MiCA CASP License in Romania

Why Choose Romania for Crypto Licensing?

Romania offers a credible MiCA CASP route built on one of the EU’s lower standard corporate tax rates (16%), the largest IT talent pool in Central and Eastern Europe (250,000+ certified specialists per ITA reporting), full MiCA passporting across 30 EEA states post-authorisation, and a moderate substance bar. The single binding constraint is timing: as of June 2026 no Romanian CASP is authorised, for the reason set out under Regulatory Framework below.

Full MiCA Passporting Across the EEA

A Romanian-authorised CASP can passport its services across all 30 EEA states under MiCA Articles 65–66, without separate national licences. ASF notifies host competent authorities and the European Securities and Markets Authority (ESMA);^[7] ESMA’s Interim MiCA Register provides public proof of authorisation. The MiCA passport covers all 10 crypto-asset services under Article 3: custody, exchange, trading platform, execution, advice, portfolio management, transfer, and others. Grandfathered firms operating under Article 143 do not have passport rights; the passport activates only on full authorisation.

16% Corporate Tax: One of the EU’s Lower Headline Rates

Romania charges 16% on company profits, among the lower standard headline rates in the EU, alongside Bulgaria (10%, with restrictions) and Cyprus (15% from 1 January 2026).^[15] A Romanian-authorised CASP that operates as a small entity in year one can elect the microenterprise regime: 1% of turnover up to €100,000 (OUG 89/2025, in force from 1 January 2026).^[16] Most CASPs outgrow the microenterprise threshold quickly. Unlike Malta, whose 35% headline rate falls to ~5% effective only through a complex refund mechanism, Romania’s headline rate is the rate paid.

CEE’s Largest Engineering Bench

Romania ranks first in Europe and sixth globally for certified IT specialists per 1,000 inhabitants, with over 250,000 software engineers concentrated in Bucharest, Cluj-Napoca, Iași, and Timișoara.^[19] For crypto operations whose authorisation depends on demonstrable ICT and Digital Operational Resilience Act (DORA) capability, this is a structural advantage: substance is genuinely deliverable, not nominally constructed. English proficiency is near-universal in the IT sector, and the time zone (EET, UTC+2) aligns with both London and the Gulf, a relevant detail for institutional client servicing.

Where Romania Sits Among EU MiCA Cost-Leaders

Romania belongs to the EU MiCA Cost-Leaders peer group together with Estonia, Latvia, Czech Republic, Slovakia, and Lithuania.^[21] Among that cluster, Romania’s 16% corporate tax is in the middle of the band; the microenterprise regime gives early-stage operators a year-one advantage. Unlike Czech Republic, which has already issued 6+ MiCA authorisations,^[8] Romania has zero, the asymmetry that frames any Q3 2026 incorporation decision.

Regulatory Framework

Romania’s CASP framework rests on Regulation (EU) 2023/1114 (MiCA), directly applicable since the Crypto-Asset Service Provider regime commenced on 30 December 2024. The national implementing OUG, drafted by the Ministry of Public Finance and published for public consultation in May 2025,^[3] was reviewed in first reading by Government on 2 April 2026^[4] but has not been published in Monitorul Oficial as of June 2026.^[5]

Dual-Regulator Structure: ASF and BNR

The Autoritatea de Supraveghere Financiară (ASF) is the designated lead competent authority for CASPs, Asset-Referenced Token (ART) issuers, and Crypto ATM operators under the draft OUG, and serves as Romania’s single point of contact with ESMA.^[6] The Banca Națională a României (BNR) retains exclusive supervision over E-Money Token (EMT) issuance by credit institutions and authorised E-Money Institutions (EMIs), and over crypto-asset services provided within supervised banks; BNR is Romania’s single point of contact with the European Banking Authority (EBA). ASF decisions are challengeable within 30 days before the Bucharest Court of Appeal.

Supporting institutions surround the two lead authorities. The Oficiul Național de Prevenire și Combatere a Spălării Banilor (ONPCSB) is Romania’s Financial Intelligence Unit and AML supervisor; the Agenția Națională de Administrare Fiscală (ANAF) administers DAC8/CARF reporting; the Autoritatea pentru Digitalizarea României (ADR) certifies CASP IT systems; the Directoratul Național de Securitate Cibernetică (DNSC) coordinates national cybersecurity under DORA.

The MiCA Layer

Regulation (EU) 2023/1114 (MiCA) entered into force on 29 June 2023. The ART/EMT issuer regime applied from 30 June 2024; the CASP regime from 30 December 2024.^[1] MiCA is directly applicable in Romania without national transposition: the implementing OUG’s role is to designate competent authorities, set procedural rules, and create national administrative offences, not to restate MiCA itself. ESMA Level 2 and Level 3 measures (RTS, ITS, guidelines, Q&As) continue to be published through 2026; the iXBRL formatting requirement for crypto-asset white papers applied from 23 December 2025.^[7]

National Implementing Legislation

The draft Ordonanță de Urgență privind reglementarea serviciilor de criptoactive (“Draft MiCA OUG”) was published for public consultation by the Ministry of Public Finance on 23 May 2025.^[3] The Government of Romania reviewed the OUG in first reading on 2 April 2026, per the gov.ro press release of that date.^[4] The OUG has not been published in Monitorul Oficial as of June 2026, placing Romania with Poland and Bulgaria among the three EU jurisdictions whose national MiCA enabling law is not in force.^[8] Adjacent national ordinances are already in force: OUG 10/2025 (AML/TFR alignment, Monitorul Oficial nr. 225 of 13 March 2025);^[10] OUG 71/2025 (DAC8 transposition);^[11] OUG 14/2026 (DORA implementing regulation).^[12] Industry commentary often conflates OUG 10/2025 with the MiCA implementing OUG: they are different instruments with different scope.

