Obtaining a fintech licence in Europe is not a single event - it is a multi-stage regulatory process that can take between six months and two years depending on jurisdiction, business model and the completeness of the application. The Payment Services Directive 2 (PSD2) and the Electronic Money Directive 2 (EMD2) define the two most common licensing tracks for payment institutions and e-money institutions respectively, while the Markets in Crypto-Assets Regulation (MiCA) has added a third track for crypto-asset service providers. Choosing the wrong track, or the wrong jurisdiction, can cost a fintech company a year of preparation and several hundred thousand euros in sunk costs.
This article walks through a composite regulatory case study drawn from the experience of European licensing processes. It covers the legal framework, the choice of licensing jurisdiction, the structure of the application, the most common failure points, and the strategic decisions that determine whether a licence is granted on the first submission or after multiple rounds of regulatory queries. Entrepreneurs and senior managers who are building or restructuring a European fintech operation will find concrete procedural guidance here.
---
The Payment Services Directive 2 (Directive 2015/2366/EU) governs payment institutions (PIs) across the European Economic Area. It was transposed into national law by each member state, which means the procedural rules - application forms, timelines, capital requirements - differ between, say, Lithuania and the Netherlands, even though the substantive licensing criteria are harmonised at EU level.
The Electronic Money Directive 2 (Directive 2009/110/EC) governs e-money institutions (EMIs). An EMI licence is broader than a PI licence: an EMI can issue electronic money and provide payment services, whereas a PI can only provide payment services. The initial capital requirement for an EMI is EUR 350,000 compared to EUR 125,000 for a full PI or EUR 20,000 for a limited PI. These thresholds are set at EU level but the supervisory authority that enforces them is national.
MiCA (Regulation EU 2023/1114) is a directly applicable EU regulation, meaning it does not require national transposition. It creates a single licence for crypto-asset service providers (CASPs) and issuers of asset-referenced tokens and e-money tokens. MiCA entered full application in December 2024. A non-obvious risk for fintechs operating in the crypto space is that some activities previously conducted under national exemptions or sandbox regimes are now squarely within MiCA';s scope, requiring a formal licence where none was needed before.
The three frameworks interact. A company that issues a stablecoin classified as an e-money token under MiCA must also hold an EMI licence. A company that provides crypto-asset custody alongside fiat payment services may need both a CASP authorisation and a PI licence. Mapping the business model to the correct regulatory category before filing is the single most consequential step in the entire process.
---
The choice of licensing jurisdiction within the EU is a strategic decision with long-term operational consequences. The four jurisdictions most frequently chosen by international fintechs are Lithuania, Ireland, Luxembourg and the Netherlands. Each has a distinct regulatory culture, processing speed and cost profile.
Lithuania, supervised by the Bank of Lithuania (Lietuvos bankas), became the dominant fintech licensing hub after 2016. The regulator operates a dedicated fintech-friendly unit and publishes average processing times. A PI application typically takes three to six months from submission of a complete file; an EMI application takes four to nine months. The Bank of Lithuania has issued more EMI and PI licences than any other EU regulator. The practical advantage is speed and a well-documented process. The practical disadvantage is that correspondent banking relationships for Lithuanian-licensed entities can be harder to establish, because some tier-one banks apply enhanced due diligence to Lithuanian-licensed fintechs as a category.
Ireland, supervised by the Central Bank of Ireland (CBI), is preferred by fintechs that need a credible presence for institutional clients or that are building toward a broader financial services group. The CBI is known for thorough scrutiny. Processing times for a PI or EMI licence run from nine to eighteen months. The cost of compliance infrastructure - local substance, qualified management, internal audit - is higher than in Lithuania. However, a CBI-authorised entity carries reputational weight that is recognised by correspondent banks and institutional partners.
Luxembourg, supervised by the Commission de Surveillance du Secteur Financier (CSSF), is the preferred jurisdiction for fintechs that are part of a larger financial group or that anticipate needing a broader set of licences - for example, an investment firm licence alongside a PI licence. The CSSF is experienced with complex group structures. Processing times are broadly comparable to Ireland.
