Crypto License in Bulgaria
Mastering the Bulgarian Crypto License Landscape: VASP Registration and the MiCA Transition
SANS Oversight and the EU Gateway Strategy
The Bulgarian crypto regulatory environment serves as a crucial, low-cost entry point into the European Union. Regulation is strictly governed by the national implementation of EU Anti-Money Laundering (AML) law, specifically requiring Virtual Asset Service Provider (VASP) registration under the Measures Against Money Laundering Act (MAMLA). This regime is uniquely supervised by the State Agency for National Security (SANS), emphasizing national security and AML/CTF prevention priorities.
The Bulgarian VASP registration is purely an AML compliance mechanism—it is not a financial services license and does not grant passporting rights. The strategic imperative for any entity is to use the low-cost, AML-centric VASP status as Phase I before proactively preparing for Phase II: the full Crypto-Asset Service Provider (CASP) license under the Markets in Crypto-Assets Regulation (MiCA), which will grant full EU passporting rights, confirming Bulgaria’s status as a key EU entry point for crypto operators.
The Foundational Requirement: VASP Registration under MAMLA
The core legal framework is the Measures Against Money Laundering Act (MAMLA), which fully transposes the 5th and 6th EU AML Directives. This comprehensive law mandates the registration of all Virtual Asset Service Providers (VASPs) operating within the Bulgarian jurisdiction.
Defining Regulated Virtual Currency Activities
MAMLA provides a comprehensive definition of VASP activities that are subject to registration and ongoing supervision:
Exchange Services: Encompasses exchange between virtual currencies and fiat currencies, or between different types of virtual currencies.
Custody Services: Covers the safekeeping, holding, and administration of virtual currencies, or the control of private cryptographic keys on behalf of clients.
Transfer Services: Facilitating or executing the transfer of virtual assets on behalf of another person.
The Unique and Highly Specific Roles of NRA and SANS
The regulatory oversight for the VASP regime involves a distinction between registration and ongoing supervision:
Historical Registration (NRA): Historically, VASP registration was often managed by the National Revenue Agency (NRA) as the initial point of entry for tax and basic administrative purposes.
Operational AML Supervision (SANS): The competent authority for ongoing VASP supervision, AML enforcement, and vetting is the State Agency for National Security (SANS), which functions as the Financial Intelligence Unit (FIU). The selection of SANS underscores that the regime’s focus is overwhelmingly on the prevention of financial crime, terrorist financing, and threats to national security.
Professional Prerequisites and Corporate Establishment
Applicants must demonstrate robust corporate and personal integrity:
Legal Form and Structure: The entity must be officially incorporated in Bulgaria (OOD or AD) and registered with the Commercial Register.
Management Attestation: Key individuals, including senior management and beneficial owners, must submit extensive attestations regarding their clean criminal records and professional competence. Demonstrating the requisite professional competence of the designated Compliance Officer is paramount during the SANS review process.
AML/CTF Compliance: SANS Due Diligence and Operational Backbone
Obtaining and maintaining VASP status requires the establishment of a robust, dynamic AML/CTF program fully compliant with MAMLA, subjected to continuous and strict SANS review.
Mandatory Internal Procedures and Risk Assessment Documentation
Compliance documentation forms the backbone of the application and ongoing adherence:
Enterprise-Wide Risk Assessment (EWRA): A mandatory, highly specific risk assessment detailing the VASP’s comprehensive exposure to money laundering and terrorist financing risks.
Internal AML Manual: A comprehensive manual detailing Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), detailed protocols for Suspicious Transaction Reporting (STR) to SANS, and stringent requirements for record retention (five-year minimum period).
Ongoing Compliance and Reporting Requirements
Compliance Officer (CO) Role: A designated, appropriately qualified CO must be appointed, bearing personal responsibility for the implementation of the AML program and serving as the direct, official liaison with SANS.
The Travel Rule Compliance: The VASP must strictly implement protocols derived from the FATF’s Travel Rule to collect, store, and transmit required originator and beneficiary information for all virtual asset transfers exceeding the prescribed threshold. SANS actively scrutinizes the integrity and technological reliability of the solution used for Travel Rule compliance.
Reporting: All suspicious transactions (STRs) must be reported to SANS immediately.
