The licence versus the notification procedure: comparing the two routes
MiCAR basically provides two main market access pathways for parties wishing to offer crypto‑asset services: a full CASP license or a simplified CASP notification. A CASP license is required for new market entrants or entities that do not hold any other relevant financial license. This comprehensive route allows the holder to offer the full range of crypto‑asset services but involves an extensive application process, including strict requirements regarding governance, ICT, anti‑money laundering (AML), and financial soundness.
A CASP notification (the so‑called “top‑up” procedure), on the other hand, is available to already regulated entities, such as EU‑authorised banks or AIFMs, that wish to extend their activities to include crypto‑asset services. This notification route under Article 60 MiCAR is significantly simpler and faster than a full license: submitting the notification is sufficient, provided all conditions are met, to allow a regulated entity to start offering crypto‑asset services without obtaining a completely new license. However, the scope is limited for certain entities, such as AIFMs, which may only offer crypto‑services that are closely related to their existing AIFMD‑regulated activities.
Procedure and requirements for a CASP notification
The notification procedure is intended as an accelerated route for certain authorised financial institutions to begin offering crypto‑asset services on short notice. Before a party, such as a bank or investment firm, may begin, it must submit a notification to the Dutch Authority for the Financial Markets (AFM) at least 40 working days in advance, accompanied by a prescribed set of documents. For credit institutions, the Dutch Central Bank (DNB) is also involved for prudential supervision.
The AFM confirms receipt and assesses whether the file is complete within about 5 working days. Within 25 working days of receipt of an application, the AFM shall assess whether may request additional information if any elements are missing or unclear; the applicant then receives a deadline to provide the requested information. Only once the AFM declares the notification complete may the institution formally start offering crypto‑asset services.
Although the procedure is formally a notification process (not a license application) the AFM still expects a high‑quality and well‑substantiated submission. The AFM has published a notification checklist (Excel) and a standard notification form (Word), both of which must be fully completed.
Required documentation for a CASP notification
A CASP notification requires extensive information on the organisation and the intended crypto‑asset services. Examples include:
- a description of the group structure, strategic objectives, and relevant shareholders
- a detailed business plan for the crypto‑asset services
- a list of the specific crypto‑asset services and categories of crypto‑assets to be offered
- an explanation of the jurisdictions (inside and outside the EU) in which the services will be provided and the type of clients targeted
- an overview of available resources (staff, financial capacity, and IT systems)
- detailed information on IT architecture, ICT security, and compliance with DORA requirements on digital operational resilience
Institutions must also describe the policies and procedures relevant to the specific services offered. For example, for order reception and transmission or placement of crypto‑assets, internal procedures and conflict‑of‑interest policies must comply with Articles 80 and 79 MiCAR. Where applicable, custody arrangements, segregation of client assets, and trading‑platform rules must be explained (admission criteria, trading procedures, price‑transparency measures, and market‑abuse prevention).
A business continuity plan and orderly wind‑down plan are also required, setting out scenarios for controlled termination of services. Finally, the AFM places significant emphasis on AML/CFT and sanctions compliance, requiring items such as a comprehensive ML/TF risk assessment, AML policies (e.g. transaction monitoring, customer due diligence, sanctions screening), reporting procedures for unusual transactions, and details regarding the compliance officer.
Procedure and requirements for a CASP license application
Entities not already subject to financial supervision (or offering services beyond the scope of their current license) must obtain a full CASP license before providing crypto‑asset services. This is a significantly more demanding process. The applicant must submit an extensive application file with the AFM (via Cryptshare). The AFM confirms receipt and begins a formal completeness check (statutory period of approx. 25 working days). If information is missing, the AFM requests additional documents and sets a deadline.
Once the AFM declares the application complete, the substantive assessment begins. During this phase, the AFM may ask further questions or request more information, and assessment timelines may be suspended (up to 20 working days at a time). Ultimately, within three months of a complete application (with possible extensions), the AFM decides whether to grant or refuse the CASP license. Only after the license is formally granted may the applicant begin offering crypto‑asset services.
