MiCA CASP Passporting: How to Operate Across the EU After July 2026

One of the most consequential features of the Markets in Crypto-Assets Regulation is also one of the least understood: the passporting mechanism. Most crypto companies focus on obtaining their initial CASP authorization. Far fewer have planned for what happens after July 2026, when they want to expand from their home state into additional EU markets.

The answer — a single EU passport — sounds simple. The implementation is considerably more involved. This guide covers exactly what CASP passporting requires, how the notification process works, which NCAs have raised the most procedural requirements, and what ongoing compliance obligations apply once you're operating across borders.

What is CASP Passporting Under MiCA

CASP passporting is the right established under Articles 58–60 of MiCA that allows an authorized Crypto-Asset Service Provider to offer services in any EU member state on the basis of a single authorization granted by its home member state's national competent authority (NCA).

This mirrors the passporting regime that has existed for years in traditional finance under MiFID II (Articles 34–35) and CRD IV. The concept is the same: the EU single market means that an authorization in one member state is recognized throughout the bloc. What's new is that this principle now extends explicitly to crypto-asset services.

The practical significance is substantial. Before MiCA, a crypto exchange wanting to operate legally in France, Germany, and the Netherlands would need to navigate three separate national licensing regimes — France's PSAN framework, Germany's BaFin crypto custody license, and Dutch AFM registration. Under MiCA, a single authorization from any one of those NCAs creates the passport right to notify services into the other two (and all remaining 24 EU member states).

"The MiCA passport is not automatic. It requires a notification process, and the services you can passport are limited to those explicitly covered by your home-state authorization. Scope creep — offering a service in a host state that wasn't authorized at home — is a compliance failure, not a gray area."

The services eligible for passporting are the same 10 CASP service categories defined in Article 3(1)(16) of MiCA: custody and administration of crypto-assets, operation of a trading platform, exchange of crypto-assets for fiat, exchange between crypto-assets, execution of orders, placement, reception and transmission of orders, advisory services, portfolio management, and transfer services. Your passport covers only the services explicitly listed in your home-state authorization.

Home State vs. Host State: How It Works

Under MiCA's passporting architecture, every CASP has a home member state — the EU country where it is authorized and supervised for prudential purposes — and one or more host member states — the countries where it exercises its passport right to provide services.

Home State Responsibilities

Your home state NCA is the primary supervisor. Under Article 97 of MiCA, the home NCA is responsible for:

• Granting and withdrawing CASP authorization
• Ongoing prudential supervision (capital, governance, internal controls)
• Transmitting passporting notifications to host NCAs
• Coordinating enforcement where conduct affects multiple member states
• Maintaining the authorizations register submitted to ESMA

The home NCA's jurisdiction is determined by where the CASP's registered office is located. A CASP with its registered office in Lithuania is supervised by the Bank of Lithuania; one registered in France by the AMF. If your legal entity is incorporated in a non-EU country (e.g., a Cayman Islands holding company), you need an EU-incorporated subsidiary with its registered office in the relevant member state.

Host State Responsibilities

Host state NCAs receive passporting notifications and, under Article 60 of MiCA, have limited grounds to object. They are responsible for:

• Supervising conduct of business rules applicable in their jurisdiction
• Enforcing consumer protection and market abuse rules in their territory
• Monitoring AML/CFT compliance for services delivered to residents
• Issuing any jurisdiction-specific guidance on local implementation

The split between home state prudential supervision and host state conduct supervision is crucial. Your home NCA controls whether you keep your license. Your host NCAs control whether you can continue serving customers in their territory. Both matter, and monitoring obligations apply to both.

For a practical example: if a CASP authorized by the AMF in France passports services into Germany and Poland, it will be subject to BaFin's conduct supervision in Germany and the Polish Financial Supervision Authority (KNF) supervision in Poland, while the AMF retains prudential oversight over the entity itself. See also our guide on MiCA authorization requirements for 2026.

Step-by-Step: The CASP Passporting Notification Process

MiCA Article 58 sets out the notification procedure in detail. The steps are as follows:

Step 1: Prepare the Passporting Notification

The CASP must prepare a notification to its home NCA containing, at minimum:

• The name, address, and authorization number of the CASP
• The member state(s) in which it intends to provide services (one notification can cover multiple host states)
• The specific crypto-asset services it intends to provide in each host state
• Whether services will be provided by establishing a branch or on a pure cross-border basis
• Where a branch is established: the address and the names of the persons responsible for managing the branch
• A programme of operations describing the services to be provided and how they will be organized in the host state

ESMA is developing Implementing Technical Standards (ITS) under Article 58(5) of MiCA specifying the exact notification form and information requirements. Check ESMA's ITS register for the current version before submitting.

