MiCA CASP License in Cyprus

Why Choose Cyprus for Crypto Licensing?

Cyprus is one of the EU’s three Established Crypto Centres, combining MiCA passporting with an English-language regulator, the EU’s largest MiFID II investment-firm population, and a 15% headline corporate tax supported by a 2.5–3% effective rate on qualifying IP-Box income. CySEC granted eight CASP authorisations between January and December 2025, ranging from retail brokers to institutional custody operators, signalling a working pipeline for serious operators that can clear the substance and governance bar.

MiCA Passporting from a MiFID-Fluent Supervisor

A Cyprus CASP authorisation passports to all 27 EU Member States plus Iceland, Liechtenstein, and Norway via MiCA Article 65 notification, with services commencing in the host state 15 calendar days after the initial filing. Cyprus’s distinguishing feature is the existing CIF (Cyprus Investment Firm) population: 253 CIFs supervised by CySEC as of November 2025, with another 30 in the licensing pipeline.^[1] That base provides depth of supervisory experience that newer MiCA jurisdictions cannot match.

English Working Language and Common-Law Overlay

All CySEC filings, the Programme of Operations, governance documentation, and ongoing reporting are produced in English. Commercial contracts and shareholder agreements follow English common-law drafting conventions. For operators based in London, the US, the Gulf, or APAC, this removes the translation layer that adds friction in non-English EU jurisdictions and shortens partner onboarding cycles with banks, auditors, and counterparties.

Cyprus Tax Reform 2026: 15% Headline, 2.5–3% Effective via IP Box, 8% on Crypto Disposals

The Cyprus Tax Reform 2026 enacted by Parliament on 22 December 2025 raised the headline corporate income tax from 12.5% to 15% (Pillar Two alignment) while preserving the IP Box delivering approximately 2.5–3% effective tax on qualifying intellectual-property income via the 80% deduction on net qualifying profits. A new flat 8% rate applies to gains on disposal of crypto-assets by Cyprus tax residents, replacing the previous case-by-case treatment.^[2] Combined with the 17-year non-domiciled regime for founders (extendable for up to two consecutive five-year periods at €250,000 per period for a total of 27 years) and the Cyprus formation guide route into the entity, the all-in effective rate on distributed founder profits sits in the mid-teens: competitive against any EU peer, and below Malta’s headline 35% even after the imputation refund.

Track Record Under MiCA

CySEC authorised eight CASPs between 16 January 2025 and 22 December 2025, mixing retail-facing brokers, institutional custody operators, and large multi-asset platforms.^[3] The authorised population reflects the existing CIF base: several MiCA authorisations went to firms that already held CySEC MiFID permissions, using the established supervisory relationship to compress the file-to-grant cycle. New entrants without a MiFID history typically run on the longer 10–14 month timeline; CIF incumbents using the MiCA Article 60 notification route are faster.^[20]

Regulatory Framework

The Cyprus Securities and Exchange Commission is the sole national competent authority for CASP authorisation under MiCA Article 93,^[16] with the Central Bank of Cyprus handling e-money token issuers and payment-services overlap. MiCA applies directly without national transposition; the supporting Cyprus AML framework was realigned to MiCA and the EU Transfer of Funds Regulation by Law 96(I)/2025, published in the Official Gazette on 18 June 2025.^[4] CySEC maintains a dedicated MiCA information hub setting out filing expectations and supervisory guidance for applicants.^[15]

Regulatory History

Cyprus established a national CASP register in September 2021 under Directive R.A.D. 269/2021 issued pursuant to the Prevention and Suppression of Money Laundering Activities Law 188(I)/2007.^[5] The register closed to new entrants on 17 October 2024 ahead of MiCA’s general application date of 30 December 2024. The pre-MiCA register was an AML-perimeter registration only; it did not confer EU passporting rights and did not include prudential supervision. The MiCA regime is the first prudential-supervisory crypto framework in Cyprus.

