CASP authorisation in Spain — what CNMV expects under MiCA
CASP authorisation in Spain runs through CNMV — with Banco de España at the table for E-Money Tokens. The legal framework sits in the directly-applicable MiCA Regulation overlaid by Spanish implementing law that designates the competent authorities and the transition rules from the prior PSAN registration regime. This piece walks through who grants what, what the application file needs to contain, how the prior-registration migration works and what changes on day one of operations.
1. Legal basis
- Regulation (EU) 2023/1114 — MiCA, the EU-wide framework, directly applicable across all member states
- Spanish implementing law — designating CNMV as competent authority for Crypto-Asset Service Providers under Title V MiCA, and Banco de España for matters relating to E-Money Tokens (EMTs) and Asset-Referenced Tokens (ARTs) under Titles III and IV
- Prior PSAN registration regime at Banco de España — the registration scheme for crypto-asset service providers in force before MiCA, with transitional provisions for migration
2. Who grants what
| Activity | Competent authority in Spain |
|---|---|
| CASP authorisation under Article 59 MiCA | CNMV |
| ART issuer authorisation | Banco de España |
| EMT issuance | Banco de España (issuer must be CRR-bank or EMI) |
| Prior PSAN registration (legacy) | Banco de España |
| AML supervision | SEPBLAC, with CNMV / BdE inputs |
CNMV is the lead authority for the CASP services catalogue (custody, exchange, trading platform operation, advice, portfolio management of crypto-assets, transfer services). BdE is the lead for tokenised-money issuance. A firm operating an exchange that lists ARTs and EMTs interacts with both.
3. The MiCA services catalogue
Article 3(1)(16) MiCA lists the services a CASP can be authorised to provide:
- Custody and administration of crypto-assets on behalf of clients
- Operation of a trading platform for crypto-assets
- Exchange of crypto-assets for funds
- Exchange of crypto-assets for other crypto-assets
- Execution of orders for crypto-assets on behalf of clients
- Placing of crypto-assets
- Reception and transmission of orders
- Provision of advice on crypto-assets
- Portfolio management of crypto-assets
- Transfer services for crypto-assets on behalf of clients
The application specifies which services the CASP intends to provide. The scope drives capital, operational and conduct requirements.
4. Capital and prudential requirements
Article 67 MiCA sets minimum capital floors based on the service set:
- €50,000 — for the lightest category (e.g., reception and transmission of orders, advice, placing, transfer services)
- €125,000 — for exchange, execution, custody, portfolio management
- €150,000 — for the operation of a trading platform
Ongoing own funds must be the higher of the floor and a quarter of the previous year’s fixed overheads. The own-funds calculation is set out in the delegated acts adopted under Article 67(7).
5. What goes in the application file
Core sections of a CASP file at CNMV:
- Programme of operations — the services to be provided, the customer journey, the asset types in scope
- Business plan — three-year financial projections
- Governance map — board, senior management, key function holders, fitness-and-properness
- Internal-control framework — risk, compliance, internal audit
- ICT and operational-resilience framework — aligned with DORA from January 2025
- Custody and segregation — for CASPs offering custody, the segregation model, the use of cold-storage vs hot-wallet split, the key-management framework, sub-custody arrangements
- Market-abuse policy — Articles 88 onwards MiCA introduce specific market-abuse rules for crypto-assets; the policy and monitoring framework must be documented
- AML / CTF programme — including the Travel Rule implementation and self-hosted-wallet attestation flow
- Conduct framework — risk warnings, complaint handling, marketing-communications consistency rules
- White papers — where the CASP also issues tokens, the white paper meeting Annex I or II requirements (see our MiCA white paper piece)
- Shareholder structure — direct and indirect, with fitness-and-properness on qualifying shareholders
6. PSAN migration
Firms registered under the prior PSAN regime at Banco de España are not automatically authorised under MiCA. The transitional provisions in Article 143 MiCA give in-scope firms a defined window during which they may continue to operate while finalising the MiCA authorisation file. In Spain:
- PSAN-registered firms file a CASP application with CNMV
- The application benefits from existing onboarded data — KYC programmes, customer-master, transaction-monitoring frameworks already in place
- The MiCA file is more comprehensive than the PSAN registration was, particularly on governance, ICT/DORA, custody segregation and market-abuse policies
- The transition window has firm dates; missing them means operating without authorisation
7. Realistic timing
Article 63 MiCA sets a statutory review of 25 working days for completeness and a further 40 working days for the substantive decision once the file is deemed complete. End-to-end with pre-application engagement and feedback rounds, realistic timing is six-to-nine months for a first-time applicant. PSAN-migrating firms typically run shorter because much of the underlying programme already exists.
8. What switches on at grant
- Travel Rule compliance on every crypto-asset transfer
- DAC8 reporting from 2026 onwards
- AML and tipping-off obligations under Law 10/2010 with the designated SEPBLAC representative
- Market-abuse monitoring and reporting under Articles 88 onwards MiCA
- Conduct and complaint-handling under Article 66 MiCA
- ESMA / EBA-coordinated supervisory reporting through CNMV
- Passporting notifications where activity extends to other member states
9. FAQ
Do I file with CNMV or Banco de España?
CNMV for the CASP services authorisation. Banco de España for ART issuer authorisation and for EMT issuance (which sits inside an EMI or CRR-bank licence). A firm doing both interacts with both.
If I have a PSAN registration, am I CASP-authorised?
No. PSAN registration was a different regime. MiCA requires a fresh CASP authorisation. The transitional provisions in Article 143 allow continued operation during the file process, within defined windows.
What is the difference between a CASP and an EMI for stablecoin work?
An EMI may issue an Electronic Money Token (EMT) — a stablecoin referenced to one official currency — under MiCA Title IV, sitting inside the EMI licence. A CASP provides crypto-asset services to clients (custody, exchange, etc.) — that is the Title V regime. A firm doing both holds both authorisations.
Are there specific Spanish overlays on MiCA?
MiCA is a directly-applicable Regulation, so the substance is uniform across the EU. Spanish overlays cover procedural matters — the competent-authority designation, language, transitional rules from PSAN. The MiCA substantive rules apply identically.
Can the CNMV reject the application?
Yes, on the grounds set in Article 63(7) MiCA — fitness-and-properness failures, governance deficiencies, AML or operational concerns. Rejections are appealable through the Spanish administrative-litigation route.
Does the CASP authorisation passport into other EU member states?
Yes. Article 65 MiCA passport rules apply. The home authority (CNMV) notifies the host; the host has limited grounds to refuse. See our branch vs Freedom of Services piece for the operational model choice.
10. What to do, today
- Confirm whether your services catalogue triggers CASP authorisation, ART/EMT issuance, or both — and engage the right competent authority early.
- If you hold a PSAN registration, do not assume continuity — start the CASP file inside the transition window.
- Build the custody segregation, market-abuse policy and Travel Rule implementation as core elements of the file, not as add-ons.
- Run pre-application engagement with CNMV before the formal submission.
- Plan post-grant reporting alongside the application — Travel Rule, DAC8, market-abuse monitoring switch on day one.
Related: MiCA white paper drafting · MiCA Travel Rule · DAC8 — EU crypto reporting
