CySEC CASP Capital Requirements: What Crypto Firms Need to Know

Capital requirements for CySEC-licensed CASPs are frequently approached as a compliance checkbox — identify the minimum threshold, put the money in the account, tick the box. This framing misses the regulatory and operational reality of how capital adequacy actually works under MiCA and how CySEC assesses it.

Capital requirements serve two distinct regulatory functions. First, they act as a filter — ensuring that only entities with genuine financial backing and skin in the game enter the regulated CASP population. Second, they act as a buffer — providing a financial cushion against operational losses, client claims, and the costs of an orderly wind-down if the business fails. CySEC assesses both functions when reviewing capital at application stage and monitoring it on an ongoing basis.

For applicants, the practical implication is that capital planning cannot begin and end with the minimum statutory threshold. CySEC will review your capital position in the context of your business plan — projected revenues, operating costs, transaction volumes, and growth trajectory — and assess whether your capital is adequate not just at the point of authorisation but throughout your first years of operation. A firm with €150,000 in capital and a business plan projecting €800,000 in year-one operating costs will face difficult questions from CySEC about capital adequacy and financial viability.

This article covers the capital requirements framework in full — from statutory minimums through to fixed overhead calculations, qualifying capital instruments, and the practical capital planning questions that matter for a successful CySEC application.

For the full CySEC CASP regulatory framework within which these capital requirements sit, see ComplyFactor’s CySEC CASP complete guide. For the step-by-step application process including how capital evidence is submitted, see ComplyFactor’s CySEC CASP application process guide.

The MiCA Capital Framework: How It Applies to CySEC CASPs

Capital requirements for CySEC-authorised CASPs are set directly by Regulation (EU) 2023/1114 (MiCA), principally under Article 67. Because MiCA is an EU regulation — applying directly in all member states without national transposition — the capital requirements are identical whether a CASP is authorised by CySEC in Cyprus, the AFM in the Netherlands, or the BaFin in Germany.

CySEC cannot impose lower capital requirements than MiCA sets, and cannot generally impose higher ones absent specific supervisory grounds. The practical differentiation between CySEC and other EU competent authorities on capital is therefore not in the statutory minimums but in how CySEC applies the fixed overhead requirement, how it assesses capital adequacy in the context of the business plan, and how it monitors ongoing capital maintenance.

MiCA’s capital framework for CASPs has three components:

Minimum own funds by service class. A flat minimum based on the services the CASP is authorised to provide, regardless of business size. This is the headline figure most applicants focus on.

Fixed overhead requirement. A dynamic requirement based on the CASP’s actual operating costs once it has been operational for a full year — requiring own funds of at least one quarter of the preceding year’s fixed overheads where this exceeds the statutory minimum. This is the component most frequently underestimated by applicants.

Supervisory capital add-ons. CySEC retains discretion under MiCA’s supervisory framework to require additional capital where it identifies specific risks — for example, unusual operational risk concentrations, client asset volume exposures, or cybersecurity risk profiles — that make the standard minimum inadequate.

The Three Capital Classes: Which Applies to You?

MiCA Article 67 organises crypto-asset services into three capital classes based on risk profile and systemic significance. The class a CASP falls into is determined by the services it is authorised to provide — not by its business size, revenue, or client count.

Class 1 — Minimum own funds: €50,000

Class 1 covers the lower-risk advisory and intermediary services:

• Providing advice on crypto-assets
• Reception and transmission of orders for crypto-assets on behalf of clients
• Providing transfer services for crypto-assets on behalf of clients

These services share a common characteristic: the CASP does not hold client assets, does not operate market infrastructure, and does not take principal positions. The risk profile is dominated by conduct risk, advice quality, and operational resilience rather than asset custody or market operation risk — hence the lower capital floor.

Class 2 — Minimum own funds: €125,000

Class 2 covers execution and exchange services:

• Execution of orders for crypto-assets on behalf of clients
• Exchange of crypto-assets for funds (fiat on/off ramp)
• Exchange of crypto-assets for other crypto-assets
• Placing of crypto-assets

These services involve the CASP actively executing transactions in the market — handling client funds momentarily during exchange, executing orders against liquidity providers, or facilitating primary issuances. The risk profile includes settlement risk, counterparty risk, and operational exposure that warrants a higher capital buffer than pure advisory services.