Recent Regulatory Developments

• 23 December 2025. CySEC press release on MiCA filing deadline. CySEC confirmed the 27 February 2026 deadline for legacy CASPs to file under MiCA, with operational cut-off 1 July 2026 for non-filers.^[6]
• 22 December 2025. Cyprus Tax Reform 2026 enacted. Corporate income tax rises from 12.5% to 15%; new 8% flat rate on crypto-asset disposals; non-dom regime extended to 17 years with two consecutive five-year extensions at €250k each.^[2]
• 22 December 2025. Eighth CySEC MiCA CASP authorised. A multi-asset platform operator received the eighth CySEC MiCA CASP authorisation of 2025.^[3]
• 18 June 2025. Law 96(I)/2025 published. Cyprus AML alignment with MiCA and the EU Transfer of Funds Regulation.^[4]
• 26 February 2025. ESMA reverse-solicitation guidelines published. ESMA35-1872330276-2030, applicable from 27 April 2025.^[7]
• 17 January 2025. DORA application date. Cyprus CASPs in scope from this date.^[8]
• 30 December 2024. MiCA full application date. The CASP regime goes live and the transitional period opens.^[9]

Regulatory Overlap

Three further EU and Cyprus regimes intersect with the MiCA CASP authorisation and must be assessed in parallel:

• EU Transfer of Funds Regulation (Regulation (EU) 2023/1113). Applies to all crypto-asset transfers with no de minimis threshold. Practical consequence: Travel Rule data exchange is mandatory between CASPs from 30 December 2024.^[14]
• DORA (Regulation (EU) 2022/2554). Applies to all CASPs from 17 January 2025. Practical consequence: ICT risk management, third-party register, incident reporting, BCP testing, and TLPT for significant entities are baseline obligations.^[8]
• MiFID II / Cyprus Investment Firms regime (Law 87(I)/2017). Engaged where the CASP also provides MiFID-equivalent investment services. Practical consequence: existing CIFs may notify under MiCA Article 60 instead of full CASP authorisation; the 40 working day objection window is materially faster.
• PSD2 / e-money. Engaged where the CASP processes fiat payments or issues e-money tokens. Practical consequence: the Central Bank of Cyprus is the competent authority, and separate or dual authorisation may apply.^[10]

In practice, the dual-licensing question is the most under-budgeted item in Cyprus CASP applications: operators handling fiat top-ups via their own infrastructure often discover the PSD2 overlap only after the Programme of Operations review, adding 8–12 weeks to the timeline.

Regulatory Transition: National CASP Register to MiCA

The Old Regime

The national CASP register (see Regulatory History above) was an AML-perimeter registration only. As at its closure to new entrants on 17 October 2024, approximately 35 entities were on the register.^[5]

The New Regime

MiCA CASP authorisation under Regulation (EU) 2023/1114 has been in force from 30 December 2024. It delivers prudential supervision plus AML, EU passporting via Article 65, capital requirements per Annex IV, and a DORA-aligned ICT framework.

Grandfathering and Transitional Provisions

MiCA Article 143(3) permits Member States to grant a transitional period of up to 18 months for entities authorised under national regimes before 30 December 2024. Cyprus opted for the full 18 months, expiring 1 July 2026. During the transitional period, the legacy national-regime CASP may continue operating in Cyprus only, with no EU passporting.

Conversion Mechanism

There is no simplified conversion path. Filing by the 27 February deadline preserves the legacy authorisation while the MiCA application is under review;^[6] the file CySEC reviews is the full Article 62 package regardless of legacy status.

Key Deadlines

Practical Implications

Legacy CASPs that have not begun MiCA file preparation by Q4 2025 face a compressed runway. CIFs already holding MiFID authorisation should evaluate the MiCA Article 60 notification route in preference to a full CASP authorisation: Article 60 uses the existing prudential profile and runs on a 40 working-day objection window rather than the full 25+40 day MiCA Article 63 review cycle. All sections below this point present MiCA-regime data only; national-regime data belongs exclusively in this section.

License Types and Activities Covered

A Cyprus CASP authorisation covers any combination of the ten crypto-asset services defined in MiCA Article 3(1)(16). CySEC groups the services into three capital classes under MiCA Annex IV. Where multiple classes apply, the highest applicable class governs. The authorisation is indefinite, subject to ongoing supervisory fees and compliance.

