Crypto License in Bulgaria
Bulgaria MiCA CASP License
Bulgaria is strategically transitioning from a minimal Anti-Money Laundering (AML) registration model to a comprehensive, financial-grade licensing framework under the European Union’s landmark Markets in Crypto-Assets (MiCA) Regulation. Historically, providers of crypto services (VASPs) were subject only to basic AML/KYC registration with the National Revenue Agency (NRA). Today, all Crypto-Asset Service Providers (CASPs) must secure full Authorization from the Financial Supervision Commission (FSC). This robust authorization is the key to unlocking critical EU-wide “passporting” rights across the entire Single Market.
The move from the NRA’s light-touch oversight to the FSC’s rigorous prudential supervision represents a monumental leap, solidifying Bulgaria’s position as a fully compliant and strategically advantageous FinTech hub within the EU, offering a clear and regulated gateway to the European Economic Area. Crucially, this is combined with a stable and highly competitive 10% Corporate Income Tax (CIT) rate, a primary incentive for international firms choosing their EU regulatory anchor.
The Bulgarian Regulatory Transition: Defining the Shift from AML to MiCA
Bulgaria’s regulatory evolution is characterized by a definitive shift from domestic AML compliance to comprehensive EU financial regulation, encompassing prudential standards, conduct of business rules, and strict investor protection mechanisms. This transition is formally enacted through the Bulgarian Markets in Crypto-Assets Law (MICAL), which designates the FSC as the sole competent authority for MiCA licensing and supervision, mirroring the approach taken by other major EU financial regulators.
The National VASP Registration (Pre-MiCA Regime)
Prior to MiCA, the Bulgarian framework was primarily a reporting mechanism focused on mitigating financial crime risks.
Key Features of NRA VASP Registration:
Primary Regulator: National Revenue Agency (NRA), functioning as the national AML registrar.
Legal Basis: Measures Against Money Laundering Act (MAMLA), based on the 5th EU AML Directive.
Scope: Narrow, focused solely on AML/CFT compliance for basic exchange and custodial services. The key requirements were limited to customer identification, record-keeping, and Suspicious Activity Reporting (SARs). The regime lacked any scrutiny of capital adequacy, market conduct, or operational risk.
Capital Requirement: Nominal, often just $\text{BGN }2 \text{ (}\sim €1)$. This minimal requirement underscored the lack of prudential oversight regarding financial stability.
Limitation: No EU passporting rights. The registration offered no legal recognition outside Bulgaria’s borders and provided no institutional confidence to major European banks.
MiCA CASP Authorization (The New Prudential Regime)
The MiCA framework introduces a holistic regulatory structure, imposing obligations analogous to those of investment firms, demanding financial, organizational, and technical maturity.
Key Features of FSC CASP Authorization:
Primary Regulator: Financial Supervision Commission (FSC), the body responsible for capital markets, insurance, and investment firms.
Legal Basis: MiCA Regulation (EU 2023/1114), directly applicable across the EU, and the national Bulgarian MICAL for specific implementation details.
Scope: Broad and deep, regulating nine specific Crypto-Asset Services (CASs), including Custody, Trading Platform Operation, Execution of Orders, Portfolio Management, and Advisory services. Its required compliance policies cover the entire business lifecycle, from IT governance to client relationship management.
Core Benefit: Grants the EU Crypto Passporting right, essential for scalable, compliant cross-border operations across all 27 EU member states, allowing the CASP to market its services to over 450 million consumers.
Comparative Overview: NRA VASP vs. FSC CASP MiCA
| Feature | NRA VASP Registration (Pre-MiCA) | FSC CASP Authorization (MiCA) |
| Primary Regulator | National Revenue Agency (NRA) | Financial Supervision Commission (FSC) |
| Focus of Regulation | AML/CFT Compliance Only | Prudential, Conduct, and Investor Protection |
| Capital Requirement | Nominal ($\sim €1$) | Tiered, starting at €50,000 (plus 25% FOR) |
| EU Passporting | None | Full EU Passporting |
| Required Expertise | Basic AML Officer | MLRO, CCO, Risk Manager, DORA/ICT Governance |
The MiCA Transitional Period: Critical Deadlines and Grandfathering
The grandfathering provision offers a specific, non-extendable window for existing VASPs to transition, ensuring market stability during the shift.