Regulatory History

Before 30 December 2024, Romanian law set up an authorisation regime for virtual-currency and digital-wallet providers under Article 30^1 of Law 129/2019, to be administered by a specialised commission within the Ministry of Finance jointly with the Autoritatea pentru Digitalizarea României (ADR). The implementing Government Decision was never issued, so providers in practice operated only on the strength of an ONPCSB notification, registering as obliged entities under the AML framework without any substantive prudential or conduct supervision. The Ministry of Finance’s joint authorisation procedure remained inactive throughout 2020–2024. OUG 10/2025 then repealed Article 30^1 and replaced the terminology of “virtual-currency provider” with “crypto-asset service provider”, routing AML supervision of CASPs to ASF (or BNR for bank and EMI providers) and extending Travel-Rule and unhosted-wallet obligations under Regulation (EU) 2023/1113.^[10]

As of June 2026, the Înalta Curte de Casație și Justiție has not issued a landmark ruling establishing virtual assets as property; in Decision no. 34/2021 the Court declined to rule on the legal characterisation of cryptocurrencies, and Romanian doctrine has so far treated crypto-asset claims through general civil-law analogies rather than statutory definition. Romania participates in MONEYVAL, the FATF-style regional body for Europe, and has been a member since the body’s establishment; its most recent mutual evaluation report was published on 18 July 2023, with overall compliance assessments in the moderate-to-substantial range.

Recent Regulatory Developments

• 2 April 2026. Draft MiCA OUG reviewed in first reading by Government. The implementing ordinance designating ASF as competent authority and establishing procedural rules for Romanian CASP authorisation was discussed at the Government meeting of 2 April 2026 in first reading (“primă lectură”).^[4]
• 17 April 2026. ESMA statement on the end of MiCA transitional periods. ESMA confirms that any entity providing crypto-asset services to EU clients without a MiCA authorisation after 1 July 2026 is in breach of EU law and must execute an orderly wind-down.^[14]
• March 2026. OUG 14/2026 transposes DORA into Romanian law. Names ASF and BNR as competent authorities for crypto-asset providers; introduces administrative sanctions up to RON 23 million or 10% of annual turnover.^[12]
• 24 December 2025. OUG 89/2025 reforms microenterprise tax. Single 1% rate from 1 January 2026, turnover ceiling reduced from €250,000 to €100,000.^[16]
• 4 December 2025. ESMA supervisory communication on MiCA transitional measures. Warns NCAs that “last-minute” filings near the cut-off should be treated “with considerable caution”.^[13]
• October 2025. OUG 71/2025 implements DAC8 reporting. Crypto-asset service providers must register with ANAF and report 2026 transactions by 15 March 2027.^[11]
• 26 May 2025. Law 86/2025 amends Law 129/2019 (AML). Tightens AML obligations and beneficial-ownership reporting, ahead of the EU AMLR.^[10]
• 13 March 2025. OUG 10/2025 aligns Romanian AML with the EU Travel Rule. Repeals Article 30^1 of Law 129/2019; reassigns AML supervision of CASPs to ASF (and BNR for bank/EMI providers).^[10]

Regulatory Overlap

Three regimes intersect with the Romanian MiCA CASP framework. DORA (Regulation (EU) 2022/2554) is directly applicable from 17 January 2025 and imposes ICT risk management, incident reporting, resilience testing, and third-party ICT risk obligations on all CASPs;^[2] OUG 14/2026 sets the Romanian supervisory wrapper. The EU Transfer of Funds Regulation (Regulation (EU) 2023/1113) is directly applicable from 30 December 2024 and imposes Travel Rule obligations on every CASP-originated crypto-asset transfer regardless of value; ONPCSB has issued a national implementing guideline.^[9] The EU AMLR (Regulation (EU) 2024/1624) applies from 10 July 2027 and will replace much of the current AML directive-based architecture with a single rulebook; the EU Anti-Money Laundering Authority (AMLA) becomes fully operational from 1 January 2028.

Tokenised Securities and RWA

MiCA Article 2(4) excludes crypto-assets that qualify as financial instruments, so a Romanian MiCA CASP authorisation does not cover tokenised securities or real-world-asset tokens that are securities. A tokenised security, a tokenised share, bond or fund unit, is regulated under MiFID II, the Prospectus Regulation and the EU DLT Pilot Regime (Regulation (EU) 2022/858), supervised in Romania by the Autoritatea de Supraveghere Financiară (ASF) under the securities regime rather than under MiCA. ESMA’s Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments set that boundary.^[7] Where a tokenised fund unit is the target, the structuring route runs through fund licensing rather than a CASP application, paired with crypto custody permissions only where the operating model needs them.

Regulatory Transition: ONPCSB-Notification Regime to MiCA CASP Authorisation

Romania has notified the maximum 18-month transitional period under MiCA Article 143(3), with a hard cut-off of 1 July 2026.^[13] Providers that operated under the pre-30 December 2024 ONPCSB-notification regime may continue operations during the transitional window but cannot use the MiCA passport, and must hold a full MiCA CASP authorisation to continue serving EU clients beyond the cut-off date.

The Old Regime: ONPCSB Notification Under Law 129/2019

The pre-30 December 2024 framework is set out under Regulatory Framework above: providers operated on the strength of an ONPCSB notification only, until OUG 10/2025 repealed Article 30^1 of Law 129/2019 and reclassified them as crypto-asset service providers.^[10] ONPCSB retains its role as Romania’s FIU but no longer issues independent authorisations.

The New Regime: MiCA CASP Authorisation by ASF

From 30 December 2024, MiCA’s CASP authorisation regime applied directly. In Romania, the lead competent authority is the Autoritatea de Supraveghere Financiară (ASF) for CASP authorisation, ART issuer authorisation, and Crypto ATM supervision, with the Banca Națională a României supervising EMT issuance and bank-channel crypto services.^[6] ASF cannot grant a MiCA CASP authorisation until the national implementing ordinance and ASF’s secondary regulation are both in force.^[4] As of June 2026, zero Romanian CASPs appear on the ESMA Interim MiCA Register; 204 CASPs are authorised across the EU (register refreshed 4 June 2026), with Germany, the Netherlands, and France accounting for the largest shares.^[7]

Transitional Provisions and Grandfathering

Article 143(3) of MiCA permits member states to grant providers active before 30 December 2024 a transitional period of up to 18 months during which they may continue providing crypto-asset services under national law.^[1] Romania has notified ESMA of the maximum 18-month transitional period, ending 1 July 2026.^[13] The draft national OUG also foresaw a domestic “fast-track” procedure under Article 143(6) (file within 30 days of the OUG’s entry into force; complete authorisation by 30 November 2025), but the legislative delay has overtaken that design, and the binding deadline is now the EU-level 1 July 2026 cut-off.

What stays the same during transition: pre-existing providers continue to operate under the legacy ONPCSB-notification regime plus the amended Law 129/2019 (as updated by OUG 10/2025 for Travel Rule compliance). What changes: no MiCA passport, no use of the title “CASP” under MiCA Article 3(1)(15), full DORA obligations from 17 January 2025 regardless of MiCA status, full Travel Rule obligations from 30 December 2024.

