The MiCA authorisation process in Malta (2026) is the procedural gateway every crypto-asset service provider must now navigate to operate lawfully within the European Union. Since 1 July 2026, the Markets in Crypto-Assets Regulation (MiCA) is fully enforceable across all EU Member States, meaning any entity offering crypto-asset services, custody, exchange, transfer, advisory or portfolio management, must hold a valid Crypto-Asset Service Provider (CASP) authorisation or cease operations. In Malta, the Malta Financial Services Authority (MFSA) administers this process under both the directly applicable EU regulation and the domestic Markets in Crypto-Assets Act (Cap. 647).
This guide maps each stage of the CASP authorisation process, from eligibility assessment through post-authorisation obligations, aligned with the MFSA’s Circular to the Industry on the Authorisation Process for MiCA Applicants issued on 10 December 2024.
MiCA establishes a single EU-wide licensing framework for crypto-asset service providers. Before its enforcement, Malta operated under its own Virtual Financial Assets (VFA) framework. That national regime is now superseded by MiCA for services falling within its scope. Any firm wishing to provide one or more of the ten categories of crypto-asset services listed in the regulation must obtain CASP authorisation from the competent authority of its home Member State, in Malta, the MFSA.
The MiCA requirements in Malta apply to entities that provide services such as the operation of a trading platform for crypto-assets, exchange of crypto-assets for funds or other crypto-assets, custody and administration of crypto-assets on behalf of clients, execution of orders, placement of crypto-assets, and advice on crypto-assets. Token issuers offering asset-referenced tokens or e-money tokens face separate authorisation requirements under MiCA’s Title III and Title IV provisions, which are outside the scope of this CASP-focused guide.
The MFSA oversees MiCA readiness from a supervisory perspective through its Crypto-assets division. Applicants should reference the MFSA’s dedicated crypto-assets page and the December 2024 circular as the primary procedural authorities. ESMA’s peer review work has also highlighted supervisory expectations that national competent authorities, including the MFSA, are expected to follow, a factor that shapes the depth of evidence Malta now demands from applicants.
Before initiating the CASP authorisation process, applicants must confirm they meet the following baseline MiCA requirements in Malta:
Existing holders of a VFA Services Licence issued under Malta’s former framework face a specific transition path. The MFSA Circular (10 December 2024) requires VFA licence holders to submit a Board resolution confirming their intent to apply for CASP authorisation and to initiate the formal surrender of the VFA licence once MiCA authorisation is granted. The transition from VFA to MiCA is not automatic, a full application is required. Entities that fail to obtain CASP authorisation by the enforcement date must cease providing crypto-asset services.
The following eight steps map the end-to-end CASP authorisation process as aligned with MFSA procedural expectations and the December 2024 circular. Each step identifies who is responsible and the principal deliverables.
The applicant’s legal and compliance team identifies which of MiCA’s ten service categories the business intends to offer. This scoping exercise determines the capital requirements, the technical evidence needed, and the specific conditions the MFSA will attach to the licence. During this phase, many applicants engage with the MFSA informally to clarify expectations and confirm interpretation of the regulation’s service definitions.
The applicant incorporates a Maltese legal entity (if not already established), appoints the management body, designates an MLRO, and passes a Board resolution confirming intent to apply for CASP authorisation. The MFSA Circular (10 December 2024) specifically mandates this Board resolution as a submission item. Qualifying shareholders must be identified and their personal questionnaires prepared for fit-and-proper assessment.
The compliance function drafts the full suite of AML/CFT policies: customer due diligence procedures, enhanced due diligence triggers, transaction monitoring rules, suspicious transaction reporting workflows, sanctions screening protocols, and record-keeping policies. These documents must comply with both MiCA’s provisions and Malta’s Prevention of Money Laundering Act. The MFSA MiCA checklist expects these as stand-alone policy documents, not summaries embedded in the business plan.
This is where many applications stall. The applicant must produce detailed evidence of IT architecture, cybersecurity controls, and, where applicable, custody model design. Key deliverables include system architecture diagrams, penetration test reports, an ISO 27001 certificate or equivalent attestation of information security management, hardware security module (HSM) documentation for cryptographic key management, and data protection impact assessments. The MFSA increasingly expects evidence of operational resilience aligned with ESMA’s supervisory focus areas, including incident response plans and recovery time objectives.
The applicant assembles all MiCA application documents into a structured submission. This includes the business plan, programme of operations, financial projections, audited financial statements (or opening balance sheet for new entities), smart contract audit certificates (where the service involves interaction with on-chain protocols), and all policy documents from Steps 2–4. External auditors and technical assessors produce their reports during this phase. The MiCA compliance checklist 2026 should be used to cross-reference every MFSA requirement against the assembled evidence.
