Crypto License in Poland
Poland's Strategic Gateway to EU Compliance
The Republic of Poland, Central Europe’s largest economy and a cornerstone member of the European Union, is rapidly becoming the premier strategic jurisdiction for Digital Asset Service Providers (DASPs) seeking a compliant gateway into the highly regulated European market. Securing a regulatory permit in Poland is not just about local compliance; it is a critical strategic move toward MiCA Passporting across all 27 EU member states, offering unparalleled market reach from a stable, well-regarded jurisdiction that is favored for its robust legal framework and proactive regulatory authorities.
This definitive, in-depth manual provides an exhaustive, phase-by-phase roadmap for successfully navigating both the current national framework—the Polish Act on Counteracting Money Laundering and Terrorist Financing (AML Act)—and the rigorous forthcoming requirements for MiCA Crypto-Asset Service Provider (CASP) Authorization overseen by the Polish Financial Supervision Authority (KNF). We will detail the exact steps, governance mandates, technical requirements (including DORA and Travel Rule compliance), and the ultimate benefits of MiCA Passporting from Poland.
Executive Summary: VASP vs. MiCA CASP
This table summarizes the core regulatory differences and strategic advantages of the two key regulatory stages in Poland:
The National Foundation – How to Obtain VASP Registration in Poland
How to Get Registration as a VASP in Poland
The current foundation of crypto regulation in Poland is the AML Act, which transposes the EU’s Anti-Money Laundering Directives. This legislation mandates the registration of all Virtual Asset Service Providers (VASPs). The system is supervised by the GIIF (Poland’s Financial Intelligence Unit) and administered by the Ministry of Finance.
Step 1: Defining the Scope and Establishing a Polish Legal Entity
The initial step requires precise identification of the services offered, which determines the classification of the entity as a Virtual Currency Activity provider under the Polish AML Act.
Service Identification: Registration is mandatory for any entity providing one or more of the following services, which must be explicitly listed in the application:
Fiat-to-Crypto/Crypto-to-Fiat Exchange Services: Operating platforms for exchanging virtual currencies for fiat currencies (PLN, EUR, etc.) or vice versa.
Crypto-to-Crypto Exchange Services: Facilitating the exchange of one virtual currency for another.
Intermediation in Exchange: Acting as a broker, agent, or intermediary in the exchange services.
Custody Services (Wallet Providers): Services to safeguard or administer private cryptographic keys on behalf of clients, including hosted crypto wallets.
Polish Legal Entity: The applicant must be incorporated in Poland, typically as a Spółka z ograniczoną odpowiedzialnością (Sp. z o.o.)—a Limited Liability Company.
Minimum Share Capital: The statutory minimum for the company is a nominal PLN 5,000 (approx. €1,200). Crucially, while this satisfies the company registration, significant additional capital must be injected later to meet MiCA requirements.
Local Substance: The entity must have a registered office address in Poland. While a full physical office is not strictly mandated for VASP registration, the future KNF authorization requires demonstrable operational control and management from Poland, making a robust virtual or physical presence essential from the start.
Step 2: Personnel Scrutiny and Qualification (Fit and Proper Light)
Polish law enforces a qualification standard for the management and beneficial owners of a VASP, focusing heavily on professional integrity:
Management Board Requirements: Every member of the management board and all Ultimate Beneficial Owners (UBOs) must submit statutory declarations confirming their:
Lack of Criminal Record: Specifically, a declaration confirming no convictions for offenses related to money laundering, terrorist financing, or serious economic crimes. This requirement is non-negotiable and requires recent criminal record checks (typically within the last three months).
Professional Qualification: The applicant must prove that the individuals responsible for the crypto activity possess the requisite knowledge or experience. This is met either by:
Demonstrating at least one year of professional experience in virtual currency activities, OR
Completing a specialized training or course covering the legal and practical issues related to virtual currency activities under the Polish AML Act.
