From VASP to CASP: What Crypto Businesses Must Do Before the 1 July 2026 Deadline?

Professional infographic showing a regulatory timeline from VASP regime to CASP authorization under MiCA, highlighting the July 1, 2026 deadline.
Crypto & Digital Assets , , , ,

From VASP to CASP: What Crypto Businesses Must Do Before the 1 July 2026 Deadline?

⏱ MiCA Compliance Guide · 2025–2026

From VASP to CASP: What Crypto Businesses Must Do Before the 1 July 2026 Deadline

The EU's Markets in Crypto-Assets Regulation ends the era of fragmented national VASP registrations across 27 member states. Every crypto exchange, custodian, order book, and portfolio manager operating in the EU must hold CASP authorisation — or exit the market entirely. This guide covers who is in scope, what authorisation actually requires, and what the July 2026 deadline means for your business in practical terms.

📋 Regulation (EU) 2023/1114 📅 Deadline: 1 July 2026 🏛 CASP Authorisation Required 🇪🇺 All 27 EU Member States
Contents — 5 Sections
1
The VASP-to-CASP Transition — What Changed and Why
How MiCA replaces 27 national VASP regimes and creates a single EU licence
2
Who Is In Scope — Which Crypto Businesses Need CASP Authorisation
The 10 regulated crypto-asset services, covered entities, and exemptions
3
CASP Authorisation Requirements — What You Need to Prepare
Capital thresholds, governance, AML, policies, and client asset safeguarding
4
The 1 July 2026 Deadline — Timeline and Transitional Provisions
How grandfathering works, member state variations, and application timing
5
Consequences of Missing the Deadline and Your Action Plan
Enforcement exposure, market access loss, and the 8-step compliance checklist

Section 1 — The VASP-to-CASP Transition: What Changed and Why

Until December 2024, a crypto business operating across the EU had to navigate up to 27 different national licensing regimes — each with its own thresholds, registration requirements, and enforcement approaches. MiCA replaces that fragmentation with a single, harmonised framework. The central concept is the Crypto-Asset Service Provider (CASP): a defined category of regulated entity that requires authorisation once and can then passport its services across the entire EU single market.

The shift from VASP to CASP is not merely a renaming exercise. The FATF-based VASP definition — which most EU national regimes implemented — focused primarily on anti-money-laundering registration. MiCA's CASP framework goes substantially further: it requires full prudential authorisation, capital adequacy, fit-and-proper assessments, mandatory policies, and ongoing supervisory oversight. Companies that hold national VASP registrations are not automatically CASPs — they must apply for CASP authorisation under MiCA before the transitional period expires.

⚠ Before MiCA — The VASP Era
27 national regimes: each member state set its own registration rules, thresholds, and AML requirements — creating an uneven playing field.
No EU passport: a business registered in Lithuania could not use that registration to serve customers in France or Germany. Cross-border operation required separate national registrations.
AML focus only: national VASP regimes were primarily anti-money-laundering registration schemes, not full prudential licensing frameworks. Investor protection obligations were minimal or absent.
Regulatory arbitrage: businesses could choose the most lenient member state for registration, undermining consistent consumer protection across the EU.
✓ Under MiCA — The CASP Framework
Single framework: Regulation (EU) 2023/1114 applies uniformly across all 27 member states. One set of rules, one set of requirements, one supervisory standard.
EU passport: a CASP authorised in any member state can provide services across the EU by notifying the home NCA and the NCA of the host member state — no additional authorisation required.
Prudential authorisation: CASP authorisation requires capital adequacy, governance standards, mandatory policies, and ongoing supervisory compliance — equivalent to financial services licensing.
Level playing field: all CASPs operating in the EU must meet the same baseline standards, regardless of the member state in which they are authorised.

Three Things MiCA Actually Changed for Crypto Businesses

🔐

Registration → Authorisation

National VASP registration was a light-touch AML compliance measure. CASP authorisation is a full financial services licence — with capital requirements, fit-and-proper assessments, mandatory policies, and ongoing regulatory supervision. The bar is materially higher.

🛂

Country-by-Country → EU Passport

Once authorised in a home member state, a CASP can provide services across all EU member states without re-authorisation. Cross-border operation requires only a passporting notification — a significant reduction in regulatory friction for businesses serving EU-wide clients.

⚖️

Fragmented → Uniform Standards

MiCA imposes harmonised investor protection requirements across the EU: disclosure obligations, conflicts of interest rules, client asset safeguarding, and complaint handling. Regulatory arbitrage — choosing the most lenient jurisdiction — is structurally eliminated.

🛂 The EU Passport — How It Works in Practice

A crypto business authorised as a CASP in, say, Germany (by BaFin) can passport its services to France, the Netherlands, Spain, or any other EU member state without applying for a separate licence in each country. The process involves notifying the home NCA (BaFin) of the planned cross-border activities, which then communicates with the host member state's NCA. The host NCA has limited grounds to refuse the passport.