Covered Activities

The ten MiCA Article 3(1)(16) services, grouped by capital class, are:

• Reception and transmission of orders (Class 1, €50,000). Passing client orders to other CASPs or trading venues. Applies to broker-style intermediation.
• Execution of orders on behalf of clients (Class 1, €50,000). Buying or selling crypto-assets in the client’s name.
• Placing of crypto-assets (Class 1, €50,000). Marketing on behalf of issuers, with or without firm commitment.
• Advice on crypto-assets (Class 1, €50,000). Personal recommendations on crypto investment.
• Portfolio management (Class 1, €50,000). Discretionary management of client crypto portfolios.
• Transfer services for crypto-assets (Class 1, €50,000). Moving crypto between addresses on client instruction.
• Custody and administration of crypto-assets on behalf of clients (Class 2, €125,000). Safekeeping, key management, segregated wallets.
• Exchange of crypto-assets for funds (Class 2, €125,000). Fiat-to-crypto and crypto-to-fiat conversion.
• Exchange of crypto-assets for other crypto-assets (Class 2, €125,000). Crypto-to-crypto conversion.
• Operation of a trading platform for crypto-assets (Class 3, €150,000). Running a multilateral system that brings together third-party buying and selling interests.

What Does NOT Require CASP Authorisation

• MiFID-licensed Cyprus Investment Firms providing equivalent services may notify under MiCA Article 60 without obtaining a separate CASP authorisation. The notification is reviewed by CySEC within 40 working days; if no objection is raised, the firm may commence the crypto services without further authorisation.
• Pure technology providers (wallet software developers, blockchain infrastructure providers) without custody, trading, or client-asset relationships fall outside the perimeter.
• Issuance and offering of crypto-assets is governed by MiCA Titles II–IV (white paper requirements) rather than CASP Title V; issuers are not CASPs by virtue of issuance alone.
• EMT and ART issuance is governed by separate MiCA titles and falls under the Central Bank of Cyprus rather than CySEC.

Tokenised Securities and RWA

A MiCA CASP authorisation does not cover tokenised securities or tokenised real-world assets that qualify as financial instruments. MiCA Article 2(4) carves crypto-assets that are MiFID financial instruments out of the regulation entirely, and a tokenised share, bond, or fund unit is regulated as a financial instrument under MiFID, not as a crypto-asset. In Cyprus the operative perimeter follows the same EU logic as every member state: a security token requires a Cyprus Investment Firm authorisation under MiFID from CySEC, assessed against ESMA’s Guidelines on the qualification of crypto-assets as financial instruments. For the structuring side of asset and fund tokenisation, see our fund licensing guide.

Cyprus also participates in the EU DLT Pilot Regime under Regulation (EU) 2022/858, which lets DLT market infrastructures trade and settle tokenised financial instruments on distributed-ledger systems. MiCA itself has applied in full since 30 December 2024, but it governs the crypto-asset perimeter, not the securities perimeter. A token-issuance or platform model that touches both worlds needs the CASP authorisation and the CIF authorisation scoped together, not one in place of the other.

DAO and DeFi Treatment

Cyprus has not published dedicated DAO or DeFi guidance distinct from the MiCA framework. MiCA Recital 22 excludes “fully decentralised” services from the regulatory perimeter, but ESMA’s emerging interpretation treats most operating DeFi protocols as in-scope where any identifiable person performs a CASP service. In practice, CySEC expects DAO-adjacent structures to identify the responsible legal person and route the authorisation through that entity. Operators seeking EEA market access without authorisation should review the dedicated reverse solicitation under MiCA guide, which sets out the narrow third-country exemption.

Requirements

A Cyprus CASP authorisation requires capital under MiCA Annex IV, a Cyprus-resident board majority, locally-resident MLRO and Compliance Officer, a real Cyprus office, and a complete MiCA Article 62 documentation set. The substance bar is high: practitioner guidance published in August 2025 records CySEC’s expectation that the majority of board members be Cyprus-resident and actively involved in decision-making.^[11]

Requirements Table

Fit-and-Proper Assessment

CySEC assesses each director, qualifying shareholder, and senior management function holder against six dimensions: integrity (no criminal record, civil findings, regulatory sanctions); financial soundness; relevant experience; conflicts of interest; time commitment; and absence of disqualifying circumstances. Prior CySEC approval is required before appointment to a key function role at an authorised CASP. The fit-and-proper questionnaire and supporting evidence (CVs, references, financial standing certificates, criminal-record checks) are submitted as part of the initial application.