Legacy VASPs (Registered in NRA before December 30, 2024): These firms benefit from a grandfathering period until July 1, 2026. They must submit their full CASP Authorization application to the FSC before the expiration of this deadline. Failure to do so requires them to immediately cease all CAS activities. The crucial limitation is that grandfathering does not permit EU passporting during the transition period; operations are strictly limited to the territory of Bulgaria.
New Market Entrants: Any firm starting operations after the NRA VASP registration deadline must apply immediately for full MiCA CASP Authorization with the FSC, demonstrating full compliance from the beginning. This includes meeting all capital and organizational requirements.
MiCA CASP Capital Requirements: Minimum Own Funds and Fixed Overheads (FOR)
The tiered MiCA capital structure is a core prudential requirement, ensuring that financial resources are proportionate to the business complexity and inherent risks, protecting both clients and the stability of the firm.
| MiCA CASP Class | Min. Capital | Core Services | Key Prudential Focus |
| Class I | €50,000 | Advice, Reception and Transmission of Orders, Placing. | Management Integrity, Robust Conflicts of Interest Policy. |
| Class II | €125,000 | Custody, Exchange (Fiat/Crypto), & Class I. | Asset Segregation, PII Coverage, Operational Risk Management. |
| Class III | €150,000 | Operation of a Trading Platform, Underwriting, & Classes I/II. | DORA Resilience, Market Surveillance and Governance. |
The Own Funds Maintenance Mandate and Fixed Overheads
The core formula dictates that own funds must equal the higher of the fixed minimum capital (e.g., $\text{€125,000}$ for Class II) or 25% of the preceding year’s fixed overheads (FOR). The detailed FOR calculation includes employee costs, rental costs, utility costs, and depreciation—essentially all fixed expenses necessary to maintain operations. This scaling requirement ensures that a CASP is financially capable of executing an orderly cessation of activities (wind-down) over a period of up to three months without immediately endangering client assets or regulatory compliance.
Custodial Protection and Professional Indemnity
Custodial firms (Class II) face the highest bar for client asset protection, demanding a fusion of legal, insurance, and technological controls:
Segregation and Legal Ownership: The CASP must demonstrate that client assets are held under arrangements that prevent their use or disposal without the client’s express permission, and that in the event of insolvency, the assets are immediately excluded from the liquidation estate, reverting fully to the clients.
Professional Indemnity Insurance (PII): The PII must be sufficient to cover specific risks related to custody and cyber events, including: internal fraud (e.g., rogue employee misuse of keys), external theft (e.g., hacking), and errors/omissions in the CASP’s operational procedures.
Request more information
Detailed Requirements for FSC MiCA CASP Authorization: The Operational and Governance Deep Dive
The application process is a rigorous stress test of the applicant’s internal controls and governance structure, requiring extensive documentation aligned with all relevant ESMA and EBA guidelines.
Corporate and Legal Foundation: Establishing Deep Local Substance
The FSC scrutinizes the concept of local substance to prevent ‘letterbox’ entities:
Effective Management and Staffing: The CASP must prove that core decision-making authority resides in Bulgaria. This means key control functions (CCO, MLRO, Risk Manager) must have their primary office and employment in Bulgaria, with their roles and reporting lines clearly defined within the corporate structure.
ICT Governance: The application must include an ICT Governance Framework detailing how the Management Body oversees the firm’s ICT strategy, approves key technology expenditures, and regularly reviews the effectiveness of the DORA policies.
Management and Governance: Rigour of the Fit and Proper Test
The Fit and Proper assessment is holistic, examining both individual character and collective capability:
Management Body and Non-Executive Directors: The Management Body must include Non-Executive Directors (NEDs) who possess sufficient independence and expertise to challenge executive decisions, particularly regarding risk and compliance.
Internal Audit Function: MiCA mandates an independent internal audit function that is fully separate from the management and operational functions. This function must report its findings on the adequacy and effectiveness of the firm’s internal controls and risk management processes directly to the Management Body and the FSC upon request. The audit plan must cover DORA, AML, and conduct of business compliance annually.
Qualifying Holdings and Influence: The FSC performs a detailed assessment of the financial soundness, criminal record, and business reputation of all persons intending to hold a Qualifying Holding (10% or more), ensuring they do not undermine the prudent management of the firm.
