A Warsaw-based cryptocurrency exchange operator learns, six months before the deadline, that its existing registration with the Polish Financial Supervision Authority (KNF) does not automatically convert into a MiCA licence. The firm has been operating lawfully under national rules. Now it faces a full authorisation process, a compliance programme it has never built, and a window that is closing fast. Missing the transition period forfeits the right to passport services across the European Union – an irreversible commercial consequence.

The Markets in Crypto-Assets Regulation (MiCA) became directly applicable across all EU member states, including Poland, on 30 December 2024. Polish Virtual Asset Service Providers (VASPs) registered with the KNF under the ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act, AML Act) benefit from a transitional period running until 1 July 2026. After that date, continued operation without a MiCA licence constitutes a regulatory violation exposing directors to personal liability and the entity to suspension of activities.

This page sets out the regulatory framework, the authorisation instruments available to Polish VASPs, the practical pitfalls that cause applications to fail, the cross-border considerations for foreign investors, and a self-assessment checklist. Each section is structured so that a compliance officer or in-house counsel can identify the relevant risk and act on it without delay.

What does MiCA change for Polish VASPs?

MiCA replaces the fragmented national regime with a single EU-level authorisation framework. Under Polish corporate legislation, VASPs were previously required only to register in the register maintained by the KNF – a lighter-touch process compared to full licensing. MiCA introduces a mandatory authorisation requirement for Crypto-Asset Service Providers (CASPs), a category that covers the majority of activities previously classified as virtual asset services under the AML Act. The shift is structural: registration becomes authorisation, and the obligations attached to it multiply.

The regulation distinguishes three categories of crypto-asset issuers: issuers of asset-referenced tokens (ARTs), issuers of e-money tokens (EMTs), and issuers of other crypto-assets (utility tokens and similar instruments). Each category carries different capital requirements, governance standards, and disclosure obligations. A Polish firm issuing a stablecoin pegged to the euro must now comply with EMT rules, maintain own funds equal to the higher of EUR 350,000 or a percentage of average reserve assets, and hold those reserves with an EU credit institution.

For service providers – exchanges, custodians, portfolio managers, transfer agents – the operative change is the requirement to obtain a CASP licence from the KNF. The KNF acts as the competent national authority under MiCA. Once granted, the licence passports across all 27 EU member states, removing the need for separate registrations in each jurisdiction. That passport is the lost opportunity for firms that miss the 1 July 2026 deadline: they cannot rely on transitional protection and must apply from scratch, potentially facing a gap period during which cross-border services are prohibited.

We secured regulatory clearance for a crypto-asset custody provider in the Mazowieckie region (spring 2026), enabling the client to file its CASP application before the transitional window closed and avoid an operational gap.

How does the KNF authorisation process work?

The KNF authorisation process under MiCA follows a structured sequence with hard statutory deadlines. The KNF must acknowledge receipt of an application within 25 business days and issue a decision within 40 business days of confirming the application is complete. An incomplete application restarts the clock, so document quality at submission is decisive. Polish corporate legislation requires the applicant to be a legal entity with a registered office or branch in Poland or another EU member state.

The application must include a programme of operations covering at least three years, a business plan, governance arrangements, internal control procedures, an AML/CFT policy aligned with the AML Act, IT security documentation, and evidence of minimum own funds. For a firm providing only custody services, the minimum own funds threshold is EUR 125,000. For a firm operating a trading platform, the threshold rises to EUR 150,000. These figures are floors, not targets – the KNF will assess whether own funds are adequate given the firm's risk profile.

  • Programme of operations (minimum three years, Polish or English)
  • Governance and fit-and-proper documentation for management board members
  • AML/CFT policy and transaction monitoring procedures
  • IT security framework and business continuity plan
  • Evidence of minimum own funds (bank confirmation or auditor's statement)

Fit-and-proper assessment of management board members is an area where applications frequently stall. The KNF applies criteria drawn from financial services regulation: good repute, absence of criminal convictions for financial crime, and adequate professional experience. A board member who managed an unregulated exchange for three years may not satisfy the experience criterion without supplementary documentation. This is not a formality – the KNF has rejected applications at this stage.

