[codicts-css-switcher id=”346″]

Global Law Experts Logo
mica nca application germany

Talk with Our Expert

Jonathon Richards

Global Law Experts

Lead Enquiries Qualification
Delete Article

Mica NCA Application Germany Complete Bafin Authorisation Guide

By Jonathon Richards
– posted 2 hours ago

Since the Markets in Crypto-Assets Regulation (MiCA) became fully applicable on 30 December 2024, every crypto-asset service provider (CASP) operating in Germany must hold or be in the process of obtaining authorisation from the Federal Financial Supervisory Authority (BaFin). The MiCA NCA application Germany route is now the single gateway for exchanges, custodial wallet providers, portfolio managers, brokers and transfer-service operators that wish to serve clients from or within the German market.

With ESMA warning that most transitional windows close on 1 July 2026, the urgency for firms that have not yet filed or that hold legacy Kreditwesengesetz (KWG) authorisations and need to convert is acute. Late filers risk being unable to provide services lawfully in Germany and across the EU single market.

This guide is for founders, compliance officers and in-house counsel who need an actionable, BaFin-specific filing roadmap: step-by-step procedures, document checklists, realistic timelines, fee estimates and fast-track rules for already-supervised entities. For broader context on CASP licensing across the EU, see our full CASP licensing guide.

  • Key takeaway 1: BaFin is both authorisation body and ongoing supervisor for CASPs under MiCA in Germany there is no separate registration track.
  • Key takeaway 2: Legacy KWG crypto-custody licence holders may qualify for a simplified conversion, but must still file a formal MiCA application before the transitional deadline.
  • Key takeaway 3: Substantive review timelines range from three to twelve-plus months; early pre-application engagement with BaFin materially shortens the process.

Quick Summary Pre-Filing Action Checklist

  • ☐ Schedule a pre-application meeting with BaFin discuss scope, business model and any KWG overlap.
  • ☐ Determine your CASP service category custody, exchange, trading platform, portfolio management, transfer, execution or advice.
  • ☐ Prepare corporate governance documents articles of association, group ownership chart, fit-and-proper declarations for management.
  • ☐ Draft or update your AML/KYC programme policies, transaction monitoring systems, MLRO appointment and sanctions screening.
  • ☐ Compile capital adequacy proof audited accounts, shareholder-fund statements and forward-looking capital plan.
  • ☐ Prepare IT security documentation business continuity plan, incident response procedures, penetration-test reports and DORA alignment evidence.
  • ☐ Assemble custody-specific controls (if applicable) private key management policy, segregation model and proof-of-keys documentation.
  • ☐ Engage external advisers legal counsel, auditors and, where required, independent IT security assessors.

What Is MiCA and the Role of BaFin as NCA

MiCA in Brief

Regulation (EU) 2023/1114 commonly known as MiCA establishes a harmonised EU-wide framework for the issuance and offering of crypto-assets and for the provision of crypto-asset services. It covers asset-referenced tokens (ARTs), e-money tokens (EMTs) and other crypto-assets, and creates a uniform authorisation and conduct regime for CASPs. Title V of MiCA requires every CASP to be authorised by the National Competent Authority (NCA) of its home Member State before providing services anywhere in the EU.

BaFin as Germany’s NCA

In Germany, BaFin is designated as the NCA for MiCA purposes. BaFin receives and assesses CASP authorisation applications, grants or refuses authorisations, supervises ongoing compliance, and cooperates with ESMA and the EBA on cross-border matters. Authorised CASPs are entered into ESMA’s Interim MiCA Register, enabling them to passport services across the EU.

Key MiCA Dates and Transitional Windows

MiCA’s stablecoin provisions (Titles III and IV) applied from 30 June 2024; the full regulation including CASP authorisation requirements applied from 30 December 2024. Most Member-State transitional measures allowing existing providers to continue operating without MiCA authorisation expire on 1 July 2026. After that date, any CASP without a valid MiCA authorisation (or a pending application filed before the deadline, where the NCA permits continued operation) must cease services in Germany.

Who Needs BaFin Authorisation? CASP Types and KWG Intersections

CASP Activities Under MiCA

MiCA defines ten categories of crypto-asset services requiring authorisation. The most common activities relevant to a MiCA NCA application Germany filing include:

  • Custody and administration of crypto-assets safekeeping or controlling clients’ crypto-assets or access keys.
  • Operation of a trading platform matching buy/sell orders in crypto-assets.
  • Exchange of crypto-assets for funds or other crypto-assets acting as counterparty or broker.
  • Execution of orders concluding agreements to buy or sell crypto-assets on behalf of clients.
  • Portfolio management discretionary management of clients’ crypto-asset portfolios.
  • Transfer services transferring crypto-assets on behalf of clients.
  • Providing advice on crypto-assets personalised recommendations.