Local Presence

Cyprus operates a substance-based model. MiCA Article 68 requires the place of effective management in the EU and at least one Union-resident director; Cyprus practice goes further, with CySEC expecting the majority of the board to be Cyprus-resident and actively engaged in decision-making.^[11] The MLRO and Compliance Officer must be Cyprus-resident; key control functions (risk, compliance, internal audit, IT/security) should be demonstrably performed from Cyprus. Outsourcing of certain operational and ICT functions is permitted under MiCA Article 73 subject to written contracts, contingency arrangements, and CySEC oversight. The common mistake is presenting a single Cyprus-resident director with the rest of the board flying in for quarterly meetings: CySEC treats this as a substance failure rather than an alternative compliance route.

AML/CFT and Travel Rule

The applicable AML framework is the Prevention and Suppression of Money Laundering Activities Law 188(I)/2007 (as amended through Law 96(I)/2025) and CySEC’s AML/CFT Directive. The EU Transfer of Funds Regulation (Regulation (EU) 2023/1113), the crypto-asset Travel Rule, applies to CASPs from 30 December 2024 with no de minimis threshold for crypto transfers.^[14] CASPs must implement risk-based KYC/CDD, PEP and sanctions screening (EU consolidated list, UN list, OFAC where applicable), transaction monitoring tuned to crypto typologies (mixers, peel chains, privacy coins), an independent AML compliance officer and MLRO function, and an annual independent AML audit. Suspicious-transaction reports go to MOKAS, the Unit for Combating Money Laundering housed within the Cyprus Law Office of the Republic.

Application Process

MiCA Article 63 fixes the CySEC review clock: 5 working days for acknowledgement, 25 working days for the completeness check, and 40 working days for substantive assessment from receipt of a complete file, with up to 20 additional working days where supplementary information is requested. End-to-end runs 8–14 months for Class 2/Class 3 files.

Application language: English (mandatory).

Pre-application engagement: optional but recommended for non-standard business models. CySEC operates an informal pre-submission engagement channel through its Innovation Hub for complex tokenomics or atypical service combinations.

Jagelski & Partners’ specialist compliance partners draft Cyprus-specific MiCA documentation as part of the CASP licensing engagement: the Programme of Operations, AML/CFT policy manual, DORA framework, and conflicts-of-interest and outsourcing policies. The compliance documentation is the most time-intensive component of any Cyprus CASP application: 8–12 weeks of specialist work that cannot be shortcut with generic templates. Book a Licensing Assessment →

Required Documents

CySEC requires the full MiCA Article 62 documentation set, supplemented by Cyprus-specific AML and DORA expectations.^[11] The documentation falls into five categories: corporate, personal (directors / officers / UBOs), compliance, business and financial, and technology and operational. The compliance documentation is the most heavily scrutinised category.

Corporate Documents

Certificate of incorporation, memorandum and articles of association, register of directors and members, certificate of registered office, corporate structure chart showing ownership down to ultimate beneficial owners, board resolutions appointing senior officers, and evidence of share capital subscription.

Personal Documents (All Directors, Qualifying Shareholders ≥10%, Senior Management)

Curriculum vitae and reference letters (3 minimum, professional); passport copy and proof of address (utility bill within 3 months); criminal record certificate from each country of residence over the past 10 years; financial standing certificate or bank reference; tax clearance certificate; fit-and-proper questionnaire (CySEC form); and detailed disclosure of all directorships and shareholdings held over the preceding 10 years.

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Cyprus CASP application. Jagelski & Partners’ specialist compliance partners draft each of these documents as part of the licensing engagement: bespoke and Cyprus-specific, not templates adapted from other jurisdictions. Each document must reflect the applicant’s specific business model, risk profile, and operational structure.

Business Plan and Financial Projections

Three-year revenue projections by service line; cost base including capital, supervisory fees, technology, personnel, and compliance; capital adequacy and 25%-of-overheads buffer calculation; sensitivity analysis under stress scenarios; and commercial assumptions including target geography, average client value, and acquisition cost.

Technology and Operational Documentation

IT infrastructure architecture including hosting (cloud / on-premise / hybrid); custody architecture with hot / warm / cold wallet segmentation; key management procedures including multi-signature thresholds, key ceremony documentation, and backup procedures; cybersecurity policy; data protection and GDPR compliance; and an operational manual covering trade execution, settlement, custody onboarding, and complaints handling.

Costs and Pricing

CySEC charges a flat €8,000 per service non-refundable application fee, with the first year of supervisory fees waived for successful applicants.^[11] Total Year 1 cost-to-launch including capital, advisory, ICT/DORA tooling, substance build-out, and run-rate typically sits between €350,000 and €700,000 for Class 2 and Class 3 files.

