Deep dive into MiCA – The Regulation on Markets in Crypto-Assets (MICA) – Authorization and conducting rules for Crypto-Asset Service Providers (CASP) (Part II)

1. Required Application Documentation

The application requires comprehensive documentation covering identification, operations, governance, prudential safeguards, and service-specific details.

1. Applicant Identification and Footprint

This section acts as the “KYC of the applicant”:

• Legal Identity (Section A): Provide the official corporate name, stable contact details (phone, email), and commercial/trading names. Include the Legal Entity Identifier (LEI) and the designated contact point for the supervisor. Proof of registration, legal form, national ID number, date, and Member State of incorporation must be included.
• Corporate Documents (Section B): Submit constitutional documents, articles of association, and bylaws for verification of governance and share structure.
• Establishment & Footprint (Section C): Specify the Head Office (where management runs the business) and Registered Office (legal seat), and disclose any planned or existing branches.
• Digital Presence (Section D): List all controlled websites, social media accounts, and app landing pages for supervisory review of public-facing claims and marketing.
• Special Cases: If operating a trading platform, include platform-specific identity details (physical address, commercial name). If the applicant is not a legal person, provide extra evidence showing equivalent protection for third parties and tokenholders, especially concerning insolvency, and equivalent prudential supervision.

2. The Programme of Operations (3-Year Plan)

The Programme of Operations functions as the regulatory business plan, demonstrating operational capability, viability, and control.

• Group and Affiliates: Explain how the CASP fits the group structure and strategy, identifying affiliates, their activities, and cross-entity dependencies (to assess contagion and conflict risk).
• Services & Perimeter: Provide a clear matrix of CASP services mapped to specific crypto-asset types (ART/EMT/“other”), client types, channels, and jurisdictions. Disclose any other planned regulated or unregulated activities, such as lending or staking-as-a-service.
• Geography & Clients: Outline the geographic go-to-market plan, including targeted EU Member States and third countries, and segment prospective clients (retail vs. professional, SMEs, etc.).
• Marketing Governance: Explain the marketing operating model, channels used (influencers, affiliates, etc.), client category targeted, asset types promoted, and multilingual accuracy controls.
• Resources & Outsourcing: Show you can run the services by detailing the three-year headcount plan by function, key roles, ICT stack location, and budget. Describe the outsourcing governance, policy, and a summary list of outsourced providers (identifying critical or important functions).
• Financial Forecast & Risk: Include a 3-year financial forecast with stress scenarios (e.g., volume shock, market crash, cyber incident cost). Disclose any own-account crypto activity or interaction with DeFi apps.

3. Prudential Requirements

Applicants must demonstrate that they meet the minimum prudential threshold at the time of application.

• Amount and Calculation: Determine the numerical amount of prudential safeguards, which must be equal to the higher of the permanent minimum capital in Annex IV or one-quarter (¼) of the fixed overheads of the preceding year (or projected overheads for new firms).
• Form of Safeguards: Show the portion covered by:
  • Own Funds: Limited to CET1 instruments (as defined in CRR) after deductions.
  • Insurance/Guarantee: If used, the policy must meet strict qualitative criteria, including a minimum 1-year term, 90-day cancellation notice, EU-wide territorial coverage, and coverage for operational, legal, conduct, system, custody, and liability risks (Art. 75(8)).
• Ongoing Monitoring: Provide a forward-looking calculation of prudential safeguards for the first three years, explaining the planning assumptions and stress scenarios. Describe internal procedures for monitoring capital levels and reacting to breaches.

4. Governance, Key Personnel, and Shareholders

Governance and Internal Controls

• Structure: Describe the organisational structure, reporting lines between the management body, senior management, and internal control functions, using an organisational chart.
• Internal Functions: Provide personal details and CVs of the heads of management, supervisory, and internal control functions to demonstrate adequate expertise relative to the CASP’s complexity.
• Policies: Describe policies and procedures for MiCAR compliance, record-keeping, whistleblowing, and (where relevant) market abuse prevention (Art. 92).
• Conflicts of Interest (Art. 72): Provide a copy of the conflicts of interest policy, explaining how it identifies, prevents, manages, and discloses conflicts, and how remuneration arrangements avoid creating conflicts. Describe arrangements to monitor, assess, and record conflicts.

Management Body

For each member of the management body (executive and non-executive), submit documentation proving fitness and propriety:

• Identity and Reputation: Full identity, address history, nationality, and proof of good repute (e.g., official certificates/declarations on criminal records, sanctions, or regulatory refusals).
• Experience and Time Commitment: A CV covering the last 10 years, highlighting relevant experience (financial services, crypto/DLT/IT), and a list of all other mandates showing estimated time dedicated to the CASP.
• Conflicts: Describe any financial or non-financial relationships that could create conflicts (e.g., shareholdings, loans, PEP status) and how they will be mitigated.
• Suitability: Submit results of the individual and collective suitability assessments.

Shareholders with Qualifying Holdings

• Ownership Structure: Provide a clear ownership chart identifying direct and indirect shareholders with qualifying holdings.
• Qualifying Shareholders: Submit identity, legal form, reputation, integrity, and financial soundness information for each qualifying shareholder.
• Acquisition Structure and Financing: Crucially, explain the strategic intent (long-term vs. portfolio), shareholding before and after the acquisition, and any acting-in-concert arrangements. You must clearly explain the origin of funds used to finance the acquisition, supported by financial statements, tax documents, and AML evidence. If borrowed or generated by the sale of crypto-assets, detailed supporting documentation is required.

