Cyprus CASP Licence Under MiCA: The 2026 Authorisation Guide for Crypto-Asset Service Providers
The Markets in Crypto-Assets Regulation (MiCA) is now the single legal framework governing crypto-asset services across the European Union, and Cyprus has emerged as one of its most active authorising jurisdictions. The deadline for existing Cyprus crypto-asset service providers to lodge a MiCA application with CySEC closed on 27 February 2026. Firms that filed in time may continue to operate under the prior Cyprus national regime until 1 July 2026 or until CySEC decides their application, whichever comes first. After 1 July 2026, only firms holding a CySEC-issued Cyprus CASP licence under MiCA may provide crypto-asset services from a Cyprus base.
Table of Contents
- What MiCA Brought to Cyprus
- The 1 July 2026 Transitional Deadline
- Crypto-Asset Services Covered by a CASP Licence
- CASP Classes and Capital Requirements
- Governance, Substance and Fit-and-Proper
- AML, DORA and the Travel Rule
- The CySEC Application Pathway
- Passporting a Cyprus CASP Licence Across the EU
- Frequently Asked Questions
- Speak to Connor Legal
This guide explains what the post-transition Cyprus regime now looks like, the capital and governance bar a CASP must clear, the documentary set CySEC expects with every application, and the pitfalls that have caused the most application withdrawals during the first MiCA review cycle. It is written for crypto-asset firms considering a Cyprus base, in-house counsel preparing applications, and founders evaluating whether the firm’s existing national authorisation will survive the transitional cut-off.
The legal picture is moving quickly. Where this guide refers to a specific Cyprus statute, a CySEC directive, or a delegated MiCA standard, the link is to the current published version. Always verify with Cyprus counsel before relying on any position for a regulated activity.
What MiCA Brought to Cyprus
Regulation (EU) 2023/1114 — the Markets in Crypto-Assets Regulation — entered into force on 29 June 2023 and applied in full from 30 December 2024 in respect of crypto-asset services. MiCA replaces national crypto licensing regimes across the EU with one harmonised authorisation, one rulebook for issuers of asset-referenced and e-money tokens, and one passport for cross-border activity. CySEC was designated the competent authority for Cyprus and has positioned itself, alongside the regulators of Malta, Ireland and Lithuania, as a primary EU MiCA gateway.
The Cyprus national crypto-asset services framework that pre-dated MiCA — built on the Prevention and Suppression of Money Laundering and Terrorist Financing Law as amended in 2021 — is being decommissioned in parallel. Firms registered under the national regime cannot continue to operate solely on that basis once the transitional period closes; the national register exists to provide an orderly transition into MiCA authorisation, not as a permanent alternative.
The 1 July 2026 Transitional Deadline
CySEC’s regulatory cadence for 2026 is built around two dates. The first, 27 February 2026, was the cut-off for existing CASPs already registered under the Cyprus national regime to lodge a complete MiCA authorisation application. The second, 1 July 2026, is the end of the EU-wide transitional period prescribed by Article 143(3) MiCA. A firm that did not file by 27 February 2026 must submit a wind-down plan and cease crypto-asset services no later than 1 July 2026. A firm that filed in time may continue operating until CySEC rules on its application, but in any event must hold a MiCA licence by 1 July 2026 to keep transacting.
Firms that hold a Cyprus Investment Firm authorisation under MiFID II already cover certain in-scope crypto-asset services through a streamlined notification procedure under Article 60 MiCA, rather than a fresh authorisation. The interaction between MiFID II and MiCA matters in practice because many existing Cyprus CIFs are extending product scope to include qualifying crypto-assets — see the related framework analysis in our CySEC Class 2 licensing guide.
Crypto-Asset Services Covered by a CASP Licence
Article 3(1)(16) MiCA defines the regulated crypto-asset services. A Cyprus CASP licence will authorise the firm to provide one or more of: custody and administration of crypto-assets on behalf of clients; operation of a trading platform for crypto-assets; exchange of crypto-assets for funds or for other crypto-assets; execution of orders for crypto-assets on behalf of clients; placing of crypto-assets; reception and transmission of orders; provision of advice on crypto-assets; portfolio management of crypto-assets; and the provision of transfer services for crypto-assets.
Each service has its own conduct, organisational and capital implications, and not every firm needs the full set. The application defines a perimeter, and adding a further service after authorisation requires a variation application and, where relevant, additional capital. Scoping the perimeter accurately at the outset is one of the highest-leverage decisions in the entire process.
CASP Classes and Capital Requirements
MiCA Article 67 sets minimum capital requirements for CASPs by reference to three classes that map to the riskiness of the services offered. Class 1 covers advice, reception-and-transmission, placement, execution, transfer services and portfolio management; minimum capital is €50,000. Class 2 adds custody, administration and exchange; minimum capital is €125,000. Class 3 adds the operation of a trading platform; minimum capital is €150,000. These are floor amounts. CySEC may require additional own funds where the firm’s risk profile, client base or projected volumes justify a higher buffer.
Capital must be in qualifying own funds instruments — paid-up share capital, share premium, retained earnings — not in crypto-assets held on the balance sheet. A firm capitalised with €500,000 in Bitcoin and €100,000 in paid-up share capital has €100,000 in qualifying regulatory capital, not €600,000. Counting non-qualifying assets toward the threshold is the single most common error in first-round applications.
