MiCA CASP licensing-success forensic analysis

Last reviewed 2026-05-03  ·  Version 1.0.0  ·  Evidence cutoff 2026-05-03

ESMA’s interim MiCA register, as of 24 April 2026, recorded 177 successful CASP authorisations and notifications across the European Economic Area. Read as a positive-control population, it is not a homogeneous set of “crypto licences”. It is a mixed cohort of Article 63 authorisations and Article 60 notifications by already-regulated financial entities. That distinction is the first thing a serious applicant has to internalise — and the second thing supervisory authorities look for.

This analysis treats the 177-record register as the success population, supplements it with public NCA enforcement signals, and maps the patterns that separate higher-probability applicants from weak ones. The forensic graph below is the navigational view of the register itself: every successful entity is a node connected to its home Member State and to its pre-MiCA classification archetype, with service-scope breadth encoded by node size. Filter by jurisdiction × status × scope, or search by entity name, to subset the population. The reference index at the page foot mirrors the same data as crawlable text. The full forensic dataset — cleaned benchmark, archetypes, red-flag checklist, readiness scorecard — is available under briefing scope; contact partnership@finray.tech.

Companion artefact: the failure side of the survival curve — every CASP / pre-MiCA DASP authorisation that was revoked, voluntarily returned, refused, or failed regime transition — sits at MiCA CASP authorisation-withdrawal forensic register. 29 entities across AMF (France), MFSA (Malta) and CySEC (Cyprus); coverage gap for the remaining NCAs surfaced honestly rather than padded.

Population landscape

Germany leads numerically with 51 records, but the German cluster is not a simple crypto-native exchange cluster — it is heavily skewed toward banks, brokers, asset managers and narrow service notifications. Of the 51 DE records, 34 are likely Article 60 notifications by already-regulated financial entities (avg service breadth: 2.18). Malta has the highest average service breadth at 5.67, with 10 of 12 records covering five or more services — a concentration of broad crypto-native exchange models. The Netherlands combines early authorisations (first dated 30 December 2024) with a large crypto-native and broker base. France, Ireland and Luxembourg appear more institutionally selective from the positive-control population.

Volume is not a proxy for low standards or high standards. ESMA’s authorisation briefing is explicit that there are no low-risk CASPs, and that elevated scrutiny applies where size, complexity, cross-border activity, combination of services, outsourcing, group links, supervisory history and business-model novelty are present. A buyer assessing where to apply should read the jurisdiction distribution as evidence of deal-flow gravity, not regulatory permissiveness.

Service mix and what it implies

Custody (Article 3(1)(16)(a)) and transfer services (j) are the dominant rails — appearing in 117 and 107 records respectively. Trading platform operation (b) is rare (14 records) and should be treated as a high-risk service: order-book integrity, market abuse, operational resilience and conflicts management all stack onto an already-substantial Article 63 file. Advice (h, 21 records) and portfolio management (i, 30 records) are also relatively uncommon, reflecting suitability, conflicts and investment-process burdens that crypto-native applicants do not always anticipate.

The most common multi-service pattern is custody plus exchange for funds plus exchange for crypto plus transfer (a c d j) — the core retail exchange / broker custody bundle, present in 14 records. Adding e (execution) gives the next-most-common pattern at 10 records. The presence of b, h or i increases evidential burden disproportionately: any of those three nearly always pulls the applicant into a deeper conduct, market-integrity or fiduciary review.

Timing waves

The early wave starts in the Netherlands on 30 December 2024 and in Malta and Germany in January 2025. The large numerical wave is late 2025, peaking in December at 42 authorisations in a single month. This coincides with national transition deadlines: Lithuania’s central bank publicly stated that its transition period ended on 31 December 2025 and that crypto-asset services without a MiCA licence after that date would be illegal financial activity. France’s DASP cohort transitional period ends 1 July 2026, with AMF reminding applicants that complete files may take up to four months once complete, but original file versions are rarely complete and clarifications often cause additional delay.

Five applicant archetypes

The five status-class anchors in the graph above correspond to the five pre-MiCA archetypes observable in the success population. Counts are exact; probability bands are derived from observable patterns in the positive-control population plus regulator-signal frequency in the weak-control dataset:

• Bank / EMI / IF / other regulated (65 of 177 records — 80–90% success probability where the service is narrow and control evidence is live). Article 60 notification path is the dominant route here. Highest base success probability, but Article 60 is not a waiver of AML/CFT, custody or ICT evidence.
• Existing VASP converted (47 of 177 records — 65–80%). Article 63 conversion path. Risk concentrates in the upgrade gap between VASP-grade and MiCA-grade governance, custody and safeguarding evidence.
• Trading venue / broker / custody specialist (26 of 177 records — 65–85% where institutional-only and evidence is strong). Article 63 path. Risk concentrates in private-key governance, segregation, reconciliation and outsourcing chain. Trading-platform operation (service code b) is the rarest and highest-evidence service in MiCA — only 14 of 177 records include it.
• Pure crypto-native CASP (28 of 177 records — 45–65% as scope widens). Article 63 path. Supervisory scrutiny scales with scope, group complexity and product perimeter.
• Fintech / neobank crypto module (11 of 177 records — 70–85% where narrow and the partner model is clean). Article 60 or 63 hybrid depending on the underlying authorisation. Risk concentrates in perimeter blur and unauthorised partner/custody chain.

