MiCA CASP License in Spain

Spain’s Crypto Licensing Landscape

Spain is a large EU member state that authorises crypto-asset service providers under MiCA, with the CNMV as the designated competent authority for CASPs and the Banco de España supervising issuers of asset-referenced and e-money tokens. A Spanish authorisation carries full EEA passporting and access to one of the EU’s largest domestic crypto user bases. Authorisations have, however, been slow to materialise: by mid-2026 only a small number of CASPs held CNMV authorisation, and the regulator extended its transitional window rather than force a market exit.

Spain’s headline advantage is market size: it is among the EU’s largest crypto-adoption markets by user count, and a domestic CNMV authorisation signals local credibility to Spanish-speaking retail and institutional clients. The trade-off is process maturity. The CNMV granted its first authorisations only in 2025, beginning with BBVA as a credit institution providing crypto services and Bit2Me as the first Spanish-speaking fintech CASP.^[6]

Full MiCA Passporting

A Spanish CASP authorisation grants the right to provide crypto-asset services across all 30 EEA member states through a single notification to the CNMV under MiCA Article 65.^[1] No additional authorisation is required from host-country regulators. Both cross-border service provision and branch establishment are covered. The passport is reciprocal: a CASP authorised in any other EU member state can serve Spanish clients on the same basis, which is why many operators target the Spanish market without holding a Spanish authorisation.

Large Domestic Market

Spain combines a population of roughly 48 million with high crypto-adoption rates by EU standards, giving CASPs a substantial Spanish-speaking client base and a natural gateway to Latin American markets. For consumer-facing exchanges and brokers, a recognisable local authorisation and Spanish-language onboarding can be a commercial differentiator. This market depth is the principal reason operators authorise directly with the CNMV, and the reason it remains the prize when they instead authorise elsewhere and passport in.

Two-Regulator Architecture

Spain splits MiCA supervision between two authorities. The CNMV authorises and supervises CASPs under MiCA Title V, while the Banco de España supervises issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) under Titles III and IV.^[2] Most service-provider applicants deal only with the CNMV; the Banco de España becomes relevant where a business issues a stablecoin or token alongside its services. AML/CFT supervision is separate again, sitting with SEPBLAC, Spain’s financial intelligence unit.

Slow Authorisation Track Record

Spain’s defining feature in 2026 is how few authorisations have been granted. The CNMV began accepting applications when MiCA became fully applicable on 30 December 2024, but by the original accelerated cut-off only a handful of providers had been authorised.^[3] The regulator responded by extending its transitional period to the EU maximum rather than disrupting the market, signalling a deliberate, deliberative pace. Applicants should plan for a thorough review and a realistic multi-month timeline rather than the rapid turnaround seen in some smaller EU jurisdictions.

Regulatory Framework

Spain regulates crypto-asset service providers under the EU’s Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114,^[1] which applies directly as an EU Regulation without national transposition. The national framework that designates the competent authorities is Law 6/2023 of 17 March on Securities Markets and Investment Services (the new Ley del Mercado de Valores, LMV), in force since 2023.^[2] The CNMV is the competent authority for authorising and supervising CASPs, while the Banco de España supervises issuers of asset-referenced and e-money tokens. See the consolidated category page for the MiCA framework: requirements and timeline →

Multi-Authority Structure

Spain operates a split-supervision model. The CNMV handles CASP authorisation, prudential supervision, governance, and conduct-of-business oversight, and is empowered under Article 247 of the LMV to remove fraudulent crypto advertisements.^[2] The Banco de España supervises issuers of ARTs and EMTs under MiCA Titles III and IV. SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales), Spain’s financial intelligence unit, retains AML/CFT supervision under Law 10/2010, including KYC, transaction monitoring, and suspicious activity reporting.^[9]

Regulatory History

Spain’s pre-MiCA framework was AML-based, not a bespoke licensing regime. Royal Decree-Law 7/2021 amended Law 10/2010 to create a registry of virtual currency service providers, maintained by the Banco de España from 2021. Registration covered fiat-to-crypto exchange and custodian wallet providers and was an AML compliance measure rather than a prudential authorisation.^[9]

Law 6/2023 (the new LMV) provided the domestic anchor for MiCA, designating the CNMV and the Banco de España as competent authorities. In October 2023, the Spanish government announced it would bring forward full MiCA application domestically to December 2025, six months ahead of the EU backstop.^[5]