The Netherlands, supervised by De Nederlandsche Bank (DNB) and the Autoriteit Financiƫle Markten (AFM), is a strong choice for fintechs targeting the Dutch market or the broader Benelux region. The DNB applies rigorous integrity screening (the fit-and-proper assessment) and is known for detailed requests for information during the review process. Processing times are similar to Ireland.
A common mistake made by international applicants is choosing a jurisdiction based solely on processing speed without modelling the downstream operational requirements: local substance, board composition, outsourcing restrictions and the availability of banking partners. A licence obtained in three months in Lithuania that cannot be operationalised because no bank will open a settlement account is not a useful licence.
To receive a checklist for selecting a fintech licensing jurisdiction in Europe, send a request to info@vlolawfirm.com.
---
Every PI and EMI application in the EU must include a programme of operations (PoO). The PoO is the document that describes, in detail, the payment services or e-money activities the applicant intends to provide, the business plan for the first three years, the governance structure, the risk management framework, the safeguarding arrangements and the IT security measures. Under PSD2 Article 5 and the corresponding national implementing legislation, the PoO is a mandatory component of the application, and a deficient PoO is the most common reason for a first-round rejection or a prolonged query process.
The governance requirements deserve particular attention. Each EU regulator requires that the management body of the applicant entity includes persons who are fit and proper - meaning they have the relevant knowledge, skills and experience, and they have no disqualifying criminal or regulatory history. The fit-and-proper assessment is conducted individually for each proposed director and key function holder. In practice, this means that the composition of the board must be decided and documented before the application is filed, because any change to the proposed management team after submission triggers a new round of regulatory review.
Local substance is a de facto requirement even where it is not explicitly stated as a de jure condition. Regulators across the EU have become increasingly sceptical of applications from entities that propose to operate entirely through outsourcing arrangements with no genuine local presence. The European Banking Authority (EBA) guidelines on outsourcing (EBA/GL/2019/02) set out the conditions under which material functions can be outsourced, and they require that the licensed entity retains sufficient expertise to oversee and challenge the outsourced service provider. An applicant that proposes to outsource its compliance function, its AML function and its IT operations to group entities in a third country will face detailed questions about how it intends to meet this requirement.
Safeguarding is another area where applications frequently fail. Under PSD2 Article 10 and EMD2 Article 7, payment institutions and e-money institutions must safeguard client funds either by holding them in a segregated account at a credit institution or by covering them with an insurance policy or bank guarantee. The practical challenge is that many credit institutions are reluctant to open safeguarding accounts for newly licensed fintechs, particularly those without an established track record. Applicants who have not secured a safeguarding bank before filing their application often find themselves in a circular situation: the regulator will not grant the licence without evidence of safeguarding arrangements, and the bank will not open the account without evidence of the licence.
The solution used by experienced practitioners is to obtain a conditional letter of intent from a credit institution confirming that it will open a safeguarding account upon grant of the licence. Most regulators accept this as sufficient evidence at the application stage. Securing such a letter requires early engagement with banking partners - typically three to six months before the application is filed.
---
Under PSD2 Article 12, the competent authority must inform the applicant within three months of receiving a complete application whether the authorisation is granted or refused. The word "complete" is doing significant work in that sentence. In practice, regulators in most EU jurisdictions issue a completeness check within four to eight weeks of receiving the initial submission. If the application is deemed incomplete, the three-month clock does not start until the missing information is provided. This mechanism means that a poorly prepared application can extend the overall timeline by six months or more, because each round of queries resets the clock.
The query process is the stage where most international applicants underestimate the regulatory burden. A typical first-round query from the Bank of Lithuania or the Central Bank of Ireland will contain between twenty and sixty individual questions, each requiring a written response supported by documentation. Common query topics include:
A non-obvious risk at this stage is that the regulator may request information that the applicant cannot provide without disclosing commercially sensitive details about its technology partners or investors. Applicants should prepare a confidentiality protocol before filing, so that they can respond to regulatory queries without inadvertently creating disclosure obligations to third parties.
