CySEC CASP Licence: The Complete Guide to Crypto-Asset Service Provider Authorisation in Cyprus

Why Cyprus for Your CASP Licence?

Cyprus occupies a strategically singular position in the European crypto-asset regulatory landscape. As a full EU member state, a CySEC-authorised CASP licence grants access to the EU single market through MiCA passporting — the mechanism under Regulation (EU) 2023/1114 that allows crypto-asset service providers authorised in one member state to offer services throughout the bloc.

Beyond the passporting value, Cyprus brings a number of structural advantages that have made it the jurisdiction of choice for hundreds of investment firms, fintechs, and now crypto-asset businesses seeking a credible EU regulatory home:

• Established regulatory infrastructure. CySEC has been regulating investment firms under MiFID II since 2004. Its supervisory processes are well-documented, its application pipelines are established, and its regulatory engagement culture — while increasingly rigorous — is navigable for well-prepared applicants.
• Tax efficiency. Cyprus offers one of the EU’s lowest corporate tax rates at 12.5%, alongside an extensive double tax treaty network, making it attractive for holding and operating structures simultaneously.
• Cost competitiveness. Compared to Luxembourg, Ireland, or the Netherlands, operational costs in Cyprus — legal, compliance staffing, office — remain competitive without sacrificing EU regulatory standing.
• MiCA transition pathway. CySEC moved early to establish a CASP registration regime ahead of MiCA’s full application, creating a population of registered and licensed entities that benefit from transitional provisions under MiCA.
• English-language regulatory environment. CySEC publishes guidance, circulars, and application requirements in English, reducing friction for international applicants.

For crypto-asset firms evaluating EU licensing options, Cyprus sits alongside Lithuania and the Netherlands as a tier-one jurisdiction — and for firms prioritising operational presence over pure passporting, it frequently wins outright.

The global regulatory environment for crypto-assets is tightening considerably. FATF’s 2026 offshore VASP risk report — analysed in ComplyFactor’s guide to FATF’s oVASP risk framework — makes clear that unregulated or lightly supervised crypto operations face growing correspondent banking pressure, deplatforming risk, and enforcement exposure. A CySEC CASP licence is increasingly not optional for firms with genuine EU client exposure.

What Is a CySEC CASP Licence?

A CySEC CASP licence is a formal authorisation issued by the Cyprus Securities and Exchange Commission permitting a legal entity to provide crypto-asset services within the meaning of the Cyprus Law on the Prevention and Suppression of Money Laundering and Terrorist Financing (Law 188(I)/2007, as amended) and, from 30 December 2024, under the Markets in Crypto-Assets Regulation (MiCA).

The CASP regime in Cyprus evolved through two distinct phases:

Phase 1 — Pre-MiCA Registration (2021–2024). CySEC established a national CASP registration regime under amendments to the AML law, creating a register of entities permitted to provide crypto-asset services in Cyprus. Registration required AML/CFT programme approval, fit and proper assessments, and basic organisational requirements. This regime served as the pre-MiCA supervisory framework.

Phase 2 — MiCA Full Authorisation (from 30 December 2024). With MiCA fully applicable from 30 December 2024, the CASP authorisation regime transitioned. New applicants now apply for MiCA-compliant CASP authorisation under CySEC’s framework implementing Regulation (EU) 2023/1114. Entities registered under the pre-MiCA regime benefit from an 18-month transitional period running through June 2026 — Cyprus exercised its member state discretion under MiCA Article 143(3) to adopt the full 18-month window, during which registered entities may continue operating while seeking full MiCA authorisation.

The distinction matters practically: firms applying today are applying for MiCA-aligned CASP authorisation, not the legacy registration. The requirements are materially more demanding — higher capital thresholds, more detailed governance requirements, and comprehensive conduct obligations — but the output is a licence that provides EU-wide passporting rights, not merely domestic permission.

CySEC CASP vs MiCA: How They Interact

MiCA is an EU regulation — it applies directly in all member states without national transposition. CySEC’s role is therefore not to create a parallel regime but to function as the competent authority responsible for authorisation, supervision, and enforcement of MiCA obligations within Cyprus.