MiCA became fully applicable on 30 December 2024. From that date the Banco de España stopped accepting new entries to its virtual currency registry, which now serves an informational purpose only, and the CNMV began accepting formal CASP applications.^[3]

Authorisation Guidance

The CNMV has published a dedicated MiCA section and an applicant manual setting out the standardised authorisation form, the documentation required, and the supervisory expectations for CASPs.^[3] Unlike some EU regulators, the CNMV did not operate a separate crypto sandbox for MiCA applicants; the standard authorisation procedure under MiCA and Commission Delegated Regulation (EU) 2025/305 is the route. Spain does run a broader financial-sector sandbox under Law 7/2020, which has hosted blockchain pilots, but it is not a substitute for CASP authorisation.

Recent Regulatory Developments

Authorised CASP entity names below are sourced from CNMV announcements and supervised-entity records.^[6]

• December 2025: The CNMV reversed the accelerated 30 December 2025 cut-off and extended the transitional period to 1 July 2026, citing the small number of CASPs authorised by that date.^[3]
• July 2025: Bit2Me became the first Spanish-speaking fintech authorised as a CASP by the CNMV.^[6]
• Early 2025: BBVA, already a credit institution, obtained CNMV approval to provide crypto-asset services to retail clients.^[6]
• December 2024: MiCA fully applicable from 30 December. CNMV began accepting CASP applications; the Banco de España registry closed to new entries.
• October 2023: Spain announced it would bring forward domestic MiCA application by six months.

Regulatory Overlap

EMI/PSD2 overlap: CASPs that issue or handle e-money tokens (EMTs) trigger EMD2/PSD2 requirements. The EBA confirmed (June 2025) that custody and transfer of EMTs can constitute payment services. Dual authorisation (MiCA + PSD2) is required for EMT-related services after 2 March 2026.^[7] In Spain, EMT and ART issuance falls to the Banco de España.

MiFID II overlap: Crypto-assets that confer equity-like rights or are negotiable on capital markets are classified as transferable securities under MiFID II, not MiCA. ESMA’s technology-neutral guidelines (applicable 3 June 2025) establish a substance-over-form classification test.^[8]

AIFMD overlap: AIFMs providing discretionary portfolio management, investment advice, or reception and transmission of crypto orders to external clients require MiCA Article 60 notification. Core fund management activities remain under AIFMD without additional MiCA authorisation.

Tokenised securities and RWA

MiCA Article 2(4) excludes crypto-assets that qualify as financial instruments, so a tokenised security (a tokenised share, bond or fund unit) sits outside MiCA. In Spain such instruments are regulated under MiFID II, the Prospectus Regulation and the EU DLT Pilot Regime, Regulation (EU) 2022/858, and are supervised by the CNMV rather than under the MiCA CASP regime. ESMA’s Guidelines on the qualification of crypto-assets as financial instruments set the boundary between the two perimeters. The honest point for issuers tokenising real-world assets: a Spanish MiCA CASP authorisation does not cover tokenised securities, which follow the MiFID securities regime instead. Where the structure is a tokenised fund unit, see our fund licensing page for the underlying fund-vehicle route.

Regulatory Transition: Banco de España Registry to MiCA CASP Authorisation

Spain is moving from its legacy AML-based virtual currency registry (maintained by the Banco de España from 2021) to full MiCA CASP authorisation (granted by the CNMV). MiCA’s transitional regime under Article 143(3) lets firms that were already providing crypto-asset services under national law before 30 December 2024 continue without MiCA authorisation for a grandfathering window set by each member state. In Spain, that window runs to 1 July 2026.^[3]

Key Deadlines

Transition Status

As of mid-2026 only a small number of CASPs hold CNMV authorisation, led by BBVA (as a credit institution providing crypto services) and Bit2Me (the first Spanish-speaking fintech CASP).^[6] The thin authorisation pipeline is precisely what prompted the CNMV to extend the transition rather than force legacy registry firms out of the market. The practical reading is that the regulator is taking a careful, case-by-case approach and that a Spanish authorisation is a multi-month undertaking, not a formality.

