MiCA—the Markets in Crypto-Assets Regulation—has set a new standard for crypto-asset oversight across the EU, and Spain has been quick to integrate it into national law. In this deep dive, I’ll explain how MiCA’s phased rollout meshes with Spain’s legal framework, outline the requirements for a Crypto-Asset Service Provider (CASP) licence, and offer clear steps to secure your authorisation dossier. By the end, you’ll know exactly how to engage with regulators, align your governance and technical safeguards, and leverage EU passporting to scale across Europe.
Understanding MiCA and Spain’s national framework
Spain implemented MiCA (EU 2023/1114) through Law 6/2023 (Article 251.h), assigning supervision of crypto-asset service providers (CASPs) to the Comisión Nacional del Mercado de Valores (CNMV) and prudential oversight of e-money tokens (EMTs) and asset-referenced tokens (ARTs) to the Bank of Spain.
This dual-authority model balances market conduct and financial stability under familiar regulators, ensuring both investor protection and token issuer oversight.
PRO TIP
Structure your compliance team around two tracks—one aligned with CNMV’s conduct requirements and another with the Bank of Spain’s prudential rules—to streamline communication and documentation.
MiCA’s phased rollout in Spain
MiCA’s application in Spain is split into two key phases. On June 30, 2024, issuers of ARTs and EMTs had to comply with governance and disclosure rules EU-wide.
On December 30, 2024, the full authorisation, supervision, and conduct regime for CASPs took effect. Both regulators have published detailed handbooks and FAQs to guide applicants.
| Date | Scope | Authority |
| June 30, 2024 | ART/EMT issuance and governance rules | Bank of Spain |
| December 30, 2024 | Full CASP authorisation, supervision, conduct | CNMV |
PRO TIP
Review the CNMV’s authorisation handbook before June 2024 to identify any gaps in your token governance models.
Licensing requirements for crypto-asset service providers
Under MiCA Article 62, any firm offering trading, custody, portfolio management, transfer, advisory, or issuance services for crypto-assets must hold a CNMV licence.
Your application dossier must demonstrate robust governance, solid anti-money laundering/counter-financing of terrorism (AML/CFT) controls, and sufficient capital.
| Component | Highlights |
| Program of activities | Business model, service types, geographic reach, EU passporting plans |
| Governance and fit & proper | Organisational chart; roles for board, compliance, risk; conflict-of-interest policies; integrity attestations |
| Risk management & AML/CFT | Know-your-customer/customer-due-diligence (KYC/CDD) procedures, transaction monitoring, suspicious-activity reporting, Travel Rule compliance |
| Technical resilience | ICT architecture, cybersecurity measures, penetration tests, business-continuity plans |
| Prudential resources | Own funds (€50 000–€150 000 tiered by service), client-asset segregation, cold-wallet insurance |
| White paper & disclosure | Standardised token disclosures: rights, governance, fees, redemption, risk factors (for ART/EMT issuers) |
| Supporting documentation | Incorporation papers, audited financials, professional-liability insurance |
PRO TIP
Build your governance manuals in modular sections so you can quickly update roles and policies when ESMA publishes new guidelines.
Transitional regime and key deadlines
Spain opted for a shortened 12-month grandfathering for existing virtual asset service providers (VASPs). After December 30, 2024, any provider without MiCA authorisation must halt operations.
Those registered under Law 6/2023 have until December 31, 2025 to secure a licence before being forced to exit the market.
| Deadline | Requirement | Outcome |
| December 30, 2024 | Hold MiCA authorisation or cease operations | No further operations allowed |
| December 31, 2025 | Existing VASPs must obtain MiCA licence | Mandatory exit if unmet |
| Beyond 2025 | New entrants require authorisation from day one | No operation without licence |
PRO TIP
Submit a dossier outline to the CNMV by mid-2024 to secure your place in the review queue and get early feedback on completeness.
Navigating the application process and timelines
The CNMV offers bilateral pre-application meetings and maintains an FAQ portal to clarify documentation needs. Once you submit, they’ll perform a completeness check before moving to substantive review.
CASP licences target a 60-working-day decision window from a complete application; the Bank of Spain follows a similar timeline for ART/EMT prudential licences. Spain’s first MiCA licences—awarded to Bit2Me and Openbank in July 2025—demonstrate that this timeline is achievable when dossiers are well-prepared (CNMV press release, July 2025).
Critical considerations for crypto firms
Compliance under MiCA is an ongoing programme, not a one-time checkbox. You should engage early with both regulators to refine your dossier, ensure your transaction-monitoring and KYC/CDD platforms meet MiCA’s stricter Travel Rule requirements, and appoint a dedicated compliance officer to oversee fit-and-proper attestations.
Regular cybersecurity audits and penetration tests will prove your operational resilience, while securing the required own funds and segregating client assets will satisfy prudential resources mandates. Once authorised, you can passport your services EU-wide without additional approvals.
PRO TIP
Maintain a rolling “Regulatory Watch” calendar synced with ESMA’s delegated acts and CNMV circulars to stay ahead of evolving guidance.
Practical next steps to secure MiCA compliance in Spain
Start with a gap analysis comparing your current AML/CFT controls, governance model, and ICT resilience against MiCA and Spain’s Law 6/2023. Assemble your dossier: draft your programme of activities, governance manuals, technical architectures, AML/CFT policies, financial projections, and white papers.
Book pre-application meetings with CNMV and the Bank of Spain to clarify fees and timelines, then train your teams on reporting duties and breach-notification protocols. Finally, set up an ongoing monitoring process for ESMA and CNMV updates so you never miss a delegated standard.
PRO TIP
Use a project-management tool (Jira or Asana) with built-in compliance templates to assign tasks, track progress, and keep stakeholders accountable.
Streamline MiCA compliance with CyberUpgrade
Meeting MiCA’s rigorous requirements—from whitepaper filings to ongoing governance and transparency—often means endless manual tracking and audit prep. CyberUpgrade automates your MiCA workflows with prebuilt templates and real-time Slack or Teams prompts, keeping policies, risk assessments, and evidence audit-ready in one central hub.
Beyond MiCA, CyberUpgrade also supports DORA, ISO 27001, and NIS 2 frameworks, letting you “map once, prove many” across multiple regulations. Automated data extraction, vulnerability scans, and KPI dashboards feed each regulator’s portal seamlessly, reducing manual work by up to 80 %.
With fractional CISO services guiding your continuous monitoring and customizable compliance workflows, you’ll secure faster approvals, avoid fines, and adapt as MiCA and related frameworks evolve—turning compliance from a hurdle into a strategic advantage.
Ready to turn regulatory mandates into opportunities?
By aligning your governance, technical safeguards, and capital plans with MiCA and Spain’s national framework—and by partnering closely with the CNMV and the Bank of Spain—you’ll secure legal certainty and a competitive edge in Europe’s unified crypto market. Reach out to CyberUpgrade if you’d like to discuss how these steps apply to your organisation.