Conversion Mechanism (Article 143(6))

The draft Romanian OUG sets up a simplified procedure under MiCA Article 143(6) for legacy providers seeking MiCA authorisation: a reduced application file recognising prior ONPCSB registration, ASF compatibility assessment, and decision within the standard Article 63 windows. ESMA’s October 2024 Q&A confirms that a simplified procedure is permitted but does not lower the substantive standard: applicants must still meet the full Article 62 dossier requirements on AML, governance, prudential resources, and ICT.^[7] In practice, “simplified” means procedurally streamlined recognition of corporate documents and beneficial-ownership information already held by ONPCSB; it does not reduce the substantive workload of building a MiCA-grade compliance programme.

Key Deadlines

Practical Implications

For three operator profiles, the implications diverge sharply. Grandfathered Romanian providers (active ONPCSB notification pre-30 December 2024) have a viable runway: align AML and Travel Rule procedures with OUG 10/2025, prepare the Article 62 file in advance, and submit immediately on OUG adoption. Greenfield operators with no Romanian footprint cannot enter Romania today: ASF cannot grant authorisation until the OUG is in force, and the simplified Article 143(6) procedure is reserved for pre-30 December 2024 entrants. Existing CASPs authorised in another EU member state can passport into Romania under MiCA Articles 65–66 without separate Romanian authorisation; the home NCA notifies ASF. In practice, the OUG delay means Romania cannot be the home jurisdiction of choice for new entrants targeting MiCA authorisation in H2 2026; that choice falls to Czech Republic, Lithuania, Malta, or Cyprus, with Romania positioned as a Q1–Q2 2027 option.

License Types and Activities Covered

A MiCA CASP authorisation covers any combination of the 10 crypto-asset services defined in Article 3(1)(16) of Regulation (EU) 2023/1114. Applicants select the services they intend to provide; ASF grants the authorisation for those specific services. Asset-Referenced Token (ART) issuance is a separate authorisation by ASF; E-Money Token (EMT) issuance is reserved to authorised credit institutions and Electronic Money Institutions (EMIs) supervised by BNR.

Covered Activities

The 10 MiCA-regulated crypto-asset services, each mapped to MiCA Article 3(1)(16) and its capital class:

• Custody and administration of crypto-assets on behalf of clients (Article 3(1)(17)). The CASP holds private keys or controls access to clients’ crypto-assets. Applies to crypto exchanges, custodians, and wallet providers offering safekeeping services. Minimum capital: €125,000 (Class 2).
• Operation of a trading platform for crypto-assets (Article 3(1)(18)). The CASP runs a multilateral system that brings together third-party buying and selling interests. Applies to centralised exchanges and order-book platforms. Minimum capital: €150,000 (Class 3).
• Exchange of crypto-assets for funds (Article 3(1)(19)). The CASP buys and sells crypto-assets against fiat using own capital. Applies to brokers, OTC desks, and exchange-for-fiat services. Minimum capital: €125,000 (Class 2).
• Exchange of crypto-assets for other crypto-assets (Article 3(1)(20)). The CASP buys and sells crypto-assets against other crypto-assets using own capital. Same Class 2 capital floor.
• Execution of orders for crypto-assets on behalf of clients (Article 3(1)(21)). The CASP transmits client orders to the market. Applies to brokers. Minimum capital: €50,000 (Class 1).
• Placing of crypto-assets (Article 3(1)(22)). The CASP markets newly issued crypto-assets to identified buyers. Applies to placement agents and underwriters. Minimum capital: €50,000 (Class 1).
• Reception and transmission of orders for crypto-assets on behalf of clients (Article 3(1)(23)). The CASP receives orders and transmits them to another CASP for execution. Applies to introducing brokers. Minimum capital: €50,000 (Class 1).
• Providing advice on crypto-assets (Article 3(1)(24)). The CASP gives personalised recommendations. Applies to advisers. Minimum capital: €50,000 (Class 1).
• Providing portfolio management of crypto-assets (Article 3(1)(25)). The CASP manages portfolios on a discretionary basis. Applies to crypto asset managers. Minimum capital: €50,000 (Class 1).
• Providing transfer services for crypto-assets on behalf of clients (Article 3(1)(26)). The CASP transfers crypto-assets between addresses or accounts on the client’s behalf. Applies to payment-style crypto transfer operators. Minimum capital: €50,000 (Class 1).

What Does Not Require Registration

• Fully decentralised services with no identifiable provider. MiCA’s exclusion under Recital 22 / Article 2(3) covers crypto-asset services rendered “in a fully decentralised manner without any intermediary”. The boundary is contested; ESMA’s position is that any human or legal entity exerting “sufficient control or influence” is in scope as a CASP.^[7]
• Provision of services to persons established or having their place of residence outside the Union, provided no marketing or other targeting of EU clients takes place (Article 2(4)).
• Crypto-asset transfers within a single corporate group between parent and subsidiary, where no external client is involved.
• Crypto-assets used solely as a means of payment for goods or services by the merchant directly accepting them, without further service provision.
• Mining and validation activities that do not involve client-facing service provision.
• Non-fungible crypto-assets that are genuinely unique and non-fungible (Article 2(3)), but the boundary is narrow; series of NFTs sharing characteristics may fall in scope.

ART and EMT Issuance: Separate Authorisations

Asset-Referenced Token (ART) issuance is a separate authorisation under MiCA Title III, granted in Romania by ASF.^[1] An ART is a crypto-asset that aims to maintain stable value by referencing another value or right, or a combination thereof (other than a single official currency). Minimum capital: the greater of €350,000, 2% of average reserves, or one quarter of fixed overheads, with uplifts for tokens classified as “significant” under EBA Regulatory Technical Standards. E-Money Token (EMT) issuance under MiCA Title IV is reserved to authorised credit institutions and EMIs, supervised in Romania by BNR. A CASP authorisation alone does not permit ART or EMT issuance; an issuer is also subject to MiCA white-paper publication and ongoing reserve, redemption, and disclosure obligations.

