A Warsaw-based crypto exchange has been operating under Poland's Virtual Asset Service Provider (VASP) registration regime since 2021. Its compliance team assumed that existing anti-money-laundering procedures would carry the firm through any new regulatory cycle. Then the Markets in Crypto-Assets Regulation (MiCA) entered full application, and the assumption proved costly.

MiCA – Regulation (EU) 2023/1114 – became fully applicable to all crypto-asset service providers across the European Union on 30 December 2024. Polish VASPs that were registered under the national ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act, AML Act) must now obtain a MiCA authorisation from the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) or rely on a transitional grandfathering period that expires no later than 1 July 2026. Failure to obtain authorisation before that deadline precludes continued operation in the EU single market.

This guide walks through the MiCA authorisation procedure step by step, covering the timeline, cost estimates, three business scenarios, and the most common compliance mistakes Polish VASPs make at each stage. It also explains how MiCA intersects with related frameworks – including GDPR obligations, ustawa o ochronie danych osobowych (Personal Data Protection Act), and the Digital Operational Resilience Act (DORA compliance) – that apply simultaneously.

What does MiCA require from Polish VASPs, and who must comply?

MiCA replaces the fragmented national VASP registration system with a single EU-wide authorisation framework. Any entity providing crypto-asset services in Poland – including exchange, custody, transfer, and portfolio management – must hold a MiCA licence issued by the KNF. The regulation covers crypto-asset service providers (CASPs) broadly; the Polish AML Act registration does not substitute for MiCA authorisation. Grandfathering is available, but only for entities already registered with the KNF before 30 December 2024.

The grandfathering window matters enormously. Registered Polish VASPs may continue operating until 1 July 2026 without a full MiCA licence – but only if they submitted a complete authorisation application to the KNF before that date. Missing the submission deadline, not just the licence grant date, forfeits the transitional benefit. That distinction catches many operators off guard.

MiCA also introduces three sub-categories of crypto-asset issuers: issuers of asset-referenced tokens (ARTs), issuers of e-money tokens (EMTs), and other crypto-asset issuers. Each category carries different capital requirements. For a standard CASP providing exchange services, the minimum initial capital is EUR 150,000. Custody providers face EUR 150,000 as well, while operators of a trading platform for crypto-assets must hold at least EUR 150,000 in own funds on an ongoing basis. These figures are binding, not advisory.

  • Exchange and transfer services – EUR 50,000 minimum own funds
  • Custody and administration of crypto-assets – EUR 125,000
  • Operation of a crypto-asset trading platform – EUR 150,000
  • Portfolio management and advice – EUR 50,000
  • Underwriting and placement – EUR 50,000

How does the KNF authorisation procedure work in practice?

The KNF is the competent authority in Poland for MiCA authorisation. The application must be submitted in Polish and include a programme of operations, a business plan covering three years, governance documentation, and evidence of minimum capital. The KNF has 25 working days to assess completeness and a further 40 working days to issue a decision once the file is deemed complete. In practice, expect the full cycle to take four to six months from initial submission to authorisation grant.

We secured a MiCA-readiness assessment and pre-application package for a fintech operator in the Mazowieckie region (autumn 2025). The client had underestimated the governance documentation requirements by roughly 60 percent. Rebuilding the internal control framework before submission added eight weeks to the timeline but avoided a formal incompleteness notice from the KNF, which would have reset the 40-working-day clock entirely.

Step-by-step, the procedure runs as follows. First, conduct a gap analysis against MiCA requirements – typically two to four weeks for a mid-sized VASP. Second, build or update the governance framework: policies on conflicts of interest, client asset segregation, and complaint handling. Third, prepare capital evidence and arrange an auditor's confirmation. Fourth, draft the three-year business plan and programme of operations. Fifth, file with the KNF electronically through the KNF's dedicated portal. The KNF may request supplementary information within the 40-working-day review window; each such request pauses the clock.

Total professional fees for a standard CASP application – excluding capital – typically range from PLN 80,000 to PLN 200,000, depending on the complexity of the business model and the state of existing documentation. State fees payable to the KNF are modest by comparison. For cross-border data flows that arise in custody arrangements, the mechanisms described in our analysis of data transfer from Poland to Cyprus are directly relevant to MiCA compliance programmes.

What are the three main business scenarios for Polish VASPs under MiCA?

Not every Polish VASP faces identical MiCA exposure. The procedure and cost differ materially depending on the operator's current status, service scope, and target market. Three scenarios cover most of the market.

Scenario A – Existing registered VASP, domestic focus. A Polish exchange registered under the AML Act and serving only Polish retail clients can rely on grandfathering until 1 July 2026. It must file a complete KNF application before that date. Capital requirements are manageable at EUR 50,000 to EUR 150,000. The main risk is documentation gaps: AML-era registration required far less governance detail than MiCA demands. Budget four to six months for preparation and submission.

Scenario B – New entrant or unregistered operator. A startup launching a crypto custody product in 2025 has no grandfathering protection. It must obtain full MiCA authorisation before commencing services. The KNF review cycle means a realistic go-to-market date of nine to twelve months from the decision to apply. Tax structuring for the entity should be reviewed concurrently; our tax practice in Poland regularly advises on the interplay between CASP capital requirements and corporate income tax treatment of own funds.