Key Ongoing Compliance Pillars
| Compliance Pillar | Mandatory Requirements |
| AML/CTF Program | Continuous monitoring of Risk Assessment, regular updates to the AML Manual, and mandatory staff training tailored to evolving crypto risks. |
| CDD/KYC | Verification of identity, determination of beneficial ownership, and rigorous application of EDD for high-risk clients. |
| Transaction Monitoring | Automated system for real-time and post-transaction screening of all transactions and associated wallet addresses against global sanctions lists. |
| Reporting | Immediate Suspicious Transaction Reporting (STR) to SANS and full adherence to the FATF Travel Rule for virtual asset transfers. |
The MiCA Imperative: Preparing for the CASP License
The full application of the EU’s Markets in Crypto-Assets Regulation (MiCA), expected in 2024/2025, represents a fundamental regulatory shift, making the proactive transition to the full CASP License mandatory for business longevity.
Scope Expansion and Regulatory Shift
Loss of National Status: Current VASP registration is purely national, focused on AML, and does not grant EU passporting rights. It will be fully superseded by the MiCA framework for licensed CASPs.
New Regulator: The licensing and prudential supervision mandate will shift from the AML agency (SANS) to the Financial Supervision Commission (FSC) or the Bulgarian National Bank (BNB) for specific tokens (e.g., E-Money Tokens).
Passporting Right: The Bulgarian MiCA CASP license will grant full EU Passporting rights, allowing the entity to offer its regulated crypto-asset services across all 27 EU/EEA bloc countries.
MiCA Transition Strategy: VASP $\to$ CASP
Bulgarian VASPs must initiate the transition now by addressing MiCA’s core prudential requirements:
Capital Adequacy: Accumulating the minimum initial capital ranging from €50,000 to €150,000, based on the scope and class of service offered.
Professional Indemnity Insurance (PII): Securing mandatory PII or equivalent prudential guarantees to cover professional and operational liability risks.
Governance Upgrade: Establishing formal, independent control functions for Risk Management and Internal Audit.
Technology and Operational Resilience: DORA High-Level Overview
The transition to MiCA CASP status, reinforced by the direct application of the Digital Operational Resilience Act (DORA), mandates institutional-grade technological resilience and security for all Bulgarian CASPs.
DORA Compliance: Foundational Requirements
DORA requires CASPs to implement a comprehensive digital operational resilience risk management framework to identify, manage, and mitigate all risks related to their Information and Communication Technology (ICT) systems. This framework mandates rigorous testing, detailed incident reporting, and strict oversight of third-party dependencies, setting the standard for institutional IT security.
Technicalities of Custody and Asset Segregation
For any entity providing custodial services, the system must ensure the legal and technical segregation of client crypto-assets from the Bulgarian CASP’s operational funds. Key management must utilize high-security, tamper-proof methods and implement multi-signature schemes to prevent any single point of failure in asset control.
Taxation and Corporate Structure in Bulgaria
Bulgaria’s favorable corporate tax structure and clear legal treatment of crypto assets are a significant strategic advantage.
Corporate Tax (CIT) Advantage
Rate: Bulgaria maintains the lowest Corporate Income Tax (CIT) rate in the EU, a flat 10% on realized profits.
Taxable Event: Profits derived from VASP/CASP activities, including exchange fees, commissions, and proprietary trading gains, are subject to this favorable 10% rate.
VAT Treatment
Exchange Exemption: Following the ECJ Skaraborg ruling, the core activity of exchanging fiat currency for virtual currency is exempt from VAT.
VAT Liability: Fees charged for non-exchange services, such as custody and wallet services, are generally subject to the standard Bulgarian VAT rate of 20%.
Legal Substance and Arbitrage Avoidance
Regulators demand demonstrable substance to prevent regulatory arbitrage:
Effective Management: Key decision-makers must be physically based in Bulgaria, with the effective management and strategic decisions regarding the regulated activity centered in the Bulgarian office.
Intercompany Agreements: All agreements with foreign parent or sister entities must clearly define the Bulgarian CASP entity as the ultimate controller and liability holder for the regulated EU services, preventing any cross-jurisdictional leakage of control.
MiCA Prudential Requirements: Capital Adequacy Calculation
The MiCA regulation imposes mandatory prudential requirements that dictate the ongoing financial stability of the Bulgarian CASP, moving far beyond the simple initial capital.
