Crypto-asset service providers (CASPs)

Business scope

Under Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation, MiCAR), the following activities are considered crypto-asset services:

providing custody and administration of crypto-assets on behalf of clients;
operating a trading platform for crypto-assets;
exchanging crypto-assets for funds for fiat currency;
exchanging crypto-assets for other crypto-assets;
executing orders for crypto-assets on behalf of clients;
placing crypto-assets;
receiving and transmitting orders for crypto-assets on behalf of clients;
providing advice on crypto-assets;
managing crypto-asset portfolios;
transferring crypto-assets on behalf of clients.

Crypto-asset service providers (CASPs) fall into two main categories:

specialized CASPs: operators that are specifically authorized under MiCAR to provide one or more of the above services;
other licensed financial intermediaries: existing supervised entities - such as credit institutions, investment firms (SIMs), payment institutions (PIs), e-money institutions (EMIs), asset management companies (SGRs), central securities depositories, and regulated market operators - that intend to expand their operations to include crypto-asset services.

The provision of crypto-asset services is governed not only by the MiCA Regulation but also by a set of regulatory technical standards (RTS) and implementing technical standards (ITS). These are adopted by the European Commission based on a proposal from the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). Where permitted by directly applicable EU rules, Banca d'Italia and CONSOB issue implementing provisions in accordance with their respective competences (see the Legal framework section below). ESMA also publishes Q&As on its website to provide clarifications on current provisions for crypto-asset service providers.

As the rules on the provision of crypto-asset services introduced by MiCAR are harmonized, once a provider is licensed in one Member State, it may provide crypto-asset services in other Member States, subject to notification to the competent authority of the home Member State (see FAQs on cross-border operations).

Licensing and notification process

CONSOB and Banca d'Italia are the competent authorities responsible for licensing crypto-asset service providers and receiving notifications from supervised intermediaries wishing to provide these services. For an overview of the distribution of responsibilities between Banca d'Italia and CONSOB, please refer to the note of 29 October 2024.

The current provisions (MiCA Regulation and Legislative Decree 129/2024) distinguish between services that may be provided after submitting a simple notification (notifiable services) and services that may be provided with prior authorization (non-notifiable services). The competences and licensing procedures vary depending on the type of intermediary (for a summary, please see this table):

Banca d'Italia receives notifications from credit institutions, electronic money institutions and asset management companies for the provision of notifiable services; in consultation with CONSOB, Banca d'Italia also authorizes electronic money institutions to provide non-notifiable services and payment institutions to provide crypto-asset services;
CONSOB receives notifications from investment firms (SIMs), central securities depositories and regulated market operators for the provision of notifiable services; in consultation with Banca d'Italia, CONSOB authorizes specialized CASPs and SIMs (other than Class 1 SIMs) to provide non-notifiable services.

The exchange of information between the authorities during the licensing procedure is governed by a CONSOB-Banca d'Italia Memorandum of Understanding (only in Italian).

There is no standard template for notifications, which must be drawn up in accordance with Article 60 of the MiCA Regulation and Implementing Regulation (EU) 304/2025. All applications must be completed using the appropriate form (see the Downloads section). Notifications and applications, along with any annexes, must be submitted to CONSOB or Banca d'Italia by certified email (PEC, see the Contacts section).

Before submitting a notification or an application, operators may contact CONSOB or Banca d'Italia (see the Contacts section) and request a meeting to present their project. These meetings, while not mandatory, are intended to help operators and do not affect the deadlines of the licensing process.

The licensing process

The total duration of the licensing process (see infographic below) is 40 working days, starting from the date the complete application is received.

Procedimento per l'autorizzazione dei prestatori di servizi per le cripto-attività

Banca d'Italia and CONSOB assess the completeness of the application within 25 working days from the date of receipt (unless the procedure is suspended). If the application is incomplete, the authority responsible for issuing the authorization will set a deadline for the applicant to provide the missing information. If the application is still incomplete after that deadline, it may be archived.

If the application is complete, the competent authorities will immediately inform the applicant and have 40 working days to make a decision. During this period (and no later than the 20^th working day) the authorities may request additional information to complete the assessment. In such cases, the assessment period is suspended from the date of the request until the information is received (this suspension may not exceed 20 working days). The final decision is notified to the applicant within the following 5 working days.

Notification process

Notifications must be submitted to the competent authority (Banca d'Italia or CONSOB) at least 40 working days before starting operations.

Procedura di notifica dei prestatori di servizi per le cripto-attività

The competent authority will assess, within 20 working days of receiving the notification, whether all required information has been provided. If a notification is incomplete, the notifying entity will be immediately informed and a deadline will be set for that entity to provide the missing information. This deadline must not exceed 20 working days from the date of the request for information. While the notification remains incomplete, the intermediary is not allowed to provide crypto-asset services.

The following procedural indications shall apply to the licensing process and to notifications:

Regulation (EU) 2023/1114;
Legislative Decree 129/2024 (only in Italian);
Memorandum of Understanding between CONSOB and Banca d'Italia (only in Italian).

For further details on the administrative procedure, please consult the FAQ section.

Requirements

Crypto-asset service providers are legal persons or other undertakings established in the European Union, including intermediaries already supervised, licensed under the MiCA Regulation.

