MiCA CASP License in Portugal

Why Choose Portugal for Crypto Licensing?

Portugal is an EU member state offering MiCA CASP authorisation with full EEA passporting, a deep crypto-user base, and a long-standing tax position that exempts long-term holdings. It implemented MiCA late: Law No. 69/2025 of 1 December 2025 designated the supervisors and entered into force on 23 December 2025.^[1] Portugal applies MiCA’s own-funds requirements of €50,000–€150,000 directly, without national overlays. Around 10 entities held the legacy Banco de Portugal VASP registration before MiCA.^[2]

Full MiCA Passporting

A Portuguese CASP authorisation grants the right to provide crypto-asset services across all 30 EEA member states through a single notification to the Banco de Portugal under MiCA Article 65.^[3] No additional authorisation is required from host-country regulators. Both cross-border service provision and branch establishment are covered. Portugal applies MiCA’s own-funds requirements directly: €50,000 for Class 1 services, €125,000 for Class 2, and €150,000 for Class 3. Unlike Estonia, which layers national capital requirements of €100,000–€250,000 above the MiCA minimums,^[4] Portugal imposes no such overlay.

Favourable Individual Tax on Long-Term Holdings

Portugal’s personal tax treatment of crypto is among the most generous in the EU for buy-and-hold investors. Gains on crypto-assets held by individuals for 365 days or more are exempt from personal income tax; gains on assets held for less than 365 days are taxed at a flat 28% under Category G of the IRS code.^[5] This long-term exemption, in force since 2023, makes Portugal attractive to founders and high-net-worth individuals relocating their personal holdings, though it does not reduce the corporate tax a licensed CASP pays on operating profit. Security-type tokens and counterparties in blacklisted jurisdictions are excluded from the exemption.

Strong Crypto Adoption and Talent Base

Portugal has built a substantial crypto and Web3 community, concentrated in Lisbon and supported by the digital-nomad visa, the IFICI (NHR 2.0) incentive for skilled inbound professionals, and a low cost of living relative to Western European financial centres.^[5] The IFICI regime offers a 20% flat rate on qualifying employment and self-employment income for up to 10 years, although it excludes passive investment gains. For a CASP, the practical benefit is access to a motivated, English-speaking talent pool at lower personnel cost than Frankfurt, Paris, or Dublin.

Twin-Peaks Supervision

Portugal supervises CASPs under a twin-peaks model: the Banco de Portugal acts as prudential supervisor and authorising authority, while the CMVM (Comissão do Mercado de Valores Mobiliários) acts as conduct-of-business and market-abuse supervisor.^[1] The Banco de Portugal receives and decides every CASP authorisation application, coordinating with the CMVM, which issues a binding opinion within 10 to 15 working days. For applicants, this means a single submission point but two supervisory relationships to maintain after authorisation.

Regulatory Framework

Portugal regulates crypto-asset service providers under the EU’s Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114,^[3] which applies directly without national transposition. The national implementing legislation is Law No. 69/2025 of 1 December 2025, published in the Diário da República on 22 December 2025 and in force from 23 December 2025.^[1] It establishes a twin-peaks model: the Banco de Portugal is the lead authority for CASP authorisation and prudential supervision, and the CMVM is the conduct and market-abuse supervisor. See the consolidated category page for the MiCA framework: requirements and timeline →

Twin-Peaks Regulator Structure

Portugal operates a twin-peaks supervision model for CASPs. The Banco de Portugal is the competent authority for the authorisation of CASPs (Title V, Chapter 1), the acquisition of qualifying holdings (Chapter 4), significant CASPs (Chapter 5), and the prudential, governance, outsourcing, and orderly wind-down provisions (Articles 67–68, 73–74).^[1] The CMVM supervises crypto-asset offers (Title II), market abuse (Title VI), and CASPs’ conduct-of-business obligations, safekeeping of clients’ assets, complaints handling, and conflicts of interest (Articles 66, 70–72).^[17] Authorisation applications go to the Banco de Portugal, which obtains the CMVM’s opinion within 10 to 15 working days.