This is a significant operational advantage over the pre-MiCA regime, where businesses had to maintain separate national registrations in each market they operated in. The passport applies to all services listed in the CASP's authorisation — a business authorised to provide custody and trading services in Germany can passport both services across the EU. Services not listed in the home member state authorisation are not passported and require expansion of the authorisation or separate steps.

📋
Legal Basis Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA) Published in the Official Journal of the EU: 9 June 2023 · Entered into force: 29 June 2023 Title V (CASP provisions) applicable from: 30 December 2024 Transitional provisions (Article 143): VASP grandfathering until 1 July 2026 Competent authority framework: national NCAs + ESMA coordination via Article 95 MiCA

Section 2 — Who Is In Scope: Which Crypto Businesses Need CASP Authorisation

MiCA defines a Crypto-Asset Service Provider (Article 3(1)(16)) as any legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis. The critical question for any crypto business is whether the activities it carries out fall within the 10 regulated crypto-asset services listed in Article 3(1)(16) and Article 60 of MiCA.

CASP authorisation is required per service — not per entity in a binary sense. A business that provides two services (for example, custody and trading platform operation) must be authorised for both. The authorisation covers the specific services listed in the authorisation decision, and the EU passport extends only to those listed services. Expanding into a new service type after authorisation requires an amendment to the authorisation.

The 10 Regulated Crypto-Asset Services Under MiCA

1

Custody and administration of crypto-assets on behalf of clients

Safekeeping or controlling crypto-assets or the means of access to crypto-assets, including private keys. Covers exchanges, wallet providers, and custodians holding client assets.

2

Operation of a trading platform for crypto-assets

Running a multilateral system that brings together buyers and sellers of crypto-assets — including centralised exchanges (CEX) matching buy and sell orders for multiple clients.

3

Exchange of crypto-assets for funds

Buying or selling crypto-assets against fiat currency (EUR, USD, GBP, etc.) using proprietary capital. Covers OTC desks and on/off-ramp services operating with their own capital.

4

Exchange of crypto-assets for other crypto-assets

Buying or selling one crypto-asset in exchange for another using proprietary capital. Distinct from trading platform operation — this is principal trading rather than marketplace operation.

5

Execution of orders for crypto-assets on behalf of clients

Acting to conclude agreements to buy or sell crypto-assets on behalf of clients. Execution-only brokers and agency models executing client trades fall within this category.

6

Placing of crypto-assets

Marketing crypto-assets on behalf of an issuer or offeror to potential buyers, without a firm commitment to acquire the unsold portion. Covers ICO/ITO facilitators and token sale agents.

7

Reception and transmission of orders on behalf of clients

Receiving orders from clients and transmitting them to a third party for execution. Introducing brokers, referral platforms, and B2B order routing businesses are typically within scope.

8

Providing advice on crypto-assets

Providing personalised recommendations to clients on one or more crypto-assets. The "personalised" element distinguishes regulated advice from general market commentary or research.

9

Portfolio management of crypto-assets

Managing portfolios of crypto-assets in accordance with client mandates on a discretionary client-by-client basis. Crypto asset managers and robo-advisers exercising discretion are within scope.

10

Providing transfer services for crypto-assets on behalf of clients

Providing services of transferring crypto-assets from one distributed ledger address or account to another on behalf of a client. Payment-focused crypto transfer apps and crypto payroll services are within scope.

Scope at a Glance — Common Business Models

The following covers how the 10 services map to the most common EU crypto business models and what services they typically trigger:

Centralised Exchange (CEX)
Primary services
Services 1, 2, 3, 4, 5
Authorisation tier
Class 3 — highest capital requirement
Key consideration
Trading platform operation (Service 2) triggers Class 3 status — €150,000 minimum own funds
Custodian / Wallet Provider
Primary services
Service 1, possibly 10
Authorisation tier
Class 2 — €125,000 minimum own funds
Key consideration
Client asset safeguarding obligations are particularly stringent for custodians under Article 70 MiCA
Crypto Asset Manager / Robo-Adviser
Primary services
Services 8 and/or 9
Authorisation tier
Class 2 — €125,000 minimum own funds
Key consideration
Advice (Service 8) must be personalised to be regulated — general newsletters and market commentary are not caught
OTC Desk / Fiat On-Ramp Provider
Primary services
Services 3 and/or 4
Authorisation tier
Class 3 if fiat exchange included — €150,000
Key consideration
Exchange for funds (Service 3) using proprietary capital is distinct from operating a matching platform (Service 2)
Introducing Broker / Referral Platform
Primary services
Service 7
Authorisation tier
Class 1 — €50,000 minimum own funds
Key consideration
Platforms that merely refer users to exchanges without receiving or transmitting orders may not be caught — fact-specific analysis required

Key Exemptions — Who Does Not Need CASP Authorisation

MiCA Article 4 sets out the entities and activities that fall outside the CASP framework. These exemptions are narrowly construed and cannot be relied upon without careful analysis of the actual business model.

