How to Apply for a CySEC CASP Licence: Step-by-Step Application Process

The CySEC CASP application process under MiCA is not a form-filling exercise. It is a substantive regulatory assessment of whether your business — its governance, its people, its capital, its systems, and its compliance programme — is genuinely ready to operate as an authorised crypto-asset service provider in the EU.

Firms that approach the application with that understanding — and invest the preparation time accordingly — move through the process at regulatory speed. Firms that submit prematurely and iterate through rounds of Requests for Information (RFIs) from CySEC routinely add three to six months to their timeline and significantly increase their total advisory cost.

The first question to answer honestly is not “how do we get through the application?” but “are we actually ready for this?” The following checklist frames that readiness assessment across the five dimensions CySEC will scrutinise:

• Legal entity: Do you have a Cyprus-incorporated company with a genuine registered office and resident executive management?
• Management body: Does your board collectively cover the competencies required for your proposed services, and can every member pass CySEC’s fit and proper assessment?
• Capital: Do you have the minimum own funds required for your service scope, held in qualifying form, available at the point of authorisation?
• AML/CFT programme: Have you built a genuinely tailored AML/CFT programme — not a template — that reflects your specific business model, client base, and risk profile?
• Systems and controls: For exchange, custody, or trading platform applicants, do you have the IT infrastructure, cybersecurity controls, and operational resilience documentation that CySEC expects?

If the answer to any of these is “not yet,” the right move is to address the gap before submitting — not to submit and hope CySEC does not notice. CySEC will notice.

For context on the full framework within which this application sits, ComplyFactor’s CySEC CASP complete guide covers the regulatory architecture, service categories, capital tiers, and ongoing obligations in detail. This article focuses specifically on the application mechanics.

Step 1 — Define Your Service Scope

The first substantive decision in your application is defining the precise scope of crypto-asset services for which you are seeking authorisation. This decision has cascading implications across capital requirements, governance structure, systems requirements, and the depth of documentation CySEC will expect.

MiCA defines ten categories of crypto-asset services under Article 3(1)(16):

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets
• Exchange of crypto-assets for funds
• Exchange of crypto-assets for other crypto-assets
• Execution of orders for crypto-assets on behalf of clients
• Placing of crypto-assets
• Reception and transmission of orders on behalf of clients
• Providing advice on crypto-assets
• Providing portfolio management of crypto-assets
• Providing transfer services for crypto-assets on behalf of clients

Your authorisation will list specifically which of these services you are permitted to provide. You can only provide services listed in your authorisation — providing services beyond your authorised scope is a regulatory breach.

The strategic question at this stage is scope calibration. Applicants sometimes seek authorisation for the broadest possible range of services — reasoning that it is better to have permission they may not immediately use than to need to amend the authorisation later. CySEC’s assessment, however, is proportionate to scope: a firm seeking authorisation for five services must demonstrate governance, capital, and systems adequate for all five simultaneously.

For most applicants, a focused initial scope — covering the services you will actually launch with — followed by a planned amendment application once operational, is a more efficient path. Scope amendments after authorisation, while requiring CySEC approval, follow an expedited process relative to initial authorisation.

Your service scope also determines your capital class under MiCA Article 67:

• Class 1 (€50,000): Advice, reception/transmission of orders, transfer services
• Class 2 (€125,000): Execution of orders, exchange for funds or crypto, placing
• Class 3 (€150,000): Custody and administration, operation of trading platform

Where your services span multiple classes, the highest threshold applies. A firm providing both advisory services (Class 1) and custody (Class 3) is a Class 3 entity.

Step 2 — Establish Your Cyprus Legal Entity

CySEC authorises Cyprus-incorporated legal entities. If you do not already have a Cyprus entity, establishing one is a pre-condition of the application — not something that can run in parallel.

The standard structure is a private company limited by shares incorporated under the Cyprus Companies Law, Cap. 113. Incorporation is handled through the Cyprus Registrar of Companies and typically takes two to four weeks for standard applications, or can be expedited.

