Setting Up a Crypto Company in Cyprus Under the MiCA Framework

Anyone weighing where to base a European digital asset venture tends to arrive at a short list of jurisdictions, and Cyprus keeps appearing on it. The reasons are not mysterious. The island is an EU member, which matters enormously now that one authorisation can carry a firm across all 27 member states. It has a deep professional services sector built over decades of serving international clients. And, perhaps less obviously, its financial regulator has spent years supervising investment firms, so the supervisory machinery for a crypto regime was not built from nothing.

There is also a quieter advantage. Fewer than twenty firms have secured full MiCA authorisation on the island so far. For a founder considering timing, that scarcity cuts both ways: the field is open, and early entrants tend to be well remembered by counterparties and banking partners who are still nervous about the sector.

That said, “near the top of the list” is not the same as “easy.” The work involved in obtaining authorisation is substantial, and a fair amount of this page is spent being honest about that. This material reflects the regulatory position as it stands in 2026, after a significant round of Cyprus tax reform and well into the MiCA transition window.

Quick Answer: CASP Licensing in Cyprus Under MiCA

For readers who want the essentials before the details:

Cyprus applies the EU Markets in Crypto-Assets Regulation through CySEC supervision, layered on national anti-money-laundering law.
A digital asset firm serving the public generally needs CASP authorisation to operate lawfully.
CASP authorisations fall into three classes, scoped to the specific services a firm provides.
Minimum capital ranges from €50,000 to €150,000, subject to a fixed-overhead test that may raise the figure.
A Cyprus CASP can passport its services across the European Union once notification procedures are met.
The grandfathering period for legacy national registrations closes on 1 July 2026.
A typical authorisation timeline runs six to twelve months from the date of complete filing.

The sections below expand on each of these points and add the parts that rarely appear on competitor pages: what the regulator actually tests, the banking reality, and the Article 60 route for existing investment firms.

What a Crypto-Asset Service Provider Actually Is

Under the EU’s Markets in Crypto-Assets framework, known by its shorthand MiCA, a regulated digital asset business is called a crypto-asset service provider, or CASP. The label is not optional branding. It is a legal status; a firm either holds it or does not.

A CASP is any entity authorised to offer one or more defined services involving crypto-assets to the public. Those services include custody, operating an exchange, running a trading platform, executing client orders, placing tokens, transfer services, portfolio management, and advice. If a venture touches any of those activities for third parties, it almost certainly falls within the perimeter.

What changed under MiCA is consolidation. Before the regulation, member states ran their own national registers, and a firm authorised in one country could not simply operate in another. The earlier VASP-style national authorisations are being phased out. In their place sits a single, unified regulatory framework that applies directly across the bloc. One CASP authorisation, properly passported, opens the whole EU. The technical standards underpinning the regime are developed by ESMA, the European Securities and Markets Authority, which gives national regulators a common rulebook to apply.

Is Crypto Regulated in Cyprus?

Yes, and the regulation is not light-touch. The island applies MiCA in full, layered on top of national anti-money-laundering legislation and the supervisory directives issued by CySEC, the Cyprus Securities and Exchange Commission. A crypto firm operating here without authorisation is not in a grey area; it is operating unlawfully. The flip side is that a properly licensed firm gains something valuable: a defensible, recognised status that clients, auditors, and banking partners can verify.

Who Needs CASP Authorisation in Cyprus?

This is worth stating plainly, because founders sometimes assume their model sits outside the rules when it does not. A firm generally requires CASP authorisation if it does any of the following for clients:

Holds or administers crypto-assets, or the means of access to them, on behalf of clients
Exchanges crypto-assets for funds
Exchanges crypto-assets for other crypto-assets
Operates a trading platform for crypto-assets
Executes orders for crypto-assets on behalf of clients
Provides transfer services for crypto-assets
Provides portfolio management on crypto-assets
Provides advice on crypto-assets
Places crypto-assets, or receives and transmits orders

If a venture performs even one of these activities for third parties, it is almost certainly inside the MiCA perimeter. Operating without authorisation risks breaching both MiCA and Cyprus AML legislation, with the enforcement consequences that follow. The harder cases tend to be at the edges, for instance, certain decentralised arrangements or pure software provision, and those genuinely warrant a considered legal view rather than a guess.

The Three CASP Classes and What Each Permits

MiCA does not issue a single, one-size license. Instead, authorisation is scoped to the specific services a firm intends to provide, and those services map onto three classes. The class a firm lands in is decided by what it does, not by how large it is. A tiny startup running a trading venue still needs Class 3 standing.

