Germany as a crypto regulatory benchmark in Europe
Germany is one of the most clearly regulated crypto and blockchain jurisdictions in the European Union. The Kreditwesengesetz (KWG, Banking Act) was amended to classify crypto assets as financial instruments as early as 2020, making Germany the first major EU economy to formally integrate digital assets into its financial regulatory framework. Since then, the regulatory architecture has expanded substantially, layering EU-level rules - most importantly the Markets in Crypto-Assets Regulation (MiCAR) - on top of a robust national framework supervised by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin, Federal Financial Supervisory Authority).
For international businesses entering the German market, this dual-layer structure creates both opportunity and complexity. A German crypto license carries significant reputational weight across the EU, and the MiCAR passporting mechanism allows a German-licensed entity to operate across all 27 member states. At the same time, the compliance burden is substantial, the licensing timeline is measured in months rather than weeks, and BaFin's enforcement posture is active and well-resourced.
This article covers the legal classification of crypto assets under German law, the licensing categories available to crypto businesses, the MiCAR transition framework, pre-application requirements, ongoing compliance obligations, and the most common strategic mistakes made by international operators entering Germany.
---
How German law classifies crypto assets and blockchain activities
Legal classification is the starting point for any crypto business strategy in Germany. The classification determines which regulatory regime applies, which license is required, and which activities are prohibited without prior authorisation.
Under the KWG, as amended by the Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie (the 2020 amendment implementing the Fifth Anti-Money Laundering Directive), crypto assets are defined as a separate category of financial instrument. This definition is broad: it covers digital representations of value that are not issued or guaranteed by a central bank, are not legal tender, and can be transferred, stored or traded electronically. Bitcoin, Ether, and most utility tokens fall within this definition under BaFin's administrative practice.
Security tokens - digital representations of rights equivalent to transferable securities - are additionally subject to the Wertpapierhandelsgesetz (WpHG, Securities Trading Act) and the Wertpapierprospektgesetz (WpPG, Securities Prospectus Act). A token that grants profit participation rights, voting rights, or debt claims will typically be treated as a security, triggering prospectus obligations and MiFID II-derived conduct requirements.
E-money tokens, which are pegged to a single fiat currency and function as a digital substitute for cash, fall under the Zahlungsdiensteaufsichtsgesetz (ZAG, Payment Services Supervision Act) and the EU Electronic Money Directive as implemented in Germany. Stablecoins backed by a basket of assets or by algorithms are assessed individually by BaFin and may be classified as either e-money tokens or asset-referenced tokens under MiCAR.
Non-fungible tokens (NFTs) occupy a more ambiguous position. BaFin has indicated that purely collectible NFTs with no investment function are unlikely to qualify as financial instruments. However, fractionalized NFTs or NFTs that grant revenue-sharing rights will attract regulatory scrutiny and may require licensing.
A common mistake made by international operators is to rely on the legal classification used in their home jurisdiction. BaFin applies its own analysis, and a token classified as a utility token in Singapore or the British Virgin Islands may be treated as a financial instrument in Germany. Engaging German legal counsel before product launch - not after - avoids the risk of operating without a required license, which carries criminal liability under section 54 KWG.
---
BaFin licensing categories for crypto businesses in Germany
Germany offers several licensing pathways depending on the nature of the crypto business. Each pathway has distinct capital requirements, organisational obligations, and processing timelines.
Crypto custody license (Kryptoverwahrgeschäft)
The crypto custody license, introduced by section 1(1a) sentence 2 no. 6 KWG, authorises businesses to hold, store, and secure crypto assets or private cryptographic keys on behalf of clients. This was a significant innovation: Germany became the first EU jurisdiction to create a standalone custodian license for digital assets.
Applicants must demonstrate a minimum initial capital of EUR 125,000, adequate technical infrastructure, appropriate internal controls, and at least two managing directors with relevant professional experience. BaFin reviews the reliability and professional suitability of each managing director individually. The processing time for a complete application has typically ranged from six to twelve months, depending on the complexity of the business model and the quality of the application package.
In practice, the most common reason for delays is an incomplete or inconsistent business plan. BaFin expects a detailed description of the custody technology, key management procedures, disaster recovery protocols, and the outsourcing arrangements used for IT infrastructure. A non-obvious risk is that outsourcing critical IT functions to a non-EU provider can trigger additional supervisory requirements under the European Banking Authority's outsourcing guidelines, which BaFin applies to crypto custodians by analogy.
Investment firm license for crypto asset services
Businesses that provide investment services in relation to financial instruments - including crypto assets classified as financial instruments - require an investment firm license under section 32 KWG in conjunction with the Wertpapierinstitutsgesetz (WpIG, Securities Institutions Act). This covers portfolio management, investment advice, order execution, and the operation of a multilateral trading facility for crypto assets.