Key requirements for the entity structure:

Registered office. The entity must have a registered office address in Cyprus. This must be a genuine operational address — not simply a nominee address or a virtual office used as a brass plate. CySEC’s substance assessment looks for evidence of genuine operational presence at the registered address.

Executive management. At least one executive director must be resident in Cyprus. CySEC has been consistent in requiring that executive decision-making is not entirely offshore. The Cyprus-resident director must be a genuine executive with operational authority — not a local nominee appointed to satisfy the residency requirement while management is conducted from elsewhere.

Share structure. The share structure must be documented and transparent. Beneficial ownership must be clearly disclosed — CySEC will trace ultimate beneficial ownership through any holding structures and assess all qualifying shareholders (10% or above) under fit and proper requirements.

Company secretary and statutory registers. Cyprus companies require maintenance of statutory registers — members, directors, charges — and annual filing requirements with the Registrar of Companies. These administrative obligations run from incorporation and must not be neglected during the application period.

For firms establishing a Cyprus entity for the first time, the interaction between corporate establishment timelines and the application preparation timeline should be planned carefully. The entity needs to be established before the application is submitted, but corporate setup and application preparation can largely run in parallel, saving four to six weeks of elapsed time.

Step 3 — Build Your Management Body

The management body — your board of directors — is one of the two most scrutinised elements of a CASP application (the other being the AML/CFT programme). CySEC’s fit and proper assessment is thorough, and weaknesses in management body composition are among the leading causes of application delays and refusals.

Collective competence requirement. MiCA Article 68 requires that the management body collectively possesses sufficient knowledge, skills, and experience to understand the CASP’s activities and the principal risks to which it is exposed. CySEC assesses this at the board level — individual directors need not be expert in every dimension, but the board as a whole must cover the key competency domains relevant to your business model.

For a crypto exchange applicant, the board should collectively cover: crypto-asset operations and technology, financial services regulation, risk management, and financial/accounting oversight. For a custody-focused applicant, the emphasis shifts toward technology, security, and operational risk. CySEC will map proposed directors against these domains and identify collective gaps.

Individual fit and proper requirements. Each member of the management body — and each qualifying shareholder — must individually satisfy CySEC’s fit and proper criteria:

• Repute: Clean criminal record, no prior regulatory sanctions or adverse supervisory findings in any jurisdiction, no unresolved bankruptcies or significant financial judgments
• Competence: Relevant professional qualifications or experience in financial services, crypto-assets, technology, law, or other relevant disciplines
• Time commitment: Ability to devote sufficient time to the role — CySEC will scrutinise directors holding positions across multiple entities and may require confirmation that time commitments are manageable

Documentation for fit and proper assessment. For each director and qualifying shareholder, CySEC requires:

• Detailed CV (minimum 10 years of professional history)
• Criminal record certificate from all jurisdictions of residence and citizenship (typically required to be apostilled and translated where not in Greek or English)
• Declaration of regulatory history — all prior roles in regulated entities and any adverse findings
• Declaration of financial standing — any bankruptcies, insolvencies, court judgments
• CySEC prescribed questionnaire (Personal Questionnaire form)

Criminal record certificates from some jurisdictions take four to eight weeks to obtain. This documentation requirement is frequently underestimated in application preparation timelines.

The MLRO. CySEC requires designation of a Money Laundering Reporting Officer at management level. The MLRO must be notified to CySEC and must have direct reporting access to the management body. The MLRO role cannot be entirely outsourced — the named MLRO must be a genuine officer of the firm with operational authority. ComplyFactor’s global MLRO services provide practitioner-level MLRO capability within this constraint, including for firms that need to demonstrate MLRO substance while building out their internal compliance function.

Compliance officer. Separate from the MLRO, CySEC expects a dedicated compliance officer with relevant regulatory expertise. In smaller firms, the MLRO and compliance officer roles may be held by the same individual, but CySEC will scrutinise whether that individual has the time and expertise to discharge both functions effectively.