Consequences for Unauthorised Operations

After the transition closes on 1 July 2026, providing crypto-asset services in Spain without CNMV authorisation (and without a valid passport from another member state) exposes operators to:

• Administrative penalties under MiCA Article 111: fines up to €5,000,000 or 12.5% of annual turnover (whichever is higher) for legal persons
• Penalties for natural persons (directors and officers) for serious infringements under MiCA’s sanctions regime
• Advertising enforcement: the CNMV can order the removal of fraudulent or non-compliant crypto advertisements under Article 247 of the LMV
• Public warnings: the CNMV publishes warnings naming entities operating without authorisation

Financial Institutions, Article 60 Notification

Already-authorised financial institutions (credit institutions, investment firms, EMIs) are not required to obtain a separate CASP licence. Under MiCA Article 60, these entities notify the CNMV of their intention to provide crypto-asset services, supplying a programme of operations and evidence of adequate governance. BBVA reached the Spanish market via this faster route as an existing credit institution. The Article 60 pathway is significantly quicker than a fresh CASP authorisation but is open only to entities that already hold a qualifying authorisation.

License Types and Activities Covered

MiCA defines 10 crypto-asset services grouped into 3 classes that determine capital requirements. Spain applies MiCA directly without additional national service categories. The classification determines the minimum own-funds requirement: €50,000 for Class 1, €125,000 for Class 2, and €150,000 for Class 3.

Covered Activities

What Does NOT Require CASP Authorisation

Services provided in a fully decentralised manner without any intermediary fall outside MiCA’s scope (Recital 22). Unique, non-fungible tokens (NFTs) are excluded unless issued in large series, collections, or fractionalised forms. Crypto-assets that qualify as financial instruments under MiFID II are regulated under existing securities law, not MiCA. Central bank digital currencies (CBDCs), deposits, insurance products, pension products, and securitisation positions are excluded.

DAO, DeFi, and Regulatory Perimeter

MiCA does not explicitly cover decentralised autonomous organisations (DAOs) or DeFi protocols. ESMA has stated that decentralisation exists on a spectrum rather than as a binary classification. Partially decentralised services: such as DEXs with upgrade keys, admin-controlled smart contracts, or governance tokens concentrated among a small group, remain within MiCA’s scope if an identifiable intermediary exists. The CNMV has not published jurisdiction-specific guidance on DAOs, DeFi, or decentralised exchanges beyond the EU-level framework.^[3] Applicants operating hybrid models should seek pre-application clarification from the CNMV before filing.

NFT Classification

NFTs that are unique and non-fungible are excluded from MiCA under Article 2(3). The exclusion ceases to apply when: NFTs are issued as part of a large series or collection (suggesting fungibility), NFTs are fractionalised into interchangeable units, or the NFT functions as a payment or investment instrument regardless of its label. The classification is substance-based: labelling a token as “NFT” does not determine its regulatory treatment.

Requirements

MiCA CASP authorisation in Spain requires a Spanish corporate entity (most commonly a Sociedad Limitada), minimum own-funds of €50,000–€150,000 depending on service class, a registered office in Spain, fit-and-proper management with effective direction from Spain, robust AML/CFT systems under SEPBLAC oversight, and a comprehensive compliance documentation suite. All qualifying shareholders (10%+ of capital or voting rights) undergo a fit-and-proper assessment with source-of-funds verification.

A practical consideration is language. The CNMV operates primarily in Spanish, and authorisation materials, ongoing correspondence, and supervisory interactions are most efficiently handled by Spanish-speaking compliance personnel. Applicants without Spanish-language capability should budget for a permanent local arrangement rather than a one-off translation. The CNMV publishes its authorisation manual and standardised forms in Spanish, and the extent to which it accepts English-language supporting materials is not set out in public English-language guidance, so applicants should assume Spanish-language drafting is the working default.^[3]

Fit-and-Proper Assessment

The CNMV evaluates directors, senior managers, qualifying shareholders, and key function holders against MiCA’s fit-and-proper criteria. Assessment dimensions include professional qualifications and experience, reputation and integrity (criminal background check, regulatory history), financial soundness (no insolvency or ongoing enforcement), and the collective knowledge of the management body. Demonstrating the legitimate origin of owners’ capital is a central element, and weak source-of-funds documentation is a common reason for delay across EU CASP applications generally.