The WpIG, which transposed MiFID II into German law for smaller investment firms, creates a tiered capital regime. Class 3 firms - those that do not hold client assets or take proprietary risk - require initial capital of EUR 75,000. Class 2 firms face higher requirements, typically EUR 150,000 to EUR 750,000 depending on the scope of activities. Class 1 firms, which are systemically relevant, are subject to full CRR/CRD requirements.
Payment institution license for crypto-related payment services
Businesses that facilitate the transfer of fiat currency in connection with crypto transactions, or that operate crypto-to-fiat conversion services, may require a payment institution license under the ZAG. This is particularly relevant for crypto exchanges that allow customers to deposit and withdraw euros via bank transfer.
Crypto asset service provider registration under MiCAR
From the date MiCAR became fully applicable in Germany - with the transitional period under Article 143 MiCAR allowing existing service providers to continue operating under national law until mid-2026 - new entrants must obtain authorisation as a Crypto-Asset Service Provider (CASP) directly under MiCAR. This is discussed in detail in the next section.
To receive a checklist of BaFin licensing requirements for crypto businesses in Germany, send a request to info@vlolawfirm.com.
---
MiCAR and the transition framework applicable in Germany
The Markets in Crypto-Assets Regulation (MiCAR, Regulation (EU) 2023/1114) is the EU-wide framework that harmonises the regulation of crypto asset issuers and service providers across all member states. MiCAR applies directly in Germany without the need for national transposition legislation, though Germany has adopted supplementary national measures through the Kryptomarkteverordnungs-Anpassungsgesetz (the MiCAR Adaptation Act) to align existing BaFin supervisory powers with the new framework.
MiCAR distinguishes between three categories of crypto asset:
- Asset-referenced tokens (ARTs), which reference multiple currencies, commodities, or other assets to maintain stable value
- E-money tokens (EMTs), which reference a single official currency
- Other crypto assets, including utility tokens and cryptocurrencies such as Bitcoin and Ether
Issuers of ARTs and EMTs face the most demanding requirements under MiCAR, including white paper publication obligations, reserve asset requirements, redemption rights for holders, and ongoing reporting to BaFin. Issuers of significant ARTs or EMTs - those exceeding thresholds set by the European Banking Authority (EBA) - are subject to direct EBA supervision rather than BaFin supervision.
For crypto asset service providers (CASPs), MiCAR defines nine categories of service: custody and administration, operation of a trading platform, exchange of crypto assets for fiat currency, exchange of crypto assets for other crypto assets, execution of orders, placing of crypto assets, reception and transmission of orders, providing advice, and portfolio management. A business providing any of these services in Germany must obtain CASP authorisation from BaFin under MiCAR, unless it already holds a relevant license under national law that is recognised as equivalent during the transitional period.
The transitional period under Article 143(3) MiCAR allows businesses that were already providing crypto asset services under national law before MiCAR's full application date to continue operating for up to 18 months without a MiCAR authorisation, provided they notify BaFin. Germany has implemented this transitional regime, meaning that holders of existing BaFin licenses - such as crypto custody licenses or investment firm licenses - can continue operating while their MiCAR applications are processed. New entrants, however, must apply for MiCAR authorisation from the outset.
The MiCAR authorisation process requires submission of a detailed application to BaFin including a programme of operations, a business plan, governance arrangements, internal control mechanisms, a description of IT systems and security arrangements, and evidence of initial capital. BaFin has 25 working days to assess completeness of the application and a further 40 working days to reach a decision, with the possibility of a single extension of 20 working days for complex cases. In practice, pre-application engagement with BaFin - through its formal pre-application process - significantly reduces the risk of a completeness rejection.
A non-obvious risk in the MiCAR framework is the interaction between the CASP authorisation and the existing KWG/WpIG licensing regime. A business that holds a KWG crypto custody license and also wishes to provide MiCAR-regulated services must assess whether its existing license covers all intended activities or whether a separate MiCAR authorisation is required. BaFin has indicated that it will assess these cases individually, and the answer is not always straightforward.
Many international operators underappreciate the significance of the white paper obligation under MiCAR. Article 6 MiCAR requires issuers of crypto assets other than ARTs and EMTs to publish a white paper that meets specific content requirements, including a description of the issuer, the project, the rights and obligations attached to the crypto asset, the underlying technology, and the risks. The white paper must be notified to BaFin before publication. Failure to comply with white paper obligations can result in supervisory measures including publication bans and administrative fines of up to EUR 700,000 or 5% of annual turnover.
