Abstract 3D document architecture representing a MiCA CASP Programme of Operations application, rendered in navy and electric blue geometric line-art
Back to blog

CASP Business Plan Under MiCA: What EU Regulators Actually Expect

Your MiCA authorisation lives or dies on one document: the Programme of Operations. Regulators across the EU are returning applications that get it wrong. Here is a section-by-section map of what Article 62 and Commission Delegated Regulation (EU) 2025/305 require — and the exact errors that send files back to square one.

Contents

What the Programme of Operations Is — and Why It Is Not a Generic Business Plan

The Programme of Operations is a legally prescribed document required under Article 62(2)(d) of Regulation (EU) 2023/1114 (MiCA). It is not a pitch deck, a funding narrative, or a repackaged investor memo. Its structure and content are now defined with precision by Commission Delegated Regulation (EU) 2025/305, which entered into force on 20 April 2025 and specifies — section by section — every item a National Competent Authority must receive as part of a complete CASP authorisation application. An application is not considered complete until each of those items is addressed. The 25-working-day completeness check under Article 63 MiCA exists precisely to flush out documents that do not meet this threshold before the substantive 40-working-day review even begins.

The distinction from a generic business plan is not semantic. A commercial business plan is written to persuade; the Programme of Operations is written to demonstrate. It must show that the applicant can perform a specific set of crypto-asset services — as defined in Article 3(1)(16) MiCA — safely, on day one of authorisation. That means documented operational workflows, client-onboarding procedures, custody arrangements, conflict-of-interest frameworks, and prudential projections all tied directly to the services applied for. Generalities about market opportunity or growth strategy carry no weight with NCAs and, in several jurisdictions, actively signal that the applicant has not engaged seriously with the regulatory requirements. See our complete CASP licence requirements guide for the full Article 62 checklist.

NCAs across EU member states are explicit about this. Template-copied documents are identified quickly — reviewers compare the described governance, IT infrastructure, and risk controls against the specific services applied for, and inconsistencies or boilerplate language trigger escalation to high-scrutiny review, extending timelines significantly. The Programme of Operations must be forward-looking but grounded: projections need to be credible relative to the applicant's current resources, and any gap between current state and planned operational capacity must be explained with concrete milestones. Regulators are not evaluating ambition — they are verifying that a real, specific business is ready to operate under a specific regulatory perimeter.

Step 1 — Map Your Services to Article 3(1)(16) Before Writing Anything Else

Article 3(1)(16) MiCA defines ten categories of crypto-asset services that trigger CASP authorisation requirements: custody and administration of crypto-assets on behalf of clients; operation of a trading platform; exchange of crypto-assets for funds; exchange of crypto-assets for other crypto-assets; execution of orders on behalf of clients; placing of crypto-assets; reception and transmission of orders on behalf of clients; provision of advice on crypto-assets; portfolio management of crypto-assets; and transfer services for crypto-assets. Before a single word of the Programme of Operations is drafted, every service the applicant intends to offer must be mapped precisely against this list. This is not a formality — the mapping directly determines your capital class under Annex IV, which service-specific annexes you must complete under Commission Delegated Regulation (EU) 2025/305, and which conduct obligations apply. A firm that intends to offer both custody and exchange of crypto-assets for funds, for example, falls into Annex IV Class 2 with a €125,000 minimum own-funds floor, while a firm that adds operation of a trading platform moves to Class 3 at €150,000. Getting the mapping wrong at the outset means the entire capital and compliance architecture of the business plan is built on a false foundation.

The most common drafting failure is listing service categories at a high level of abstraction without describing the operational mechanics of how each service will actually be delivered. NCAs reviewing applications under Article 62 MiCA and the requirements set out in 2025/305 expect to see, for each service: the technical flow of the transaction, the client-facing process, how client assets or orders are handled at each step, and which systems or third parties are involved. A business plan that states "the applicant will offer custody services" without explaining wallet architecture, key management, segregation of client assets, and the reconciliation process will be treated as incomplete. Under Article 63 MiCA, the NCA has 25 working days to confirm completeness — and that clock resets each time supplementary information is requested. Vague service descriptions are one of the most reliable ways to trigger that reset and add months to the authorisation timeline.