Regulatory History

Portugal’s crypto regulatory history explains the current landscape. The legacy VASP registration regime began on 1 September 2020, when Law No. 58/2020 of 31 August transposed the Fifth Anti-Money Laundering Directive (AMLD5) into the AML/CFT Law (Law No. 83/2017).^[2][19] From that date, virtual-asset activities in Portugal required prior registration with the Banco de Portugal. The registration procedure was detailed in Notice (Aviso) No. 3/2021 of 24 April.

The legacy regime was AML/CFT-focused only: it screened beneficial owners and AML governance but did not impose MiCA-style capital, prudential, or conduct requirements. Roughly 10 entities completed registration, a much smaller cohort than the hundreds seen in Estonia or Lithuania, reflecting Portugal’s narrower registration scope.

On 5 December 2025, the Assembleia da República approved the MiCA implementing law; Law No. 69/2025 was published on 22 December 2025, designating the Banco de Portugal and the CMVM as the competent authorities. A separate Law No. 70/2025 transposed the Transfer of Funds Regulation amendments into the AML/CFT Law.^[6]

Recent Regulatory Developments

• July 2026: National transitional period for legacy VASPs ends on 1 July 2026, aligned with the EU-wide MiCA Article 143(3) grandfathering cliff.
• December 2025: Law No. 69/2025 (MiCA implementation) and Law No. 70/2025 (TFR/AML amendments) published 22 December, in force 23 December 2025.^[1]
• January 2025: Banco de Portugal confirmed (press release, 3 January 2025) that no MiCA competent authority had yet been designated and that it could not accept or assess CASP authorisation applications pending the implementing law.^[2]
• December 2024: MiCA became fully applicable across the EU on 30 December 2024; Portugal had not yet enacted national implementing legislation.
• September 2020: Legacy Banco de Portugal VASP registration regime commenced under Law No. 58/2020.

Regulatory Overlap

EMI/PSD2 overlap: CASPs that issue or handle E-Money Tokens (EMTs) trigger EMD2/PSD2 requirements. The EBA confirmed (June 2025) that custody and transfer of EMTs can constitute payment services. Dual authorisation (MiCA + PSD2) is required for EMT-related services after 2 March 2026.^[7]

MiFID II overlap: Crypto-assets that confer equity-like rights or are negotiable on capital markets are classified as transferable securities under MiFID II, not MiCA, and fall under CMVM securities supervision. ESMA’s technology-neutral guidelines (applicable 3 June 2025) establish a substance-over-form classification test.^[8]

AML/CFT overlap: Portuguese CASPs remain subject to the AML/CFT Law (Law No. 83/2017, as amended by Law No. 70/2025) and to supervision for money-laundering purposes. The Travel Rule under the TFR Recast applies directly. CASPs must continue to file suspicious-transaction reports and maintain AML governance alongside their MiCA obligations.

Regulatory Transition: VASP Registration to MiCA CASP Authorisation

Portugal is mid-transition from its legacy Banco de Portugal VASP registration regime to full MiCA CASP authorisation. Because national implementing legislation (Law No. 69/2025) only entered into force on 23 December 2025, the authorisation process effectively opened in 2026. The national transitional period for legacy VASPs runs to 1 July 2026, aligned with the EU-wide MiCA Article 143(3) grandfathering cliff.^[1]

Key Deadlines

Transition Mechanics

The grandfathering relief is narrow. It is available only to entities that, as at 30 December 2024, were already registered with the Banco de Portugal and had commenced and duly notified the virtual-asset activities for which they were qualified.^[1] During the interim period those entities are treated as CASPs for MiCA purposes, but the relief lapses automatically for any entity that had not commenced its notified activity by that cut-off. With roughly 10 registered VASPs, Portugal’s grandfathered cohort is small; the larger flow is expected to be fresh applicants drawn by the EU passport and the tax position rather than legacy conversions.^[18]

Article 143(3) Transitional Cliff

MiCA Article 143(3) is the EU-wide grandfathering provision: it lets entities that lawfully provided crypto-asset services under national law before 30 December 2024 continue until 1 July 2026 or until a CASP authorisation is granted or refused.^[3] Member states could shorten this window or remove it; Portugal adopted the full 1 July 2026 horizon. The practical consequence is a hard deadline: an applicant that has not filed in time to be decided by 1 July 2026 risks a gap in its legal basis to operate.