The first tier covers advisory and transmission activities, where the firm never holds client assets. The second covers active execution: exchanging crypto-assets for funds, exchanging them for other tokens, executing orders, and placing instruments. The third, the most demanding, covers custody and the operation of a trading platform.

Here is the practical summary, including the minimum capital each class is required to hold under Article 67 of the crypto-assets regulation.

CASP Class	Representative Services	Minimum Capital (Art. 67)	Holds Client Assets?
Class 1	Advice, reception and transmission of orders, transfer services, portfolio management	€50,000	No
Class 2	Execution of orders, exchange of crypto for funds, exchange of crypto for crypto, placing	€125,000	Briefly, during transactions
Class 3	Custody and administration, operation of a trading platform	€150,000	Yes

A point worth flagging, because it trips up a lot of applicants: the capital figures above are floors, not targets. Article 67 also requires a firm to hold its own funds equal to at least one quarter of the previous year’s fixed overheads, whichever is higher. A firm with €800,000 in annual running costs faces a €200,000 prudential requirement regardless of the class it sits in. Treating the headline minimum as the answer is one of the more common and costly planning errors.

What Cyprus Offers a Digital Asset Business Beyond the License Itself

The authorisation is the headline, but it is rarely the whole story for a founder choosing a base. A few things tend to matter once the firm is actually running.

EU passporting. A Cyprus CASP authorisation, once the notification procedures are followed, allows a firm to serve clients across all member states without reapplying. For a venture with European ambitions, this single feature can justify the jurisdiction on its own.
A regulator with relevant experience. CySEC has supervised investment firms for many years. The fit-and-proper assessments, the governance expectations, and the internal-controls scrutiny; none of this is new ground for the authority, which makes its expectations more predictable.
A working professional ecosystem. Auditors, corporate administrators, compliance specialists, and tax advisers who already understand regulated financial entities are available locally. A crypto firm is not asking the island to learn something unfamiliar.
Competitive, recently reformed taxation. More on this below, because the numbers changed at the start of 2026, and a great deal of online content has not caught up.
English-language administration. Filings, registration documents, and regulatory correspondence are handled in English, removing a layer of friction for international founders.

Is the island perfect? No. Banking remains genuinely hard for crypto firms, and we will not pretend otherwise. But as a balance of access, cost, and credibility, it is difficult to beat within the EU.

How to Get a CASP Licence in Cyprus: The Process, Step by Step

The path from idea to authorised CASP runs through several distinct stages. They overlap in practice, but it helps to see them laid out.

Step One: Incorporate the Cyprus Entity

A CASP applicant must be a legal entity, and in practice, that means a private limited company in Cyprus. This is where the company formation work begins: appointing directors, defining the shareholding, and establishing a registered office. The corporate vehicle has to exist before any application can be filed. For founders who want the groundwork handled properly, our Cyprus company incorporation services cover this first stage end-to-end.

Step Two: Lock the Service Scope

Before drafting anything substantive, a firm has to decide precisely which crypto-asset services it will offer. This decision drives everything downstream: the capital class, the policies required, the staffing, and the depth of regulatory scrutiny. Vague scope is the enemy here. CySEC wants a firm that knows exactly what it intends to do.

Step Three: Build the Application Dossier

This is the heavy stage. A complete MiCA application typically includes a three-year business plan, financial projections, a detailed description of governance arrangements, descriptions of IT systems and operational processes, and a full programme of internal policies. The dossier has to be coherent. A file that contradicts itself, where the business plan describes one operation and the IT description another, invites delay.

Step Four: Develop the Internal Policy Framework

CySEC expects an applicant to arrive with a genuine policy architecture, not placeholders. That framework spans AML and counter-terrorist-financing controls, risk management, outsourcing supervision, conflicts of interest, complaints handling, business continuity, incident response, and IT security. Each of these has to be operational, not aspirational.

Step Five: Submit to CySEC and Pay the Fee

Once the dossier is ready, the firm files with the regulator and pays the application fee. CySEC then conducts a structured review that includes fit-and-proper checks on the people involved and a prudential assessment of the firm’s capital and plan. The authority will almost always come back with questions; a prompt, well-organised response keeps the file moving.

Step Six: Authorisation and Ongoing Obligations

If the review succeeds, the firm becomes an authorised CASP and is entered on the register. Authorisation is the start of a relationship, not the end of a process. Ongoing reporting, capital maintenance, and compliance duties continue for the life of the firm.

