In Focus: CASP Authorisation and Competency Requirements

Key Guidance Published by ESMA

The European Securities and Markets Authority (“ESMA”) has published key guidance for any firm contemplating an application for authorisation as a crypto-asset service provider (“CASP”) under the Markets in Crypto-Assets Regulation (“MiCAR”).

  • The first is ESMA’s Supervisory Briefing on the Authorisation of CASPs, published on 31 January 2025, which offers guidance to national competent authorities (“NCAs”) on how they should evaluate CASP applications.
  • The second is ESMA’s Guidelines on the criteria for the assessment of knowledge and competence under MiCAR, published on 28 January 2026, which set out the standards expected of CASP staff who provide information or advice to clients.

Read together, these publications paint a detailed picture of the practical expectations that applicant firms will need to meet. The key themes are clear: genuine substance in the EU, robust governance, rigorous internal controls, and appropriately qualified staff.

This update draws out the most important points that prospective applicants should bear in mind.

No Such Thing as a “Low-Risk” CASP

Perhaps the single most important message from ESMA’s Supervisory Briefing is that there are no “low-risk” CASPs. Every application will receive a meaningful level of scrutiny, and no applicant should expect a light-touch review on the basis that its activities are modest in scale. As ESMA sees it, CASPs — even smaller ones — often deal directly with retail investors and have a limited track record of regulatory compliance, which means they should be regarded as constituting a higher risk than entities operating in more established financial sectors.

That said, certain characteristics will trigger an elevated level of scrutiny beyond this already thorough baseline. These include significant size (CASPs with more than 1,000,000 yearly active users in the EU or a balance sheet exceeding EUR 3 billion), complex group structures, substantial cross-border activity (more than 200,000 yearly active users outside the home Member State), a prominent role in the broader crypto ecosystem, the combination of multiple crypto-asset services, and the combination of issuer and CASP activities.

ESMA considers the risk of money laundering and terrorist financing to be generally high for CASPs, given the cross-border nature of crypto-asset transfers, the speed at which value can be moved, and the potential for anonymity in certain transactions. This area will receive special attention during the authorisation process, and applicants should expect detailed questioning on their AML controls.

Substance and Governance: Demonstrating Real Presence in the EU

ESMA places considerable weight on the need for CASPs to demonstrate genuine substance and autonomous decision-making capacity within the EU, rather than simply establishing a shell presence.

At its core, this means the CASP must have the power to make decisions on its EU policy independently of any parent or group entity. Reporting lines should clearly demonstrate that autonomous decision-making capability exists at the EU level.

NCAs are expected to verify that at least one executive management board member is located in the jurisdiction of authorisation (with limited exceptions for small Member States), and that a significant local team is present.

The expectations around time commitment are stringent. The chief executive officer should, as a rule, devote 100 per cent of his or her time to the CASP. Other executive management board members should be able to devote at least half of their time to the CASP. Dual-hatting with a parent company is possible but should not impair the independence of the chair or the board’s ability to function effectively.

Executive management board members should possess strong local knowledge of both national and EU rules and should have relevant prior work experience — ideally in the same sector and ideally within the EU.

A business set-up where more functions are performed outside the EU than within it will be critically assessed. NCAs will look at both the number and importance of functions performed outside the EU, as well as the proportion of total costs spent on functions located outside the EU — a useful quantitative indicator of where real operational activity resides.

Internal Controls, Risk Management and Compliance

Applicants must establish a robust internal control framework that encompasses the entire organisation, including outsourced activities.

The framework must encompass, at a minimum, three distinct functions: risk management, compliance, and internal audit, each with clear roles and lines of responsibility. Combining risk management or compliance functions with internal audit will attract elevated scrutiny, as doing so may undermine independence and effectiveness.

However, ESMA recognises that for smaller or lower-risk CASPs, combining risk management and compliance may be acceptable where maintaining separate functions would be disproportionate.

On risk management, the expectations are thorough. The risk management framework should incorporate comprehensive policies and procedures, define a clear risk appetite, and establish limits and controls for the ongoing identification, measurement, assessment, monitoring, management, mitigation, and reporting of risks. CASPs should maintain a risk register and develop targeted mitigation strategies for each identified risk, assigning a risk owner with sufficient mandate and knowledge.

The compliance function must have sufficient independence, capacity, and competency, and CASPs should appoint at least one dedicated person to this role. Importantly, the compliance function should not be siloed as a back-office check; it should be involved in key strategic decisions, such as the choice of crypto-assets for which services will be offered and the selection of third parties with which to cooperate. A yearly compliance plan and regular reporting to the executive management board are expected.

Outsourcing: Avoiding the “Letter-Box Entity”

ESMA is clear that outsourcing arrangements must not result in the CASP becoming a “letter-box entity”, that is, a firm that exists in name within the EU but whose real operations lie elsewhere. Several principles emerge from the guidance.

A situation where more functions are outsourced outside the EU than are operated inside the EU should be carefully assessed, with NCAs examining both the number and importance of those outsourced functions. Outsourcing to jurisdictions where NCAs would be unable to obtain information from the outsourced entity is incompatible with MiCAR.

The outsourcing of AML functions is restricted, and responsibility for AML compliance must always remain with the CASP itself.

