The final step has now been completed – the European Markets in Crypto-Assets Regulation, abbreviated as MiCAR, has been applicable in full since the end of 2024. The requirements regarding the authorisation and supervision of crypto-asset service providers (CASPs), for example, set out in Title V of MiCAR, have been applicable since 30 December 2024.

A crypto-asset is a digital representation of an asset or a right that can be electronically transferred between users and stored. The transfer is carried out by means of distributed ledger technology (DLT) or similar technology.

First comprehensive European regulatory framework

The background: MiCAR constitutes the first harmonised European regulatory framework for crypto-assets and CASPs (see info box “What does MiCAR regulate?”). The objective of MiCAR is to increase investor protection, prevent money laundering and terrorist financing, ensure the functioning of the markets and maintain financial stability. The Regulation also creates legal certainty for innovations in the field of distributed ledger technology.

New responsibilities for BaFin

A number of the new MiCAR requirements regarding the authorisation and supervision of CASPs had already been incorporated into the German Banking Act (Kreditwesengesetz – KWG) before MiCAR came into force. However, MiCAR also stipulates new, additional requirements in this area. Furthermore, MiCAR now allows for CASPs to be supervised on a basis harmonised at the European level. These CASPs include, for example, crypto custodians, operators of crypto-asset trading platforms and companies that provide customers with advice on crypto-assets, transfer crypto-assets or manage crypto-asset portfolios for their customers.

Applying for authorisation

Anyone intending to operate in Germany as a CASP must apply to BaFin for authorisation under MiCAR. There is no need for CASPs to make separate applications in every member state: once authorised under MiCAR, they are able to provide services throughout the EU on the basis of EU passporting. In Germany, service providers wishing to make use of this option must submit a passporting notification to BaFin (as the home supervisory authority). BaFin will then inform the host member state that the crypto-asset services are to be provided on a cross-border basis.

Simplified procedure for institutions already supervised by BaFin under the KWG

Institutions already supervised by BaFin must also apply for authorisation under MiCAR. These are institutions that were already allowed to provide financial services with crypto-assets before MiCAR because they had been authorised to do so under the KWG and had hitherto been supervised by BaFin under the KWG. However, these institutions may benefit from the simplified procedure offered under a transitional regulation. This allows them to continue providing crypto-asset services on the basis of their existing KWG authorisation until the decision has been taken on their application for authorisation under MiCAR. They are not yet able to benefit from the advantages of EU passporting, however, as this is only possible once authorisation under MiCAR has been granted.

BaFin’s gap analysis on MiCAR and the KWG

A gap analysis carried out by BaFin forms the basis for the simplified procedure. In this analysis, BaFin compared the MiCAR requirements with the previous requirements under the KWG and determined that institutions with KWG authorisation must only demonstrate compliance with requirements not prescribed under the KWG at the time authorisation was granted. In other words, they must prove that they comply with the requirements that have changed as a result of MiCAR. BaFin’s objective is to swiftly incorporate institutions already supervised by BaFin into the European supervisory regime.

Besides initially being able to continue offering crypto-asset services on the basis of the KWG authorisation, these institutions will have another advantage: the preparation and review of their MiCAR authorisation applications is likely to involve less work.

An additional factor expected to considerably speed up the application process for these institutions is the knowledge already accumulated over the years that will help them to meet the MiCAR requirements. This is particularly the case with the requirements regarding business organisation.

Challenges facing new MiCAR applicants

BaFin recommends that institutions intending to apply for the first time for authorisation as CASPs give thorough consideration to the regulatory requirements in the course of preparing their applications. The more thoroughly and professionally an application has been prepared, the greater the likelihood that BaFin will issue a positive authorisation notification. The reason is that MiCAR sets comparatively short deadlines for the supervisory authorities to examine and take decisions on applications. This narrows BaFin’s leeway for requesting further information and thereby avoiding application rejections.

MiCAR makes clear specifications in this regard – if an application is incomplete, inconsistent or, with regard to form and scope, not adequate, and if the applicant is unable to resolve the issue within the short deadline specified under MiCAR, supervisory authorities such as BaFin will have to reject the application.

Documentation to be submitted

MiCAR, in conjunction with the Regulatory Technical Standard on Article 62(5) of MiCAR and the Implementing Technical Standard on Article 62(6) of MiCAR, sets out the documentation and information required for an authorisation application; both technical standards are currently still under consultation.

The documentation must clearly indicate, for example, that the company has a viable business model and that it meets the IT requirements. Information on this can be found on the DORA (Digital Operational Resilience Act) landing page of the BaFin website.

Initial information about MiCAR can be found on the MiCAR landing page of the BaFin website.