[codicts-css-switcher id=”346″]

Global Law Experts Logo
MiCA authorisation process Malta 2026

Our Expert in Malta

Step-by-step Mica Authorisation Process in Malta (2026): Prepare, Documents, Timeline & Technical Readiness

By Global Law Experts
– posted 59 minutes ago

The MiCA authorisation process in Malta (2026) is the procedural gateway every crypto-asset service provider must now navigate to operate lawfully within the European Union. Since 1 July 2026, the Markets in Crypto-Assets Regulation (MiCA) is fully enforceable across all EU Member States, meaning any entity offering crypto-asset services, custody, exchange, transfer, advisory or portfolio management, must hold a valid Crypto-Asset Service Provider (CASP) authorisation or cease operations. In Malta, the Malta Financial Services Authority (MFSA) administers this process under both the directly applicable EU regulation and the domestic Markets in Crypto-Assets Act (Cap. 647).

This guide maps each stage of the CASP authorisation process, from eligibility assessment through post-authorisation obligations, aligned with the MFSA’s Circular to the Industry on the Authorisation Process for MiCA Applicants issued on 10 December 2024.

Overview of the MiCA Authorisation Process and Who It Applies To

MiCA establishes a single EU-wide licensing framework for crypto-asset service providers. Before its enforcement, Malta operated under its own Virtual Financial Assets (VFA) framework. That national regime is now superseded by MiCA for services falling within its scope. Any firm wishing to provide one or more of the ten categories of crypto-asset services listed in the regulation must obtain CASP authorisation from the competent authority of its home Member State, in Malta, the MFSA.

The MiCA requirements in Malta apply to entities that provide services such as the operation of a trading platform for crypto-assets, exchange of crypto-assets for funds or other crypto-assets, custody and administration of crypto-assets on behalf of clients, execution of orders, placement of crypto-assets, and advice on crypto-assets. Token issuers offering asset-referenced tokens or e-money tokens face separate authorisation requirements under MiCA’s Title III and Title IV provisions, which are outside the scope of this CASP-focused guide.

The MFSA oversees MiCA readiness from a supervisory perspective through its Crypto-assets division. Applicants should reference the MFSA’s dedicated crypto-assets page and the December 2024 circular as the primary procedural authorities. ESMA’s peer review work has also highlighted supervisory expectations that national competent authorities, including the MFSA, are expected to follow, a factor that shapes the depth of evidence Malta now demands from applicants.

Eligibility and Prerequisites for MiCA Authorisation in Malta

Eligibility checklist

Before initiating the CASP authorisation process, applicants must confirm they meet the following baseline MiCA requirements in Malta:

  • Legal entity in Malta. The applicant must be a body corporate incorporated or registered in Malta, or a branch of an EU or third-country firm established in Malta. A foreign company cannot apply directly without a Maltese corporate presence, it must incorporate a subsidiary or register a branch.
  • Minimum initial capital. MiCA prescribes minimum own-funds requirements that vary by service category, with the MFSA expecting applicants to demonstrate capital adequacy at the point of submission. The precise threshold depends on the services sought (e.g., custody-only versus full-service exchange).
  • Fit and proper management. All members of the management body, qualifying shareholders, and the designated Money Laundering Reporting Officer (MLRO) must satisfy fit-and-proper assessments. The MFSA evaluates reputation, competence, governance experience, and absence of criminal convictions.
  • AML/KYC framework. A fully documented anti-money laundering and counter-terrorism financing framework must be in place before application, including customer due diligence procedures, transaction monitoring mechanisms, and suspicious transaction reporting protocols.
  • IT resilience and custody arrangements. The applicant must demonstrate operational resilience, including system architecture documentation, cybersecurity controls, and, where custody services are offered, a clearly defined custody model with segregation safeguards.
  • Business continuity plan. A documented plan addressing service disruption, data recovery, and orderly wind-down scenarios is required.

Transition from VFA to MiCA

Existing holders of a VFA Services Licence issued under Malta’s former framework face a specific transition path. The MFSA Circular (10 December 2024) requires VFA licence holders to submit a Board resolution confirming their intent to apply for CASP authorisation and to initiate the formal surrender of the VFA licence once MiCA authorisation is granted. The transition from VFA to MiCA is not automatic, a full application is required. Entities that fail to obtain CASP authorisation by the enforcement date must cease providing crypto-asset services.