Documents Required for a Cyprus CASP Application

Founders preparing to file should expect to assemble a substantial evidence pack. While the exact list depends on the service scope, a CASP application to CySEC generally includes:

A detailed three-year business plan and financial projections
A full description of the governance structure and management arrangements
Shareholder and ultimate beneficial owner documentation
Fit-and-proper questionnaires and supporting evidence for directors, senior managers, and UBOs
A complete set of AML and counter-terrorist-financing policies and procedures
Risk management, conflicts of interest, and complaint-handling policies
A description of IT systems, cybersecurity arrangements, and operational resilience measures
Outsourcing agreements and the policy governing them
Evidence of the minimum capital appropriate to the chosen class
A description of the crypto-asset services to be offered and how client assets are safeguarded

Preparing these well in advance materially shortens the process. A common pattern is that incorporation finishes quickly, only for the firm to spend weeks assembling documents it could have started months earlier.

What CySEC Actually Tests

It is one thing to submit a dossier; it is another to satisfy the assessment behind it. Drawing on CySEC’s approach to these files, a few areas warrant close attention.

Genuine local substance. The regulator is looking for a firm that is actually run from the island, not a nameplate. That means a real management presence, at least two directors with effective local control, and key control functions, especially AML oversight, genuinely operated from Cyprus. Outsourcing is permitted for some tasks, but accountability cannot be exported.

Fit-and-proper standing of the people. Directors, senior managers, and ultimate beneficial owners face detailed scrutiny of their reputation, competence, experience, and integrity. Expect questionnaires and supporting documentation. A criminal record touching financial crime is, in practical terms, disqualifying.

A credible, stress-tested capital position. As noted, CySEC assesses capital against the filed business plan, not against the bare statutory floor. A firm projecting rapid growth needs a capital story that survives that growth.

An AML programme built for the realities of crypto. Customer due diligence, continuous transaction monitoring, suspicious activity reporting, risk assessments, and Travel Rule compliance must all be demonstrably in place. The Travel Rule itself reflects standards set internationally by the Financial Action Task Force, so this is not a Cyprus-specific quirk; it is a global expectation applied locally. The programme has to reflect how cryptocurrency actually moves rather than reading like a generic financial services template. Firms that want this element built correctly from the outset often engage our anti-money-laundering and regulatory compliance team early in the process.

The MiCA Deadline That Founders Cannot Ignore

There is a date that should be circled in red. Cyprus operates a transitional, or grandfathering, period for firms that held national authorisation under the old regime. That period ends on 1 July 2026.

After that date, legacy national authorisation no longer suffices. A firm wishing to continue offering crypto-asset services in or from Cyprus must hold a full MiCA CASP authorisation. For a firm starting fresh today, there is no transitional comfort at all; the only route is straight to full MiCA authorisation. Given that the review itself commonly runs six to twelve months, the arithmetic is not forgiving. A firm that begins planning late in 2026, expecting to operate that year, has, frankly, miscalculated.

A Route Many Pages Miss: the Article 60 Path for Investment Firms

Here is something the typical competitor guide skips entirely. If a firm already holds, or intends to hold, a Cyprus Investment Firm authorisation under MiFID II, it does not necessarily need a separate, standalone CASP application.

MiCA’s Article 60 allows an existing investment firm to add crypto-asset services to its permissions through a simplified notification rather than a full authorisation from scratch. The national authority has a defined window to object. For larger or more complex groups, this can meaningfully compress the timeline. It is not the right answer for every venture, and a standalone CASP authorisation is often cleaner for a pure crypto operation. But any founder who already has exposure to investment firms should at least ask the question before committing to the longer road.

The two routes differ in ways that matter. The table below sets out the broad comparison.

Factor	Standalone CASP Authorisation	Article 60 Notification (Existing CIF)
Starting point	A new or non-regulated entity	An existing MiFID II investment firm
Process type	Full authorisation review	Simplified notification, the regulator may object within a set window
Typical speed	Six to twelve months from a complete filing	Generally faster, since the entity is already regulated
Best suited to	A pure crypto-asset venture	A regulated firm adding crypto services to an existing book
Capital treatment	MiCA Article 67 tiers apply	Assessed alongside existing prudential requirements

This is exactly the kind of structural decision worth raising with an adviser before filing, because choosing the wrong route can add months.