Local Presence and Substance

Spain requires genuine local substance for authorised CASPs. A registered office and central administration in Spain are expected, and virtual-office-only arrangements do not satisfy the CNMV. In supervisory practice the CNMV expects the business to be effectively directed by at least two persons, a four-eyes convention carried over from CRD-style governance review rather than an express MiCA requirement, and it assesses whether the applicant’s organisational structure permits effective supervision from Spain. A letterbox entity with management outsourced to another jurisdiction is not acceptable. Substance expectations scale with the service profile: a Class 3 trading-platform operator faces materially higher governance and staffing expectations than a Class 1 advisory firm.

AML/CFT and Travel Rule

Spain’s AML framework is governed by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing, with SEPBLAC as the financial intelligence unit and AML supervisor.^[9] The EU’s Transfer of Funds Regulation Recast (Regulation (EU) 2023/1113) applies directly. Critically, there is no de minimis threshold for CASP-to-CASP transfers: full originator and beneficiary information must accompany every crypto transfer regardless of amount. The €1,000 threshold applies only to transfers involving self-hosted wallets: where a transfer exceeds €1,000 to or from an unhosted address, the CASP must verify that the customer owns or controls that address.^[10]

Sanctions screening must cover EU consolidated sanctions lists (mandatory) and UN sanctions lists (implemented via EU legislation). OFAC screening is not legally mandatory in Spain but is strongly recommended given extraterritorial reach and correspondent banking expectations. Suspicious transactions are reported to SEPBLAC, and obliged entities also file systematic monthly reports of certain transactions under Article 27 of Law 10/2010.

Application Process

Once a complete application is filed, MiCA Article 63 gives the CNMV 25 working days to confirm completeness and 40 working days to assess it substantively, with the clock paused while the regulator awaits requested information.^[1] In practice the CNMV poses questions during review, to which applicants respond within 10 working days.^[3] Including entity setup and documentation drafting, the realistic end-to-end timeline is 5–9 months.

The CNMV has published a MiCA applicant manual and a standardised authorisation form, and applicants benefit from clarifying business-model questions with the regulator before filing.^[3] Early clarity on classification (for example, whether a token is a financial instrument under MiFID II rather than a crypto-asset under MiCA) can save significant time during the substantive review.

Application language: the CNMV operates primarily in Spanish. The CNMV’s applicant manual and standardised forms are published in Spanish, and applicants without Spanish-language compliance capability should plan for local-language drafting and correspondence rather than relying on ad hoc translation.^[3]

Compliance documentation is the most time-intensive component of any CASP application, typically 8–12 weeks of specialist drafting covering AML/CFT policy manuals, enterprise-wide risk assessments, sanctions-screening frameworks, and Travel Rule implementation. Generic templates adapted from other jurisdictions are a common cause of delay and information-request cycles.

Required Documents

The CNMV’s CASP authorisation documentation requirements follow MiCA Article 62 and Commission Delegated Regulation (EU) 2025/305.^[11] The CNMV publishes a standardised authorisation form and an applicant manual covering governance, programme of operations, and prudential safeguards.^[3]

Corporate Documents

Certificate of incorporation from the Registro Mercantil. Articles of association (estatutos sociales). Shareholder register. Spanish tax identification number (NIF). Evidence of own-funds or qualifying insurance per MiCA Annex IV. Legal Entity Identifier (LEI). Proof of registered office address in Spain.

Personal Documents (All Directors, Officers, and Qualifying Shareholders)

Valid government-issued photo identification (passport or national ID). Curriculum vitae with detailed professional history. Criminal record certificates from each country of residence in the past 10 years. Declaration of good repute and absence of pending proceedings. Evidence of professional qualifications, skills, and experience relevant to the role. For qualifying shareholders (10%+): detailed source-of-funds and source-of-wealth documentation, among the most scrutinised elements in EU CASP applications.

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Spanish CASP application. Each document must be bespoke, reflecting the applicant’s specific business model, risk profile, and operational structure, and aligned to Spanish AML law and SEPBLAC expectations. Generic MiCA templates adapted from other jurisdictions are a common cause of information requests and delay.

Business Plan and Financial Projections

Programme of operations per MiCA Article 62(2)(d): description of all crypto-asset services to be provided, target markets, client profile, marketing strategy. Three-year financial projections including revenue model, cost base, capital adequacy forecasts, and break-even analysis. Description of the governance structure and internal control mechanisms.