DAO, DeFi and NFT Treatment

ESMA’s Q&A series and the European Commission’s interpretative communications have steadily narrowed the boundaries of MiCA’s “fully decentralised” carve-out. As of June 2026, any DeFi protocol with identifiable governance, treasury control, or token-issuance control faces a credible argument that the protocol operator is in CASP scope.^[7] A DAO structured as a Romanian foundation or association does not avoid the analysis: ESMA’s position is that ultimate beneficial ownership and substantive control remain the test, regardless of the legal form. NFTs that are genuinely unique (a single 1/1 artwork) fall outside scope under Article 2(3); NFT collections sharing characteristics may fall in scope as crypto-assets, with the issuer subject to white-paper publication. In practice, the common mistake is assuming the DAO or NFT structure protects against CASP authorisation requirements when the underlying activity is identifiable as a crypto-asset service.

Romania-Specific Crypto ATM Regime

The draft Romanian OUG introduces a dedicated regime for Crypto ATM operators with substance beyond the MiCA baseline.^[3] Specific provisions: prior ICI București approval for ATM hardware; prior ADR technical certification of the operator’s IT systems; location restrictions prohibiting deployment in unsupervised public premises; real-time data-access mechanisms enabling ASF to inspect transaction flows. As of June 2026, the precise ICI București and ADR dual-approval procedure remains to be fixed by ASF’s secondary regulation, which cannot be issued until the national OUG is published in Monitorul Oficial. Crypto ATM operators are CASPs for MiCA purposes (typically Class 2, providing exchange of crypto-assets for funds), and so face the standard MiCA capital, governance, AML, and DORA obligations on top of the Romania-specific operational rules.

Requirements

A Romanian MiCA CASP applicant must satisfy MiCA Article 59 substance requirements, demonstrate fit-and-proper governance, meet the Annex IV capital floor (the higher of the class-specific minimum or 25% of preceding-year fixed overheads), and operate a documented AML, Travel Rule, and DORA-aligned ICT framework. Romania-specific additions include prior ADR technical certification and adherence to the proposed 0.5% monthly ASF supervisory levy.

Requirements Table

Fit-and-Proper Assessment

MiCA Article 68 requires all members of the management body, and shareholders or members with qualifying holdings (10%+ direct or indirect), to be “of sufficiently good repute” and to possess “appropriate knowledge, skills and experience”. ASF will assess each individual against four dimensions: integrity (no relevant criminal convictions, no relevant administrative sanctions, no past licence revocations), competence (demonstrable crypto/fintech experience appropriate to the role), independence (no conflicts of interest that cannot be managed), and time commitment (sufficient time devoted to the role, with attention to non-executive directorships held elsewhere). The common mistake is treating fit-and-proper as a documentary exercise: ASF, following the ESMA peer review of July 2025, will look for substantive governance, not nominee names appended for completeness.^[18]

Local Presence and Substance

MiCA Article 59 sets the substance bar: registered office in an EU/EEA member state where part of the services are rendered, place of effective management in the EU, and at least one EU-resident director. Romania-specific expectations build on this: a Romanian-registered SRL or SA; a Romanian-resident MLRO; documented decision-making in Romania (board meetings, committee minutes, evidenced approval flows); operational staff (the ICT, AML, and compliance functions) substantively present in Romania even where some development can sit elsewhere in the EU. In practice, ESMA’s July 2025 peer review of an MFSA CASP authorisation is now the working benchmark: mailbox companies, nominee directors, and “compliance-as-a-service” structures without identifiable Romanian presence will not clear the substance test.^[18] Experienced applicants overstaff Romania for the first 12 months and consolidate later, not the reverse.

AML/CFT and Travel Rule

Romania’s AML framework is Law 129/2019, as amended most recently by Law 86/2025 (in force 26 May 2025) and OUG 10/2025 (13 March 2025).^[10] CASPs are obliged entities under Article 5 and must operate: an enterprise-wide ML/TF risk assessment, customer-level risk assessment and ongoing review, full Customer Due Diligence (CDD) with enhanced measures on transfers to or from unhosted wallets and on non-EU correspondent CASPs, transaction monitoring, Suspicious Transaction Report (STR) filings to ONPCSB, €10,000-equivalent cash-threshold reporting, and 5-year record retention. The EU Transfer of Funds Regulation (Regulation (EU) 2023/1113) is directly applicable from 30 December 2024: every CASP-originated transfer carries payer and payee information regardless of value, and ONPCSB has issued a national implementing guideline.^[9] Administrative sanctions on legal persons under Law 129/2019 reach RON 5 million (~€1 million) or 10% of annual turnover.

Application Process

ASF’s CASP authorisation procedure follows MiCA Article 63: a 25-working-day completeness check followed by a 40-working-day substantive assessment after a complete file is received, with clock-stops permitted on information requests.^[1] Realistic end-to-end timeline once the national OUG is in force is 6–9 months from preparation to grant, with parallel ADR technical certification.

Application language: Romanian is the default. Supporting documents (audited financials, group policies, vendor agreements) may be submitted in English with certified Romanian translation where ASF requests it. The cover application form, Romanian-law legal opinions, and Romanian-law contracts must be in Romanian.

Pre-application engagement: ASF is expected to offer informal pre-application meetings under the OUG, similar to other ESMA-coordinated NCAs. Engagement is non-binding and free of charge, but the substantive feedback materially reduces the risk of a structurally incomplete first submission.

Jagelski & Partners’ specialist compliance partners draft Romania-specific AML/CFT policies, the enterprise-wide ML/TF risk assessment, the Travel Rule procedure under OUG 10/2025 and Regulation (EU) 2023/1113, and the DORA framework aligned with OUG 14/2026 as part of the MiCA CASP licensing engagement. The compliance documentation is the most time-intensive component of any Romanian MiCA CASP application: 8 to 12 weeks of specialist work that cannot be shortcut with templates from other jurisdictions. Talk to us about the engagement structure →

Required Documents

ASF’s Article 62 dossier comprises five document categories: corporate, personal, compliance, business plan, and technology. The compliance documentation is the most heavily scrutinised, and the area where competitor templates most commonly fail Romanian-specificity tests. ASF expects bespoke policies that reference Romanian legislation by name, not generic frameworks lifted from other EU jurisdictions.