🏛
MiFID-authorised investment firms

Investment firms already authorised under MiFID II to provide investment services may provide equivalent crypto-asset services under MiCA without CASP authorisation — they must notify their NCA of the intention to provide crypto-asset services. This is a notification, not an application, and is subject to conditions set by the NCA.

🏦
Credit institutions (banks)

Credit institutions authorised under the CRD may provide crypto-asset services under MiCA subject only to a prior notification to their NCA at least 40 working days before providing the service. No separate CASP authorisation is required — but the notification must include required disclosures and the services must be within the bank's existing authorisation scope.

🔗
Fully decentralised protocols (no intermediary)

Where a crypto-asset service is provided in a fully decentralised manner without any intermediary, MiCA does not apply. This exemption is narrow in practice: if there is any identifiable legal entity operating a front end, smart contract deployer, fee collector, or governance token holder exercising control, regulators are likely to view there as an identifiable person providing the service.

🖼
Unique and non-fungible crypto-assets (NFTs)

Crypto-assets that are unique and not fungible with other crypto-assets are excluded from MiCA (Article 4(1)(f)). However, NFT collections with large volumes of identical or similar tokens may be reclassified as fungible — a fractionalized or large-edition NFT series faces the same analysis as other crypto-assets. ESMA has published guidance on the boundary between NFTs and fungible crypto-assets.

Mining and validation (proof-of-work / proof-of-stake)

Creating crypto-assets through mining or validation — including staking as a technical consensus mechanism — does not constitute a crypto-asset service under MiCA. However, providing staking-as-a-service on behalf of clients (i.e., where a third party delegates their staking to you) may fall within the transfer or custody service definitions depending on the structure.

Assets not covered by MiCA — outside CASP scope entirely
Financial instruments within MiFID II scope (equity-like or debt-like tokens)
Electronic money (e-money) covered exclusively by the Electronic Money Directive (EMD2)
Deposits as defined under the Deposit Guarantee Schemes Directive
Structured deposits under MiFID II
Insurance products under Solvency II or IDD
Pension products regulated under IORP or national pension law

Section 3 — CASP Authorisation Requirements: What You Need to Prepare

CASP authorisation under MiCA (Articles 62–76) is a full financial services licensing process, not a registration exercise. An application to the national competent authority requires capital adequacy evidence, a comprehensive governance framework, mandatory policies covering AML, cybersecurity, conflicts of interest, and client asset protection, plus a fit-and-proper assessment of all directors. The preparation timeline for a well-organised applicant typically runs four to six months before submission.

Authorisation decisions must be made within 25 working days of a complete application. However, the NCA can request additional information during that period, which suspends the clock. In practice, applicants should budget for six to nine months from initial submission to authorisation decision in most member states — making an application target of Q3–Q4 2025 necessary for businesses that want operational certainty before 1 July 2026.

Capital Requirements — Three Authorisation Classes

Article 67 of MiCA sets minimum own funds requirements based on the services a CASP provides. Where a CASP provides services from multiple classes, the highest applicable threshold applies. As an alternative to minimum own funds, MiCA permits professional indemnity insurance (PII) covering equivalent risk — subject to NCA acceptance.

Class 1 — Advisory and Transmission Services
€50,000
Services covered
Service 7 (reception & transmission), Service 8 (advice on crypto-assets), Service 10 (transfer services)
Capital form
Own funds (CET1 quality or equivalent); OR professional indemnity insurance covering €1.125M per claim / €1.5M aggregate per year
Practical note
Class 1 is the minimum entry point for advice-only and order-routing businesses. Adding any custody, exchange, or execution service elevates the classification to at least Class 2. Businesses should map all current and planned services before choosing a class.
Class 2 — Custody, Execution, and Portfolio Services
€125,000
Services covered
Service 1 (custody), Service 5 (execution of orders), Service 6 (placing), Service 9 (portfolio management) — plus Class 1 services
Capital form
Own funds; OR professional indemnity insurance covering €1.875M per claim / €2.5M aggregate per year
Practical note
Most custody-focused businesses and execution brokers fall within Class 2. The custody service (Service 1) triggers stringent client asset safeguarding obligations under Article 70 — the capital requirement is the minimum; the operational requirements are substantially more demanding.
Class 3 — Trading Platform and Exchange Services
€150,000
Services covered
Service 2 (trading platform), Service 3 (exchange for funds), Service 4 (exchange crypto-to-crypto) — plus Class 1 and 2 services
Capital form
Own funds; OR professional indemnity insurance covering €2.25M per claim / €3M aggregate per year
Practical note
Centralised exchanges (CEX) and OTC desks providing fiat exchange almost always fall within Class 3. €150,000 is a floor, not a ceiling — NCAs may require higher capital based on the scale of the business, projected trading volumes, and systemic importance assessments under Article 67(3).

