Authorisation to Conduct Crypto-Asset Business in Poland
An application for authorisation to conduct crypto-asset business under Article 59(1)(a) of Regulation (EU) 2023/1114 is among the most extensive regulatory submissions a financial-sector entity will ever file in Poland. The required documentation is set out in Article 62(2) MiCA, elaborated by a series of regulatory and implementing technical standards and joint EBA–ESMA guidelines.
Practical experience suggests that a substantial proportion of applications filed during the first wave of submissions across the European Union were returned for supplementation at the formal completeness stage. Time lost to such supplementation is, frequently, time the applicant does not have. At the same time, the criminal sanction for conducting business without authorisation after 1 July 2026 stands at PLN 20,000,000 or imprisonment up to 8 years, or both (Article 121 of the Polish Crypto-Asset Market Act), and it applies equally to activity conducted without an authorisation under Article 59 and to activity pursued under the simplified regime of Article 60 of Regulation 2023/1114.
The stakes are sufficiently high to warrant separate treatment of the application methodology. This article addresses documentation, capital, fit-and-proper, and the catalogue of administrative and criminal sanctions. The strategic context — in which scenario one finds oneself after 1 July 2026 — is the subject of a companion article:
MiCA CASP Licence in Poland: The End of the Transitional Period
Legal Basis for the CASP Authorisation: Four Layers
The application for authorisation to conduct crypto-asset business is submitted to the Polish Financial Supervision Authority (PFSA), which acts as the competent authority within the meaning of Article 3(1)(35) MiCA. The normative substrate of the procedure consists of four layers.
The first layer is Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets. The pivotal provisions are: Article 59 (authorisation requirement), Article 60 (simplified procedures for already-regulated entities), Article 62 (content of the application), Article 63 (procedure), Article 67 and Annex IV (capital), Article 68 (members of the management body and qualifying shareholders), and Article 84 (changes in qualifying holdings).
The second layer comprises the technical standards. In 2025, the European Commission adopted a package of RTS and ITS instruments specifying the content of the application, notification templates, and requirements for conflict-of-interest, AML, and ICT policies. The RTS on the content of the application (Article 62(5) MiCA RTS) prescribe the mandatory structure of the documentation; the ITS (Article 62(6) MiCA ITS) prescribe the forms.
The third layer is the joint EBA–ESMA Guidelines of 30 June 2024 (EBA/GL/2024/13) on the assessment of the suitability of members of the management body and qualifying shareholders of CASPs. The Guidelines operate on a “comply-or-explain” basis, and the PFSA applies them directly.
The fourth layer is the Polish Crypto-Asset Market Act (Parliamentary Print No. 2363, enacted on 15 May 2026 and adopted by the Senate without amendment on 22 May 2026). The Act regulates the matter that MiCA leaves to Member States: fees (Article 77 et seq.), ongoing supervision, criminal sanctions (Article 121 et seq.), and the transitional regime (Articles 161 and 162). The Act enters into force fourteen days after promulgation (Article 169), with the exception of Article 70 (safeguarding of client funds), which enters into force four months after promulgation — a delay of operational significance for CASPs commencing business shortly after the Act takes effect.
Simplified Procedure under Article 60 MiCA: Notification in Lieu of Full Authorisation
Credit institutions, investment firms within the meaning of MiFID II, electronic money institutions, UCITS management companies, and managers of alternative investment funds may acquire CASP status by way of notification rather than full authorisation. The mechanism is established by Article 60 MiCA and is materially faster: the PFSA has forty working days in which to assess the notification (Article 60(8) MiCA), as against the full procedure under Article 63. The scope of documentation is also narrower: the applicant does not submit the full Article 62 package, but rather a tailored set comprising, in particular, a programme of operations covering crypto-asset services, a description of ICT systems, custody procedures, conflict-of-interest policies, and evidence that the applicant’s existing regulatory regime covers MiCA requirements in respect of the remaining elements. For already-regulated entities, the notification track is generally both cheaper and faster than the Article 59 route; departures from it tend, in practice, to reflect unawareness rather than calculation.