Step 2: Home NCA Review and Transmission

Your home NCA has 10 working days from receipt of a complete notification to transmit it to the competent authority of the host member state. The home NCA does not approve or reject the passporting at this stage — it transmits the notification and simultaneously updates ESMA's register of authorized CASPs to reflect the intended cross-border activity.

If the notification is incomplete, the home NCA will request the missing information. The 10-day clock does not start until the notification is deemed complete, so getting the submission right the first time matters for timing.

Step 3: Host NCA Assessment Window

Once the host NCA receives the notification from the home NCA, it has 30 working days to assess the notification and raise objections. During this window, the host NCA will review:

• Whether the services described are within the scope of the home-state CASP authorization
• Whether the programme of operations is coherent with host state market conditions
• Whether there are specific AML/CFT concerns relating to the host state's legal framework
• Where a branch is established: the suitability of the proposed branch management

Step 4: Commencement of Services

If no objection is raised within the 30 working day window, the CASP may begin providing services in the host member state immediately after the 40 working day total period has elapsed. The CASP does not need to wait for explicit confirmation — silence within the 40-day window equals permission.

However, before providing services, the CASP should:

• Verify that the host NCA has updated the local register of CASPs operating in that territory
• Implement host-state-specific consumer disclosures required under local transposition of MiCA
• Ensure AML/CFT procedures account for the host state's local AML rules (which may go beyond MiCA's minimum requirements)
• Confirm that any marketing materials comply with host state advertising standards

If you're planning to passport into multiple states simultaneously, managing this across different timelines and host NCA requirements is a significant operational challenge. This is where a comprehensive CASP licensing guide and regulatory monitoring infrastructure become essential.

The 40-Day NCA Window Explained

The 40 working day total passporting window is one of MiCA's most operationally important timelines. Understanding exactly how it's structured — and where it can be disrupted — is essential for planning market entries.

The 40 days break down as follows:

• Days 1–10 (working days): Home NCA review and transmission to host NCA. Starts when the home NCA receives a complete notification.
• Days 11–40 (working days): Host NCA assessment window. Starts when the host NCA receives the transmitted notification from the home NCA.

In practice, 40 working days is approximately 8 calendar weeks. However, there are several ways this timeline can extend:

• Incomplete notification: If the home NCA requests additional information, the 10-day clock pauses until the CASP provides the requested documents. A poorly prepared notification can add weeks.
• Host NCA objection: If the host NCA objects within the 30-day window, the CASP cannot begin services in that jurisdiction while the objection is being resolved. There is no fixed timeline for resolving objections, though ESMA guidance recommends expedited handling.
• ESMA mediation: If the home and host NCAs cannot resolve a dispute about a passporting notification, either NCA may refer the matter to ESMA under Article 97(9) of MiCA. ESMA's mediation can add months to the timeline in contested cases.
• Public holidays: "Working days" excludes public holidays in both the home and host member states. A notification spanning August — when many European NCAs have reduced staffing — can take considerably longer in calendar terms.

For compliance teams, the key implication is: do not assume 8 calendar weeks. Plan for 12–16 weeks to account for real-world processing, potential information requests, and holiday periods. If you're targeting a specific market entry date, work backward from that date to determine when the notification must be submitted.

Ongoing Compliance Obligations After Passporting

The passporting notification is not a one-time event. Once a CASP is operating across multiple EU member states, it has ongoing compliance obligations that multiply with each jurisdiction it enters.

Home State Obligations

Your home NCA expects:

• Annual prudential reporting (capital adequacy, own funds, risk assessments)
• Notification of material changes to services, governance, or organizational structure under Article 56 of MiCA
• Notification of any new services added to the authorization (which then require new passporting notifications for host states)
• Ongoing ICT risk management and business continuity reporting aligned with DORA requirements (applicable to all MiCA-authorized entities)
• AML/CFT supervisory cooperation with the national Financial Intelligence Unit

Host State Obligations

For each host state in which you passport services, you must:

• Comply with conduct of business rules in that jurisdiction, including any consumer disclosure requirements that exceed MiCA's minimum standards
• Maintain records sufficient for the host NCA to supervise your activities in that territory
• Respond to host NCA information requests promptly — failure to cooperate can result in the host NCA requesting your home NCA to investigate or restrict your activities
• Monitor any host-state-specific guidance on crypto-asset services that applies to passported entities
• Ensure Travel Rule compliance under the Transfer of Funds Regulation for transactions involving customers in that jurisdiction

Changes Requiring Re-notification

Under Article 59 of MiCA, CASPs must notify their home NCA at least one month before implementing any material change to the information provided in the original passporting notification. Material changes include:

• Adding new crypto-asset services in a host state
• Changes to branch address or branch management
• Significant changes to the programme of operations in a specific host state
• Cessation of services in a host state

If the home NCA objects to the proposed change within one month, the CASP must not implement the change until the objection is resolved. The re-notification obligation means that a CASP expanding its product offering must treat each host state as a separate compliance project, not simply an automatic extension of its home-state authorization.