Independence of Key Control Functions: The CCO, MLRO, and Risk Manager must be allocated sufficient resources and authority to perform their duties effectively. Their reporting lines must be explicitly independent of the commercial lines of business, reporting directly to the highest internal authority (e.g., the Board or Audit/Risk Committee).
Comprehensive Compliance Documentation: Policy Suite Breakdown
The policy suite must reflect the firm’s technical, operational, and ethical commitments as an EU financial entity, covering both MiCA and underlying AML/DORA regulations.
AML/KYC and the Technical Travel Rule (TFR) Implementation
The Bulgarian AML regime (via MAMLA and FID) is inextricably linked with the MiCA/TFR requirements:
TFR Implementation Protocol: The procedures must detail the secure cryptographic solution (e.g., specific Travel Rule protocol integration) used for collecting and transmitting the required originator/beneficiary data, ensuring compliance with both the TFR data standards and GDPR principles.
AML/CTF Program Integration: The AML Manual must explicitly detail how the risk-based approach is applied, including the mandatory use of Enhanced Due Diligence (EDD) for all non-EEA clients, transactions involving high-risk jurisdictions, and all politically exposed persons (PEPs).
Automated TM and Analytics: The firm must utilize Automated Transaction Monitoring (TM) systems integrated with On-Chain Analytics tools for continuous, automated monitoring. The compliance team must have a detailed protocol for investigating and resolving all alerts, ensuring a clear, time-stamped audit trail is maintained for all SAR Reporting to the Bulgarian Financial Intelligence Directorate (FID). This process must provide real-time risk scoring for transactions against known illicit activity (sanctioned addresses, darknet activity, mixing services).
DORA Compliance for CASPs: ICT Risk, Security Testing, and Threat Intelligence
DORA compliance is a prerequisite for authorization, requiring financial-grade operational stability and robust ICT controls:
ICT Risk Management Policy and Cryptographic Controls: This policy must detail the strategy for the protection of key cryptographic material using advanced security solutions (HSMs or MPC). A dedicated section must outline the formal Key Ceremony procedures—the documented, multi-party process for the secure generation, storage, backup, and destruction of master keys, which must be auditable.
Vulnerability Management and Remediation: A rigorous policy must outline the process for continuous vulnerability scanning, prioritization based on MiCA/DORA risk criteria, and defined, short Remediation Time Objectives (RTOs) for critical vulnerabilities.
Threat and Vulnerability Management: The CASP must demonstrate procedures for actively sourcing, analyzing, and acting upon external Threat Intelligence (TI), particularly TI related to zero-day vulnerabilities in common blockchain protocols or custodial solutions. This includes subscribing to industry-specific information sharing and analysis centers (ISACs).
Incident Reporting & Classification: The policy must contain the specific DORA criteria for classifying a major ICT-related incident (e.g., financial impact, regulatory impact, reputational damage). The CASP must be able to submit a preliminary report to the FSC within the strict regulatory deadline (often within hours of detection) and provide a final root cause analysis report within a defined period.
Exit Strategy and Discontinuation of Services: MiCA and DORA require a documented plan for the orderly discontinuation of CAS activities. This plan must ensure that client assets are returned or securely transferred to another authorized CASP without disruption, minimizing harm to clients and market integrity. The CASP must provide the FSC with sufficient notice before discontinuing any service.
Client Protection and Conduct of Business Rules
MiCA imposes extensive obligations regarding fair dealing, transparency, and client suitability:
Conflict of Interest Policy: This document must identify, manage, and disclose all conflicts, particularly those arising from proprietary trading vs. client execution, and conflicts related to the selection of execution venues. The policy must detail specific control measures like information barriers and restricted lists.
Best Execution Policy: The CASP, offering execution services, must implement protocols that ensure the best possible result for the client, detailing the methodology used to rank execution factors (price, cost, speed, likelihood) and the process for periodic review (at least annually) of its execution quality and venues.
Client Disclosure Requirements: The firm must provide extensive pre-contractual and ongoing disclosures, including:
Standardized Risk Warnings: Mandatory inclusion of the MiCA-prescribed risk warning regarding the lack of deposit guarantee and the volatility of crypto-assets.
Fee Structure Transparency: A clear, itemized breakdown of all fees, costs, and charges related to each service provided, including any hidden or implicit costs.