German KWG Intersections Kryptoverwahrgeschäft

Germany was among the first EU Member States to regulate crypto custody. Since 2020, § 1 (1a) sentence 2 no. 6 of the Kreditwesengesetz (KWG) classified crypto custody (Kryptoverwahrgeschäft) as a financial service requiring BaFin authorisation. Firms already holding a KWG crypto-custody licence interact with MiCA’s regime through Article 143 transitional measures: they may continue operating under their existing licence until the transitional deadline, provided they file for full MiCA authorisation before that date. BaFin offers a simplified conversion pathway for these entities (see the fast-track section below).

Who Is Out of Scope?

Pure non-custodial software wallet providers where the user alone controls private keys and the provider has no access to funds generally fall outside MiCA’s authorisation scope. However, BaFin applies a substance-over-form analysis: if a provider’s architecture gives it the technical ability to execute or block transactions, BaFin may classify the activity as custodial. Entities uncertain about their classification should seek a pre-application discussion with BaFin before concluding they are out of scope.

MiCA NCA Application Germany Step-by-Step BaFin Process and Timeline

Below is the end-to-end application route, from initial engagement to authorisation decision. Each step includes practical timeline ranges based on industry experience with BaFin reviews to date.

Step 1: Pre-Application Engagement with BaFin (2–6 Weeks)

Request a pre-application meeting with BaFin’s relevant department (Wertpapieraufsicht / Financial Services Supervision). Present your business model, proposed CASP activities, corporate structure and any existing KWG authorisation.

Prepare a preliminary information package covering: a concise business plan, draft organisational chart, summary of IT architecture and custody model, AML risk assessment synopsis and capital position overview.

Clarify the regulatory perimeter confirm which MiCA service categories apply and whether any activities also trigger obligations under the German Geldwäschegesetz (GwG), the Securities Trading Act (WpHG) or DORA.

Industry observers note that firms engaging BaFin early before filing typically experience significantly shorter completeness-check phases and fewer deficiency queries.

Step 2: Filing the Application (T0)

Submit the formal application via BaFin’s designated portal, using the prescribed forms. BaFin has published MiCA-specific form templates (including the MiCA-STOR form) and expects filings to follow the ESMA/EBA Implementing Technical Standards (ITS) format where applicable.

Attach all required supporting documents see the detailed document checklist section below. Ensure each document is current, signed where required, and cross-referenced to the relevant MiCA article.

Pay the application fee BaFin charges an upfront fee upon filing (see fees section).

Step 3: Completeness Check (2–8 Weeks)

☐ BaFin issues a completeness statement confirming that the application dossier is formally complete, or a deficiency notice listing missing or insufficient documents.

☐ Common grounds for deficiency include: unsigned fit-and-proper declarations, incomplete group ownership charts, missing independent audit opinions on capital, and insufficient detail in AML/KYC programme documentation.

Cure period: BaFin typically allows a reasonable cure window (often four to six weeks) to remedy deficiencies before deeming the application incomplete.

Step 4: Substantive Review (3–12+ Months)

☐ BaFin conducts an in-depth assessment covering: governance and fitness-and-propriety of management; prudential soundness (capital adequacy, solvency forecasts); IT and operational security (DORA alignment, penetration-test results); AML/CFT controls (GwG compliance, transaction-monitoring capability); custody arrangements (private-key controls, segregation, proof-of-keys); and conduct-of-business rules (conflicts of interest, complaints handling, client disclosures).

☐ Expect multiple rounds of supplementary questions. BaFin may request on-site inspections, third-party audit reports or additional capital stress-test scenarios.

☐ Complex applications such as those involving asset-referenced tokens, multi-jurisdictional custody chains or novel DeFi-interfacing models tend toward the longer end of the timeline range.

Step 5: Decision and Publication (1–6 Weeks Post-Decision)

☐ BaFin issues a formal authorisation decision which may be unconditional, subject to conditions (e.g., phased service rollout), or a refusal with reasons.

☐ Upon authorisation, BaFin notifies ESMA, which updates the Interim MiCA Register. The CASP may then passport its services across the EU via the notification procedure.

What Extends Review Timelines

BaFin reviews tend to take longer where: external audits are pending; the applicant relies on third-party custody sub-custodians; the business model involves complex ART/EMT prudential requirements; or governance structures span multiple jurisdictions. The EBA’s published regulatory technical standards provide detailed templates that, if used correctly, can accelerate the review process.