Corporate Documentation of the CASP Application
The first layer of documentation comprises everything that describes the applicant as a legal person and its ownership structure. The minimum scope is as follows.
A current extract from the National Court Register, the articles of association or partnership agreement in their then-current form, and a chart of the ownership structure down to the level of the ultimate beneficial owner. The PFSA expects documentation of all qualifying holdings from the 10 percent threshold upwards, including evidence as to the source of capital at the level of each holding. In the case of structures involving family foundations, trusts, or holding companies in offshore jurisdictions, full documentation of the chain of control is required, including incorporation documents and articles of association of intermediate entities.
Typical pitfalls at this layer include the following.
Inconsistencies between data recorded in the National Court Register and the UBO structure disclosed in the application. These arise most often from delays in updating the register following share transfers or amendments to the articles. The PFSA reads such inconsistencies as evidence of weakness in corporate governance, not as minor clerical errors.
Absence of documentation for intermediate entities within international structures. A holding company in Luxembourg or Malta requires a full document package (current registry extract, articles, latest financial statements, particulars of board members), and a mere reference in the ownership chart will not suffice.
Discrepancies between the disclosed UBO and the Central Register of Beneficial Owners (CRBR) filing. Prior to submitting the application, the CRBR entry should be verified and, where necessary, updated. The CRBR has undergone substantive changes in the 2024–2026 period — affecting the scope of subject entities, the data required, and the sanctions for non-filing, which have been raised to PLN 1,000,000 — so documentation older than two years requires re-examination, not merely a mechanical check that an entry exists.
Institutional shareholders (funds, banks, investment firms) require separate documentation: regulatory authorisations, latest financial statements, statements confirming the absence of disqualifying circumstances. A frequent pitfall: the assumption that the regulated status of a shareholder dispenses with the documentary obligation. It does not.
Programme of Operations and Business Model
The programme of operations is the most significant narrative document of the application. The PFSA reads it first and forms, on its basis, an initial hypothesis as to the applicant’s profile. The document must comprise the following elements.
A list of the crypto-asset services that the applicant intends to provide, mapped against the catalogue in Article 3(1)(16) MiCA. That catalogue identifies nine categories: custody and administration of crypto-assets on behalf of clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds or for other crypto-assets, execution of orders, placement, reception and transmission of orders, advice, portfolio management, and the provision of transfer services. Each service generates its own capital, organisational, and compliance requirements; the selection must be a deliberate one.
A description of the business model: revenue sources, cost structure, three-year financial projection, sensitivity analysis. The PFSA assesses whether the model is viable and whether the applicant has the resources to maintain continuity of operations during the first twenty-four months. A projection premised on 200 percent annual revenue growth, unsupported by operational justification, is a warning signal.
Market strategy: target clients, distribution channels, geography (a single Member State or a Union passport), planned volumes, pricing policy. An element frequently underestimated: the description of competition and positioning. The PFSA wishes to see that the applicant understands the market it is entering.
A pitfall consists in the tendency to register all nine services “for stock,” in anticipation of future expansion. Each additional service expands the documentation to be assessed, raises capital requirements, and prolongs the proceedings. Strategically, it is generally preferable to register a narrow service profile at the outset and to extend it after authorisation has been granted, by way of a change-of-scope procedure under Article 63(13) MiCA.
Capital Requirements: Three Thresholds under Annex IV MiCA
Annex IV of MiCA prescribes three minimum capital thresholds, contingent on the profile of services provided.
| Threshold | Minimum amount | Service profile (simplified) |
|---|---|---|
| Threshold 1 | EUR 50,000 | Advice, portfolio management, reception and transmission of orders (no custody), execution of orders (no custody), placement, transfer services |
| Threshold 2 | EUR 125,000 | Custody and administration of crypto-assets, exchange of crypto-assets for funds or for other crypto-assets, execution of orders involving custody, placement without firm commitment, reception and transmission of orders involving custody |
| Threshold 3 | EUR 150,000 | Operation of a crypto-asset trading platform |
Annex IV MiCA stipulates that the capital requirement constitutes “the higher of” the thresholds applicable to the applicant. If an applicant provides both advisory services (Threshold 1) and custody (Threshold 2), the EUR 125,000 threshold applies — not their sum of EUR 175,000.