Technology and Operational Documentation

IT architecture documentation. Cybersecurity policy and penetration test reports. Hot/cold wallet management and key management procedures (for custody service providers). Business continuity plan and disaster recovery procedures. Third-party ICT provider register (DORA requirement). Incident response plan for major ICT incidents.

Costs and Pricing

Spain’s MiCA CASP costs are structured across the three MiCA service tiers. The largest components are professional advisory, personnel (Spanish salary levels are higher than in the Baltics), compliance documentation, and the own-funds requirement that must be held as permanent capital. The figures below are indicative planning ranges, not CNMV quotes; the CNMV does not levy a high fixed application fee comparable to Malta’s.

Total Cost Summary

Note: the minimum own-funds capital (€50,000–€150,000) must be maintained as permanent equity and is not consumed during operations. The ongoing own-funds obligation is the higher of the permanent minimum or one quarter of the preceding year’s fixed overheads. CASPs may meet the requirement with own funds, a qualifying insurance policy, or a combination. The CNMV does not publish a fixed CASP application fee comparable to Malta’s, and no standalone CASP fee schedule appears in its public English-language materials; the government and supervision figures above are indicative planning ranges, not CNMV quotes.^[3]

Timeline

Spain’s statutory clock mirrors MiCA Article 63 (25 working days completeness, 40 working days substantive), but stop-the-clock periods for information requests are the main driver of real-world timelines. The slow authorisation pipeline through 2025–2026 means applicants should plan for the upper part of the range rather than the lower; well-prepared applications with clear classification and strong source-of-funds evidence move fastest.

Taxation

Spain is a standard-rate EU jurisdiction. The general corporate income tax rate is 25%, with a reduced 23% rate for micro-enterprises (turnover below €1 million) and a 15% rate for newly created companies in their first two profitable years.^[12] Crypto-asset exchange services are VAT-exempt across the EU under the CJEU Hedqvist ruling. For individuals, crypto capital gains are taxed as savings income on a progressive scale up to 28%.

Individual Savings-Income Bands

Crypto capital gains realised by Spanish-resident individuals are taxed in the savings base (base del ahorro) on a progressive scale: 19% up to €6,000; 21% from €6,000 to €50,000; 23% from €50,000 to €200,000; 27% from €200,000 to €300,000; and 28% above €300,000. Mining, staking, salary, and certain DeFi yield are instead treated as general income, which can be taxed at marginal rates up to roughly 47% depending on the autonomous community.^[13]

Modelo 721 and CASP Reporting

Residents holding crypto-assets on foreign platforms worth more than €50,000 at year-end must file the informational Modelo 721 between 1 January and 31 March; filing it does not itself trigger a payment.^[13] Spanish CASPs and certain intermediaries report customer balances and operations to the Spanish tax authority via Modelo 172 and Modelo 173. These reporting obligations are distinct from the EU-wide DAC8 framework described below.

DAC8 / CARF Reporting

Spain is implementing the DAC8 Directive (Council Directive (EU) 2023/2226), under which CASPs collect and report customer transaction data, with reporting that broadly aligns to the EU-wide schedule (data collection from 2026, first reporting in 2027 covering 2026).^[14] DAC8 transposes the OECD Crypto-Asset Reporting Framework (CARF) into EU law, harmonising crypto tax transparency across member states.^[15] Spain transposes DAC8 chiefly by amending Additional Provision 13 of Law 58/2003 (the General Tax Law, Ley General Tributaria), which already governs virtual-currency information obligations, together with a dedicated CASP reporting model; the DAC8 rules took effect from 1 January 2026, with the first reporting due by 30 September 2027 for the 2026 reporting year.^[14]

Pillar Two (Global Minimum Tax)

Spain has implemented the OECD Pillar Two global minimum tax, which applies a 15% effective minimum rate to multinational groups with consolidated revenue exceeding €750 million. This threshold is unlikely to affect a standalone Spain-domiciled CASP, but it is relevant where a CASP forms part of a large multinational group.

Ongoing Compliance & Post-Authorisation

MiCA CASP authorisation creates a permanent compliance obligation. The authorisation is indefinite (no renewal), but the CNMV conducts ongoing supervision through periodic reporting, inspections, and real-time ICT incident reporting. Indicative annual ongoing compliance costs run from roughly €75,000 for a minimal Class 1 operation to €220,000+ for a full-service Class 3 exchange.