Step-by-Step CASP Authorisation Process in Malta

The following eight steps map the end-to-end CASP authorisation process as aligned with MFSA procedural expectations and the December 2024 circular. Each step identifies who is responsible and the principal deliverables.

Step 1: Conduct a pre-application assessment and define service scope

The applicant’s legal and compliance team identifies which of MiCA’s ten service categories the business intends to offer. This scoping exercise determines the capital requirements, the technical evidence needed, and the specific conditions the MFSA will attach to the licence. During this phase, many applicants engage with the MFSA informally to clarify expectations and confirm interpretation of the regulation’s service definitions.

Step 2: Complete corporate and governance preparations

The applicant incorporates a Maltese legal entity (if not already established), appoints the management body, designates an MLRO, and passes a Board resolution confirming intent to apply for CASP authorisation. The MFSA Circular (10 December 2024) specifically mandates this Board resolution as a submission item. Qualifying shareholders must be identified and their personal questionnaires prepared for fit-and-proper assessment.

Step 3: Prepare the AML/KYC and compliance framework

The compliance function drafts the full suite of AML/CFT policies: customer due diligence procedures, enhanced due diligence triggers, transaction monitoring rules, suspicious transaction reporting workflows, sanctions screening protocols, and record-keeping policies. These documents must comply with both MiCA’s provisions and Malta’s Prevention of Money Laundering Act. The MFSA MiCA checklist expects these as stand-alone policy documents, not summaries embedded in the business plan.

Step 4: Achieve technical and security readiness

This is where many applications stall. The applicant must produce detailed evidence of IT architecture, cybersecurity controls, and, where applicable, custody model design. Key deliverables include system architecture diagrams, penetration test reports, an ISO 27001 certificate or equivalent attestation of information security management, hardware security module (HSM) documentation for cryptographic key management, and data protection impact assessments. The MFSA increasingly expects evidence of operational resilience aligned with ESMA’s supervisory focus areas, including incident response plans and recovery time objectives.

Step 5: Prepare the application pack and commission third-party reports

The applicant assembles all MiCA application documents into a structured submission. This includes the business plan, programme of operations, financial projections, audited financial statements (or opening balance sheet for new entities), smart contract audit certificates (where the service involves interaction with on-chain protocols), and all policy documents from Steps 2–4. External auditors and technical assessors produce their reports during this phase. The MiCA compliance checklist 2026 should be used to cross-reference every MFSA requirement against the assembled evidence.

Step 6: Submit the application to the MFSA

The complete application pack is submitted to the MFSA through the Authority’s designated submission channel. The applicable filing fee is payable at submission. Applicants should confirm the current fee schedule directly with the MFSA, as fee structures are subject to periodic revision. The MFSA will acknowledge receipt and confirm whether the application is complete or requires supplementary information before formal review begins.

Step 7: Respond to MFSA review queries and follow-up requests

The MFSA conducts a detailed review of the application and will issue queries, typically in writing, addressing gaps, ambiguities, or requests for additional evidence. Industry observers expect the MFSA’s inquiry cycles to be more rigorous in 2026, reflecting ESMA peer review findings that encourage national competent authorities to intensify scrutiny of governance and technical controls. Applicants should allocate dedicated compliance and legal resources to respond promptly; delays in responding can extend the overall MiCA timeline in Malta significantly.

Step 8: Receive the decision and fulfil post-authorisation obligations

If the MFSA is satisfied, it issues the CASP authorisation. The licence specifies which services the entity is permitted to provide. Post-authorisation obligations include ongoing capital adequacy reporting, IT incident notification to the MFSA within prescribed timeframes, annual compliance reports, maintenance of AML/KYC controls, and notification of material changes to governance, ownership, or service scope. For entities transitioning from VFA, the formal surrender of the VFA licence is completed at this stage.