Class 3 — Minimum own funds: €150,000

Class 3 covers the highest-risk service categories:

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets

Custody involves holding client assets — creating direct exposure to operational risk, cybersecurity risk, and potential client loss events. Trading platform operation involves running market infrastructure — creating systemic risk exposure and the potential for disorderly markets in the event of platform failure. The €150,000 minimum reflects these elevated risk profiles, though it should be noted that €150,000 is a genuinely modest figure relative to the operational risks of running an institutional-grade custody or exchange business. For larger operations, the fixed overhead requirement will typically produce a materially higher effective capital requirement.

The highest-class rule. Where a CASP is authorised to provide services spanning multiple classes, the highest applicable class determines the minimum. A firm providing advice (Class 1), exchange services (Class 2), and custody (Class 3) is a Class 3 entity with a €150,000 minimum — not the sum of all three thresholds.

Service-by-Service Capital Class Breakdown

The following table maps each MiCA-defined crypto-asset service to its capital class for quick reference:

Crypto-Asset Service	Capital Class	Minimum Own Funds
Advice on crypto-assets	Class 1	€50,000
Reception and transmission of orders	Class 1	€50,000
Transfer services for crypto-assets	Class 1	€50,000
Execution of orders on behalf of clients	Class 2	€125,000
Exchange of crypto-assets for funds	Class 2	€125,000
Exchange of crypto-assets for other crypto-assets	Class 2	€125,000
Placing of crypto-assets	Class 2	€125,000
Custody and administration of crypto-assets	Class 3	€150,000
Operation of a trading platform	Class 3	€150,000
Portfolio management of crypto-assets	Class 2	€125,000

Note: Portfolio management is not explicitly listed in the MiCA Article 67 class breakdown in the same direct manner as other services, but it is generally treated as a Class 2 service based on its risk profile and the MiCA framework. CySEC should be consulted for confirmation in specific cases.

The Fixed Overhead Requirement: When the Minimum Is Not Enough

The statutory minimums — €50,000, €125,000, €150,000 — represent the floor, not the ceiling. For any CASP that has been operational for more than twelve months, the fixed overhead requirement under MiCA Article 67(3) may produce a substantially higher effective capital requirement.

The mechanism. Under MiCA Article 67(3), a CASP must hold own funds of at least one quarter of its fixed overheads from the preceding year, where this amount exceeds the applicable statutory minimum. Fixed overheads are calculated from the firm’s total annual operating expenses minus certain variable and one-off items.

What counts as fixed overheads? Fixed overheads for this purpose typically include: staff costs (salaries, social charges, benefits), office and premises costs, technology and systems costs, professional services costs (legal, audit, compliance), regulatory fees, insurance premiums, and marketing and distribution costs to the extent they are contractually committed. Variable costs tied directly to revenue volume — such as transaction-dependent fees — may be excluded from the fixed overhead base.

Worked example. A CASP operating a crypto exchange (Class 2, €125,000 minimum) with annual fixed overheads of €2,000,000:

• Fixed overhead requirement: €2,000,000 ÷ 4 = €500,000
• Statutory minimum: €125,000
• Effective capital requirement: €500,000 (the higher figure applies)

In this scenario, the statutory minimum is irrelevant — the firm must hold €500,000 in qualifying own funds to meet its MiCA capital obligation. For a custody business (Class 3, €150,000 minimum) with annual fixed overheads of €3,000,000, the effective requirement becomes €750,000.

First-year applicants. For newly incorporated entities applying for CASP authorisation, there is no preceding year of fixed overheads from which to calculate the overhead requirement. The statutory minimum applies at authorisation. However, CySEC will review the business plan’s projected cost base and assess whether the capital at authorisation is adequate relative to projected overheads in years one and two. A firm with €150,000 at authorisation but projecting €2,000,000 in year-one operating costs will face CySEC questions about capital adequacy before the overhead requirement formally kicks in.

Planning implication. Capital planning for a CASP application should not stop at the statutory minimum. Build a three-year projection of fixed overheads alongside your business plan, calculate the overhead requirement for each year, and ensure your capital structure supports the projected effective requirement — not just the current minimum. This is precisely what CySEC’s business plan review will assess.

Qualifying Forms of Capital

Not all money counts as regulatory capital under MiCA. The own funds that satisfy the capital requirement must be held in qualifying instruments — CySEC will verify the form, not just the amount, of capital at the authorisation stage and on an ongoing basis.

MiCA’s own funds requirements draw on the broader EU prudential framework. For CASPs, qualifying own funds instruments include:

Common Equity Tier 1 (CET1) instruments. The highest quality capital — fully paid-up ordinary shares, retained earnings, other comprehensive income, and general reserves. For most CASP applicants, paid-up share capital is the primary CET1 instrument at initial authorisation.