A disciplined approach is to create an internal service-mapping table before drafting begins: each Article 3(1)(16) category the firm intends to provide, the specific client interactions it encompasses, the Annex IV capital class it activates, and the corresponding 2025/305 annex requirements. This table then drives every downstream section of the Programme of Operations — financial projections, governance structure, risk framework, and IT systems. For firms planning to apply for CASP authorisation, the service-scope mapping is the single most leveraged document you can produce before engaging with any NCA, because every subsequent regulatory question will trace back to it.

Step 2 — Prudential Safeguards: Annex IV Capital Class, the Fixed Overheads Requirement, and the Insurance Alternative

Article 67(1) requires that a CASP's prudential safeguard equals the higher of two figures: the fixed minimum set by Annex IV, or one quarter of fixed overheads of the preceding year — the Fixed Overheads Requirement ("FOR"). Annex IV classes are cumulative; the highest class triggered by the firm's service mix governs. Class 1 (€50,000) covers reception and transmission of orders, execution of orders, placing of crypto-assets, investment advice, portfolio management, and transfer services for crypto-assets. Class 2 (€125,000) covers all Class 1 services plus custody and administration of crypto-assets on behalf of clients, exchange of crypto-assets for funds, and exchange of crypto-assets for other crypto-assets. Class 3 (€150,000) covers all of the above plus operation of a trading platform. A firm providing only execution and transfer services needs €50,000, not €125,000 — correctly identifying the applicable class in the Programme of Operations matters because over-capitalisation and mis-classification are both flags for reviewers. See our complete CASP licence requirements guide for the full service-category matrix.

For firms operating for less than one year, Article 67(2) requires the FOR to be calculated using projected fixed overheads — not a prior-year figure that does not yet exist. On the composition of those overheads, ESMA Q&A 2349 (Commission answer dated 18 February 2026, published 27 February 2026) is authoritative: the FOR must be calculated from all overhead expenses — both fixed and variable — using the applicable accounting framework. Only the four deductions listed in Article 67(3)(a)–(d) are permitted; the list is exhaustive. NCAs have no discretion to allow additional deductions, and firms cannot engineer the FOR downward by reclassifying variable costs. Your Programme of Operations must show the gross overhead base, each 67(3) deduction applied, the resulting FOR, and a clear statement of which figure — Annex IV floor or FOR — is the higher and therefore governs. Build this as a two-column comparison under every 12-month growth scenario in your financial projections; if the FOR overtakes the Annex IV floor mid-year in any scenario, that transition point must be explicitly addressed.

A critical and frequently omitted point: own funds are not the only permitted prudential safeguard. Article 67(4) expressly allows a CASP to meet the requirement through an insurance policy covering all Union territories where crypto-asset services are provided, or through a comparable guarantee — as an alternative to holding own funds composed of CET1 instruments under Arts 26–30 of Regulation (EU) 575/2013 after the deductions required by Art. 36 of that Regulation. Insurance characteristics and minimum coverage conditions are set out in Article 67(5) and 67(6). Presenting a business plan that discusses only the CET1 own-funds route, without acknowledging the insurance alternative, is a compliance error — it signals either incomplete legal analysis or a misunderstanding of the regulation's structure. If your firm intends to rely on own funds, state that explicitly and explain why; if the insurance route is under consideration, the Programme of Operations must map the policy terms against the 67(5)/(6) requirements. For more on capital planning in context, see our MiCA compliance deadlines 2026 guide.

Step 3 — Governance Section: Management Body, Fit-and-Proper, and Organisational Structure

Under Article 62(2)(g) MiCA and the application-content requirements set out in Commission Delegated Regulation (EU) 2025/305, every member of the management body must be documented individually. That means full identity details, criminal record certificates, disclosure of any pending civil, administrative, or professional liability proceedings, a quantified time commitment to the role, and a skills-and-experience matrix covering the specific crypto-asset services the firm intends to provide. NCAs do not accept generic CVs. If a proposed board member sits on four other boards and can commit two days per month to your firm, expect that appointment to be challenged directly.

