Every crypto company operating in Spain faces the same hard deadline: July 1, 2026. From that date, the EU's MiCA regulation enters full enforcement. Operating without a CASP (Crypto-Asset Service Provider) license issued by the CNMV is a criminal offense in all 27 EU member states, with fines of up to €5 million per violation.
The Banco de España VASP registry — which governed Spanish crypto operators since 2021 — was formally abolished on December 30, 2024. The old registration is no longer sufficient. Every exchange, custodian, wallet provider, and crypto advisory firm in Spain needs a MiCA CASP authorization before the deadline.
This checklist covers every requirement. Use it to assess your current compliance status and prioritize what to tackle first.
| Deadline | Milestone |
|---|---|
| Jul 1, 2026 | MiCA Full Enforcement |
| Mar 31, 2027 | Modelo 173 Annual Filing |
| Sep 30, 2027 | DAC8 Implementation |
What Is a CASP License?
A CASP license is a full financial services authorization under MiCA (EU Regulation 2023/1114). It replaces the former VASP registration and grants an EU passport — meaning one CNMV authorization lets you operate in all 30 EEA countries without separate national applications.
The key difference from the old Banco de España registration: a CASP license requires minimum capital, segregated client assets, whitepaper disclosures, market abuse surveillance, and ongoing regulatory reporting. It is not an AML registration — it is a license equivalent to a brokerage or payment institution authorization.
Bit2Me (BITCOINFORME S.L.) became the first Spanish-speaking fintech to receive CNMV CASP authorization in July 2025. Criptan followed in March 2026. The CNMV application queue is growing — earlier applications receive earlier reviews.
Step 1: Determine Which CASP Services You Provide
MiCA authorizes specific crypto-asset services. Your license covers only the services you apply for. Identify every service your firm currently offers or plans to offer:
- Custody and administration of crypto-assets on behalf of clients
- Operation of a trading platform for crypto-assets
- Exchange of crypto-assets for funds (fiat-to-crypto, crypto-to-fiat)
- Exchange of crypto-assets for other crypto-assets
- Execution of orders for crypto-assets on behalf of clients
- Placing of crypto-assets (without firm commitment)
- Reception and transmission of orders for crypto-assets on behalf of clients
- Providing advice on crypto-assets
- Providing portfolio management of crypto-assets
- Providing transfer services for crypto-assets on behalf of clients
Step 2: Meet Minimum Capital Requirements
Capital under MiCA is a permanent floor — not a one-time deposit. Your firm must maintain it continuously and report to CNMV if it falls below threshold.
| Services | Minimum Capital |
|---|---|
| Advice + order reception/transmission only | €50,000 |
| Execution, exchange, portfolio management | €125,000 |
| Custody and safekeeping | €150,000 |
| Operating a trading platform | €150,000 |
- Verify current paid-in capital meets the threshold for your service mix
- Establish capital monitoring process (monthly reconciliation)
- Document capital adequacy in board minutes
- Identify trigger for immediate CNMV notification if capital falls below minimum
Step 3: Build Your Governance Framework
MiCA requires a "robust organizational structure" before the CNMV will approve an application. This is typically the longest step for startups and fintechs that have grown informally.
- Define a clear organizational chart with separate compliance and risk functions
- Appoint a MLRO (Money Laundering Reporting Officer) — must be a natural person, Spanish resident or EU-authorized
- Appoint at least two directors with sufficient crypto and financial services experience
- Establish a board-level Risk and Audit Committee (or equivalent oversight body)
- Draft and adopt internal policies: conflict of interest, remuneration, safeguarding, complaints
- Implement business continuity and IT disaster recovery plans
- Document all material outsourcing arrangements (cloud providers, third-party custodians)
CNMV applications are most frequently rejected or delayed due to insufficient governance documentation — specifically, the absence of a dedicated compliance officer and undocumented conflict-of-interest policies. Address these before submitting.
Step 4: Client Asset Segregation
MiCA prohibits CASPs from using client assets for their own account. Segregation must be operational, documented, and auditable before the CNMV review.
- Open segregated bank accounts for client fiat funds — separate from firm operating accounts
- Use separate wallets or sub-addresses for client crypto-assets vs. firm reserves
- Implement daily reconciliation of client balances vs. custodied assets
- Document the segregation methodology in writing (board-approved policy)
- Ensure your banking partner acknowledges the segregated nature of the accounts in writing
Step 5: AML/KYC Framework (SEPBLAC)
Under MiCA, licensing supervision moved to CNMV — but AML/KYC supervision remains with SEPBLAC under Law 10/2010. Both must be satisfied simultaneously. SEPBLAC has been actively fining crypto firms for KYC deficiencies since 2024.
- Implement a risk-based KYC procedure covering all customer categories (retail, institutional, PEPs)
- Apply Travel Rule for all crypto transfers above €1,000 (mandatory from Jun 2025)
- Deploy real-time transaction monitoring with SEPBLAC-reportable threshold alerts
- Maintain SAR (Suspicious Activity Report) filing process with 30-day response capability
- Conduct annual AML risk assessment and document findings
- Train all staff with client-facing or transaction-monitoring roles annually
- Register with SEPBLAC as a Subject Obligated Entity if not already done
Step 6: Whitepaper Requirements
If your platform issues tokens, runs an ICO, or is the first to admit a crypto-asset to trading, MiCA requires a whitepaper. This is separate from the CASP license application but enforced simultaneously.