Two anti-pattern archetypes do not appear in the success population by construction and so are not nodes in the graph above. They are documented for completeness: thin local entity with outsourced compliance, broad scope, no real local executives; or offshore-linked retail platform mixing unregulated yield/leverage/staking products with the authorisation perimeter. Both should self-disqualify rather than target a particular jurisdiction.

Failure pattern is structural, not regulatory

There is no public EU-wide rejection register. The negative dataset is a weak-control set: public warnings, non-compliant-register signals, transition attrition and regulator statements about incomplete files. The strongest negative-control signals visible at the time of writing are an AFM warning about a cross-border crypto exchange operating in the Netherlands without the required licence and uncertain entity location (March 2026), and an NBS notice about a crypto-asset service provider continuing to operate in Slovakia without appropriate authorisation, entered under MiCA Article 110 into ESMA’s non-compliant entities register. Aggregate signals from a March 2026 secondary-source register study reported 98 MiCA non-compliant entities, with 96 attributed to Italy’s CONSOB.

Reading these signals as a class: weak applicants fail or stall because they ask the supervisor to trust assertions. Successful applicants supply evidence. A CASP application is not a policy-writing exercise; it is a test of whether the business can operate exactly as described, under an identifiable EU entity, with real people, real systems, real capital and auditable controls.

The hard blockers — in observed-frequency order — are unclear group structure or offshore service perimeter, weak local substance and decision-making outside the home Member State, AML/CFT framework that exists on paper but is not implemented or tested, custody/safeguarding model that cannot evidence segregation or wallet governance, and critical ICT/custody/compliance functions outsourced to third countries without supervisory access. None of these are visible in the public register itself — they surface in pre-application meetings, in NCA question rounds and in supervisory follow-up; the readiness scorecard in the forensic pack maps each blocker to its evidence requirements.

Service-scope realism

Of the 177 records, 125 are narrow or moderate scope. Only five records are very broad (8–10 services). This supports a sequencing lesson: broad “everything at once” applications are the exception, not the norm, and tend to be associated with larger, better-resourced or already-regulated applicants. The sequenced playbook visible across successful applicants is: narrow first; phase trading platform, advice and portfolio later; clean website and marketing before contact; pre-application meeting to test perimeter; regulator-ready governance pack with logs and MI behind every policy.

Application-readiness scorecard

The scorecard is a 10-category weighted instrument with hard-blocker caps. Categories: governance and substance (12), AML/CFT (14), custody and safeguarding (14), ICT/DORA (12), outsourcing (8), financial resources (8), service-scope realism (8), product perimeter and marketing (8), regulatory history and fit-and-proper (8), documentation and evidence quality (8). Hard blockers cap the total even where other categories score well. A score of 85–100 indicates a high-probability applicant assuming no unresolved hard blocker; 70–84 viable but remediation required; 55–69 high delay risk; 40–54 likely stall, withdrawal or refusal; below 40 indicates do-not-apply.

The scorecard, the red-flag checklist, the cleaned benchmark CSV (with confidence-scored business-model classifications), the failure weak-control dataset, the jurisdiction findings table and 10 derived datasets are available as a forensic pack under briefing scope. Email partnership@finray.tech with the subject line “MiCA CASP forensic pack”.

Methodology and caveats

The benchmark population is the ESMA interim MiCA register as of 24 April 2026 (177 records after cleaning). Cleaning steps: whitespace and label normalisation, home jurisdiction resolved from the home Member State field with the LEI country code as a fallback where missing, service codes parsed both from explicit letter prefixes and from free-text service descriptions, passporting country codes normalised, dates parsed as day/month/year, entity type and business model classified from observable register fields and conservative heuristics with per-record confidence scoring.

A record in the register is treated as positive-control evidence of authorisation or notification, but not as evidence that the firm is low risk or free of later supervisory concerns. Article 60 classifications are inferred unless the register comments explicitly state Article 60 or the entity type is very clear from legal name and service scope. Business-model classifications are operational inferences, not legal opinions. Public registers do not expose board composition, custody technical architecture, AML tooling, DORA maturity, outsourcing contracts or NCA question history; these are inferred from observable proxies and regulatory expectations, not asserted as facts.

This analysis is research, not legal advice. Applicants should validate any jurisdictional or service-scope inference against their own counsel and the relevant national competent authority before action. Finray Technologies Ltd is not a bank, payment institution, e-money institution, CASP or licensed financial intermediary of any kind.