Initial Capital and Ongoing Capital
The initial capital (€50,000 to €150,000) is the hurdle to clear for licensing. However, the CASP must maintain at all times an ongoing level of own funds equal to the highest of the following three:
Initial Capital Requirement (ICR): The minimum amount required based on the services provided.
Fixed Overhead Requirement (FOR): $1/4$ (one quarter) of the CASP’s fixed overheads of the preceding year. This is a critical metric that forces CASPs to hold capital relative to their operational scale.
PII Calculation: The amount covered by the Professional Indemnity Insurance (PII) must meet a specific threshold.
Calculation of Fixed Overheads (FOR)
The FOR is calculated based on the audited annual financial statements, encompassing all administrative and operational expenses excluding variable or extraordinary costs. The CASP must have systems in place to forecast and monitor this value quarterly. If a CASP expands rapidly, its required capital buffer must increase proportionally, preventing undercapitalization during growth phases.
Role of Professional Indemnity Insurance (PII)
PII is a prudential safeguard. The insurance policy must be secured from an authorized EU insurer and structured to cover:
Operational Risks: Losses from fraud, errors, or negligence, including system failures and data breaches.
Custody Liability: Specific coverage for the strict liability imposed on custodians.
Measurement: The PII policy coverage amount is often determined by a percentage of the annual revenue, or a dynamic calculation based on Assets Under Custody (AUC) for custody providers, ensuring the cover reflects the potential exposure to client losses.
CASP Preparedness Checklist: Mitigating Administrative Risk
A proactive approach to the MiCA transition minimizes the risk of enforcement actions by the Bulgarian competent authority.
| Area of Preparation | Key Action for Risk Mitigation | |
| Governance Structure | Revise internal structures to establish independent Compliance, Risk Management, and Internal Audit roles (MiCA mandatory). | |
| Capital Readiness | Secure sufficient capital buffers (€50K – €150K) to meet the minimum initial capital and ongoing prudential safeguard requirements. | |
| IT Audit & Security | Conduct an independent, DORA-compliant audit of IT systems and conduct penetration testing. | |
| Insurance Policy | Secure quotations and initial agreements for Professional Indemnity Insurance (PII) to cover operational liability risks (especially for custody). | |
| Client Disclosure | Prepare MiCA-compliant White Papers and enhanced risk disclosure documents for all crypto-assets offered. | |
| Technical Readiness | Implement and test multi-signature and Quorum Requirements for private key management (custody). |
Request more information
Governance, Internal Audit, and Fit and Proper Standards
The transition demands a profound shift in corporate governance, moving Bulgarian CASPs toward the standards of regulated financial institutions.
MiCA’s Rigorous Fit and Proper Assessment
The Fit and Proper Test will be applied by the FSC to a broad group of key personnel.
Scope Expansion: The assessment covers all members of the Management Body, the Supervisory Body, and key function holders.
Competence and Integrity: Regulators assess integrity and the collective competence of the Management Body to oversee DLT, cybersecurity, and financial risks. Bulgarian regulators specifically look for a strong blend of local operational expertise and international crypto experience.
The Mandatory Internal Control Functions
MiCA mandates dedicated, independent control functions to ensure robust oversight:
Internal Audit Function (IAF): The IAF must be permanently established and functionally independent, responsible for reviewing the effectiveness of all internal control systems.
Risk Management Function (RMF): The RMF is responsible for the continuous identification, measurement, and monitoring of all material financial and non-financial risks (e.g., liquidity, market, operational, and settlement risk).
Separation of Functions: MiCA strictly requires the clear separation of the Compliance, Risk Management, and Internal Audit functions to eliminate any conflicts of interest within the firm’s hierarchy.
Remuneration Policy and Conflict Management
CASPs must establish a sound Remuneration Policy and implement comprehensive procedures for identifying, managing, and mitigating conflicts of interest.
Legal Responsibility and Administrative Penalties
The regulatory evolution ensures that non-compliance is met with escalating penalties, reflecting the seriousness of financial market infringements.
Sanctions under MAMLA
Under the current AML Act (MAMLA), SANS imposes financial penalties up to BGN 1 million and holds the power to impose penalties on responsible members of the management body, alongside the severe sanction of withdrawal of the VASP registration.