Cyprus Tax After the 2026 Reform: Get the Numbers Right

This deserves its own section because a striking amount of online material is simply out of date. Major tax reform took effect on 1 January 2026, and several figures that crypto founders rely on have changed.

The headline corporate income tax rate is now 15%, not the 12.5% figure still quoted across much of the web. For most digital asset firms, this is the rate that applies to trading profit. Separately, the reform introduced a flat 8% tax on gains from the disposal of crypto-assets, a specific treatment that did not exist before. The Special Defence Contribution on dividends fell sharply; dividend distribution was deemed abolished for profits arising from 2026 onward; the loss carry-forward window was extended from five to seven years; and stamp duty on corporate transactions was removed.

A note of caution. Tax treatment of crypto activity is complex, and the right answer depends on the specific structure and nature of each revenue stream. The figures above are current as of early 2026. Still, anyone making a structuring decision should verify the position against current guidance from a Big Four Cyprus office or qualified Cyprus tax counsel rather than relying on general web results. Outdated numbers are everywhere, and a structuring decision built on a stale rate is an expensive mistake.

The Banking Reality No One Should Sugar-Coat

If there is a single stage where crypto ventures stumble, it is not incorporation, nor is it even the CASP application. It is opening a bank account.

Financial institutions treat digital asset firms as higher-risk. Traditional banks apply enhanced due diligence as a matter of course, scrutinising ownership, expected transaction flows, counterparties, and the firm’s own compliance controls. Many crypto firms end up working with electronic money institutions or specialist fintech providers rather than high-street banks, simply because their risk appetites differ.

The practical lesson: plan banking in parallel with licensing, not after it. A firm that arrives at the banking stage with a clean compliance file, a clear business description, and credible transaction-flow projections has a far smoother experience than one treating the account as an afterthought.

Which Crypto Is MiCA Compliant?

This question is phrased slightly off, and the correction matters. MiCA does not “approve” individual cryptocurrencies the way a regulator might approve a drug. It regulates the issuers of certain token types and the providers of services related to crypto-assets. The framework distinguishes among asset-referenced tokens, e-money tokens, and other crypto-assets, each carrying different obligations. So compliance is a property of the firm and its conduct, and in the case of stablecoin-type tokens, of the issuer, rather than a stamp on a coin itself. A trading platform can be fully MiCA-compliant while listing assets whose issuers face their own separate obligations.

A Realistic View of Cost and Timeline

Founders understandably want a single number. The honest answer is that the total cost depends on the scope of services, the chosen capital class, the readiness of the firm’s documentation, and the complexity of the structure. The components, though, are predictable: the regulator’s application fee, the minimum capital appropriate to the class, professional fees for building the dossier, incorporation and registered-office costs, and ongoing items such as audit, accounting, and AML staffing.

Two recurring costs deserve a specific mention, because they catch founders off guard. First, an authorised CASP falls within the scope of the EU’s Digital Operational Resilience Act. Hence, it pays CySEC an annual ICT oversight fee scaled to company size, ranging from roughly €3,000 for a microenterprise to around €20,000 for a large entity. Second, a firm that issues its own token and must publish a MiCA crypto-asset white paper pays a € 1,000 CySEC notification fee to process the filing; this is separate from and additional to the costs of CASP authorisation itself.

On timing, the stages break down roughly as follows.

Stage	Typical Duration
Company incorporation	1 to 2 weeks
Dossier and policy preparation	1 to 3 months
CySEC review and follow-up questions	4 to 9 months
Banking or EMI onboarding	1 to 4 months

These stages overlap, so the totals do not simply add up. Still, the full registration and authorisation process typically takes six to twelve months from the date of complete filing. It is the dossier preparation, the review cycle, and the banking onboarding that absorb the months. A firm that builds in that reality from the start avoids a great deal of frustration later.

Common Reasons CySEC Applications Stall or Get Rejected

A few patterns recur often enough to be worth naming. Most rejected or badly delayed files fail for avoidable reasons.

Treating the capital minimum as the capital plan. The fixed-overhead test frequently bites harder than the headline floor, and a firm that ignores it files an under-capitalised application.
Defining the service scope loosely. Ambiguity about what the firm will actually do forces CySEC to ask, and every round of questions adds weeks.
Bringing placeholder policies. An AML or risk policy that reads like a template rather than a description of how this specific firm operates signals that the firm is not ready.
Weak local substance. A structure that resembles a nameplate, with management and control functions offshore, struggles to meet the regulator’s substance expectations.
Leaving banking until the end. As covered above, this is the single most common cause of a stalled launch.
Relying on outdated tax figures. The 2026 reform changed real numbers; structuring on the old ones creates problems that surface later, when they are harder to fix.