The capital requirement may be satisfied (Article 67(1) MiCA) by: own funds (Tier 1 capital within the meaning of CRR), an insurance policy meeting the requirements of Article 67(4) MiCA, a bank guarantee analogous to such a policy, or a combination of the foregoing. The insurance must cover professional civil liability at a level no lower than the minimum capital amount, with specific parameters set out in MiCA and the RTS.
The Annex IV capital requirement is a floor. The PFSA may require higher capital where the scale of activity, risk profile, or complexity of the business model so warrant. In practice, for a mid-sized crypto-asset exchange with monthly volumes in excess of EUR 10 million, the EUR 150,000 threshold is a façade — the operational capital actually required begins in the single-digit millions.
A second layer of the capital requirement concerns the maintenance of capital during the course of business (Article 67(2) MiCA): own funds must at all times cover a minimum of 25 percent of the fixed operating costs of the previous financial year. For firms with substantial fixed costs (personnel, ICT infrastructure, licensing), this parameter typically exceeds the nominal Annex IV threshold.
Fit and Proper Assessment of Management and Qualifying Shareholders
The fit-and-proper assessment is the core of the CASP authorisation procedure. Under Article 63(10)(a)–(c) MiCA, the PFSA refuses authorisation where there are objective and demonstrable grounds for believing that the management body poses a threat to the effective, sound, and prudent management of the CASP, that members of the management body fail to satisfy the good-repute criteria of Article 68(1), or that qualifying shareholders fail to satisfy the suitability criteria of Article 68(2).
The joint EBA–ESMA Guidelines EBA/GL/2024/13 articulate five dimensions of the assessment of a member of the management body.
Reputation (good repute): the absence of criminal convictions, the absence of pending criminal or administrative proceedings bearing on professional integrity, and the absence of material regulatory breaches in the past. The Guidelines explicitly contemplate “administrative or criminal proceedings, including pending proceedings” as a factor in the assessment — a point of considerable significance for individuals associated with entities continuing to operate after 1 July 2026.
Knowledge and experience: documented experience in the financial sector, in crypto-assets, or in a management function; familiarity with MiCA, AML, and GDPR; completed industry courses or certifications (CISI, ACAMS, ICA). The absence of experience in the crypto-asset sector is not, in itself, disqualifying, provided that experience in a cognate regulated sector is present.
Independence of mind: the capacity for independent judgment, freedom from conflicts of interest arising from other functions, and independence from the dominant shareholder in respect of day-to-day decisions.
Sufficient time commitment: documented temporal availability. A board member simultaneously holding five other mandates in investment funds is unlikely to satisfy this requirement in respect of the CASP.
Collective suitability: the management body, taken as a whole, must encompass competence in the regulatory, financial, technological, operational, and AML domains. Two distinguished lawyers on a three-member board create a deficit in technological competence.
The most frequent structural pitfall observed in rejected applications is the simultaneous performance, by a single individual, of the roles of UBO, board member, MLRO, and sole operational decision-maker. Such a configuration violates independence of mind in the institutional-check dimension and collective suitability in the dimension of competence segregation. From the perspective of the three-lines-of-defence framework (operations, compliance and risk, internal audit), the concentration of functions in one person eliminates the second line and renders the third illusory. It is likewise a red flag in AML assessment, since the same person generates transactions, monitors them, and reports them to the General Inspector of Financial Information. The PFSA, in authorisation proceedings concerning investment firms and electronic money institutions, has consistently required the segregation of these functions, and there is no basis for anticipating a different practice in respect of CASPs.
A second pitfall concerns nominees. Persons formally listed as board members but not, in fact, taking decisions are identified by the PFSA through supplementary interviews and trigger refusal on the ground that the applicant as a whole fails the good-repute test.
For qualifying shareholders (the 10 percent threshold and above, in accordance with Article 84 MiCA), the assessment addresses financial reputation, source of capital, the absence of links to criminal groups, and income structure. A shareholder who fails to document the source of capital to the PFSA’s satisfaction blocks the application of the entire CASP.
