One EU framework
Once authorised, a Lithuanian CASP can generally use MiCA passporting to provide covered services across the European Union, subject to notification procedures and local conduct expectations.
Lithuania • MiCA • CASP authorisation
MiCA licensing in Lithuania for serious crypto-asset service providers
A practical guide for founders, compliance officers and legal teams preparing a Lithuanian CASP application under the EU Markets in Crypto-Assets Regulation.
01 / Lithuanian MiCA overview
From crypto registration to financial-services-grade authorisation
MiCA creates a harmonised EU framework for crypto-asset services. In Lithuania, applicants that are not already authorised financial institutions generally need CASP authorisation from the Bank of Lithuania before providing regulated crypto-asset services.
Before MiCA
Legacy virtual asset service provider models were mainly AML-focused. They confirmed that a company was known to the authorities and had basic anti-money laundering procedures, but they did not always test prudential resilience, governance depth, client-asset controls or operational continuity.
Under MiCA
CASP authorisation is broader. The regulator examines the business model, service scope, own funds, management suitability, ICT resilience, outsourcing, complaints handling, conflicts of interest, market conduct and safeguarding of client assets and funds.
Local credibility matters
A paper company is unlikely to be persuasive. Decision-making, compliance oversight, records, risk ownership and operational capacity should be demonstrable and proportionate to the service model.
Further jurisdiction detail
For a more specific legal-service perspective, review this guide to the MiCA licence in Lithuania and compare it with your planned service perimeter.
02 / Who should apply
Companies whose services fall within MiCA’s CASP perimeter
The licence question starts with service mapping. A company may be in scope even if it does not call itself an exchange or custodian. The substance of the service is more important than the marketing label.
Exchange and brokerage models
Platforms converting crypto-assets into funds, funds into crypto-assets, or one crypto-asset into another should review whether they perform exchange, execution, order reception or transmission services.
Custody and wallet operations
Businesses safeguarding private keys, administering client crypto-assets or controlling transfer infrastructure usually face higher expectations around segregation, access control, reconciliation and incident response.
Trading platforms and transfer services
Order-book venues, matching systems, transfer service providers and infrastructure products may need authorisation where they provide regulated services to third parties rather than purely internal technology.
03 / Licensing requirements
What a Lithuanian CASP application needs to prove
A strong file connects legal analysis with operational evidence. Policies are necessary, but they should match the real product, staffing plan, technology stack, client journey and risk profile.
| Area | Regulatory expectation | Practical evidence |
|---|---|---|
| Service perimeter | Clear identification of each MiCA service and crypto-asset type covered by the business model. | Service matrix, product diagrams, client journey maps, legal classification memo. |
| Own funds | Minimum capital and ongoing prudential resources proportionate to the authorised services and risk profile. | Capital calculation, financial forecasts, evidence of paid-in capital, wind-down funding assumptions. |
| Management suitability | Managers and key function holders must be fit, proper, experienced and collectively suitable. | CVs, criminal record checks, reputation declarations, organisational chart, governance charters. |
| ICT and security | Secure, resilient technology with access controls, incident handling, business continuity and outsourcing governance. | Architecture diagrams, penetration testing plan, access matrix, disaster recovery plan, vendor register. |
| Client protection | Safeguarding of crypto-assets and funds, clear disclosures, complaint handling and conflict management. | Custody procedure, reconciliation policy, client terms, disclosure pack, complaints register template. |
| AML/CTF | Risk-based anti-money laundering framework aligned with Lithuanian and EU expectations. | AML risk assessment, KYC rules, transaction monitoring scenarios, sanctions screening, MLRO appointment. |
04 / Step-by-step application process
A practical roadmap from scoping to authorisation
The process is easiest when handled as a regulatory project rather than a document-writing exercise. Each step should produce evidence that can survive supervisory questions.
Define the service perimeter
Map every planned service against MiCA categories. Separate regulated CASP services from unregulated technology, marketing, treasury or group support functions.
Design the Lithuanian operating model
Decide which functions sit in Lithuania, which are outsourced, who makes decisions, how compliance escalations work and how records will be kept for supervisory review.
Build governance, AML and ICT controls
Prepare policies, but also configure real controls: onboarding rules, transaction monitoring, sanctions screening, wallet risk tools, incident logs, access management and vendor oversight.