---
Anti-money laundering obligations for crypto businesses in Germany
Germany's anti-money laundering (AML) framework for crypto businesses is among the most demanding in the EU. The Geldwäschegesetz (GwG, Money Laundering Act) designates crypto asset service providers as obliged entities, subjecting them to the full range of AML obligations applicable to financial institutions.
The core obligations under the GwG include:
- Customer due diligence (CDD) for all business relationships and transactions above EUR 1,000 in crypto assets
- Enhanced due diligence for high-risk customers, politically exposed persons, and transactions involving high-risk third countries
- Ongoing monitoring of business relationships and transaction patterns
- Suspicious transaction reporting to the Zentralstelle für Finanztransaktionsuntersuchungen (FIU, Financial Intelligence Unit)
- Appointment of a dedicated AML officer with appropriate qualifications and authority
The travel rule, derived from the Financial Action Task Force (FATF) Recommendation 16 and implemented in Germany through the GwG and the EU's Transfer of Funds Regulation (TFR, Regulation (EU) 2023/1113), requires crypto asset service providers to collect and transmit originator and beneficiary information for all crypto asset transfers. The TFR applies to transfers of any value, removing the EUR 1,000 threshold that previously applied under the predecessor regulation. This creates significant operational requirements for exchanges and custodians, who must implement systems capable of transmitting and receiving travel rule data in real time.
A common mistake made by international operators is to implement AML systems designed for their home jurisdiction without adapting them to German requirements. BaFin's AML supervisory practice is detailed and prescriptive: it expects documented risk assessments, written AML policies and procedures, regular staff training records, and evidence of independent AML audits. BaFin conducts on-site inspections of licensed crypto businesses and has imposed significant administrative fines on firms with inadequate AML frameworks.
The interaction between AML obligations and the travel rule creates a practical challenge for businesses dealing with unhosted wallets - wallets not held by a regulated CASP. Under the TFR, transfers to or from unhosted wallets above EUR 1,000 require the CASP to collect information about the wallet owner and assess whether the wallet is controlled by the CASP's own customer. BaFin has published guidance on unhosted wallet procedures, and compliance with this guidance is assessed during supervisory reviews.
In practice, BaFin's AML supervision of crypto businesses is coordinated with the FIU and, for cross-border matters, with the European Anti-Money Laundering Authority (AMLA), which will assume direct supervisory responsibility for the largest CASPs from 2028 onwards. Building an AML framework that meets both current BaFin standards and anticipated AMLA standards is a more efficient long-term investment than retrofitting compliance systems after supervisory intervention.
To receive a checklist of AML compliance requirements for crypto businesses in Germany, send a request to info@vlolawfirm.com.
---
Practical scenarios: licensing and compliance in action
Three scenarios illustrate how the German regulatory framework applies to different business models and dispute situations.
Scenario 1: A Singapore-based exchange seeking EU market access through Germany
A Singapore-based crypto exchange with an existing MAS license wishes to offer services to EU customers and has identified Germany as its preferred licensing jurisdiction, given the MiCAR passporting benefit. The exchange provides spot trading, custody, and fiat on-ramp services.
The exchange must apply for MiCAR CASP authorisation from BaFin, covering the service categories of custody and administration, operation of a trading platform, exchange of crypto assets for fiat currency, and exchange of crypto assets for other crypto assets. It must establish a German legal entity - typically a GmbH (Gesellschaft mit beschränkter Haftung, limited liability company) or AG (Aktiengesellschaft, public limited company) - with genuine substance in Germany, including at least two managing directors resident in the EU and a physical office.
The initial capital requirement under MiCAR for a CASP providing custody and trading services is EUR 150,000. The business plan must demonstrate that the German entity has real decision-making authority and is not merely a shell for the Singapore parent. BaFin scrutinises substance requirements carefully, and applications that appear to establish a letterbox entity are rejected. The total cost of the licensing process - including legal fees, compliance infrastructure, and initial capital - typically starts from the low hundreds of thousands of euros for a business of this scale.
Scenario 2: A German fintech issuing a utility token for a loyalty programme
A German fintech company wishes to issue a utility token that grants holders access to premium features of its software platform. The token is not intended to be traded on secondary markets, but the company anticipates that a secondary market may develop.
Under MiCAR, the company must publish a white paper notified to BaFin before the token offering, unless an exemption applies. MiCAR Article 4(2) provides exemptions for tokens offered free of charge, tokens created through mining, tokens that are unique and non-fungible, and tokens offered to fewer than 150 persons per member state. If none of these exemptions apply, the white paper obligation is triggered.