Step 4 — Develop Your AML/CFT Programme

An AML/CFT programme for CySEC purposes is not a document set — it is a functioning compliance system, evidenced by documentation. CySEC has become increasingly sophisticated in distinguishing genuine AML programmes from compliance theatre, and an AML programme that reads as a template — regardless of how polished it looks — will generate significant RFI activity during the substantive review.

The AML/CFT programme documentation required for a CASP application includes:

Business-wide risk assessment (BWRA). A comprehensive, quantitative assessment of your firm’s ML/TF risk exposure across: client base and onboarding channels, products and services, geographic exposure, delivery channels, and transaction typologies. The BWRA must be specific to your business — not a generic crypto sector risk assessment. It must be dated, version-controlled, and show evidence of board approval.

AML/CFT policies and procedures manual. Documented policies covering:

• Customer Due Diligence (CDD) — identity verification standards, beneficial ownership determination, reliance arrangements
• Enhanced Due Diligence (EDD) — triggers, additional measures, sign-off requirements
• Ongoing monitoring — transaction monitoring parameters, alert handling, periodic review
• Suspicious Transaction/Activity Reporting — internal escalation, MLRO decision process, external reporting to MOKAS (Cyprus FIU)
• Sanctions screening — lists screened, frequency, match handling, escalation
• Politically Exposed Persons — identification, risk classification, EDD requirements
• Record-keeping — retention periods, format, retrieval
• Staff training — frequency, content, delivery, records
• Independent audit — frequency, scope, reporting

MLRO procedures. Documented procedures for the MLRO’s function — including the internal STR process, MLRO decision log requirements, and escalation to the management body.

Sanctions policy. Standalone sanctions screening policy covering EU consolidated sanctions list, UN sanctions, and any additional lists applicable to the firm’s jurisdiction exposure.

Travel Rule compliance framework. Documentation of how the firm will comply with the EU’s Transfer of Funds Regulation (TFR) zero-threshold Travel Rule requirement for crypto-asset transfers — including the technical solution for originator/beneficiary data transmission and the policy for unhosted wallet interactions. For a practical implementation guide, see ComplyFactor’s Travel Rule guide.

On-chain analytics. For CASPs conducting crypto-asset exchanges or transfers, documentation of the blockchain analytics solution to be deployed — including the provider, integration architecture, alert categories, and handling procedures.

The AML/CFT programme must be approved by the management body before submission and must reflect the firm’s actual proposed operations — not a hypothetical future state. CySEC reviewers are experienced at identifying programmes built to satisfy an application rather than to actually manage risk.

ComplyFactor’s AML compliance programme services and complete AML programme blueprint provide a framework for building a programme that genuinely meets CySEC’s expectations — not just a documentation exercise.

Step 5 — Prepare Your Governance and Operational Documentation

Beyond the AML/CFT programme, MiCA Articles 68–76 require CASPs to demonstrate robust governance and operational arrangements. CySEC’s application assessment covers these in detail, and applicants frequently underestimate the documentation depth required in this area.

Programme of operations. A detailed description of your proposed services, business model, revenue model, target client segments, marketing approach, and geographic scope. This is not a marketing document — it is a regulatory submission that must be precise, internally consistent, and aligned with every other element of the application. Inconsistencies between the programme of operations and other application components are a common RFI trigger.

Three-year business plan. Financial projections for years one through three, including: revenue model and assumptions, projected transaction volumes, operating cost base, staffing plan, and capital adequacy projections. The business plan must demonstrate that the entity is financially viable and will maintain regulatory capital throughout the projection period.

Organisational structure. Documented organisational chart showing reporting lines, key function holders (CEO, CFO, MLRO, compliance officer, CTO), governance committees, and the relationship between the Cyprus entity and any group structure. Where the applicant is part of a wider group, the group structure must be described and CySEC must understand where decision-making authority sits.