AML, KYC, and Travel Rule Documentation
AML documentation is the most extensive section of the application after the programme of operations. The required substrate is as follows.
An AML policy compliant with Directive 2015/849 and its Polish transpositions (the Anti-Money Laundering and Counter-Terrorist Financing Act), comprising: institutional and customer risk assessment, KYC and CDD procedures incorporating the three levels of due diligence (simplified, standard, enhanced), procedures for the identification of clients’ UBOs, transaction monitoring and screening, procedures for the filing of SARs to the General Inspector of Financial Information, AML training documentation, an independent AML function, and an MLRO procedure.
Travel Rule procedures compliant with Regulation 2023/1113 of 31 May 2023 (the TFR), which extends the requirements for information accompanying transfers of funds to transfers of crypto-assets. The requirement applies to transfers to natural persons and to B2B transfers alike, with no threshold for transfers between CASPs. The technical documentation must describe the manner of transmitting originator and beneficiary data, integration with industry protocols (TRP, OpenVASP), and procedures for transfers to unhosted wallets.
Sanctions procedures compliant with EU regulations and CFSP decisions, with real-time integration of sanctions lists (UN, EU, and OFAC for operations involving US clients).
A professional-secrecy policy (Article 17 of the Crypto-Asset Market Act), specifying the categories of protected information, the circle of obligated persons, and internal sanctions.
Supplementary policies: client complaint handling (Article 71 MiCA), conflict-of-interest management (Article 72 MiCA), outsourcing policy (Article 73 MiCA, subject to the limitations arising from the ESMA statement of 17 April 2026 on custody — the statement restricts the outsourcing of crypto-asset custody functions to entities outside the European Union and to entities without their own CASP authorisation, a constraint that directly bears on business models predicated on global custody infrastructure), and marketing communications policy (Article 74 MiCA).
ICT Documentation and the DORA Framework
Regulation DORA (EU 2022/2554) applies to CASPs in respect of digital operational resilience. The ICT documentation in the application comprises the following.
A description of the technological architecture: front-office, back-office, custody, monitoring, and BCP/DR systems. A data-flow diagram identifying personal data and client data subject to professional secrecy.
A cybersecurity policy compliant with DORA: ICT risk management (Articles 5–15 DORA), incident response and reporting (Articles 17–23), resilience testing (Articles 24–27), and third-party ICT risk management (Articles 28–44).
Custody procedures for entities providing crypto-asset custody: custody model (cold storage / hot wallet split, with ratios), multi-signature procedures, key-generation ceremony, disaster-recovery procedures for private keys, and cyber insurance covering key loss. This is the area in which the PFSA most frequently demands supplementation; generic documentation copied from vendor templates is, to the trained reader, a signal of inadequate familiarity with the operations being described.
A business continuity plan (BCP) and disaster recovery: scenarios involving loss of data centre, ransomware attack, loss of access to private keys, and loss of key personnel. Recovery time (RTO) and recovery point (RPO) documented for each scenario, with tests conducted in the year preceding the application.
Proceedings before the PFSA: Stages and Time-Limits
The procedure derives from Article 63 of MiCA, which we discuss in detail in the article on the end of the MiCA transitional period. Here we note only the operational stages.
Stage 1 — acknowledgement of receipt of the application: 5 working days (Article 63(1)).
Stage 2 — assessment of formal completeness: 25 working days (Article 63(2)). Where deficiencies are identified, the PFSA sets a deadline for supplementation. Failure to meet that deadline permits the PFSA to decline to consider the application (Article 63(3)) — the application thereby fails on procedural grounds and must be resubmitted.
Stage 3 — substantive assessment: 40 working days from confirmation of completeness (Article 63(9)). At this stage the PFSA may issue one request for supplementation, suspending the proceedings for up to 20 working days (Article 63(12)). Subsequent requests do not toll the time-limit.
Stage 4 — notification of the decision: 5 working days from its issuance (Article 63(9), second sentence).
