What Is a Crypto-Asset Service Provider (CASP) under MiCA, and Why It Matters for Sanctions

A Crypto-Asset Service Provider, or CASP, is the regulated legal person at the centre of the European Union's harmonised crypto perimeter. Under Article 3(1)(15) of Regulation (EU) 2023/1114 — the Markets in Crypto-Assets Regulation, universally abbreviated to MiCA — a CASP is any legal person or other undertaking whose occupation or business is the professional provision of one or more of ten enumerated crypto-asset services to clients within the EU, and that is authorised to do so by a national competent authority under Title V of the regulation. The definition is narrow, exhaustive and durable: it is the legal floor on which every subsequent EU rule about exchanges, custodians, transfer agents and brokers is built — including, since 23 April 2026, a sectoral prohibition on dealing with the Russian crypto economy. This page is the short methodology reference; the operational walk-through of the sanctions cliff lives in our flagship EU 20th-package CASP-ban briefing.[1][2]

TL;DR

A CASP is a legal person authorised under MiCA Title V to provide one or more of ten enumerated crypto-asset services within the EU.[1] The services are: custody, trading-platform operation, fiat-for-crypto exchange, crypto-for-crypto exchange, order execution, placing, reception and transmission of orders, advice, portfolio management, and transfer services. Issuance of asset-referenced and e-money tokens is regulated in parallel under MiCA Titles III and IV. The CASP regime applied from 30 December 2024 with a national transition period running to 1 July 2026.[3][4] Authorisations are granted by national competent authorities (BaFin in Germany, CNMV in Spain, CSSF in Luxembourg, AFM in the Netherlands, Banca d'Italia in Italy, AMF in France, MFSA in Malta, and equivalents) and listed in a central ESMA register.[5][6][7] Most importantly for OSINT and compliance work, the MiCA CASP perimeter has become the boundary of EU crypto sanctions: Article 5bb of Council Regulation 833/2014, inserted by the EU's 20th sanctions package on 23 April 2026, prohibits EU-domiciled CASPs from facilitating transactions with any CASP or platform established in Russia.[8][9][10]

What MiCA defines as a CASP

MiCA Article 3(1)(15) defines a "crypto-asset service provider" as a legal person or other undertaking that, on a professional basis, provides one or more crypto-asset services to clients and that is authorised to do so in accordance with Article 59. Article 3(1)(16) then enumerates — exhaustively — the ten crypto-asset services that, if provided professionally, require CASP authorisation:[1][2]

  1. Custody and administration of crypto-assets on behalf of clients.
  2. Operation of a trading platform for crypto-assets.
  3. Exchange of crypto-assets for funds (the fiat on-ramp / off-ramp service).
  4. Exchange of crypto-assets for other crypto-assets.
  5. Execution of orders for crypto-assets on behalf of clients.
  6. Placing of crypto-assets.
  7. Reception and transmission of orders for crypto-assets on behalf of clients.
  8. Provision of advice on crypto-assets.
  9. Provision of portfolio management on crypto-assets.
  10. Provision of transfer services for crypto-assets on behalf of clients.

The list is closed. Any business model that maps to one of those ten activities, conducted professionally for clients in the EU, requires authorisation. The list is intentionally modelled on MiFID II investment-services categories so that the regulatory grammar is familiar to securities and banking supervisors. Issuance of asset-referenced tokens (ARTs) and e-money tokens (EMTs) is regulated separately under MiCA Titles III and IV and triggers its own authorisation and white-paper-notification regime — an issuer of an ART or EMT is not a CASP in the strict Article 3(1)(15) sense, but is subject to a parallel MiCA regulated-entity perimeter.[2][6]

The authorisation regime

MiCA Title V (Articles 59 to 74) sets out the authorisation procedure. A prospective CASP applies to the national competent authority of the member state in which it has its registered office and where it intends to provide services. The competent authority must assess governance, capital adequacy, internal controls, the qualifications of management and significant shareholders, the operational resilience of the IT infrastructure, and the AML / counter-terrorist-financing framework. Once authorised, a CASP enjoys EU-wide passporting rights and may provide its authorised services across all 27 member states under the home-state-supervision model.[1][3]

The national competent authorities are the gatekeepers, and the directory is jurisdiction-specific:[5][6][7]

  • Germany — BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht): maintains a public companies database including CASP authorisations.
  • Spain — CNMV (Comisión Nacional del Mercado de Valores): publishes the official CASP register and was among the first NCAs to authorise CASPs under MiCA in 2025.
  • Luxembourg — CSSF (Commission de Surveillance du Secteur Financier).
  • Netherlands — AFM (Autoriteit Financiële Markten) and De Nederlandsche Bank.
  • France — AMF (Autorité des Marchés Financiers), in coordination with the ACPR.
  • Italy — Banca d'Italia / CONSOB.
  • Malta — MFSA (Malta Financial Services Authority).
  • Ireland — Central Bank of Ireland.
  • Lithuania — Bank of Lithuania, host to a material share of CEE-facing CASPs.

