What is a CASP (Crypto-Asset Service Provider)?

A Crypto-Asset Service Provider (CASP) is any legal entity that provides one or more crypto-asset services on a professional basis, as defined under the EU's Markets in Crypto-Assets (MiCA) regulation. MiCA, which came into full effect in December 2024, established the CASP as the standard regulatory category for crypto businesses operating in the European Union, replacing the patchwork of national frameworks that existed before it.

Any business that operates a crypto exchange, provides custody, executes orders, places crypto-assets, or offers portfolio management or advice on crypto-assets in the EU is classified as a CASP and must obtain authorisation from a national competent authority (NCA) in an EU member state before operating.

What services make a business a CASP?

MiCA defines a specific list of crypto-asset services that trigger the CASP classification. A business qualifies as a CASP if it provides any of the following on a professional basis:

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets
• Exchange of crypto-assets for fiat currency or other crypto-assets
• Execution of orders for crypto-assets on behalf of clients
• Placing of crypto-assets (acting as a distributor in a token offering)
• Reception and transmission of orders for crypto-assets on behalf of clients
• Providing advice on crypto-assets
• Portfolio management of crypto-assets on behalf of clients
• Providing transfer services for crypto-assets on behalf of clients

A business only needs to provide one of these services to fall under the CASP regime.

What is the difference between a CASP and a VASP?

CASP and VASP (Virtual Asset Service Provider) refer to similar categories but come from different regulatory frameworks.

VASP is the term used by the Financial Action Task Force (FATF), the global standard-setter for anti-money laundering and counter-terrorist financing. FATF introduced the VASP category in 2019 as part of its guidance on applying AML/CFT rules to crypto businesses. Many countries adopted the VASP terminology in their national legislation, including the UK, which uses it in FCA registration requirements.

CASP is the term used specifically under MiCA, the EU's comprehensive crypto regulatory framework. MiCA goes further than the FATF VASP definition by adding a full licensing regime with conduct of business rules, capital requirements, and consumer protection obligations, not just AML registration.

In practice, a business operating in the EU that would previously have registered as a VASP will now need full CASP authorisation under MiCA. The two terms overlap significantly in scope but CASP carries heavier regulatory obligations.

What does CASP authorisation involve?

To become an authorised CASP, a business must apply to a national competent authority in an EU member state. The application requirements under MiCA include:

• A programme of operations describing the services to be provided
• A business plan and financial projections
• Evidence of sufficient own funds (minimum capital requirements vary by service type, ranging from €50,000 to €150,000)
• Governance arrangements and internal controls
• Fit and proper assessments for management and shareholders
• AML/CFT policies and procedures
• A custody and safeguarding policy for client assets
• A complaints handling procedure

Once authorised in one EU member state, a CASP can passport its services across all other EU member states without requiring separate authorisation in each country. This passporting right is one of MiCA's most significant practical benefits for crypto businesses expanding across Europe.

Who does the CASP regime apply to?

MiCA's CASP requirements apply to any legal entity established in the EU that provides crypto-asset services. It also applies to businesses established outside the EU that actively solicit EU clients, though the enforcement mechanism for non-EU firms is less clearly defined.

Businesses that were already registered as VASPs under previous national frameworks were given a transitional period to obtain full CASP authorisation. The length of the transitional period varies by member state, with some allowing up to 18 months from MiCA's full application date.

Certain entities are exempt from the CASP regime, including businesses that provide crypto-asset services exclusively to companies within the same corporate group, and persons who provide crypto-asset advice incidentally as part of a regulated professional activity.

Who are CASPs important for?

The CASP framework is relevant to a specific but growing set of businesses and functions.

• Crypto exchanges, custody providers, and wallet operators are the primary entities directly subject to CASP authorisation. If their services fall within MiCA's list, they need to be authorised or operating under a transitional arrangement.
• Fintech companies and neobanks adding crypto features to their products need to assess whether those features trigger CASP classification. Offering crypto buying, selling, or custody to customers within the EU almost certainly does.
• Compliance and legal teams at any business touching crypto-assets in Europe need to map their activities against MiCA's service list and determine whether authorisation is required, and in which member state to apply.
• Payment platforms and PSPs that facilitate transfers of crypto-assets on behalf of clients fall under the CASP transfer services category, meaning payment infrastructure providers operating in the crypto space may need authorisation even if they do not operate an exchange or custody service.

Due provides compliant cross-border payment infrastructure that connects fintechs to both stablecoin rails and traditional banking networks. For businesses navigating CASP authorisation while building payment products, Due's payment API handles the cross-border settlement layer across 80+ countries, so compliance and infrastructure overhead can be addressed separately rather than simultaneously.

‍