Step 3: Core Compliance Documentation and Submission
The cornerstone of the application is the AML documentation:
Internal AML/CTF Procedure Manual: This comprehensive document (often exceeding 100 pages) must detail the firm’s commitment to a risk-based approach, including:
Enterprise-Wide Risk Assessment (EWRA): A documented assessment of ML/TF risks associated with customers, services, geographic areas, and delivery channels.
Customer Due Diligence (CDD) Procedures: Detailed protocols for client identification, verification, ongoing monitoring, and the use of reliable, independent sources for data.
Source of Wealth/Funds (SOW/SOF) Protocols: Robust procedures for establishing the origin of a client’s wealth (SOW) and the specific funds used in a transaction (SOF)—a major point of regulatory focus.
Submission and Timeline: The application, which includes the corporate data, personnel declarations, and the AML Manual, is submitted electronically to the designated Polish Tax Administrative Chamber.
Statutory Timeline: The Polish authority has a statutory deadline of 14 days to process the application and register the entity in the VASP Register, provided the documentation is complete and free of defects.
Application Fee: The process requires a nominal stamp duty fee, currently PLN 616 (approx. €150).
VASP Post-Registration and Ongoing AML Obligations
Obtaining VASP registration is only the first step. Polish law imposes rigorous, ongoing compliance and reporting obligations that must be maintained diligently until the entity transitions to MiCA. Failure to adhere to these obligations constitutes a serious violation of the AML Act.
The Mandatory GIIF Quarterly Reporting
Since late 2023, the General Inspector of Financial Information (GIIF) has made quarterly statistical reporting mandatory for all registered VASPs in Poland (as announced in Communication No. 67).
Report Scope: This is a comprehensive, electronic report consisting of approximately 300 questions covering detailed operational metrics, including:
Statistical data on client volumes and types (e.g., number of corporate vs. individual clients).
Breakdown of transaction volumes and values by service type (exchange, custody, etc.).
Details on the total value of fiat exchanged and crypto-assets held in custody.
Information on AML/CTF measures taken, including the number of Suspicious Transaction Reports (STRs) filed.
Submission Schedule: Reports must be submitted quarterly within 18 days of the end of the quarter to which the data relates (e.g., Q1 report due by April 18).
Technical Requirement: Submissions are only accepted through the GIIF’s dedicated ICT system. Critically, the submission must be signed using a Qualified Electronic Signature (QES). A simple Polish Trusted Profile is insufficient; a full QES must be acquired and maintained by the designated AML Officer or contact person.
Ongoing AML Duties and Travel Rule Implementation
Beyond statutory reporting, the VASP must continuously enforce its AML/CTF policies:
Risk Assessment Update: The EWRA must be reviewed and updated annually or whenever a significant change in the business model, technology, or regulatory landscape occurs (e.g., a new product launch).
Transaction Monitoring and FATF Travel Rule: The VASP must have systems in place for real-time monitoring of transactions. The Polish regulatory environment is an early and strict adopter of the FATF Travel Rule (TFR), mandating that customer data (name, address, account number, LEI/official identifier) be collected and transmitted for all crypto-asset transfers, regardless of value (zero-threshold). Compliance requires integrating specialized RegTech Travel Rule software into the operational system.
Mandatory Training: All employees, especially those involved in operations and compliance, must undergo mandatory, documented annual AML training specific to Polish law and virtual asset risks.
Request more information
Preparing for MiCA – How to Prepare for KNF CASP Authorization
How to Prepare for MiCA CASP Authorization with the KNF
The transition from a VASP registration to a full MiCA CASP Authorization requires a fundamental shift in corporate structure, financial stability, and governance, as the supervision moves from the GIIF (AML focus) to the Polish Financial Supervision Authority (KNF) (Prudential and Investor Protection focus).