Scenario C – Foreign CASP passporting into Poland. An EU-licensed CASP authorised in, say, Lithuania can passport services into Poland through a notification procedure under MiCA's single-market passport mechanism. The home-state regulator notifies the KNF. The Polish entity does not need a separate licence, but it must still comply with local AML obligations, GDPR Poland requirements for Polish data subjects, and – if it provides operational services from Polish infrastructure – DORA compliance obligations. Ignoring local GDPR obligations while relying on a passport is one of the most common and costly mistakes.

Which compliance mistakes most often derail MiCA applications in Poland?

The KNF's early-stage feedback on MiCA applications points to four recurring problems. Addressing them before submission is far cheaper than responding to an incompleteness notice or, worse, a refusal.

First, inadequate conflicts-of-interest policy. MiCA requires documented procedures for identifying, managing, and disclosing conflicts. Policies copied from MiFID II investment firm templates rarely satisfy MiCA's crypto-specific requirements, particularly around proprietary trading and token issuance conflicts. The KNF has flagged this in multiple pre-application consultations.

We assisted a Silesian fintech client in rewriting its conflicts framework from scratch after a draft KNF incompleteness notice (winter 2025). The revised policy added 14 pages of crypto-specific scenarios. The application was accepted as complete within the statutory 25-working-day window.

Second, missing client asset segregation evidence. MiCA mandates that CASPs hold client crypto-assets separately from own assets. The application must include contractual and technical evidence of segregation – wallet architecture diagrams, custodian agreements, and internal ledger procedures. Many applicants submit policy documents but omit technical evidence entirely.

Third, underestimating DORA compliance obligations. VASPs that qualify as financial entities under DORA – which applies in Poland from 17 January 2025 – must demonstrate ICT risk management, incident reporting procedures, and digital resilience testing. MiCA and DORA apply simultaneously. A CASP that addresses MiCA governance but ignores DORA operational resilience requirements risks a parallel supervisory proceeding with the KNF.

Fourth, IP and trademark exposure. Crypto brands that have not protected their name and logo under Polish and EU trademark law face infringement risk as the market professionalises. For operators building proprietary technology, trade secret protection strategies under Polish law provide a complementary layer alongside MiCA compliance. An IP lawyer Warsaw-based clients consult early saves significant cost later.

Frequently asked questions

Q: Does MiCA authorisation replace the existing Polish VASP registration under the AML Act?

A: Yes, but the transition is not automatic. A MiCA authorisation granted by the KNF will supersede the AML Act registration for MiCA-covered services. However, AML obligations continue in parallel – MiCA does not remove anti-money-laundering requirements. Operators must maintain AML compliance throughout the authorisation process and after licence grant. The registration in the KNF's register of VASPs under the AML Act will be maintained separately for activities not covered by MiCA.

Q: How long does the KNF MiCA authorisation process realistically take, and what does it cost?

A: From initial gap analysis to authorisation grant, budget nine to twelve months for a well-prepared applicant. The KNF has 25 working days to assess completeness and 40 working days to decide once the file is complete. Each information request from the KNF pauses that clock. Professional fees for preparation and submission typically range from PLN 80,000 to PLN 200,000. Capital requirements add EUR 50,000 to EUR 150,000 depending on service category. Rushing the preparation phase to save fees almost always extends the overall timeline.

Q: Does a Polish VASP need to comply with DORA as well as MiCA?

A: Most CASPs that fall within MiCA's scope will also qualify as financial entities under the Digital Operational Resilience Act, which applies across the EU from 17 January 2025. DORA compliance requires an ICT risk management framework, contractual provisions with third-party technology providers, and a digital operational resilience testing programme. The KNF supervises DORA compliance for Polish financial entities. A MiCA application that does not address DORA will face supplementary questions from the KNF. Treating the two frameworks as separate projects is a common and expensive mistake.

What should Polish VASPs prepare before filing?

The following checklist covers the minimum documentation set for a standard CASP application to the KNF. Gaps in any of these areas will trigger an incompleteness notice and reset the review timeline.

  • Governance documentation: conflicts-of-interest policy, remuneration policy, internal control framework
  • Client asset segregation evidence: wallet architecture diagrams, custodian agreements, internal ledger procedures
  • Capital evidence: auditor's confirmation of minimum own funds (EUR 50,000–EUR 150,000 depending on service)
  • Three-year business plan and programme of operations in Polish
  • DORA compliance framework: ICT risk management policy, incident classification and reporting procedure

Operators with cross-border data flows – particularly those using cloud infrastructure outside Poland – should also prepare a data protection impact assessment under GDPR Poland requirements and document the legal basis for any international transfers before the KNF review begins.

The specific situation of each firm determines which elements require the most work. A VASP with strong AML procedures but no formal governance framework faces a different preparation challenge than a new entrant with clean documentation but no capital base. Both face irreversible consequences if the 1 July 2026 submission deadline passes without a complete application on file.

For a tailored assessment of your firm's MiCA readiness and a preparation roadmap matched to the KNF's current expectations, contact info@kordeckipartners.com.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, MiCA authorisation, and digital compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.