The risk of withdrawal is real. If an applicant fails to respond to a query within the prescribed period - typically two to three months depending on the jurisdiction - the regulator may treat the application as withdrawn. Restarting the process from scratch means paying application fees again and losing the time already invested. In practice, it is important to consider that regulatory queries often arrive during periods of intense operational activity for a startup, and the temptation to deprioritise the regulatory response in favour of product development is a common and costly mistake.
To receive a checklist for managing the regulatory review process for a fintech licence in Europe, send a request to info@vlolawfirm.com.
---
Scenario one: a B2C payment app targeting the EU retail market
A technology company incorporated in Singapore wants to launch a consumer payment application in the EU. The application allows users to hold a balance, make peer-to-peer transfers and pay merchants. The business model requires an EMI licence because the product involves issuing electronic money. The founders consider applying in Lithuania for speed. The key constraint is that the Singapore parent has no EU presence and the proposed management team has no prior regulated financial services experience. The Bank of Lithuania will require at least one director with relevant experience in a regulated financial institution. The founders need to recruit a qualified local director before filing. The total preparation timeline, including recruitment, is approximately nine to twelve months. The initial capital requirement is EUR 350,000, and the realistic first-year compliance budget - including the cost of the local director, the AML officer, external legal and regulatory advisory fees, and IT security assessments - starts from the low hundreds of thousands of euros.
Scenario two: a B2B payments infrastructure provider
A UK-based company that provided payment services under its FCA authorisation before Brexit needs to re-establish EU access. It has an existing client base of European merchants and cannot afford a gap in service. The company considers two options: applying for a PI licence in Ireland (where it has an existing subsidiary) or acquiring a small licensed PI in Lithuania and using that entity as the EU vehicle. The acquisition route is faster in terms of time to market - a licensed entity can begin passporting services within weeks of completing the acquisition - but it carries the risk of inheriting undisclosed regulatory issues from the target. The application route is slower but cleaner. The decision turns on the urgency of the client contracts and the quality of due diligence on available acquisition targets. In practice, many post-Brexit UK fintechs have chosen the acquisition route for speed, only to discover that the acquired entity had outstanding regulatory queries or deficient AML programmes that required remediation before the new owner could use the licence effectively.
Scenario three: a crypto-asset service provider under MiCA
A European startup has been operating a crypto exchange under a national virtual asset service provider (VASP) registration in Estonia. MiCA now requires it to obtain a CASP authorisation. The company must apply to the Estonian Financial Supervision Authority (Finantsinspektsioon) for a MiCA authorisation. Under MiCA Article 63, the competent authority has forty working days to assess the completeness of the application and then a further forty working days to grant or refuse authorisation. The company';s existing VASP registration does not automatically convert to a MiCA authorisation, but MiCA';s transitional provisions allow it to continue operating under the national regime until the earlier of the date on which the competent authority makes a decision on its MiCA application or a specified transitional deadline. A common mistake is assuming that the transitional period provides unlimited runway: it does not, and companies that delay filing their MiCA application risk operating without any valid authorisation if the transitional period expires before their application is decided.
---
A European fintech licence is valuable primarily because of passporting. Under PSD2 Article 28 and EMD2 Article 3, a PI or EMI authorised in one EEA member state can provide services in any other EEA member state either by establishing a branch or by providing services on a cross-border basis, without needing a separate licence in each country. The passporting notification procedure requires the home regulator to notify the host regulator within one month of receiving the passporting request. The host regulator then has two months to prepare for supervision of the incoming entity.
Passporting is a right, not an automatic entitlement. Host regulators can impose additional requirements in areas outside the harmonised scope of PSD2, such as local consumer protection rules or language requirements for customer communications. A non-obvious risk is that some host regulators interpret their supervisory powers broadly and impose requirements that go beyond what PSD2 strictly requires. Fintechs that passport into multiple jurisdictions simultaneously can find themselves managing a patchwork of local compliance requirements that significantly increases the operational cost of the EU licence.
Post-licensing obligations are substantial and ongoing. Under PSD2 Article 22 and the EBA';s guidelines on internal governance, a licensed PI or EMI must maintain a permanent and effective compliance function, an independent internal audit function and a risk management framework. Annual reporting obligations to the home regulator typically include audited financial statements, a report on the safeguarding audit, a report on the AML/CFT programme and statistical data on payment volumes and incidents. The cost of maintaining these obligations - compliance staff, external auditors, regulatory reporting systems - is a recurring cost that must be modelled in the business plan from the outset.