Corporate Documents

• Certificate of incorporation and CUI (unique tax registration code) from ONRC
• Articles of association and any shareholder agreements
• Constitutive act (Romanian-language)
• ANAF tax certificate confirming no overdue obligations
• Beneficial-ownership declaration (filed with ONRC under the AML framework)
• Resolution of the share-capital deposit at the Romanian bank
• Office lease or proof of use for the Romanian registered office
• Certificate of no unreversed criminal record for the legal person (cazier judiciar)

Personal Documents (All Directors, Key Function Holders, Qualifying Shareholders)

• Identity document (passport for non-Romanian residents)
• Curriculum vitae detailing crypto/fintech experience
• Certificate of no unreversed criminal record (cazier judiciar) from Romania and from each country of residence over the past 10 years
• Professional references (two minimum)
• Financial-standing declaration covering personal and entity-level solvency
• Conflicts-of-interest declaration listing all current directorships and qualifying holdings
• For shareholders ≥10%: source-of-funds and source-of-wealth evidence
• For non-EU directors: independent fit-and-proper certification from the home jurisdiction’s regulator if applicable

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Romanian MiCA CASP application. Jagelski & Partners’ specialist compliance partners draft each of these documents as part of the licensing engagement: bespoke and Romania-specific, referencing Law 129/2019 (as amended by Law 86/2025 and OUG 10/2025), Regulation (EU) 2023/1113, and ASF guidance directly. Each document must reflect the applicant’s specific business model, risk profile, and operational structure.

Business Plan and Financial Projections

The Article 62 business plan covers a minimum three-year horizon and must include: a description of the planned activities and service mix (mapped to MiCA Article 3 service categories), the target market and client segmentation, the pricing model and revenue projections, the cost structure, the headcount plan, the technology spend, and the prudential resources projection. ASF will use the projection to assess whether the 25% fixed-overhead test bites in years 2 and 3 (it frequently does as the business scales) and whether the proposed own-funds level remains adequate. Sensitivity analysis on adverse scenarios (50% revenue shortfall, regulatory penalty, security incident, market downturn) is expected, not optional.

Technology and Operational Documentation

The technology documentation operates at the intersection of MiCA, DORA, and the Romanian ADR certification. Required elements: IT systems architecture diagram; cybersecurity policy aligned with DORA Articles 5–14; wallet and key-management procedures (HSM specifications, cold-storage governance, transaction-signing workflow); business continuity and disaster recovery plans with documented testing; third-party ICT risk register; penetration-testing programme. The documentation must reference DORA’s specific RTS on ICT risk management and the ESMA Supervisory Briefing on CASP authorisations.^[2][7] ADR certification is the Romanian-specific layer on top of this DORA-aligned package, focused on technical interoperability and data-availability for regulator inspection.

Costs and Pricing

Total Year 1 cost for a Romanian MiCA CASP runs €100,000–€220,000 depending on service category (Class 1 services at the lower end, Class 3 trading-platform operations at the upper end), excluding the minimum capital itself. The ongoing annual cost runs €60,000–€120,000 including the proposed 0.5% monthly ASF supervisory levy on authorised-activity revenue, professional indemnity coverage, and recurring compliance maintenance.

Government / ASF Fees

Total Cost Summary

The compliance documentation row commands the second-largest share of Year 1 spend after legal advisory because Romanian-specific AML, Travel Rule, and DORA-aligned ICT programmes cannot be templated from other EU jurisdictions: ASF will compare the file against the named Romanian legislation, and generic EU language is the most common ground for RFI extensions. The 0.5% monthly ASF supervisory levy is unusual among EU MiCA jurisdictions in being revenue-linked rather than fixed; it should be modelled as a 6% effective annualised cost on authorised-activity revenue, payable independent of profitability. Treat the levy as a fixed cost item from day one.

Timeline

Realistic end-to-end timeline for a Romanian MiCA CASP authorisation is 6–9 months from preparation start to grant, contingent on the national OUG being in force when the application is filed. The MiCA Article 63 statutory periods (25 working days completeness + 40 working days substantive) frequently extend through clock-stops; experienced applicants budget for 6–9 months end-to-end, not the 13-week MiCA minimum.

The realistic timeline assumes the national OUG is in force at the start of Stage 1 and ASF’s implementing regulation is published. As of June 2026, neither is the case, and the timeline floor for any new applicant is the time-to-OUG-adoption plus the 6–9 months above. ESMA’s December 2025 supervisory communication explicitly warns NCAs that “last-minute” filings near the 1 July 2026 EU transitional cut-off should be treated “with considerable caution”,^[13] meaning operators relying on the Article 143(3) transitional regime cannot expect ASF to fast-track a file that lands in May or June 2026. Build banking, capital, and substance in advance of OUG adoption, not after.

Taxation

Romania is a competitive-tax jurisdiction: 16% corporate income tax on profits, 1% microenterprise tax on turnover up to €100,000 (first-year option for most CASPs), 19% standard VAT with crypto-fiat exchange exempt under CJEU Hedqvist (C-264/14), and 16% withholding tax on dividends and interest to non-residents from 1 January 2026 (with EU directive and double-tax-treaty relief).

Microenterprise Regime: the Year-One Advantage and What Replaces It

OUG 89/2025 (Monitorul Oficial nr. 1203 of 24 December 2025) tightened the microenterprise regime from 1 January 2026: a single 1% rate on turnover up to €100,000, with the prior 3% bracket and the 80% consulting/management exclusion eliminated.^[16] For most CASPs, year one is the only year in which the regime is realistically available: once revenue scales above €100,000 (which happens quickly for an authorised CASP), the standard 16% corporate income tax applies. The 16% rate is still among the lower standard headline rates across EU MiCA jurisdictions, and unlike Malta’s 35% headline rate with a refund mechanism, the Romanian 16% is the rate paid.

DAC8 / CARF Reporting

OUG 71/2025 transposes Directive (EU) 2023/2226 (DAC8) into Romanian law and implements the OECD’s Crypto-Asset Reporting Framework (CARF).^[11] From 1 January 2026, every CASP operating in Romania must: (a) register with ANAF as a reporting crypto-asset service provider; (b) collect customer tax-residency self-certifications under CARF due-diligence rules; (c) maintain detailed records of reportable crypto-asset transactions (exchanges, transfers, retail-payment transactions, NFT transactions where in scope); (d) file the annual CARF return with ANAF by 15 March 2027 for 2026 transactions. ANAF then exchanges the data with EU tax authorities under DAC8 and with CARF jurisdictions outside the EU under the OECD Multilateral Competent Authority Agreement. Sanctions for non-compliance reach RON 100,000 per breach. Most operators underestimate the operational lift: DAC8/CARF reporting requires data infrastructure that goes beyond MiCA’s prudential disclosures.

