Passporting, management body requirements, outsourcing, physical presence — practical answers to the most frequently asked questions about obtaining a CASP licence under MiCA.
Practical FAQ for Crypto-Asset Service Providers
European crypto-asset regulation has entered a new era. MiCA (the Markets in Crypto-Assets Regulation) fundamentally changes the rules governing entities that provide crypto-asset services within the European Union and introduces a completely new licensing regime for CASPs (Crypto-Asset Service Providers).
As of January 1, 2026, it will no longer be possible to provide crypto-asset services in the Slovak Republic without the appropriate MiCA license. Many entrepreneurs still have questions regarding the functioning of so-called passporting, the requirements of the National Bank of Slovakia, company staffing arrangements, and the practical steps of the licensing process.
Based on the most common questions from our clients, we have prepared a practical FAQ that summarizes the most important regulatory aspects of obtaining a CASP license.
Is a license in one EU country sufficient?
Yes. One of the most significant advantages of the MiCA regime is “passporting”—a mechanism for cross-border business operations within the European Economic Area.
This means that if a company obtains a CASP license in one EU member state, it can subsequently provide services in other member states without needing to obtain separate licenses in each jurisdiction. However, the CASP must fulfill its notification obligation with respect to the relevant supervisory authority.
Is it possible to operate under a VASP registration?
No.
It is important to emphasize that VASP was never a “license” in the true sense of the word. It was a registration of the business activity without the more extensive regulatory requirements that MiCA now mandates.
The MiCA transition period in Slovakia ended on January 1, 2026. From this date, crypto-asset services may be provided within the EU exclusively by entities holding the relevant MiCA license.
Entities that continue to provide services without a CASP license expose themselves to significant regulatory, sanction, and reputational risks.
How long does the licensing process take?
The duration of the licensing process varies on a case-by-case basis.
Based on practical experience, the entire process from application submission to license issuance can be expected to take approximately 8 months. In some cases, however, it may be shorter or significantly longer.
The duration of the process is primarily influenced by:
- the applicant’s preparedness,
- the quality of the submitted documentation,
- the complexity of the business model,
- the scope of services provided,
- governance arrangements,
- the readiness of internal processes,
- technological infrastructure,
- outsourcing models,
- and the AML and compliance framework.
The NBS also emphasizes the importance of the so-called pre-licensing dialogue. Timely communication with the regulator can significantly reduce the risk of unnecessary delays and repeated requests to supplement documentation.
What requirements apply to the management body?
The management body (“Management Body” or “Executive Board”), which consists of the company’s executives, is one of the most important organizational components of a future CASP. Based on our experience with clients, we strongly recommend that their companies have a collective statutory body, as a single individual is not always objectively capable of covering all responsibilities arising from the MiCA Regulation.
MiCA and the NBS’s regulatory expectations place high demands on CASP managing directors in terms of:
- reputation,
- expertise,
- experience,
- time commitment,
- independence,
- and physical presence in the relevant country.
1. Good Repute
A member of the management body must not have been convicted of criminal offenses related to money laundering, terrorist financing, or other acts that call into question their trustworthiness.
However, the NBS does not consider only final convictions. It also takes into account:
- ongoing investigations,
- regulatory sanctions,
- previous regulatory violations,
- revoked licenses,
- conflicts of interest,
- politically exposed person (PEP) status,
- relationships with other members of management or the group.
2. Professional Knowledge and Experience
Each member of the management body must have adequate knowledge of how crypto-assets function and relevant professional experience.
The NBS typically expects experience in the following areas:
- financial services,
- investment services,
- fintech,
- blockchain technologies,
- cybersecurity,
- digital innovation,
- AML and compliance.
The principle of “collective suitability” is also important, meaning the ability of the management body as a whole to cover all relevant areas of expertise and the compatibility of the functions performed by individual members of the management body with one another.
3. Sufficient Time Commitment
The regulator also assesses in detail the time commitment of individual members of the management body.
In practice, the following is expected:
- the CEO devotes virtually full time to the role,
- other members of the management body devote at least 4 hours per day,
- at least 50% of working time must be devoted to the CASP,
- excessive “dual hatting” may be a problem.
The NBS examines all other work and functional commitments of executives and assesses whether they are capable of effectively performing their duties.
4. Local Presence
At least one member of the management body must reside within the territory of the Slovak Republic.
At the same time, it is expected that:
- the company will be effectively managed from within the EU,
- key decisions will not be made outside the EU,
- the company will not operate as a “letterbox entity.”
Which individuals must be present in the company?
Every CASP must have an appropriately established organizational and control structure.
The basic mandatory positions include:
- members of the management body,
- Compliance Officer/person responsible for internal control,
- AML/CFT Officer,
- person responsible for ICT and outsourcing.
The NBS places particular emphasis on the practicality of the organizational structure and the effective functioning of control mechanisms.
Can these functions be outsourced?
Not all of them.
Based on the NBS’s regulatory expectations and the MiCA Regulation, the following functions should be performed internally by employees:
- Compliance Officer,
- AML Officer,
- IT/ICT Manager.
These individuals should be internal employees of the company, and their roles cannot be fully outsourced.
Other support activities may be subject to outsourcing, but only if MiCA conditions are met and the management body retains full responsibility. Outsourcing never transfers regulatory responsibility to an external supplier.
Can key persons be from third countries?
Yes, but the situation is significantly more complex.
In the case of persons outside the EU, the following issues must be addressed, for example:
- residence status,
- work permits,
- Blue Card,
- type of legal relationship,
- scope of activities performed within the territory of the Slovak Republic.
At the same time, the NBS assesses with great sensitivity the actual performance of functions and the ability to participate effectively in the management of the company.
For key personnel from third countries, it is therefore essential to properly establish both the immigration and corporate structures before submitting an application.
Does the company need to have physical premises?
Yes—at least from the regulator’s perspective.
A virtual office, in and of itself, generally does not appear credible and may not meet the requirements for effective supervision by the NBS.
The regulator expects the company to have a real operational presence, for physical inspections to be possible, and for governance and control mechanisms to function in practice, not merely in form.
Regarding the period prior to the granting of a CASP license and before the commencement of operations, regulatory practice indicates that it is not necessary to have fully equipped physical office space secured at this stage.
Which roles are incompatible?
In particular, combining the role of company executive with that of the person responsible for internal control (Compliance Officer) is considered a fundamental conflict of interest. The compliance function must remain independent from executive management.
A CASP license is not just a “piece of paper”
MiCA fundamentally changes the standard of operation for crypto companies in Europe.
The licensing process today represents a comprehensive regulatory project that includes:
- governance,
- compliance,
- AML,
- ICT and cybersecurity,
- outsourcing,
- risk management,
- internal policies,
- corporate structure,
- personnel structure,
- regulatory communication with the NBS.
It is precisely the proper setup of the entire structure before submitting the application that often determines whether the process will be efficient or significantly prolonged.