Business Plan for a CASP License under MiCA

The European MiCA Regulation (Regulation (EU) 2023/1114) introduces mandatory licensing for crypto-asset service providers (CASPs). In other words, if a crypto startup plans to provide cryptocurrency-related services professionally within the EU, it must obtain authorization from the competent regulator.

According to Article 62(1) of MiCA, a company must submit an application for authorization to the competent authority of its home country (in Slovakia – the National Bank of Slovakia, NBS). Importantly, the CASP license application must include a detailed business plan (also referred to as a “programme of operations”) covering at least the next three years.

Below, we explain what the regulator expects from this business plan: its structure, mandatory sections, and practical aspects based on Slovak regulatory experience.

Regulatory Requirements for a MiCA Business Plan

Article 62(2) of MiCA lists the information that must be included in a CASP license application. One of the key elements is the business plan describing the planned crypto-asset services. MiCA requires the business plan to be comprehensive and cover a minimum of three years.

In particular, the applicant is expected to provide:

• Description of services and business model. A clear list of the types of crypto-asset services the company plans to offer (crypto-asset exchange, custody and administration, portfolio management, advisory, etc.) and how it will generate revenue from them. The plan must explain how and where these services will be provided and marketed (target markets, distribution channels, cross-border operations, if any). It must demonstrate the viability of the business model and the applicant’s understanding of the market.
• Target audience and markets. A description of the categories of clients the company will serve (retail investors, corporate clients, institutional investors) and the geographic scope (e.g., operations limited to Slovakia or serving the wider EU market). The regulator wants to see that the applicant understands its target segment and demand for its services.
• Organisational structure and governance. The legal form of the company, ownership structure, and internal organisation chart showing key roles and departments. The plan should explain the corporate governance system: who is on the management board, who is responsible for compliance and risk, and what internal policies will be in place. MiCA requires sound governance, so the plan must show that the company’s management is fit and proper and that internal controls will function effectively.
• Risk management and compliance. The plan must describe how the company will ensure compliance with regulatory requirements, especially anti-money laundering and counter-terrorist financing (AML/CFT) policies, client asset segregation procedures (keeping client crypto-assets separate from the company’s own funds), and conflict-of-interest management.
It should also include business continuity and cybersecurity measures: how IT systems will be resilient, how data will be backed up, and what the contingency plan is in case of incidents (these requirements are aligned with the DORA regulation on operational resilience). Having well-developed controls shows the regulator that the company is ready to operate reliably.
• Financial plan and resources. Financial projections for at least three years must be provided. The business plan must include projected profit and loss, balance sheet, capital adequacy calculation, and funding sources. The regulator will check that the applicant has sufficient prudential resources – own funds of at least the minimum required (depending on services, €50,000–€150,000) or equivalent insurance coverage. This section should show that the company is financially sound, has realistic income/expense expectations, and can meet prudential requirements.

Regulator’s Expectations: Experience from Slovakia (NBS)

Slovakia has implemented MiCA requirements nationally through Act No. 248/2024 Coll. on Crypto-assets, designating the NBS as the supervisory authority for MiCA compliance and CASP licensing.

The NBS thoroughly assesses submitted business plans, checking not only their formal compliance but also their realism and clarity. Even before MiCA, Slovak authorities required a “detailed and realistic” business plan – now the bar is even higher.

Practice shows the NBS pays close attention to the following:

• AML/CTF compliance. NBS is known for its strict approach to anti-money laundering. The business plan and accompanying policies must clearly describe KYC onboarding, transaction monitoring, Travel Rule implementation, appointment of an AML officer, and related measures. NBS publishes guidelines on AML expectations, and the lack of convincing AML details can lead to additional questions or even rejection.
• Corporate governance and key staff. The regulator carefully reviews the composition of management and ownership. Applicants should be ready to provide CVs of managers, criminal record certificates, and proof of relevant experience in finance or IT. NBS expects clearly designated qualified persons for key roles — directors, compliance officer, risk manager – and a transparent reporting structure. Missing key positions raises red flags, while a clear division of responsibilities and conflict-of-interest policies demonstrates readiness for sound governance.
• Technical and operational resilience. Given modern risks, NBS wants to see the project’s IT architecture: cybersecurity systems, disaster recovery plans, backups, and protection against cyberattacks. The plan should describe how client funds and data will be protected (e.g. cold storage wallets, multi-factor authentication, cyber insurance). Showing proactive preparedness for incidents and business continuity is viewed positively.
• Financial transparency. NBS checks if financial projections are realistic. Overly optimistic figures without justification or ignoring compliance costs raise doubts. The plan should show the sources of starting capital, profitability roadmap, and liquidity buffers to cover operational costs. NBS also looks at how client assets will be safeguarded: whether separate accounts will be used, if there is an agreement with a third-party custodian, and how these assets will be insured.
• Form and language of submission. All documents must be submitted in Slovak. If the business plan and annexes are in another language, an official Slovak translation is required. In rare cases, NBS may allow technical documentation in English, but this is an exception. Foreign applicants should plan time and resources for translation and localisation.

Importantly, NBS encourages early engagement via “pre-licensing dialogue” meetings even before the formal application. Practice shows this is a good idea: it helps applicants understand expectations, get advice on structure, and avoid common mistakes.

As experts note, the full documentation package must prove that the applicant has a viable business model, sound governance, risk controls, technological resilience, and financial resources to operate successfully. A well-prepared and clear business plan significantly smooths the licensing process.

Conclusion

A business plan for a CASP license is not just a formality – it is one of the most important documents in the application.

It must give the regulator a full picture of your project: from the business model to compliance and financials. Meeting the structure and requirements of MiCA (Article 62(1) of Regulation 2023/1114), referencing national rules (like Slovak Act No. 248/2024 Coll.), and addressing NBS expectations will greatly increase your chances of success.

A concise, clear, and legally sound business plan is the key to getting your CASP license and launching your crypto startup confidently on the EU market.