Crypto License in Czech Republic
MICA CASP AUTHORIZATION IN THE CZECH REPUBLIC
Executive Summary: Core Strategy for European Authorization
The regulatory environment for Crypto-Asset Service Providers (CASPs) in the Czech Republic requires MiCA authorization from the Czech National Bank (CNB). Our comprehensive proposal ensures impeccable compliance and automatic EU Passporting.
| Requirement | Our Solution (Service Objective) |
| Regulator | CNB (The Supervisory Authority). Full management of the application submission and communication process. |
| Capital Requirements | Structuring and verification of the initial capital: €50,000, €125,000, or €150,000. |
| Process and Timeline | 6–8 months from submission. Preparation of all Governance, DORA, and ICT policies. |
| Key Benefit | Automatic EU Passporting. Immediate access to all 30 EU/EEA countries. |
| Operational Focus | Full compliance with the Digital Operational Resilience Act (DORA) and strict IT security standards. |
Strategic Foundations: Authorization and Requirements
Comprehensive Consulting Services
Our proposed engagement is a total project management and regulatory advisory service, extending far beyond simple document generation. We manage the end-to-end authorization process for Exchanges, Custody Providers, and Advisory firms, ensuring their successful transition to a pan-European operational footing.
MiCA Service Classification (Advanced Analytical Framework): We initiate the process with a rigorous, multi-factor analysis (MFA) framework, assessing core business activities against the ten defined MiCA service classes. The analysis meticulously covers: 1) Functional Classification (e.g., operating a trading platform vs. providing advice), 2) Asset Classification (E-money Tokens, Asset-Referenced Tokens, other crypto-assets), and 3) Risk Profile (systemic importance and volume). This precise classification is paramount as it dictates the required initial capital (e.g., €50k, €125k, or €150k) and the scope of mandatory prudential and conduct of business requirements. The final classification must be justified to the Supervisory Authority with detailed business forecasts and capital expenditure projections.
Corporate Setup and Substance (Regulatory Necessity): Securing regulatory approval necessitates demonstrating genuine operational presence (substance), a strict requirement of the local Supervisory Authority to prevent “letterbox” entities. We manage the registration of the legal entity (s.r.o.) and ensure the leased physical local office possesses adequate, verifiable infrastructure (secure data room, access controls, biometric security). Documentation must include long-term lease contracts (minimum 2 years) and formalized employment agreements for local key personnel, including the compliance manager and a senior officer, proving that the entity is managed and controlled from the Czech Republic, supported by a clear organizational chart detailing local reporting lines.
Full Documentation Package (Adherence to ESMA Guidelines): The documentation suite is not merely a collection of policies but an integrated operational manual. We develop over 20 mandatory policies (AML/CFT, Governance, Risk Management, DORA-compliant ICT), all cross-referenced with the latest draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) from the ESMA (European Securities and Markets Authority). The final package serves as the blueprint for internal control mechanisms and must prove to the CNB that the firm can operate safely, soundly, and in compliance with all relevant EU law, including a detailed implementation schedule for all required controls.
Fit & Proper Support (Governance Integrity): The assessment by the CNB focuses intensely on the collective suitability of the management body (Board of Directors, CEO, MLRO, CCO, CIO). Our support includes meticulous preparation of personal declarations, conflict of interest matrices, and comprehensive background checks. We structure the CVs and experience logs to highlight competence in the three regulatory pillars: 1) Financial/Prudential Management, 2) Regulatory Compliance/Law, and 3) ICT Risk/Cybersecurity. Any deficiency in one area must be compensated by expertise in another, a factor crucial for passing the CNB’s governance test, along with evidence of mandatory annual training completion in these areas.
Official Communication (Regulatory Dialogue Management): The licensing process is an iterative dialogue. We manage all formal correspondence, including detailed responses to official “deficiency letters” which typically contain technical queries regarding the ICT infrastructure or ambiguities in the AML framework. Our role is to act as the primary interface, ensuring that all communications are prompt, legally precise, and align with the initial application strategy, including preparation for any potential on-site inspections by the CNB.
Key Regulatory Shifts and Legal Compliance Correction
The transition from a simple local registration regime to the comprehensive MiCA authorization represents a paradigm shift from registration to prudential licensing. The former system relied on notification under The Czech Trade Licensing Act (Živnostenský zákon), which regulated VASP registration primarily for AML/CFT purposes. MiCA, however, introduces systemic financial and operational oversight.
Prudential Supervision: MiCA mandates supervision over financial resilience, operational safety, and consumer protection, moving far beyond the simple AML checks of the former regime. This requires the Supervisory Authority to actively monitor the firm’s capital adequacy, governance structure, and ICT architecture on an ongoing basis, utilizing ongoing reporting metrics.
Correct Jurisdictional Terminology: Our documentation strictly uses the term “The Czech Trade Licensing Act (Živnostenský zákon)—which previously regulated VASP registration prior to MiCA” to avoid any legal ambiguity or jurisdictional conflict.
Financial Requirements and Substance
The minimum required capital is strictly mandated by MiCA and corresponds directly to the level of risk the CASP poses to consumers and the financial system:
| MiCA Service | Service Type | Required Initial Capital (Min) |
| Class 1 | Advising on, or Transferring Orders related to, crypto-assets | €50,000 |
| Class 2 | Operating Trading Platform, Custody & Administration (Non-E-money/ART) | €125,000 |
| Class 3 | Execution of Orders, Placing crypto-assets | €150,000 |
The capital must be fully subscribed, paid up, and unencumbered by any third-party claims. Furthermore, the Supervisory Authority requires evidence that this capital is held in a segregated account at a reputable EU credit institution, proving liquidity and immediate accessibility to cover regulatory requirements.
Compliance Core: AML/CFT and Governance
Comprehensive AML/CFT Policy
Our AML/CFT policy serves as the core defense against financial crime, integrating national laws with EU Directives and the specific requirements of the FAU.
Governance and Roles (Operational independence): The policy formalizes the roles of the MLRO and CCO, specifying their mandate, resources, and independence. The MLRO is granted the legal authority to suspend or block transactions deemed suspicious, and their compensation and tenure must be independent of business performance metrics to ensure objective decision-making. Their direct line of reporting to the Board of Directors is crucial for demonstrating effective oversight and mitigating conflicts of interest.
Enterprise-Wide Risk Assessment (EWRA: Quantitative Methodology): We implement a robust EWRA methodology that utilizes a quantitative scoring model where risk factors (Product, Geography, Client Type, Delivery Channel) are weighted and scored, producing an objective Composite Risk Score (CRS) for each client and activity.
Product Risk (Depth): Assessment includes the asset’s anonymity level (e.g., Zcash vs. Bitcoin), its liquidity profile, its vulnerability to market manipulation, and the maturity of its underlying protocol’s governance.
Geographical Risk (FATF Integration): Automated screening against the latest FATF high-risk and monitored jurisdictions, supplemented by internal assessment of local corruption levels (e.g., Transparency International indices) and judicial independence to determine appropriate country risk weightings, which triggers mandatory EDD.
Behavioral Risk (Crypto-Specific Typologies): The policy details specific red flag typologies unique to crypto, such as the use of lightning networks, sudden large deposits from newly created wallets, or interactions with decentralized exchanges (DEXs) known for lax KYC/AML controls, establishing threshold triggers for manual review.
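The weighted-factor model that the three items above describe, as an added worked example (not the proposal's own scoring engine). The four factors are the ones named in the text; the weights, the 1–5 scale, the jurisdiction sets, the country codes and the EDD threshold are assumptions chosen for the illustration.

```python
"""Weighted EWRA scoring with an EDD trigger.

Added illustration, not the proposal's own model. The four factors are the ones
named in the text (Product, Geography, Client Type, Delivery Channel); the
weights, the 1-5 scale, the jurisdiction sets and the thresholds are assumed
values chosen for the example, and the country codes are placeholders.
"""
from dataclasses import dataclass

# Assumed factor weights; they sum to 1.0 so the composite stays on the 1-5 scale.
WEIGHTS = {"product": 0.30, "geography": 0.30, "client_type": 0.20, "channel": 0.20}

# Constructed placeholder jurisdiction sets (not the real FATF lists).
FATF_CALL_FOR_ACTION = {"XX"}       # "black list": EDD regardless of score
FATF_INCREASED_MONITORING = {"YY"}  # "grey list"
LOW_CORRUPTION = {"CZ", "DE"}       # low-risk per an assumed corruption index

PRODUCT_SCORES = {"btc_spot": 2, "stablecoin": 2, "privacy_coin": 5}
CLIENT_TYPE_SCORES = {"retail": 2, "corporate": 3, "pep": 5, "shell_company": 5}
CHANNEL_SCORES = {"face_to_face": 1, "verified_remote": 2, "intermediary": 4}
UNKNOWN_SCORE = 4  # anything missing from a lookup table is treated as high risk

EDD_THRESHOLD = 3.5     # assumed: composite at or above this triggers EDD
MEDIUM_THRESHOLD = 2.5


@dataclass(frozen=True)
class Client:
    client_id: str
    product: str
    country: str
    client_type: str
    channel: str


def geography_score(country: str) -> int:
    """Map a jurisdiction to a 1-5 score from the FATF lists and corruption index."""
    if country in FATF_CALL_FOR_ACTION:
        return 5
    if country in FATF_INCREASED_MONITORING:
        return 4
    if country in LOW_CORRUPTION:
        return 1
    return 3  # unlisted jurisdiction: medium by default


def composite_risk_score(client: Client) -> float:
    """Weighted sum of the four factor scores, rounded to two decimals."""
    factor_scores = {
        "product": PRODUCT_SCORES.get(client.product, UNKNOWN_SCORE),
        "geography": geography_score(client.country),
        "client_type": CLIENT_TYPE_SCORES.get(client.client_type, UNKNOWN_SCORE),
        "channel": CHANNEL_SCORES.get(client.channel, UNKNOWN_SCORE),
    }
    return round(sum(WEIGHTS[k] * v for k, v in factor_scores.items()), 2)


def assess(client: Client) -> dict:
    """Return the CRS, a rating band and whether enhanced due diligence is mandatory."""
    crs = composite_risk_score(client)
    rating = "high" if crs >= EDD_THRESHOLD else "medium" if crs >= MEDIUM_THRESHOLD else "low"
    # A call-for-action jurisdiction forces EDD even when the other factors are benign.
    edd_required = crs >= EDD_THRESHOLD or client.country in FATF_CALL_FOR_ACTION
    return {"client_id": client.client_id, "crs": crs, "rating": rating,
            "edd_required": edd_required}


if __name__ == "__main__":
    # Constructed sample clients.
    for c in (
        Client("C-1", "btc_spot", "CZ", "retail", "verified_remote"),
        Client("C-2", "privacy_coin", "YY", "pep", "intermediary"),
        Client("C-3", "btc_spot", "XX", "retail", "face_to_face"),
    ):
        print(assess(c))
```

The third sample client is the case worth noticing: its composite lands in the medium band, but the FATF call-for-action rule overrides the score, which is how the "triggers mandatory EDD" sentence in the geographical-risk item is meant to work.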
CDD, KYC, and UBO (Procedural Enforcement): Procedures require a multi-layered approach: 1) Identity Verification (using certified third-party identity verification providers for biometric authentication and liveness checks), 2) UBO Identification (tracing ownership to the natural person using commercial registries and documented shareholder structures), and 3) Source of Wealth/Funds (SoW/SoF) Verification. For high-value accounts (e.g., those exceeding €100,000 in turnover), SoW requires documentary evidence (tax returns, audited financial statements) proving the legitimacy of the entire capital base.
Transaction Monitoring (Blockchain Analytics Integration): Implementation of an advanced, rule-based and behavioral-based monitoring system. This system must be integrated with specialized blockchain analytics software (e.g., Chainalysis, Elliptic) to perform real-time and post-transaction graph analysis, identifying links to known illicit entities (sanctioned wallets, darknet markets, malware addresses) and continuously monitoring sanctions lists updates.
Reporting (Regulatory Timeline Adherence): The policy strictly defines the process and timeline for the MLRO to file Suspicious Activity Reports (SAR/STR) to the FAU. This includes maintaining detailed records of all internal considerations leading to the decision, ensuring the non-tipping off requirement is never breached, and providing follow-up reports upon further investigation, with documented evidence of training on the non-disclosure mandate.
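The rule-based side of the transaction monitoring described above, as an added example (not the proposal's system and not any analytics vendor's API). It implements three of the typologies the text names: a sanctioned counterparty, a large deposit from a newly created wallet, and interaction with a DEX flagged for lax KYC. The address lists, thresholds and transactions are constructed placeholders; in practice the address sets would be refreshed from the analytics provider and sanctions feeds rather than hard-coded.

```python
"""Rule-based transaction screening with blockchain-analytics style lookups.

Added illustration, not the proposal's monitoring system or any vendor's API.
The three rules follow the typologies in the text (sanctioned counterparties,
large deposits from newly created wallets, DEXs with lax KYC); the address
sets, thresholds and transactions are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Constructed placeholder intelligence sets (not real sanctions or DEX data).
SANCTIONED_ADDRESSES = {"bc1q-sanctioned-placeholder"}
LAX_KYC_DEX_CONTRACTS = {"0x-lax-dex-placeholder"}

LARGE_DEPOSIT_EUR = 10_000.0          # assumed manual-review threshold
NEW_WALLET_AGE = timedelta(days=7)    # assumed: wallet first seen less than a week ago


@dataclass(frozen=True)
class Tx:
    tx_id: str
    timestamp: datetime
    direction: str                  # "in" (deposit) or "out" (withdrawal)
    counterparty: str               # on-chain address or contract
    amount_eur: float
    counterparty_first_seen: Optional[datetime]  # None: never seen on-chain before this tx


@dataclass(frozen=True)
class Alert:
    tx_id: str
    rule: str
    severity: str
    detail: str


def rule_sanctions(tx: Tx) -> Optional[Alert]:
    """Direct exposure to a listed address, in either direction, is always critical."""
    if tx.counterparty in SANCTIONED_ADDRESSES:
        return Alert(tx.tx_id, "SANCTIONED_COUNTERPARTY", "critical",
                     f"{tx.counterparty} is on the sanctions screening list")
    return None


def rule_new_wallet_large_deposit(tx: Tx) -> Optional[Alert]:
    """Large inbound value from a wallet that barely existed before the deposit."""
    if tx.direction != "in" or tx.amount_eur < LARGE_DEPOSIT_EUR:
        return None
    first_seen = tx.counterparty_first_seen or tx.timestamp
    if tx.timestamp - first_seen < NEW_WALLET_AGE:
        return Alert(tx.tx_id, "NEW_WALLET_LARGE_DEPOSIT", "high",
                     f"EUR {tx.amount_eur:,.0f} from wallet first seen {first_seen:%Y-%m-%d}")
    return None


def rule_lax_kyc_dex(tx: Tx) -> Optional[Alert]:
    """Interaction with a DEX contract flagged for weak KYC/AML controls."""
    if tx.counterparty in LAX_KYC_DEX_CONTRACTS:
        return Alert(tx.tx_id, "LAX_KYC_DEX_INTERACTION", "medium",
                     f"{tx.direction}bound interaction with flagged DEX {tx.counterparty}")
    return None


RULES: List[Callable[[Tx], Optional[Alert]]] = [
    rule_sanctions, rule_new_wallet_large_deposit, rule_lax_kyc_dex]


def screen(transactions: List[Tx]) -> List[Alert]:
    """Run every rule over every transaction; one tx can raise several alerts."""
    return [a for tx in transactions for rule in RULES if (a := rule(tx)) is not None]


def sample_transactions() -> List[Tx]:
    """Constructed sample batch for the example."""
    now = datetime(2025, 1, 15, 12, 0)
    return [
        Tx("t1", now, "in", "bc1q-sanctioned-placeholder", 500.0, now - timedelta(days=700)),
        Tx("t2", now, "in", "bc1q-fresh-placeholder", 25_000.0, now - timedelta(days=1)),
        Tx("t3", now, "out", "0x-lax-dex-placeholder", 3_000.0, now - timedelta(days=400)),
        Tx("t4", now, "in", "bc1q-established-placeholder", 25_000.0, now - timedelta(days=700)),
    ]


if __name__ == "__main__":
    for alert in screen(sample_transactions()):
        print(f"[{alert.severity}] {alert.tx_id} {alert.rule}: {alert.detail}")
```

Each alert carries the rule identifier and a human-readable detail so that the MLRO's record of "internal considerations leading to the decision" (the reporting item above) can cite exactly which typology fired; the fourth sample transaction is deliberately a large deposit from an old wallet, which raises nothing.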
Governance: Structure and Fit & Proper Testing
The governance framework must demonstrate that the CASP is managed with integrity and competence, focusing on systemic control.
Fit & Proper Criteria (Evidencing Competence): Beyond checking for a clean criminal record, the CNB requires evidence of relevant collective experience. We prepare detailed skills matrices for the Management Body, ensuring verifiable expertise in IT Security, Legal Compliance, and Financial Management. This includes referencing past roles, professional certifications (e.g., CRISC, CAMS), and relevant regulatory exposure, alongside a commitment to continuous professional development.
Separation of Duties and Internal Controls: Formal documentation of the Three Lines of Defense Model (Operational Management, Risk/Compliance Function, Internal Audit). The policy strictly prohibits the same individual from occupying a position in two different lines of defense for critical functions, ensuring adequate checks and balances are in place.
Internal Audit (Independent Assurance): The mandate of the Internal Audit Function must be formally approved by the Board. Its scope extends to assessing the design and operating effectiveness of the entire control environment, including the DORA framework and the MiCA Conduct of Business requirements. Audit reports must be presented directly to the independent directors, ensuring that identified weaknesses are addressed promptly and without managerial interference, with a formalized tracking mechanism for audit findings remediation.
Operational Resilience and Technology
Business Continuity (BCP/DRP) and Incident Management (DORA Alignment)
DORA shifts the focus from simple recovery to end-to-end digital operational resilience.
Business Impact Analysis (BIA) and Metric Rationale: The BIA involves calculating the maximum acceptable downtime (MAD) for each critical service and setting the corresponding RTO and RPO. For high-frequency trading platforms and client key signing services, the rationale for RPO approaching zero (no data loss tolerated) must be technically substantiated, typically via synchronous replication across geographically separated data centers. RTO must be justifiable (e.g., less than 1 hour for critical services) to avoid systemic disruption, and must be documented in the resilience plan.
BCP/DRP Development (Tiered Recovery Strategy): The DRP outlines a tiered recovery strategy. Tier 1 (Critical): Immediate automated failover (e.g., Active-Passive cluster). Tier 2 (Important): Recovery within 2-4 hours from immutable backups. The DRP includes detailed activation procedures, communication protocols (to staff, clients, and the Regulator), and designated roles and responsibilities for the recovery team, including clear criteria for declaring a disaster event.
Incident Management (DORA Reporting Mandate): The policy details the classification criteria for ICT-related incidents (e.g., impact on client trust, financial loss, service downtime). Crucially, it sets clear thresholds and procedures for immediate reporting to the CNB (DORA mandate), including the initial report, intermediate updates, and the final Root Cause Analysis (RCA) report, ensuring compliance with strict regulatory timelines (e.g., initial notification within hours), and establishing a dedicated Incident Response Team (IRT).
Mandatory Testing (Advanced Simulation): The annual testing mandate must include Red Teaming (ethical hacking) exercises and Full Interruptive Simulations where the CASP intentionally disables its primary infrastructure to validate the BCP/DRP under stress. The results of these tests, including identified weaknesses and remediation plans, must be formally reported to the Regulator, alongside evidence that corrective actions have been prioritized.
DORA Detailed: ICT Supply Chain Management
DORA emphasizes the management of risk introduced by third-party providers (TPPs).
Identification and Criticality Assessment (Risk Exposure): The CASP must maintain a dynamic inventory of all third-party ICT service providers. The criticality assessment relies on both impact analysis (consequences of TPP failure) and substitutability analysis (difficulty in replacing the TPP). Services involving core trading engines, client data storage, or key management are inherently critical.
Due Diligence and Contractual Mandates (Legal Requirements): Due diligence involves continuous monitoring of the TPP’s security certifications (e.g., ISO 27001), financial health, and adherence to geographical data residency rules. Mandatory contractual clauses required by DORA include:
Right of Termination: CASP’s right to terminate the agreement if the TPP poses a risk to the CASP’s operational resilience.
Clear SLAs: Specific, measurable, and enforceable Service Level Agreements (SLAs) with defined penalty structures for non-performance and clear performance indicators (KPIs).
Data Access Rights: Unrestricted right for the CASP to access data held by the TPP, including the right of the Regulator to conduct on-site inspections.
Exit Strategy (Feasibility and Testing): The Exit Strategy must be comprehensive, detailed, and periodically tested. This includes technical steps for migrating data (e.g., key backups, transaction logs) and functions to an alternative TPP or back in-house, demonstrating the CASP’s operational independence from a single critical provider, including a documented timeline for transition.
Client Asset Safeguarding Policy
This policy is the cornerstone of trust for any custody provider.
Principle of Segregation (Legal and Technical): Requires not only legal separation of client assets from proprietary assets but also technical separation at the blockchain level (dedicated addresses) and the institutional level (separate accounting records). The policy must detail the reconciliation process performed daily to ensure client asset holdings match recorded liabilities, with any discrepancies immediately investigated and reported to the MLRO/CCO.
Technical Key Management (HSM and Cryptographic Primitives): Mandating the use of FIPS 140-2 Level 3 certified HSMs ensures physical and logical tamper-evidence. The policy specifies cryptographic primitives used (e.g., ECC curves) and the implementation of M of N quorum schemes for key access and signature generation, eliminating the single key holder vulnerability.
MPC and Multi-Sig Protocols (Quorum Control): The policy mandates the use of Multi-Party Computation (MPC) or Multi-Signature solutions to distribute control over private key material among geographically separated and independently managed parties (e.g., internal directors, third-party fiduciaries). This is a critical control for mitigating insider risk, with a formal protocol for quorum member changes.
Insurance and Compensation (MiCA Liability): MiCA holds CASPs liable for losses of client crypto-assets (including private keys) due to operational faults, hacking, or internal fraud. The policy must evidence adequate insurance coverage (e.g., Crime, Cyber, Professional Indemnity) or sufficient capital buffers designated specifically to cover this liability, detailing the coverage limits and conditions.
Financial Resilience and Capital Structuring
Legal Transition and Grandfathering Regime
The regulatory transition requires meticulous planning to maintain legal continuity.
Grandfathering Regime (Compliance Window): Eligible CASPs operating under the former Czech Trade Licensing Act (Živnostenský zákon) regime benefit from the grandfathering period, allowing continued operation until the CNB processes their MiCA application. However, the application must be complete and submitted within the compliance window (e.g., 2024-2025). We manage the process to ensure the application is submitted as a fully complete package to prevent its rejection and the subsequent loss of grandfathering rights, providing a detailed legal opinion confirming eligibility.
EU Passporting Mechanism (Regulatory Notification): Once the CNB grants the authorization, the CASP is automatically granted the right to “passport” its services across the EU/EEA. This is achieved by submitting a formal notification package to the CNB, detailing the member states where services will be provided and the corresponding governance structure. The CNB then notifies the competent authorities of the host member states within a defined period, enabling the CASP to commence operations legally across the bloc.
Financial Resilience and Internal Capital Adequacy
MiCA imposes prudential standards to ensure the CASP can withstand financial shocks.
Operational Capital Buffer (Liquidity and Accessibility): The requirement for a reserve of at least 6 months of operational expenditures is essential for continuity. This buffer must be held in assets considered low-risk and highly liquid (e.g., Tier 1 assets under traditional banking definitions). The policy details the methodology for calculating this six-month expenditure and the rules governing its permitted use, with mandatory monthly recalculation.
Internal Capital Adequacy (ICAAP) Methodology (Pillar 2 Rationale): We develop the ICAAP methodology, which identifies and quantifies all risks not adequately covered by the minimum MiCA capital (Pillar 1). This process effectively creates the Pillar 2 buffer to cover residual risks:
Operational Risk: Including financial losses from ICT system failures (DORA-related risk), process failures, and internal/external fraud, quantified using statistical methods (e.g., loss distribution approach).
Reputational Risk: Quantifying the financial impact of negative publicity or major security breaches, often modeled as loss of future revenue or increased funding costs.
Liquidity Risk: Assessing the ability to meet short-term liabilities under stressed market conditions (e.g., sudden, massive client withdrawal requests), using a scenario-based model.
Stress Testing (Scenario Analysis): The ICAAP requires rigorous stress testing. We define and model severe, yet plausible, scenarios: 1) Market Shock (e.g., 70% drop in asset prices), 2) Operational Catastrophe (e.g., loss of a critical data center), and 3) Credit Shock (e.g., failure of a key banking partner). These simulations determine the amount of Pillar 2 capital needed to ensure survival, with results reviewed annually by the Board.
Key Management and Cyber Resilience
Cyber Resilience Architecture and Technical Mandates
The CASP’s cryptographic architecture is subject to intense scrutiny.
Security Architecture (Key Ceremony Protocol): Beyond FIPS 140-2 Level 3, the policy details the Key Generation Ceremony protocol, which is a multi-step, auditable process performed in a secured environment, requiring multiple security personnel. The resulting key material (seed phrases) must be split and dispersed across secure, geographically disparate locations, utilizing cryptographic techniques like Shamir’s Secret Sharing.
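What "split and dispersed using Shamir's Secret Sharing" and the "M of N quorum" of the earlier key-management item mean mechanically, as an added example (not the proposal's ceremony tooling and not any HSM vendor's code). It splits a constructed 32-byte seed into 5 shares of which any 3 reconstruct it, over the prime field GF(2^521 - 1); the seed is derived from a label and is not real key material, and a real ceremony would use an audited library with HSM-resident keys rather than a script.

```python
"""Shamir's Secret Sharing over a prime field, with an M-of-N quorum check.

Added illustration, not the proposal's key-ceremony tooling or any HSM
vendor's implementation. The seed below is constructed from a label and is
not real key material.
"""
import hashlib
import secrets
from typing import List, Tuple

# Mersenne prime comfortably larger than a 32-byte (256-bit) seed.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, n: int) -> List[Share]:
    """Split `secret` into n shares so that any `threshold` of them recover it."""
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the given shares.

    With fewer than `threshold` shares this returns a wrong value silently,
    which is exactly why a quorum check has to sit in front of it.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def quorum_recover(shares: List[Share], threshold: int, secret_len: int) -> bytes:
    """Enforce the M-of-N rule: refuse to reconstruct unless the quorum is met."""
    unique = list({x: (x, y) for x, y in shares}.values())  # ignore duplicate shares
    if len(unique) < threshold:
        raise PermissionError(f"quorum not met: {len(unique)} of {threshold} distinct shares")
    return recover_secret(unique[:threshold]).to_bytes(secret_len, "big")


# Constructed example seed (32 bytes), not real key material.
EXAMPLE_SEED = hashlib.sha256(b"constructed example seed, not real key material").digest()

if __name__ == "__main__":
    shares = split_secret(EXAMPLE_SEED, threshold=3, n=5)
    chosen = [shares[0], shares[2], shares[4]]  # any three geographically dispersed holders
    print("recovered:", quorum_recover(chosen, 3, len(EXAMPLE_SEED)) == EXAMPLE_SEED)
```

The point a reviewer should take from the two-share case is that the mathematics does not fail loudly: interpolation with too few shares yields a plausible-looking but wrong field element, so the quorum rule must be enforced by procedure and tooling (here `quorum_recover`), not inferred from a failed reconstruction.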
Access Management (Role-Based Access Control – RBAC): The Zero-Trust model is implemented via strict Role-Based Access Control (RBAC). Permissions are tied to the specific job role (e.g., “Transaction Approval,” “System Administration,” “Compliance Review”), are reviewed quarterly, and require mandatory Just-In-Time (JIT) access granting for elevated privileges, minimizing the window for abuse.
Cryptographic Agility and Sunset Clauses: The policy defines a mechanism for evaluating and migrating away from outdated or compromised cryptographic algorithms (e.g., setting a sunset date for SHA-1 or older key lengths) and incorporating new standards, such as Post-Quantum Cryptography (PQC) monitoring.
Risk Matrix for Storage (Cold/Hot Segregation): The policy mandates precise thresholds for asset allocation between Cold Storage (air-gapped, majority of funds) and Hot Storage (online, minimal operational liquidity). Withdrawal mechanisms from Cold Storage must involve multiple, time-delayed, manual steps (e.g., 48-hour delay), and transactions must be signed by members of the key quorum.
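The withdrawal control just described, as an added example (not the proposal's custody platform): a cold-storage withdrawal request that can only be released once a quorum of key holders has approved it and the 48-hour delay has elapsed, plus a check of the hot-wallet ceiling. The 48-hour delay and the quorum-signing rule come from the text; the 3-of-5 quorum, the 5% hot-wallet share, the member names and the amounts are assumptions, and approvals here are recorded decisions standing in for the signatures an HSM-backed quorum would produce.

```python
"""Time-locked, quorum-approved cold-storage withdrawal and hot-wallet ceiling.

Added illustration, not the proposal's custody platform. The 48-hour delay and
the quorum-signing rule come from the text; the 3-of-5 quorum, the 5% ceiling,
the member names and the amounts are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Tuple

COLD_WITHDRAWAL_DELAY = timedelta(hours=48)  # from the text
QUORUM_M = 3                                 # assumed M-of-N
HOT_WALLET_MAX_SHARE = 0.05                  # assumed: hot wallet <= 5% of total holdings


class PolicyViolation(Exception):
    """Raised when a step would break the custody policy."""


@dataclass
class ColdWithdrawal:
    request_id: str
    amount: float
    destination: str
    requested_at: datetime
    quorum_members: FrozenSet[str]
    approvals: Dict[str, datetime] = field(default_factory=dict)
    executed: bool = False

    def approve(self, member: str, at: datetime) -> None:
        """Record one quorum member's approval; outsiders and duplicates are rejected."""
        if member not in self.quorum_members:
            raise PolicyViolation(f"{member} is not a quorum member")
        if member in self.approvals:
            raise PolicyViolation(f"{member} already approved")
        if at < self.requested_at:
            raise PolicyViolation("approval predates the request")
        self.approvals[member] = at

    def check(self, now: datetime) -> Tuple[bool, str]:
        """Tell whether execution is allowed right now, and why not if it is not."""
        if self.executed:
            return False, "already executed"
        if len(self.approvals) < QUORUM_M:
            return False, f"quorum not met ({len(self.approvals)}/{QUORUM_M})"
        unlock_at = self.requested_at + COLD_WITHDRAWAL_DELAY
        if now < unlock_at:
            return False, f"time lock active until {unlock_at:%Y-%m-%d %H:%M}"
        return True, "ok"

    def execute(self, now: datetime) -> dict:
        """Release the withdrawal only when both the quorum and the delay are satisfied."""
        allowed, reason = self.check(now)
        if not allowed:
            raise PolicyViolation(reason)
        self.executed = True
        return {"request_id": self.request_id, "amount": self.amount,
                "destination": self.destination, "signers": sorted(self.approvals)}


def hot_wallet_action(hot_balance: float, cold_balance: float) -> Tuple[str, float]:
    """Decide whether the hot wallet exceeds its ceiling and how much to sweep to cold."""
    ceiling = (hot_balance + cold_balance) * HOT_WALLET_MAX_SHARE
    if hot_balance > ceiling:
        return "sweep_to_cold", round(hot_balance - ceiling, 8)
    return "within_limit", 0.0


def walkthrough() -> dict:
    """Constructed scenario: a request refused twice, then released after the delay."""
    t0 = datetime(2025, 1, 10, 9, 0)
    w = ColdWithdrawal("CW-1", 12.5, "bc1q-destination-placeholder", t0,
                       frozenset({"dir_a", "dir_b", "dir_c", "fiduciary_d", "fiduciary_e"}))
    w.approve("dir_a", t0 + timedelta(hours=1))
    w.approve("fiduciary_d", t0 + timedelta(hours=2))
    early_two = w.check(t0 + timedelta(hours=3))          # quorum short
    w.approve("dir_c", t0 + timedelta(hours=4))
    early_three = w.check(t0 + timedelta(hours=24))       # quorum met, lock still active
    receipt = w.execute(t0 + timedelta(hours=49))         # both conditions satisfied
    return {"early_two": early_two, "early_three": early_three, "receipt": receipt}


if __name__ == "__main__":
    print(walkthrough())
    print(hot_wallet_action(hot_balance=80.0, cold_balance=920.0))
```

The two checks are independent on purpose: a full quorum cannot shorten the delay, and waiting out the delay does not excuse a missing signer, which is what makes the delay useful against a compromised or coerced subset of key holders.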
Advanced Cyber Security Measures
FinOps and Cloud Governance: Integration of the FinOps methodology for managing cloud provider costs and risks (DORA). Ensuring Geographical Redundancy (Geo-Redundancy) for critical data and services across different cloud regions and providers to mitigate concentration risk.
Post-Quantum Cryptography (PQC) Strategy: Development of a formal strategy for monitoring NIST standards and creating a phased transition plan towards Hybrid Cryptographic Methods to protect long-term data holdings and existing key material from future quantum threats, with clear milestones for implementation.
Security Information and Event Management (SIEM): Implementation of a centralized SIEM system to aggregate and analyze security logs. The SIEM must be configured to detect crypto-specific threats, generate alerts based on behavioral anomalies, and integrate threat intelligence feeds from industry sources.
Continuous Vulnerability Management: Policy mandating automated, continuous scanning of all network applications and infrastructure, followed by a prioritized patching and remediation procedure, governed by a dedicated Vulnerability Management Committee.
HR, Training, and Risk Culture
The human element is recognized by DORA and MiCA as a primary source of operational risk.
Training Mandates and Competence Assessment
Mandatory Security Training: Policy mandating compulsory, role-specific, and annual cyber security awareness training for all personnel. This includes specialized training for IT and compliance staff on secure coding practices and regulatory reporting. Training modules must be tracked and completion logged for audit purposes.
Phishing Simulation and Testing: Implementation of an ongoing, randomized testing regime, including phishing simulation campaigns, to measure and document staff susceptibility to social engineering attacks. Results must be reported to the Board of Directors, and targeted retraining must be provided to failing employees.
Competence and Certification: Requirement that personnel in critical roles (MLRO, CCO, key IT personnel) possess and maintain relevant professional certifications (e.g., CISA, CISSP) and demonstrate continuous professional development, supported by a formal budget allocation for external courses and conferences.
Whistleblowing Policy and Internal Governance
Whistleblowing Policy: Creation of a secure, confidential, and non-retaliatory internal channel for staff to report actual or suspected breaches of AML, DORA, or internal governance policies. The policy must ensure reports are handled by an independent function (e.g., Internal Audit), guaranteeing anonymity where requested.
Risk Culture Framework: Development of a formal framework to define and promote a strong, institution-wide Risk Culture. This includes integrating risk management and compliance metrics into performance appraisals and ensuring that risk awareness is embedded in decision-making processes, from the Board down to the operational level.
Market Integrity and Trading Rules
This chapter addresses the specific MiCA requirements for CASPs operating trading platforms, focusing on fair and orderly markets.
Fair, Orderly, and Transparent Trading
Trading Rules and Protocols: Establishment of detailed, publicly available Trading Rules that govern order execution, matching logic, and fee structures. These rules must ensure fair and non-discriminatory access to the platform for all participants.
Best Execution Policy: Implementation of a Best Execution Policy requiring the CASP to take all sufficient steps to obtain the best possible result for its clients when executing orders, considering price, costs, speed, likelihood of execution and settlement, and any other relevant factors. The policy details the process for continuous monitoring of execution quality.
Pre- and Post-Trade Transparency: Maintaining stringent Transparency Requirements. This includes: 1) Pre-trade transparency (publishing bid and ask prices and depths for relevant crypto-assets before execution) and 2) Post-trade transparency (publishing transaction volume, price, and time immediately after execution, where technically feasible).
System Capacity and Scalability: Mandatory stress testing of the trading platform’s capacity and scalability to handle peak trading volumes and high volatility without experiencing systemic outages, with results reported to the CNB.
Prohibition of Market Abuse and Surveillance
Market Abuse Surveillance System: Implementation of an automated, real-time Market Abuse Surveillance System designed to detect and prevent insider dealing (unlawful disclosure of inside information) and market manipulation (e.g., wash trading, spoofing, layering). The system must monitor trading patterns across multiple metrics.
Insider List Maintenance: Maintenance of a detailed, updated Insider List of all persons having access to Inside Information relating to the crypto-assets traded on the platform or the CASP itself. The list must be provided to the Regulator upon request.
Training on Market Abuse: Compulsory training for all trading, compliance, and IT staff on the MiCA rules concerning market abuse and the use of inside information.
Conflict of Interest and Employee Conduct
This chapter ensures the CASP’s internal structure protects clients from conflicts arising from the dual roles inherent in financial services.
Conflict of Interest Policy
Identification and Management: Development of a comprehensive Conflict of Interest Policy that identifies potential conflicts between: 1) The CASP and its clients, 2) Clients themselves, and 3) The CASP’s employees and the CASP/clients. Identified conflicts must be categorized (e.g., material, non-material).
Disclosure and Mitigation: Mandatory requirement to disclose any material conflict of interest to the client before providing the service. Where disclosure is insufficient, the CASP must implement robust structural measures (e.g., information barriers/Chinese Walls) to mitigate the conflict, ensuring client interests are prioritized.
Personal Trading Policy: Strict policy governing the personal trading of crypto-assets by all employees, especially those with access to price-sensitive information or operational control. This policy includes mandatory pre-clearance of trades, black-out periods, and restrictions on short-term trading.
Employee Code of Conduct and Gifts/Inducements
Code of Conduct: Establishment of a formal, documented Employee Code of Conduct covering ethical behavior, confidentiality requirements, and the handling of client information (MiCA, GDPR, and AML compliance). Violations result in mandatory disciplinary action.
Gifts and Inducements: Clear rules on the acceptance of gifts, entertainment, or non-monetary benefits (inducements) from third parties. Any inducement must be assessed to ensure it does not compromise the employee’s duty to act in the best interest of the client. Thresholds for reporting and mandatory rejection must be defined.
Advanced Prudential Reporting and Regulatory Dialogue
This chapter details the mechanisms for ongoing communication and mandatory financial reporting to the CNB.
Prudential and Conduct of Business Reporting
Periodic Reporting: Mandatory submission of Prudential Reports (quarterly or semi-annually) detailing the CASP’s compliance with initial capital requirements (Pillar 1), the Pillar 2 capital buffer, liquidity metrics, and financial forecasts.
Conduct of Business Reporting: Regular reporting on key client protection metrics, including the volume and nature of client complaints, results of the best execution monitoring, and compliance with suitability/appropriateness testing procedures.
Annual Compliance Statement: Submission of an Annual Compliance Statement signed by the CCO and CEO, attesting that the firm has adhered to all relevant MiCA, DORA, and AML/CFT regulations during the preceding year.
Regulatory Communication and Change Management
Material Change Notification: Mandatory pre-notification to the CNB of any material changes to the business plan, ownership structure, governance body (management changes), outsourcing arrangements (DORA), or the services provided.
Data Requests and Inspections: Establishing a protocol for responding promptly and accurately to ad-hoc data requests from the CNB or the FAU. This includes procedures for facilitating on-site inspections, ensuring that requested documents and personnel are readily available.
Client Protection, DLT Risk, and Maintenance
Client Protection and Disclosure Requirements
White Paper Disclosure: For crypto-asset issuers: preparation and mandatory publication of the MiCA White Paper. The document must contain exhaustive, verified information about the issuer, the asset, its underlying technology, all material risks, and, where applicable, environmental impact.
Suitability and Appropriateness: For services involving advising or complex assets, the CASP must conduct a robust Suitability/Appropriateness Test. This test uses a formal risk tolerance assessment and financial profile analysis to ensure the client understands the risks and the service aligns with their investment objectives.
DLT/DeFi Risk Management and Smart Contracts
Smart Contract Audit: A clear requirement that all Smart Contracts used for managing or interacting with client assets must undergo independent, reputable security audits prior to deployment.
DLT Interaction and Liability: Policy for identifying, measuring, and mitigating risks arising from interaction with external DLT/DeFi protocols (e.g., Oracle attack risk). The policy must clearly define the boundaries of CASP liability regarding protocol failure.
Post-Licensing Compliance and Reporting Maintenance
AML/CFT Updates: Annual review and update of the Enterprise Risk Assessment (EWRA) and continuous filing of SARs/STRs with the FAU.
DORA Notifications: Documented procedures for classifying and immediate reporting of major ICT incidents.
Complaints Handling and ADR: Formal procedures for the swift and impartial handling of client complaints. The CASP must inform clients about the availability of an Alternative Dispute Resolution (ADR) mechanism.
FAQ
The MiCA CASP license is the mandatory pan-European authorization. As of 2026, it is issued and supervised exclusively by the Czech National Bank (CNB), replacing the old VASP registration.
No. The transitional period (grandfathering rights) has concluded. Operating solely under the old Trade License registration is illegal as of 2026, and any non-authorized entity will face severe consequences.
The minimum initial capital requirement is tiered: €50,000, €125,000, or €150,000, depending on the class of services you intend to provide.
The total process, from submission to final authorization, typically takes between 6 to 8 months. The pre-application preparation phase is also intensive.
Once the CNB grants the license, the provider can automatically "passport" its authorized services to all other EU and EEA Member States without needing separate local licensing.
You must appoint at least two Fit & Proper management board members. A qualified MLRO (Money Laundering Reporting Officer) and CCO (Compliance Officer) must also be appointed, with the CNB rigorously assessing their integrity and competence.
Yes, but indirectly. The CASP license covers services related to issuance (e.g., placing/advice). However, the token issuance itself requires a separate MiCA White Paper approval from the CNB for that specific token, unless an exemption applies (e.g., small offering or utility token exemption).
Regulatory Fees: CNB fees are generally modest. The primary cost stems from specialized legal, compliance, and IT consulting/auditing fees required to draft the comprehensive policy documentation, typically ranging from €50,000 to €150,000, depending on the firm’s complexity and the required MiCA class.
MiCA governs regulation, not taxation. Crypto activities remain subject to standard Czech corporate and income tax laws. The CNB license increases the compliance burden but does not change the favorable tax treatment of capital gains on crypto (0% VAT applies to exchange/trading services).
Outsourcing is permitted but requires strict contractual safeguards. The contract must grant the CNB and the CASP’s internal auditors full, unrestricted access to the service provider’s data and facilities for inspection. The CASP management remains fully accountable for the outsourced function's compliance.
