Fintech Lawyers Poland 2026: Mica, Crypto Licensing & Payment Systems Amendment

Poland’s regulatory landscape for crypto-asset service providers and payment platforms is undergoing its most consequential transformation in over a decade. The convergence of the EU’s Markets in Crypto-Assets Regulation (MiCA), Poland’s Payment Systems Amendment 2026 and evolving PSD2 compliance obligations has created a narrow but high-stakes decision window for exchanges, custodians and token service providers seeking to operate in or passport through the Polish market. For general counsel, compliance officers and founders evaluating time-to-market, engaging experienced fintech lawyers Poland is no longer optional, it is the critical-path dependency that determines whether a firm can legally serve customers by year-end.

This guide provides the practical licensing routes, regulatory timelines, operational checklists and decision frameworks that compliance teams need to act on now.

Quick Decision Checklist

• Choose your licensing route. Determine whether your business model requires a Crypto-Asset Service Provider (CASP) authorisation under MiCA, a national Payment Service Provider (PSP) licence under PSD2, a legacy VASP registration, or a combination of these, each carries different capital, governance and timeline requirements.
• Assess Payment Systems Amendment 2026 impact. If your platform handles fiat on-ramps, off-ramps or settlement through Polish payment infrastructure, evaluate how the new direct-access rules for non-bank entities affect your bank onboarding strategy and technical integration.
• Map the MiCA passporting timeline. If Poland’s competent authority designation is not finalised, consider whether authorisation in another EU Member State with a confirmed regulator, followed by passporting into Poland, offers a faster and more certain route to market.

Poland 2026 Regulatory Snapshot, MiCA, Payment Systems Amendment & PSD2 Overlap

Three regulatory instruments now define the operating environment for fintech and crypto businesses in Poland. Understanding how they interact is essential before selecting a licensing pathway.

MiCA (Regulation (EU) 2023/1114) entered into force across all EU Member States as a directly applicable regulation. Its Title V provisions governing CASPs, including authorisation requirements, prudential standards and conduct-of-business rules, became fully applicable on 30 December 2024. However, Article 143 of MiCA provides transitional arrangements that allow Member States to permit entities already providing crypto-asset services under national law to continue doing so until 1 July 2026, or until they are granted or refused a CASP authorisation, whichever comes first. The critical condition is that each Member State must have designated a national competent authority to receive and process CASP applications.

Poland’s Payment Systems Amendment 2026 reshapes how non-bank financial institutions, including licensed crypto platforms, connect to Polish payment infrastructure. The amendment introduces direct-access provisions for qualifying non-bank entities, modifying the framework under which payment system operators must consider access requests. This has immediate implications for exchanges seeking fiat settlement rails and for payment aggregators integrating with SEPA and card-acquiring networks.

PSD2 compliance Poland obligations continue to apply to any entity providing payment services, including crypto firms that offer fiat payment initiation, account information services or e-money issuance alongside their crypto operations. Firms offering crypto-to-fiat conversion or payment-linked wallet services will in most cases need to hold both a CASP authorisation and a separate PSP licence or operate under an exemption.

Key Dates and What They Mean

Industry observers expect that if Poland does not finalise its competent authority designation before the 1 July 2026 deadline, domestic crypto firms relying on the Article 143 transitional window will face an abrupt loss of their right to continue operating. This scenario would force affected entities to either seek authorisation in another EU Member State and passport back into Poland or suspend services entirely, a contingency that prudent compliance teams should be planning for now.

Crypto Licensing Pathways in Poland: CASP, VASP & PSP Compared

Selecting the correct licensing route, or combination of routes, is the single most consequential decision for any crypto or fintech firm entering the Polish market in 2026. The choice determines not only what services a firm may offer, but also its capital requirements, governance obligations, time-to-market and ability to passport across the EU. This section provides the practical comparison that fintech lawyers Poland advise clients to evaluate before filing any application.

Licensing Route Comparison

When You Need Dual Authorisations (CASP + PSP)

A firm that both custodies crypto-assets and processes fiat payments, for example, an exchange offering direct bank withdrawals or a wallet provider with integrated card payments, will in most cases require both a CASP authorisation under MiCA and a PSP licence (or e-money institution licence) under PSD2. MiCA does not subsume PSD2; the two frameworks operate in parallel. Failing to secure dual authorisations exposes the firm to enforcement action on whichever leg is unlicensed.