Article 68 MiCA sets the substance requirements for the management body itself. At least one executive director must be resident in the EU and must hold genuine, day-to-day decision-making authority — not a nominal title with authority exercised from outside the jurisdiction. NCAs across multiple member states, including the MFSA in Malta and BaFin in Germany, have publicly rejected so-called "fly-in" director arrangements where the individual attends a monthly board call but has no operational presence. The organisational chart submitted with the Programme of Operations must make the reporting lines unambiguous: a segregated three-lines-of-defence model is expected, with named Heads of Compliance and Risk (not "TBC"), clear escalation paths, and a conflict-of-interest policy that maps directly to the obligations in Article 72 MiCA. Any dual-hatting of the compliance and risk functions — common in early-stage firms — requires explicit justification and NCA acceptance is not guaranteed.

ESMA and EBA have published joint guidelines on the suitability of members of the management body of financial institutions; NCAs are increasingly applying these as a de-facto assessment checklist for CASP applications, even where the guidelines were not originally drafted for crypto-asset service providers. Separately, Article 81 MiCA requires that staff who provide advice or information to clients possess adequate knowledge and competence — and the Programme of Operations must address this directly with a documented training and continuing professional development framework. A bare statement that "staff will be trained before go-live" is insufficient. The framework should specify role-by-role competency standards, the training programme, assessment methods, and how ongoing CPD will be tracked. For a detailed breakdown of Article 81 requirements, see our MiCA Article 81 staff knowledge and competence guide.

Step 4 — The Eight Substantive Sections Regulators Score in Your Programme of Operations

Article 62(2) MiCA and the implementing technical standards in Commission Delegated Regulation (EU) 2025/305 define the mandatory content of a Programme of Operations. NCAs do not treat this document as a narrative overview — they score it section by section for internal consistency, completeness, and regulatory plausibility. The eight substantive areas below are the ones that generate the most completeness queries and re-submissions.

  • Business model and strategy. Define target client categories (retail, professional, eligible counterparty), geographic scope, revenue model, and marketing approach. 2025/305 explicitly requires disclosure of digital-channel marketing, influencer arrangements, affiliate programmes, and gamification mechanics. Vague descriptions like "pan-European retail platform" without country-by-country rollout sequencing will draw a query.
  • Three-year financial projections. Submit a full P&L, balance sheet, and capital runway that models both the applicable Annex IV fixed minimum and the Fixed Overheads Requirement (FOR) under Article 67 MiCA — whichever is higher governs. Pre-revenue firms must use projected fixed overheads under Article 67(2); most NCAs require these projections to be auditor-signed or independently validated. Own funds must be composed of CET1 instruments as defined in Articles 26–30 of CRR (EU) 575/2013 after Article 36 deductions. Note that Article 67(4) permits an insurance policy or comparable guarantee covering EU territories where services are provided as an alternative to own funds — a route worth modelling explicitly if the firm's capital structure makes it relevant. See our full CASP capital requirements guide for worked examples.
  • Operational capacity. Document the technology stack, key vendor contracts, wallet architecture, and HSM or key-custody arrangements. Regulators want to see that operational infrastructure exists — or has a credible, contracted path to existence — before authorisation is granted.
  • Internal controls and risk management. Provide written policies covering operational, market, liquidity, and cyber risk. The risk appetite statement must be consistent with the geographic scope and client categories described in section one — a mismatch here is a primary trigger for completeness queries.
  • AML/CFT framework. Include a firm-level risk assessment, CDD and EDD procedures, a Travel Rule compliance workflow under Regulation (EU) 2023/1113, and SAR escalation procedures. NCAs increasingly cross-check the AML risk appetite against the stated client base and jurisdictions — inconsistencies stall applications.
  • Business continuity and ICT/DORA mapping. Article 62(2)(i) MiCA requires a business continuity plan. Map it explicitly to Commission Delegated Regulation (EU) 2025/299 and your broader DORA compliance framework. Recovery time and recovery point objectives must be defined, not aspirational.
  • Outsourcing. All material outsourcing contracts must comply with DORA Article 30, including audit rights, exit plans, and sub-outsourcing controls. Submitting draft contracts without audit-right clauses is a common and avoidable cause of rejection.
  • Client-facing policies. Submit complaints-handling procedures aligned to Regulation (EU) 2025/294, conflicts-of-interest disclosure, and best-execution policies where applicable. These are often prepared last and show it — thin drafting here signals organisational unreadiness to NCAs.

