Cyprus CASP License Under MiCA (2026): Crypto Exchange & Wallet Provider Setup, Capital & Timeline

From 30 December 2024 the Markets in Crypto-Assets Regulation (MiCA) replaced the patchwork of national crypto regimes across the EU with a single authorisation framework for Crypto-Asset Service Providers. In Cyprus, the Cyprus Securities and Exchange Commission (CySEC) is the competent authority. For firms already operating under the national CASP register created in 2021, the clock to migrate to a MiCA licence runs out on 1 July 2026. For new entrants, a full MiCA licence is the only path to operating an exchange, custody service or wallet provider in or from Cyprus.

This article is written for founders considering a Cyprus-based crypto exchange, custodian, wallet provider, brokerage or trading platform. It covers what is regulated, what is not, how much capital you actually need, who you need to hire, how long the process takes, and how a Cyprus CASP is taxed once it is live.

What a CASP licence actually is

A Crypto-Asset Service Provider is a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis. Under MiCA, any entity providing such services in or from the EU must be authorised as a CASP — there is no longer a lighter-touch "registration" route for professional market participants. The Cyprus regulator for CASPs is CySEC, which also supervises investment firms, funds and insurance intermediaries and which brings to the job its existing MiFID II / IFD-IFR prudential toolkit.

A CASP licence is conceptually similar to a MiFID II investment firm licence adapted for the crypto perimeter. The authorisation covers the legal entity, its services, its people and its systems. A client-facing product that falls outside the eight authorised services is still outside scope of MiCA itself — but in most jurisdictions it will be caught by the financial instruments regime (MiFID II) if the asset is a transferable security, or by AML law if the activity is fiat-to-crypto exchange.

MiCA and the Cyprus transition

The MiCA calendar that matters in April 2026:

Member States could set their transitional window at anything up to 18 months from 30 December 2024 (so up to 1 July 2026). Cyprus chose the full 18 months. In practice that means every Cyprus national-register CASP is operating on borrowed time right now, and a MiCA application takes long enough that starting the process by Q1 or Q2 2026 is essential to avoid a gap between the end of the national regime and the start of the MiCA authorisation.

The eight authorised CASP services

MiCA defines eight regulated CASP services. Your licence is scoped to the services you apply for; you cannot offer services outside the scope of your authorisation.

1. Custody and administration of crypto-assets on behalf of clients.
2. Operation of a trading platform for crypto-assets (the exchange itself).
3. Exchange of crypto-assets for funds (fiat) or for other crypto-assets (on a principal basis — the "OTC desk").
4. Execution of orders for crypto-assets on behalf of clients.
5. Placing of crypto-assets (acting for the issuer).
6. Reception and transmission of orders for crypto-assets.
7. Advice on crypto-assets.
8. Portfolio management of crypto-assets.

A typical retail exchange will combine operation of a trading platform, exchange of crypto for funds and other crypto, execution, and custody. A pure non-custodial DEX front-end arguably operates no regulated service, though the analysis is fact-specific and has been a live issue under MiCA since late 2024.

Minimum capital: the three classes

MiCA sets three capital classes. A CASP must hold initial capital at least equal to the amount for the highest-class service it provides. The capital must be permanent, paid-up and available to absorb losses.

The headline figures are modest compared with a MiFID investment firm (EUR 75,000 / 150,000 / 750,000), but they are a floor, not the actual capital the business needs. In practice, a credible exchange will capitalise at multiples of the regulatory minimum to cover operational losses during the ramp and to satisfy CySEC that the business plan is viable for the first three years.

Ongoing own funds requirements

Initial capital is only the starting point. On an ongoing basis, the CASP must hold own funds at least equal to the higher of:

• the relevant class minimum (EUR 50,000 / 125,000 / 150,000); or
• one quarter of the fixed overheads of the preceding year.

The "fixed overheads" concept is the same as in the IFD / IFR prudential framework for investment firms: total operating expenses from the most recent audited accounts less a list of permitted deductions (variable staff compensation, discretionary bonuses, non-recurring items). For a mature exchange with EUR 4m of annual fixed overheads, own funds must sit at EUR 1m, well above the EUR 150,000 tier floor.

Custodial CASPs face an additional consideration: custody of client crypto-assets does not, by itself, trigger a separate K-factor the way custody of client financial instruments does under IFR, but the programme of operations must demonstrate adequate insurance, cold-storage architecture, segregation from proprietary assets, and business-continuity arrangements proportionate to custody volumes.

People: management body, AMLCO, IT risk

MiCA and CySEC look closely at the human side of a CASP application. A minimum organisational chart:

• Management body: at least two persons of sufficiently good repute who effectively direct the business. Collectively they must possess adequate knowledge, skills and experience in crypto-assets and related financial services. CySEC requires CVs, fit-and-proper questionnaires and criminal-record certificates for each member.
• Compliance officer / AMLCO: a dedicated money-laundering reporting officer based in Cyprus, with direct reporting to the Board, authority to freeze transactions, and independence from commercial functions.
• Risk / ICT risk function: MiCA and the Digital Operational Resilience Act (DORA), which also applies to CASPs, demand a formal ICT risk-management framework and nominated owners.
• Internal audit: required for larger CASPs, may be outsourced for smaller ones with CySEC non-objection.
• Shareholders with qualifying holdings (10%+) require fit-and-proper approval; indirect holdings at 20% / 30% / 50% thresholds equally require notification.