Early indications suggest that the most common compliance failure among Polish crypto startups is treating the CASP application as sufficient to cover payment-related activities. Compliance teams should map every revenue-generating activity against both regulatory perimeters and confirm coverage before launch.

Typical Costs and Timeline Estimates

• High-complexity scenario (exchange + custody + fiat payments): Dual CASP + PSP filings; total external legal and compliance costs in the range of €150,000–€350,000; timeline 9–15 months to full operational readiness across both licences.
• Medium-complexity scenario (custody-only CASP): Single CASP filing; costs in the range of €80,000–€180,000; timeline 6–10 months.
• Lower-complexity scenario (payment aggregator, PSP only): PSD2 payment institution application; costs in the range of €50,000–€120,000; timeline 3–9 months, heavily influenced by bank onboarding speed.

Payment Systems Amendment 2026, Practical Impact on Direct Access and Bank Rails

Poland’s Payment Systems Amendment 2026 represents a structural shift in how non-bank financial institutions connect to domestic payment infrastructure. Before this amendment, non-bank entities, including licensed payment institutions and crypto exchanges with PSP authorisations, faced significant practical barriers to obtaining direct access to Polish payment systems. The amendment introduces a formal framework requiring payment system operators to consider access requests from qualifying non-bank entities on objective, non-discriminatory and proportionate criteria.

For crypto platforms and fintech companies, this creates a tangible operational advantage: the possibility of settling fiat transactions without routing through a sponsoring bank’s indirect access arrangement. Direct access reduces settlement latency, lowers per-transaction costs and removes a single point of failure, the sponsor bank, that has historically been a chokepoint for crypto businesses facing de-risking pressure.

Bank Onboarding and Card Acquiring Practicalities

Despite the amendment’s direct-access provisions, the likely practical effect will be incremental rather than immediate for most firms. Payment system operators retain the right to apply risk-based criteria when assessing access requests, and crypto businesses will still need to demonstrate robust AML controls, operational resilience and adequate capitalisation. Bank onboarding for card-acquiring arrangements remains relationship-driven, and firms should expect enhanced due diligence processes, particularly from Polish banks still cautious about crypto-sector exposure.

Industry observers expect that the amendment’s greatest near-term impact will be felt by established payment institutions seeking to expand into crypto-adjacent services, rather than by pure-play crypto startups applying for first-time access. Startups should plan for a bank-engagement timeline of 3–6 months, even after securing the necessary licences, and should maintain relationships with at least two banking partners to mitigate de-risking risk.

Integration Checklist for Exchanges

• Technical readiness: Confirm API compatibility with target payment system operator’s messaging standards (ISO 20022 for SEPA); implement real-time settlement monitoring.
• Compliance documentation: Prepare a comprehensive AML/CFT programme, transaction-monitoring framework and incident-response plan tailored to payment system operator requirements.
• Capital adequacy: Ensure own-funds levels meet both PSP (PSD2) and, where applicable, CASP (MiCA) minimums simultaneously, payment system operators may impose additional buffer requirements.
• Contractual framework: Engage counsel to negotiate access agreements, service-level agreements and liability allocation with the payment system operator, these are bespoke and non-standardised.
• Contingency planning: Maintain an indirect-access arrangement with a sponsor bank as fallback during the direct-access application and onboarding period.

MiCA Implementation Specifics for Poland, CASP Requirements, Competent Authority and Transitional Rules

MiCA’s CASP authorisation framework establishes uniform requirements across the EU, but the practical experience of obtaining that authorisation varies significantly by Member State. For firms targeting MiCA Poland specifically, the key variables are the status of competent authority designation, the national implementing measures that supplement MiCA’s directly applicable provisions, and the operational mechanics of Article 143 transitional rules.

Under MiCA, a CASP must satisfy requirements including minimum capital (ranging from €50,000 for firms providing only advisory or order-transmission services to €150,000 for those operating trading platforms or providing exchange services), governance and fit-and-proper standards for management, operational resilience including business continuity planning, custody segregation (client assets must be held separately from the firm’s own assets), and a comprehensive complaints-handling procedure. These requirements apply regardless of which Member State grants the authorisation.

Designation of Competent Authority, Contingency Planning

Poland’s designation of a competent authority to supervise CASPs under MiCA is the gatekeeping step for the entire domestic licensing pipeline. Without a designated authority, no CASP applications can be formally received, assessed or granted in Poland. The KNF (Komisja Nadzoru Finansowego) is the widely expected designee, given its existing supervisory remit over payment institutions and the financial markets. However, the formal designation requires Polish implementing legislation to be enacted.