MiCA's CASP provisions in Title V applied from 30 December 2024. To prevent abrupt market exit, Article 143(3) permits member states to operate a transitional regime allowing entities that were lawfully providing crypto-asset services under national law before 30 December 2024 to continue doing so until 1 July 2026 (or any earlier date set by the member state). From 1 July 2026 onward, providing crypto-asset services within the EU without a MiCA authorisation is unlawful.[3][4] ESMA maintains a central public register under Article 109 listing all authorised CASPs across the EU, alongside notified white-paper issuers and significant ART/EMT issuers.[6]

Why the CASP definition matters for sanctions

Until April 2026, EU crypto sanctions on Russia were list-based: Article 5b of Council Regulation 833/2014, introduced in the 8th package of October 2022, prohibited EU providers from offering wallet, account or custody services to Russian persons and residents, and named entities were added to the consolidated sanctions list one by one. The EU's 20th sanctions package, adopted on 23 April 2026, restructured the regime entirely. New Article 5bb of Council Regulation 833/2014 introduces a sectoral prohibition on any EU-domiciled CASP engaging, directly or indirectly, in any transaction with any crypto-asset service provider or transfer or exchange platform established in the Russian Federation, with effect from 24 May 2026.[8][9][10][11]

The legal mechanism is straightforward: Article 5bb does not redefine the regulated population. It borrows MiCA's CASP definition wholesale and attaches a prohibition to it. The MiCA boundary becomes the sanctions boundary. Any entity that is a CASP under Article 3(1)(15) is in scope of Article 5bb on the EU side; any Russian-established entity that performs the functional equivalent of one of the ten enumerated services is in scope on the Russian side, irrespective of whether it holds any formal Russian licence. This is why MiCA's definitional choices — what counts as "custody", what counts as a "transfer service", what counts as "established" — are no longer abstract regulatory questions but the operative gates of the sanctions regime. The full operational walk-through, including residency edge cases, the Garantex / Grinex / A7A5 successor architecture, and the 30-day implementation cliff, is in our flagship CASP-ban briefing.[9]

Edge cases the definition strains

Three categories of activity sit awkwardly against the MiCA CASP definition, and each is now a live sanctions question rather than an academic one:

  • Fully decentralised protocols. Recital 22 of MiCA explicitly excludes from scope crypto-asset services provided in a fully decentralised manner without any intermediary. A protocol with no identifiable operator, no governance team, no front-end provider and no treasury falls outside the CASP perimeter. In practice most so-called DeFi protocols have one or more of those attributes, which is why ESMA and the European Commission have signalled that Level 2 measures and Q&A guidance will be required to draw the dividing line. Until that guidance is published, compliance teams must reason from the facts of each protocol's operating arrangements.[12][13]
  • Non-custodial wallet software. Pure software vendors that distribute self-custody wallet applications, without holding any client crypto-asset or controlling any private key, are generally not "providing custody" within Article 3(1)(17). The line blurs when the wallet provider integrates swap, staking, bridging or in-app fiat off-ramp services that are themselves enumerated services. Each integrated function must be assessed on its own terms.[12]
  • Peer-to-peer exchange. Two natural persons trading crypto-asset for crypto-asset directly do not create a CASP. A platform that matches such persons, takes custody, takes a fee, or executes orders on their behalf is engaged in one or more enumerated services and falls inside the perimeter. Marketplaces, OTC desks and "non-custodial" matching engines often sit on this line.[12][14]

