MiCA Crypto License: Luxembourg Compliance Guide 2025
Complete guide to obtaining your VASP/CASP license in Luxembourg under the MiCA regulation. CSSF process, requirements, and timelines.
Updated: December 2025
The MiCA (Markets in Crypto-Assets) regulation harmonizes crypto regulation across the EU. This guide explains how to obtain your license in Luxembourg, Europe's crypto hub.
Understanding MiCA and the Regulatory Landscape
MiCA came into full effect on December 30, 2024. It replaces fragmented national regimes with a unified European framework, offering licensed businesses a "passport" to operate in all 27 member states.
MiCA Timeline
| Date | Event |
|---|---|
| June 2023 | Publication in EU Official Journal |
| June 2024 | Entry into force for stablecoins (ARTs, EMTs) |
| December 2024 | Full entry into force for CASPs |
| July 2026 | End of transitional period (grandfathering) |
Types of Regulated Crypto Services
MiCA defines the following crypto-asset services (CASP - Crypto-Asset Service Provider):
Services Requiring a License
- Custody and administration: Safekeeping of crypto-assets on behalf of clients
- Trading platforms: Operating exchange platforms
- Exchange against fiat: Crypto buy/sell services
- Crypto-to-crypto exchange: Conversion between crypto-assets
- Order execution: Execution on behalf of clients
- Placement: Distribution of crypto-assets
- Reception and transmission of orders
- Crypto-asset advisory
- Portfolio management
- Transfer services
MiCA Capital Requirements
| Service Type | Minimum Capital |
|---|---|
| Advisory, reception/transmission of orders | €50,000 |
| Exchange, placement, execution | €125,000 |
| Custody, trading platform | €150,000 |
Note: These amounts can be replaced by professional liability insurance covering the same risks.
License Acquisition Process in Luxembourg
Step 1: File Preparation (2-4 months)
- Incorporation of Luxembourg company (SARL or SA)
- Drafting detailed business plan
- Development of AML/KYC policies
- Governance setup (qualified directors)
- Technical documentation (cybersecurity, business continuity)
Step 2: Submission to CSSF (1-2 weeks)
The complete file includes:
- Official application form
- Programme of activities
- Organizational structure
- Evidence of capital/own funds
- Policies and procedures (AML, risk, client complaints)
- Director documentation (CVs, criminal records, fitness and propriety)
- Cybersecurity measures
- Business continuity plan
Step 3: CSSF Review (3-6 months)
- File analysis
- Additional questions
- Fitness and propriety verification of directors
- Technical compliance assessment
Step 4: Decision and Authorization
The CSSF has 40 business days to confirm file completeness, then 3 months to render its decision. Longer timelines are possible if additional information is required.
Governance Requirements
Qualified Directors
- Minimum 2 effective directors
- Residence or regular presence in Luxembourg
- Relevant experience in financial services or crypto
- Fitness and propriety (clean criminal record)
- Sufficient time dedicated to the role
Control Functions
- Compliance Officer: Compliance responsibility
- MLRO: AML responsibility (can be combined)
- Risk Manager: Risk management
- CISO: Information security
AML/KYC Obligations
CASPs are subject to enhanced anti-money laundering obligations:
- Client identification: Complete KYC before any business relationship
- Ongoing monitoring: Transaction monitoring
- Travel Rule: Information on origin and destination of transfers
- Suspicious activity reports: Reporting to FIU
- Sanctions screening: Verification against sanctions lists
Cybersecurity and Resilience
Technical Requirements
- Regular penetration testing
- Client data encryption
- Secure private key management (custody)
- Multi-factor authentication
- 24/7 system monitoring
- Incident response plan
DORA Compliance
The DORA (Digital Operational Resilience Act) regulation also applies to CASPs. It imposes additional requirements regarding digital resilience and ICT risk management.
Estimated Costs
| Item | Estimated Cost |
|---|---|
| Company incorporation | €5,000 - €8,000 |
| Minimum capital | €50,000 - €150,000 |
| CSSF file preparation | €30,000 - €80,000 |
| AML compliance (setup) | €15,000 - €40,000 |
| IT/Cybersecurity infrastructure | €20,000 - €100,000 |
| Total Setup | €120,000 - €380,000 |
Annual Recurring Costs
- Compliance Officer / MLRO: €80,000 - €150,000
- External audit: €15,000 - €40,000
- Professional liability insurance: €10,000 - €50,000
- Compliance tools (Chainalysis, etc.): €20,000 - €100,000
Advantages of Luxembourg for MiCA
- Experienced CSSF: First European regulator to have supervised crypto companies
- Developed ecosystem: Banks, auditors, and specialized service providers
- European passport: Access to 27 markets via single license
- Constructive dialogue: Pragmatic regulatory approach
- Legal stability: Predictable legal framework
Frequently Asked Questions
Can I operate during the license application?
If you were registered as a VASP before MiCA, you can continue to operate during the transitional period (until July 2026) while preparing your MiCA application.
Are Luxembourg resident directors required?
Not necessarily residents, but directors must be available and regularly present in Luxembourg. The CSSF expects effective presence.
Is a Luxembourg MiCA license valid throughout the EU?
Yes, this is the European passport principle. Once authorized in Luxembourg, you can offer your services in all member states via notification.
Ready to Take Action?
Found this guide helpful? We can connect you with specialized lawyers to turn your project into reality.