When the Markets in Crypto-Assets Regulation (MiCA) dropped on 30 December 2024, it wiped out a patchwork of conflicting national rules and introduced a single, EU-wide framework for everything from asset-referenced tokens to custodial wallets.
Fast forward to 4 July 2025, and Bulgaria’s Financial Supervision Commission (FSC) stamped its own Markets in Crypto-Assets Act (MICAL) into law—adapting MiCA to local needs, defining licence procedures, and setting out new penalties.
In this article, I’ll break down exactly how these EU standards landed in Bulgaria, what you must include in your licensing dossier, the critical dates you can’t afford to miss, and the practical steps you need to take to secure your CASP authorisation and unlock EU-wide passporting.
Master your licence dossier to avoid costly delays
Nailing the application dossier is your shortcut to authorization—and to sidestepping back-and-forth with regulators. Under Article 62 of MiCA, any legal entity “professionally providing one or more crypto-asset services” must be a Crypto-Asset Service Provider (CASP).
That covers exchanges, custodial wallets, brokers, ART (asset-referenced token) and EMT (e-money token) issuers, and crypto-fiat payment services. To get your FSC green light, you’ll need a robust dossier that mirrors MiCA’s own requirements.
What to include in your application dossier
Here’s the lowdown on the FSC’s must-haves:
| Component | Key Elements |
| Program of Activities | Service descriptions, business model, geographic reach |
| Governance & Internal Controls | Org chart, roles, outsourcing policies, fit-and-proper evidence |
| Risk Management & AML/KYC | Customer due diligence, transaction monitoring, SAR reporting, Travel Rule alignment |
| Technical & Operational Resilience | ICT-system architecture, cybersecurity, BCP/DR plans |
| Prudential Resources | Tiered capital (€50 000–€150 000) or quarterly overhead cover; custodial insurance |
| White Paper & Disclosure | Standardized rights, fees, governance, redemption, and risk-factor disclosures for ART/EMTs |
PRO TIP
Combine your AML/CFT policies and Travel-Rule workflows into one end-to-end process diagram—visuals can fast-track FSC reviewers through complex controls.
Get your timeline right or you’ll miss the window
If you blink, you’ll miss critical deadlines—and you don’t want to halt operations on 1 July 2026 because you missed the 18-month grandfathering cutoff. Mark these dates today:
| Date | Milestone |
| 30 Dec 2024 | MiCA becomes directly applicable EU-wide (EUR-Lex text) |
| 4 July 2025 | Bulgarian MICAL promulgated; FSC designated |
| 8 July 2025 | National MiCA-style licensing rules kick in |
| 1 July 2026 | Last day of grandfathering: pre-existing VASPs need a MiCA licence or must cease ops |
PRO TIP
Set automated reminders in your project management tool at the three-, one-, and zero-month marks before each date to trigger compliance tasks.
What crypto firms need to know
You’ve got the licence path mapped; now let’s talk strategy. MiCA isn’t just a check-the-box exercise—it’s a framework that gives you an EU passport and builds customer trust.
You can’t wing governance and fit-and-proper checks
I’ve seen applications stall over weak governance descriptions and half-baked fit-and-proper evidence. The FSC expects an org chart with clear roles for the governing body, compliance, and risk functions, plus detailed outsourcing policies. Every manager and key-function holder must pass integrity and expertise tests that mirror MiCA’s prudential ethos. Nail this part, and you’ll breeze past one of the stiffest gates.
Operational resilience isn’t optional—it’s a licence prerequisite
You need more than a nod to cybersecurity—you must prove redundant ICT systems, regular penetration tests, and documented business-continuity and disaster-recovery plans. Show me that if your main data center goes dark, clients won’t even notice. This section of your dossier is where you turn technical muscle into regulatory gold.
Capital & insurance: Don’t underestimate the ask
MiCA sets minimum paid-in capital between €50 000 and €150 000, depending on services, or you can opt to cover last year’s quarterly overheads. If you’re a custodian, cold-wallet insurance isn’t negotiable. Sketch out your funding plan early so you’re not scrambling for capital days before submission.
You’re just one licence away from EU-wide passporting
Once Bulgaria’s FSC stamps your CASP licence, you unlock automatic access to all 27 EU markets—no extra local licences required. That’s your growth rocket fuel, but you still need to notify each host regulator under MiCA’s passporting rules. Plan your roll-out sequence to match where your customers live.
Prepare for high stakes: Sanctions and ongoing standards
Bulgaria’s MICAL slaps fines up to €1 000 000 for procedural breaches, while MiCA allows penalties up to 5% of annual turnover or €5 million. And this is just the start—keep an eye on ESMA’s forthcoming Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to avoid future gaps.
PRO TIP
Assign a compliance lead to monitor the ESMA website for draft RTS/ITS and integrate those updates into your living GRC framework.
Streamline MiCA Compliance with CyberUpgrade
Meeting MiCA’s rigorous requirements—from whitepaper filings to ongoing governance and transparency—often means endless manual tracking and audit prep. CyberUpgrade automates your MiCA workflows with prebuilt templates and real-time Slack or Teams prompts, keeping policies, risk assessments, and evidence audit-ready in one central hub.
Beyond MiCA, CyberUpgrade also supports DORA, ISO 27001, and NIS 2 frameworks, letting you “map once, prove many” across multiple regulations. Automated data extraction, vulnerability scans, and KPI dashboards feed each regulator’s portal seamlessly, reducing manual work by up to 80 %.
With fractional CISO services guiding your continuous monitoring and customizable compliance workflows, you’ll secure faster approvals, avoid fines, and adapt as MiCA and related frameworks evolve—turning compliance from a hurdle into a strategic advantage.
Ready to turn compliance into your competitive edge?
I get that MiCA and Bulgaria’s MICAL can feel like a mountain of paperwork, but with a structured gap analysis, a bulletproof dossier, and proactive FSC engagement, you’ll lock in regulatory certainty and scale across Europe. If you’re curious how to tailor your white paper disclosures for Bulgarian investor protections—or how passporting can turbocharge your expansion—drop me a line below. Let’s turn these rules into your next growth story.