Pillar Two (Global Minimum Tax)

Romania has transposed the EU Pillar Two Directive (Council Directive (EU) 2022/2523) into national law and applies a 15% effective minimum tax to multinational groups with consolidated revenue exceeding €750 million.^[15] For standalone Romanian-domiciled CASPs, the threshold is well above the realistic operating scale; Pillar Two exposure typically arises only where the Romanian CASP sits inside a multinational financial-services group above the threshold. Where applicable, the CASP’s Romanian income is included in the group’s Pillar Two computation under the Income Inclusion Rule (IIR) or, where Romania is the ultimate-parent jurisdiction, the Domestic Minimum Top-Up Tax (DMTT). Standalone operators below the threshold can disregard Pillar Two for planning purposes.

ANAF Crypto Enforcement

ANAF has prosecuted crypto-tax under-reporting since 2022. Romania Insider (June 2022), citing ANAF via Economica.net, reported that out of audits totalling €131 million of crypto income across 63 individuals, €48.67 million was either unreported or under-reported, generating supplementary taxes of €2.1 million on the under-reporters.^[17] DAC8/CARF reporting from 2026 will substantially extend ANAF’s enforcement reach: the data sharing under DAC8 closes the cross-border information asymmetry that previously protected unreported activity. For Romanian-licensed CASPs, the compliance burden is operational, not strategic: the CASP files for its customers; the customers’ own under-reporting is then a personal-tax matter ANAF can pursue.

Ongoing Compliance & Post-Registration

A Romanian MiCA CASP authorisation is indefinite: there is no fixed renewal period under MiCA. Ongoing compliance instead operates through annual reporting to ASF, the 0.5% monthly supervisory levy, periodic ASF inspections, DORA-mandated incident reporting, and quarterly DAC8/CARF data exchange with ANAF.

Annual Reporting Obligations

Romanian CASPs file annually with ASF: audited financial statements (Romanian audit standards), the compliance officer’s annual report, the MLRO’s annual AML report, the DORA incident summary, the prudential resources confirmation against the Annex IV class minimum and the 25% fixed-overhead test, and any updates to the Article 62 file (governance changes, qualifying-holding changes, service-mix amendments, outsourcing changes). The MiCA Article 70 client-asset confirmation is filed annually together with the auditor’s segregation report. Filing deadlines align with the Romanian financial-year cycle (calendar year for most entities) with the audit completed within 150 days of year-end and ASF filings within 30 days of audit completion. DAC8/CARF returns are filed separately with ANAF by 15 March of the following year.

Supervision Fees and Recurring Costs

The proposed Romanian framework replaces fixed renewal fees with a 0.5% monthly supervisory levy on authorised-activity revenue, payable to ASF by the 15th of the following month under the draft OUG. Non-payment triggers authorisation revocation. Other recurring costs: office and registered-address (€8,000–€15,000 per year for a Bucharest office adequate for a small CASP), accounting and Romanian tax advisory (€10,000–€20,000), annual audit (€10,000–€25,000), MLRO and compliance officer (€40,000–€70,000 fully loaded), ICT and DORA-related infrastructure maintenance (€10,000–€20,000). Total recurring outside the supervisory levy runs €60,000–€120,000 per year for a moderate-scale operation.

Regulatory Inspections

ASF conducts both scheduled and unscheduled inspections of authorised CASPs. Scheduled inspections typically occur every 18–24 months for moderate-risk entities; high-risk entities (custody-intensive, trading platform, exposure to ART/EMT issuers) face annual or more frequent inspections. Inspection themes follow ESMA’s annual supervisory priorities: for 2026, expected focus areas include DORA implementation maturity, AML and Travel Rule programme effectiveness, fit-and-proper of senior management, and client-asset segregation. Inspections involve on-site walkthrough of operations, documentation review, interviews with key function holders, and post-inspection findings letters. Remediation timeframes vary from 30 to 180 days depending on finding severity. Unscheduled inspections frequently follow incident reports (DORA major incidents, STR pattern changes, client complaints to ANPC) and are typically narrower in scope.

Enforcement and Sanctions

Sanctions for breach of the MiCA framework reach €5 million or 10% of annual turnover for legal persons under MiCA Article 111; breaches of Law 129/2019 (AML) carry penalties up to RON 5 million (~€1 million) or 10% of annual turnover. OUG 14/2026 sets DORA-specific sanctions of up to RON 23 million or 10% of annual turnover.^[12] ASF’s escalation ladder runs: informal supervisory letter, formal sanction, temporary restriction of activities, authorisation revocation. ESMA’s July 2025 peer review highlighted that NCAs must be willing to revoke or refuse authorisations for substantive failure; ASF is expected to apply this standard from its first cohort onwards.^[18] Operating without authorisation post-1 July 2026 constitutes a criminal offence under Romanian law in addition to the administrative breach.

ICT Risk Management & Operational Resilience

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”) has been directly applicable to Romanian CASPs since 17 January 2025.^[2] OUG 14/2026 sets the Romanian supervisory wrapper, designating ASF and BNR as competent authorities for crypto-asset providers with the Directoratul Național de Securitate Cibernetică (DNSC) coordinating national cybersecurity.^[12] Penalties under OUG 14/2026 reach RON 23 million or 10% of annual turnover.

Required DORA Elements

ICT Risk Management Framework (Articles 5–14). Documented governance arrangements with board accountability; identification and classification of ICT-supported business functions; ICT risk-tolerance statements linked to the Risk Appetite Statement; continuous monitoring; protection and prevention controls (access management, encryption, network segmentation, vulnerability management); detection capabilities (security monitoring, threat intelligence); response and recovery plans tested annually. ASF expects a board-approved ICT strategy and a chief ICT officer or equivalent role with direct board reporting.

ICT-Related Incident Management and Reporting (Articles 17–23). Documented incident-classification taxonomy; internal escalation rules; reporting of major incidents to ASF within statutory timeframes (initial notification within 4 hours of classification as major; intermediate report within 72 hours; final report within 1 month); incident root-cause analysis; lessons-learned procedures. Major incidents are also notifiable to clients where they may affect client crypto-assets.

Digital Operational Resilience Testing (Articles 24–27). Annual basic testing programme (vulnerability assessments, penetration testing, network security assessments, scenario-based testing); Threat-Led Penetration Testing (TLPT) every three years for significant entities (CASPs above the size and complexity threshold to be set by ESMA). DORA RTS on TLPT follow the TIBER-EU framework. Test results are reported to ASF and inform the risk-management framework.

