Obtaining a MiCA Licence in Malta

A MiCA licence in Malta now lives inside one EU system. Not Malta’s rules, not your lawyer’s guesswork — the Markets in Crypto-Assets Regulation sets the tone. MiCA changed the landscape without asking for applause. It covers firms inside the EU, firms outside the EU, and basically anyone who dares offer crypto services to EU residents. So if a global crypto project wants Europe, MiCA compliance isn’t a badge of honour; it’s the price of admission.

The licence itself goes through the Malta Financial Services Authority, or MFSA. You file your documents there, and they watch how Malta’s crypto crowd behaves, protect whoever needs protecting, and deal with the EU-level supervisors — the securities people and the banking people.

Here I spell out the actual process of obtaining a MiCA crypto licence in Malta: the requirements that matter, the steps that don’t announce themselves loudly, and the practical pieces you should pay attention to when you start fitting your business into the new European crypto regulation.

MiCA Licensing in Malta: General Information

If you’re chasing a CASP licence in Malta (Crypto-Asset Service Provider), you don’t just skim MiCA once and brag about it. You keep an eye on Brussels like on a market chart. New guidance from ESMA or EBA drops quietly, then suddenly becomes “must-follow” in real life. MiCA wraps a lot of stuff inside one box: utility tokens, ART, EMT and similar crypto toys. The Regulation tells CASP how to live day to day: what money buffer to keep, how to write risk rules, what exactly to show investors, how to treat clients, how to keep their crypto and data in one piece.

Getting a CASP licence is not “Malta does whatever it wants.” The EU wrote one basic script, and Malta sticks to it, with its own flavour of scrutiny. You go through three scans: legal, financial, operational. In human words, they want to see:

• a governance setup that actually works, with real people, real control points, not just a chart in PowerPoint;
• key people in the company — directors, owners, beneficials — with a clean business record and qualifications you can prove on paper;
• working systems for risk management, internal audit, compliance checks, client onboarding, spotting weird or suspicious activity, plus clear channels to report things to the supervisor;
• IT and information systems that don’t fall apart after one glitch, with proper data protection and a written “what we do when everything breaks” plan.

Once you hold the licence, you don’t go invisible. CASP in Malta sends reports on a schedule, and the regulator actually reads them. If you ignore MiCA rules or keep breaking them, the licence can be paused or simply killed off.

Why do people still like Malta? Not only because it plays nicely with MiCA. The tax setup matters too. For non-resident shareholders, the effective corporate tax can land around 5%, thanks to a refund mechanism built into local law. On top of that, the island is packed with people who understand finance, IT, compliance, so you don’t spend months hunting for basic expertise.

There’s one more perk that founders quietly chase — passporting. Get a MiCA licence in Malta once, and you can roll out services across EU and EEA states without begging each country for a new licence. That’s how a small Maltese CASP suddenly becomes a Europe-wide project instead of a single-island experiment.

Finally, a CASP licence in Malta is not a limited, one-use authorisation. The breadth is enormous, and it might include:

• execution of orders for clients;
• placement of crypto-assets;
• swapping crypto-assets into fiat and back again;
• swapping one crypto-asset for another;
• giving advice on anything tied to crypto-assets;
• transferring crypto-assets by client request;
• receiving and passing on client orders;
• managing investment portfolios that hold crypto-assets;
• safekeeping and administration of crypto-assets for clients;
• running trading platforms for crypto-assets.

CASP licence classes under MiCA in Malta

So, let's get real for a second: MiCA on Malta is like a level-based game. You choose a CASP class, which determines the amount of crypto work you can do and the level of oversight on your activities. The MFSA will ask more questions if you have a higher class and more freedom.

Class I CASP in Malta is basically the starter pack. You already work with client crypto, but not in a full custody or serious exchange role. Rough picture looks like this:

• Execution of orders. Client says “buy this token” or “sell that one”, you go do the deal. You’re the middleman, not the casino.
• Token placement. Projects can use your platform to push out their tokens for the first time. Think launch pad, but regulated.
• Transfer of crypto-assets. Moving coins from one blockchain address to another for the client. From wallet A to wallet B, no drama.
• Receiving and passing on orders. Like an old-school broker, but with wallets and hashes instead of paper forms. Client gives you the order, you forward it to someone who executes.
• Advisory services. Talking through crypto-assets with clients: what’s too risky, what maybe fits, which token is not total nonsense.
• Portfolio management. Client says: “Here’s my stack, here’s the strategy.”You then run that portfolio for them.

With this licence you can already be useful for clients, but you’re still not “the place that stores everyone’s coins” or “the exchange everyone trades on.”

Class II is for companies that want to go beyond basic services. Same MiCA, same Malta, just a bigger responsibility backpack. You get everything from Class I and add some heavier functions:

• Custody of client crypto-assets and keys. You look after client coins and their private keys. If that part is sloppy, nothing else really matters.
• Buy / sell crypto for fiat. Client wants to go from euro to crypto and back again? With Class II you can sit in the middle of that bridge.
• Crypto-to-crypto exchange. Swap token A for token B directly, on your side.