IT systems and cybersecurity documentation. For all CASPs, and particularly for exchange and custody applicants, CySEC expects:

• System architecture documentation — describing the core technology stack, custody architecture (for custodians), matching engine (for exchanges), and API/integration points
• Cybersecurity policy — covering access controls, encryption standards, vulnerability management, and incident response
• Penetration testing records — evidence of recent external penetration testing of production or pre-production systems
• Business continuity plan (BCP) — covering failure scenarios, recovery time objectives, and backup systems
• Disaster recovery plan (DRP) — testing records and recovery procedures

Client asset protection. For custody CASPs, detailed documentation of client asset segregation arrangements — including the legal basis for segregation, wallet architecture (hot/cold/warm split), key management procedures, and a legal opinion confirming that client assets are protected in the event of the CASP’s insolvency.

Complaints handling procedure. A documented procedure meeting MiCA’s requirements, with a named responsible officer, escalation paths, and response timeframes.

Conflicts of interest policy. A written policy identifying potential conflicts inherent to the business model — particularly relevant for firms combining proprietary trading, market-making, or own-account activities with client-facing services.

Outsourcing arrangements. Where material functions are outsourced — including cloud infrastructure, payment processing, compliance support — a documented outsourcing policy and individual outsourcing agreements demonstrating that oversight, audit rights, and termination provisions are in place.

Step 6 — Secure Your Capital

Capital must be in place — not merely committed — at the point of authorisation. CySEC will verify that the required minimum own funds are held in qualifying form before issuing the authorisation decision.

Qualifying forms of capital under MiCA include: paid-up share capital, retained earnings, and other qualifying own funds instruments as specified. Capital cannot be held in client funds — segregation of own and client funds is a regulatory requirement, not a matter of accounting preference.

For new entities — where there are no retained earnings — the minimum capital is typically provided through paid-up share capital on incorporation or through a shareholder capital injection timed to the application process. The capital must be evidenced through:

• Audited accounts or, for newly incorporated entities, management accounts and bank statements confirming capital position
• Confirmation that capital is held in the entity’s own accounts (not in a parent or related party account)
• Where capital is sourced from a shareholder injection, source of funds documentation for the injection

The fixed overhead requirement under MiCA Article 67(3) — requiring CASPs to hold own funds of at least one quarter of the preceding year’s fixed overheads where this exceeds the minimum threshold — becomes relevant once the CASP has been operational for a full year. At initial authorisation, the minimum capital thresholds apply, but CySEC may ask applicants to demonstrate that their business plan projections support ongoing capital adequacy as overheads grow.

For firms seeking Class 3 authorisation (custody or trading platform) with the €150,000 minimum, the capital requirement itself is not the primary constraint for most serious applicants. The constraint is demonstrating that the capital position will be sustained alongside the operational cost base projected in the business plan.

Step 7 — Pre-Application Engagement with CySEC

Before submitting a formal application, experienced CASP applicants engage CySEC’s authorisation team informally to: confirm the regulatory scope of their proposed services, clarify any jurisdiction-specific expectations that may not be immediately apparent from published guidance, and surface any structural concerns before significant application preparation costs are committed.

CySEC does facilitate pre-application meetings for CASP applicants, though these are not mandatory and are not always granted. The value of a pre-application meeting is primarily in confirming that your application strategy — your proposed service scope, management body structure, and governance approach — is aligned with CySEC’s current expectations.

Pre-application meetings are not, however, an opportunity to seek informal approval for an underprepared proposal. CySEC reviewers will not pre-approve elements of your application — they will clarify scope and process questions. Applicants who enter these meetings with a well-developed application strategy get significantly more value from the engagement than those seeking to test whether a shortcut is acceptable.

If a pre-application meeting is not granted, the alternative is a thorough review of CySEC’s published application guidance, MiCA’s directly applicable requirements, and any relevant ESMA technical standards and guidelines — of which there are now a significant number covering conduct, disclosure, and operational requirements for CASPs.

Step 8 — Compile and Submit the Application Pack

The formal application is submitted through CySEC’s electronic portal. The application pack comprises the documents prepared across Steps 1–6, assembled into a structured submission aligned with CySEC’s prescribed application format.