Document Checklist for a MiCA NCA Application Germany

Corporate and Ownership Structure

  • Articles of association / Gesellschaftsvertrag BaFin looks for clear corporate purpose aligned to proposed CASP activities. Suggested file: Corporate_Articles_v[date].pdf
  • Group ownership chart showing all direct and indirect shareholders with qualifying holdings (≥ 10%). Suggested file: Group_Ownership_Chart.pdf
  • Shareholder due diligence identity documents, source-of-funds declarations and criminal-record certificates for all qualifying holders. Suggested file: Shareholder_DD_Pack.pdf

Governance and Fitness-and-Propriety

  • Management CVs detailed professional history demonstrating relevant experience and qualifications. Suggested file: CEO_CV_FitProper.pdf
  • Fit-and-proper declarations signed declarations covering criminal, regulatory and financial background for each director. Suggested file: FitProper_Declaration_[Name].pdf
  • Outsourcing arrangements register of all material outsourced functions, including sub-custody, IT hosting and compliance. Suggested file: Outsourcing_Register.xlsx

AML/KYC Programme

  • AML/CFT policy comprehensive policy covering customer due diligence, enhanced due diligence, PEP screening and risk assessment, in compliance with the GwG. Suggested file: AML_Policy_v[date].pdf
  • Transaction monitoring framework description of automated monitoring rules, alert-handling workflows and suspicious activity reporting (SAR) procedures. Suggested file: TxMonitoring_Framework.pdf
  • MLRO appointment appointment letter and qualifications of the designated Money Laundering Reporting Officer. Suggested file: MLRO_Appointment.pdf
  • Sanctions screening evidence of integration with sanctions databases (EU, UN, OFAC) and screening frequency. Suggested file: Sanctions_Screening_Spec.pdf

Custody Setup (If Applicable)

  • Custodial model description architecture diagrams, hot/cold wallet split, multi-signature configurations. Suggested file: Custody_Architecture.pdf
  • Private key controls access-management procedures, hardware security module (HSM) details and key-ceremony protocols. Suggested file: Key_Management_Policy.pdf
  • Segregation model evidence of client-asset segregation at the blockchain and operational level. Suggested file: Asset_Segregation_Model.pdf
  • Proof of keys / reserves independent attestation or cryptographic proof-of-reserves report. Suggested file: ProofOfKeys_Report.pdf

IT and Security

  • Business continuity plan (BCP) disaster-recovery procedures, RTO/RPO targets and test results. Suggested file: BCP_Plan.pdf
  • Incident response plan classification matrix, escalation paths, regulatory notification procedures. Suggested file: Incident_Response_Plan.pdf
  • DORA alignment evidence mapping of ICT risk-management framework to DORA requirements. Suggested file: DORA_Alignment_Matrix.xlsx
  • Penetration-test report recent (within 12 months) external pen-test results and remediation evidence. Suggested file: PenTest_Report_[date].pdf

Prudential / Capital and Solvency Proofs

  • Audited financial statements most recent annual accounts, audited by an approved statutory auditor. Suggested file: Audited_Accounts_FY[year].pdf
  • Shareholder funds statement evidence that own funds meet or exceed MiCA minimum capital requirements. Suggested file: OwnFunds_Statement.pdf
  • Capital plan three-year forward-looking capital forecast under base and stress scenarios. Suggested file: Capital_Plan_3yr.xlsx

Policies and Client-Facing Documentation

  • Terms and conditions / client agreements draft client agreements reflecting MiCA conduct-of-business rules. Suggested file: Client_Terms_Draft.pdf
  • Safekeeping policy detailed safekeeping arrangements for client crypto-assets. Suggested file: Safekeeping_Policy.pdf
  • Conflicts of interest policy identification, prevention and management of conflicts. Suggested file: COI_Policy.pdf
  • Complaints-handling procedure client complaint intake, escalation and resolution workflow. Suggested file: Complaints_Procedure.pdf

Expected BaFin Fees and Capital Minima

BaFin Application Fees

BaFin’s fee model comprises an upfront application (authorisation) fee and ongoing annual supervision levies. Application fees for CASP authorisations have historically ranged from approximately €10,000 to €30,000+, depending on the complexity and number of services sought. Ongoing supervision fees are calculated annually based on the firm’s revenue and BaFin’s cost-allocation methodology. Applicants should verify the current BaFin fee schedule at the time of filing, as fees are adjusted periodically.