Financial Institutions, Article 60 Notification

Already-licensed financial institutions (credit institutions, investment firms, EMIs) are not required to obtain a separate CASP licence. Under MiCA Article 60, these entities notify the Banco de Portugal of their intention to provide crypto-asset services. The notification must include a programme of operations and evidence of adequate governance. This route is significantly faster than a fresh CASP application.

License Types and Activities Covered

MiCA defines 10 crypto-asset services grouped into 3 classes that determine capital requirements. Portugal implements MiCA directly without additional national service categories. The classification determines the minimum own-funds requirement under Article 67 and Annex IV: €50,000 for Class 1, €125,000 for Class 2, and €150,000 for Class 3.

Covered Activities

What Does NOT Require CASP Authorisation

Services provided in a fully decentralised manner without any intermediary fall outside MiCA’s scope (Recital 22). Unique, non-fungible tokens (NFTs) are excluded unless issued in large series, collections, or fractionalised forms. Crypto-assets that qualify as financial instruments under MiFID II are regulated under existing securities law, not MiCA. Central bank digital currencies (CBDCs), deposits, insurance products, pension products, and securitisation positions are excluded.

DAO, DeFi, and Regulatory Perimeter

MiCA does not explicitly cover decentralised autonomous organisations (DAOs) or DeFi protocols. ESMA has stated that decentralisation exists on a spectrum rather than as a binary classification. Partially decentralised services: such as DEXs with upgrade keys, admin-controlled smart contracts, or governance tokens concentrated among a small group, remain within MiCA’s scope if an identifiable intermediary exists. The Banco de Portugal and the CMVM have not published Portugal-specific guidance on DAOs, DeFi, or decentralised exchanges. Applicants operating hybrid models should seek pre-application engagement with the Banco de Portugal before filing.

NFT Classification

NFTs that are unique and non-fungible are excluded from MiCA under Article 2(3). The exclusion ceases to apply when: NFTs are issued as part of a large series or collection (suggesting fungibility), NFTs are fractionalised into interchangeable units, or the NFT functions as a payment or investment instrument regardless of its label. The classification is substance-based: labelling a token as “NFT” does not determine its regulatory treatment.

Tokenised Securities and RWA

MiCA Article 2(4) excludes crypto-assets that qualify as financial instruments. A tokenised security, a tokenised share, bond or fund unit, is regulated under MiFID II, the Prospectus Regulation and the EU DLT Pilot Regime (Regulation (EU) 2022/858), supervised in Portugal by the CMVM, not under MiCA. ESMA’s Guidelines on the qualification of crypto-assets as financial instruments set the boundary. The honest point: a Portuguese MiCA CASP authorisation does not cover tokenised securities or real-world-asset tokens that are financial instruments; those follow the MiFID securities regime. For the fund-tokenisation route, see fund licensing.

Requirements

MiCA CASP authorisation in Portugal requires a Portuguese corporate entity (typically a Lda or S.A.), minimum own-funds capital of €50,000–€150,000 depending on service class, a real establishment in Portugal, at least two effective directors, a compliance officer, and a comprehensive compliance documentation suite. All qualifying shareholders (10%+ of capital or voting rights) undergo fit-and-proper assessment.

A practical early consideration is the dual-supervisor relationship. The Banco de Portugal leads authorisation, but the CMVM issues a binding opinion and supervises conduct. Applicants should expect their governance, conduct, and client-asset arrangements to be scrutinised against CMVM standards, not only the prudential standards the Banco de Portugal applies.

Fit-and-Proper Assessment

The Banco de Portugal, with the CMVM’s input, evaluates directors, senior managers, qualifying shareholders, and key function holders against MiCA’s fit-and-proper criteria. Assessment dimensions include: professional qualifications and experience, reputation and integrity (criminal background check, regulatory history), financial soundness (no insolvency or ongoing enforcement), and the collective knowledge of the management body. Across early MiCA cohorts EU-wide, the most common failure point has been an inability to evidence the legitimate origin of owners’ capital, so source-of-wealth documentation should be prepared from the outset.

Local Presence and Substance

Portugal requires genuine substance for licensed CASPs. The applicant must have a real establishment and head office in Portugal, with effective management capable of being exercised from there; a letterbox entity with management outsourced to another jurisdiction is not acceptable. MiCA Article 68 requires at least two persons to effectively direct the business and a governance framework proportionate to the services provided. The Banco de Portugal and the CMVM assess whether the organisational structure allows effective supervision of both prudential and conduct obligations from Portugal.