The core components of the CASP application pack are:

Company and corporate documents

• Certificate of incorporation
• Memorandum and Articles of Association
• Certificate of registered office
• Register of directors and shareholders
• Corporate structure chart (including group structure where applicable)
• Beneficial ownership declaration

Management body documents (per director and qualifying shareholder)

• Detailed CV (minimum 10 years)
• Criminal record certificate (apostilled where required)
• CySEC Personal Questionnaire
• Declaration of regulatory history
• Declaration of financial standing
• Proof of identity and address

Regulatory and business documents

• Programme of operations
• Three-year business plan and financial projections
• Organisational chart with reporting lines
• Description of governance arrangements and committees

AML/CFT programme documents

• Business-wide risk assessment
• AML/CFT policies and procedures manual
• MLRO designation letter and CV
• Travel Rule compliance framework
• Sanctions screening policy
• On-chain analytics documentation (where applicable)

Technical and operational documents

• IT system architecture documentation
• Cybersecurity policy
• Penetration testing records
• Business continuity and disaster recovery plans
• Outsourcing register and material outsourcing agreements
• Client asset segregation documentation (for custody CASPs)
• Legal opinions (where applicable)

Capital documentation

• Audited accounts or management accounts confirming capital position
• Bank statements evidencing capital held
• Source of funds documentation for shareholder capital injections

Insurance

• Professional indemnity insurance evidence (for advisory and portfolio management CASPs per MiCA Article 70)
• Details of any comparable client protection arrangements for other service categories

The application must be submitted in English (or Greek). All foreign-language documents must be accompanied by certified translations. Documents requiring apostille — criminal record certificates, foreign corporate documents — must be apostilled before submission.

CySEC conducts an initial completeness check after submission. Incomplete applications are returned without substantive review — a setback that can cost four to eight weeks. Pre-submission review of the application pack against CySEC’s published checklist is a worthwhile final step before formal submission.

Step 9 — Managing the Substantive Review and RFIs

Once CySEC confirms completeness, the substantive review begins. The 40 working day statutory decision clock starts from the completeness confirmation date. During this period, CySEC’s authorisation division conducts a detailed assessment of every component of your application.

The primary dynamic to manage during substantive review is the Request for Information (RFI) process. When CySEC requires clarification or additional documentation on any aspect of the application, it issues a written RFI. The 40 working day clock pauses from the date of the RFI until the date CySEC receives a complete response. This pause mechanism means that the total elapsed time from submission to decision is a function of both CySEC’s processing speed and the number and complexity of RFIs generated.

Effective RFI management involves three disciplines:

Respond completely. A partial response to an RFI that requires a follow-up RFI is the most common source of extended timelines. Each RFI response should be treated as a mini-application component — complete, internally consistent, and cross-referenced to existing application documents where relevant. Before submitting any RFI response, review it against the original question to confirm every point has been addressed.

Respond promptly. CySEC does not publish a strict deadline for RFI responses, but prolonged response times signal to the regulator that the applicant lacks the organisational capacity to manage regulatory engagement — not the impression you want to create. Target responses within 10 to 15 working days of receipt for standard RFIs, and communicate proactively if additional time is needed for complex queries.

Anticipate RFI themes. Based on the known patterns of CASP application assessments, the highest-frequency RFI areas are: AML programme specificity (particularly the BWRA), management body competency gaps, IT/cybersecurity documentation (particularly for exchange and custody applicants), and business plan financial assumptions. Pre-empting these areas with proactive depth in the initial application is the most effective RFI reduction strategy.

If CySEC issues a Minded to Refuse notice — signalling that it is considering refusing the application — applicants have a right of response before the final decision. This is a serious escalation and typically requires engagement with legal counsel alongside compliance advisory support. The right of response window is an opportunity to address CySEC’s concerns directly, but it is a significantly harder position to recover from than addressing weaknesses earlier in the process.

Step 10 — Authorisation Decision and Post-Authorisation Steps

CySEC’s decision takes one of three forms:

Authorisation. Full authorisation for the requested service scope. The CASP may commence operations for the authorised services.