Step Who does it Typical duration
1. Pre-application assessment & scope definition Applicant (legal & compliance team) 2–4 weeks
2. Corporate & governance preparations Applicant (board, company secretary) 2–6 weeks
3. AML/KYC framework preparation Applicant (MLRO, compliance) 3–6 weeks
4. Technical & security readiness Applicant (CTO/IT team, external auditors) 4–8 weeks
5. Application pack assembly & third-party reports Applicant, external auditors, technical assessors 3–6 weeks
6. Submit application to MFSA Applicant 1–2 weeks
7. MFSA review & Q&A MFSA; applicant responds 10–18 weeks
8. Decision & post-authorisation onboarding MFSA (decision); applicant (compliance) 4–8 weeks

Required MiCA Application Documents

The MFSA expects a comprehensive set of documents structured in a logical order that mirrors the regulatory requirements. The following table lists the principal MiCA application documents the MFSA requires, drawing from the December 2024 circular and the Authority’s crypto-assets guidance.

Document Notes
Board resolution Signed resolution confirming the entity’s intent to apply for CASP authorisation; mandatory per MFSA Circular (10 Dec 2024).
Programme of operations / business plan Describes planned crypto-asset services, target markets, projected volumes, and revenue model. Must include three-year financial projections.
Organisational chart and governance structure Identifies management body members, MLRO, compliance officer, qualifying shareholders, and group structure (if applicable).
Personal questionnaires (fit and proper) Completed for each member of the management body, MLRO, and qualifying shareholders. Includes CVs, criminal record certificates, and declarations of good standing.
AML/CFT policy suite Stand-alone documents covering CDD, EDD, transaction monitoring, sanctions screening, STR procedures, and record-keeping. Must comply with Malta’s Prevention of Money Laundering Act.
Complaints handling procedure Documents the internal process for receiving, investigating, and resolving client complaints in line with MiCA requirements.
Custody and segregation policy Required where custody/administration services are offered. Must describe segregation of client and proprietary assets, private key management, and sub-custodian arrangements.
IT system architecture diagram Visual representation of the technology stack, including servers, APIs, blockchain node infrastructure, and data flows.
Cybersecurity and ICT risk assessment Narrative and evidential report addressing threat landscape, vulnerability management, access control, and incident response procedures.
ISO 27001 certificate or equivalent attestation Issued by an accredited certification body. Demonstrates compliance with international information security management standards.
Penetration test report Conducted by an independent third-party security firm. Must cover web application, API, and network layers. Dated within 6 months of submission.
Business continuity and disaster recovery plan Covers service disruption, data backup, recovery time objectives, and orderly wind-down procedures.
Smart contract audit report Required where the applicant’s service interacts with or deploys smart contracts. Conducted by an independent auditor; covers code logic, vulnerabilities, and compliance with specification.
Audited financial statements or opening balance sheet Audited accounts for existing entities; opening balance sheet for newly incorporated entities. Must demonstrate minimum own-funds compliance.
VFA licence surrender letter Required only for entities transitioning from VFA to MiCA. Submitted in parallel with CASP application per MFSA Circular (10 Dec 2024).

Applicants should treat this as a minimum list. The MFSA may request supplementary evidence during the review phase, particularly on technical assurance matters such as HSM key ceremony documentation, source code attestations, and data protection impact assessments. All documents should be submitted in English or Maltese and, where relevant, in PDF format with clear version control.

MiCA Timeline in Malta: Key Deadlines and Realistic Durations

Understanding the MiCA timeline in Malta is critical for planning. The entire process, from initial scoping through to authorisation decision, typically spans 6 to 12 months, depending on the complexity of the applicant’s service model, the completeness of the initial submission, and the volume of MFSA queries. The table below provides a detailed phase-by-phase breakdown.