Required documentation CASP license
A CASP license application requires highly detailed documentation covering all aspects of the business. Requirements include:
- statutory and organisational documents (extracts, articles of association, organisational chart, contact details, group entities, branches)
- a detailed programme of operations describing all crypto‑asset services, their legal basis, a multi‑year business plan, and financial forecasts (including stress tests)
- governance and internal‑control information, including organisational structure, division of responsibilities, CVs and fitness/integrity of board members, control frameworks (such as reporting and complaints handling), and market‑abuse prevention measures
The application must also demonstrate compliance with MiCAR’s prudential requirements, such as sufficient own funds, proper insurance coverage, and prudent risk management. AML/CFT requirements must be set out in detail, including the integrity risk assessment, sanctions policies, and the structure of the compliance function and training programme. Each daily policymaker and supervisory director is subject to an AFM fitness and propriety assessment.
Technical infrastructure requirements are equally demanding: the AFM expects a complete ICT and information‑security file (aligned with DORA), including cybersecurity reports (e.g. penetration tests and IT audits) and incident‑management and fallback procedures. Applicants must also provide detailed arrangements for secure custody and segregation of client assets (both crypto‑assets and fiat), such as separate wallets and bank accounts, and clear rights‑of‑return procedures. If operating a trading platform, applicants must provide detailed trading rules and market‑abuse monitoring measures. An orderly wind‑down plan is also mandatory. The AFM provides templates, including a license application form and a checklist.
A lighter route still requires a robust file
Our experiences with both notification and license procedures indicate that the AFM applies strict quality standards to submitted files. Although a CASP notification is theoretically a lighter regime, the AFM does not treat it as a mere administrative formality. In practice, the AFM expects a thorough and substantively robust submission. The notification form must be completed in full and include explanatory text rather than mere references to internal documents; the AFM evaluates whether the operational setup is genuinely sound.
The AFM pays particular attention to the operational organisation of the proposed crypto‑asset services. Applicants are expected to provide clear process descriptions and flowcharts of transaction flows to demonstrate how the services will function in practice. The AFM also values clarity about governance structures and internal accountability; reporting lines must be transparent and logical.
A further challenge for qualifying institutions using the notification route is integrating MiCAR-specific obligations into the existing policy and control framework without creating unnecessary duplication. In many cases, the better approach is not to build a parallel crypto policy stack, but to identify where MiCAR requirements can be embedded into existing governance, compliance, risk management, conflicts of interest, complaints handling, outsourcing, ICT security and AML/CFT procedures. This requires an upfront mapping of MiCAR obligations against the institution’s legacy policies and processes, followed by targeted updates, crypto-specific addenda or new procedures only where the existing framework does not sufficiently cover the relevant requirement. Done well, this makes the notification file more coherent and, more importantly, helps ensure that the new crypto-asset services can operate within the institution’s existing control environment from day one.
Another recurring focus is the use of third parties and outsourcing. Applicants must map out collaborations with external service providers and determine whether these qualify as outsourcing arrangements. The AFM checks whether DORA obligations apply to all engaged third parties and whether an up‑to‑date DORA information register is available. Crypto‑specific risks must be appropriately identified and mitigated. For many qualifying institutions, this may well be the first time their DORA framework is being subjected to full supervisory review.
In short: applicants must submit a complete, transparent, and well‑substantiated file. The reward for this thoroughness is a smoother review process and, ultimately, a faster approval of the notification or license.
Key takeaways for market participants
MiCAR marks a new era for crypto‑asset service providers. The ability to choose between a notification and a full license gives existing financial institutions a more efficient route to launch crypto‑asset services, while new entrants must undergo a comprehensive license procedure. Early experience shows, however, that “light” does not mean “easy”: high‑quality submissions are essential. Market participants should therefore start preparing early, regardless of the chosen route. Ensure completeness and detail across all elements of the submission, from business plans and IT security to outsourcing contracts and AML policies. Proactive engagement with the regulator: for example, a pre‑application meeting with the AFM on complex issues such as IT systems or asset segregation, is recommended.
To conclude
MiCAR offers new opportunities for crypto‑asset service providers, but comes with strict requirements. Early experiences with notification and licensing processes show that the AFM expects clear documentation, solid governance and robust risk management. Thorough preparation, supported by AFM checklists and templates, is essential for a smooth process.
In case of questions or concerns, please do not hesitate to contact your trusted Loyens & Loeff adviser.