Once you step into Class II, “we have a policy on paper” stops working. You need real AML/CFT routines running day to day, not just in a PDF. Client funds separation and protection also get checked way more closely.

Once you pass MiCA's Class III threshold in Malta, you can no longer refer to yourself as "a service provider" but rather as "we run a crypto exchange." You keep all rights from Class I and Class II and add one big thing: operating a full trading platform.

Users can trade with each other on your system: order books, matching engine, charts, all that.

Because of that, the regulator throws the heaviest rulebook at Class III firms. You have to:

• keep trading fair and not turn the market into a playground for insiders;
• run tools that catch spoofing, wash trades and other “smart” manipulation tricks;
• give participants equal access, not just VIP treatment for friends;
• deal with conflicts of interest before they explode in public.

On top of it, two words never leave the conversation: client protection and tech resilience. The platform is expected to stay up, stay stable, and not crash the moment volume jumps.

Getting a MiCA licence in Malta: what the regulator actually wants

If a company wants a crypto licence in Malta, it has to play by a long list of rules. We’re talking internal structure, people who know what they’re doing, reports, audits, client protection, risk systems, and tech infrastructure that doesn’t collapse every time someone refreshes a page.

Fit-and-proper check: “Are you really the person who should run this thing?”

MFSA doesn’t hand licences to randoms. Anyone holding 10% or more of shares or voting rights — directly, indirectly, via a company, whatever — has to pass a strict “fit and proper” test. They look at honesty, competence, financial reliability. Not the story you tell them — the actual track record.

People in charge of running the organisation have to look like they belong there. Professional attitude, decent ethics, clean behaviour in business.

MFSA basically checks: Is this person honest? Are they competent? Can they pay their bills? Will they run a crypto business without setting it on fire?

Local presence and management team

A CASP licence on Malta isn’t something you run from the other side of the planet. You register a Maltese company (usually an Ltd), get a local registered office, and — this is important — within six months of receiving your MiCA licence, you must have at least 10 people working for you in Malta. Full-time or outsourced, but physically present.

As for management: you need minimum two qualified directors with real experience. One of them must be a Maltese resident. Not negotiable.

And the governance structure has a few more mandatory seats:

• Compliance Officer – makes sure the company follows its own policies and the law.
• MLRO – the anti-money-laundering person; deals with AML/CFT matters.
• Risk Manager – keeps an eye on the risks the business creates or faces.
• Internal Auditor – checks whether internal controls actually work and aren’t just a pretty flowchart.

There should be no middleman between the MLRO and the board of directors; instead, they should report straight to the board. That’s done so they stay independent and don’t get pressured into hiding anything.

Capital requirements

Getting a MiCA licence in Malta isn’t free, and it’s not cheap either. The minimum initial capital depends on which CASP class you’re applying for:

• Class 1 — from €50,000
• Class 2 — at least €125,000
• Class 3 — from €150,000

But these are just the entry numbers. There’s another rule: once licensed, a CASP must constantly maintain whichever is higher:

1. the minimum capital for its licence class;
2. 25% of its fixed operating costs from the previous financial year.

So if your business is expensive to run, your capital requirements probably jump up with it.

CASP reporting duties

Reporting is one of the things Malta takes seriously. A CASP doesn’t get a licence and then disappear into the sunset — you report, and you do it often.

Every year is split into four quarters, and for each quarter you send an interim CFASP report (Crypto-Asset Service Provider Financial Report). This helps MFSA track your financial health and what you’re doing with digital assets.

Then, after your financial year ends, you get six months to send a big package that includes:

• audited financial statements;
• the annual CFASP report with verification results;
• an IT infrastructure audit report;
• a statement from an external financial-control specialist.

It’s basically “show us everything, and then show us who double-checked what you showed us.”

How to get a MiCA licence in Malta

The process of getting a CASP MiCA licence in Malta is not a quick checkbox moment — it needs detailed paperwork and full transparency from the applicant. Just a reminder: everything here runs under the Maltese Financial Services Authority. The general steps to get a MiCA licence in Malta look like this:

• Company registration.
• Collecting and preparing the full application pack.
• Regulator reviews the submission and gives comments.
• Applicant fixes whatever the supervisor didn’t like.
• Final approval and licence issuance.

The first real step in the licensing process is filing the application together with a bulky package of documents: a strategic business plan, an organisational chart, descriptions of internal controls, the whole risk-management setup, plus the measures you use for information and cyber security. Every detail has to be accurate and complete, because any missing or sloppy piece can drag the whole review out far longer than you want.

Once MFSA receives the full pack, they have up to 25 working days to check whether the information is complete. If something is missing or unclear, they will send a request for additional data, with a fixed deadline to provide it. Only after everything is accepted as “okay, this is complete” does the full regulatory assessment begin.