Governance and Fit-and-Proper Requirements

Article 68 requires that a CASP's management body includes at least two independent directors who meet fit-and-proper requirements. The NCA assesses the knowledge, skills, experience, good repute, and conflicts of interest of all proposed management body members as part of the authorisation assessment.

👥

Minimum two independent directors

The management body must include at least two independent executive directors at all times. A sole director structure is not compliant. The independence requirement means directors must be genuinely independent from significant shareholders — a founder who is also the sole director will need to appoint an additional qualifying director.

Fit-and-proper assessment

All management body members must demonstrate: relevant knowledge and experience (typically financial services, technology, or legal background); good repute (no criminal convictions, regulatory sanctions, or adverse financial history); and absence of conflicts of interest that would compromise independent judgement.

💼

Remuneration policy

MiCA requires a documented remuneration policy that is gender-neutral and promotes sound risk management. The policy must be assessed and approved by the management body annually. Variable remuneration must not create incentives to take risks exceeding the CASP's risk profile, with particular attention to sales-linked bonus structures.

🏢

Place of effective management

At least one of the qualifying directors must be resident in the EU. NCAs in some member states interpret this as requiring effective management to be located in the home member state — a shell company with all management conducted from outside the EU will not meet the standard. Substance requirements are assessed during the authorisation process.

Mandatory Policies and Procedures

The authorisation application must include comprehensive documented policies covering the following areas. Each policy must be tailored to the CASP's specific business model — generic templates are unlikely to satisfy NCA reviewers.

Required policies — Articles 70–76 MiCA + AML/CFT obligations
AML / CFT Policy Customer due diligence, transaction monitoring, suspicious activity reporting — aligned with AMLD6 and the Transfer of Funds Regulation (TFR / Travel Rule)
Conflicts of Interest Policy Identification, management, and disclosure of conflicts — particularly for businesses that trade on own account alongside client services or that hold proprietary crypto positions
Client Complaint Handling Documented procedure for receiving, acknowledging, investigating, and resolving client complaints — with defined response timelines and escalation paths
Business Continuity Plan Documented plan for maintaining critical functions during disruptions — including IT failures, key person risk, and market stress scenarios. Must be tested and reviewed at least annually
Cybersecurity Framework ICT security policies, penetration testing schedule, incident response plan, and access control framework — aligned with the Digital Operational Resilience Act (DORA) requirements applicable to CASPs
Outsourcing Policy Due diligence and oversight requirements for third-party service providers — including cloud infrastructure, custody technology, and KYC/AML service providers. Critical outsourcing requires NCA notification
Market Abuse Prevention Surveillance systems and procedures to detect, prevent, and report market manipulation, insider trading, and wash trading — particularly relevant for trading platforms and execution services
Orderly Wind-Down Plan Pre-approved plan for winding down operations in an orderly manner — protecting client assets and ensuring service continuity or transfer during a cessation of business scenario
🛡 Client Asset Safeguarding — Article 70 MiCA (Custody CASPs)
Segregation: Client crypto-assets must be segregated from the CASP's own assets at all times. Co-mingling client and CASP assets is prohibited. Segregation must be both operationally (on-chain address level) and legally effective (trust or equivalent structure).
No rehypothecation: CASPs must not use client crypto-assets for their own account — including for liquidity provision, lending, or staking — without the express prior consent of the client for each specific transaction.
Omnibus accounts permitted with conditions: Client assets may be held in omnibus on-chain accounts (shared addresses), provided that the CASP maintains internal records that allow individual client entitlements to be identified at all times and on an immediate basis.
Liability for loss: A CASP providing custody services bears strict liability for any loss of client crypto-assets attributable to a malfunction or hack — unless the CASP can demonstrate the loss was caused exclusively by an external event beyond its reasonable control.

Section 3 — Business Models That Work Well on Open LLMs

The commercial success of the Gemma, Llama 3, and Mistral licence families for software businesses is not theoretical — there are well-established archetypes of products that fit cleanly within the licence boundaries while generating defensible revenue. The pattern that runs through every commercially viable open-LLM business model is the same: the model is infrastructure, and the product is built on top. The revenue is derived from what the product does, not from access to the model itself.

The models best suited for commercial products without licence complications are Apache-2.0 licensed models — specifically Mistral 7B and its derivatives — because Apache-2.0 places no commercial restrictions on use, redistribution, or monetization. For products that need higher capability and can work within their licence restrictions, Llama 3 and Gemma are viable for most SaaS and vertical application use cases below the specific restriction thresholds. The key is matching the business model archetype to the model licence's actual constraints.