Authorisation with conditions. Authorisation granted subject to specific conditions — typically requiring the CASP to remediate identified weaknesses within a specified period before commencing certain services, or to report specific matters to CySEC within a defined timeframe. Conditions are common for first-time applicants with certain governance or operational gaps that CySEC deems manageable post-authorisation.

Refusal. Application refused. CySEC provides written reasons. Applicants have appeal rights under Cyprus administrative law, though appeal processes are lengthy and the preferable path is generally to address the identified deficiencies and reapply.

Upon receiving authorisation, several immediate post-authorisation steps are required:

CySEC register notification. CySEC publishes an updated register of authorised CASPs. Verify that your entry on the register is accurate — including the services listed — and notify CySEC of any discrepancies.

MLRO and compliance officer activation. Ensure that MLRO and compliance officer appointments are formally active, with CySEC notification confirmed for the MLRO.

Passporting notifications. If you intend to provide services in other EU member states on a cross-border basis, submit passporting notifications to CySEC for each target member state before commencing services in those markets.

Operational readiness. Activate AML/CFT programme controls — transaction monitoring systems, CDD procedures, sanctions screening — before onboarding the first client. CySEC expects that the programme described in your application is operational from day one of client-facing activity.

Regulatory reporting calendar. Establish your internal calendar for CySEC periodic reporting obligations, ensuring the systems and processes are in place to produce accurate returns on schedule.

For ongoing compliance support post-authorisation, ComplyFactor’s AML audit services, fractional MLRO, and AML training programmes provide the operational compliance infrastructure that CySEC-authorised CASPs need to maintain regulatory standing.

Realistic Timelines: What to Expect at Each Stage

The following timeline is based on a well-prepared applicant with no significant fit and proper issues, adequate capital, and a genuine AML programme. Poorly prepared applicants should add three to six months across the preparation and review phases.

Phase	Activities	Realistic Duration
Pre-application preparation	Entity setup, management body assembly, AML programme development, documentation preparation	3–6 months
Pre-application CySEC engagement	Meeting request, engagement, any pre-submission clarifications	4–8 weeks (if pursued)
Application pack compilation	Document assembly, translation, apostille, pre-submission review	4–6 weeks
CySEC completeness check	CySEC initial review and completeness confirmation	4–8 weeks
Substantive review — first RFI cycle	CySEC assessment and first RFI (if any)	6–10 weeks
RFI response and subsequent review	Applicant response, CySEC further assessment	4–8 weeks per RFI round
Decision	CySEC authorisation decision	Per statutory 40 working day clock from completeness (MiCA Article 64)
Total (well-prepared applicant)		5–9 months from preparation start
Total (underprepared applicant)		10–18+ months

The MiCA statutory timeline — 40 working days from completeness confirmation — applies only to the decision phase. Preparation, submission, and completeness review are outside this clock. Total elapsed time from “we’ve decided to apply” to “we have our authorisation” ranges from approximately five months at the optimistic end for exceptionally well-prepared applicants to eighteen months or more for those who underinvest in preparation.

The Most Common Application Mistakes

Drawing on the patterns visible across the CySEC supervisory landscape and broader EU CASP authorisation experience, the following mistakes are the most persistent and most avoidable:

Treating the AML programme as a documentation exercise. The single most common and consequential mistake. An AML programme built to satisfy the application checklist rather than to actually manage risk is identifiable to an experienced regulator within minutes of review. It generates extensive RFI activity and, at worst, is grounds for refusal.

Underestimating management body documentation lead times. Criminal record certificates from some jurisdictions — particularly outside the EU — can take six to twelve weeks to obtain, must be apostilled, and may require certified translation. Starting this process late is the most common cause of preventable application delays.

Submitting with inadequate IT documentation. For exchange and custody applicants, IT system architecture documentation, cybersecurity policies, and penetration testing records are non-negotiable. Applications submitted without these, or with documentation that is clearly generic or incomplete, generate significant RFIs in the technical review.