The model scenario: 75 working days (approximately 3.7 months). The realistic scenario, with one substantive request: 95 working days (approximately 4.4 months). The base-case scenario, with supplementation at the completeness stage: approximately 110 working days (5.3 months).
Following a positive decision, the PFSA transmits the information to ESMA within 2 working days (Article 63(13)). ESMA enters the CASP in the public register by no later than the date on which services commence.
Fees: Application Fee and Ongoing Supervisory Charges
Fees are governed by Article 77 et seq. of the Crypto-Asset Market Act. The statutory basis for the application fee for CASP authorisation is Article 77(1)(1)(a), which expressly provides that the fee for granting authorisation under Article 59(1)(a) MiCA shall not exceed the PLN equivalent of EUR 4,500. The maximum rate is thus fixed at the statutory level; an implementing regulation issued by the Prime Minister under Article 81 of the Act may only set a rate equal to or lower than that figure, never higher. Conversion of EUR to PLN is effected at the National Bank of Poland’s mid-rate from the last working day of the year preceding the year in which the fee fell due (Article 80(1)(1)). The delegation to the implementing regulation (Article 81) contains a substantive guideline: the fees “may not materially increase the operating costs of the entities obliged to pay them.”
Ongoing supervisory charges (Article 78(1)) are levied annually on crypto-asset service providers as the product of the average total revenue from the preceding three financial years and a rate not exceeding 0.4 percent, subject to a floor of the PLN equivalent of EUR 500. An analogous construction applies to ART/EMT issuers under Article 79. The construction is broadly comparable to PFSA supervisory charges on investment firms. The charge must be incorporated in the application’s financial projection as a recurring operating cost.
Additional costs borne by the applicant include: legal and advisory fees (running into the hundreds of thousands of Polish zloty for a typical application, and more for complex international structures), the cost of an external audit of the ICT and AML documentation, the cost of guarantee or professional insurance, and translation costs for documents in languages other than Polish.
Administrative and Criminal Sanctions for Breach
The Crypto-Asset Market Act establishes an extensive catalogue of sanctions, divided into criminal sanctions (Chapter 8 of the Act) and administrative sanctions. The figures are higher than in earlier drafts — the PLN 5 million and 5-year figures circulating in commentary in the second half of 2025 reflected versions that were ultimately vetoed.
Article 121(1) — conduct of business without the requisite authorisation: a fine of up to PLN 20,000,000 or imprisonment of up to 8 years, or both. The sanction reaches activity conducted without authorisation under Article 59 of MiCA and activity pursued under the simplified procedure of Article 60 alike — meaning that even already-regulated entities that commence crypto-asset services without the proper notification expose themselves to the full measure of the sanction. Paragraph 2 extends the personal scope to natural persons acting in the name or interest of a legal person: a board member, proxy, or operational director bears personal liability.
Article 122 — breach of professional secrecy (Article 17 of the Act): a fine of up to PLN 1,000,000 or imprisonment of up to 3 years, or both.
Article 123 — unlawful use of designations indicating CASP status (firm name, trading name, advertising, marketing information): a fine of up to PLN 3,000,000 or imprisonment of up to 3 years, or both. This sanction is intended for entities that, after 1 July 2026, continue to employ designations suggesting that they hold an authorisation when, in reality, they do not.
Article 124 — failure to perform, or improper performance of, the duty to furnish information and explanations to the PFSA (Article 38(1)–(3) of the Act): a fine of up to PLN 500,000, restriction of liberty, or imprisonment of up to 2 years. The sanction is intended to safeguard the efficacy of supervision; its addressees include issuers, CASPs, members of their governing bodies, liquidators, receivers, and statutory auditors.
Article 125 — failure to execute a transaction freeze (Article 63 of the Act, in respect of freezes): a fine of up to PLN 3,000,000 or imprisonment of up to 3 years, or both.
Article 126 — obstruction or frustration of an inspection: a fine of up to PLN 1,000,000, restriction of liberty, or imprisonment of up to 2 years.