What Each Model Is Suited For Commercially

🌬️
Mistral 7B (Apache-2.0)
Lowest commercial restriction of any capable open LLM
Best for: any product where legal simplicity is commercially material — regulated sectors, enterprise sales with procurement scrutiny, products approaching fundraising or M&A where IP chain must be clean
Inference APIs: the only major open-weight model family where building an inference API business is commercially straightforward — Apache-2.0 permits redistribution without restriction
Developer tooling: tools sold to developers that surface the model's capability as part of the product — Apache-2.0 permits this without competitor-ban or reselling concerns
Capability trade-off: Mistral 7B is capable for many production tasks but trails Llama 3 70B or Gemma Pro in capability; products requiring frontier-level performance may need to accept the licence restrictions of higher-capability models
🦙
Llama 3
Community licence — restrictions apply above 700M MAU
Best for: vertically focused SaaS products that need strong general capability, are not competing with Meta's AI offerings, and have a clearly defined product layer between customers and the model
Fine-tuned vertical models: building domain-specific models by fine-tuning Llama 3 on proprietary data and offering the resulting capability as a product is straightforwardly permitted at most commercial scales
Enterprise applications: internal productivity tools, code assistants, knowledge management systems — products where the customer never interacts with the model directly and the product's workflow logic creates the value
Avoid: using Llama 3 to build a competing foundation model or AI platform; products with ambitions to reach the 700M MAU threshold without a Meta commercial licence agreement in place
💎
Gemma
Google ToU — API reselling explicitly restricted
Best for: applications in the Google ecosystem, products that pair Gemma with Google Cloud infrastructure, and verticals where Google's investment in safety fine-tuning is commercially relevant to customers
Embedded AI features: Gemma's efficient smaller variants (2B, 7B) are well-suited for on-device or edge deployment where the model runs locally within a product rather than as an external API
Research and education products: the ToU explicitly contemplates research and educational use; products in these verticals have a cleaner licence posture than general commercial products
Avoid: building an inference API or model-access service on Gemma; products whose revenue model could be characterised as providing Gemma as a service to third parties without Google consent

Four Business Model Archetypes That Work

🏢
Vertical SaaS with AI-powered workflow
The dominant commercially safe archetype
Structure: the product is a domain-specific workflow tool — legal contract review, medical documentation, financial analysis, code review — that uses an open LLM to automate or augment the core task; the model is never exposed to customers directly
Revenue model: per-seat SaaS subscription, per-document pricing, or per-organisation licensing — pricing tied to the product's workflow value, not to underlying model consumption
Preferred models: Llama 3 (capability), Mistral 7B (IP simplicity), Gemma (Google ecosystem); model is chosen for task fit and licence compatibility with the specific use case
Why it works: the product's domain knowledge, integrations, training data, and workflow logic create value that is clearly distinct from the underlying model capability; the licence restriction on reselling does not reach products with genuine value-add layers
🔬
Fine-tuned specialist model as a product
Proprietary data creates the moat
Structure: take an open-weight base model (ideally Mistral 7B on Apache-2.0 for maximum IP clarity), fine-tune it on proprietary domain data, and offer the resulting specialised model capability as a product to customers in that domain
Revenue model: subscription to the specialised AI capability (not to "the model"); per-outcome pricing for tasks the specialist model performs — the moat is the fine-tuning dataset, not the base model
IP considerations: fine-tuned weights derived from Apache-2.0 base models are commercially cleanest; fine-tunes on Llama 3 or Gemma inherit their licence restrictions and must not be distributed or monetised in ways those base licences prohibit
Why it works: the proprietary fine-tuning dataset is the commercial IP — customers pay for access to the specialised capability that dataset creates, not for the base model itself; clearly on the "feature" side of the reselling line
🖥️
AI-augmented internal tooling sold externally
Internal use case → commercial product
Structure: tools originally built for internal use — customer support automation, internal knowledge bases, code assistants, document management — packaged and sold to other companies facing the same operational problem
Revenue model: per-organisation licensing, per-seat subscription, or per-deployment pricing; the product is the packaged tool and its implementation, not the AI model
Compliance advantage: these products have organic product logic because they were built to solve a real internal problem; the value-add layer is genuine, which creates a robust answer to any "are you just reselling the model?" question
Why it works: the product was never designed as a model access layer; the model is infrastructure within a tool that has its own integrations, workflows, and institutional knowledge baked in
📱
Consumer or SMB applications with embedded AI
AI as a feature, not the product
Structure: consumer or SMB-facing products — writing tools, productivity apps, research assistants, creative tools — where AI capability is one feature among several and the brand, UX, and distribution are the commercial assets
Revenue model: freemium to paid subscription; premium features may include more AI usage (higher limits) but the pricing unit is the subscription tier, not the AI consumption unit
Model considerations: consumer products typically prioritise on-device capability (Gemma 2B efficient variant, Mistral 7B quantised) or cost efficiency; the Apache-2.0 licence advantage of Mistral 7B is commercially significant at consumer scale
Why it works: the product's brand, distribution, and user experience are the business; the AI model is one component of the product — the same way a database is infrastructure, not the product