To receive an expert assessment of your CASP application readiness, contact info@kordeckipartners.com.

What are the key compliance pitfalls under MiCA for Polish operators?

Three compliance failures account for the majority of problems Polish VASPs encounter after authorisation. First, white-paper obligations are misunderstood. MiCA requires a crypto-asset white paper for every public offer of a crypto-asset other than an ART or EMT, unless an exemption applies. The white paper must be notified to the KNF at least 20 business days before publication. Publishing without notification triggers an administrative sanction of up to EUR 700,000 for natural persons or up to 5 percent of annual turnover for legal entities.

Second, marketing communications rules are routinely underestimated. Every marketing communication relating to a crypto-asset must be clearly identifiable as such, must be fair and not misleading, and must include a reference to the white paper where one exists. The prohibition on misleading communications applies even when no white paper is required. Social media posts, influencer campaigns, and newsletter content all fall within scope. The National Court Register (KRS) filing of a company's objects clause does not exempt it from these rules.

Third, conflicts of interest management is treated as a governance formality rather than an operational requirement. MiCA requires CASPs to maintain and implement effective policies to identify, prevent, manage, and disclose conflicts of interest. A trading platform that also provides advice, or a custodian that also acts as an exchange, must demonstrate structural separation or disclosure mechanisms that satisfy the KNF. Firms that copy generic financial services conflict-of-interest policies without adapting them to crypto-specific scenarios will face supervisory questions.

GDPR Poland obligations intersect with MiCA at the level of white-paper data and customer due diligence records. The General Data Protection Regulation applies to all personal data processed in connection with CASP activities. Retention periods for AML records (five years under the AML Act) must be reconciled with data minimisation principles. This intersection is an area where IP lawyer Warsaw-based practices with combined fintech and data expertise add measurable value.

How does MiCA affect cross-border operations involving Poland?

For a German or Swiss investor operating a crypto-asset business that serves Polish retail clients, MiCA creates both an opportunity and a compliance obligation. The opportunity is the EU passport: a CASP licensed in any EU member state may provide services in Poland without a separate Polish licence, subject to notification to the KNF. The compliance obligation is that the passport does not exempt the firm from Polish consumer protection rules, Polish language requirements for retail client communications, or the jurisdiction of Polish courts for consumer disputes.

Data transfer from Poland to Switzerland raises a specific question for Swiss-based crypto operators that process Polish user data. Switzerland is recognised by the European Commission as providing adequate data protection under GDPR. However, the adequacy decision covers general data transfers, not crypto-specific AML data sharing. A Swiss CASP sharing transaction monitoring data with a Polish partner must assess whether that transfer falls within the adequacy decision or requires supplementary safeguards. For background on the legal mechanisms available, see our analysis of data transfer from Poland to Switzerland.

We obtained a cross-border structuring opinion for a technology group with operations in Lower Silesia (autumn 2025), enabling the client to consolidate its EU CASP licence in a single jurisdiction and passport services into Poland, Romania, and three other member states without duplicating compliance infrastructure.

DORA compliance adds a further layer for larger CASPs. The Digital Operational Resilience Act applies to financial entities, and MiCA CASPs are classified as financial entities for DORA purposes once they exceed the relevant thresholds. Polish VASPs that grow beyond those thresholds after obtaining a CASP licence must implement ICT risk management frameworks, incident reporting to the KNF, and third-party ICT provider oversight – all within 12 months of crossing the threshold. Firms that plan for this from the outset avoid a costly retrofit.

For a tailored strategy on cross-border CASP structuring, reach out to info@kordeckipartners.com.

What should Polish VASPs do before the 1 July 2026 deadline?

The transitional period under MiCA runs until 1 July 2026 for Polish VASPs registered with the KNF under the AML Act before 30 December 2024. Firms that submit a complete CASP application before that date may continue operating during the KNF's review period. Firms that miss the deadline lose transitional protection immediately – there is no grace period within the grace period. The KNF has indicated it will not extend the national transitional window beyond the EU-mandated date.

