Applying for a CASP license in Europe? ESMA just told you how to get it right

Are you planning to apply for a CASP (Crypto-Assets Service Providers) license in the EU and wondering what regulators are actually looking for?

On July 10, 2025, the European Securities and Markets Authority (ESMA) published a peer review focused on how the Malta Financial Services Authority handled a CASP authorization. On the surface, it looks like a local review. In reality, it’s a clear signal to all EU local regulators on how they’re expected to approach MiCA (Markets in Crypto-Assets Regulation) authorizations.

So what does this mean for you? 3 things stand out:

1. Your business model needs to make regulatory sense.

It’s not just about ticking boxes. National authorities will be digging deep into how your business actually works, from revenue streams, customer base, and how your services fit (or don’t) within MiCA’s scope. Avoid ambiguity, as it won’t work. You will need to explain your model clearly and back it up.

2. Your tech stack has to be more than functional; it has to be purpose-built.

ESMA wants regulators to assess whether your ICT systems can actually support secure, resilient operations. Possible red flags for ESMA could be sloppy or improvised IT infrastructure, or similar. Your infrastructure will be judged not just on what it does, but how well it supports long-term operational stability, especially under DORA.

3. DORA matters from day one.

Even though MiCA and DORA are separate frameworks, ESMA makes it clear: if you’re applying to be a CASP, you are expected to have digital operational resilience. This includes incident response, third-party risk management, and business continuity. There’s no “we will get to that later” option.

Here’s the big picture:

MiCA licensing isn’t going to be a uniform, low-friction process. But ESMA is pushing for a common standard across all EU regulators, whether you apply in Luxembourg, Germany, France, Ireland, or Malta. This means every firm needs to walk in with a complete, credible strategy covering commercial viability, governance, tech infrastructure, and compliance readiness.

Remember: MiCA gives you EU-wide passporting, but your authorisation starts with a single regulator. Choose that authority strategically and be ready to meet this evolving EU-level standard. If you apply in Luxembourg, the CSSF takes an engaged approach, inviting applicants to an initial in-person meeting, not merely to review formalities, but to understand the business and its objectives.

Time to stress-test your business model, get your governance tight, and make sure your infrastructure won’t fall apart under scrutiny. This isn’t just about clearing a regulatory hurdle but rather showing maturing in the crypto world. Depending on where you are in that journey, it might be worth asking a local expert rather than going it alone.

About MAQIT

Founded in 2015 in Luxembourg, MAQIT is a Regulatory IT & AML powerhouse, blending Advisory, Managed Services, and Smart Tools to simplify compliance challenges.

MAQIT specialises in expert technology solutions, empowering companies to confidently achieve and maintain compliance in a complex regulatory landscape.