Why Apache-2.0 Models Are the Default Choice for Maximum Commercial Freedom

Apache-2.0 commercial advantages vs custom model licences
What Apache-2.0 permits that custom licences restrict
Redistribution without restriction: model weights and derivatives can be redistributed commercially — including as part of products sold to customers — without approval from the model creator
All fields of endeavour: Apache-2.0 cannot discriminate against use cases; building a product that competes with the model creator is fully permitted — no competitor ban
Irrevocability: Apache-2.0 rights cannot be revoked retroactively; a product built on Mistral 7B today cannot have its licence pulled by Mistral AI tomorrow — the rights are permanent
No MAU threshold: there is no scale-based commercial licence trigger; a product can grow to any size without the licence terms changing or requiring a new agreement
Where Apache-2.0 models may require trade-offs
Capability ceiling: Apache-2.0 models currently available (Mistral 7B, early Falcon) trail the capability of Llama 3 70B or Gemma Pro on complex reasoning and instruction-following tasks; capability trade-offs must be assessed per use case
Safety fine-tuning: Apache-2.0 base models typically have less safety fine-tuning than Gemma or instruction-tuned Llama 3 variants; products in regulated or sensitive sectors may need to invest in safety fine-tuning on top of the Apache-2.0 base
Attribution requirement: Apache-2.0 requires attribution notices to be preserved in derivative works; for commercial products, this is a documentation obligation rather than a commercial restriction, but it must be handled correctly
No patent grant from model creator: Apache-2.0 includes a patent licence, but where model training involves third-party IP claims, Apache-2.0's permissive terms do not resolve underlying training data copyright questions

Section 4 — The 1 July 2026 Deadline: Timeline and Transitional Provisions

MiCA's transitional provisions under Article 143 allowed crypto businesses already operating in an EU member state under national law to continue during a grandfathering period without holding full CASP authorisation. That grandfathering period expires on 1 July 2026. After that date, there is no further transition — a business providing crypto-asset services in the EU without CASP authorisation will be operating unlawfully.

The transitional period does not apply automatically and uniformly. Individual member states chose whether to implement it, and some set shorter national transitional deadlines. A business cannot assume it can operate until 1 July 2026 in every EU market without verifying the transitional arrangements in each member state where it provides services.

MiCA Implementation Timeline

9 June 2023
MiCA published in the Official Journal of the EU

Regulation (EU) 2023/1114 entered into force 20 days after publication on 29 June 2023. The 18-month preparation period for Title V (CASP provisions) began. ESMA and EBA began developing the regulatory technical standards (RTS) required under MiCA — over 50 mandates covering authorisation templates, conduct requirements, and prudential standards.

30 June 2024
Title III (ART) and Title IV (EMT) applicable

The asset-referenced token (ART) and e-money token (EMT) issuance provisions became fully applicable. Issuers of stablecoins and other crypto-assets were required to comply with MiCA's issuance and disclosure rules from this date.

30 December 2024
Full MiCA application — Title V (CASP provisions) effective

The CASP authorisation framework became fully applicable. NCAs began accepting CASP authorisation applications from this date. Businesses already providing crypto-asset services under national law became subject to transitional provisions under Article 143. The 18-month transitional period began.

Now — 2025
Application preparation and submission window

The critical window for applicants. Businesses should aim to submit CASP applications by Q3–Q4 2025 at the latest to allow sufficient time for the NCA review process (25 working days for a complete application, plus request-for-information pauses) before 1 July 2026. Applications submitted too close to the deadline risk being incomplete or undecided by the transition end date.

!
1 July 2026 — Hard Deadline
Transitional provisions expire — CASP authorisation required

All transitional grandfathering ends. Any business providing crypto-asset services in the EU without CASP authorisation after this date is operating unlawfully, regardless of its prior national VASP registration status. There is no further extension mechanism in MiCA. Businesses that have submitted an application but have not yet received an authorisation decision will be in an uncertain position — see the note on pending applications below.

How the Transitional Provisions (Article 143) Work

📋 Article 143 MiCA — Transitional arrangements for CASPs
1
Who is eligible: only businesses that were already providing crypto-asset services under national law in a member state before 30 December 2024. Businesses that commenced operations after that date cannot rely on the transitional provisions — they needed CASP authorisation from day one of their operations.
2
What the transition permits: eligible businesses may continue providing the specific crypto-asset services they were already providing before 30 December 2024, subject to the national legal requirements that applied to them at that time. Expanding into new service categories during the transition requires CASP authorisation — the grandfathering covers continuation, not expansion.
3
When it ends — the earlier of: (a) 1 July 2026, or (b) the date on which the business receives a CASP authorisation decision from its national competent authority. Receipt of a positive decision ends the transitional period and brings the business fully under MiCA. A negative decision ends the transition and requires the business to cease operations.
4
Member state implementation is not automatic: Article 143(3) gave member states the option of applying the transitional period for a shorter timeframe — or not at all. A number of member states have applied transitional periods shorter than 18 months. Businesses must verify the transitional arrangements in each member state where they operate, not just their home member state.