AML/CFT and Travel Rule

Portugal’s AML framework is governed by the AML/CFT Law (Law No. 83/2017, as amended), with the Transfer of Funds Regulation amendments transposed by Law No. 70/2025.^[6] The EU’s Transfer of Funds Regulation Recast (Regulation (EU) 2023/1113) applies directly. Critical detail: there is no de minimis threshold for CASP-to-CASP transfers: full originator and beneficiary information must accompany all crypto transfers regardless of amount. The €1,000 threshold applies only to transfers involving self-hosted wallets: when a transfer exceeds €1,000 to or from an unhosted address, the CASP must verify that the individual owns or controls that address.^[9]

Sanctions screening must cover EU consolidated sanctions lists (mandatory) and UN sanctions lists (implemented via EU legislation). OFAC screening is not legally mandatory in Portugal but is strongly recommended given extraterritorial reach and correspondent-banking expectations. Suspicious-transaction reports are filed to Portugal’s Financial Intelligence Unit (Unidade de Informação Financeira, UIF) and the DCIAP within the legal deadlines.

Application Process

The Banco de Portugal assesses MiCA CASP applications within the statutory MiCA framework: 25 working days for completeness and 40 working days for substantive assessment (extendable if additional information is requested), with the CMVM’s binding opinion delivered in 10 to 15 working days during the procedure. The realistic end-to-end timeline, from initial preparation through authorisation, is 6–12 months.

There is no established Newcomer-style sandbox dialogue specific to CASPs. Applicants should engage the Banco de Portugal early to confirm expectations, particularly on the CMVM-supervised conduct and client-asset arrangements that sit alongside the prudential file.

Application language: The formal authorisation file is expected in Portuguese; supporting documents (articles of association, internal policies, AML manual, ICT framework) generally require certified Portuguese translations, and applicants should expect Portuguese-language correspondence throughout. Neither the Banco de Portugal nor the CMVM has published a CASP policy permitting an English-language formal application.

Pre-application engagement: As of June 2026 neither the Banco de Portugal nor the CMVM operates a CASP-specific formal pre-application programme, but early contact is advisable to confirm documentation expectations before the statutory clock begins, especially while the first authorisation cohort is being processed. Innovators can also use the Portugal FinLab regulator dialogue channel, which is general rather than CASP-specific.

Required Documents

The Banco de Portugal’s CASP authorisation documentation requirements follow MiCA Article 62 and Commission Delegated Regulation (EU) 2025/305.^[10] The application must cover governance, the programme of operations, prudential safeguards, and the full AML/CFT and conduct framework, with the CMVM reviewing the conduct and client-asset elements.

Corporate Documents

Certificate of incorporation of the Portuguese company (Lda or S.A.) from the Commercial Registry. Articles of association (contrato de sociedade). Shareholder register. Proof of minimum own-funds capital deposit (bank statement). LEI (Legal Entity Identifier). Proof of the Portuguese head office and establishment address.

Personal Documents (All Directors, Officers, and Qualifying Shareholders)

Valid government-issued photo identification (passport or national ID). Curriculum vitae (CV) with detailed professional history. Criminal record certificates from each country of residence in the past 10 years. Declaration of good repute and absence of pending proceedings. Evidence of professional qualifications, skills, and experience relevant to the role. For qualifying shareholders (10%+): detailed source-of-funds and source-of-wealth documentation, consistently the most scrutinised element in MiCA CASP applications.

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Portuguese CASP application, and generic MiCA templates are the single most common cause of application delays. Each document must be bespoke and Portugal-specific, reflecting the applicant’s business model, risk profile, and operational structure, and must satisfy both the Banco de Portugal’s prudential standards and the CMVM’s conduct standards. Templates adapted from other jurisdictions are a common cause of rejection.

Business Plan and Financial Projections

Programme of operations per MiCA Article 62(2)(d): description of all crypto-asset services to be provided, target markets, client profile, marketing strategy. Three-year financial projections including revenue model, cost base, capital adequacy forecasts, and break-even analysis. Description of the governance structure and internal control mechanisms.