CySEC will typically expect the two heads of business, the AMLCO and at least one senior ICT person to be physically resident in Cyprus and available for on-site supervision.

The CySEC application: documents and fees

A complete MiCA CASP application to CySEC includes:

• Application form (Form MiCA-CASP-1) and schedules for each authorised service.
• Programme of operations for the first three years: services, target clients, geographic scope, onboarding flow, order-handling model, order book, liquidity providers, wallet architecture.
• Business plan with P&L projections, break-even analysis and capital plan.
• Description of internal controls, IT architecture, outsourcing arrangements and ICT risk-management policy.
• AML / CFT policy and procedures, travel-rule compliance, sanctions screening and transaction-monitoring rules.
• Complaints-handling, conflicts-of-interest, best-execution, and client-assets policies.
• Proof of paid-up initial capital.
• Fit-and-proper files for management, AMLCO, key function holders and qualifying shareholders.
• White-paper strategy for listed assets (for platform operators).
• Evidence of professional indemnity insurance or equivalent cover.

CySEC fees for MiCA CASP applications are set by Decision and run, as of 2026, to EUR 10,000–15,000 for the initial application depending on the class, plus an annual supervision fee in the same bracket. Legal, drafting and consulting fees for the full file commonly run multiples of that.

Timeline: submission to authorisation

The MiCA statutory timeline is strict on paper: CySEC has 25 working days for completeness review, then up to 40 working days on the merits (extendable by 20 working days), with the clock paused each time information is requested. In practice the real clock in 2026 looks like this:

Cross-border passporting in the EU

Once authorised, a Cyprus CASP can passport its services into any other EU/EEA Member State by filing a notification with CySEC. The notification sets out the services, the Member State(s) and the means of provision (freedom to provide services vs. establishment of a branch). Host-state authorities cannot refuse the passport on substantive grounds; they can only apply host-state conduct-of-business and marketing rules.

For founders with EU-wide ambitions, Cyprus plus the passport is typically the most cost-efficient entry point into the single market. Only Germany (BaFin) and France (AMF) rival Cyprus for depth of regulatory experience, and both are meaningfully slower and more expensive to navigate.

How the CASP itself is taxed

A Cyprus-resident CASP is taxed as any other Cyprus company:

• Corporate income tax at 15% from 2026 on worldwide profits (the 2026 reform raised the rate from 12.5% to 15%).
• No withholding tax on outbound dividends, interest or royalties paid to non-residents (except royalties used in Cyprus).
• Participation exemption on dividends received and on gains from the sale of shares (except shares in companies whose value derives mainly from Cyprus real estate).
• VAT: supply of crypto-exchange services between fiat and crypto is generally VAT-exempt (following the Court of Justice decision in Hedqvist); custody and execution fees follow exchange treatment. Advisory services to business clients may be zero-rated by reverse charge.

Where a CASP develops and owns the software that powers its own matching engine, wallet infrastructure or risk systems, and where that software is genuinely R&D-heavy, it may be possible to allocate a portion of the profit stream to qualifying IP income under the Cyprus IP Box — see our IP Box regime guide. The headline fee income from matching client orders is, however, generally not itself qualifying IP income.

Founders drawing dividends from a Cyprus CASP benefit from the standard non-dom stack: 0% Special Defence Contribution on dividends for 17 years, plus 2.65% GESY (capped). See our non-dom status guide.

Consumer protection and white papers

MiCA consumer-protection obligations bite at the CASP level. Key items:

• Best execution for client orders in crypto-assets, with a documented execution policy and periodic quality reports.
• Client-asset segregation: custody CASPs must segregate client crypto from proprietary assets and keep accurate books of entitlement. MiCA imposes strict liability for loss of client assets except where the loss is due to an external event beyond reasonable control.
• Complaints handling with statutory response timelines.
• Market-abuse regime specific to crypto — insider dealing, unlawful disclosure, market manipulation — with the CASP obliged to detect and report suspicious orders and transactions.
• White-paper regime for issuers and offerors of crypto-assets other than asset-referenced tokens and e-money tokens. A trading-platform CASP must, before admitting an asset, ensure a compliant white paper is in place (or that the asset qualifies for an exemption, for example Bitcoin).
• Stablecoins (asset-referenced tokens and e-money tokens) have their own authorisation and ongoing regime under MiCA Titles III and IV. Issuing a stablecoin from Cyprus is a separate authorisation from being a CASP.

Practical roadmap to launch

1. Legal structure: incorporate a Cyprus private limited company, paid-up to the relevant capital tier, with appropriate object clauses and nominal shareholder structure.
2. Team: recruit or second into Cyprus the two management heads, AMLCO and ICT lead. Residence permits for non-EU personnel handled in parallel.
3. Pre-application engagement: book the first CySEC meeting. Present the business model, governance, technology stack and wallet architecture. Invite feedback before drafting.
4. Documentation: draft the programme of operations, AML policy, risk framework, ICT policy, best-execution policy, client-asset policy and outsourcing policy. Assemble fit-and-proper files.
5. Submission: file the complete application with CySEC. Pay application fees. Respond to clarifications promptly.
6. Authorisation and go-live: on receipt of the licence, file passporting notifications, open client-funds accounts, finalise banking and PSP partners, and onboard the first users.
7. Ongoing: annual audited accounts, quarterly prudential returns, periodic AML and execution-quality reports, board meetings held physically in Cyprus, and continued engagement with CySEC supervisors.