Meet Dr. Marcus Hartmann
Dr. Marcus Hartmann has spent over two decades at the intersection of financial law and emerging technology. Based in Zug, Switzerland's Crypto Valley, he has guided exchanges, custodians, and institutional investors through the full spectrum of VASP and CASP licensing, including the migration of legacy national registrations into the MiCA framework.
He has steered clients through CASP authorisation and VASP-to-CASP transition in multiple EU home states, and advises non-EU firms on whether to passport into the single market or license elsewhere, drawing on work across more than 60 jurisdictions.
A VASP (Virtual Asset Service Provider) is a FATF-defined firm, usually registered for anti-money-laundering purposes under national law, with no cross-border rights. A CASP (Crypto-Asset Service Provider) is authorised under the EU MiCA Regulation: a fuller licence covering capital and governance that carries an EU-wide passport.
- VASP is a FATF term (Recommendation 15, updated 2019) used for national AML registration regimes; CASP is the MiCA term for a fully authorised EU crypto firm
- The core practical differences are scope, capital, and passporting: a CASP must hold prudential capital and can passport across the EU, a national VASP cannot
- MiCA's CASP rules became applicable on 30 December 2024 and replace the old patchwork of national VASP registrations
- Existing VASPs had an optional grandfathering window of up to 18 months, with an absolute outer limit of 1 July 2026 under Article 143(3)
- After 1 July 2026 a legacy VASP registration alone no longer permits serving EU clients; a CASP authorisation is required
VASP vs CASP, In Brief
The terms VASP and CASP are often used as if they were interchangeable, and in casual conversation they describe the same kind of business: an exchange, a custodian, a broker, or a wallet provider. Legally, though, they belong to two different worlds. VASP is the language of the Financial Action Task Force, the global anti-money-laundering standard setter. CASP is the language of the European Union's Markets in Crypto-Assets Regulation. Knowing which one applies to you is now a fundamental licensing decision, not a matter of vocabulary.
The simplest way to hold the distinction is this: a VASP regime asks whether your firm is clean, while the CASP regime asks whether your firm is sound. A national VASP registration centres on AML and counter-terrorist-financing controls plus fit-and-proper management. A MiCA CASP authorisation layers prudential capital, governance, custody segregation, and conduct rules on top of that AML baseline. If you are new to either term, our explainer on what a VASP is and our overview of MiCA explained set out each framework on its own.
For firms operating in or selling into the European Union, the relationship between the two is now defined by a handover. The CASP regime has largely absorbed the old national VASP registrations, and the rest of this guide walks through exactly how the two compare and how to move from one to the other before the window closes.
Sources: FATF Recommendation 15 guidance; EU Regulation 2023/1114 (MiCA), Article 143(3) and Annex IV.
What a VASP Is
VASP stands for Virtual Asset Service Provider. The term originates in FATF Recommendation 15, updated in 2019 to extend anti-money-laundering and counter-terrorist-financing obligations to the crypto sector. FATF defines a VASP as any natural or legal person that, as a business on behalf of another, conducts one or more of five activities: exchanging virtual assets for fiat, exchanging one virtual asset for another, transferring virtual assets, safekeeping or administering virtual assets, and participating in the issuance or sale of virtual assets.
Crucially, VASP is a global standard, not a single law. FATF Recommendations are soft law; they only bite once a country transposes them into national legislation. Member states did so in their own ways, producing a patchwork of national registers. In the European Union before MiCA, that meant regimes such as Estonia's and Lithuania's crypto registers, Germany's BaFin crypto-custody licence, and France's PSAN registration, each centred on AML compliance and fit-and-proper management rather than prudential strength.
Two features defined the old VASP model. First, it was largely an AML registration rather than a full financial licence. Second, it was purely national: a VASP registration in one country conferred no right to operate in another. A firm wanting clients across several EU states had to register separately in each, with no single-market shortcut. That fragmentation is precisely what MiCA was designed to end.
What a CASP Is
CASP stands for Crypto-Asset Service Provider, the central category of the EU Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114, known as MiCA. A CASP is a firm authorised by a national competent authority to provide one or more of the crypto-asset services MiCA defines, including custody and administration, operating a trading platform, exchanging crypto for funds or other crypto, executing orders, placing crypto-assets, receiving and transmitting orders, advice, portfolio management, and transfer services.
A CASP authorisation is a far heavier instrument than a VASP registration. Under MiCA Article 67 and Annex IV, a CASP must hold minimum capital scaled to its activities, plus governance arrangements, custody and asset-segregation rules, complaints handling, conflict-of-interest management, and market-abuse controls. The AML obligations that defined the VASP regime remain, but they are now just one layer in a comprehensive prudential and conduct framework comparable to a traditional investment-firm licence.
The decisive upgrade is reach. A CASP authorised in one EU home member state can passport its services into all the others. That single authorisation, not a stack of national registrations, becomes the key to the entire European market. For the wider licensing picture, see our hub on crypto licences in Europe and the dedicated VASP and CASP licence overview.
Capital at a glance: MiCA Annex IV sets three classes. Class 1 (advice and portfolio management) requires EUR 50,000; Class 2 (adding custody and exchange) requires EUR 125,000; Class 3 (adding operation of a trading platform) requires EUR 150,000. A CASP must always hold the higher of its class minimum or one quarter of the previous year's fixed overheads.