Technology and Operational Documentation

IT architecture documentation. Cybersecurity policy and penetration test reports. Hot/cold wallet management and key management procedures (for custody service providers). Business continuity plan and disaster recovery procedures. Third-party ICT provider register (DORA requirement). Incident response plan for major ICT incidents.

Costs and Pricing

Portugal’s MiCA CASP authorisation costs are structured across three tiers matching MiCA’s service classification. The largest cost components are the locked own-funds capital, personnel (a small team at Lisbon salary levels), and the bespoke compliance documentation. The estimates below are indicative ranges for a typical applicant; the exact Banco de Portugal application and supervision fees are set by the competent authorities.^[10]

Total Cost Summary

Note: The minimum own-funds capital (€50,000–€150,000) must be maintained as permanent equity and is not consumed during operations. The ongoing own-funds obligation under MiCA Article 67 is the higher of the permanent minimum or 25% of the preceding year’s fixed overheads, and may be met through own funds, a qualifying insurance policy, or a comparable guarantee.

Timeline

The 6–12 month range reflects the statutory MiCA assessment periods plus the twin-peaks coordination between the Banco de Portugal and the CMVM, and the lead time on a credit-institution safeguarding account. Applicants targeting authorisation before the 1 July 2026 transitional cliff should treat documentation readiness as the critical path. As of June 2026 the Banco de Portugal had not published average decision-time statistics for CASP authorisations, so the range above reflects the statutory periods rather than an observed processing record.

Taxation

Portugal is a moderate-tax EU jurisdiction with a well-known incentive for long-term individual crypto holders, but a standard corporate burden for the CASP itself. The standard corporate income tax (IRC) rate is 19% for financial years beginning on or after 1 January 2026, reduced from 20% in 2025 and on a legislated path toward 17% by 2028.^[11] A preferential 15% rate applies to qualifying SMEs on the first €50,000 of taxable income. Municipal and state surtaxes (derrama) apply on top of the headline rate.

IFICI (NHR 2.0) and Inbound Talent

The Tax Incentive for Scientific Research and Innovation (IFICI), often called NHR 2.0, offers a 20% flat personal income tax rate on qualifying Portuguese employment and self-employment income from eligible activities for up to 10 years.^[5] For a CASP recruiting skilled staff into Portugal, IFICI can lower the personal tax burden on key hires. It does not apply to passive investment income, so it provides no relief on trading gains, and it is distinct from the long-term holding exemption described above.

DAC8 / CARF Reporting

Portugal, as an EU member state, is bound by the DAC8 Directive (Council Directive (EU) 2023/2226), under which crypto-asset service providers must begin collecting reportable data from 1 January 2026, with the first reporting expected in 2027 (covering calendar year 2026).^[12] DAC8 transposes the OECD Crypto-Asset Reporting Framework (CARF) into EU law.^[20] Portugal transposed DAC8 (and DAC9) through Law No. 26/2026 of 3 June 2026, published in the Diário da República on 3 June 2026; the annual CASP report is due by 31 May each year for the preceding calendar year.^[21]

Pillar Two (Global Minimum Tax)

Portugal has transposed the EU Pillar Two Directive (Council Directive (EU) 2022/2523) into domestic law. The OECD Global Minimum Tax applies a 15% effective floor to multinational and large domestic groups with consolidated revenue exceeding €750 million: a threshold unlikely to affect standalone Portugal-domiciled CASPs, but relevant to applicants that form part of a large group.

Ongoing Compliance & Post-Registration

MiCA CASP authorisation creates a permanent compliance infrastructure obligation. The authorisation is indefinite (no renewal), but the Banco de Portugal and the CMVM conduct ongoing supervision through reporting, periodic inspections, and incident reporting. Annual ongoing compliance costs range from around €65,000 for a minimal Class 1 operation to €185,000+ for a full-service Class 3 exchange.

Annual Reporting Obligations

CASPs must submit financial statements, capital-adequacy reports, and activity reports to the competent authorities and maintain annual audited financial statements. AML/CFT reporting obligations under Law No. 83/2017 continue alongside the MiCA prudential and conduct reporting. DAC8 reporting on reportable crypto-asset users begins for data collected from January 2026, with first reporting in 2027. As of June 2026 the Banco de Portugal and the CMVM had not published CASP-specific periodic reporting templates or submission deadlines, so applicants should confirm the operational reporting calendar with each supervisor.