Without prejudice to the specific sectoral rules applicable to supervised financial intermediaries wishing to provide crypto-asset services, the requirements for CASPs are listed in Articles 60 and 62 of MiCAR and include, inter alia:

the legal requirements for shareholders with direct or indirect qualifying holdings;
the legal requirements for directors;
the prudential requirements to be met through own funds and/or an insurance policy (or comparable guarantee);
the requirement to adopt governance and organizational structures that are appropriate for the business overall;
the requirements for the safekeeping and safeguarding of client funds;
specific requirements, depending on the crypto-asset services provided.

All notifications and applications must be accompanied by specific documents, as set out in the relevant legislation (see the Legal framework section) and in the application form (see FAQs).

The competent authorities shall reject a licensing application if:

there are objective and demonstrable grounds to believe that sound and prudent management and business continuity would be compromised, or that serious AML/CFT risks would arise;
the applicant fails to meet, or is likely to fail to meet, the regulatory requirements for qualified administrators or participants, and/or any of the requirements laid down in Title V of the MiCA Regulation;
close links between the applicant CASP and other natural or legal persons (or third-country provisions applicable to these persons) prevent the effective exercise of supervisory functions.

Contacts

If you wish to submit applications and notifications (via certified PEC email only) or request an informal discussion or clarification, please contact Banca d'Italia and CONSOB at the following email addresses:

for Banca d'Italia,
- Supervisory Institutional Relations Directorate, New Banks and Financial Intermediaries Division:
  email: Servizio.Riv.Costituzioni@bancaditalia.it
  PEC: riv@pec.bancaditalia.it
- for entities already supervised by Banca d'Italia, please contact the units normally responsible for supervision (SB1, SB2, SIF Directorates or the relevant branch), using the contact details provided in the Operational Guidelines of 13 September 2024;
for CONSOB, please use the contact details available on its website.

Please note: questions relating to matters already covered on Banca d'Italia's website will not be answered.

Post-licensing requirements

Licensed crypto-asset service providers are entered in ESMA's Register. CONSOB - designated as the single point of contact for cross-border administrative cooperation with ESMA - provides ESMA with the necessary information.

Once licensed, crypto-asset service providers must commence operations within 12 months and comply with the reporting requirements set out in the applicable provisions.

For audits falling under Banca d'Italia's remit, crypto-asset service providers are assigned to the relevant supervisory unit of Banca d'Italia and are subject to the supervisory powers established by Legislative Decree 129/2024.

Regulation (EU) 2023/1114 (MiCAR)
Regulation (EU) 2023/1113 (Transfer of Funds Regulation Recast)
Commission Delegated Regulation (EU) 2024/1507
(RTS on criteria and factors to be taken into account by ESMA, EBA and competent authorities in relation to their powers of intervention)
Commission Implementing Regulation (EU) 2024/2494
(ITS on standard forms, templates and procedures for cooperation and exchange of information between competent authorities and EBA and ESMA)
Commission Implementing Regulation (EU) 2024/2545
(ITS on standard forms, templates and procedures for cooperation and exchange of information between competent authorities)
Commission Implementing Regulation (EU) 2024/2861
(ITS on technical means for the appropriate public disclosure of inside information and for delaying the public disclosure of that information)
Commission Implementing Regulation (EU) 2024/2984
(ITS on forms, formats and templates for white papers on crypto-assets)
Commission Delegated Regulation (EU) 2025/292
(RTS on a template document for cooperation arrangements between competent authorities and supervisory authorities of third countries)
Commission Delegated Regulation (EU) 2025/294
(RTS on requirements, templates and procedures for the handling of complaints by crypto-asset service providers)
Commission Delegated Regulation (EU) 2025/299
(RTS on continuity and regularity in the performance of crypto-asset services)
Commission Delegated Regulation (EU) 2025/300
(RTS on information to be exchanged between competent authorities)
Commission Delegated Regulation (EU) 2025/303
(RTS on information to be included by certain financial entities in the notification of their intention to provide crypto-asset services)
Commission Implementing Regulation (EU) 2025/304
(ITS on standard forms, templates and procedures for the notification by certain financial entities of their intention to provide crypto-asset services)
Commission Delegated Regulation (EU) 2025/305
(RTS on information to be included in an application for authorization as a crypto-asset service provider)
Commission Implementing Regulation (EU) 2025/306
(ITS on standard forms, templates and procedures for the information to be included in the application for authorization as a crypto-asset service provider)
Commission Delegated Regulation (EU) 2025/414
(RTS on the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in a crypto-asset service provider)
Commission Delegated Regulation (EU) 2025/416
(RTS on the content and format of order book records for crypto-asset service providers operating a trading platform for crypto-assets)
Commission Delegated Regulation (EU) 2025/417
(RTS on how crypto-asset service providers operating a trading platform for crypto-assets are to present transparency data)
Commission Delegated Regulation (EU) 2025/421
(RTS on data required for the classification of white papers on crypto-assets and practical arrangements to ensure that such data is machine-readable)
Commission Delegated Regulation (EU) 2025/422
(RTS on the content, methodologies and presentation of information in relation to sustainability indicators with regard to adverse impacts on the climate and other environment-related adverse impacts)

Menu

Crypto-asset service providers (CASPs)

Business scope

Licensing and notification process

The licensing process

Notification process

Requirements

Contacts

Post-licensing requirements

Related sites

Links

Information on this website

Further legal information

Contact Us

Crypto-asset service providers (CASPs)

Business scope

Licensing and notification process

The licensing process

Notification process

Requirements

Contacts

Post-licensing requirements

Sezione di approfondimento

Downloads

Useful links

Legal framework - EU legislation

Legal framework - National regulations

FAQs