Governance, Substance and Fit-and-Proper
MiCA imports the governance discipline familiar from MiFID II and CRD: a clear allocation of responsibilities at board level; a two-management-body model with senior managers physically resident in Cyprus; documented risk, compliance and internal-audit functions; conflicts-of-interest and outsourcing policies; and ongoing fit-and-proper certification of directors, senior managers and qualifying shareholders. CySEC’s review of substance is thorough — applications that rely on a single resident director with no operational team in Cyprus are routinely returned for completion.
For firms relocating their operational centre to Cyprus to secure a MiCA licence, the corporate ground-work runs in parallel with the application. Our guide to Redomiciliation to Cyprus in 2026 sets out the corporate steps for a foreign holding company moving its seat to Cyprus, and our briefing on Corporate Governance and Company Secretariat Services covers the board architecture CySEC expects to see in the application file.
AML, DORA and the Travel Rule
A CASP licence does not stand alone. Three parallel regimes apply and form part of the same application file. First, the AML framework — Cyprus law transposing the EU AML Directives and, from 2027, the directly applicable AML Regulation — imposes obligations on customer due diligence, beneficial-ownership identification and suspicious-transaction reporting that bind every CASP from day one. Second, the EU Transfer of Funds Regulation, commonly known as the Travel Rule, extends to crypto-asset transfers and requires originator and beneficiary information to accompany every transfer above the de minimis threshold. Third, the Digital Operational Resilience Act (DORA), in force from 17 January 2025, imposes ICT risk-management, incident-reporting and third-party-risk obligations on all CASPs, regardless of size.
CySEC examines the AML, Travel-Rule and DORA frameworks during the authorisation review and may issue supplementary requests on each. Engaging a compliance lead with crypto-specific experience before the file is lodged shortens the review timeline substantially.
The CySEC Application Pathway
A complete CASP application file runs to several hundred pages. The core documents are: the prescribed CySEC application form; a detailed business plan setting out the firm’s strategy, three-year financial projections, and the perimeter of crypto-asset services applied for; a programme of operations describing systems, controls and operational set-up; corporate documents including memorandum, articles, shareholder structure and ultimate beneficial owner declarations; CVs, criminal-record certificates and fit-and-proper questionnaires for each director, senior manager and qualifying shareholder; the suite of policies and procedures (compliance, AML, risk management, conflicts of interest, outsourcing, complaints handling, ICT and DORA); and proof of capital, with a confirmation from a Cyprus credit institution that the regulatory capital is on deposit in a segregated account.
CySEC has up to forty working days to confirm the file is complete, then up to six months from the date of completeness to decide the application. In practice, two or three rounds of follow-up questions are typical. A practical implication for cash-flow planning: the Cyprus bank account holding the regulatory capital must be opened before the application is filed — our guide to opening a business bank account in Cyprus sets out the realistic timeline for a foreign-owned applicant.
Passporting a Cyprus CASP Licence Across the EU
A Cyprus CASP licence is an EU passport. Once authorised, the firm may provide its in-scope services in any other EU member state by lodging a passporting notification with CySEC, which in turn notifies the host competent authority. Passporting may be effected through the establishment of a branch or under the freedom to provide services on a cross-border basis. There is no separate host-state authorisation, no host-state capital requirement, and — for in-scope services — no host-state conduct overlay beyond MiCA itself.
The tax treatment of a Cyprus CASP is governed by the Cyprus corporate tax regime and, from 1 January 2026, by the headline rate of 15% introduced by the Cyprus Tax Reform 2026. The Cyprus IP Box, the non-domicile regime for senior executives and the EU Parent-Subsidiary Directive remain available subject to the usual conditions.
Frequently Asked Questions
Does a Cyprus CASP licence cover all crypto-asset services across the EU?
Yes — within the perimeter applied for. A Cyprus CASP licence is an EU passport. After authorisation, the firm may notify CySEC and provide its in-scope services in any other EU member state without obtaining a separate licence in that state, either through a branch or under the freedom to provide services.
What happens to a Cyprus CASP that missed the 27 February 2026 deadline?
A CASP registered under the prior Cyprus national regime that did not file a complete MiCA application by 27 February 2026 cannot continue crypto-asset services from a Cyprus base after 1 July 2026. CySEC requires those firms to submit a wind-down plan. A late application is treated as an application by a new entrant, with no transitional protection during the assessment.
How much regulatory capital does a Cyprus CASP need?
The MiCA floor is €50,000 (Class 1), €125,000 (Class 2) or €150,000 (Class 3), depending on the services offered. Capital must be paid-up qualifying own funds held in a Cyprus credit institution at the date of application. CySEC may set a higher figure where the firm’s risk profile, client base or projected volumes warrant it.
Can a Cyprus Investment Firm (CIF) under MiFID II provide crypto-asset services?
Yes — to a limited extent. A Cyprus CIF may offer certain in-scope MiCA services via a streamlined notification under Article 60 MiCA, rather than a fresh authorisation. The scope of the notification mirrors the equivalent MiFID II investment service for transferable securities. Specialist crypto-only services such as custody and the operation of a trading platform require a full CASP authorisation.
How long does the CySEC CASP application process take?
CySEC has up to forty working days to confirm the application is complete and up to six months from the date of completeness to decide the application. In the current cycle, well-prepared applicants are seeing decisions in nine to twelve months from the original filing date, including follow-up questions. Incomplete files routinely add several months.
Speak to Connor Legal
If your firm is preparing a Cyprus CASP application, considering relocating an existing crypto business to a MiCA jurisdiction, or assessing whether an existing CIF authorisation can be extended to cover crypto-asset services, our regulated-financial-services team at Connor Legal can map the route, draft the application file and represent the firm in dialogue with CySEC. Contact us to arrange an initial discussion.