Supervision Fees

MiCA authorisation is indefinite: there is no annual renewal fee. Instead, CASPs pay annual supervision contributions to the competent authorities. The contributions fund supervisory activity and are calculated according to the methodologies set by the Banco de Portugal and the CMVM; as of June 2026 the exact CASP supervision fee methodology and amounts had not been published in primary sources, so applicants should budget on the basis of indicative guidance and confirm the figures with each supervisor.

Regulatory Inspections

The Banco de Portugal and the CMVM conduct both scheduled and unscheduled supervisory inspections within their respective remits. Banco de Portugal reviews focus on prudential soundness, governance, AML/CFT, and operational resilience; CMVM reviews focus on conduct of business, client-asset safekeeping, complaints handling, and market abuse. The twin-peaks model means inspections from either authority can occur independently.

Enforcement

The competent authorities’ enforcement powers under MiCA include:

• Administrative fines up to €5,000,000 or 12.5% of annual turnover for legal persons (MiCA Article 111)
• Fines up to €700,000 for natural persons (directors, officers)
• Public statements naming the entity and the nature of the breach
• Withdrawal of authorisation
• Temporary prohibition on management functions
• Suspension or limitation of services

Advertising and Promotion Rules

MiCA’s marketing communications regime (Articles 7, 29, 53, and 66) applies directly to Portuguese CASPs, with the CMVM as conduct supervisor.^[3] All marketing must be fair, clear, and not misleading. Marketing communications must be identifiable as such and consistent with the published documentation. CASPs are accountable for third-party promotional content, including influencer and social media marketing. Google requires valid CASP authorisation for crypto advertising within the EU from April 2025.

ICT Risk Management & Operational Resilience

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to all CASPs authorised under MiCA.^[13] DORA has been applicable since 17 January 2025. The Banco de Portugal is the enforcement authority for DORA compliance among Portuguese CASPs. Non-compliance carries penalties of up to 2% of total annual worldwide turnover or €1,000,000 for individuals.

Incident Reporting

Major ICT-related incidents must be reported to the Banco de Portugal within strict deadlines:

Digital Resilience Testing

All CASPs must conduct general resilience testing under DORA Articles 24–25, including vulnerability assessments and penetration testing. Threat-led penetration testing (TLPT) under Articles 26–27 applies only to entities identified by the Banco de Portugal as significant. TLPT frequency: at least every 3 years. Microenterprises are explicitly excluded from TLPT. Most smaller and mid-size CASPs will not be designated for TLPT but must still conduct general testing.

Third-Party ICT Risk

CASPs must maintain a register of all ICT third-party service providers, including cloud providers, blockchain infrastructure providers, and custody technology vendors. Contractual arrangements must include audit rights, termination provisions, and data localisation specifications.

Wallet and Key Management

CASPs providing custody services must implement segregated hot/cold wallet architectures, multi-signature authorisation for material transactions, key generation in secure environments, and documented key backup and recovery procedures.

Banking

Banking access for Portugal-licensed CASPs is moderate to difficult. Domestic Portuguese banks remain cautious about onboarding crypto-asset service providers, and MiCA authorisation improves credibility but does not guarantee acceptance. The constraint is not access to any account: it is access to the right accounts for client-fund safeguarding.

EMIs licensed across the EU and connected to SEPA provide credit-transfer rails for day-to-day payments, reducing dependency on a single domestic banking relationship for payment processing.

The credit-institution relationship is the harder account to obtain. European credit institutions are more receptive to MiCA-authorised entities than to the legacy VASP cohort, but enhanced due diligence remains lengthy. Banking access for Portugal-licensed entities typically requires 2–4 months for safeguarding-account setup, so applicants should begin banking conversations during the application preparation phase rather than after authorisation is granted. This second relationship, rarely solved with a domestic bank, is the one that decides whether the licence can operate. Learn about crypto business banking →

FATF Status & International Standing

Portugal does not appear on any FATF list. It is absent from both the FATF list of Jurisdictions under Increased Monitoring (the “grey list”) and the list of High-Risk Jurisdictions subject to a Call for Action (the “black list”), and has never been listed under either. As an EU member state, Portugal is likewise outside the scope of the EU list of high-risk third countries, which by definition covers non-EU jurisdictions only.