FSC-Level Enforcement under MiCA
Once MiCA is fully applied, the FSC will enforce penalties benchmarked against the highest EU standards:
| Violation Category | Maximum Administrative Penalty (Legal Entity) |
| Organizational/Governance Failure | €5 Million or up to 3% of the total annual turnover (whichever is higher). |
| Market Abuse/Consumer Protection | Substantially higher fines, reflecting the need to maintain market integrity and investor trust. |
This significant increase in potential fines underscores the urgency for Bulgarian VASPs to proactively upgrade controls and documentation to avoid severe financial and reputational damage.
DLT Regulatory Sandboxes and Innovation Facilitation
Bulgaria actively seeks to position itself as a supportive FinTech hub, offering official channels to support innovative DLT projects and complex business models.
Bulgarian National Bank (BNB) Initiatives
The BNB is crucial in regulating payment instruments and innovative finance, playing a dual role under MiCA:
E-Money Tokens (EMT): The issuance of EMTs will fall under the supervision of the BNB, requiring adherence to stringent requirements similar to the existing Electronic Money Directive (EMD). This necessitates a separate licensing path for stablecoin issuers.
Dialogue and Guidance: Both the BNB and the FSC engage in dialogue with FinTech firms to provide regulatory guidance on classification for novel DLT models.
The Importance of Early Regulatory Dialogue
For startups developing non-standard crypto-financial instruments, engaging in early regulatory dialogue with Bulgarian authorities is essential to pre-validate their business model. Proactive communication signals a commitment to transparency, which favorably influences the regulator’s disposition during the formal CASP licensing application.
Tax Optimization and Advanced Accounting for CASPs in Bulgaria
This extensive section covers the strategic utilization of Bulgaria’s tax structure and the complex accounting requirements for a CASP.
Corporate Tax (CIT) Optimization: Deductions and Transfer Pricing
While the 10% CIT rate provides the strategic baseline, financial optimization relies heavily on maximizing legitimate cost deduction and strict adherence to international tax rules.
Deductible Expenses: The Bulgarian tax authorities allow deductions for all documented operational costs essential for a CASP, including significant expenditures on blockchain analytics software, mandatory IT security audits (DORA), PII premiums, and salaries.
Arm’s Length Principle: For multinational groups, all intercompany agreements must strictly adhere to the arm’s length principle to prevent complex transfer pricing disputes with the National Revenue Agency (NRA).
Accounting Treatment of Virtual Assets
Bulgarian accounting standards generally follow IFRS (International Financial Reporting Standards), demanding careful classification and measurement of virtual assets:
Inventory vs. Intangible Asset: The CASP’s proprietary crypto holdings must be classified correctly: as assets held for sale (Inventory) or for long-term investment (Intangible Assets).
Impairment Testing: CASPs must perform mandatory, regular impairment testing on their crypto and intangible assets.
Segregation in Financial Statements: Crucially, the CASP must clearly and auditably differentiate between client assets (held off-balance sheet) and proprietary assets (on-balance sheet) in their financial statements for the FSC/BNB.
Advanced VAT Considerations
The VAT exemption covers only the exchange function. CASPs must meticulously track and apply the standard Bulgarian VAT rate of 20% to all related, non-exempt services.
Taxable Services: Fees for hot/cold wallet custody, advisory/consulting fees, and certain technical support services are generally subject to VAT.
Place of Supply: For B2B services, CASPs must accurately determine the place of supply under EU VAT rules to correctly apply the reverse charge mechanism.
Technical Resilience
The technical and operational requirements under MiCA and DORA are the most complex aspects of the CASP application, requiring institutional-grade investment.
The Mandated DORA Framework and Testing
DORA requires CASPs to adopt and maintain a comprehensive ICT Risk Management Framework (ICT RMF).
Risk Documentation: The ICT RMF must be fully documented, regularly reviewed, and formally approved by the Management Body.
Resilience Testing: CASPs must perform regular, documented testing of their operational resilience, including:
Vulnerability Assessments and Penetration Testing: Mandatory annual testing of the platform, APIs, network, and security infrastructure.
Digital Operational Resilience Testing (DORT): Larger CASPs must conduct advanced threat-led penetration testing (TLPT) every three years.
Business Continuity and Incident Reporting: CASPs must have tested Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). DORA mandates a stringent process for classifying and reporting major ICT-related incidents to the competent authority (FSC/BNB) within tight deadlines.