Phase Who does it Typical duration
Pre-application scoping and MFSA informal engagement Applicant; MFSA (informal) 2–6 weeks
Compliance stack preparation (AML, governance, policies) Applicant (compliance, legal counsel) 4–8 weeks
Technical assurance and third-party audits (ISO, pentest, smart contract) Applicant (CTO); external auditors 3–6 weeks
Application assembly and submission to MFSA Applicant 1–2 weeks
MFSA initial completeness check MFSA 2–4 weeks
MFSA substantive review MFSA 8–12 weeks
Applicant responses to MFSA queries Applicant 2–6 weeks
Final decision and licence issuance MFSA 4–8 weeks

The critical deadline that overshadows the entire process is 1 July 2026, the date from which MiCA is fully enforceable. Entities providing crypto-asset services without authorisation after that date are operating unlawfully. For VFA licence holders, the transition from VFA to MiCA must be completed before the VFA framework ceases to have effect. The likely practical effect of compressed timelines in 2026 is that the MFSA may process a higher volume of applications, potentially extending review windows. Applicants are strongly advised to initiate the process as early as possible and to validate expected timelines directly with the MFSA during pre-application engagement.

Costs, Fees, and Financial Considerations

The cost of obtaining CASP authorisation in Malta comprises MFSA filing fees, external professional costs, and ongoing operational expenditure. The MFSA publishes its fee schedule separately and applicants should verify the current filing fee directly with the Authority before submission, as fee levels are subject to revision.

Item Estimated range Notes
MFSA application / filing fee Verify with MFSA Payable at submission; check current MFSA fee schedule.
Legal counsel (application preparation) €30,000–€80,000 Varies by firm, service complexity, and number of CASP categories sought.
Compliance consultant (AML/KYC framework) €15,000–€40,000 Includes policy drafting, MLRO support, and transaction monitoring design.
ISO 27001 certification €10,000–€30,000 Depends on scope and existing security maturity; includes certification body audit fees.
Penetration testing €5,000–€20,000 Independent third-party assessment; must be recent (within 6 months of submission).
Smart contract audit €8,000–€50,000 Required only where the applicant deploys or interacts with smart contracts; price depends on code complexity.
Custody infrastructure setup €15,000–€60,000 HSM procurement, key management design, sub-custodian agreements.
Minimum own-funds / capital requirement Per MiCA thresholds Varies by service category; must be held throughout the licence period.
Annual MFSA supervisory fee Verify with MFSA Ongoing annual fee payable post-authorisation.

Industry observers expect total all-in costs for a straightforward single-service CASP application to range from approximately €100,000 to €250,000 including the first year of operational expenditure, rising considerably for multi-service platforms with complex custody models.

What Changes in 2026 for the MiCA Authorisation Process in Malta

Three developments converge in 2026 to reshape the regulatory landscape for crypto-asset service providers seeking authorisation in Malta.

Full MiCA enforcement from 1 July 2026. The Markets in Crypto-Assets Regulation is directly applicable across all EU Member States from this date. Entities that have not obtained CASP authorisation, or that are not covered by a transitional arrangement, must cease providing crypto-asset services. This is not a soft deadline; enforcement action is available to the MFSA from day one.

MFSA Circular (10 December 2024) introduces Malta-specific submission requirements. The circular sets out the MFSA’s procedural expectations for MiCA applicants, including the mandatory Board resolution confirming intent to apply, the formal VFA licence surrender procedure for transitioning entities, and enhanced technical assurance evidence. These items supplement MiCA’s own application requirements and reflect the MFSA’s interpretation of its supervisory obligations under the new framework.

ESMA peer review sharpens supervisory scrutiny. ESMA has identified opportunities to strengthen MiCA authorisation processes across Member States, with particular focus on the quality of governance assessments, AML controls, and technical resilience evidence. Early indications suggest that national competent authorities, including the MFSA, are responding by intensifying inquiry cycles and demanding more granular documentation on custody arrangements, HSM key management, and operational resilience testing.

The combined effect for applicants is a compressed preparation window, higher documentation standards, and less tolerance for incomplete submissions. Firms that began the transition from VFA to MiCA before mid-2025 will have a significant advantage; late entrants face the risk of processing backlogs and potential service interruptions.

