Cyprus | Crypto Asset Service Provider (CASP) License & MiCA Alignment

Overview

Cyprus introduced a formal Crypto Asset Service Provider (CASP) framework in 2021 under the Cyprus Securities and Exchange Commission (CySEC), embedding crypto supervision into an AML/CFT-driven model. This positioned Cyprus as an early EU mover for structured crypto oversight—particularly attractive to firms that value an established supervisory culture and internationally recognized financial-services standards.

As the EU transitions to MiCA, Cyprus is expected to align its national CASP framework with the EU-wide authorization approach, strengthening governance, ICT risk controls, and safeguarding expectations for firms operating in or from Cyprus.

Legal & Regulatory Framework

• Supervisory authority: Cyprus Securities and Exchange Commission (CySEC)
• Regulatory basis: AML/CFT framework and CySEC directives governing CASP registration and ongoing supervision
• License type: CASP registration (national register model with operational requirements)
• Applicability: Required for crypto businesses operating in or from Cyprus (including certain cross-border models depending on client targeting)
• Eligible applicants: Cyprus-incorporated entities (and, where applicable, EU/EEA structures subject to local registration/notification requirements)
• Legal tender: Crypto is not legal tender

Process & Timeline (Indicative)

Stage 1 — Company Incorporation

• Incorporate a Cyprus company (remote formation can be possible with local support)
• Set up local address and governance structure
• Begin banking/EMI onboarding planning early (often the critical path)

Stage 2 — Compliance Preparation

• Draft AML/CFT program, risk assessment methodology, and KYC procedures
• Prepare business plan and internal operations manual (including onboarding, monitoring, reporting, and record-keeping)
• Appoint an MLRO (Money Laundering Reporting Officer) and define escalation/reporting lines
• Build continuity and incident response readiness (especially relevant for MiCA alignment)

Stage 3 — CySEC Application & Review

• Submit CASP application and supporting documentation to CySEC
• Fit-and-proper assessments for directors and key function holders
• Address follow-up questions and requests for information (RFI)

Typical timeline: Commonly several months end-to-end depending on scope and documentation readiness (often cited around ~6 months for fully scoped cases).

License Classes & Capital Requirements

Cyprus commonly applies capital thresholds aligned with EU-style service categories, often referenced in three practical groupings:

• Class 1 — €50,000: Advisory / reception & transmission / certain non-custodial activities
• Class 2 — €125,000: Exchange and execution-related services (crypto–fiat and/or crypto–crypto, order execution)
• Class 3 — €150,000: Custody/safekeeping and higher-risk operating models

Note: Classification is highly dependent on your exact service scope. Define the operational model precisely to avoid reclassification during review.

Minimum Requirements (Typical Expectations)

• Cyprus-incorporated entity (or a qualifying EU/EEA structure where applicable)
• Capital of €50,000–€150,000 depending on service scope/class
• Board and governance structure suitable for the operating model (including executive involvement and clear accountability)
• Fit-and-proper management review by CySEC
• Comprehensive AML/CFT framework (CDD/EDD, PEP/sanctions screening, monitoring, STR workflow)
• KYC, risk management, and record-keeping systems
• Internal operations manual and MLRO appointment
• Application and annual supervisory fees (amounts can vary by scope and CySEC schedules)

Taxation (High-level)

• Corporate tax: 12.5%
• VAT: Crypto exchange services are often treated similarly to financial services; validate case-by-case with advisors
• Crypto trading: Usually treated as ordinary business income when conducted as a business activity
• Capital maintenance: Firms may need to maintain capital above a threshold tied to fixed costs and/or prudential expectations (model-specific)

Ongoing Obligations

• Annual risk assessments and AML/CFT updates
• Conflict of interest framework and governance controls
• Ongoing monitoring of AML system effectiveness and staff training
• Transparent operational records and auditability
• Periodic CySEC reporting and readiness for inspections

Sanctions & Penalties (Conceptual)

• Administrative fines (can be substantial depending on breach type and severity)
• License suspension, amendment, or withdrawal
• Daily penalties for continued non-compliance
• Personal sanctions or bans for responsible individuals
• Public disclosure of enforcement actions

Public Registry

CySEC maintains a public CASP registry that typically includes:

• Active registered CASPs
• Deregistered/removed entities (where applicable)
• Key company identifiers (name, registration number), address, and authorized activity categories

MiCA Alignment

MiCA introduces an EU-wide CASP authorization standard with defined service categories, capital requirements, safeguarding obligations, governance expectations, and ICT risk controls. For Cyprus-based CASPs, the practical impact is a progressive uplift toward:

• Stronger governance: clearer functional separation (risk, compliance, MLRO), fit-and-proper depth, outsourcing controls
• ICT & operational resilience: incident reporting, BCP/DR, security testing, and vendor risk management
• Safeguarding: client asset segregation, reconciliations, disclosures, and operational controls
• EU scalability: improved pathway to EU passporting once fully aligned under MiCA authorization logic

CryptoWisely.io Comment

Disclaimer: Informational only and not legal/tax advice. Always confirm current CySEC requirements and EU MiCA implementation guidance before proceeding.