Government / CySEC Fees

Total Cost Summary

Authorisation is indefinite; the supervision fee structure replaces the renewal-fee model used in pre-MiCA national regimes. The variable supervisory component scales with crypto-asset turnover up to the €500,000 annual cap.

Timeline

The shortest realistic Cyprus CASP timeline runs 8 months for a clean file with prior CySEC engagement and substance in place at filing. The longest, for a complex multi-service or trading-platform applicant building team and ICT framework in parallel, extends to 14 months. The MiCA Article 63 statutory clock governs the regulatory review once the file is confirmed complete.

Clean files with prior CySEC engagement, an experienced local team, and substance in place at filing close in 8–10 months. Files with complex tokenomics, atypical custody arrangements, multi-jurisdictional shareholder structures, or substance build-out promised post-authorisation regularly extend to 12–14 months. Experienced applicants file the MiCA Article 65 passporting notifications alongside, or shortly after, authorisation rather than waiting: the 15 calendar day commencement window means an EEA-wide live date 4–6 weeks after the CySEC grant, not 4–6 months later.

Taxation

Cyprus is a low-headline-tax EU jurisdiction with a competitive IP regime, but the Cyprus Tax Reform 2026 raised the corporate income tax rate from 12.5% to 15% from 1 January 2026 and introduced a flat 8% rate on crypto-asset disposals.^[2] The reform aligns Cyprus with OECD Pillar Two while preserving the structural tax features that anchor the jurisdiction’s value proposition.

Cyprus Tax Reform 2026

Enacted by Parliament on 22 December 2025 (Official Gazette No. 5070), in force from 1 January 2026. Key changes: headline corporate tax 12.5% to 15%; new 8% flat rate on disposal of crypto-assets by Cyprus tax residents; Special Defence Contribution on dividends 17% to 5% (resident/domiciled individuals only); 50% income-tax exemption threshold for new tax residents lowered from €100,000 to €55,000; non-dom regime lengthened to 17 years with two consecutive five-year extensions at €250,000 each (total reach 27 years).^[17][18]

DAC8 / CARF Reporting

Cyprus has committed to implementing DAC8 (Council Directive (EU) 2023/2226 amending DAC) requiring CASPs to report crypto-asset transactions to the Cyprus tax authority. First reporting period: 2026 reportable transactions, first exchange of information between EU tax administrations from 2027.^[12] CARF (the OECD Crypto-Asset Reporting Framework) is being implemented in parallel via DAC8 for EU coverage; non-EU jurisdictions are addressed through CARF bilaterally.

Pillar Two (Global Minimum Tax)

Cyprus enacted Pillar Two domestic implementing legislation as part of the 2026 reform. The 15% global minimum effective tax rate applies to multinational groups with consolidated revenue exceeding €750 million. Standalone CASP entities below this threshold are not in scope of Pillar Two top-up tax but must still file the standard Cyprus corporate income tax return at 15%.

Ongoing Compliance & Post-Registration

A Cyprus CASP authorisation creates a permanent compliance infrastructure obligation across capital adequacy, AML, prudential reporting, DORA operational resilience, client-asset segregation, and supervisory engagement with CySEC. The authorisation is indefinite, replaced by ongoing supervisory fees and continuous fitness review.

Annual Reporting Obligations

Capital adequacy reviewed annually against the higher-of-class-minimum-or-25%-of-fixed-overheads rule; quarterly client-asset statements; annual audited financial statements filed with CySEC within four months of year-end; MOKAS suspicious-transaction reporting on a per-event basis; annual independent AML audit; complaints reporting to CySEC; and market-abuse surveillance reporting for trading platforms.

Supervision Fees and Operational Costs

Annual supervisory fees as set out in the Costs section above. Recurring operational costs include Cyprus office lease (€25,000–€60,000 p.a.), MLRO and Compliance Officer engagement (€60,000–€120,000 p.a.), Cyprus-licensed external auditor (€15,000–€35,000 p.a.), AML and Travel-Rule technology stack (€40,000–€80,000 p.a.), and DORA tooling and TLPT testing (€20,000–€60,000 p.a.).