Member State Transitional Periods — Key Variations

The following reflects the position across selected member states. Businesses should obtain current legal advice on the transitional position in each relevant jurisdiction, as national implementing measures can change.

🇩🇪

Germany (BaFin)

Germany implemented the full 18-month transitional period. Existing VASPs registered with BaFin before 30 December 2024 may continue under national law until 1 July 2026 while their CASP application is processed. BaFin began accepting applications from December 2024.

Full 18-month transition
🇫🇷

France (AMF)

France implemented the transitional period for PSAN-registered entities (the French national VASP regime). Existing PSANs may continue operating until 1 July 2026, subject to ongoing compliance with French AML requirements during the transitional period. The AMF began the CASP authorisation process from December 2024.

Full 18-month transition
🇳🇱

Netherlands (DNB / AFM)

The Netherlands applied a shorter transitional period — Dutch-registered VASPs had a reduced window compared to the full MiCA 18 months. Businesses operating in the Netherlands should verify the exact end date of the Dutch transitional period with DNB or their legal advisers, as the position may differ from the EU-wide 1 July 2026 deadline.

Shorter national period
🇮🇪

Ireland (CBI)

Ireland implemented the transitional provisions. The Central Bank of Ireland began accepting CASP authorisation applications in late 2024. Existing VASP-registered entities in Ireland may rely on the transitional provisions until 1 July 2026, subject to ongoing compliance with the CBI's VASP requirements and AML/CFT obligations.

Full 18-month transition
🇱🇹

Lithuania (LB)

Lithuania was a popular VASP registration hub under the previous AML-only regime. Lithuanian-registered VASPs must apply for CASP authorisation under MiCA — the Bank of Lithuania accepts applications and applies the Article 143 transitional provisions. Given the volume of VASPs registered in Lithuania, early application is advisable to avoid application processing backlogs.

Check with LB for timing
🇵🇱

Poland (KNF)

Poland has implemented MiCA through the KNF (Polish Financial Supervision Authority). Polish-registered VASPs are subject to the transitional provisions and may continue until 1 July 2026, subject to KNF requirements. Poland's existing national crypto regulation was relatively light-touch — CASP authorisation represents a substantially higher compliance burden for Polish operators.

Full 18-month transition
What happens if your application is pending on 1 July 2026? MiCA is silent on the position of businesses with applications submitted but not yet decided by 1 July 2026. This creates a legal gap. Some NCAs have indicated they will continue to process applications received before the deadline — but operating without a decision after 1 July 2026 carries legal risk. Businesses should not rely on a pending application as an implicit extension of the transitional period. The safest approach is to submit applications early enough that a decision is expected before the deadline — targeting Q4 2025 submission provides a reasonable buffer in most member states.

Section 5 — Consequences of Missing the Deadline and Your Action Plan

Operating as a crypto-asset service provider in the EU after 1 July 2026 without CASP authorisation is not a grey area. It is an unlawful activity in every EU member state, subject to criminal and administrative enforcement. The consequences extend beyond regulatory fines — loss of EU market access, forced wind-down of operations, and reputational damage are material business risks that cannot be managed retrospectively.

The window to act is narrowing. With authorisation timelines of six to nine months from application submission, businesses that have not yet begun their CASP application process need to start immediately. Every month of delay reduces the available buffer before the hard deadline.

What Happens If You Miss the Deadline

Unlawful operation — immediate exposure

Providing any of the 10 CASP services in the EU after 1 July 2026 without authorisation constitutes a violation of Regulation (EU) 2023/1114 in every member state. There is no grace period, no further extension, and no transitional mechanism after that date. The violation is immediate from the first day of operation post-deadline.

🚫

Loss of EU market access

Without CASP authorisation, the EU passport does not exist. A business operating without authorisation cannot lawfully serve EU-resident clients for the covered services, regardless of where the business is incorporated. Regulators in multiple member states may issue simultaneous prohibition orders against an unauthorised provider operating cross-border.

💸

Administrative fines — up to 12.5% of annual turnover

MiCA Article 111 grants national competent authorities the power to impose administrative fines of up to €5 million (or 12.5% of annual turnover, whichever is higher) for the most serious infringements, including providing services without authorisation. These are per-infringement maxima — sustained unlicensed operation creates compounding exposure.