The single most common cause of completeness queries is not a missing section — it is contradictions between sections. A P&L projecting aggressive retail volume in five EU markets, an AML risk appetite rated "low," and a geographic scope narrative that omits three of those markets will generate multiple simultaneous queries. Build the Programme of Operations as one integrated document, not eight separate workstreams stitched together at submission.

Step 5 — Service-Specific Annexes: What Custody, Exchange, and Trading Platform Applicants Must Add

Commission Delegated Regulation (EU) 2025/305 — the RTS on authorisation application content under Article 62 MiCA — does not allow a single generic annex to cover all crypto-asset services. Where your programme of operations lists more than one service category, each service with a distinct regulatory profile requires its own discrete annex. Regulators treat missing or thinly drafted service-specific annexes as an incompleteness ground, not a deficiency to be cured by correspondence. That triggers a fresh 25-working-day completeness clock under Article 63, setting your timeline back to zero.

Custody and administration applicants must address Article 62(2)(m) requirements in full. That means: a wallet architecture description covering both hot and cold storage, key management procedures, and access controls; a client asset segregation policy that is legally enforceable in the applicant's home jurisdiction; daily reconciliation procedures with documented exception-handling; and a client asset return policy. On return policy, the position under ESMA Q&A 2320 is unambiguous — clients are entitled to receive back the same type of crypto-asset held on their behalf, not a cash equivalent. Any operational or insolvency scenario that would result in cash settlement instead of in-kind return must be disclosed and justified. Trading platform applicants face the most document-intensive annex requirements under Article 62(2)(n): platform operating rules, order-matching logic and priority rules, the full fee schedule, a market abuse surveillance framework aligned to Title VI MiCA, and pre- and post-trade transparency data disclosures required under Commission Delegated Regulation (EU) 2025/417. Exchange services applicants — those providing exchange of crypto-assets for funds or for other crypto-assets — must submit an execution policy covering price formation, order routing, and a best-execution equivalent standard, even though MiCA does not import MiFID II best execution verbatim.

The practical discipline here is to map every service listed in your programme of operations to its corresponding annex before submission. A firm that lists custody in its scope but submits only a trading platform annex will receive an incompleteness ruling on custody — regardless of how strong the rest of the application is. NCAs in several jurisdictions have made clear that scope-annex mismatches are among the most frequent causes of first-round rejection. If you are building your application document set, the complete CASP licence requirements guide provides a checklist cross-referenced to 2025/305 annex obligations by service type.

The NCA Review Process: Completeness Check, Decision Clock, and What Triggers a Restart

Under Article 63 MiCA, the NCA has 25 working days from receipt of an application to confirm whether it is complete. Once completeness is confirmed, a separate decision clock starts: the NCA must grant or refuse authorisation within 40 working days. If the NCA needs supplementary information during the completeness phase, it issues a request and that phase restarts from day one — firms that receive even a single supplement request can lose several weeks before the 40-working-day decision clock begins at all. The NCA may also extend the decision period by up to 20 working days where the complexity of the application justifies it. Understanding this sequencing matters: the completeness check and the substantive review are legally distinct phases, and conflating them is a common source of timeline miscalculation in project plans.