Criminal sanctions activate the standard set of measures securing criminal proceedings: asset preservation under Article 291 of the Code of Criminal Procedure, freezing of bank accounts, the possible prohibition on conducting business activity (Article 41 of the Criminal Code), and prohibitions on holding office or practising a profession. For board members, personal consequences include entry in the National Criminal Register, the risk of disqualification from corporate office (Article 18 § 2 of the Commercial Companies Code), and loss of good repute for the purpose of fit-and-proper assessments in subsequent authorisation procedures in other EU jurisdictions.
In parallel with the criminal sanctions, the Act provides for an extensive catalogue of administrative sanctions. The provision of central importance to CASPs is Article 105(1): for breach of Articles 65–82 of Regulation 2023/1114 and certain other obligations, the PFSA may impose on a crypto-asset service provider a pecuniary penalty of up to PLN 30,000,000 or the equivalent of 5 percent of total annual turnover (where that amount exceeds PLN 30,000,000), and, on the natural person responsible for the breach, a penalty of up to PLN 5,000,000. Article 105(3) further provides that where the amount of profit obtained or loss avoided can be ascertained, the penalty may be imposed up to twice that amount — a ceiling which, for entities of meaningful scale, is in practice more material than the PLN 30 million figure. Independently of the pecuniary penalty, the PFSA may prohibit the provision of services (Article 105(2)), order cessation of the breach (Article 105(5)(1)), and prohibit the responsible person from holding office in the bodies of a CASP for a period of between one month and one year, and, in the case of a repeated breach, between 10 and 15 years (Article 105(5)(2)). By way of comparison, for issuers of asset-referenced tokens and e-money tokens, Article 104(2) provides for a penalty of up to PLN 30,000,000 or the equivalent of 12.5 percent of annual turnover — a ceiling that does not apply to CASPs. The remainder of the framework comprises: Article 102 (up to PLN 25,000,000 for obstructing an inspection), Article 103 (up to PLN 7,000,000 on the entity and up to PLN 4,000,000 on the natural person responsible for failing to comply with a PFSA order), withdrawal of the authorisation (Article 64 MiCA), and public statement of breach (Article 113), which in practice frequently proves more damaging than the pecuniary penalty.
The Most Common Causes of Requests for Supplementation
Practice in authorisation proceedings in the financial sector (drawing on analogies from investment firms and electronic money institutions) yields recurring categories of deficiency.
Inconsistencies of figures between different documents: the programme of operations cites a different FTE count from the financial projection, declared capital differs from capital in the financial statements, and the UBO structure differs from that recorded in the CRBR. The PFSA reads the application systemically; an inconsistency is read as evidence of a deficit in internal control.
AML documentation drafted generically, without reference to the specifics of crypto-assets: the absence of procedures for unhosted wallets, the absence of specific transaction-monitoring thresholds calibrated for digital assets, the absence of Travel Rule procedures.
Custody documentation inconsistent with the declared model: a declaration of 95 percent cold storage absent procedures for the key ceremony, the absence of documented disaster-recovery testing, the absence of cyber insurance covering custody risk.
A business continuity plan absent of testing: a BCP requires at least an annual testing cycle with documented results. A plan drafted for the purposes of the application, without a testing history, is a typical reason for a supplementation request.
Inconsistency between the programme of operations and the capital requirement: registration of the trading-platform service with capital of EUR 50,000 (in lieu of the requisite EUR 150,000) is an error immediately apparent on the face of the application.
Deficiencies in the fit-and-proper documentation: the absence of CVs in the required format, the absence of certificates of no criminal record, the absence of conflict-of-interest declarations, and incomplete documentation of the source of capital of qualifying shareholders.
Strategic Context
For entities currently on the Polish register of activity in respect of virtual currencies, the CASP authorisation application is situated within the context of the MiCA transitional period, which expires on 1 July 2026. PFSA proceedings will extend beyond that date in every realistic scenario, with the consequence that the mere filing of the application does not obviate the need to design a wind-down protocol for the period between 1 July 2026 and the date of the PFSA’s decision. Exit strategies, passporting from another EU Member State, mergers with authorised entities, and the controlled cessation of activity are addressed in a separate analysis — to which we refer the reader: “CASP Licence in Poland: The End of the MiCA Transitional Period and the Hard Deadline of 1 July 2026.”