MiCA Reverse Solicitation Policy: The policy must detail the strict protocol for verifying and documenting client-initiated service requests (Reverse Solicitation). Any active marketing or subsequent communication that encourages the client to engage in further services will void the exemption, subjecting the CASP to full MiCA authorization requirements in that host state.
Dual Regulation: The Interplay of FSC and BNB (E-Money Tokens - EMT)
A CASP handling fiat-pegged stablecoins (EMT) faces a unique jurisdictional challenge in Bulgaria, requiring parallel compliance with two regulatory bodies.
FSC vs. BNB Jurisdiction: The BNB (Bulgarian National Bank), as the central bank, is the designated competent authority for the authorization and supervision of EMT issuers under MiCA/E-Money Directive, while the FSC regulates the CASPs that provide services (e.g., custody, exchange) related to all crypto-assets.
EMI/PI License Requirement: A CASP providing services related to EMTs may be deemed to be providing “payment services” under PSD2, necessitating the acquisition of an Electronic Money Institution (EMI) or Payment Institution (PI) license from the BNB in addition to the MiCA CASP Authorization from the FSC.
Cumulative Capital Requirement: The firm is legally required to hold the higher of the MiCA capital requirement OR the EMI/PI capital requirement (which is calculated based on payment volume and is often significantly higher for high-volume firms). This demands continuous, complex reporting to both regulators.
Strategic and Economic Advantages of the Bulgarian MiCA License
Bulgaria offers a unique combination of full EU regulatory alignment and highly competitive economic factors, making it a strategic choice for FinTech headquarters.
The EU Passporting Mechanism: Maximizing Market Reach
The passporting right is the single most important strategic advantage for expansion:
Single Regulatory Capital: The capital reserves held in Bulgaria satisfy the prudential requirements for operation across the entire EEA.
FSC as Home Regulator: Dealing with one home regulator (the FSC) simplifies communication, reporting, and crisis management across all 27 host states, significantly reducing cross-border compliance complexity.
Fiscal and Operational Competitiveness
Bulgaria’s fiscal regime is a significant competitive differentiator within the EU:
Flat Corporate Income Tax (CIT): A stable, low flat rate of 10% Corporate Income Tax (CIT).
Low Dividend Withholding Tax: A favorable 5% dividend withholding tax, maximizing returns for international investors.
Operational Efficiency: The availability of highly skilled IT, development, and compliance professionals at competitive salary rates, coupled with lower costs for administrative and physical infrastructure, translates directly into superior operational margins.
Summary of Strategic and Fiscal Benefits in Bulgaria
| Economic Factor | Rate/Advantage | Strategic Value for MiCA CASPs |
| Corporate Income Tax (CIT) | 10% Flat Rate | Highest cost-efficiency among most EU member states. |
| Dividend Withholding Tax | 5% | Maximizes shareholder returns and investment appeal. |
| EU Passporting | Full (Post-Authorization) | Seamless market access to the entire 450M-strong EU Single Market. |
| Talent Pool | Skilled IT/Dev/Compliance | Reduces operational expenditure and speed-to-market. |
Audit and Continuous Oversight: Ensuring Long-Term Compliance
MiCA necessitates a regime of continuous external verification and robust regulatory reporting to maintain the license.
Mandatory Annual External Audit Scope
The external audit must include a specific MiCA compliance module, requiring specialized expertise:
Confirmation of Capital Adequacy: Independent verification that the firm consistently complied with the higher-of minimum capital or 25% FOR requirement throughout the reporting period, a critical check for the FSC.
Operational Control Verification: Assessment of the implementation and effectiveness of the DORA and AML/KYC policies, ensuring they are not just documented but operational in practice.
Regulatory Reporting and Supervisory Review
The CASP is subject to the FSC’s full supervisory authority:
Regular Prudential Reporting: Mandatory quarterly or semi-annual reporting on capital and liquidity positions.
FSC On-site Inspections: The FSC retains the right to conduct unannounced or periodic on-site inspections to verify the operational integrity of the CASP’s IT systems, internal controls, and documentation.
Bulgaria as the Compliant Crypto Gateway to the EU
Bulgaria has firmly established itself as a rigorous and compliant jurisdiction for the crypto industry. The transition from the minimal NRA AML registration to the comprehensive FSC MiCA CASP Authorization ensures that firms meet the highest European standards for investor protection, prudential stability, and operational resilience.