Seeking an overly broad initial service scope. Applying for all ten MiCA service categories without the governance, systems, and capital to demonstrably support all ten simultaneously. A focused initial scope with a planned expansion path is strategically sounder and operationally more honest.

Inconsistencies between application components. The programme of operations, business plan, organisational chart, and AML programme must be internally consistent. Inconsistencies — different client volumes in the business plan versus the BWRA, different service descriptions in the programme of operations versus the AML policy — signal a hastily assembled application and generate avoidable RFIs.

Missing apostille requirements. Foreign corporate documents and criminal record certificates that require apostille and arrive without it will fail the completeness check. Cyprus is a party to the Hague Convention — apostilled documents from other Hague Convention countries are accepted without further legalisation, but the apostille itself must be present.

Leaving MLRO appointment to the last minute. CySEC requires a named, notified MLRO. Identifying, engaging, and onboarding an MLRO — and preparing their notification documentation — takes time. Applications that arrive at submission with the MLRO role unfilled or the notification documentation incomplete create an immediate gap.

For a comprehensive understanding of what CySEC’s ongoing AML supervisory expectations look like post-authorisation, ComplyFactor’s AML audit services and AML compliance officer roles guide provide the operational framework. Understanding where the bar is set post-authorisation helps calibrate how the initial programme needs to be built.

Frequently Asked Questions

Can we start the application before our Cyprus entity is fully incorporated?

No. CySEC’s application portal requires the Cyprus company registration number and entity details. Incorporation must be complete before formal application submission. However, application pack preparation — management body documentation, AML programme development, IT documentation — can and should proceed in parallel with incorporation to avoid sequential delays.

Do all directors need to be Cyprus residents?

Not all directors — but at least one executive director must be resident in Cyprus. Non-executive directors and supervisory board members may be based outside Cyprus, subject to demonstrating sufficient time commitment to the role and meeting fit and proper requirements.

What happens if a director fails the fit and proper assessment?

CySEC will typically issue an RFI requesting additional information or clarification on the concern identified. Where a director cannot satisfy the fit and proper requirements, the options are: provide additional evidence addressing the concern, replace the director before the application decision is made, or — in the most serious cases — face application refusal on grounds of management body suitability. Early identification of potential fit and proper issues through a pre-application internal review is strongly recommended.

Can we use a template AML programme?

Template AML programmes — even high-quality ones — are not acceptable as submitted. They can serve as a structural starting point, but every element of the programme must be tailored to your firm’s specific business model, client base, product suite, and geographic exposure. CySEC reviewers are experienced at identifying template-based programmes.

How does ComplyFactor support CASP applicants through this process?

ComplyFactor provides end-to-end CASP application support across all ten steps described in this article — including pre-application gap analysis, AML programme development from scratch, management body fit and proper preparation, application pack compilation, RFI management, and post-authorisation compliance infrastructure. Our team includes practitioners with direct CySEC regulatory experience and deep EU AML/CFT expertise. Contact us to discuss your application timeline and where you are in the preparation process.

What is the difference between a CySEC CASP licence and the pre-MiCA CASP registration?

The pre-MiCA CASP registration was Cyprus’s national registration regime for crypto-asset service providers under the amended AML law, established ahead of MiCA’s full application. It provided domestic permission to operate and was a precursor to the full MiCA authorisation regime. Entities registered under the pre-MiCA regime benefit from an 18-month transitional period (through June 2026) during which they can continue operating while pursuing full MiCA authorisation. New applicants today apply for MiCA-compliant CASP authorisation — a more demanding standard but one that provides EU-wide passporting rights.

How does the CASP application interact with other regulated activities — for example, if we are also seeking an EMI licence?

Where a CASP is also authorised as an e-money institution or credit institution, certain MiCA provisions allow notification rather than full authorisation for some crypto-asset services. This is a nuanced area under MiCA Articles 60-63 that requires specific legal analysis for your business model. ComplyFactor can advise on the optimal regulatory structure for firms with overlapping regulated activities.