A material distinction warrants attention: the Act establishes two distinct transitional regimes. Article 161 addresses entities providing crypto-asset services that did not constitute activity in respect of virtual currencies under the prior law (that is, services that did not previously require VASP registration) and were already being provided on 29 December 2024. Such entities may continue to operate on the prior terms until 1 July 2026. Article 162 addresses entities registered on the register of activity in respect of virtual currencies as at the date on which the Act enters into force. The same 1 July 2026 deadline applies, but with a material qualification: Article 162(2) introduces additional grounds for removal from the register during the transitional period, including two failures to respond to inspection requests, the absence of a current address in the National Court Register, and two AML failures notified by the General Inspector of Financial Information. Removal from the VASP register before the deadline extinguishes the transitional regime — the entity loses the basis for continuing activity on the prior terms as of the date of removal, regardless of 1 July 2026. For registered operators, the assumption that current operational discipline is a matter of secondary concern relative to the preparation of the authorisation application is an error with potentially existential consequences.
Authorisation to Conduct Crypto-Asset Business: Frequently Asked Questions
When will the PFSA begin accepting CASP authorisation applications?
The PFSA becomes the competent authority within the meaning of Article 3(1)(35) MiCA upon entry into force of the Crypto-Asset Market Act. The Act enters into force fourteen days after promulgation (Article 169), which, assuming prompt presidential signature and publication in the Official Journal of Laws, places entry into force in the indicative window between 8 and 20 June 2026. Applications may be filed from the first day on which the Act is in force. In communications issued in 2024 and 2025, the PFSA encouraged the preparation of documentation in advance, so that applications might be submitted immediately upon the Act’s entry into force.
What is the cost of the CASP application fee to the PFSA?
The maximum rate of the fee is fixed by statute in Article 77(1)(1)(a) of the Crypto-Asset Market Act: not more than the PLN equivalent of EUR 4,500. An implementing regulation issued by the Prime Minister under Article 81 may set a rate equal to or lower than that amount, but it may not exceed it. Conversion of EUR to PLN is effected at the National Bank of Poland’s mid-rate from the last working day of the year preceding the year in which the fee fell due (Article 80(1)(1)). Independently of the application-fee rate, the aggregate costs of preparing the application (legal advice, ICT audit, AML documentation, insurance) substantially exceed the fee itself. A separate and recurring cost is the ongoing supervisory charge under Article 78, of up to 0.4 percent of average annual revenue over three years, subject to a floor of EUR 500 per annum.
Can my investment firm obtain CASP status through a simplified procedure?
Yes. Article 60 MiCA provides for a notification track for already-regulated entities: credit institutions, investment firms within the meaning of MiFID II, electronic money institutions, UCITS management companies, and managers of alternative investment funds. The PFSA has 40 working days in which to assess the notification, and the scope of required documentation is narrower than under full authorisation under Article 59. The notification track encompasses, in particular, a programme of operations covering crypto-asset services, a description of ICT and custody systems, conflict-of-interest policies, and evidence that the existing regulatory regime covers MiCA requirements in respect of the remaining elements. For entities eligible under Article 60, the full-authorisation route is generally both slower and more expensive.
What corporate documents are required for the CASP application?
Corporate documents comprise: a current extract from the National Court Register, the articles of association or partnership agreement in their then-current form, a chart of the ownership structure with documentation of all qualifying holdings from 10 percent upwards, beneficial-ownership documentation aligned with the CRBR, for institutional shareholders their constitutive documents and financial statements, and for group entities in offshore jurisdictions full documentation of the chain of control. The PFSA requires that the structure be transparent and fully documented down to the level of the natural person.
What are the fit-and-proper requirements for CASP board members?
The requirements are set out in Article 68(1) MiCA and in EBA–ESMA Guidelines EBA/GL/2024/13. The assessment encompasses five dimensions: reputation (good repute, the absence of criminal convictions and of pending criminal proceedings bearing on professional integrity), knowledge and experience in the financial or regulated sector, independence of mind, sufficient time commitment, and the collective suitability of the management body as a whole. The Guidelines expressly take into account pending administrative and criminal proceedings, a point of significance for persons associated with entities continuing to operate without authorisation after 1 July 2026.