Managing Third-Party Risk (TPRM) under DORA and Outsourcing
DORA imposes strict rules on Third-Party Risk Management (TPRM) for all external providers. This is critically linked to MiCA’s outsourcing rules.
Critical/Important Functions: CASPs must identify and maintain a register of all third-party providers (TPPs) performing critical or important functions, such as cloud hosting, security services, or core trading technology.
Contractual Review and Audit Rights: Contracts for critical functions must ensure the Right to Audit for the CASP and the FSC/BNB. This ensures the regulator can inspect the TPP’s systems, even if they are located outside Bulgaria.
Geographical Outsourcing Restrictions: CASPs planning to outsource critical operational functions to non-EU jurisdictions (e.g., key management, core IT) must receive prior approval from the FSC. The FSC will verify that the oversight of the outsourced service is not impaired and that it does not undermine the CASP’s operational continuity or the regulator’s supervision.
Exit Strategies: Clear, tested Exit Strategies and transition plans must be in place to ensure service continuity if a provider fails or must be replaced.
Advanced Custody and Client Asset Segregation
Custody services carry the highest regulatory burden under MiCA, triggering the highest minimum capital (€150,000) and strict liability rules for the Bulgarian CASP.
Strict Liability and Insurance Requirements
A custody CASP faces strict liability to the client for the loss of any crypto-assets resulting from its own negligence, fraud, or internal system failures.
Loss Responsibility: The CASP must cover losses unless they are demonstrably due to an external event beyond its control.
Mandatory PII: The Professional Indemnity Insurance (PII) must be specifically and sufficiently calibrated to cover this strict liability risk.
Technical Segregation and Key Management Protocols
The technical audit rigorously focuses on proving the highest global standards for key security and asset separation.
Segregation and Legal Ownership: The CASP must maintain legal ownership records and ensure technical segregation using dedicated, unique cryptographic keys or wallets for each client or clearly identifiable batches.
Hot vs. Cold Storage Policy: Regulatory expectations mandate a policy of minimizing hot storage (online) funds to the greatest extent possible (often a small percentage, e.g., below 5% of Assets Under Custody). Access to hot wallets must be managed by automated controls and strict operational limits.
Key Generation Ceremony: The CASP must have a fully documented and audited process (a “Key Ceremony”) for generating, backing up, and distributing private key shares. This process must involve:
Multi-Signature and Quorum: Mandatory implementation of $N$ out of $M$ multi-signature schemes.
Geographical Dispersion: Storing key shares in geographically dispersed, highly secure, tamper-proof environments (e.g., vaults or high-grade HSMs).
Audit Trail: Maintaining an immutable audit trail of every key generation, backup, and retrieval event.
HSM Usage: Audited use of high-security Hardware Security Modules (HSMs) for securing the majority of private keys in cold storage environments.
Cross-Border Legal and Token Classification
The MiCA license requires meticulous legal analysis to avoid inadvertent breaches of other EU financial laws, particularly the MiFID II framework.
MiCA vs. MiFID II: The Token Classification Methodology
The single most critical step is obtaining a formal legal opinion confirming that the crypto-assets offered are not a MiFID II Financial Instrument. The FSC will demand this.
Substance Over Form: Classification is based on the substance of the asset’s rights and structure, not the name (e.g., a “Utility Token” that offers profit participation is a security).
The Four Categories: The legal analysis must clearly place the asset into one of MiCA’s four categories:
E-Money Tokens (EMT): Regulated by BNB.
Asset-Referenced Tokens (ART): Regulated by FSC/BNB (complex stability mechanisms).
Crypto-Assets (MiCA General): Utility or basic payment tokens that fall under the general CASP services.
Financial Instruments (MiFID II): Requires a separate, higher-capital Investment Firm license.
Specific Requirements for EMTs and ARTs
The Bulgarian CASP must adhere to strict requirements if it deals with stablecoins or linked tokens:
EMT: Requires specific authorization from the BNB (Bulgarian National Bank), similar to an E-Money Institution, with rules on the issuance, redemption, and custody of underlying reserve funds.
ART: Requires robust, independently audited reserve management policies and a stability mechanism that is clearly detailed in the white paper, subject to approval by the FSC.