5. Risk, Systems, and Client Protection

AML/CFT

Demonstrate capability to identify, manage, and control risks in line with the EU AML framework.

• Risk Assessment: Explain how risks are assessed based on clients, services, access channels, and operating jurisdictions.
• Mitigation: Describe measures including the AML risk assessment process, Customer Due Diligence (KYC), transaction monitoring, and suspicious activity reporting.
• Accountability: Provide the identity, knowledge, experience, and qualifications of the person responsible for AML/CFT (e.g., MLRO).
• Compliance: Provide copies of AML/CFT policies and procedures, and explain how staff receive regular training.

ICT Systems and Security

Show that the IT, DLT, and cybersecurity setup is safe, resilient, and controlled, complying with DORA and GDPR.

• ICT Framework: Explain the ICT systems and DLT infrastructure, detailing how the ICT risk management framework protects the security, availability, integrity, and confidentiality of data.
• Critical Services: Identify critical or important ICT services (in-house or third-party) and provide compliance with MiCAR Article 73 (outsourcing) and DORA Chapter V (ICT third-party risk).
• Security & Audits: Describe incident detection/response/recovery processes. Provide results or summaries of independent cybersecurity audits (penetration tests, smart-contract reviews, etc.), even if some are only planned.

Business Continuity

Submit a written Business Continuity Plan (BCP) covering all services:

• Plan Scope: Show clear steps ensuring service continuity and orderly recovery after incidents.
• Testing and Review: Confirm the BCP is proportionate to size/services, regularly reviewed, and periodically tested.
• Critical Functions: Explain how continuity is ensured if an outsourced critical function fails.
• Key Personnel: Address continuity if a key person is unavailable, including succession and back-ups.

Segregation and Safekeeping

If providing custody, the applicant must demonstrate that client assets and funds are protected, separate, and never used for the CASP’s own account.

• Crypto-Assets: Describe cryptographic key management (creation, storage, multi-signature use) and segregation between the CASP’s and clients’ wallets.
• Fiat Funds: Detail the procedure ensuring clients’ fiat funds are deposited with a central bank or credit institution by the end of the next business day, in accounts clearly separate from the CASP’s own accounts.

Complaints-Handling

Procedures must ensure clients can easily file complaints, which are handled fairly and promptly.

• Procedures and Resources: Explain staff/IT tools used, identify the responsible person for complaints, and describe how procedures comply with MiCAR technical standards (e.g., defining a complaint, clear timelines, free-of-charge filing).
• Communication: Explain how clients are informed about the procedures, how decisions are communicated, and how clients are informed about available remedies (e.g., escalation options) if unsatisfied.

6. Service-Specific Annexes

If the applicant intends to offer any of the following services, specific documentation must be provided:

• Custody and Administration: Submit the standard custody agreement and client-facing summary (Art. 75(1)/(3)). Detail the custody policy, demonstrating how misuse, loss, or unauthorised access is avoided, and how assets are returned in stress scenarios.
• Operating a Trading Platform: Provide the full operating rules, explaining admission rules for crypto-assets, listing approval processes, execution rules, safeguards for orderly trading (Art. 76(7)), transparency of trading data, and the fee structure. Detail systems to detect and prevent market abuse (Art. 92).
• Exchange Services: Describe the commercial policy and explain the pricing methodology, including reference markets, spreads, mark-ups, and how market volatility affects pricing (Art. 77(2)).
• Execution of Orders: Provide the execution policy, explaining how client consent is obtained. List execution venues, the selection criteria (Art. 78(6)), and how the decision takes into account price, costs, speed, and likelihood of settlement to achieve the best possible result for the client.
• Advice/Portfolio Management: Explain how you ensure advisers and managers have the necessary knowledge and expertise, are regularly supervised, and possess the skills required to carry out suitability assessments (Art. 81(1)).
• Reception & Transmission of Orders (RTO): Include procedures demonstrating compliance with Art. 80, covering order intake controls, recording, timestamping, and conflicts controls.
• Placing of Crypto-Assets: Include procedures for identifying/managing conflicts and arrangements to comply with Art. 79 and relevant RTS, such as the allocation policy and due diligence gates.
• Transfer Services: Specify which crypto-assets are supported, and explain arrangements (ICT/human resources) to comply with Art. 82, focusing on controls to address operational failures and cybersecurity risks.

Download our Authorisation Application Checklist

Coming Up Next in Our MiCA Deep Dive Series

With the CASP framework covered, the next article turns to one of MiCA’s most sensitive areas: stablecoins.

Article 3 — EMTs & ARTs: The New Era of Regulated Stablecoins will examine how MiCA reshapes the issuance and use of e-money tokens (EMTs) and asset-referenced tokens (ARTs). We will clarify the legal distinction between the two, the conditions under which they may be issued, and the strict rules on stabilisation, reserves, governance and redemption rights.

The article will also look at the supervisory role of national authorities, central banks and the EBA, the special regime for significant tokens, and why many existing stablecoins on the market today struggle to meet MiCA’s requirements without major structural changes. Practical references to instruments such as USDT, USDC and EUROe will illustrate these points.

If Article 2 focused on who may operate under MiCA, Article 3 focuses on which stablecoins may exist at all in the EU.