Additional Tier 1 (AT1) instruments. Perpetual, subordinated instruments with loss-absorption features. These are rarely relevant for early-stage CASP applicants but become relevant for larger, more complex operations.

Tier 2 instruments. Subordinated debt and similar instruments with a minimum five-year maturity. Again, more relevant for larger operations than typical initial applicants.

For the vast majority of CySEC CASP applicants — particularly at initial authorisation — the practical answer to “what qualifies?” is: fully paid-up share capital and retained earnings. These are the instruments CySEC will look for, and the instruments most readily evidenced through bank statements and corporate accounts.

Key requirements for qualifying capital:

• Fully paid up. Capital must be actually received by the entity — not merely subscribed or committed. Calls on unpaid share capital do not satisfy the requirement.
• Freely available. Capital must be freely available to absorb losses — not encumbered, pledged as security, or tied up in illiquid assets.
• Held by the entity. Capital must be held in the entity’s own accounts — not in a parent company account, a shareholder’s personal account, or a group treasury account.
• Not client funds. Client funds must be segregated from own funds. Capital held in accounts commingled with client money does not qualify.

What Does Not Count as Regulatory Capital

The following are commonly misunderstood as qualifying capital contributions — they do not:

Unsecured shareholder loans. A loan from a shareholder is a liability, not equity. It does not qualify as own funds regardless of the relationship between the lender and the entity. If a shareholder wishes to contribute capital, the mechanism must be a share capital injection or qualifying subordinated debt instrument — not a loan.

Director guarantees or letters of comfort. Personal guarantees from directors or comfort letters from parent companies are not own funds. They provide comfort about the intent to support the entity but do not constitute capital for regulatory purposes.

Committed but uncalled capital. Share capital that has been authorised and subscribed but not yet called and paid does not count. The capital must be in the entity’s bank account.

Revenue projections. Future projected revenues are not capital. CySEC assesses the capital position at the point of assessment — not what the firm expects to earn.

Crypto-asset holdings (generally). Crypto-asset holdings on the firm’s own account are generally not qualifying own funds instruments for MiCA capital purposes — they are assets with volatile valuations and no recognised Tier classification under the prudential framework. This is a common source of confusion for crypto-native founders.

Intercompany receivables. A receivable from a group company is not own funds. Intercompany balances — even where fully expected to be received — are assets subject to counterparty risk and do not qualify as capital.

Capital Planning for New Entities

For entities newly incorporating in Cyprus for the purpose of obtaining a CASP licence, capital planning follows a structured sequence:

Step 1: Determine your capital class. Based on your finalised service scope (see ComplyFactor’s CySEC CASP application process guide), identify your capital class and statutory minimum. If your service scope spans multiple classes, the highest applies.

Step 2: Model your fixed overhead trajectory. Build a three-year operating cost projection covering all fixed cost lines — staff, technology, premises, professional services, regulatory, insurance. Calculate 25% of year-one and year-two projected fixed overheads. Where this figure exceeds the statutory minimum, it is your effective capital target for that year.

Step 3: Stress test your capital position. Apply a reasonable stress scenario — for example, revenues are 30% below projection in year one, and onboarding takes six months longer than planned. Does your capital position remain above the effective requirement under stress? If not, consider a higher initial capital injection or a shareholder commitment mechanism.

Step 4: Structure your capital injection. Determine the timing, mechanism, and source of the capital injection. For paid-up share capital, the shares must be issued and the subscription price received in the entity’s bank account before the capital evidence is submitted to CySEC. Source of funds documentation for the injection — particularly for larger amounts — will be required by CySEC and by the entity’s bank.

Step 5: Maintain documentary evidence. Capital evidence for the application pack typically comprises: management accounts or audited accounts showing the capital position, bank statements confirming the balance, and share register and allotment resolution confirming the share issuance. Ensure these documents are consistent and current at the time of submission.

Step 6: Plan for the overhead requirement trigger. From month 13 of operation, the fixed overhead requirement becomes operational. Ensure your internal capital monitoring framework flags when the overhead-based requirement begins to exceed the statutory minimum, and that the management body receives regular capital adequacy reporting.

Ongoing Capital Maintenance Obligations

Authorisation does not make capital a one-time consideration. CySEC expects CASPs to maintain the required own funds on a continuous basis and has specific obligations around monitoring and breach notification.

Continuous maintenance. The capital requirement must be met at all times — not just at month-end or at the point of annual reporting. CySEC’s supervisory framework allows it to assess capital adequacy at any point, and a CASP operating below its required capital level at any moment is in breach of its regulatory obligations, regardless of whether it is technically above requirement on a quarterly average basis.