Step 1: The MiCA Capital Injection Requirement
The KNF will not accept an application unless the firm meets the new, substantially higher minimum initial capital requirements:
Own Funds Rule: Following authorization, the CASP must, at all times, maintain Own Funds equal to the greater of the fixed minimum capital OR a quarter (25%) of its Fixed Overhead Requirement (FOR) from the preceding year. This demands continuous liquidity and prudent financial planning, subject to KNF audit.
Step 2: Enhanced Governance and the Fit and Proper Test
The KNF’s scrutiny of management is rigorous, reflecting the standards for traditional investment firms. The “Fit and Proper” assessment applies to management board members, supervisory board members, and qualifying shareholders (holding 10% or more).
Good Repute Assessment (Integrity):
Applicants must provide detailed, recent criminal records and declarations from all relevant jurisdictions.
They must disclose any pending investigations, regulatory enforcement actions, disqualifications, or involvement in insolvency proceedings.
Any past rejections or revocations of licenses/registrations by any financial authority (EU or global) must be fully disclosed and explained.
Knowledge, Skills, and Experience (Competence):
Collective Competence: The management board, as a whole, must possess sufficient knowledge of the crypto-asset market, technology, and EU/Polish regulatory frameworks to effectively govern the CASP.
Individual Competence: Each executive must demonstrate expertise relevant to their function (e.g., the CEO must understand strategy and risk, the Compliance Officer must master AML/MiCA rules).
Local Knowledge: The KNF expects management, particularly the local representative, to have strong knowledge of Polish law and the local financial market context, alongside the overarching MiCA and ESMA guidelines.
Organizational Structure Mandates: The CASP must demonstrate that it is structured as a robust financial institution, including mandatory functions:
A minimum of two members on the management board.
Independent Risk Management Function (dedicated to measuring and mitigating operational, market, and cyber risks).
Independent Internal Audit Function (mandatory for larger firms, or demonstrated control mechanisms for smaller firms).
Mandatory procedures for managing and mitigating Conflicts of Interest.
Step 3: DORA, ICT, and Operational Resilience
The Digital Operational Resilience Act (DORA), which applies to CASPs, introduces a critical technical layer to the KNF’s authorization review. This moves compliance beyond just policies to proven operational durability.
ICT Risk Management Framework: The CASP must establish, document, and maintain a robust framework to manage its Information and Communication Technology (ICT) risk, including:
Identification: Mapping all critical ICT functions and assets.
Protection: Implementing strong security measures, including cryptographic standards and access controls.
Detection & Containment: Systems for detecting threats and containing incidents (e.g., cyberattacks, system failures).
Business Continuity and Disaster Recovery Planning (BCP/DRP):
Mandatory development of detailed BCP/DRP plans that ensure the firm can resume its operations, especially critical services like custody and exchange, following a major disruption.
These plans must be regularly tested (at least annually) and the results documented and presented to the KNF.
Incident Reporting: A clear protocol for classifying and reporting major ICT-related incidents to the KNF in a timely manner, adhering to strict DORA thresholds and timelines.
Strategic Positioning – MiCA Passporting from Poland
The Value of MiCA Passporting from Poland
The ultimate reward for the rigorous KNF authorization process is the MiCA Passport. This status allows the Polish-authorized entity to legally provide its authorized crypto services—from custody and exchange to advice and portfolio management—across all 27 EU member states.
This pan-European operational right is exercised through a simple notification procedure to the KNF, which then informs the competent authorities in the target host member states. This eliminates the need for 27 separate national authorizations, cementing Poland as an exceptionally valuable gateway for European market access.
The MiCA Transition and Strategic Roadmap
The transition period from VASP registration to CASP authorization is not just a regulatory obligation; it is a time-bound strategic opportunity.
-
The Grandfathering Clause: Existing VASPs in Poland are permitted to continue operating under the old national regime until the end of the transition period (expected mid-2026, though Polish law may accelerate the deadline).