During this second stage of MiCA licensing in Malta, the regulator digs into the applicant’s financial stability, the reliability and efficiency of internal controls, the competence of the management team, and the organisation’s actual ability to meet obligations toward clients while keeping their interests protected. They look not only at whether the business is legally and operationally stable, but also whether it follows the core principles of honesty, transparency, and fair treatment of consumers.

If the licence relates to a project issuing crypto-assets, then preparing and publishing a white paper becomes mandatory. This document needs to outline the token’s characteristics, its purpose, the conditions of the offering, and the investment risks. Depending on the type of crypto-asset, the white paper may require prior approval from the regulator or at least a formal notification that it is being published.

After all review stages are finished, the application goes for final consideration.

This is where the national regulator decides whether you’re getting the licence or getting a polite “nope.” Officially, this last stretch is supposed to take up to three months. In real life — judging by how similar cases played out before — the timeline often stretches twice as long and can hit eight months, especially if the project is complex, unusual, or needs extra sign-offs from different departments.

To get a MiCA licence in Malta, you have to prepare a pretty heavy stack of documents:

• Copies of the company’s Articles and Memorandum.
• Audited records of income and expenses for the last three years (for companies that are already running).
• Financial and economic predictions for the first three years, along with the plan for how to build wealth.
• Documents proving that prudential-protection mechanisms are actually implemented.
• A description of the internal and external audit setup.
• The management structure and allocation of key roles.
• Details on the internal-control framework.
• A policy for preventing and handling conflicts of interest.
• An operational-continuity plan.
• AML/CTF policies and procedures.
• Questionnaires and profiles of board members and senior management.
• Full information on every shareholder.
• An overview of the IT system and security measures in place.
• Explanation of how client assets are segregated.
• Rules for handling customer complaints and inquiries.

If you’re planning to apply for a MiCA licence in Malta, keep in mind that one of the key documents is the programme of activities. This is where the company lays out what exactly it plans to do. The document must describe every type of service — regulated or not — that the applicant intends to provide. It also covers marketing approaches, target markets, and the geographical scope of the business. A big chunk is the three-year strategic plan: scaling steps, new product lines, plans for entering foreign markets, and how the company expects to interact with different client groups.

The programme also has to outline the future client base clearly — demographics, behaviour patterns, risk profile. The financial section includes detailed forecasts for revenue, expenses, profitability, plus the investment needs and expected returns. And if the applicant wants to launch its own exchange or trading platform, the business model of those projects must be described in detail.

A key part of this policy is the set of tools for assessing and reacting to operational and market risks — including early detection of market abuse, price manipulation, or insider-information schemes in the crypto space. This requires more than tech alone. Automated monitoring systems help, but trained staff who can interpret alerts and act quickly is just as crucial.

In addition, any CASP applicant in Malta must clearly show how it plans to protect the security, confidentiality, and integrity of data — both clients’ personal information and critical business processes. This includes digital protections (encryption, access controls, backups) and physical ones (restricted access to data centres, role separation, and similar measures).

Special attention is given to conflict-of-interest mitigation, especially when the company plans to provide several types of services at once — for example, custody. The organisation needs to present a detailed rulebook explaining how potential conflicts will be identified, prevented, and, when unavoidable, disclosed.

The MiCA Regulation also demands strong mechanisms for safeguarding client assets.Client crypto can’t be touched to cover CASP liabilities or used for anything unrelated to the client’s direct instructions. To ensure this, the applicant must set up segregated accounts with an EU-licensed bank, providing full legal and operational separation of assets.

Beyond organisational safeguards, anyone applying for a crypto licence in Malta has to show that they have proper insurance in place — covering theft, asset loss due to outages, cyberattacks, or internal misconduct. The insurance level must match the scale of operations, the types of assets handled, and the risk profile of the business.

If a CASP company in Malta doesn’t start its licensed activity within 12 months after receiving the crypto licence, or if it simply stops providing crypto-related services for 9 months in a row, the regulator has the right to initiate a licence withdrawal. On top of that, there is a system of financial penalties — fines can range from 3% to 12.5% of the company’s annual turnover, and recurring penalty payments may also be imposed. The regulator can additionally restrict individuals from holding management positions if their conduct raises concerns or breaches established requirements.

Any questions?

Contact our specialists

Send your application

Taxation of legal entities in Malta

Companies with a crypto licence in Malta fall under the standard corporate tax rate of 35%.However, due to the specifics of Malta’s tax system — mainly the full tax credit mechanism — the actual tax burden becomes far lighter. After profit distribution, the ultimate beneficiaries can reclaim up to 6/7 of the tax paid, effectively dropping the tax rate to roughly 5%.

Conclusion

Malta’s lawmakers were among the first to recognise the potential of digital assets and build a legal infrastructure that supports innovation while protecting market participants. Because state institutions worked on this consistently, the country became an international hub for blockchain startups, crypto exchanges, and ICO projects.

Malta also plays a leading role in international cooperation, working closely with global regulators and financial institutions to shape thoughtful policies aimed at stability, transparency, and innovation. Thanks to this approach, the country established itself as a key contributor to Europe’s unified crypto standards, influencing legislative decisions and practical frameworks across the region.