The complete application pack is submitted to the MFSA through the Authority’s designated submission channel. The applicable filing fee is payable at submission. Applicants should confirm the current fee schedule directly with the MFSA, as fee structures are subject to periodic revision. The MFSA will acknowledge receipt and confirm whether the application is complete or requires supplementary information before formal review begins.
The MFSA conducts a detailed review of the application and will issue queries, typically in writing, addressing gaps, ambiguities, or requests for additional evidence. Industry observers expect the MFSA’s inquiry cycles to be more rigorous in 2026, reflecting ESMA peer review findings that encourage national competent authorities to intensify scrutiny of governance and technical controls. Applicants should allocate dedicated compliance and legal resources to respond promptly; delays in responding can extend the overall MiCA timeline in Malta significantly.
If the MFSA is satisfied, it issues the CASP authorisation. The licence specifies which services the entity is permitted to provide. Post-authorisation obligations include ongoing capital adequacy reporting, IT incident notification to the MFSA within prescribed timeframes, annual compliance reports, maintenance of AML/KYC controls, and notification of material changes to governance, ownership, or service scope. For entities transitioning from VFA, the formal surrender of the VFA licence is completed at this stage.
| Step | Who does it | Typical duration |
|---|---|---|
| 1. Pre-application assessment & scope definition | Applicant (legal & compliance team) | 2–4 weeks |
| 2. Corporate & governance preparations | Applicant (board, company secretary) | 2–6 weeks |
| 3. AML/KYC framework preparation | Applicant (MLRO, compliance) | 3–6 weeks |
| 4. Technical & security readiness | Applicant (CTO/IT team, external auditors) | 4–8 weeks |
| 5. Application pack assembly & third-party reports | Applicant, external auditors, technical assessors | 3–6 weeks |
| 6. Submit application to MFSA | Applicant | 1–2 weeks |
| 7. MFSA review & Q&A | MFSA; applicant responds | 10–18 weeks |
| 8. Decision & post-authorisation onboarding | MFSA (decision); applicant (compliance) | 4–8 weeks |
The MFSA expects a comprehensive set of documents structured in a logical order that mirrors the regulatory requirements. The following table lists the principal MiCA application documents the MFSA requires, drawing from the December 2024 circular and the Authority’s crypto-assets guidance.
| Document | Notes |
|---|---|
| Board resolution | Signed resolution confirming the entity’s intent to apply for CASP authorisation; mandatory per MFSA Circular (10 Dec 2024). |
| Programme of operations / business plan | Describes planned crypto-asset services, target markets, projected volumes, and revenue model. Must include three-year financial projections. |
| Organisational chart and governance structure | Identifies management body members, MLRO, compliance officer, qualifying shareholders, and group structure (if applicable). |
| Personal questionnaires (fit and proper) | Completed for each member of the management body, MLRO, and qualifying shareholders. Includes CVs, criminal record certificates, and declarations of good standing. |
| AML/CFT policy suite | Stand-alone documents covering CDD, EDD, transaction monitoring, sanctions screening, STR procedures, and record-keeping. Must comply with Malta’s Prevention of Money Laundering Act. |
| Complaints handling procedure | Documents the internal process for receiving, investigating, and resolving client complaints in line with MiCA requirements. |
| Custody and segregation policy | Required where custody/administration services are offered. Must describe segregation of client and proprietary assets, private key management, and sub-custodian arrangements. |
| IT system architecture diagram | Visual representation of the technology stack, including servers, APIs, blockchain node infrastructure, and data flows. |
| Cybersecurity and ICT risk assessment | Narrative and evidential report addressing threat landscape, vulnerability management, access control, and incident response procedures. |
| ISO 27001 certificate or equivalent attestation | Issued by an accredited certification body. Demonstrates compliance with international information security management standards. |
| Penetration test report | Conducted by an independent third-party security firm. Must cover web application, API, and network layers. Dated within 6 months of submission. |
| Business continuity and disaster recovery plan | Covers service disruption, data backup, recovery time objectives, and orderly wind-down procedures. |
| Smart contract audit report | Required where the applicant’s service interacts with or deploys smart contracts. Conducted by an independent auditor; covers code logic, vulnerabilities, and compliance with specification. |
| Audited financial statements or opening balance sheet | Audited accounts for existing entities; opening balance sheet for newly incorporated entities. Must demonstrate minimum own-funds compliance. |
| VFA licence surrender letter | Required only for entities transitioning from VFA to MiCA. Submitted in parallel with CASP application per MFSA Circular (10 Dec 2024). |
Applicants should treat this as a minimum list. The MFSA may request supplementary evidence during the review phase, particularly on technical assurance matters such as HSM key ceremony documentation, source code attestations, and data protection impact assessments. All documents should be submitted in English or Maltese and, where relevant, in PDF format with clear version control.