Reporting Obligations

CASPs must submit periodic reporting to the CNMV under MiCA’s reporting framework, including financial information, prudential data, and activity reporting. The CNMV has published CASP reporting templates and communications setting out the templates and submission requirements.^[4] Audited financial statements are required, and CASPs separately meet AML reporting obligations to SEPBLAC and tax reporting obligations (Modelo 172/173 and, from 2027, DAC8).

Supervision Fees

MiCA authorisation is indefinite, so there is no annual renewal fee. CASPs are instead subject to CNMV supervisory fees set under Spain’s public-fee framework for securities-market supervision; the CNMV does not publish a standalone CASP supervisory-fee schedule in its English-language materials, so the ongoing figures in the cost table are indicative planning ranges rather than published tariffs.^[3]

Regulatory Inspections

The CNMV conducts both scheduled and unscheduled supervisory inspections, with thematic reviews focused on AML/CFT compliance, client asset segregation, cybersecurity, and governance. SEPBLAC conducts separate AML/CFT supervision under Law 10/2010, so a CASP can face oversight from either body independently.

Enforcement

The CNMV’s enforcement powers under MiCA include:

• Administrative fines up to €5,000,000 or 12.5% of annual turnover for CASPs (MiCA Article 111)
• Significant fines for natural persons (directors, officers) for serious infringements
• Public statements naming the entity and the nature of the breach
• Withdrawal of authorisation
• Temporary prohibition on management functions
• Suspension or limitation of services

Advertising and Promotion Rules

MiCA’s marketing communications regime (Articles 7, 29, 53, and 66) applies directly to Spanish CASPs.^[1] All marketing must be fair, clear, and not misleading, and materials must carry a disclaimer that the competent authority has not approved the marketing. Spain has a notably active crypto-advertising regime: under Article 247 of the LMV and CNMV Circular 1/2022 on crypto-asset advertising, the CNMV supervises mass crypto campaigns and influencer promotions and can order non-compliant advertisements removed.^[2] Google has required valid CASP authorisation for crypto advertising within the EU since April 2025.

ICT Risk Management & Operational Resilience

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to all CASPs authorised under MiCA.^[16] DORA has been applicable since 17 January 2025. The CNMV is the enforcement authority for DORA compliance among Spanish CASPs. Non-compliance carries significant penalties under the DORA enforcement regime.

Incident Reporting

Major ICT-related incidents must be reported to the CNMV within strict deadlines:

Digital Resilience Testing

All CASPs must conduct general resilience testing under DORA Articles 24–25, including vulnerability assessments and penetration testing. Threat-led penetration testing (TLPT) under Articles 26–27 applies only to entities identified by the CNMV as significant. TLPT frequency is at least every 3 years. Microenterprises are explicitly excluded from TLPT. Most smaller and mid-size CASPs will not be designated for TLPT but must still conduct general testing.

Third-Party ICT Risk

CASPs must maintain a register of all ICT third-party service providers, including cloud providers, blockchain infrastructure providers, and custody technology vendors. Contractual arrangements must include audit rights, termination provisions, and data localisation specifications.

Wallet and Key Management

CASPs providing custody services must implement segregated hot/cold wallet architectures, multi-signature authorisation for material transactions, key generation in secure environments, and documented key backup and recovery procedures.

Banking

Banking access for crypto-asset businesses connected to Spain is shaped by two factors: the general caution of European banks toward the sector, and the practical reality that a Spanish CASP must satisfy MiCA’s client-money safeguarding rules. Spain’s large domestic banks remain selective with crypto operators, though a CNMV authorisation improves credibility over the legacy registry status.

For client-fund safeguarding under MiCA Article 70, a CASP must hold a relationship with a credit institution: this is the harder of the two accounts to obtain. Spanish and EU credit institutions apply lengthy enhanced due diligence to crypto businesses, so applicants should budget 2–4 months for safeguarding-account setup and begin the process in parallel with the authorisation rather than after it. Operators already holding a banking or EMI relationship are at a clear advantage.

An operator authorising in another EU member state and serving Spanish clients by passport faces the same Article 70 safeguarding obligation, but can satisfy it through a credit-institution relationship in its home jurisdiction. Banking depth is therefore a legitimate jurisdiction-selection criterion: some EU member states have markedly deeper crypto-accommodating banking and EMI ecosystems than others.