Under Article 143 of MiCA, Member States may allow entities that were providing crypto-asset services under national law before 30 December 2024 to continue doing so until 1 July 2026, provided the Member State has elected to apply this transitional provision. If Poland’s competent authority is not operational by that date, providers relying on the transitional window face a legal cliff: their right to continue operating under national law expires, but no domestic authority exists to receive their CASP application.

Prudent firms should already be developing contingency plans. The two primary options are: (1) submit a CASP application in another EU Member State that has a confirmed and operational competent authority, with a view to passporting into Poland post-authorisation; or (2) prepare a fully complete application package so that it can be filed with the KNF immediately upon designation, minimising time-to-authorisation.

Cross-Border Passporting Timeline and Operational Steps

Once authorised as a CASP in any EU Member State, a firm may passport its services into other Member States by notifying its home competent authority, which then communicates with the host state authority. The notification process under MiCA does not require separate host-state approval, but the host authority must be informed. Practically, firms should allow 2–4 weeks for notification processing and should confirm local conduct-of-business requirements (such as language obligations for client-facing disclosures) in the host state before commencing operations.

For firms choosing to authorise in, for example, Lithuania, France or Germany, jurisdictions that have already operationalised their MiCA competent authorities, the total timeline from application to passported operations in Poland could range from 8–14 months, depending on the home-state regulator’s processing speed and the firm’s application readiness.

AML, Custody, PSD2 and Operational Compliance Checklist

Operational compliance is where licensing strategy meets daily business reality. Both MiCA and PSD2 impose substantive ongoing obligations that must be embedded into the firm’s technology stack, governance framework and staff training from day one. This section covers the core requirements that fintech lawyers Poland routinely advise clients to prioritise.

AML Programme Requirements

• Customer due diligence (CDD): Full KYC/KYB procedures for all clients, with enhanced due diligence (EDD) for high-risk categories including politically exposed persons (PEPs), high-value transactions and jurisdictions on the EU high-risk third-country list.
• Transaction monitoring: Automated, real-time monitoring calibrated to crypto-specific risk indicators, including blockchain analytics for on-chain transaction screening, wallet clustering and exposure to sanctioned addresses.
• Suspicious activity reporting: Obligation to file SARs with the Polish General Inspector of Financial Information (GIIF) in accordance with Poland’s AML Act; reports must be filed without delay upon identification of suspicious activity.
• Record retention: All CDD records and transaction data must be retained for a minimum of five years following the end of the business relationship or the date of the transaction.
• Staff training: Regular, documented AML/CFT training for all relevant personnel, including management, front-office and compliance staff.

Custody Models and Segregation

MiCA imposes strict custody obligations on CASPs providing custody and administration of crypto-assets. Client crypto-assets must be segregated from the firm’s own assets at all times. Firms must maintain a custody policy that specifies the types of crypto-assets held, the custody arrangements (including the use of hot wallets, cold storage and any third-party sub-custodians), insurance or comparable guarantee arrangements, and the procedure for returning assets to clients upon request or in the event of the firm’s insolvency.

Industry observers expect that regulators will scrutinise proof-of-reserves mechanisms and demand independent audits of custody arrangements with increasing frequency as the CASP supervision framework matures.

Reporting Obligations and Typical Thresholds

Recommended Technology and Compliance Stack

• Blockchain analytics: Integrate a chain-analysis tool (e.g., Chainalysis, Elliptic or equivalent) for real-time wallet screening and risk scoring.
• KYC/KYB platform: Automated identity verification with document authentication, liveness detection and PEP/sanctions screening, ensure coverage of Polish national ID documents.
• Transaction-monitoring engine: Rules-based and ML-assisted monitoring calibrated to crypto-specific typologies, with auditable alert-management workflows.
• Regulatory reporting module: Automated generation of SAR and large-transaction reports in the format required by GIIF.
• Custody infrastructure: Multi-signature cold-storage architecture with hardware security modules (HSMs), segregated client accounts and auditable key-management procedures.

Decision Matrix: Which Route Is Fastest to Market in 2026

The optimal licensing strategy depends on the firm’s business model, risk appetite and whether it prioritises speed or jurisdictional control. Below are four common profiles and the recommended fastest route for each.