Which EU Countries Are Best for CASP Authorization

The choice of home member state is one of the most strategically significant decisions a crypto company will make under MiCA. Factors that matter in practice:

Processing Speed

Lithuania (Bank of Lithuania) has built a reputation for efficient financial services licensing. Its dedicated fintech team and established crypto registration framework mean MiCA authorization applications may be processed more quickly here than in larger member states. The Bank of Lithuania has explicitly targeted the fintech segment.

France (AMF) established a voluntary PSAN registration framework in 2019, giving it more crypto licensing experience than most NCAs. However, the AMF has also been one of the more rigorous NCAs in terms of documentation requirements.

Germany (BaFin) requires German-language applications and is known for thorough review processes. Processing times can extend beyond the 3-month target. However, Germany's market size makes a BaFin authorization particularly credible with institutional clients.

Ireland (CBI) and Luxembourg (CSSF) are established hubs for international financial services and have developed MiCA processing capacity. Both offer English-language processes and deep pools of local regulatory counsel.

Malta (MFSA) was an early mover in crypto regulation and has processing infrastructure in place. However, Malta has faced AML-related scrutiny at the EU level, which some CASPs factor into reputational assessments.

Local Regulatory Infrastructure

Beyond processing speed, consider the availability of local regulatory counsel, banking partners willing to serve CASPs, and the depth of the local compliance talent market. An authorization from a smaller NCA may process quickly but leave you with fewer local resources to manage ongoing obligations.

For a detailed breakdown of authorization requirements by jurisdiction, see our CASP licensing guide and the MiCA compliance checklist for 2026.

Tax and Corporate Considerations

The home member state for MiCA purposes is the registered office of the CASP entity. This will typically align with your corporate tax domicile. Companies structuring for tax efficiency should work with advisors who understand both the MiCA authorization requirements and the tax implications of each jurisdiction — these don't always point in the same direction.

Monitoring MiCA Updates Across Jurisdictions

MiCA is not a static regulation. Once you've achieved authorization and begun passporting operations, the regulatory landscape continues to evolve on at least three dimensions simultaneously.

ESMA-Level Updates

ESMA publishes technical standards, guidelines, Q&As, and supervisory convergence tools on an ongoing basis. Key publications to monitor include:

• ITS on passporting notifications (Article 58(5) mandate) — specifies the exact content and format of notification submissions
• RTS on conflicts of interest (Article 72 mandate) — relevant to CASPs providing multiple services across jurisdictions
• Guidelines on customer disclosures — host states may implement these differently, creating jurisdiction-specific obligations
• ESMA supervisory briefings — indicate where ESMA will focus cross-border supervision coordination in the coming period

NCA-Level Updates

Every NCA in every member state where you are authorized or passported may publish guidance that affects your obligations. A French CASP passported into 10 member states needs to track 11 NCA publication streams — including the AMF plus BaFin, the Bank of Lithuania, the AFM (Netherlands), the FCA-equivalent bodies in each jurisdiction, and so on. This is not a manageable task without tooling.

Host NCAs have published jurisdiction-specific guidance on topics including:

• Local registration requirements for passported CASPs (some require notification in addition to the MiCA process)
• Advertising and marketing standards for crypto-asset services
• Local AML/CFT requirements that go beyond the EU Regulation baseline
• Data localization requirements for customer records

MiCA Review Clauses

MiCA itself includes review provisions that may result in amendments. The European Commission is required under Article 141 of MiCA to submit reports to the European Parliament on the functioning of the regulation, including potential amendments to the passporting framework. Compliance teams monitoring only the current text of MiCA are not monitoring the full regulatory risk.

RegPulse tracks ESMA, EBA, and all 27 EU national competent authorities in real time. When a host NCA publishes updated guidance on passported CASP operations, your compliance team knows the same day. For teams operating across multiple EU jurisdictions, that kind of systematic monitoring is no longer optional — it's the foundation of staying compliant.