Trademark and IP considerations are relevant for firms that plan to rebrand as part of the MiCA transition. A CASP licence is granted to a specific legal entity under a specific name. Rebranding after authorisation requires notification to the KNF and, depending on the scale of the change, may trigger a fresh fit-and-proper assessment. Securing trademark protection for the new brand before the KNF notification avoids the risk of a third party registering the mark during the administrative process. For context on IP protection strategy in the technology sector, see our guide on IP protection for tech companies in Poland.

AI Act Poland obligations will intersect with MiCA for CASPs that use algorithmic trading, automated customer scoring, or AI-driven fraud detection. The AI Act classifies certain financial sector AI systems as high-risk. A CASP using a high-risk AI system must register it with the EU database and maintain technical documentation before deploying it in a regulated activity. Firms building MiCA compliance programmes now should map their AI systems simultaneously to avoid a second compliance cycle.

Warehouse and logistics contract structures are relevant for VASPs that operate physical infrastructure – hardware wallets, mining equipment, or node servers – under service agreements. The allocation of liability in those contracts affects the CASP's ability to satisfy MiCA's business continuity requirements. For an overview of how Polish law governs such arrangements, see our analysis of warehouse and logistics contracts under Polish law.

Self-assessment checklist for Polish VASPs

The following checklist covers the minimum steps a Polish VASP should complete before submitting a CASP application. It is not a substitute for legal advice, but it identifies the most common gaps found during pre-application reviews.

  • Confirm which MiCA service categories apply to your current activities and whether any exemptions reduce the scope of authorisation required
  • Verify that minimum own funds are held in eligible form and that the amount meets the applicable threshold (EUR 125,000 to EUR 150,000 depending on services)
  • Review management board members' CVs against KNF fit-and-proper criteria and prepare supplementary documentation for any gaps
  • Draft or update the AML/CFT policy to align with both the AML Act and MiCA's enhanced due diligence requirements for high-risk transactions
  • Map all crypto-asset white papers and marketing communications against MiCA notification and disclosure obligations, including the 20-business-day pre-publication window

The checklist above addresses authorisation readiness. Ongoing compliance after licensing is a separate programme. MiCA requires annual reporting to the KNF, periodic review of white papers when material changes occur, and continuous monitoring of AML obligations. Firms that treat authorisation as the finish line rather than the starting point typically face supervisory intervention within 18 months of licensing.

Frequently asked questions

Q: Does my existing KNF registration as a VASP automatically convert into a MiCA CASP licence?

A: No. The existing registration under the AML Act does not automatically convert into a MiCA authorisation. Polish law provides a transitional period until 1 July 2026, during which registered VASPs may continue operating while preparing and submitting a CASP application. The application must be filed before the transitional deadline to preserve the right to continue services during the KNF's review. Firms that fail to file before 1 July 2026 must cease regulated activities until a licence is granted.

Q: How long does the KNF take to process a CASP application, and what does it cost?

A: The KNF has 40 business days from receipt of a complete application to issue a decision. The clock stops if the KNF requests additional information. Application fees are set by regulation and are currently in the range of PLN 616 to PLN 4,600 depending on the service category. Legal and compliance preparation costs typically exceed the application fee by a significant margin – firms should budget for governance documentation, IT security assessments, and AML policy drafting as separate line items.

Q: Is it a common misconception that MiCA only applies to large crypto exchanges?

A: Yes. MiCA applies to any person providing crypto-asset services on a professional basis in the EU, regardless of size. A small Polish operator providing only custody services for a few hundred clients still requires a CASP licence. The only exemptions are for persons providing services exclusively to group companies, certain peer-to-peer arrangements without intermediaries, and services where the total value of crypto-assets does not exceed specific thresholds set by the European Banking Authority. Most commercial VASPs do not qualify for these exemptions.

Specific situations require tailored analysis. Your firm's activities, client base, and asset categories all affect the scope of MiCA obligations and the timeline for compliance.

To discuss how MiCA applies to your specific situation, email info@kordeckipartners.com.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, crypto-asset compliance, and IP protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating MiCA, DORA, the AI Act, and related EU financial regulation. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.