to market or communicate. A Lithuanian CASP passporting to Spain and Italy operates a three-language compliance stack.

2. National consumer-protection overlays. Several member states have layered national consumer-protection rules on top of MiCA — France’s PACTE law, Spain’s CNMV crypto-advertising rules, Italy’s Banca d’Italia oversight, Germany’s KMAG provisions. The passport delivers MiCA-level operating rights; it does not displace national consumer-law overlays.

3. AML/CFT host-state engagement. AML supervision under 5AMLD/6AMLD remains local to the host market for activity in the host market. A passporting CASP serving five host states engages with five host-state FIUs. Suspicious-transaction reporting flows to the relevant FIU based on where the suspicion arose.

4. Tax registration and reporting. Host-state tax obligations (DAC8 reporting, VAT registration where applicable, withholding obligations) operate independently of MiCA passporting. Tax compliance is a separate workstream the passport does not cover.

Branch establishment vs free provision of services

The EU passport mechanism covers both modes — but they are notified differently:

Free provision of services (cross-border, remote). The CASP serves host clients remotely from the home base. No physical presence, no host-state employees in operational roles, no host-based senior management. This is the default the EU passport mechanism mode and the lighter notification.

Branch establishment. The CASP establishes a physical branch in the host state — office, host-resident staff in operational roles, host-state senior management. Branch establishment requires additional content in the notification (governance arrangements for the branch, identification of branch management, scope of branch activities) and triggers host-state supervisory engagement that goes beyond pure notification.

The line between the two modes can blur — particularly for hybrid models with remote service provision plus limited host-state customer-support staffing. Counsel review of the operating model is non-optional before filing the notification.

How fragmented is MiCA in practice?

The single-market promise of the EU passport mechanism works as designed for routine cross-border services. Where fragmentation surfaces is in the four areas above — language, consumer-protection overlays, AML host engagement, tax. The 2026 reality of EU crypto operations is:

• The passport delivers legal market access at low operational cost (notification + 15 working days)
• Operational readiness in host markets typically takes 2-4 months per market for proper localisation
• Multi-jurisdiction compliance overlays are heavier than single-jurisdiction operations by a non-trivial multiple
• The ROI of additional host markets diminishes after the first three or four, depending on language and consumer-protection alignment

Material CASPs operating across the EU plan their host-market sequencing as a strategic decision, not a notification batch.

Working with counsel on a passporting strategy

The diagnostic for counsel: ask how the firm’s specific cross-border strategy maps to language, consumer- protection, AML, and tax workstreams in each priority host market. Counsel that gives a generic “MiCA passporting works automatically” answer has not engaged with the operational complexity.

The firms in our index with documented cross-border CASP experience are listed below.