- Classify each token you issue or admit: utility token, e-money token (EMT), or asset-referenced token (ART)
- Draft whitepaper per ESMA template (iXBRL format mandatory from Dec 23, 2025)
- Submit whitepaper to CNMV 20 working days before public offering or admission to trading
- Whitepaper must include: issuer details, technology description, rights and obligations, risk factors, fees
- Update whitepaper within 5 working days of any material change
Step 7: Ongoing Reporting Obligations
A CASP license is not a one-time event. It creates permanent reporting obligations to three Spanish authorities. Failure to file on time attracts automatic penalties.
AEAT Tax Reporting (Modelo 172/173/721)
- Modelo 172: Quarterly report of all crypto transactions (buy/sell/exchange/transfer) for Spanish tax residents. First filing covers Q1 2026, due April 30, 2026.
- Modelo 173: Annual summary of crypto transactions. First filing covers FY 2026, due March 31, 2027.
- Modelo 721: Annual report of foreign-held crypto-assets for clients with holdings above €50,000. Due March 31 annually.
- All filings require machine-readable XML format. Manual submission is not accepted for volumes above 10,000 records.
CNMV Prudential Reporting
- Submit annual audited financial statements within 4 months of year-end
- Report capital adequacy quarterly (ongoing)
- Notify CNMV of any material operational incidents within 24 hours
- Report major holdings changes (>10% shareholder threshold) within 5 working days
DAC8 (EU Cross-Border Reporting) — effective Sep 2027
- Implement reporting infrastructure to exchange customer transaction data with other EU tax authorities
- DAC8 covers: crypto-asset exchanges, transfers, ICO proceeds, crypto lending, staking income
- AEAT will publish technical specifications by Q4 2026 — monitor and implement
Step 8: Submit to CNMV
The formal CNMV application requires a specific set of documents. Incomplete applications are returned — the 3-month review clock does not start until the CNMV confirms completeness.
- Complete CNMV Application Form for CASP Authorization (published on cnmv.es)
- Business plan covering 3 years: services, revenue model, projected volumes, risk management
- Description of organizational structure and governance (with org chart)
- CVs and criminal record certificates for all directors and qualifying shareholders
- AML/KYC program documentation (SEPBLAC compliance manual)
- IT and cybersecurity assessment (penetration test report, incident response plan)
- Client asset safeguarding policy and bank confirmation of segregated accounts
- Evidence of minimum capital (audited balance sheet or bank statement)
- Fee: See the current CNMV fee schedule at cnmv.es
The formal CNMV review is 3 months. Preparation of a complete application typically takes 6–12 months. If you have not started, the July 1, 2026 deadline is functionally out of reach for a first-time applicant. Focus immediately on what you can control: capital adequacy, governance appointments, AML framework, and engaging a MiCA-specialized legal advisor.
Post-License: Ongoing Compliance
Receiving a CASP license is not the finish line. MiCA compliance is a continuous operation:
- ESMA/EBA regulatory monitoring — new guidelines, Q&A, and technical standards are published regularly. ESMA issued 47 regulatory updates in 2025 alone.
- National circular monitoring — CNMV and SEPBLAC publish national-level guidance that supplements EU-level rules.
- Automatic filing triggers — any new crypto-asset admitted, any new service added, any material system change requires CNMV notification.
- Annual compliance review — internal audit of all MiCA obligations against current operations.
Most firms underestimate post-license compliance costs. A dedicated compliance FTE costs €60,000–€90,000/year in Spain. Automated monitoring infrastructure (like SENTINEL) runs a fraction of that while covering more regulators and jurisdictions.
Frequently Asked Questions
What is the deadline to obtain a CASP license in Spain?
July 1, 2026. After that date, unauthorized operation is a criminal offense in all 27 EU member states. Fines reach €5 million per violation. Firms that had VASP registrations with the Banco de España before December 30, 2024 may operate under the transitional regime until they are granted or denied a CNMV CASP license.
What is the minimum capital requirement for a CASP license in Spain?
Capital requirements vary by service: €50,000 for advice and order reception/transmission; €125,000 for execution, exchange, and portfolio management; €150,000 for custody and trading platforms. These are permanent capital floors maintained continuously.
Which authority issues CASP licenses in Spain?
The CNMV (Comisión Nacional del Mercado de Valores) is the competent authority for CASP licensing under MiCA. AML/KYC supervision remains separately with SEPBLAC under Law 10/2010.
Can a company registered with Banco de España continue operating after July 2026?
No. The Banco de España VASP registry was abolished on December 30, 2024. Companies registered before that date operate under transitional rules only — they must obtain a CNMV CASP license before July 1, 2026, or cease operations.
How long does the CNMV CASP license application take?
The formal CNMV review period is 3 months from a complete application. In practice, preparation takes 6–12 months. Firms targeting the July 1, 2026 deadline should have submitted complete applications by Q1 2026 at the latest.
What tax reporting obligations come with a CASP license in Spain?
CASPs in Spain must file Modelo 172 (quarterly transaction reporting), Modelo 173 (annual transaction summary), and Modelo 721 (foreign crypto-asset holdings disclosure) with the AEAT. All require machine-readable XML format. DAC8 cross-border reporting applies from September 2027.
Does a CASP license from CNMV let me operate across the EU?
Yes. A CNMV CASP authorization is an EU passport under MiCA, valid in all 30 EEA countries. You notify the relevant national competent authority in each country you plan to operate — no additional full license applications required.