• Startup exchange (crypto-to-fiat + custody): If Poland’s competent authority is not yet operational, the fastest route is CASP authorisation in a Member State with a confirmed regulator (e.g., France’s AMF or Lithuania’s Bank of Lithuania), followed by MiCA passporting into Poland. Expected time to market: 10–14 months. If KNF designation is imminent, filing domestically may save 2–3 months on passporting but introduces uncertainty risk.
• Custody-only provider: Lower capital requirement under MiCA (€50,000 minimum for advisory/order-transmission-only services; higher for full custody). A domestic Polish CASP application, if KNF is operational, offers the simplest path. Expected time to market: 6–10 months. Maintain the cross-border passporting option as contingency.
• Token issuer (asset-referenced or e-money token): Separate MiCA Title III or Title IV requirements apply (distinct from CASP authorisation). Engage specialist counsel early, these authorisations involve more complex capital, reserve and redemption-right requirements. Expected time to market: 9–18 months.
• Payment aggregator (fiat only, crypto-adjacent): PSP / payment institution authorisation under PSD2 from KNF is the established route. No CASP required unless the firm itself holds or transfers crypto-assets. Expected time to market: 3–9 months. Benefit from Payment Systems Amendment 2026 direct-access provisions once operational.

The likely practical effect of the current regulatory uncertainty is that firms with the resources to pursue parallel applications, one domestic, one cross-border, will reach market fastest, because they can pivot to whichever authorisation completes first.

Practical Next Steps: 90–180 Day Legal Project Plan

For firms committing to a Polish or EU-passported market entry in 2026, the following checklist provides a structured project plan across the critical first six months.

Days 1–30: Assessment and strategy

• Conduct a regulatory-perimeter analysis: map all planned activities against MiCA CASP categories and PSD2 service definitions.
• Determine whether single or dual authorisation is required.
• Select primary jurisdiction (Poland if KNF designation confirmed; alternative EU state otherwise).
• Engage fintech lawyers Poland or cross-border regulatory counsel.

Days 31–90: Pre-filing preparation

• Incorporate or restructure the Polish or EU entity to meet governance requirements (management body composition, fit-and-proper documentation).
• Capitalise the entity to meet minimum own-funds requirements.
• Draft AML/CFT policies, compliance monitoring programme and complaints-handling procedure.
• Commission custody infrastructure build (cold-storage architecture, HSM procurement, segregation protocols).
• Begin bank and PSP engagement, submit initial information packages to at least two target banks.

Days 91–180: Filing and operational build-out

• Submit CASP application to the competent authority (with full documentation package).
• If dual-authorised, submit PSP application to KNF in parallel.
• Complete technology stack integration (blockchain analytics, KYC platform, transaction monitoring).
• Conduct staff training and tabletop AML exercises.
• Finalise bank onboarding and direct-access application (if eligible under Payment Systems Amendment 2026).
• Prepare passporting notification package if authorisation is sought outside Poland.

Firms that follow this 180-day plan position themselves to be operationally ready by the time their authorisation is granted, rather than facing a further 3–6 month build-out after licence receipt, a delay that can be commercially fatal in a fast-moving market.

Conclusion

Poland’s 2026 regulatory environment presents both urgent risk and significant opportunity for crypto exchanges, custody providers and payment platforms. The intersection of MiCA, the Payment Systems Amendment 2026 and ongoing PSD2 obligations has created a compliance landscape where the cost of inaction, or of choosing the wrong licensing route, can mean exclusion from the market entirely. Firms that move decisively now, mapping their activities against the correct authorisation framework, preparing dual applications where necessary and building contingency passporting strategies, will secure first-mover advantage in one of Central Europe’s largest fintech markets.

The role of experienced fintech lawyers Poland in navigating this compressed timeline cannot be overstated: from regulatory-perimeter analysis through CASP filing to bank onboarding, specialist counsel converts regulatory complexity into a defined, executable project plan. To explore your licensing options and build a tailored market-entry strategy, connect with a qualified specialist through our Poland lawyer directory.

This article is provided for general informational purposes only and does not constitute legal advice. Regulatory requirements and timelines may change. Firms should seek tailored counsel from a qualified lawyer before making licensing or compliance decisions. Last updated: 9 May 2026.

Sources

1. European Union, MiCA Regulation (EUR-Lex)
2. Polish Financial Supervision Authority (KNF)
3. Global Law Experts, Poland Payment Systems Amendment 2026
4. Dudkowiak & Putyra, MiCA in Poland
5. CGO Legal, Crypto License in Poland
6. European Commission, DG FISMA MiCA Guidance