Cross-Border Legal Issues
The MiCA passport is conditional on compliance with local consumer protection and jurisdictional rules:
Jurisdiction and Conflict of Laws: CASPs must comply with the EU’s conflict-of-laws rules (Rome I & II). For contracts with consumers, the choice of Bulgarian law may be overridden by mandatory consumer protection rules of the consumer’s domicile.
Dispute Resolution: Under the Brussels I Regulation, a consumer generally has the right to sue the Bulgarian CASP in the courts of their domicile.
MiCA Conduct of Business and Client Protection
MiCA introduces comprehensive Conduct of Business Rules equivalent to those in traditional finance, enforceable by the FSC.
Fair, Honest, and Professional Dealing
The CASP must act honestly, fairly, and professionally in accordance with the best interests of its clients. This is the overarching principle governing all client interactions.
Mandatory Client Disclosures and White Papers
Information Quality: All information on costs, fees, risks, and the CASP’s authorization status must be clear, fair, and not misleading. Marketing materials are subject to the same strict scrutiny as the legal documents.
White Paper Liability: The CASP is liable for damages caused to a client who relied on misleading or inaccurate information within the White Paper, highlighting the need for rigorous due diligence before publication.
Best Execution Obligation
For CASPs executing client orders, there is a legal obligation to take all sufficient steps to obtain the best possible result for the client, considering price, costs, speed, likelihood of execution, and settlement.
Best Execution Policy: CASPs must establish, implement, and monitor a documented Best Execution Policy, detailing the execution venues used and the criteria for selecting them.
Order Handling: Client orders must be executed promptly, accurately, and sequentially, with a detailed system for time-stamping and recording all order aggregation and allocation decisions.
Suitability and Appropriateness Assessments
If the CASP provides advice on crypto-assets or certain types of services (e.g., portfolio management), it must perform a suitability test, assessing the client’s knowledge, experience, financial situation, and investment objectives. For non-advised services, an appropriateness test is required to ensure the client understands the risks.
Operational Due Diligence: Banking, Payments, and Local Infrastructure
Successful CASP operation hinges on access to reliable fiat payment rails and robust local infrastructure, demanding operational due diligence.
The Challenge of Banking for Crypto-Assets
Obtaining banking services in the EU for crypto-related businesses remains the primary bottleneck due to banks’ extreme caution regarding AML/CTF liability.
-
Bank De-Risking: Traditional Bulgarian banks often limit services or impose stringent limits on crypto operators, even those with full CASP status.
-
Required Documentation: To open and maintain corporate bank accounts, the Bulgarian CASP must provide the full Regulatory Dossier (SANS VASP and FSC CASP licensing documentation), detailed Source of Wealth/Funds (SoW/SoF), and Technical Audit Reports.
-
Dedicated Compliance Channels: Establishing direct contact between the CASP’s Compliance Officer and the bank’s own AML unit for seamless STR coordination.
Payment Infrastructure and E-Money Institutions (EMI) Integration
Due to the reluctance of traditional banks, many Bulgarian CASPs rely on partnerships with Payment Institutions (PIs) or E-Money Institutions (EMIs) for fiat processing.
-
EMI/PI Partnerships: CASPs integrate with EMIs licensed under the BNB or in other EU countries for IBAN Issuance and SEPA/SWIFT Access.
-
Regulatory Interplay: The FSC/BNB will scrutinize partnership agreements to ensure the CASP does not illegally delegate its primary AML/KYC regulatory obligations.
Local Infrastructure and Operational Hub Requirements
Regulatory substance demands more than a virtual office:
-
Physical Office and Effective Presence: The FSC and SANS require a genuine, physical office space in Bulgaria, hosting the Management Body and the key Control Functions (Risk Management, Compliance).
-
Local Expertise and Talent: The CASP must demonstrate the capacity to hire and retain qualified local talent, particularly for the Chief Compliance Officer (CCO) and IT Security/DORA personnel.
-
Data Sovereignty and Storage: All critical client data and operational records must be stored securely and redundantly, with full access rights granted to Bulgarian regulators.
Investor and Consumer Dispute Resolution Mechanisms
Bulgarian CASPs must implement formal, transparent mechanisms for resolving client complaints and disputes.
-
Internal Complaints Procedure: A mandatory, documented internal procedure must be established.