Common Pitfalls and How to Avoid Them

  • Incomplete AML/KYC framework. Submitting summary-level AML policies rather than stand-alone, fully detailed procedural documents is a frequent reason for MFSA queries. Draft each policy as a complete, auditable document before submission.
  • Weak or missing technical evidence. Applicants that cannot produce a current penetration test report, ISO 27001 certificate, or detailed system architecture diagram face delays. Commission these deliverables early, they often have lead times of 4–8 weeks.
  • Omitting the Board resolution or VFA surrender letter. The MFSA Circular (10 December 2024) makes the Board resolution a mandatory submission item. VFA licence holders must also initiate the surrender process. Missing either document will halt the application.
  • Underestimating response time to MFSA queries. The MFSA’s review generates detailed follow-up questions. Allocate a dedicated team to draft responses within days of receipt; delays of even 2–3 weeks per query round can add months to the overall timeline.
  • Insufficient smart contract audit scope. Where the service interacts with on-chain protocols, a cursory code review is inadequate. The audit must cover logic errors, reentrancy vulnerabilities, access control, and economic attack vectors.
  • Failing to validate timelines with the MFSA. Published estimates are indicative. The only reliable way to understand the current processing queue is to engage with the MFSA during the pre-application phase.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Anton Dalli at A2CO, a member of the Global Law Experts network.

Sources

  1. Malta Financial Services Authority, Circular to the Industry on the Authorisation Process for MiCA Applicants (10 December 2024)
  2. Malta Financial Services Authority, Crypto-Assets
  3. EUR-Lex, Markets in Crypto-Assets Regulation (MiCA)
  4. European Commission, Markets in Crypto-Assets (MiCA)
  5. European Securities and Markets Authority (ESMA), MiCA Authorisations Peer Review
  6. Malta Government Legislation, Markets in Crypto-Assets Act (Cap. 647)

FAQs

What are the steps to apply for MiCA/CASP authorisation in Malta?
The process follows eight principal stages: (1) pre-application scoping, (2) corporate and governance preparation including a Board resolution, (3) AML/KYC framework design, (4) technical and security readiness, (5) application pack assembly with third-party reports, (6) submission to the MFSA with applicable fees, (7) MFSA review and response to queries, and (8) receipt of the authorisation decision and fulfilment of post-licence obligations. The full procedure is detailed in the step-by-step section above.
The MFSA expects a comprehensive pack including the Board resolution, programme of operations, organisational chart, personal questionnaires for the management body and MLRO, the full AML/CFT policy suite, custody and segregation policy (where applicable), IT system architecture diagrams, cybersecurity risk assessments, ISO 27001 certification, penetration test reports, business continuity plans, smart contract audit reports (where relevant), and audited financial statements. VFA licence holders must additionally submit a VFA licence surrender letter. The required documents table in this guide provides the complete list with notes on format and validity.
From initial scoping to final decision, the end-to-end process typically spans 6 to 12 months. The preparation phase (Steps 1–5) accounts for approximately 3–6 months, while the MFSA review and decision phase (Steps 6–8) takes a further 3–6 months. Timelines can extend if the initial submission is incomplete or if the applicant is slow to respond to MFSA queries. Applicants should validate expected durations with the MFSA during pre-application engagement.
At a minimum, applicants must have: a complete AML/CFT framework with CDD, EDD, transaction monitoring and STR procedures; a defined custody model with segregation of client assets and documented private key management (including HSM protocols where applicable); an ISO 27001 certificate or equivalent information security attestation; a current penetration test report; an IT incident response plan with defined recovery time objectives; and a business continuity and disaster recovery plan. The MFSA may request additional evidence such as HSM key ceremony documentation and data protection impact assessments.
A foreign company cannot apply directly for CASP authorisation without a Maltese corporate presence. It must either incorporate a subsidiary under Maltese law or register a branch in Malta. The legal entity in Malta becomes the applicant and the licence holder. All governance, capital, and compliance requirements apply to the Maltese entity. Group-level resources can support the application, but the MFSA assesses the Maltese entity on a stand-alone basis.
Failing to respond to MFSA queries within the timeframes indicated can result in the application being deprioritised, placed on hold, or ultimately refused. In the context of the 1 July 2026 enforcement deadline, delays carry the additional risk that the applicant may be unable to operate lawfully while the application remains pending. The MFSA expects prompt, substantive responses. Where additional time is genuinely needed, applicants should communicate proactively with the Authority and provide a realistic timeline for the response.
delaware vs wyoming llc

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Step-by-step Mica Authorisation Process in Malta (2026): Prepare, Documents, Timeline & Technical Readiness

Send welcome message

Custom Message