Capital Minima by CASP Category

MiCA prescribes minimum own-funds requirements that vary by service type. The following table summarises conservative estimate ranges; exact thresholds are defined in the EBA’s regulatory technical standards and MiCA Article 67:

CASP Activity Minimum Own Funds (Indicative) Notes
Custody and administration €125,000 Higher where combined with other services
Operation of a trading platform €150,000 Scaled by volume; EBA RTS may impose add-ons
Exchange / execution of orders €150,000 May be higher for principal-dealing models
Portfolio management / advice €125,000 Lower base but conduct-risk capital buffers apply
Transfer services only €125,000 Simplest capital profile

Note: These figures reflect MiCA statutory minima. BaFin may require higher own funds based on the applicant’s risk profile, projected volumes and stress-test outcomes. Applicants should consult the latest EBA prudential RTS and BaFin guidance at the time of filing.

Common BaFin Review Questions and How to Respond

During substantive review, BaFin typically raises supplementary questions. The following are the most frequently encountered topics, with model response approaches:

  1. Segregation of client assets Provide an architecture diagram showing on-chain segregation (individual vs omnibus wallets), reconciliation frequency and independent audit confirmations.
  2. Private key controls Detail HSM specifications, multi-signature thresholds, key-ceremony protocols and access-logging mechanisms.
  3. Continuity of operations Present BCP test results, recovery-time evidence, and contingency plans for key-person risk and technology-vendor failure.
  4. AML transaction monitoring Demonstrate rule calibration, false-positive management metrics, SAR filing statistics and blockchain-analytics tool integration.
  5. Capital adequacy evidence Supply auditor-confirmed own-funds calculations, stress-test outputs under three scenarios and a liquidity contingency plan.
  6. Governance independence Show clear separation of first-line (business), second-line (compliance/risk) and third-line (audit) functions with independent reporting lines.
  7. Third-party service contracts Provide executed agreements with sub-custodians, IT hosting providers and outsourced compliance functions, including SLA terms and audit-right clauses.
  8. Incident reporting processes Map your notification chain against MiCA and DORA timelines (e.g., initial notification within four hours of classification for major ICT incidents) and provide sample incident-report templates.

A best-practice approach is to pre-populate an evidence matrix cross-referencing each expected BaFin query to a specific document, page number and responsible officer and submit it alongside the application dossier.

Fast-Track and Grandfathering Rules for Existing Supervised CASPs

Article 143 of MiCA provides transitional measures for entities already authorised under national law before 30 December 2024. In Germany, this primarily applies to firms holding a KWG Kryptoverwahrgeschäft licence under § 1 (1a) KWG.

These entities may continue operating under their existing BaFin authorisation until the end of the applicable transitional period in most cases, 1 July 2026 provided they file a MiCA authorisation application before that date. ESMA has emphasised that last-minute applications risk not being processed before the transitional window closes, leaving the firm in regulatory limbo.

BaFin applies a simplified assessment for already-supervised entities: where documentation such as AML programmes, governance structures and capital proofs is already on file from the KWG authorisation, BaFin accepts cross-references rather than requiring full re-submission. The result is a materially shorter completeness-check phase and a streamlined substantive review, typically two to four months faster than a de novo application.

Practical Timeline Examples and Estimated Costs

Case A: Small Custodial Wallet Provider

Profile: Germany-registered GmbH, single custody product, five employees, no KWG legacy licence.
Preparation: 8–12 weeks (governance documentation, AML programme build, IT security audit).
Substantive review: 3–6 months.
Estimated advisory and filing costs: €40,000–€100,000 (legal, audit and consultancy fees combined).
Key risk factor: Pen-test remediation and independent custody-model audit can add four to eight weeks.

Case B: Cross-Border Exchange Migrating to BaFin

Profile: Multi-jurisdiction group relocating its EU hub to Germany, offering exchange, execution and custody complex custody chain involving third-party sub-custodians.
Preparation: 3–6 months (corporate restructuring, group ownership due diligence, multi-jurisdiction AML harmonisation).
Substantive review: 6–12+ months.
Estimated advisory and filing costs: €150,000–€400,000.
Key risk factor: Sub-custodian contract negotiations and cross-border data-protection assessments frequently extend timelines.

Case C: Legacy KWG Custodian MiCA Conversion (Fast-Track)

Profile: Firm holding a KWG Kryptoverwahrgeschäft licence since 2021, established BaFin supervisory relationship, existing AML and governance frameworks.
Preparation: 4–8 weeks (gap analysis against MiCA, supplementary document preparation).
Substantive review: 2–4 months.
Estimated conversion costs: €25,000–€80,000.
Key risk factor: Firms that delay beyond early 2026 risk bottleneck effects as BaFin processes a surge of conversion applications approaching the 1 July 2026 deadline.