Particular attention should be paid to the outsourcing of ICT infrastructure, where NCAs will cross-refer to the requirements of the Digital Operational Resilience Act.

Where intra-group outsourcing is proposed, NCAs will assess whether this significantly affects the CASP’s ability to make autonomous decisions on its EU activities — the driving principle being that the best interests of the EU entity should take precedence over those of other group members.

The custody of client assets can only be outsourced to entities authorised under Article 59 of MiCAR or those operating under a grandfathering period.

Fit and Proper Assessment

The bar for board suitability is commensurate with the significance of the CASP. Larger, more complex, and more systemically important CASPs will be expected to have executive board members with higher levels of specific skill and experience.

Prior supervisory transgressions will be investigated, and while they do not automatically disqualify a board member, they may elevate the authorisation to a higher risk level and invite closer questioning.

NCAs will also consider any ongoing criminal proceedings involving the entity itself, members of its management body, shareholders, or persons directly or indirectly holding qualifying holdings.

Given the relative youth of the crypto-asset sector, all executive management board members must have at least a good level of understanding of the technical workings of crypto-assets and the services provided.

Where some board members have less management experience, this may be compensated for by other members with deeper management experience in the regulated finance industry, reflecting ESMA’s pragmatic acknowledgement that the talent pool in crypto is still maturing.

Business Plan

The business plan submitted alongside an application should be realistic and should contain projections of activity over a three-year period with clearly defined intermediate points, allowing NCAs to track projections against reality.

Crucially, NCAs will require applicants to demonstrate that they have considered how the continuity of their operations might be affected if revenues fall well below projections — in other words, firms must plan for pessimistic scenarios, not just favourable ones.

Staff Knowledge and Competence

ESMA’s Guidelines on knowledge and competence will apply six months after their publication in all official EU languages. They establish a framework that distinguishes between two categories of staff: those giving information about crypto-assets or crypto-asset services, and those giving advice. Staff giving advice are held to a higher standard.

Staff giving information must understand the key characteristics, risks, and features of the crypto-asset services offered, including the functioning of distributed ledger technology and the relevant protocols. They must also understand costs and charges, how crypto-asset markets function, the impact of economic events on crypto-asset values, and the differences in investor protection between the MiCAR and MiFID II frameworks.

To demonstrate competence, such staff must have obtained, prior to providing information, either a professional qualification of at least 80 hours together with six months of supervised experience, or at least one year of supervised experience.

A minimum of 10 hours of continuous professional development (“CPD”) per year is expected for staff giving information on a limited range of the least complex crypto-assets, with increased CPD requirements for those covering more complex products.

Staff giving advice must, in addition to the above, understand the total costs and charges in the context of advice, the suitability requirements under Article 81 of MiCAR, and portfolio management fundamentals including diversification.

Qualification pathways for advisory staff are more demanding and include: a three-year tertiary degree with one year of supervised experience; a secondary education degree and a three-year professional formation with one year of supervised experience; a professional formation of at least 160 hours with one year of supervised experience; or two years of prior advisory experience under MiFID II or the Insurance Distribution Directive with six months of supervised crypto experience.

A minimum of 20 hours of CPD per year is expected for staff advising on the least complex crypto-assets, again with higher requirements for more complex products.

Where information or advice is provided in an automated or semi-automated manner, these guidelines apply to the staff responsible for determining the content of the information or advice delivered to clients.

Organisational Requirements for Knowledge and Competence

CASPs must ensure a clear distinction between the roles of giving advice and giving information in their internal organisational structures and job descriptions. An internal or external review of staff development and experience needs must be carried out on at least an annual basis, and records concerning staff knowledge and competence must be maintained and available for submission to the NCA on request.

Staff who have not yet acquired the necessary knowledge and competence may work under supervision for a maximum period of four years, unless a shorter period is determined by the NCA. During this period, the supervisor must take responsibility for the relevant services as if the supervisor were providing them directly to the client.

Next Steps

Firms considering a MiCAR authorisation application should review these ESMA publications carefully and begin assessing their governance structures, staffing arrangements, outsourcing models, internal control frameworks, and staff training programmes against the expectations outlined above.

Early engagement with the relevant NCA is strongly advisable, given the comprehensive nature of the assessment process and the clear absence of any “low-risk” pathway. We would be happy to discuss these requirements in further detail and assist with the preparation of an application.

How Maples Group Can Help

We have successfully guided many clients through the Central Bank of Ireland’s (the “CBI”) authorisation process across all industry sectors.

We have a good understanding of how best to map proposed services to regulatory permissions, how to ensure permissions are broad enough to cover planned operations in the first 12 to 18 months post-authorisation, and how to clearly demonstrate and document a robust model in the application documents filed with the CBI, so as to make the process as smooth and efficient as possible.

Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website [1] and in our FSR [2] and FinTech [3] brochures.

If you would like further information, please liaise with your usual Maples Group contact or the persons listed.


[1] https://maples.com/en/services/specialty-services/irish-financial-services-regulatory
[2] https://maples.com/wp-content/uploads/2025/02/Financial-Services-Regulatory-Core-Services.pdf
[3] https://maples.com/wp-content/uploads/2023/10/FinTech-June-2021.pdf