How to verify a counterparty's CASP status

Four-step verification procedure

  1. Identify the legal entity. Establish the counterparty's exact legal name, legal form, registered office and member state of establishment. The CASP authorisation attaches to a specific legal person, not to a brand, domain or trading name. Pull the company-registry extract or LEI record to confirm.
  2. Check the national CASP register. Open the register maintained by the national competent authority of the member state of establishment — BaFin's companies database for Germany, the CNMV register for Spain, the CSSF supervised-entities register for Luxembourg, the AFM register for the Netherlands, the Banca d'Italia / CONSOB registers for Italy, the AMF / ACPR registers for France, and the equivalents for each member state.[5][7]
  3. Cross-check the ESMA central register. ESMA publishes a central register of authorised CASPs and notified white-paper issuers under Article 109 of MiCA. Cross-check the national-register entry against the ESMA central record to detect inconsistencies and to confirm passporting status.[6]
  4. Document the result. Capture a dated screenshot and a PDF copy of the register entry, and file the evidence with the counterparty risk record. If the counterparty does not appear on the register, document the negative result and apply the unauthorised-provider escalation under your AML / sanctions policy.

Limitations

Two structural limitations of the CASP perimeter are worth flagging up-front. First, third-country CASPs serving EU users without authorisation are outside MiCA's direct authorisation regime but are not therefore outside the reach of EU sanctions: a non-EU exchange serving Russian-counterparty flows that touch EU infrastructure may be reached through facilitation, anti-circumvention and indirect-exposure tests, even where it holds no MiCA authorisation. The same logic applies to non-EU intermediaries that route flows through EU venues. The reverse-solicitation carve-out under MiCA Article 61 is narrow and does not extend to active marketing.[1][13]

Second, the Article 5bb "established in Russia" test is a venue test on the Russian side, not a counterparty-residency test. It captures legal entities that are domiciled, registered, headquartered or principally operated out of the Russian Federation. It does not by itself capture a Kyrgyz, UAE, Kazakh, Belarusian or Turkish intermediary that handles Russian-counterparty flows without being itself established in Russia — those routes are reached only through Article 5b's services-to-Russian-persons regime, the EU consolidated sanctions list, the 50-Percent Rule on indirect ownership, and the AML / TFR enhanced-due-diligence framework. The MiCA definition is a precise instrument, and a precise instrument has predictable edges.[9][10]

Related references

Sources and further reading

  1. Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). Official Journal of the European Union, OJ L 150, 9 June 2023.
  2. Markets in Crypto-Assets Regulation (MiCA). European Securities and Markets Authority (ESMA), overview and Level 2 technical standards.
  3. Markets in crypto-assets regulation: implementing and delegated acts. European Commission, Directorate-General for Financial Stability, Financial Services and Capital Markets Union.
  4. Statement on MiCA transitional measures. European Securities and Markets Authority (ESMA), transitional provisions and timeline under Article 143.
  5. Crypto-assets — supervision and CASP authorisation. Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Germany.
  6. ESMA registers and data — central register of authorised CASPs. European Securities and Markets Authority.
  7. Register of Crypto-Asset Service Providers (CASPs). Comisión Nacional del Mercado de Valores (CNMV), Spain.
  8. Russia's war of aggression against Ukraine: 20th round of stern EU sanctions hits energy, military-industrial complex, trade and financial services, including crypto. Council of the EU press release, 23 April 2026.
  9. EU Adopts 20th Russia Sanctions Package. Skadden, Arps, Slate, Meagher & Flom LLP, 5 May 2026.
  10. EU Adopts 20th Package Against Russia & Parallel Sanctions on Belarus. Mayer Brown, 24 April 2026.
  11. EU Adopts 20th Sanctions Package on Russia — Including a Sweeping Ban on All Crypto Asset Transactions With Russian and Belarusian Providers. TRM Labs, April 2026.
  12. Lexology — MiCA scope of application: the CASP perimeter and DeFi exclusion. Lexology compendium of practitioner analyses, 2024-2026.
  13. The EU's 20th sanctions package targets the architecture of crypto sanctions evasion. Elliptic, April 2026.
  14. MiCA explained: how the EU's new crypto regulation works. Chainalysis, 2024 update.
  15. Sanctions Tracker: EU's 20th sanctions package targets energy revenues, the shadow fleet and financial circumvention. Herbert Smith Freehills Kramer, May 2026.

Need to verify the CASP status of a counterparty, or to scope your exposure to the Article 5bb perimeter?

We build counterparty-CASP exposure inventories that cross-reference the ESMA central register, national NCA registers, MiCA authorisations and the EU and OFAC consolidated sanctions records, and we trace the corporate-establishment evidence behind each counterparty against the Article 5b / 5bb / MiCA perimeter. Pair with our Sanctions Compliance service for the full screening workflow.

Request a CASP-perimeter review