Note: All cost estimates are indicative and depend on audit scope, third-party opinion requirements, capital proof complexity and bespoke IT remediation needs. Conservative budgeting is advisable.

Downloadable Checklist and Templates

To support your MiCA NCA application Germany filing, the following resources are available for download:

  • GLE-MiCA-BaFin-Checklist.pdf one-page pre-filing and document checklist covering all sections above.
  • GLE-Document-Index-MiCA.xlsx detailed document index with BaFin cross-references, responsible-officer fields and status tracker.
  • GLE-Management-CV-Template.docx sample management CV template aligned to BaFin’s fit-and-proper requirements.

Service Comparison Typical Costs and Timelines by Provider Type

Provider Type Typical Service Cost Range Typical Time to Authorisation Typical Scope
Large international law firm €100,000–€500,000+ 6–18 months Full filing, regulatory liaison, post-authorisation support
Boutique regulatory law firm €50,000–€200,000 4–12 months Full filing and advisory; may lack cross-border network
Compliance consultancy €30,000–€150,000 Advisory only (no filing) Document preparation, gap analysis, remediation
Global Law Experts network Competitive tailored to scope 3–12 months (full support) End-to-end: jurisdictional coverage, regulatory templates, post-authorisation compliance

The principal differentiator for applicants choosing specialist support is access to BaFin-specific regulatory templates, realistic timeline management and integrated post-authorisation compliance monitoring areas where a multi-jurisdictional network offers significant practical advantages.

Compliance Requirements by CASP Category Comparison

Requirement Custody / Administration Exchange / Execution Portfolio Management
Minimum own funds €125,000 €150,000 €125,000
Custody / private-key controls Full (core activity) If holding client assets If holding client assets
AML/KYC programme (GwG) Full Full Full
Segregation of client assets Mandatory Mandatory if custodial Mandatory if custodial
Fit-and-proper (management) Required Required Required
IT / DORA alignment Required Required Required
Conflicts of interest policy Required Required Enhanced (suitability obligations)
White-paper obligations If issuing/offering tokens If listing new tokens Generally not applicable
Ongoing reporting to BaFin Quarterly + ad hoc Quarterly + ad hoc Quarterly + ad hoc

Appendix: Key Forms, Registers and Regulatory Resources

Sources

FAQs

What is a BaFin licence?
A BaFin licence is a formal authorisation issued by Germany’s Federal Financial Supervisory Authority permitting a firm to conduct regulated financial activities — including, under MiCA, the provision of crypto-asset services such as custody, exchange and portfolio management — within Germany and, via passporting, across the EU.
Businesses must file a formal MiCA NCA application with BaFin, including comprehensive documentation on governance, capital adequacy, AML controls, IT security and custody arrangements. The process involves a pre-application meeting, a completeness check, a substantive review lasting three to twelve-plus months, and a final authorisation decision. Full details are set out in the step-by-step process section above.
Yes. Under Article 143 of MiCA, entities already authorised under national law — such as holders of a KWG Kryptoverwahrgeschäft licence — may benefit from a simplified conversion process. BaFin accepts cross-references to documentation already on file, resulting in faster completeness checks and substantive reviews typically two to four months shorter than de novo applications.
BaFin requires a comprehensive dossier including: articles of association, group ownership charts, shareholder due diligence, management CVs and fit-and-proper declarations, an AML/KYC programme, custody architecture documentation, IT security evidence (BCP, incident response, pen-test reports, DORA alignment), audited financial statements, capital plans, client-facing terms and conflicts-of-interest policies. The detailed document checklist section above provides a complete list with suggested file names.
BaFin’s completeness check typically takes two to eight weeks. The substantive review then ranges from three to twelve-plus months, depending on the complexity of the business model, the quality of the filing and whether supplementary information is needed. Applications involving multi-jurisdictional custody chains, ART/EMT components or late-filed applications approaching the transitional deadline tend toward the longer end of the range.
Yes. Germany has regulated crypto-asset activities since 2020, when crypto custody (Kryptoverwahrgeschäft) was classified as a financial service under the Kreditwesengesetz (KWG). Since 30 December 2024, MiCA has applied as the overarching EU-wide regulatory framework, with BaFin serving as Germany’s NCA for all CASP authorisations. AML obligations are governed by the Geldwäschegesetz (GwG).

Our Expert

Jonathon Richards

Global Law Experts

how to get a civil marriage in Abu Dhabi 2026
By Global Law Experts

posted 13 hours ago

icc arbitration rules bangladesh
By Global Law Experts

posted 13 hours ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Mica NCA Application Germany Complete Bafin Authorisation Guide

Send welcome message

Custom Message