Banking access is a binding constraint, not an afterthought: a crypto authorisation without functioning banking is of little practical use. The partner network places banking and EMI relationships for operators authorised in the EU jurisdictions it services, across institutions covering EU banks, EMIs, and crypto-native rails. Banking for licensed crypto operators →

FATF Status & International Standing

Spain does not appear on any FATF list. It is absent from both the FATF list of Jurisdictions under Increased Monitoring (the “grey list”) and the list of High-Risk Jurisdictions subject to a Call for Action (the “black list”), and has never been listed under either. As an EU member state, Spain is likewise outside the scope of the EU list of high-risk third countries, which by definition covers non-EU jurisdictions only.

Spain is a founding member of the FATF and is assessed by the FATF directly rather than by a FATF-style regional body. Its most recent full Mutual Evaluation, adopted in December 2014, rated Spain among the strongest-performing jurisdictions for AML/CFT effectiveness at the time and it subsequently completed the follow-up process.^[17] Spain’s AML framework is set by Law 10/2010, supervised by SEPBLAC, and updated in line with successive EU AML directives.

For a crypto operator, the practical reading is that Spain carries strong international standing: a CNMV authorisation is a reputable, EU-grade credential with no FATF or EU watchlist baggage. Spain is also within scope of the EU’s new AML package, including the Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) and the new EU Anti-Money Laundering Authority (AMLA), which will progressively harmonise AML supervision across member states.^[9]

This standing is one reason Spanish-market access is commercially attractive. The same standing is available from any reputable EU member state: an operator authorised elsewhere reaches Spanish clients on the same regulatory footing, without inheriting a jurisdiction-specific reputational discount.

MiCA Passporting and EU Market Access

MiCA passporting is the headline commercial value of any CASP authorisation. Under Article 65, a Spanish CASP notifies the CNMV of its intention to provide cross-border services or establish a branch in other EEA member states. The CNMV communicates the notification to host NCAs and ESMA. No separate authorisation, additional capital, or waiting period is required from host countries.^[1]

Both routes are covered: freedom to provide services (cross-border without establishment) and the right of establishment (opening a branch). Host NCAs cannot block either route except in extraordinary circumstances.

The MiCA passport extends across the full EEA. EEA jurisdictions Iceland, Liechtenstein and Norway sit inside the MiCA passport via EEA Joint Committee Decision No 41/2025 of 20 February 2025 (with supplementary RTS via JCD 138/2025 of 13 June 2025); three non-EU/non-EEA jurisdictions in geographical Europe sit outside the passport regime and require local authorisation for local clients: the United Kingdom, Switzerland, and Gibraltar.^[18]

Article 61 reverse solicitation is third-country-only and does not apply to an EU-authorised CASP marketing to other EU/EEA Member States: passporting via Article 65 is the operative pathway. The ESMA Guidelines on reverse solicitation (26 February 2025) are framed for non-EU operators serving EU clients on a strictly unsolicited basis, with any further same-type marketing confined to the context of the original transaction. See the dedicated reverse solicitation guide for the third-country compliance pattern.^[19]

The ESMA Interim MiCA Register has been operational since 30 December 2024, published as CSV files updated weekly.^[8] Full IT integration is expected mid-2026. Spanish CASPs are listed in the CNMV register and propagated to the ESMA register on authorisation.

Advantages and Limitations

Spain offers a credible MiCA route into one of the EU’s largest crypto markets, with strong international standing and full passporting. The limitations are real: a slow authorisation pipeline, a Spanish-language process, and standard Western-EU tax and cost levels.