For serious entrepreneurs, the Bulgarian MiCA license offers a unique strategic value: full EU Passporting rights, highly competitive corporate taxation, and a clear, detailed regulatory path overseen by a committed competent authority. Navigating this path requires a substantial, front-loaded investment in capital and compliance infrastructure, particularly in the demanding areas of DORA, the technical Travel Rule, and conduct-of-business protocols. The strategic imperative is clear: the window for grandfathering is closing; the only sustainable path forward is securing the full FSC MiCA Authorization.
FAQ
The Markets in Crypto-Assets Regulation (MiCA) Crypto-Asset Service Provider (CASP) Authorization is the mandatory EU financial license required to legally offer crypto-asset services within the European Union. In Bulgaria, this license is issued by the Financial Supervision Commission (FSC).
Any entity providing services such as custody, exchange, operation of a trading platform, or advisory services related to crypto-assets to EU clients must obtain a CASP license, including firms currently operating under the old national VASP registration.
The old VASP registration with the National Revenue Agency (NRA) was purely an AML/CFT registration and had no EU-wide validity.
The new FSC MiCA CASP Authorization is a full financial license that requires meeting prudential requirements, holding minimum capital, and establishing robust governance. Crucially, it grants the right to EU Passporting, allowing the firm to operate across all EU member states.
Existing Virtual Asset Service Providers (VASPs) that were registered with the NRA before December 30, 2024, benefit from a transitional (grandfathering) period. They may continue operating within Bulgaria without a full MiCA license until July 1, 2026. However, they must submit their full CASP application to the FSC before this date. New market entrants must apply immediately.
The main competent authority for the authorization and supervision of Crypto-Asset Service Providers (CASPs) and issuers of Asset-Referenced Tokens (ARTs) is the Financial Supervision Commission (FSC).
The Bulgarian National Bank (BNB) is the authority responsible for the oversight and authorization of issuers of Electronic Money Tokens (EMTs), which are considered a form of e-money.
The minimum initial capital required depends on the class of services the CASP intends to provide:
This capital must be fully paid up and maintained at the higher of the minimum threshold or 25% of the firm's fixed overheads from the preceding year.
Yes. CASPs that provide custody and administration of crypto-assets on behalf of clients (Class II and III) must hold either:
A professional indemnity insurance policy, or
Sufficient own funds permanently available to cover the liability risks specific to providing custody services.
Bulgaria offers one of the lowest tax burdens in the EU. CASPs operating in Bulgaria benefit from a flat 10% Corporate Income Tax (CIT) rate. Additionally, a low 5% dividend withholding tax is applied upon profit distribution.
Yes. Under MiCA, the applicant must establish a registered office in an EU member state where it carries out at least part of its crypto-asset services. A full CASP license in Bulgaria requires demonstrating sufficient operational substance, including dedicated key staff, a physical office, and internal control functions.
The Fit and Proper test ensures that all members of the CASP's management body (directors, senior executives) and major shareholders have a sound reputation and possess the necessary knowledge, skills, and experience to manage the business responsibly. This is a critical assessment performed by the FSC.
The Digital Operational Resilience Act (DORA) requires financial entities, including most CASPs, to implement comprehensive frameworks for managing IT and security risks. Bulgarian CASPs must submit DORA-aligned policies, including incident management, digital operational resilience testing, and third-party risk management protocols, as part of their MiCA application.
The official timeline mandated by MiCA consists of two phases:
Completeness Check: Up to 25 working days for the FSC to confirm the application is complete.
Compliance Assessment: Up to 40 working days from the date the application is deemed complete for the FSC to issue a final decision.
The preparation phase, including legal documentation and corporate setup, typically takes an additional 2 to 4 months.
Yes. MiCA provides a specific regime for:
Asset-Referenced Tokens (ARTs): Tokens that reference multiple assets (e.g., fiat, commodities, or other crypto-assets).
Electronic Money Tokens (EMTs): Tokens that primarily aim to maintain a stable value by referencing a single fiat currency (i.e., regulated stablecoins).
Issuers of these tokens must meet additional, stringent requirements for reserves, custody, and transparency.
If a CASP only offers services to clients located outside the EU and does not target or solicit clients within the EU, they may be exempt from the MiCA licensing requirement. However, the firm must still comply with national AML/CFT regulations in Bulgaria, and it is strongly advised to seek local legal counsel to confirm exemption status under the reverse solicitation rule, which is interpreted very narrowly by regulators.