Portugal is a full member of the FATF and is assessed directly by it, rather than through a FATF-style regional body. Its fourth-round Mutual Evaluation Report was adopted at the FATF Plenary in December 2017, concluding that Portugal has a sound and effective regime for combating money laundering and terrorist financing, while recommending stronger implementation of measures for designated non-financial businesses and professions.^[14]

For crypto businesses, the practical significance is reputational comfort: a Portuguese CASP operates from a clean, FATF-member jurisdiction, which eases correspondent-banking and counterparty due diligence relative to grey-listed or offshore alternatives. The legacy VASP registration regime, run by the Banco de Portugal since 2020, was the national response to the FATF and EU virtual-asset standards; the MiCA framework now layers a full prudential and conduct regime on top of that AML foundation.

MiCA Passporting and EU Market Access

MiCA passporting is the headline commercial value of Portuguese CASP authorisation. Under Article 65, a Portuguese CASP notifies the Banco de Portugal of its intention to provide cross-border services or establish a branch in other EEA member states. The Banco de Portugal communicates the notification to host NCAs and ESMA. No separate authorisation, additional capital, or waiting period is required from host countries.^[3]

Both routes are covered: freedom to provide services (cross-border without establishment) and right of establishment (opening a branch). Host NCAs cannot block either route except in extraordinary circumstances. A single Portuguese authorisation therefore opens the entire EEA market from a Lisbon base.

The MiCA passport extends across the full EEA. The EEA EFTA states Iceland, Liechtenstein and Norway sit inside the MiCA passport via EEA Joint Committee Decision No 41/2025 of 20 February 2025 (with supplementary RTS via JCD 138/2025 of 13 June 2025); three non-EU/non-EEA jurisdictions in geographical Europe sit outside the passport regime and require local authorisation for local clients: the United Kingdom, Switzerland, and Gibraltar.^[15]

Article 61 reverse solicitation is third-country-only and does not apply to a Portuguese-authorised CASP marketing to other EU/EEA Member States: passporting via Article 65 is the operative pathway. The ESMA Guidelines on reverse solicitation (26 February 2025) are framed for non-EU operators serving EU clients on a strictly unsolicited basis, with any further same-type marketing confined to the context of the original transaction. See the dedicated reverse solicitation guide for the third-country compliance pattern.^[16]

The ESMA Interim MiCA Register has been operational since 30 December 2024, published as CSV files updated regularly.^[8] A Portuguese CASP authorisation, once granted, is notified to ESMA for inclusion in the EU-wide register.

Advantages and Limitations

Portugal offers a genuine commercial proposition for MiCA CASP authorisation: EU passporting, a generous long-term individual tax position, and a deep crypto community. The limitations set out below are real but manageable.

• ✓ Full EU passporting to 30 EEA states. A single Portuguese authorisation grants cross-border service provision and branch establishment rights across the entire European Economic Area.
• ✓ MiCA capital requirements applied directly, no national overlays. Portugal follows MiCA minimums (€50,000–€150,000) without the national buffers imposed by Estonia (€100,000–€250,000).
• ✓ Long-term individual crypto holdings are tax-exempt. Gains on assets held for 365 days or more are exempt from personal income tax, attractive to founders and high-net-worth relocators.
• ✓ Deep crypto community and English-friendly talent. Lisbon hosts a large Web3 ecosystem, and the IFICI incentive and digital-nomad visa support inbound skilled hiring at lower cost than Western European hubs.
• ✓ Clean FATF-member jurisdiction. Portugal is a full FATF member, never grey- or black-listed, which eases correspondent-banking and counterparty due diligence.
• × Brand-new authorisation route with no track record. The implementing law only took effect on 23 December 2025, so there is no settled body of decided CASP applications. Mitigation: Build the application directly to the MiCA RTS standard and engage the Banco de Portugal early to confirm expectations.
• × Compressed transitional cliff. The 1 July 2026 grandfathering deadline leaves a narrow window for applicants who need authorisation before then. Mitigation: Prioritise documentation readiness as the critical path and file as early as the entity and capital allow.
• × Dual-supervisor model increases coordination burden. CASPs must satisfy the Banco de Portugal on prudential matters and the CMVM on conduct and client-asset matters. Mitigation: Appoint compliance staff familiar with both supervisors’ expectations and prepare conduct and client-asset documentation to CMVM standards.
• × Banking access remains moderate to difficult. Domestic banks are cautious with crypto, and client-fund safeguarding requires a credit-institution relationship (not an EMI). Mitigation: Begin banking conversations during the application preparation phase, not after authorisation.
• × Portuguese-language regulatory environment. Regulatory correspondence and filings are expected in Portuguese. Mitigation: Engage Portuguese-speaking compliance counsel and budget for certified translations of supporting documents.