This means:

• The substantive requirements for CASP authorisation — capital, governance, conduct, disclosure — are set by MiCA and are identical regardless of which EU member state you apply in.
• CySEC adds national-layer requirements primarily in the AML/CFT space, where member states retain competence under the EU’s AML directives and national AML law.
• CySEC’s application process, processing timelines, supervisory culture, and practical expectations are Cyprus-specific and represent the primary area where choosing Cyprus over another member state creates differentiation.

For a detailed breakdown of MiCA’s overarching framework, ComplyFactor’s MiCA Regulation Guide 2026 covers the full regulation comprehensively. This article focuses specifically on CySEC’s implementation — what Cyprus adds, how its application process works, and what firms need to know beyond the MiCA baseline.

Who Needs a CySEC CASP Licence?

Any legal entity incorporated in Cyprus — or wishing to use Cyprus as its EU home member state for MiCA passporting purposes — that provides one or more crypto-asset services as defined under Article 3(1)(16) of MiCA must obtain CySEC CASP authorisation.

The crypto-asset services defined under MiCA that trigger the licensing obligation are:

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets
• Exchange of crypto-assets for funds (fiat on/off ramp)
• Exchange of crypto-assets for other crypto-assets
• Execution of orders for crypto-assets on behalf of clients
• Placing of crypto-assets
• Reception and transmission of orders for crypto-assets on behalf of clients
• Providing advice on crypto-assets
• Providing portfolio management of crypto-assets
• Providing transfer services for crypto-assets on behalf of clients

Importantly, the obligation attaches to the provision of these services to clients — not merely to the underlying technology. A firm operating a non-custodial DEX protocol may fall outside scope; a firm operating a centralised exchange or custody wallet for retail or institutional clients sits squarely within it.

Firms already regulated under other EU financial services frameworks — CIFs, EMIs, credit institutions — may provide certain crypto-asset services under a notification procedure rather than full CASP authorisation, subject to conditions under MiCA Articles 60-63. This is a nuanced area that warrants specific legal advice.

CASP Licence Categories and Permitted Services

Unlike the CIF regime which has distinct licence categories (e.g., Category 1, 2, 3), MiCA does not create tiered CASP licence categories in the same structural sense. Instead, a CASP’s permitted services are defined by the specific services listed in its authorisation.

A firm may apply for authorisation to provide one, several, or all of the services listed above. CySEC’s application process requires firms to specify the services sought and demonstrate that their governance, systems, controls, and capital adequately support each service.

In practice, applicants typically fall into recognisable business model clusters:

Business Model	Core Services Typically Sought
Crypto exchange (CEX)	Exchange for funds, exchange for crypto, trading platform operation, order execution
Custody provider	Custody and administration
Crypto broker	Reception/transmission of orders, execution of orders
Crypto advisory / portfolio mgmt	Advice, portfolio management
Payment / transfer layer	Transfer services for crypto-assets
Full-service platform	Multiple or all services

The services authorised determine the applicable capital requirement tier, the conduct obligations that apply, and the scope of passporting notifications required when expanding into other EU member states.

Capital Requirements for CySEC CASPs

MiCA Article 67 establishes three tiers of minimum capital requirements based on the services a CASP is authorised to provide:

Class 1 — €50,000 minimum own funds Applies to CASPs providing: advice on crypto-assets; reception and transmission of orders; and transfer services for crypto-assets on behalf of clients.

Class 2 — €125,000 minimum own funds Applies to CASPs providing: execution of orders on behalf of clients; placing of crypto-assets; and exchange of crypto-assets for other crypto-assets or for funds.

Class 3 — €150,000 minimum own funds Applies to CASPs operating a trading platform or providing custody and administration of crypto-assets on behalf of clients.

Where a CASP is authorised to provide services spanning multiple classes, the highest applicable threshold applies.

In addition to these minimum own funds requirements, CySEC — following MiCA Article 67(3) — may require CASPs to hold additional capital based on a fixed overhead requirement equal to one quarter of the preceding year’s fixed overheads, if this exceeds the minimum own funds threshold. This is particularly relevant for larger or more complex operations.

Capital must be held in one of the qualifying forms specified under MiCA: paid-up share capital, retained earnings, or other qualifying instruments — not client funds, which must be segregated.