Third-Party ICT Risk Management (Articles 28–44). Register of Information listing every ICT third-party arrangement with contractual safeguards meeting DORA Article 30 (exit strategies, data-handling obligations, sub-outsourcing restrictions, on-site audit rights, termination triggers, performance metrics). Annual reporting of the Register of Information to ASF. ESMA designates critical ICT third-party providers (CTPPs) that fall under direct EU-level oversight; CASPs must accommodate this in contractual arrangements with their CTPPs.

Wallet Management and Custody-Specific ICT Procedures. For Class 2/3 CASPs (custody and trading platform), the ICT framework documents hot/warm/cold wallet segregation thresholds, HSM specifications (FIPS 140-2 Level 3 or equivalent baseline), key-generation and key-rotation procedures, multi-signature schemes, transaction-signing workflow with separation of duties, insurance arrangements covering custodial-key compromise. ASF expects custody architecture to be demonstrably tested, not theoretical.

Information Sharing. DORA Article 45 permits CASPs to participate in voluntary cyber-threat-intelligence sharing arrangements. ESMA encourages participation; ASF expectations are likely to align.

Banking

Banking access for Romanian MiCA CASPs is functional but narrow. Domestic Romanian tier-1 commercial banks remain risk-averse to crypto-native operations; the Banca Națională a României has issued repeated public warnings on crypto risks, and operating-account onboarding for crypto-native firms remains rare even for transitional CASPs. EU-licensed e-money institutions specialised in crypto are the default rail for IBAN and SEPA Instant; pan-European banks with regulated digital-asset arms serve client-fiat safeguarding under MiCA Article 70.

Banking Landscape (Archetype-Level, No Named Institutions)

Domestic Romanian tier-1 commercial banks (retail and SME profile). Risk-averse to crypto-native operations. The Banca Națională a României has issued repeated public warnings on crypto-related risks since 2018,^[20] and most major Romanian commercial banks decline to onboard crypto-native firms or route applications to specialised compliance subsidiaries with extended onboarding cycles. For non-crypto operating expenses (payroll, office, vendors), domestic banks remain viable; for client crypto-asset flows, they typically are not.

EU-licensed e-money institutions specialising in crypto (multi-jurisdiction fintech profile). The default rail for Romanian CASPs in transition and post-authorisation. Provide IBAN issuance, SEPA Instant access, client-money safeguarding, and crypto-on/off-ramp connectivity. Onboarding cycles run 6–12 weeks and require a full MiCA Article 62 dossier or evidence of grandfathered Article 143(3) status. Pricing is materially higher than tier-1 bank pricing but the access is reliable for compliant operators.

Pan-European banks with regulated digital-asset arms (DE / FR / NL incorporated, institutional client profile). Used for MiCA Article 70-compliant client-fiat safeguarding, the next-business-day placement requirement for client funds with an EU credit institution or central bank. Also used for institutional treasury services, larger-ticket FX, and counterparty banking on the institutional side. Onboarding cycles run 8–16 weeks with substantial diligence on AML and ICT/DORA readiness.

Specialist treasury and settlement rails (EU and UK incorporated, professional client profile). Used by larger CASPs for OTC settlement, stablecoin redemption, inter-CASP correspondent activity, and institutional FX. Not a general operating-account substitute but essential infrastructure for any CASP running material flows.

The real constraint for Romanian CASPs is not the licence itself: it is sequencing banking applications early enough that an authorised entity has working rails on day one. Experienced applicants begin banking applications 60–90 days before the expected ASF authorisation grant, presenting the ASF substantive-assessment confirmation as evidence of progress.

Jagelski & Partners’ banking partner network includes 90+ institutions across EU EMIs, pan-European banks with digital-asset arms, and specialist treasury providers. A licence without banking access is a certificate on the wall: learn about our Banking service →.

FATF Status & International Standing

Romania is a member of the Financial Action Task Force-style regional body MONEYVAL, the Council of Europe’s Committee of Experts on the Evaluation of Anti-Money Laundering Measures, and is not on the FATF black or grey lists.^[22] The most recent MONEYVAL mutual evaluation report (2023) found Romania in the moderate-to-substantial range for technical compliance with the FATF 40 Recommendations, with effectiveness ratings calibrated accordingly.

Romania is also not on the EU AML high-risk third-country list (Regulation (EU) 2024/1624 implementing acts): operators receive standard EU treatment in correspondent banking and counterparty due diligence.

MiCA Passporting and EU Market Access

A Romanian MiCA CASP authorisation grants full freedom-of-services and freedom-of-establishment passporting rights across the 30 EEA states under MiCA Articles 65–66.^[1] Pre-passporting notification follows the standard EU mechanism: the home NCA (ASF) notifies the host NCA(s) and ESMA in advance; the host NCA cannot prevent passporting beyond Article 65–66 procedural rights; the authorisation is registered on ESMA’s Interim MiCA Register and (from 2026) the full ESMA MiCA Register. There is no separate Romanian licence applicable to cross-border CASP activities: once authorised in Romania, EU-wide service is operationally a matter of notification, not re-authorisation. Grandfathered firms operating under Article 143(3) transitional measures do not have passporting rights.^[7] As of the most recent ESMA Interim MiCA Register snapshot (refreshed 4 June 2026), 204 CASPs are authorised across the EU, with Germany, the Netherlands, and France accounting for the largest shares;^[7] zero are authorised in Romania.

Advantages and Limitations

Romania offers a structurally attractive cost-talent-EU combination, among the EU’s lower corporate tax rates, the largest CEE IT talent pool, full MiCA passporting, and a moderate substance bar, but the binding 2026 constraint is the unfinished national MiCA implementing legislation. The cost advantages are real; the timing risk is binding for any operator who must hold authorisation in H2 2026.