How Portugal Compares

Portugal competes with Spain (the larger Iberian market), Malta (the established crypto centre), and Cyprus (the financial-services hub). Estonia is a common Baltic alternative. Each offers MiCA passporting; the differentiators are timeline, tax, regulatory maturity, and how settled the authorisation route is.

Compare every crypto jurisdiction side by side →

The key difference is: all four apply MiCA capital requirements directly, so the spread is on route maturity and tax. Portugal’s standout is the individual long-term holding exemption, which benefits founders rather than the entity. For the CASP itself, Malta’s low effective rate via the refund system and Cyprus’s 15% headline rate are competitive against Portugal’s 19% IRC. Malta and Cyprus also offer more settled, English-language authorisation routes.

Spain shares the Iberian market and a similar timeline but carries a higher corporate tax rate (25%) and is supervised solely by the CNMV. Portugal’s twin-peaks model adds a second supervisory relationship that Spain does not.

Jagelski & Partners, through its partner network, delivers Portuguese MiCA CASP authorisation end-to-end: company formation, the Banco de Portugal authorisation file and CMVM conduct dossier, banking introductions, and post-licensing compliance. We also licence across the EU, so if the comparison points you toward Malta, Cyprus, or Estonia, the same single engagement covers those routes too.

When Portugal Is the Right Choice

Choose Portugal if: the priority is EU-wide passporting from a country with strong crypto adoption and an English-friendly business environment; founders or key individuals will benefit from the long-term holding exemption; the team can absorb the compressed 1 July 2026 transitional window.

Consider alternatives if: a settled, English-language authorisation route is a priority (Malta and Cyprus offer track records); lower corporate tax on the entity matters more than individual tax (Cyprus at 15% or Malta’s refund system); the operation reinvests profits and a 0%-on-retained-profits model is preferred (Estonia).

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes in Portugal Applications

Because Portugal’s CASP route is new, the failure patterns are drawn from the EU-wide MiCA experience and the structure of the Portuguese framework rather than a settled local rejection record. The recurring themes are documentation quality, source-of-funds evidence, and underestimating the dual-supervisor and deadline dynamics.

• Treating the legacy VASP registration as a head start. A Banco de Portugal VASP registration was an AML-only screen and does not convert into a CASP authorisation. Grandfathered VASPs must file a full MiCA application; assuming the registration carries over is a costly misread of the 1 July 2026 cliff.
• Inadequate source-of-funds documentation for beneficial owners. Across MiCA cohorts, the most common rejection driver is failure to evidence the legitimate origin of qualifying shareholders’ capital. Tax returns, bank statements, and employment records covering 3–5 years are the starting point, not certificates of deposit alone.
• Preparing only for the prudential supervisor. Applicants often build a strong prudential file for the Banco de Portugal but underweight the conduct, client-asset safekeeping, complaints, and conflicts documentation the CMVM reviews. Both supervisors must be satisfied for authorisation.
• Submitting generic compliance templates. Documentation adapted from other jurisdictions or template libraries does not pass. Each policy must reflect Portuguese law (Law No. 83/2017 for AML, Law No. 70/2025 for the Travel Rule) and the applicant’s specific business model and risk profile.
• Underestimating the compressed timeline. With the implementing law in force only from 23 December 2025 and the cliff at 1 July 2026, applicants who delay entity formation and documentation drafting risk missing the window to be decided in time.
• Failing to begin banking setup in parallel. MiCA Article 70 requires client-fund safeguarding with a credit institution, and obtaining that account for a crypto business takes 2–4 months. Banking should commence during the documentation preparation phase, not after authorisation.

Frequently Asked Questions

References