VASP vs CASP Head-to-Head
The clearest way to see the gap is field by field. The table below sets the legacy national VASP registration against the MiCA CASP authorisation on the five dimensions that matter most for a licensing decision: scope, regulator, capital, passporting, and timeline. The pattern is consistent, the CASP regime is broader, heavier, and more valuable, which is exactly why the transition is worth the effort.
| Dimension | VASP (legacy / FATF) | CASP (MiCA) |
|---|---|---|
| Scope | AML registration; five FATF activities | Full authorisation across MiCA crypto-asset services |
| Legal basis | FATF Recommendation 15, via national law | Regulation (EU) 2023/1114 (MiCA) |
| Regulator | National AML / financial authority | National competent authority, ESMA-coordinated |
| Minimum capital | Usually none specific to the registration | EUR 50,000 / 125,000 / 150,000 by class |
| Passporting | None; purely national | EU-wide passport from one home state |
| Timeline / status | Being phased out; valid only to 1 July 2026 | Operative since 30 December 2024 |
Capital figures from MiCA Annex IV. National VASP regimes varied; capital was generally not a feature of the registration itself.
"Founders ask which is better, VASP or CASP, but inside the EU that is no longer a choice. The CASP authorisation is the only durable licence; the VASP registration is a fading legacy. The real question is timing, whether you can land your CASP authorisation before your member state's grandfathering window shuts."
Dr. Marcus Hartmann, Senior Licensing Advisor
CASP Passporting and Why It Matters
Passporting is the single biggest reason the CASP regime is worth more than any national VASP registration. Once authorised in one EU home member state, a CASP can extend its services into the other member states through a notification procedure, without applying for a fresh licence in each. One authorisation unlocks a market of more than 400 million people, replacing what used to require a separate registration in every target country.
A legacy VASP registration offers nothing comparable. It is a domestic permission with no cross-border effect, which is why pre-MiCA crypto firms typically held registrations in several states at once. The shift from many national registrations to one passportable authorisation is the structural heart of MiCA, and it changes how firms choose where to incorporate. Our EU regulation overview tracks how the home-state choice plays out in practice.
Two caveats matter. First, only a full MiCA authorisation passports; a firm merely relying on grandfathering during the transition cannot exercise passport rights until its CASP authorisation is granted. Second, passporting is a notification, not a free pass: host-state authorities and consumer-protection rules still apply, and home-state supervisors remain accountable for the firm's conduct across the bloc.
Deciding between a legacy registration and a full CASP authorisation? Get a free 30-minute consultation. We will assess your transition timeline and recommend the right EU home state for passporting.
Get Free Consultation →The VASP-to-CASP Transition Deadline
MiCA's CASP rules became applicable on 30 December 2024. To avoid forcing every existing crypto firm to stop overnight, MiCA Article 143(3) created a transitional regime: entities lawfully providing crypto-asset services under national law before that date could continue under grandfathering for up to 18 months, with an absolute outer limit of 1 July 2026, or until their CASP application is granted or refused, whichever comes first.
The trap is that the grandfathering window was optional for each member state. Some used the full period, others cut it short. Reported examples include the Netherlands ending its transition in mid-2025 and Germany at the end of 2025, while Spain ran the full term to 1 July 2026. Because of this divergence, the application deadline that actually mattered for many firms fell well before July 2026, often during 2025. Founders who assumed a single EU-wide deadline were frequently caught out.
The 1 July 2026 date is the hard ceiling. After it, according to ESMA, any entity offering crypto-asset services to EU clients without a MiCA authorisation, or with only a pending application, is in breach of EU law and must cease serving those clients. A legacy national VASP, DASP, or PSAN registration no longer counts. The timeline below shows how the transition unfolded.
Member-state transition dates are illustrative examples drawn from reported practice and vary by jurisdiction. Confirm your home state's actual deadline.
In our EU licensing work we see the same costly assumption again and again: a founder reads "1 July 2026" and plans backwards from it, only to discover that their member state quietly closed its application window during 2025. The grandfathering clock was never a single EU-wide countdown; it was a separate timer in each country, and several ran short. By the time some firms came to us, their domestic route had already shut and the only options left were a rushed application elsewhere or temporary withdrawal from the market.
The firms that transitioned smoothly treated the CASP authorisation as a genuine upgrade rather than a paperwork refresh of an old VASP registration. They budgeted for the capital floor, built out governance and custody segregation early, and chose a home state for its passporting reach rather than its lighter touch. Getting that home-state decision right, before drafting a single application document, is consistently what separates a clean authorisation from a year of regulator queries.
How to Transition from VASP to CASP
Moving from a legacy VASP registration to a MiCA CASP authorisation is an upgrade application, not a renewal. You apply to your national competent authority with a programme of operations, a governance and AML framework, evidence of the minimum capital for your class, custody and asset-segregation arrangements, complaints handling, and conflict-of-interest controls. Existing VASPs often qualify for a simplified procedure, but they must lodge their application inside their member state's transitional window to keep operating.
Three decisions shape the project. First, the home state, which fixes your supervisor and your passporting base. Second, the service class, which fixes your capital floor at EUR 50,000, EUR 125,000, or EUR 150,000 under Annex IV. Third, the timing, because a refused or late application means losing the legal basis to serve EU clients after the deadline. Our AML and KYC compliance service builds the framework regulators expect, and our team coordinates the whole authorisation end to end.
If the EU route does not fit your model or your timeline, a regulated non-EU base remains a credible alternative, with EU access handled through a separately authorised entity later. We weigh that trade-off with every client before committing to a jurisdiction.
VASP vs CASP: Common Questions
Sources & Official References
- EUR-Lex: Regulation (EU) 2023/1114 (Markets in Crypto-Assets, MiCA)
- ESMA: Markets in Crypto-Assets Regulation (MiCA) overview
- FATF: Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (Recommendation 15)
- FATF: Virtual Assets topic page
- ESMA: Register of authorised crypto-asset service providers
- CSSF: Crypto-Asset Service Providers (CASP) authorisation