• ✓ EU MiCA passporting across 30 EEA states. Full freedom of services and establishment under Articles 65–66, post-authorisation.
• ✓ 16% corporate tax, among the EU’s lower headline rates. Microenterprise option (1% up to €100,000 turnover) available in year one for most operators.
• ✓ CEE’s largest engineering bench. 250,000+ certified IT specialists, EU-rate-affordable for ICT and DORA roles; English-proficient.
• ✓ Moderate substance bar. Romanian-resident MLRO and EU-resident management satisfy Article 59; no inflated headcount requirements.
• ✓ No FATF grey-listing, no EU AML high-risk listing. Standard treatment in correspondent banking and counterparty due diligence.
• × National MiCA implementing legislation not yet in force. ASF cannot grant authorisations until the OUG is published in Monitorul Oficial and ASF issues its secondary regulation. Mitigation: Operators with pre-30 December 2024 ONPCSB notification can rely on the Article 143(3) transitional regime through 1 July 2026; greenfield operators targeting authorisation before Q3 2026 should consider Czech Republic, Lithuania, Malta, or Cyprus.
• × Zero authorised CASPs as of June 2026. No published Romanian precedent; first applicants bear the calibration cost of ASF’s interpretation. Mitigation: Use pre-application engagement extensively; reference ESMA’s CASP authorisation supervisory briefing and analogous decisions from Estonia, Malta, and Czech Republic to anchor file structure.
• × 0.5% monthly ASF supervisory levy on authorised-activity revenue. Effective ~6% annualised supervisory cost on top-line revenue, payable regardless of profitability. Mitigation: Model the levy as a fixed operating cost from day one; pricing strategy must absorb it without compressing margin to unviable levels.
• × Banking-friction for crypto-native operations. Domestic Romanian tier-1 banks decline most crypto-native onboarding; EU-licensed EMIs are the default rail at materially higher pricing. Mitigation: Sequence banking applications 60–90 days before the expected ASF authorisation grant; plan dual rails (operating + client-fiat safeguarding) from day one.

How Romania Compares

Romania belongs to the EU MiCA Cost-Leaders peer group. Three direct comparators frame the choice: Czech Republic (already authorising; 21% corporate tax; ~5-month timeline), Slovakia (regional cost peer; 21%/10% corporate tax; first transitional cohort), and Latvia (Baltic cost peer; 0% retained-earnings tax). Malta provides the cross-tier reference as the EU MiCA upgrade path for institutional optics, at substantially higher headline cost.

Compare every crypto jurisdiction side by side →

Czech Republic is the closest direct alternative: equivalent cost band, equivalent capital regime, equivalent passport scope, but already issuing authorisations. The 5-percentage-point tax differential (Romania 16% vs Czech 21%) is a recurring operational saving; the timing differential is a one-time strategic decision. For founders with no Romanian footprint and pressure to be authorised in H2 2026, Czech Republic out-executes Romania today.

Latvia’s headline 0% retained-earnings tax is structurally attractive for high-growth operators that intend to retain rather than distribute profits, but the Latvian framework distributes 20% only when profits are paid out, so the effective rate matches Romania’s 16% (or exceeds it) once distributions begin. Slovakia tracks Romania closely on most dimensions; the choice between them is typically about existing footprint, not framework. Malta is the institutional choice: Maltese authorisation carries different brand weight in client conversations than any Cost-Leader jurisdiction, at a materially higher cost.

When Romania Is the Right Choice

Choose Romania if:

• The 16% corporate tax is a material factor in your unit economics, not a nice-to-have
• You can credibly target a Q1 2027 authorisation date (which gives Romanian OUG adoption + 6–9 months a realistic runway)
• You already have or intend to build Romanian engineering operations (DORA staffing economics tip in your favour)
• You qualify for the Article 143(3) transitional regime through pre-30 December 2024 Romanian activity

Consider alternatives if:

• You must hold authorisation in H2 2026: pick Czech Republic for fastest current EU entry, or Cyprus / Malta for greater certainty of process
• Your client base or distribution channels are concentrated in a different EU member state: passport from where your operations live
• Institutional brand-weight in client conversations is critical: Malta carries different optics than any Cost-Leader jurisdiction
• 0% retained-earnings taxation is structurally important: consider Latvia or Estonia

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes in Romania Applications

Romanian MiCA CASP applications fail or stall for the same reasons MiCA applications fail anywhere: substance gaps, AML weakness, ICT under-resourcing, governance shortcuts. Romania adds two jurisdiction-specific failure modes: treating OUG 10/2025 as the MiCA implementing ordinance (it is not, it is the AML/TFR alignment), and underestimating the time to OUG adoption when budgeting authorisation timelines.

• Treating OUG 10/2025 as the MiCA implementing ordinance. OUG 10/2025 (Monitorul Oficial nr. 225 of 13 March 2025) aligns Romanian AML and Travel Rule provisions with the EU framework. It does not designate ASF as competent authority for MiCA CASP authorisation, nor does it empower ASF to grant such authorisations. The MiCA implementing OUG is a separate instrument, drafted by the Ministry of Public Finance in May 2025 and reviewed in first reading by Government on 2 April 2026, but not yet in Monitorul Oficial.^[4] Filing a “MiCA application” with ASF before the implementing OUG is in force is wasted effort.
• Underestimating the time to OUG adoption when budgeting authorisation timelines. The 6–9 month authorisation timeline runs only from the date the OUG is in force and ASF’s secondary regulation is published. As of June 2026, neither is the case. Treat the realistic earliest grant date as: (OUG adoption date) + 30–60 days for ASF Regulation + 6–9 months for the authorisation cycle. Operators planning around a Q4 2026 grant should budget for Q2 2027 instead.
• Generic AML and Travel Rule templates lifted from other EU jurisdictions. ASF will compare the file against Law 129/2019 (as amended by Law 86/2025 and OUG 10/2025) by name. Generic EU AML language is the most common reason for RFI extensions during substantive assessment. The common mistake is submitting an “EU MiCA AML manual”: the regulator wants a Romanian AML manual that complies with MiCA, not the other way round.
• Nominee directors and mailbox substance. ESMA’s July 2025 peer review of an MFSA CASP authorisation is now the working benchmark across all NCAs.^[18] Nominee directors with no operational role, “compliance-as-a-service” arrangements without identifiable Romanian presence, and headcount thresholds met only on paper will not clear ASF’s substance test. Experienced applicants overstaff Romania for the first 12 months and consolidate later.
• Under-resourcing the ICT and DORA programme. The draft Romanian OUG conditions authorisation on prior ADR technical certification, which substantively overlaps with DORA Articles 5–14 (ICT risk management). Applicants who treat ICT as an afterthought, incident reporting outsourced, third-party ICT risk register absent, penetration testing untested, will fail the ASF substantive assessment on the ICT pillar regardless of how strong the rest of the file is.
• Filing close to the 1 July 2026 transitional cut-off without grandfathered status. ESMA’s December 2025 supervisory communication explicitly warns NCAs that “last-minute” filings near the cut-off should be treated “with considerable caution”.^[13] Operators relying on the Article 143(3) transitional regime to keep operating while ASF processes a late file should expect ASF to apply this warning literally: the regulator is not under EU-level pressure to accelerate.

Frequently Asked Questions

References