Monitoring and internal reporting. CaSPs must establish internal capital monitoring processes — typically a monthly or more frequent capital adequacy calculation, reviewed by the CFO and MLRO, and reported to the management body at each board meeting. The management body is responsible for oversight of capital adequacy under MiCA’s governance requirements.

Breach notification. Where a CASP’s own funds fall below the required level — whether the statutory minimum or the overhead-based requirement — it must notify CySEC without undue delay. CySEC will typically require a capital recovery plan setting out how the shortfall will be remedied and the timeframe for restoration. Failure to notify a capital breach is a standalone regulatory violation, separate from the breach itself.

Recovery planning. CySEC may require CASPs to maintain documented capital recovery plans — describing the mechanisms available to the entity to restore capital in the event of a shortfall, including shareholder injection commitments, asset realisation strategies, and cost reduction measures.

Regulatory reporting. CySEC’s periodic regulatory reporting requirements for CASPs include capital adequacy returns. The frequency and format of these returns are specified in CySEC’s reporting guidance — firms must ensure their financial systems can produce the required data accurately and on schedule.

For firms that need support maintaining the compliance infrastructure required for ongoing capital adequacy monitoring, ComplyFactor’s AML advisory services and global MLRO services include regulatory reporting support as part of broader compliance programme management.

Capital and the Business Plan: What CySEC Looks For

CySEC does not assess capital in isolation — it assesses it in the context of your business plan. Understanding what CySEC’s reviewers are looking for when they review capital alongside the business plan is essential for presenting a credible application.

Viability assessment. CySEC will assess whether the entity is financially viable — whether its projected revenue model is credible, its cost assumptions are realistic, and its capital position is adequate to fund the path to profitability without requiring emergency capital injections. An entity with €150,000 in capital and a three-year path to profitability that requires €2,000,000 in cumulative operating losses will face significant CySEC scrutiny.

Revenue assumption credibility. CySEC reviewers are experienced with crypto business models and will assess whether revenue assumptions are realistic relative to the proposed client acquisition strategy, target market, and competitive environment. Aggressive revenue assumptions without credible supporting analysis are a common weakness in business plans reviewed at CySEC.

Capital adequacy through the projection period. CySEC will calculate whether capital adequacy is maintained throughout the projection period — including at the point where the fixed overhead requirement triggers (typically year two) and under the stress scenarios embedded in prudent planning.

Shareholder support. Where the business plan projects losses in the early years — as many CASP startups do — CySEC will want comfort that shareholders are committed to providing additional capital if required. A shareholder resolution committing to additional capital injections if needed, or a formal shareholder support letter, can strengthen the capital adequacy narrative for loss-making early-stage entities.

Group support. For CASP entities that are part of a wider group, CySEC will assess the group’s financial strength and the structural ability of the group to provide capital support to the Cyprus entity. Group capital support that is structurally blocked by upstream holding structures — for example, where the parent’s assets are illiquid or encumbered — provides limited comfort.

How CySEC CASP Capital Compares to Other Jurisdictions

Understanding where MiCA’s CASP capital requirements sit relative to other jurisdictions is useful for firms evaluating licensing strategy and for those holding multiple licences.

Jurisdiction / Regime	Licence Type	Approximate Capital Requirement
CySEC / MiCA (Cyprus)	CASP — Class 1	€50,000
CySEC / MiCA (Cyprus)	CASP — Class 2	€125,000
CySEC / MiCA (Cyprus)	CASP — Class 3	€150,000
FCA (UK)	Crypto MLR registration	No standalone requirement (current regime)
VARA (Dubai)	Exchange / Custody	~€1,000,000 (AED 4,000,000, indicative)
VARA (Dubai)	Advisory	~€125,000 (AED 500,000, indicative)
ADGM FSRA (Abu Dhabi)	VA licence	Varies materially by licence category and activity — see ADGM published requirements
MAS (Singapore)	DPT licence	SGD 250,000 (~€175,000)

MiCA’s capital requirements are deliberately set at modest levels relative to most comparable international regimes — reflecting the EU’s policy choice to calibrate initial requirements to allow market entry while relying on the overhead requirement to scale capital with business growth. VARA’s materially higher capital thresholds reflect a different regulatory positioning philosophy, as discussed in ComplyFactor’s CySEC CASP vs FCA vs VARA comparison.

For firms operating across multiple jurisdictions — holding both CySEC CASP and VARA authorisation, for example — capital requirements must be met independently in each regulatory entity. There is no capital fungibility between regulatory jurisdictions; capital held in the Cyprus entity does not satisfy VARA’s requirements for the Dubai entity.