Fit and Proper Requirements

MiCA Article 68 requires that members of the management body of a CASP are of sufficiently good repute and possess sufficient knowledge, skills, and experience. CySEC applies these requirements rigorously and has historically been one of the stricter EU competent authorities on fit and proper assessments, carrying practices developed through years of CIF supervision.

For management body members (directors), CySEC assesses:

• Criminal record — absence of convictions for financial crime, fraud, dishonesty, or relevant regulatory offences
• Regulatory history — absence of prior regulatory sanctions, licence revocations, or adverse supervisory findings across all jurisdictions
• Financial history — no unresolved bankruptcies, insolvencies, or significant unpaid judgments
• Competence — relevant professional qualifications, experience in financial services, crypto-assets, or regulated industry
• Time commitment — ability to dedicate sufficient time to the role, with CySEC scrutinising directors holding excessive board positions

For qualifying shareholders (holding 10% or more of shares or voting rights):

• Source of funds for the acquisition
• Good repute assessment broadly equivalent to management body requirements
• No conflicts of interest likely to prejudice sound management

The management body must collectively demonstrate competence across the firm’s business model. For a CEX, this typically means the board should collectively cover crypto-asset operations, financial services regulation, risk management, and technology. Boards composed exclusively of founders without demonstrable regulated-industry experience are a recurring application weakness.

CySEC requires the appointment of a permanent, dedicated compliance officer with relevant AML/CFT and regulatory expertise — this role cannot be outsourced in its entirety, though firms may engage external compliance consultants to support the function. ComplyFactor’s fractional MLRO services are structured to support CySEC CASPs in meeting this requirement within practical budget constraints.

Organisational and Governance Requirements

MiCA Articles 68-76 set detailed organisational requirements for CASPs. CySEC’s application assessment focuses closely on whether these requirements are genuinely met — not merely documented.

Substance requirements. Cyprus requires that CASP applicants have genuine substance in Cyprus. This means a registered office in Cyprus, at least one executive director resident in Cyprus, and operational decision-making taking place in Cyprus. Shell structures where management and operations are entirely offshore with a Cyprus registration address will not pass CySEC’s substance assessment.

Systems and controls. CASPs must demonstrate robust IT systems, cybersecurity controls, and operational resilience. CySEC expects applicants to provide:

• Business continuity and disaster recovery plans
• IT security policies and penetration testing records
• Incident response procedures
• System architecture documentation for any exchange, custody, or trading platform

Client asset protection. For CASPs providing custody services, detailed client asset segregation arrangements are required — including legal opinions confirming that client assets are protected in the event of insolvency.

Complaints handling. A documented complaints handling procedure meeting MiCA’s requirements must be in place, with a named responsible officer.

Conflicts of interest. A written conflicts of interest policy identifying, managing, and disclosing conflicts — particularly relevant for firms combining proprietary trading with client services.

Insurance or comparable guarantee. Under MiCA Article 70, CASPs providing crypto-asset advice or portfolio management services must hold professional indemnity insurance or a comparable guarantee covering liabilities to clients. For other CASPs, equivalent client protection arrangements are expected by CySEC as a matter of supervisory good practice, and the adequacy of client protection measures is assessed during the authorisation review.

AML/CFT Obligations for CySEC CASPs

This is where CySEC’s national layer sits over and above MiCA. While MiCA sets the financial services framework, AML/CFT obligations for CySEC CASPs are governed by:

• The Prevention and Suppression of Money Laundering and Terrorist Financing Law (Law 188(I)/2007), the Cyprus AML statute implementing the EU’s AML directives
• CySEC AML circulars specifically addressing CASP AML/CFT expectations, published on an ongoing basis
• FATF Recommendation 15 and its interpretive note on virtual assets
• The forthcoming EU AML Regulation (AMLR) and establishment of the Anti-Money Laundering Authority (AMLA), which is expected to begin direct supervision of selected large CASPs from approximately 2027-2028 (subject to AMLA’s implementation timeline)

Core AML programme requirements for CySEC CASPs:

Business-wide risk assessment. CASPs must conduct and document a comprehensive risk assessment of their exposure to ML/TF risks, covering: client base, products and services, geographic exposure, delivery channels, and transaction typologies. The risk assessment must be reviewed at least annually and updated on material change.