Prepare the application file
Compile corporate documents, business plan, financial forecasts, own-funds evidence, management files, outsourcing documentation, safeguarding procedures and client-facing disclosures.
Submit and manage regulator questions
After submission, expect follow-up questions. The response process should be controlled, consistent and evidence-based. Weak answers often reveal gaps between policy wording and actual operations.
Launch under ongoing supervision
Authorisation is not the endpoint. CASPs need monitoring, reporting, periodic reviews, incident notification procedures, complaint tracking, AML testing and board-level risk reporting.
05 / AML and governance duties
Controls must match crypto-specific risk, not generic finance templates
Crypto compliance requires evidence that the firm understands blockchain transaction risk, wallet exposure, cross-border clients, sanctions evasion typologies and the operational risks of custody or transfer services.
AML framework essentials
- Business-wide AML/CTF risk assessment covering products, clients, geographies and delivery channels.
- Customer due diligence, enhanced due diligence and source-of-funds procedures.
- Sanctions and PEP screening before onboarding and during the client relationship.
- Transaction monitoring scenarios calibrated for crypto flows, fiat rails and wallet risk.
- Suspicious activity escalation, recordkeeping and staff training.
Governance and control notes
- Board oversight: directors should receive meaningful risk and compliance reporting, not only annual policy approvals.
- Three-lines logic: operational teams, compliance and independent testing should have distinct responsibilities where proportionate.
- Outsourcing: key vendors need due diligence, contracts, access controls, exit plans and ongoing monitoring.
- Conflicts: revenue incentives, token listings, group services and proprietary trading must be identified and controlled.
- Safeguarding: client assets should be segregated, reconciled and protected against unauthorised access.
06 / Document checklist
Core documents to prepare before filing
The exact file depends on the service scope, corporate structure and risk profile. The checklist below is a practical working base for a Lithuanian CASP readiness review.
Corporate documents, UBO structure, group chart and shareholder information.
Detailed programme of operations and MiCA service perimeter analysis.
Business plan, financial projections, own-funds calculation and wind-down assumptions.
Management body files, fit-and-proper declarations, CVs and reputation evidence.
AML/CTF policy, business-wide risk assessment and customer due diligence procedures.
Transaction monitoring, sanctions screening and suspicious activity escalation procedures.
ICT architecture, cybersecurity policy, access control matrix and incident response plan.
Safeguarding, custody, reconciliation and client-asset segregation procedures.
Outsourcing register, vendor due diligence, service-level controls and exit plans.
Client terms, disclosures, complaints procedure and conflict-of-interest policy.
Internal audit or independent review plan proportionate to the business model.
Data protection, recordkeeping and regulatory reporting procedures.
07 / FAQ
Frequently asked questions
These answers are intended as practical orientation. They are not legal advice and should be checked against the exact business model before filing.
Is a Lithuanian MiCA licence valid across the EU?
MiCA is designed as an EU framework. After authorisation and the required passporting steps, a Lithuanian CASP can generally provide covered crypto-asset services in other EU member states without obtaining a separate full licence in each state.
Can a foreign-owned company apply in Lithuania?
Foreign ownership is not the main obstacle. The stronger question is whether the applicant has credible governance, management suitability, operational capacity, AML controls and a Lithuanian operating model that matches the proposed services.
How long does the application take?
Timing depends on file quality, service complexity, ownership structure and regulator questions. A realistic plan should include time for pre-application scoping, document drafting, control implementation, submission review and follow-up responses.
What is the biggest reason applications become weak?
The common weakness is inconsistency. For example, the business plan says custody is outsourced, the ICT policy assumes internal custody, the AML risk assessment ignores high-risk jurisdictions, and the financial forecast does not fund the compliance team described in the governance chart.
Does MiCA replace AML obligations?
No. MiCA adds a crypto-asset services authorisation framework, but AML/CTF obligations remain central. Lithuanian applicants need both MiCA-ready governance and a robust AML programme suitable for crypto-specific risks.
Can policies be prepared before the platform is fully built?
Yes, but they must be operationally credible. The regulator may expect evidence that the controls described in the policies can actually be implemented, tested and monitored before launch.
Readiness review
Check whether your Lithuanian CASP file is regulator-ready
Use this demo form to request a structured review of service perimeter, required policies, management files, AML controls, ICT evidence and launch readiness. The form runs entirely in the browser and does not send data to a backend.