-
External Alternative Dispute Resolution (ADR): CASPs must ensure clients have access to an external Alternative Dispute Resolution (ADR) entity in Bulgaria or an EU jurisdiction.
-
Investor Compensation Schemes (ICS): The Bulgarian entity must clearly and unequivocally disclose the lack of ICS protection for client crypto-assets in all contracts and disclosures, as MiCA does not mandate participation in these schemes.
FAQ
The Markets in Crypto-Assets Regulation (MiCA) Crypto-Asset Service Provider (CASP) Authorization is the mandatory EU financial license required to legally offer crypto-asset services within the European Union. In Bulgaria, this license is issued by the Financial Supervision Commission (FSC).
Any entity providing services such as custody, exchange, operation of a trading platform, or advisory services related to crypto-assets to EU clients must obtain a CASP license, including firms currently operating under the old national VASP registration.
The old VASP registration with the National Revenue Agency (NRA) was purely an AML/CFT registration and had no EU-wide validity.
The new FSC MiCA CASP Authorization is a full financial license that requires meeting prudential requirements, holding minimum capital, and establishing robust governance. Crucially, it grants the right to EU Passporting, allowing the firm to operate across all EU member states.
Existing Virtual Asset Service Providers (VASPs) that were registered with the NRA before December 30, 2024, benefit from a transitional (grandfathering) period. They may continue operating within Bulgaria without a full MiCA license until July 1, 2026. However, they must submit their full CASP application to the FSC before this date. New market entrants must apply immediately.
The main competent authority for the authorization and supervision of Crypto-Asset Service Providers (CASPs) and issuers of Asset-Referenced Tokens (ARTs) is the Financial Supervision Commission (FSC).
The Bulgarian National Bank (BNB) is the authority responsible for the oversight and authorization of issuers of Electronic Money Tokens (EMTs), which are considered a form of e-money.
The minimum initial capital required depends on the class of services the CASP intends to provide:
This capital must be fully paid up and maintained at the higher of the minimum threshold or 25% of the firm's fixed overheads from the preceding year.
Yes. CASPs that provide custody and administration of crypto-assets on behalf of clients (Class II and III) must hold either:
A professional indemnity insurance policy, or
Sufficient own funds permanently available to cover the liability risks specific to providing custody services.
Bulgaria offers one of the lowest tax burdens in the EU. CASPs operating in Bulgaria benefit from a flat 10% Corporate Income Tax (CIT) rate. Additionally, a low 5% dividend withholding tax is applied upon profit distribution.
Yes. Under MiCA, the applicant must establish a registered office in an EU member state where it carries out at least part of its crypto-asset services. A full CASP license in Bulgaria requires demonstrating sufficient operational substance, including dedicated key staff, a physical office, and internal control functions.
The Fit and Proper test ensures that all members of the CASP's management body (directors, senior executives) and major shareholders have a sound reputation and possess the necessary knowledge, skills, and experience to manage the business responsibly. This is a critical assessment performed by the FSC.
The Digital Operational Resilience Act (DORA) requires financial entities, including most CASPs, to implement comprehensive frameworks for managing IT and security risks. Bulgarian CASPs must submit DORA-aligned policies, including incident management, digital operational resilience testing, and third-party risk management protocols, as part of their MiCA application.
The official timeline mandated by MiCA consists of two phases:
Completeness Check: Up to 25 working days for the FSC to confirm the application is complete.
Compliance Assessment: Up to 40 working days from the date the application is deemed complete for the FSC to issue a final decision.
The preparation phase, including legal documentation and corporate setup, typically takes an additional 2 to 4 months.
Yes. MiCA provides a specific regime for:
Asset-Referenced Tokens (ARTs): Tokens that reference multiple assets (e.g., fiat, commodities, or other crypto-assets).
Electronic Money Tokens (EMTs): Tokens that primarily aim to maintain a stable value by referencing a single fiat currency (i.e., regulated stablecoins).
Issuers of these tokens must meet additional, stringent requirements for reserves, custody, and transparency.
If a CASP only offers services to clients located outside the EU and does not target or solicit clients within the EU, they may be exempt from the MiCA licensing requirement. However, the firm must still comply with national AML/CFT regulations in Bulgaria, and it is strongly advised to seek local legal counsel to confirm exemption status under the reverse solicitation rule, which is interpreted very narrowly by regulators.