Regulatory Inspections

CySEC conducts both scheduled supervisory engagements and thematic reviews. Scheduled engagements typically run on a 12–24 month cycle for newly-authorised CASPs, transitioning to a risk-based cycle thereafter. Thematic reviews in 2025–2026 have focused on AML control effectiveness, DORA implementation, and client-asset segregation. CySEC has powers to conduct unannounced on-site inspections and to require documentation production within stated timelines.

Enforcement

CySEC has a developed enforcement record across MiFID, AIFMD, and the national CASP register. Penalties include administrative fines (calibrated to the violation’s gravity, the firm’s size, and the period of non-compliance), public reprimands, withdrawal of authorisation, and individual sanctions on directors and senior management. Operating without authorisation is a criminal offence under Cyprus law; the post-1 July 2026 unauthorised continuation of CASP activity by non-filers is the highest enforcement priority for the immediate transitional period.

ICT Risk Management & Operational Resilience

DORA (Regulation (EU) 2022/2554) applies to all Cyprus CASPs as financial entities under Article 2 from 17 January 2025.^[8] Compliance is documented through an ICT risk framework, an incident-management workflow, a third-party register, and resilience testing.

ICT Risk Management Framework

The framework must specify ICT governance (board oversight, designated function holder), risk identification methodology, classification of ICT assets, risk assessment cadence, and risk mitigation controls. Cyprus expects the framework to be approved by the board and reviewed annually.

Incident Reporting

Major ICT-related incidents must be classified per DORA Article 18 criteria and reported to CySEC within the timeframes set by the regulator. Significant cyber threats are also reportable. The classification matrix (critical / major / significant) must be documented and applied consistently.

Digital Operational Resilience Testing

Annual BCP testing with documented results and remediation. Significant CASPs (designated under DORA criteria) must conduct threat-led penetration testing on a three-year cycle. The testing scope, methodology, and remediation tracking are documented.

Wallet and Key Management

Cold-wallet segregation from hot-wallet operations; documented key ceremony with multi-party computation or multi-signature thresholds; backup procedures with geographic and operator separation; and quarterly attestation of key custody.

Third-Party ICT Risk

Third-party register naming each ICT service provider, criticality assessment, contractual safeguards (DORA-aligned clauses), exit strategy for critical providers, and concentration risk assessment. CySEC has noted in supervisory communications that single-vendor dependency on cloud or custody-tech providers is a recurring area of concern.^[11]

Banking

Cyprus banking access for crypto-asset businesses is selective but workable. Local credit institutions take a case-by-case approach, with stronger appetite for MiCA-authorised CASPs than for pre-MiCA or AML-only registered entities. The EMI and payment-institution ecosystem provides widely-used operational alternatives, and Cyprus IBANs integrate fully into SEPA and SWIFT.

The Cyprus Banking Landscape

Cyprus credit institutions evaluate CASP onboarding against a now-standardised framework: source-of-funds and source-of-wealth documentation for the entity and its UBOs, MiCA authorisation evidence, Programme of Operations review, AML control attestation, expected transaction volume and corridor mix, and counterparty concentration. Institutions with crypto-onboarding mandates can move from initial contact to live account in 8–14 weeks; institutions without such mandates may decline at intake or require a 12-month observation period.

Practical Architecture

EMI and payment-institution access in Cyprus and across the EEA is broader and faster, with several specialist providers maintaining established CASP-onboarding programmes. For operational redundancy, most Cyprus CASPs maintain one credit-institution relationship plus one to two EMI relationships, distributing operational fiat flows while reserving the credit institution for client-fiat safeguarding under MiCA Article 70. For larger CASPs with institutional flow, correspondent banking access is selective; operators with substantial USD turnover should structure their banking stack with the USD correspondent route in mind from the outset.

The Correspondent-Banking Constraint

The real constraint on Cyprus banking is not the local credit institution itself but the correspondent banking layer above it: an operator’s bank can be onboarded comfortably while still finding that USD wires are routed through a chain that takes a separate compliance view. Operators should engage the correspondent question early where institutional USD flow is material, rather than discovering the routing constraint after the local account is live.

Jagelski & Partners’ Banking Service

Jagelski & Partners’ banking partner network spans more than 90 credit institutions and EMIs across the EU, the UK, the Gulf, Asia, and offshore centres. A licence without banking access is a certificate on the wall: learn about our Banking service →

FATF Status & International Standing

Cyprus is a MONEYVAL-evaluated jurisdiction in compliance with FATF standards. The most recent MONEYVAL evaluation rated Cyprus largely compliant or compliant across the 40 FATF Recommendations, with effectiveness ratings in the moderate to substantial range. Cyprus is not on any FATF grey or black list and the EU does not list Cyprus as a high-risk third country.