Understanding the MiCA timeline in Malta is critical for planning. The entire process, from initial scoping through to authorisation decision, typically spans 6 to 12 months, depending on the complexity of the applicant’s service model, the completeness of the initial submission, and the volume of MFSA queries. The table below provides a detailed phase-by-phase breakdown.
| Phase | Who does it | Typical duration |
|---|---|---|
| Pre-application scoping and MFSA informal engagement | Applicant; MFSA (informal) | 2–6 weeks |
| Compliance stack preparation (AML, governance, policies) | Applicant (compliance, legal counsel) | 4–8 weeks |
| Technical assurance and third-party audits (ISO, pentest, smart contract) | Applicant (CTO); external auditors | 3–6 weeks |
| Application assembly and submission to MFSA | Applicant | 1–2 weeks |
| MFSA initial completeness check | MFSA | 2–4 weeks |
| MFSA substantive review | MFSA | 8–12 weeks |
| Applicant responses to MFSA queries | Applicant | 2–6 weeks |
| Final decision and licence issuance | MFSA | 4–8 weeks |
The critical deadline that overshadows the entire process is 1 July 2026, the date from which MiCA is fully enforceable. Entities providing crypto-asset services without authorisation after that date are operating unlawfully. For VFA licence holders, the transition from VFA to MiCA must be completed before the VFA framework ceases to have effect. The likely practical effect of compressed timelines in 2026 is that the MFSA may process a higher volume of applications, potentially extending review windows. Applicants are strongly advised to initiate the process as early as possible and to validate expected timelines directly with the MFSA during pre-application engagement.
The cost of obtaining CASP authorisation in Malta comprises MFSA filing fees, external professional costs, and ongoing operational expenditure. The MFSA publishes its fee schedule separately and applicants should verify the current filing fee directly with the Authority before submission, as fee levels are subject to revision.
| Item | Estimated range | Notes |
|---|---|---|
| MFSA application / filing fee | Verify with MFSA | Payable at submission; check current MFSA fee schedule. |
| Legal counsel (application preparation) | €30,000–€80,000 | Varies by firm, service complexity, and number of CASP categories sought. |
| Compliance consultant (AML/KYC framework) | €15,000–€40,000 | Includes policy drafting, MLRO support, and transaction monitoring design. |
| ISO 27001 certification | €10,000–€30,000 | Depends on scope and existing security maturity; includes certification body audit fees. |
| Penetration testing | €5,000–€20,000 | Independent third-party assessment; must be recent (within 6 months of submission). |
| Smart contract audit | €8,000–€50,000 | Required only where the applicant deploys or interacts with smart contracts; price depends on code complexity. |
| Custody infrastructure setup | €15,000–€60,000 | HSM procurement, key management design, sub-custodian agreements. |
| Minimum own-funds / capital requirement | Per MiCA thresholds | Varies by service category; must be held throughout the licence period. |
| Annual MFSA supervisory fee | Verify with MFSA | Ongoing annual fee payable post-authorisation. |
Industry observers expect total all-in costs for a straightforward single-service CASP application to range from approximately €100,000 to €250,000 including the first year of operational expenditure, rising considerably for multi-service platforms with complex custody models.
Three developments converge in 2026 to reshape the regulatory landscape for crypto-asset service providers seeking authorisation in Malta.
Full MiCA enforcement from 1 July 2026. The Markets in Crypto-Assets Regulation is directly applicable across all EU Member States from this date. Entities that have not obtained CASP authorisation, or that are not covered by a transitional arrangement, must cease providing crypto-asset services. This is not a soft deadline; enforcement action is available to the MFSA from day one.
MFSA Circular (10 December 2024) introduces Malta-specific submission requirements. The circular sets out the MFSA’s procedural expectations for MiCA applicants, including the mandatory Board resolution confirming intent to apply, the formal VFA licence surrender procedure for transitioning entities, and enhanced technical assurance evidence. These items supplement MiCA’s own application requirements and reflect the MFSA’s interpretation of its supervisory obligations under the new framework.
ESMA peer review sharpens supervisory scrutiny. ESMA has identified opportunities to strengthen MiCA authorisation processes across Member States, with particular focus on the quality of governance assessments, AML controls, and technical resilience evidence. Early indications suggest that national competent authorities, including the MFSA, are responding by intensifying inquiry cycles and demanding more granular documentation on custody arrangements, HSM key management, and operational resilience testing.
The combined effect for applicants is a compressed preparation window, higher documentation standards, and less tolerance for incomplete submissions. Firms that began the transition from VFA to MiCA before mid-2025 will have a significant advantage; late entrants face the risk of processing backlogs and potential service interruptions.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Anton Dalli at A2CO, a member of the Global Law Experts network.
posted 10 minutes ago
posted 34 minutes ago
posted 1 hour ago
posted 1 hour ago
posted 2 hours ago
posted 3 hours ago
posted 5 hours ago
posted 7 hours ago
posted 9 hours ago
posted 9 hours ago
posted 9 hours ago
posted 10 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message