• ✓ Full EU passporting to 30 EEA states. A single CNMV authorisation grants cross-border service provision and branch establishment rights across the entire European Economic Area.
• ✓ Large domestic market. Roughly 48 million people with high crypto adoption by EU standards, plus a natural Spanish-language bridge to Latin America.
• ✓ MiCA capital requirements applied directly, no national overlays. Spain follows MiCA minimums (€50,000–€150,000), met with own funds, qualifying insurance, or a combination.
• ✓ Strong international standing. FATF founding member, never grey- or black-listed, and a reputable, EU-grade authorisation credential.
• ✓ Clear two-regulator architecture. The CNMV handles CASPs and the Banco de España handles ART/EMT issuers, giving stablecoin and token projects a defined supervisory home.
• ✓ Indefinite authorisation with no renewal. MiCA CASP authorisation does not expire; ongoing costs are supervision fees, not renewal fees.
• × Slow authorisation pipeline. Only a handful of CASPs were authorised by mid-2026, and the CNMV extended its transition rather than force the market. Mitigation: prepare a complete, well-evidenced application and plan for the upper end of the timeline.
• × Spanish-language process. The CNMV operates primarily in Spanish. Mitigation: engage Spanish-speaking compliance counsel for drafting and correspondence.
• × Standard Western-EU cost and tax base. 25% headline corporate tax and higher salaries than the Baltics. Mitigation: micro-enterprise (23%) and new-company (15%) rates may apply.
• × Banking remains selective. Spanish banks are cautious with crypto, and client-fund safeguarding requires a credit-institution relationship (not EMI). Mitigation: begin banking setup in parallel with the application.
• ✓ End-to-end delivery in Spain. Jagelski & Partners, through its partner network, runs the full CNMV CASP route: entity, authorisation, banking, and ongoing compliance. Where speed-to-passport outweighs a Spanish presence, the comparison below maps the faster EU routes.

Spain vs. EU Routes

Because the same MiCA passport reaches Spanish clients from any EEA member state, the practical question is rarely “Spain or nothing”: it is whether a domestic Spanish presence is worth a longer, Spanish-language process, or whether a faster EU authorisation that passports into Spain serves the goal better. Jagelski & Partners delivers all of the jurisdictions below end-to-end, including the direct CNMV CASP authorisation in Spain; each offers MiCA passporting into Spain, and several authorise faster than the CNMV currently does.

Compare every crypto jurisdiction side by side →

The key point is: Spain’s main draw is domestic brand presence in a large market, not regulatory speed or cost. Where speed matters, a jurisdiction with an English-language process (Cyprus, Malta) or a deep fintech ecosystem (Lithuania) reaches exactly the same Spanish clients by passport.

Beyond the direct Spanish route, Jagelski & Partners provides end-to-end crypto licensing in Lithuania, Estonia, Latvia, the Czech Republic, Cyprus, and Malta: company formation, licence application, banking introductions, and post-licensing compliance, each with Article 65 passporting into Spain. A CASP authorised in any EEA member state serves Spanish retail and institutional clients on identical terms to a Spanish-authorised provider, supervised by its home regulator for prudential matters and by the CNMV for conduct in Spain. See the full Cyprus CASP licensing guide →

When Spain Is the Right Choice

Consider a direct Spanish authorisation if: a visible domestic CNMV authorisation is commercially important for a Spanish-facing retail brand; the business is already established in Spain with Spanish-speaking compliance staff; or the operation benefits from proximity to the Spanish and Latin American markets and is comfortable with a longer authorisation timeline. Otherwise, where speed (Lithuania and Cyprus run 4–8 month pipelines against the CNMV’s congested queue), English-language proceedings, or cost efficiency are the priority, a jurisdiction plus passporting reaches the same clients.

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes With the Spanish Regime

Most errors around Spain are strategic rather than procedural: they stem from misreading the transitional timeline or assuming a Spanish authorisation is the only way to reach Spanish clients. The most frequent missteps are below.

• Relying on the abandoned 30 December 2025 deadline. As the Transition section sets out, that early cut-off was reversed; the operative transitional deadline is 1 July 2026. Planning around the withdrawn date leads to either premature wind-downs or false comfort.
• Assuming a Spanish authorisation is required to serve Spanish clients. Under MiCA Article 65 a CASP authorised in any EEA member state passports into Spain on identical terms to a Spanish-authorised provider.
• Treating the legacy registry as a licence. The Banco de España virtual currency registry is an AML measure that is now informational only and does not convert to MiCA status. Registry entries buy time during the transition; they are not authorisations.
• Underestimating the Spanish-language process. The CNMV operates primarily in Spanish. Applicants without Spanish-language compliance capability face slower drafting and correspondence and a higher risk of information-request cycles.
• Inadequate source-of-funds evidence for beneficial owners. As across the EU, qualifying shareholders (10%+) must evidence the legitimate origin of capital in depth. Tax returns, bank statements, and a multi-year record are the starting point, not a single certificate.
• Ignoring the advertising regime. Spain actively supervises crypto advertising under Article 247 of the LMV and CNMV Circular 1/2022, including influencer campaigns. Marketing into Spain must comply regardless of where the CASP is authorised.

Frequently Asked Questions

References