Can a Foreign Founder Open a Crypto Company in Cyprus?

Yes. Full foreign ownership of a Cyprus company, including an authorised CASP, is permitted, and a large share of applicants are international founders. The ownership can sit anywhere. What cannot be purely offshore is the firm’s operating reality: CySEC expects genuine management presence, locally exercised control, and key functions to be run from the island. A non-resident founder is on entirely workable ground, provided the substance is real rather than cosmetic.

How C. Savva & Associates Supports Crypto Ventures in Cyprus

Setting up an authorised digital asset firm on the island is a multi-disciplinary exercise. It draws on corporate, compliance, tax, and regulatory expertise simultaneously, and the stages must be sequenced sensibly rather than tackled in isolation.

C. Savva & Associates works with founders across that whole arc: incorporating the Cyprus entity, scoping the CASP class, building the application dossier, developing the internal policy framework, and planning the tax structure around the post-2026 rules. The firm’s focus is on getting the foundations right so that the CySEC review is as smooth as the process allows.

C. Savva & Associates is not a law firm. For matters requiring legal expertise, the firm collaborates with its partner law firm Nicholas Ktenas & Co., LLC, which provides legal counsel on corporate and commercial law, banking and finance, data protection, intellectual property, employment law, and trusts.

Speak to Our Team About Your Cyprus Crypto Project

Thinking through a CASP authorisation, a capital class, or the right structure for a digital asset venture? A short conversation early on tends to save months later. C. Savva & Associates can assess your plans, map the realistic path and timeline, and help you avoid the missteps that delay so many applications. Contact our team to arrange a consultation and get the process off to a solid start.

Frequently Asked Questions

What is a crypto-asset service provider under MiCA?

A crypto-asset service provider is a legal entity authorised under the EU’s MiCA regulation to offer defined crypto-asset services to third parties. Those services include custody, exchange, operating a trading platform, executing orders, placing tokens, transfer services, portfolio management, and advice. The status is granted by a national regulator and is scoped to the specific activities a firm intends to provide. Holding it allows a firm to operate lawfully and, through passporting, to serve clients across the European Union under a single authorisation rather than seeking separate approval in each member state.

How much does a CASP licence cost in Cyprus?

Total cost depends on the service scope, capital class, documentation readiness, and structural complexity, so that a single figure would be misleading. The predictable components are the regulator’s application fee, the minimum capital tied to the class, professional fees for dossier preparation, incorporation costs, and recurring items such as audit and AML staffing. Two ongoing charges catch founders out: an annual DORA ICT oversight fee scaled by company size, and, for token issuers, a €1,000 white paper notification fee. Founders should budget for the capital floor as a starting baseline only.

How long does CASP authorisation in Cyprus take?

From the point at which a complete application reaches CySEC, the review typically takes six to twelve months. The exact duration depends on how complex the proposed structure is, how well-prepared the dossier is, and how quickly the firm responds to follow-up questions. Incorporating the underlying company is far quicker, often around two weeks. Founders should plan against the longer figure and begin well ahead of any commercial launch date, particularly given that the transitional period for legacy authorisations closes on 1 July 2026.

What is the best country to register a crypto company?

There is no single correct answer, because the best jurisdiction depends on the venture’s target market, service mix, and risk appetite. Within the EU, Cyprus, Malta, Lithuania, and others each attract crypto firms for different reasons. Cyprus tends to appeal because it combines EU passporting, an experienced financial regulator, a competitive post-2026 tax position, English-language administration, and a deep professional services sector. A firm targeting European clients with serious compliance ambitions often finds the island a strong fit, though banking remains a genuine challenge everywhere in the sector.

Do I need a separate licence for each crypto service?

No, but the authorisation is scoped. A single CASP authorisation can cover multiple services, yet it only permits the specific activities that CySEC has approved and mapped to the relevant capital class. A firm authorised for advice and order transmission cannot suddenly begin offering custody without varying its permissions. The practical implication is that service scope should be defined carefully at the outset. Adding activities later is possible but requires an additional regulatory process, so founders benefit from thinking ahead about which services the business will realistically offer.

Related-reading / next-topic block for the bottom:

Link to existing posts (already live)