Navigating the regulatory landscape of the European crypto market requires a clear understanding of the Markets in Crypto-Assets (MiCA) framework. At the heart of this regulation is the mandatory authorisation of Crypto-Asset Service Providers (CASPs), which are defined as legal entities or undertakings that professionally provide one or more crypto-asset services. To operate legally within the EU, a firm must either be authorised as a CASP or be a previously regulated financial institution, such as a credit institution or investment firm.
I. Eligibility and General Requirements
To begin the journey toward authorisation, a firm must establish a solid physical and legal presence within the European Union. Specifically, the applicant must be a legal person or undertaking with its effective management and at least one director resident in the EU. Beyond residency, firms must demonstrate high operational standards by providing comprehensive documentation regarding their risk management, Anti-Money Laundering (AML) protocols, and Information and Communication Technology (ICT) systems.
The services for which authorization is sought must correspond to the 10 regulated services, which include custody and administration, operating a crypto trading platform, exchange (crypto ↔ funds or crypto ↔ crypto), execution of orders, placing of crypto-assets, reception and transmission of orders (RTO), advice, portfolio management, and transfer services.
II. The Authorisation Process Timeline
Competent authorities designate a contact point for receiving CASP applications. The legal person or undertaking submits the application by completing the form provided in the Annex to the regulation.
The timeline for the authority to assess the application is:
| Step | Deadline |
| Receipt acknowledged | 5 days |
| Completeness check | 25 days |
| Missing information allowed | +20 days |
| Assessment & decision | 40 days |
| Notification after decision | 5 days |
Authorization may be refused for prudential, reputational, structural, governance, or AML reasons.
III. Romanian Draft Law on MiCA implementation
In Romania, draft legislation has been introduced to implement MiCA through the Financial Supervisory Authority (ASF). Applicants in this jurisdiction face stringent fit-and-proper requirements. For instance, a CASP must have no outstanding tax liabilities and ensure that its shareholders and directors possess clean fiscal and criminal records.
Furthermore, Romania intends to implement an enhanced regime for Crypto-ATM operators. These operators must obtain technical approvals for their hardware and software from specialised national bodies like the ICI and ADR. To ensure safety, the ASF requires real-time, remote access to transaction data and continuous monitoring through a National Single Register of Crypto-ATMs.
Obtaining authorisation is only the beginning, as CASPs are subject to continuous supervision. Firms must undergo biennial technical audits of their platforms. If a security incident occurs that results in client losses, the frequency of these audits increases to an annual basis for three years. For repeated failures, the sanctions are severe, including the potential suspension of activity for three years, which can only be lifted once affected clients are fully compensated.
To understand this process, think of CASP authorisation as obtaining a pilot’s licence for a commercial airline. It is not enough to simply own the plane; you must prove the aircraft is technically sound (ICT systems), demonstrate that the flight crew is qualified and has a clean record (fit-and-proper requirements), and agree to constant monitoring from air traffic control (ASF supervision) to ensure the safety of every passenger on board.
Based on the last public debate on the romanian legal frame, several structural and practical concerns regarding the proposed Romanian framework were highlighted, particularly in relation to the concentration of supervisory powers, limited investor protection mechanisms, and an unclear and potentially rigid transitional regime. Market participants also pointed to excessive bureaucracy, disproportionate sanctions, unclear tax considerations, and a potential competitive imbalance between local and international operators. Overall, the feedback suggests that, unless further clarified and streamlined, the current approach may create barriers to market entry and development rather than effectively supporting a functional and competitive crypto ecosystem. Until now, no further version of the legal frame was made public.
To be continued