Common Capital Structuring Mistakes

The following capital structuring errors are the most frequent across CASP applications and ongoing compliance:

Leaving the capital in the parent or shareholder account. Capital must be held by the Cyprus entity in its own accounts. Capital sitting in a parent company account or a founder’s personal account — even with a written commitment to transfer — does not qualify at application stage.

Mixing client funds with own funds. Client funds must be segregated. Capital adequacy calculations that inadvertently include client balances overstate the entity’s own funds position and will be caught by CySEC’s review. Establish segregated accounts for client funds from day one of operations.

Treating the statutory minimum as the target. For any firm with meaningful operating costs, the fixed overhead requirement will produce a higher effective requirement within the first full year of operation. Targeting only the statutory minimum at authorisation creates a predictable capital gap at month 13.

Funding capital with a shareholder loan. A shareholder loan is not equity. It does not qualify as own funds. If the shareholder wants to contribute capital, the mechanism must be a share issuance at the contribution amount — not a loan that the company simultaneously records as a liability.

Failing to notify CySEC of a capital breach. Capital falls below requirement — perhaps due to an operational loss, a cost overrun, or a timing gap between cash outflows and the next shareholder injection. The obligation to notify CySEC is triggered immediately upon identification of the breach — not at the next reporting date. Delayed notification is a separate regulatory failing from the breach itself and typically results in more severe supervisory consequences.

Assuming crypto treasury counts as regulatory capital. The firm’s holdings of Bitcoin, Ethereum, or stablecoins on own account are not qualifying own funds instruments. If the firm wishes to use treasury assets to support its capital position, they must first be converted to fiat and contributed as qualifying equity — at which point they are no longer crypto-assets.

For a broader view of the compliance obligations that run alongside capital requirements — including AML programme management, MLRO obligations, and independent audit — see ComplyFactor’s complete AML programme blueprint and AML audit services.

Frequently Asked Questions

What is the minimum capital required for a CySEC CASP licence?

It depends on your service scope. Under MiCA Article 67, the minimum own funds requirement is €50,000 for Class 1 services (advice, order reception/transmission, transfer services), €125,000 for Class 2 services (execution, exchange, placing), and €150,000 for Class 3 services (custody and trading platform operation). Where your authorisation spans multiple classes, the highest threshold applies. Note that once operational for a full year, the fixed overhead requirement under MiCA Article 67(3) — one quarter of preceding year fixed overheads — may produce a materially higher effective requirement.

Can the capital be in cryptocurrency rather than fiat currency?

No. Qualifying own funds under MiCA must be in recognised own funds instruments — primarily paid-up share capital and retained earnings denominated in fiat currency. Crypto-asset holdings on the firm’s own account are not qualifying own funds instruments and do not satisfy the capital requirement.

Does the capital have to remain locked in a specific account?

The capital must be held in the entity’s own accounts and must be freely available to absorb losses. It does not need to be held in a dedicated locked or ring-fenced account (distinct from the client asset segregation requirement for client funds). However, it must not be pledged, encumbered, or otherwise unavailable to the entity on demand.

What happens if our capital falls below the required minimum after authorisation?

A capital shortfall must be notified to CySEC without undue delay. CySEC will typically require a capital recovery plan — a documented plan for how and when the shortfall will be remedied. Operating below the required capital level without notifying CySEC is a regulatory breach that may result in supervisory sanctions, including in severe cases suspension or revocation of the CASP authorisation.

How does CySEC verify capital at application stage?

CySEC requires documentary evidence of the capital position as part of the application pack — typically management accounts or audited accounts, bank statements confirming the balance held in the entity’s accounts, and corporate documents confirming the share issuance. Where capital is sourced from a shareholder injection, source of funds documentation for the injection will be required.

Does CySEC require a capital adequacy model to be submitted with the application?

Not as a formal prescribed document, but effectively yes — the three-year business plan must demonstrate that capital adequacy is maintained throughout the projection period, which requires modelling the interaction between projected overheads and the fixed overhead requirement. CySEC reviewers will conduct this calculation themselves; submitting a proactive capital adequacy analysis alongside the business plan demonstrates preparation and pre-empts RFIs.

How does ComplyFactor help with capital planning and the application?

ComplyFactor supports CASP applicants with capital planning — including fixed overhead modelling, capital adequacy stress testing, and the preparation of the business plan and financial projections submitted to CySEC. We also support the broader application across AML programme development, management body documentation, and application pack compilation. Contact us to discuss your specific situation.