MiCA Passporting and EU Market Access

A Cyprus CASP authorisation passports to all 27 EU Member States plus the EEA (Iceland, Liechtenstein, Norway) under MiCA Article 65. The mechanism is procedural: a notification filed with CySEC, forwarded to the host competent authority and to ESMA’s interim MiCA register within 10 working days, and services may commence in the host state 15 calendar days after the initial notification.

No separate national authorisation is required in passported jurisdictions; conduct-of-business rules remain governed by MiCA, with host competent authorities retaining limited supervisory powers for branches and certain ongoing conduct matters.

Passporting filings are typically front-loaded against the markets with confirmed commercial pipeline and banking. As of 22 May 2026, ESMA’s MiCA register records 204 MiCA-authorised CASPs across the EU; Cyprus accounts for eight, with the highest concentration in Germany (53).^[3] The interim register is the authoritative source for the live cross-border CASP count.^[19]

The MiCA passporting framework genuinely delivers single-licence EU/EEA market access, but the host-state conduct-of-business and consumer-protection overlay is more material than the headline framework suggests: operators expecting “27 markets, one rulebook” will find that the rulebook is uniform while the local consumer-protection and tax-disclosure interfaces vary materially, and 4–6 weeks of host-state-specific preparation per major market is realistic.

Advantages and Limitations

Cyprus delivers MiFID-grade EU supervision in English with a competitive tax architecture and a working MiCA authorisation pipeline. The trade-offs are real: total cost-to-launch is materially above the EU cost-leaders, the substance bar is high, and the transitional window for legacy CASPs closes hard in early 2026.

• ✓ English working language across regulator, advisers, and courts. Eliminates the translation layer that adds friction in non-English EU jurisdictions; faster partner onboarding.
• ✓ MiFID-grade supervisory experience. 253 CIFs under CySEC supervision as of November 2025; depth of regulatory engagement that newer MiCA hubs cannot match.^[1]
• ✓ Cyprus Tax Reform 2026 architecture. 15% headline corporate tax, IP Box ~2.5–3% effective, 8% flat on crypto disposals, 0% withholding on outbound dividends to non-residents.^[2]
• ✓ Working MiCA pipeline. Eight CASP authorisations granted between January and December 2025; the supervisor is calibrated to crypto-business model review.^[3]
• ✓ 17-year non-dom regime with two five-year extensions (27 years total). Founder-level optimisation supported by 50% income-tax exemption for new tax residents earning above €55,000.^[2]
• ✓ MiCA Article 60 notification route for existing CIFs. Faster path for MiFID-authorised firms providing equivalent crypto services; 40 working day objection window instead of full Article 63 review.
• × Total cost-to-launch is materially above the EU cost-leaders. €350k–€700k Year 1 vs €100k–€250k in Estonia, Lithuania, or Czech Republic. Mitigation: for operators where institutional credibility, English working language, and tax structuring outweigh upfront cost, the lifetime economics favour Cyprus; for cost-constrained startups, Estonia is the preferred lower-cost EU alternative.
• × High substance bar. Cyprus-resident board majority, locally-engaged MLRO and Compliance Officer, real Cyprus office, place of effective management in Cyprus. Mitigation: front-load substance recruitment and office lease before filing; CIF-experienced directors with crypto fluency are available in the Cyprus market, and the lease and key-person recruitment can run in parallel with documentation build during weeks 4–12.
• × Transitional window for legacy national-regime CASPs closes hard in 2026 (see Key Deadlines above). Missed deadlines have no extension mechanism.^[6] Mitigation: legacy CASPs not yet engaged in MiCA file preparation should begin immediately; the standard 8–12 week documentation phase plus capital and substance build will not fit a Q1 2026 start. Operators not on the legacy register file as fresh MiCA applicants with no transitional cover.
• × Banking access is selective and correspondent-banking dependent. Cyprus credit institutions onboard MiCA CASPs case-by-case; USD correspondent routing adds an additional compliance layer above the local bank’s own decision. Mitigation: structure the banking stack with one Cyprus credit institution (required for MiCA Article 70 client-fiat safeguarding) plus one to two EMIs for operational redundancy; engage the correspondent question early if institutional USD flow is material to the business model.