Policies, procedures and controls. Documented AML/CFT policies covering: CDD/EDD, transaction monitoring, STR/SAR obligations, sanctions screening, record-keeping, training, and independent audit. These must be approved by the management body and reviewed regularly.

Customer Due Diligence. Full CDD on all clients — identity verification, beneficial ownership determination for corporate clients, source of funds/wealth for higher-risk clients. EDD triggers for PEPs, high-risk jurisdictions, unusual transaction patterns, and large or complex transactions.

Transaction monitoring. CASPs must implement automated transaction monitoring appropriate to the scale and complexity of their operations. Manual monitoring is not acceptable for firms with significant transaction volumes. On-chain analytics tools (Chainalysis, Elliptic, TRM Labs, or equivalent) are expected for crypto-native transaction screening.

Travel Rule compliance. CySEC CASPs are subject to the Travel Rule under the EU’s Transfer of Funds Regulation (TFR), which from 30 December 2024 applies to crypto-asset transfers. This requires originator and beneficiary information to travel with crypto-asset transfers above €0 (the EU adopted a zero-threshold approach). ComplyFactor’s Travel Rule compliance guide covers the practical implementation requirements.

MLRO appointment. CySEC requires designation of a Money Laundering Reporting Officer (MLRO) at management level, with direct access to the management body and sufficient authority and resources to perform the role. The MLRO must be CySEC-notified.

Training. Annual AML/CFT training for all relevant staff — documented, role-appropriate, and covering the firm’s specific risk profile. ComplyFactor’s AML training programmes are structured specifically for CASP and regulated entity staff.

Independent AML audit. CySEC expects CASPs to commission independent AML effectiveness reviews at appropriate intervals — not merely internal reviews. ComplyFactor’s AML audit services provide the independent assurance CySEC expects, delivered by practitioners with direct regulatory experience.

For a comprehensive understanding of VASP AML obligations more broadly, ComplyFactor’s Ultimate Guide to VASP Compliance provides the global framework context within which CySEC’s requirements sit.

The CASP Application Process: Step by Step

CySEC’s CASP authorisation process under MiCA follows a structured sequence. Understanding each stage — and what CySEC is actually looking for at each point — is critical for managing timelines and avoiding the back-and-forth that turns a 3-month process into a 12-month one.

Step 1: Pre-application engagement

Before submitting a formal application, experienced applicants engage CySEC informally to clarify the scope of authorisation sought and confirm any jurisdiction-specific expectations. CySEC does facilitate pre-application meetings for CASP applicants, though these are not mandatory. The value is in surfacing any structural or qualification concerns before significant application preparation costs are incurred.

Step 2: Corporate establishment

The applicant entity must be incorporated in Cyprus as a private company limited by shares under the Cyprus Companies Law, Cap. 113. The registered office must be in Cyprus and operational substance must be demonstrable. Nominee director structures are not acceptable for CASP purposes — CySEC requires genuine executive presence.

Step 3: Application pack preparation

The formal application to CySEC comprises an extensive documentation set. Based on CySEC’s published requirements and MiCA Article 62, the application pack includes:

• Application form (CySEC prescribed format)
• Programme of operations — detailed description of services, business model, target markets, revenue projections
• Business plan — financial projections for three years, staffing plan, technology architecture
• Governance arrangements — management body composition, organisational chart, reporting lines
• Fit and proper documentation — CVs, criminal record certificates, regulatory history declarations for all management body members and qualifying shareholders
• AML/CFT programme documentation — policies, procedures, risk assessment, MLRO notification
• Capital evidence — audited accounts or confirmation of paid-up capital
• IT and cybersecurity documentation — system architecture, security policies, BCP/DR
• Client asset protection arrangements (for custodians)
• Professional indemnity insurance evidence
• Legal opinions where applicable (client asset segregation, regulatory scope)

Step 4: Formal submission

Applications are submitted through CySEC’s electronic portal. CySEC acknowledges receipt and conducts an initial completeness check — incomplete applications are returned without substantive review.

Step 5: Substantive review

CySEC’s authorisation division conducts a substantive assessment. During this phase, CySEC will typically issue Requests for Information (RFIs) — written queries seeking clarification or additional documentation. The number and nature of RFIs is the primary variable affecting processing time. Well-prepared applications with minimal gaps generate few RFIs; poorly prepared applications can generate multiple rounds.