May a CASP authorisation application be filed on a pre-application basis?
MiCA does not provide for a formal pre-application track analogous to the procedures employed by certain national competent authorities in Germany or the Netherlands. In communications issued in 2025, the PFSA indicated that it is amenable to informal consultative meetings prior to filing, although such meetings do not form part of the procedure under Article 63 MiCA and have no bearing on the running of time. A consultative meeting does not dispense with the obligation to file a complete application, nor does it generate any legitimate expectations as to the content of the subsequent decision.
What capital is required for a crypto-asset trading platform?
Operating a crypto-asset trading platform requires minimum capital of EUR 150,000 (Threshold 3 of Annex IV MiCA). That is the nominal floor. The second parameter (Article 67(2) MiCA) requires own funds to be maintained at no less than 25 percent of the fixed operating costs of the preceding year. For a trading platform with substantial ICT infrastructure and a compliance and AML team, this latter parameter typically exceeds the nominal floor. In practice, for an operator of genuine scale, real operational capital begins in the single-digit millions of euro.
What sanctions apply to board members personally?
Article 121(2) of the Crypto-Asset Market Act extends the criminal sanction (a fine of up to PLN 20 million, imprisonment of up to 8 years, or both) to natural persons acting in the name or interest of a legal person. The provision reaches board members, proxies, and persons in management positions responsible for the area in which the breach occurred. A conviction entails entry in the National Criminal Register, the risk of disqualification from corporate office (Article 18 § 2 of the Commercial Companies Code), and loss of good repute for fit-and-proper purposes in other authorisation procedures. The administrative sanction on a natural person responsible for breach of CASP obligations is up to PLN 5,000,000 (Article 105(1)(2)), with the possibility of a prohibition on holding office in CASP bodies of up to 15 years for a repeat breach (Article 105(5)(2)). Article 103(1)(2) further provides for a penalty of up to PLN 4,000,000 on a natural person responsible for failing to comply with a PFSA order. The personal sanction is a decisional factor that corporate delegation-of-responsibility structures rarely accommodate with appropriate weight.
May a CASP application be withdrawn after filing?
MiCA does not expressly regulate the withdrawal of an application by the applicant. Polish administrative procedure (Article 105 § 2 of the Code of Administrative Procedure) permits a party to withdraw its request during the proceedings, with the consequence that the proceedings are discontinued. In supervisory practice, the withdrawal of an application prior to its consideration is not associated with formal negative consequences in subsequent procedures, although every such instance will be known to the PFSA upon resubmission. The position is different where withdrawal follows a request for supplementation that has exposed serious deficiencies — a context that may be assessed in good-repute terms.
Does a PFSA refusal preclude resubmission?
Not formally. MiCA does not provide for any cooling-off period following a refusal. In practice, resubmission is meaningful only after every basis of the prior refusal has been removed. A refusal grounded in board members’ fit-and-proper failings requires a change in the composition of the body; a refusal grounded in capital requires recapitalisation; a refusal grounded in AML deficiencies requires a reconstruction of the compliance function. The PFSA will treat the history of the refusal as an element in assessing the applicant’s good faith upon resubmission. Strategically, it is far more efficient to refine the first application to an approvable state than to adopt a “file fast, fix later” approach.
Does the PFSA conduct consultations prior to filing?
In communications issued in 2025, the PFSA indicated that it is open to informal consultative meetings for entities preparing CASP applications. The meetings are informational in character, do not form part of the procedure, and do not bind the PFSA at the stage of considering the application. An analogous practice operates in relation to investment firms and electronic money institutions. A consultative meeting is a rational instrument for applicants with an atypical profile (cross-border structure, combination of regulated and unregulated services, custody under an unusual model), allowing the identification of areas requiring particular elaboration in the documentation prior to formal filing.
Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.
There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.
One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).
Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.
He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.