How Cyprus Compares

Cyprus sits in the EU/EEA Established Crypto Centres tier alongside Malta and Gibraltar, with Estonia as the lower-cost EU alternative. Malta brings the longest dedicated crypto track record under the 2018 VFA Act; Gibraltar offers post-Brexit DLT positioning; Estonia is the cost-leader on regulatory and advisory fees.

Compare every crypto jurisdiction side by side →

Cyprus and Malta are the closest peers in regulatory standing: both run MiFID-grade supervisors with English working language, both target institutional + retail CASPs, and both deliver MiCA passporting from established financial-services jurisdictions. The decision typically reduces to tax structuring (Cyprus IP Box and 8% crypto-disposal rate vs Malta’s imputation refund) and existing operational footprint.

Gibraltar’s positioning is distinct: the DLT framework predates MiCA and brings a different operator profile (DLT-native businesses, crypto-native legal structures), but Gibraltar is a third country under MiCA, so a DLT licence carries no EU passporting. Estonia is the cost-leader cross-sell: operators where lifetime tax economics outweigh upfront cost choose Cyprus; operators with capital constraints and EU passporting as the binding requirement choose Estonia.

When Cyprus Is the Right Choice

Choose Cyprus if:

• English-language regulator and advisory infrastructure are decisive (institutional client base, US/UK/Gulf founders)
• You expect material IP income (white-label tech, custody software, exchange tech) that fits the IP Box
• The MiCA Article 60 notification route is available because the entity already holds CySEC MiFID permissions
• The operator targets EU institutional flow and needs a MiFID-grade home supervisor

Consider alternatives if:

• Total upfront cost is the binding constraint and €100–€200k is the working budget: see Estonia
• Speed-to-passport is the binding constraint and 6 months is the target: Lithuania has the EU’s fastest documented MiCA review (but a tougher rejection trend)
• The business has substantial Maltese commercial history or VFA-era authorisation: see Malta
• The DLT framework’s specific token-issuance treatment is decisive for the business model: consider Gibraltar

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes in Cyprus Applications

CySEC’s published expectations under the August 2025 practitioner guide, supplemented by ESMA’s 10 July 2025 fast-track peer review of MFSA’s MiCA practice (read across to all NCAs including CySEC), point to five recurring file deficiencies that delay or downgrade Cyprus CASP applications.^[11][13]

• Generic, payments-derived AML manual. Applicants reuse AML manuals drafted for payment-services businesses without adapting for crypto-specific typologies (mixers, peel chains, privacy coins, cross-chain bridges). CySEC routinely flags this on first review and requests Cyprus-specific, crypto-tuned manuals with MOKAS reporting pathways, EU consolidated sanctions list integration, and TFR Travel Rule plumbing.
• Substance promised post-authorisation. Submitting with a single Cyprus-resident director and a commitment to recruit MLRO, Compliance Officer, and additional resident directors after authorisation. CySEC treats this as a substance failure that adds 3–6 months to the substantive review, often via a sequence of supplementary information requests rather than a single rejection.
• Deferred DORA package. Treating DORA as a post-authorisation project. The ICT framework, third-party register, incident classification, BCP testing schedule, and TLPT plan are expected as part of the initial Article 62 file, not as conditional commitments.
• Under-budgeted dual-licensing (MiCA + PSD2) for fiat infrastructure. Operators handling fiat top-ups or maintaining e-money-token-like positions discover the Central Bank of Cyprus PSD2 perimeter only after Programme of Operations review, adding 8–12 weeks to the timeline and a separate authorisation track.^[10]
• Insufficient source-of-funds for qualifying shareholders. Qualifying shareholders (≥10%) must document source of funds and source of wealth to CySEC’s satisfaction. Complex shareholder structures with international trusts, holding companies, or token-treasury chains require front-loaded documentation; deferred source-of-funds and source-of-wealth evidence is the most common single trigger of supplementary information rounds for non-CIF applicants.

The dominant failure mode for Cyprus CASP applications is not a flaw in the regulatory framework but a misread of CySEC’s substance expectations: applicants treat Cyprus as if it were a flag-of-convenience jurisdiction with a tolerant approach to nameplate substance, when in practice CySEC operates closer to the MFSA and BaFin end of the EU spectrum than to the Eastern European cost-leaders.

Frequently Asked Questions

References