The most frequent triggers for a completeness failure are predictable and avoidable. Missing or arithmetically inconsistent prudential safeguard calculations under Article 67 are the single most common cause. Beyond that, NCAs routinely flag: unaddressed service-specific annexes (a firm applying for custody services that omits the custody-specific governance documentation, for example); management body files with gaps in criminal-record declarations or professional experience evidence; and AML/CFT frameworks that rely on generic bank-sector typologies without addressing crypto-specific risks — mixers, privacy coins, NFT wash-trading patterns, and cross-chain obfuscation techniques are all expected to appear in the risk assessment if those asset types are in scope. An AML framework that reads as if it were adapted from a payment-institution template will not survive completeness review at any serious NCA. See also the staff-competence requirements under Article 81 covered in our Article 81 staff knowledge and competence guide.

Commission Delegated Regulation (EU) 2025/305 and the accompanying ITS (EU) 2025/306 standardise the form and content of CASP authorisation applications across all member states. NCAs are not permitted to require information that goes beyond what (EU) 2025/305 prescribes — this is a meaningful protection against gold-plating, but it also means there is now a clear, enforceable checklist against which every application will be measured. In practice, the most active CASP authorisation hubs as of mid-2026 — Lithuania (Bank of Lithuania), Malta (MFSA), the Netherlands (AFM/DNB), Germany (BaFin), and France (AMF) — each run pre-application engagement meetings, and attending one before submitting is strongly advisable. These sessions surface NCA-specific documentation preferences and flag structural issues before the formal clock starts. For a full picture of licence requirements across jurisdictions, see our complete CASP licence requirements guide and the Malta MFSA-specific guide.

Six Programme of Operations Errors That Cause NCA Returns (and How to Fix Them)

Most NCA returns are not caused by missing documents — they are caused by documents that fail to demonstrate operational reality. The six errors below account for the overwhelming majority of Programme of Operations rejections seen across EU member states since MiCA authorisation opened. Each has a specific structural fix.

  • Generic template. NCAs see hundreds of applications and recognise boilerplate instantly. A business plan that describes custody or order execution in abstract terms — without naming the firm's actual technology stack, liquidity arrangements, or onboarding flow — signals that the applicant has not thought through operational readiness. Fix: replace every generic paragraph with firm-specific evidence: named custody infrastructure, identified liquidity counterparties, and a workflow diagram for each service actually offered.
  • Capital class mismatch. The cumulative rule in Annex IV of Regulation (EU) 2023/1114 means the highest applicable class governs. Class 2 (€125,000) covers custody and administration plus exchange of crypto-assets for funds or other crypto-assets. Class 3 (€150,000) applies to operation of a trading platform. A firm offering custody and exchange alongside a trading platform must meet the Class 3 threshold — not Class 2. Fix: build an explicit service-to-class mapping table in the prudential section, showing each planned service, its Annex IV class, and the resulting capital floor.
  • Fixed Overheads Requirement calculation error. Many applicants treat "fixed overheads" as a narrow accounting category and strip out variable costs before applying the 25% multiplier under Article 67. Per ESMA Q&A 2349 (Commission answer, 18 February 2026), the base for the Fixed Overheads Requirement is all overhead expenses — fixed and variable — before applying only the four permitted deductions listed in Article 67(3)(a)-(d). Fix: present the full overhead ledger mapped to the firm's accounting framework, showing the gross base, each deduction taken, and the resulting FOR figure alongside the applicable Annex IV minimum.
  • Omitting the insurance alternative. Presenting own funds as the sole prudential route is both factually incomplete and a drafting error. Article 67(4) explicitly permits firms to meet prudential safeguard requirements through an insurance policy covering the territories of the Union where crypto-asset services are provided, or a comparable guarantee. Fix: acknowledge both routes in the prudential section; if insurance is planned, attach the policy term-sheet and a written confirmation of coverage territory.
  • Non-resident management body. Article 68 requires that management body members genuinely reside in the EU and that decisions are made from within the Union. Time-zone-distant directors with no documented EU presence are a common return trigger, particularly flagged by MFSA and BaFin reviewers. Fix: provide signed time-commitment attestations, EU residency evidence, and board-meeting calendar entries showing where decisions are actually taken.
  • AML framework copied from a fiat-payments template. A generic AML policy that references wire-transfer typologies and misses crypto-specific risk vectors will fail. NCAs expect explicit treatment of DeFi protocol interactions, mixer and tumbler exposure, NFT wash-trading patterns, and peel-chain detection. Equally, the Travel Rule operational runbook — required under Regulation (EU) 2023/1113 — must explain precisely how the firm handles outbound transfers to self-hosted wallets, including the information-collection workflow and the risk-based decision to proceed or freeze. Fix: build a crypto-native AML section that maps each typology to a detective control and names the transaction-monitoring ruleset applied.