The cost of non-compliance is severe. Under PSD2 Article 103, member states must ensure that competent authorities have the power to impose administrative sanctions including fines of up to EUR 5 million or 10% of annual turnover, whichever is higher, for serious breaches. Licence revocation is also available as a sanction. In practice, regulators across the EU have become significantly more active in enforcement against licensed fintechs that fail to maintain adequate AML/CFT programmes. The reputational damage from a public enforcement action - which most EU regulators are required to publish - can be more damaging to a fintech';s business than the financial penalty itself.
Many underappreciate that the post-licensing compliance burden is often more demanding than the licensing process itself. A fintech that invests heavily in the application but underinvests in the ongoing compliance infrastructure is building toward a regulatory problem that will materialise within two to three years of authorisation.
We can help build a strategy for your European fintech licensing and post-licensing compliance programme. Contact info@vlolawfirm.com.
To receive a checklist for post-licensing compliance obligations for fintech companies in Europe, send a request to info@vlolawfirm.com.
---
What is the most significant practical risk when applying for a fintech licence in Europe?
The most significant practical risk is submitting an incomplete or internally inconsistent application, which triggers an extended query process and resets the regulatory clock. Regulators assess not only whether the required documents are present but whether the business model described in the programme of operations is coherent and whether the governance structure is genuinely capable of managing the risks of the proposed activities. An application that describes a complex multi-product business model but proposes a governance structure designed for a simpler operation will generate detailed questions about risk management adequacy. The practical consequence is a delay of six to twelve months beyond the statutory timeline, during which the applicant continues to incur preparation costs without generating revenue from the licensed activity.
How long does European fintech licensing take and what does it cost?
The realistic timeline from the decision to apply to the grant of a licence ranges from six months in the most favourable cases - a straightforward PI application in Lithuania with a well-prepared file - to eighteen to twenty-four months for a complex EMI or CASP application in a jurisdiction with a more demanding supervisory culture. The total cost of the licensing process, including legal and regulatory advisory fees, the cost of recruiting qualified management, IT security assessments, and the initial capital requirement, typically starts from the low hundreds of thousands of euros for a PI application and can reach several hundred thousand euros for a full EMI or MiCA CASP application. These figures do not include the ongoing annual compliance costs, which must be budgeted separately and which represent a significant recurring commitment.
When should a fintech consider acquiring a licensed entity rather than applying for a new licence?
Acquiring an existing licensed entity makes strategic sense when time to market is critical and the cost of delay - in terms of lost client contracts or competitive position - exceeds the premium paid for the acquisition and the cost of post-acquisition regulatory remediation. The key condition is that the due diligence process must be thorough enough to identify any outstanding regulatory issues, undisclosed enforcement actions or deficiencies in the AML/CFT programme of the target entity. A licensed shell with a clean regulatory history and no operational liabilities is a genuinely valuable asset. A licensed entity with undisclosed regulatory queries or a deficient compliance programme is a liability that can result in the acquirer inheriting enforcement proceedings. The decision should be made only after a detailed regulatory due diligence review conducted by advisers with direct experience of the relevant regulator.
---
Fintech licensing in Europe is a structured regulatory process with clear legal frameworks, defined timelines and significant consequences for errors at any stage. The choice of jurisdiction, the quality of the programme of operations, the governance structure and the safeguarding arrangements are the four variables that most directly determine whether an application succeeds on the first submission or enters a prolonged query cycle. Post-licensing compliance obligations are substantial and must be planned from the outset. A well-executed licensing strategy is a competitive asset; a poorly executed one is a source of regulatory and reputational risk.
Our law firm VLO Law Firms has experience supporting clients in Europe on fintech regulatory and licensing matters. We can assist with jurisdiction selection, application preparation, regulatory query management, passporting procedures and post-licensing compliance structuring. To receive a consultation, contact: info@vlolawfirm.com.