📢

Public disclosure and reputational damage

NCAs are required under MiCA to publish enforcement decisions on their websites, including the identity of the infringing entity and the nature of the violation. Being publicly named as an unlicensed crypto operator has material consequences for customer trust, banking relationships, and future authorisation prospects across the EU.

🏛

Criminal liability in some member states

Beyond MiCA administrative sanctions, several EU member states — including France, Germany, and Lithuania — impose criminal liability on directors and officers of entities providing financial services without authorisation. Personal exposure for management is a distinct risk from the corporate administrative fine exposure.

👥

Forced client asset wind-down

When a prohibition order is issued, an unauthorised CASP must return client assets and cease services — potentially under an NCA-supervised wind-down. An unplanned forced wind-down is operationally costly and commercially damaging, including the reputational impact of informing clients that services must cease due to regulatory non-compliance.

⚠ MiCA Article 111 — Maximum Administrative Sanctions at a Glance
Infringement
Providing services without CASP authorisation
Maximum sanction (natural persons)
€700,000
Maximum sanction (legal persons)
€5,000,000 or 12.5% of annual turnover — whichever is higher
Infringement
Material breach of conduct of business requirements (post-authorisation)
Maximum sanction (natural persons)
€700,000
Maximum sanction (legal persons)
€2,500,000 or 2% of annual turnover — whichever is higher

Your 8-Step CASP Authorisation Action Plan

1
Now

Map your services against the 10 CASP categories

Conduct a structured assessment of every activity your business performs against the 10 regulated crypto-asset services in Article 3(1)(16) MiCA. Include current and planned services — a service you intend to launch before 1 July 2026 must be included in the initial authorisation application. Identify the applicable authorisation class (1, 2, or 3) and the capital threshold.

2
Now

Identify your home member state and national competent authority

Your home member state is the EU member state in which your registered office is located (for legal persons). If you are not yet incorporated in the EU, you must establish a legal entity in an EU member state before applying for CASP authorisation — third-country businesses cannot hold a MiCA CASP authorisation directly. Choose your home member state taking into account the NCA's processing capacity, experience with crypto businesses, and your commercial plans.

3
Now

Verify your transitional period position in each operating member state

Confirm whether you qualify for transitional provisions in each EU market where you currently provide services. Verify the national transitional deadline — not all member states use the full 1 July 2026 date. Confirm that your existing activities fall within the scope of the transitional provisions (continuation of pre-December 2024 services, not expansion). Document your transitional position.

4
Q2–Q3 2025

Prepare governance — appoint qualifying directors

Ensure your management body includes at least two independent directors who meet the fit-and-proper requirements under Article 68. If your current structure has a sole director or directors who do not meet the independence requirement, begin the recruitment or restructuring process now — finding and onboarding qualifying directors takes time, and the NCA will scrutinise the fit-and-proper assessment carefully.

5
Q2–Q3 2025

Draft and implement required policies

Commission the preparation of all mandatory policies: AML/CFT (including Travel Rule / TFR compliance), conflicts of interest, client complaint handling, business continuity, cybersecurity (DORA-aligned), outsourcing, market abuse prevention, and orderly wind-down. Policies must be tailored to your specific business model — NCAs routinely reject applications that contain generic or template policies that do not reflect the actual operations of the applicant.

6
Q3 2025

Meet and evidence capital requirements

Organise and document the minimum own funds required for your authorisation class. If using professional indemnity insurance as an alternative, obtain a qualifying policy from an insurer acceptable to your NCA and verify coverage limits meet the MiCA thresholds. Prepare financial statements and projections demonstrating that capital requirements will be maintained on an ongoing basis, not just at the point of application.

7
Q3–Q4 2025

Prepare and submit the authorisation application

Compile the complete application package using the ESMA standardised application templates. The application must include: corporate documents, business plan, financial projections, policy documentation, management body CVs and fit-and-proper evidence, programme of operations, and AML/CFT framework evidence. Submit no later than Q4 2025 to allow time for NCA review and any request-for-information rounds before July 2026.

8
Q4 2025 – Q2 2026

Manage the NCA review process and respond to information requests

Following submission, the NCA has 25 working days to determine whether the application is complete, then 25 working days to make a decision on a complete application. Information requests pause the clock — respond promptly and completely. Use the review period to finalise operational readiness: systems, controls, and staffing should all be in place before authorisation is granted, not after.

🔏 Crypto Licensing Legal Advice

Need support with your CASP authorisation application?

CASP authorisation under MiCA is a structured legal and regulatory process. The application package, policy framework, governance restructuring, and NCA engagement each carry material risks if not handled correctly. Our crypto licensing team assists crypto businesses across the EU with CASP authorisation strategy, application preparation, and the regulatory engagement required to achieve authorisation before the July 2026 deadline.

Explore Crypto Licensing Services →
Tag
Oleg Prosin

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. Works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.

view all posts

Related Posts