Step 6: Decision

CySEC issues its decision — authorisation, authorisation with conditions, or refusal — within the timeframes set under MiCA (discussed below). Conditions attached to authorisation typically require remediation within a specified period before commencement of certain services.

Timelines and CySEC Processing

Under MiCA Article 64, CySEC must:

• Acknowledge receipt of the application within 25 working days of submission
• Assess completeness and notify the applicant within 25 working days of acknowledgement, requesting any missing information
• Issue a decision within 40 working days of confirming that the application is complete

The 40 working-day clock only starts once CySEC confirms the application is complete — and the clock pauses during any period when CySEC is awaiting information from the applicant in response to an RFI.

In practice, end-to-end timelines from initial submission to authorisation decision range from approximately 4 to 9 months for well-prepared applications, with complexity, service scope, and RFI volume as the primary variables. Firms entering the process with inadequate governance documentation, unresolved fit and proper issues, or immature AML programmes should anticipate the higher end of that range.

Passporting and EU Market Access

One of the primary commercial rationales for CySEC CASP authorisation is EU passporting — the ability to provide crypto-asset services in other EU member states without seeking separate national authorisation.

Under MiCA Article 65, a CySEC-authorised CASP wishing to provide services in another EU member state on a cross-border basis must:

1. Notify CySEC of its intention, providing details of the member states where services will be provided and the services to be offered
2. CySEC must forward the notification to the competent authority of the host member state within 15 working days of receipt
3. The CASP may commence providing services in the host member state from the date CySEC communicates the notification to the host NCA — making timely CySEC processing the practical determinant of when cross-border services can begin

This is a notification process — host member state competent authorities cannot block passporting. They may however apply national consumer protection or AML requirements. The passport covers the services listed in the authorisation; additional services require either amendment of the authorisation or a new passporting notification.

For firms establishing a physical branch in another EU member state, a separate branch establishment procedure applies under MiCA Article 65(4).

The passporting mechanism is what makes CySEC — and Cyprus — strategically significant for crypto firms targeting the EU market. A single CySEC authorisation unlocks 26 additional EU markets through notification. For firms that have been navigating the patchwork of pre-MiCA national regimes across countries like Poland, Lithuania, and the Czech Republic — each covered in ComplyFactor’s MiCA country guides — the consolidation that MiCA passporting provides is transformative. See ComplyFactor’s analysis of MiCA in the Netherlands, Poland, and Lithuania for context on the pre-MiCA landscape that passporting replaces.

Ongoing Compliance Obligations

Authorisation is the beginning, not the end. CySEC-authorised CASPs carry a continuous compliance burden across several dimensions:

Regulatory reporting. CySEC prescribes periodic reporting requirements for CASPs, including financial returns, incident notifications, and statistical data. Firms must maintain the systems to produce accurate regulatory data on demand.

Notification obligations. CaSPs must notify CySEC promptly of material changes to the information provided at authorisation — changes to management body composition, qualifying shareholders, business model, or material outsourcing arrangements. Failure to notify is a standalone regulatory breach.

Annual AML review. CySEC expects CASPs to conduct annual reviews of their AML/CFT programme effectiveness, with independent audit commissioned at appropriate frequency. See ComplyFactor’s AML audit services for how independent review is structured in practice.

Capital maintenance. CaSPs must continuously maintain the minimum own funds requirement and notify CySEC if capital falls below threshold. CySEC may require recovery plans where capital adequacy is at risk.

MLRO continuity. Changes to the MLRO must be notified to CySEC. There can be no gap in MLRO coverage — succession arrangements must be in place. ComplyFactor’s global MLRO services include interim MLRO provision to ensure continuity during transitions.

Conduct obligations. Ongoing compliance with MiCA’s conduct requirements — client communication standards, marketing compliance, best execution, suitability assessments for advisory services — must be monitored and documented continuously.

Sanctions screening. CySEC CASPs must screen clients and transactions against relevant sanctions lists — EU consolidated sanctions list, UN sanctions, and Cyprus national designations — on an ongoing basis with appropriate escalation procedures.

For firms operating across multiple jurisdictions, ComplyFactor’s AML compliance programme services support the design and maintenance of integrated compliance frameworks that meet CySEC requirements alongside obligations in other regulated jurisdictions.