-
The Strategic Advantage: Obtaining the current VASP registration now is the single most powerful preparatory step. An existing, GIIF-approved VASP is in a “fast-track” position because:
-
It already possesses the required AML manual and structure.
-
Its management has passed the initial fit and proper assessment.
-
It has established a Polish legal entity and operational history.
-
It demonstrates a track record of compliance and adherence to quarterly GIIF reporting, significantly boosting credibility with the KNF during the CASP application.
-
Oversight and Penalties for Non-Compliance
Compliance failure in the Polish jurisdiction is met with severe penalties under both the current AML Act and the forthcoming MiCA framework, making investment in professional compliance non-negotiable.
-
Penalties under the Polish AML Act (VASP Non-Compliance)
-
Financial Fines for Legal Persons (Companies): Up to €5,000,000 (or 10% of the total annual turnover in the last approved financial statement, whichever is higher).
-
Financial Fines for Natural Persons (Management): Up to PLN 20,868,500 (approx. €4,800,000).
-
Administrative Sanctions:
-
Prohibition from performing managerial duties for the individual responsible for the breach for up to one year.
-
Removal of the entity from the Register of Virtual Currency Activities (effectively a death sentence for the business).
-
-
Criminal Sanctions: In severe cases, particularly involving failure to report suspicious transactions or deliberate falsification, the AML Act provides for criminal sanctions ranging from a fine to imprisonment from 3 months to 5 years.
-
-
Penalties under MiCA (CASP Non-Compliance)
-
Public Censure: The KNF may publicly disclose the breach and the responsible person.
-
Withdrawal of Authorization: The ultimate sanction, resulting in the immediate cessation of all EU-wide crypto-asset services.
-
MiCA Fines: The KNF is empowered to impose administrative fines, which, for a legal person, can reach €5,000,000 or up to 3% of the annual turnover, whichever is higher, for severe infringements.
-
Estimated All-in Costs and Timeframes (Excluding Capital)
The total cost and time for securing the license are substantial investments that should be accounted for in the business plan:
FAQ
Currently, crypto firms must obtain VASP registration under the Polish Act on Counteracting Money Laundering and Terrorist Financing (AML Act). This national system is primarily focused on AML/KYC compliance and the integrity of management, and is overseen by the Ministry of Finance (MoF) and the GIIF (Polish FIU).
Registration is mandatory for entities providing four core services: 1) Fiat-to-Crypto/Crypto-to-Fiat Exchange, 2) Crypto-to-Crypto Exchange, 3) Intermediation in Exchange, and 4) Custody Services (safeguarding private keys, including hosted wallet services).
The primary regulator for the full EU MiCA license (the CASP Authorization) will be the KNF (Polish Financial Supervision Authority). The KNF, which currently oversees banks and capital markets, is designated as Poland's Competent National Authority (CNA) for MiCA.
The two main personnel requirements are: 1) Passing a Fit and Proper Test (confirming no criminal record in economic or financial crimes) for all directors and Ultimate Beneficial Owners (UBOs); and 2) Appointing an experienced AML Compliance Officer (MLRO) who must have at least one year of experience in the sector or relevant training.
MiCA drastically increases the capital requirement. While the current VASP registration requires only a nominal capital (approx. €1,200), MiCA mandates minimum initial capital ranging from €50,000 to €150,000, depending on the service class (e.g., Custody/Exchange requires at least €125,000).
VASPs legally operating in Poland before December 30, 2024, benefit from an EU-level transitional period that allows them to continue operations under their national registration until July 1, 2026. However, they must apply for the full CASP authorization with the KNF within a short grace period (likely 3 months) after the national MiCA law is enacted.
Yes. Poland is a strict enforcer of the FATF Travel Rule via the EU's Transfer of Funds Regulation (TFR). For transfers between CASPs, the rule applies with a zero threshold, meaning mandatory collection and transmission of originator and beneficiary data (name, address, account details) is required for virtually all transactions.