A return from an NCA is not automatically fatal, but it resets the clock and signals to the reviewer that the application was not exam-ready. Treating each of these six areas as a compliance deliverable — not a narrative exercise — is the practical difference between a first-pass approval and a second-round submission.

Frequently asked questions

What is the difference between the Programme of Operations and a commercial business plan?

A commercial business plan is a fundraising or strategy document. The Programme of Operations is a regulated legal document required under Article 62(2)(d) of MiCA and specified in Commission Delegated Regulation (EU) 2025/305. It must describe the firm's organisational structure, its strategy for providing each authorised crypto-asset service to targeted clients, and its operational capacity for three years following authorisation. NCAs assess it for regulatory readiness, not commercial viability.

How do I calculate the Fixed Overheads Requirement for a CASP that has been operating for less than one year?

Article 67(2) of MiCA applies: firms operating for less than one year use projected fixed overheads rather than prior-year figures. Those projections must be produced using the applicable accounting framework and should be auditor-signed or, where auditors are unavailable, validated by the NCA. Importantly, ESMA Q&A 2349 (Commission answer, 18 February 2026) confirms that the overhead base covers ALL expenses — both fixed and variable — before only the four deductions listed in Article 67(3)(a)–(d), which is an exhaustive list.

Can a CASP use an insurance policy instead of holding own funds to meet MiCA prudential requirements?

Yes. Article 67(4) of MiCA explicitly permits a CASP to hold either own funds (CET1 instruments after Article 36 CRR deductions) or an insurance policy covering all Union territories where services are provided — or a comparable guarantee — as its prudential safeguard. The insurance or guarantee route is a genuine alternative, not a fallback. CASPs planning to use it must include the policy term-sheet and coverage territory confirmation in the Programme of Operations.

Which Annex IV capital class applies if my CASP offers custody, exchange, and operates a trading platform?

Annex IV classes are cumulative — the highest applicable class governs. Operation of a trading platform falls under Class 3, which carries the €150,000 minimum. Because Class 3 is the highest class in scope, €150,000 is the fixed minimum floor. The actual requirement is then the higher of €150,000 and one quarter of fixed overheads under Article 67. All Class 1 and Class 2 services (including custody and exchange) are covered within the Class 3 authorisation.

What happens if my CASP application is declared incomplete by the NCA?

Under Article 63 of MiCA, the NCA has 25 working days to assess completeness. If the application is declared incomplete, the 25-working-day clock restarts once the supplementary information is submitted. The 40-working-day decision period does not begin until the file is confirmed as complete. Receiving one incompleteness ruling can add weeks to the authorisation timeline and, in competitive NCA queues, push the firm's file behind newly submitted complete applications.

Does Commission Delegated Regulation (EU) 2025/305 limit what NCAs can ask for in a CASP application?

Yes. Regulation (EU) 2025/305 sets out an exhaustive list of information NCAs may require in a CASP authorisation application under Article 62. NCAs cannot ask for information beyond what 2025/305 prescribes. This harmonisation is designed to create a level playing field across EU member states and prevent regulatory gold-plating at the national level, though supervisory expectations and processing timelines still vary in practice.

Link copied to clipboard