Common Reasons for CASP Application Rejection

Drawing on CySEC’s supervisory practice and the patterns visible across the broader EU CASP authorisation landscape, the following are the most frequent grounds for application refusal or material delay:

Inadequate substance. Applications where the proposed Cyprus entity lacks genuine operational presence — no Cyprus-resident executive, decision-making clearly occurring offshore, nominal registered address only — fail CySEC’s substance test.

Management body deficiencies. Boards lacking collective competence across the firm’s business model; individual directors failing fit and proper assessments; insufficient time commitment from non-executive directors.

Immature AML programme. An AML programme that is clearly templated, not tailored to the firm’s specific risk profile, or that lacks credible implementation evidence. CySEC has become increasingly sophisticated in distinguishing genuine AML programmes from compliance theatre.

Undercapitalised or unclear capital structure. Insufficient own funds, capital held in ineligible form, or a capital structure that does not clearly evidence the required minimum at the point of authorisation.

Inadequate IT and cybersecurity documentation. For exchange and custody applicants, thin IT documentation — particularly absence of penetration testing records, BCP/DR plans, or system architecture documentation — is a recurring weakness.

Scope creep without proportionate controls. Applications seeking authorisation across a wide range of services without demonstrating proportionate governance, systems, and capital for each service. Firms are better served by a focused initial authorisation with planned expansion than an ambitious initial scope that exceeds demonstrable capability.

Frequently Asked Questions

Can an existing CySEC-registered CASP (pre-MiCA) continue operating during the MiCA transition?

Yes. Entities registered under CySEC’s pre-MiCA CASP regime benefit from an 18-month transitional period under MiCA Article 143, running from 30 December 2024 through June 2026. During this period, they may continue providing their registered services while pursuing full MiCA authorisation. Post-June 2026, continued operation without MiCA authorisation is not permitted.

Does CySEC accept applications from foreign-incorporated entities?

No. CySEC authorises Cyprus-incorporated legal entities only. Foreign entities wishing to use Cyprus as their EU home member state must first establish a Cyprus subsidiary or branch structure. For branches, specific provisions under MiCA apply.

Can the MLRO function be fully outsourced?

No. CySEC requires a named, CySEC-notified MLRO who is part of the firm’s management structure and has direct access to the management body. External compliance consultants can support the MLRO but cannot wholesale replace the function. ComplyFactor’s fractional MLRO model is structured to provide substantive MLRO capability within this constraint.

What triggers a CySEC supervisory visit post-authorisation?

CySEC conducts both scheduled thematic examinations and risk-triggered supervisory visits. Triggers for specific firm visits include: STR patterns suggesting internal control weaknesses, AML audit findings communicated to CySEC, client complaints, material incident notifications, and regulatory intelligence suggesting non-compliance. Firms with robust internal controls and a proactive reporting culture are substantially lower risk for adverse supervisory attention.

How does CySEC CASP authorisation interact with VARA or FCA registration?

These are separate regimes with no mutual recognition. A CySEC CASP licence provides EU passporting; it provides no exemption from UK FCA registration requirements or UAE VARA authorisation if services are provided into those jurisdictions. For a comparative analysis, see ComplyFactor’s forthcoming article on CySEC vs FCA vs VARA. Firms with multi-jurisdictional exposure should also review ComplyFactor’s analysis of UK regulatory changes for 2026 and UAE crypto regulation.

What are the consequences of operating as a CASP in Cyprus without authorisation?

Operating without CySEC CASP authorisation where authorisation is required constitutes a criminal offence under Cyprus law and a regulatory violation under MiCA. Consequences include: administrative sanctions and fines imposed by CySEC, criminal prosecution, public naming, and — from the banking side — accelerating pressure on correspondent and payment banking relationships. The FATF oVASP report has further elevated the risk profile of unregulated crypto operations internationally.

How does ComplyFactor support CASP applicants?

ComplyFactor provides end-to-end CASP application support: regulatory gap analysis, AML programme development, MLRO appointment and ongoing fractional MLRO services, governance documentation, and application pack preparation. Our team combines direct CySEC regulatory experience with practitioner-level AML/CFT expertise across the EU, UK, UAE, and Canada. Contact us to discuss your CASP authorisation timeline and requirements.