The company must also assess whether the token constitutes a financial instrument under the KWG or WpHG. If the token grants governance rights or profit participation, it may be classified as a security, triggering prospectus obligations under the WpPG and investment firm licensing requirements. A non-obvious risk is that even a token designed as a pure utility token can be reclassified by BaFin if its economic substance resembles an investment product. BaFin has published guidance on token classification, and seeking a formal BaFin opinion (Auskunft) before launch is a prudent step.
Scenario 3: A BVI-incorporated DeFi protocol with German users
A decentralised finance (DeFi) protocol incorporated in the British Virgin Islands provides automated lending and borrowing services to users globally, including a significant number of German retail users. The protocol is governed by a decentralised autonomous organisation (DAO) and has no central operator.
BaFin has taken the position that the absence of a central operator does not automatically exempt a DeFi protocol from German financial regulation. Where a protocol provides services that fall within the definition of financial services under the KWG or MiCAR, and where German users are actively targeted - through German-language marketing, German payment methods, or German-focused community channels - BaFin may assert jurisdiction over the protocol's operators or developers.
The risk of inaction here is significant: operating a regulated financial service in Germany without a license is a criminal offence under section 54 KWG, punishable by imprisonment of up to five years or a fine. BaFin has the power to issue public warnings, order the cessation of unlicensed activities, and refer matters to the public prosecutor. International operators who assume that a BVI incorporation insulates them from German regulatory reach are exposed to a material legal risk.
---
Ongoing compliance obligations and supervisory engagement
Obtaining a BaFin license or MiCAR authorisation is the beginning of the compliance journey, not the end. German-licensed crypto businesses face a continuous set of supervisory obligations that require dedicated internal resources or external compliance support.
Licensed CASPs must submit regular reports to BaFin, including annual financial statements audited by a BaFin-approved auditor, periodic prudential reports, and incident notifications for significant operational or security events. MiCAR Article 30 requires CASPs to notify BaFin of any material changes to their business model, governance arrangements, or IT systems before implementing those changes. Failure to notify can result in supervisory measures including license suspension.
Capital adequacy monitoring is an ongoing obligation. CASPs must maintain their initial capital at all times and must notify BaFin immediately if their own funds fall below the required minimum. MiCAR Article 67 requires CASPs to hold own funds equal to the higher of the fixed minimum capital requirement and one quarter of fixed overheads from the preceding year. For growing businesses, the fixed overhead requirement can exceed the fixed minimum capital as the business scales, requiring capital injections that must be planned in advance.
Governance requirements under MiCAR are detailed. CASPs must have a management body with collective expertise in crypto asset markets, technology, and financial regulation. At least one third of management body members must be independent. The management body must meet regularly, maintain minutes of its meetings, and conduct an annual self-assessment of its effectiveness. BaFin reviews governance arrangements during supervisory reviews and expects evidence of genuine board-level engagement with risk and compliance matters.
Cybersecurity is a particular focus of BaFin's supervisory approach to crypto businesses. BaFin applies the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) to CASPs, requiring them to implement ICT risk management frameworks, conduct regular penetration testing, maintain incident response plans, and report major ICT incidents to BaFin within prescribed timeframes. DORA's requirements are technically demanding and require investment in specialist cybersecurity expertise.
A loss caused by an incorrect compliance strategy - for example, implementing a governance framework that satisfies MiCAR on paper but fails to reflect actual decision-making processes - can result in BaFin imposing remediation requirements that are more costly and disruptive than building a compliant framework from the outset. BaFin's supervisory reviews are thorough, and the gap between formal compliance and substantive compliance is a recurring theme in enforcement actions.
---
FAQ
What is the most significant practical risk for a foreign crypto business entering Germany?
The most significant practical risk is operating a regulated activity without a required BaFin license or MiCAR authorisation. German financial regulation applies based on where services are provided and where customers are located, not solely where the business is incorporated. A foreign operator that actively markets crypto asset services to German customers - through German-language content, German payment methods, or targeted advertising - is likely providing regulated services in Germany. BaFin monitors unlicensed activity actively and has the power to issue public warnings, order cessation of activities, and refer cases to criminal prosecutors. The criminal liability under section 54 KWG applies to individual managers, not only to the corporate entity, which creates personal exposure for directors and senior officers.
How long does the BaFin licensing process take, and what does it cost?
The formal processing timeline under MiCAR is 25 working days for a completeness assessment and 40 working days for a substantive decision, with a possible 20-working-day extension. In practice, the total elapsed time from initial preparation to license grant is typically six to twelve months for a well-prepared application. The main variables are the complexity of the business model, the quality of the application package, and the extent of pre-application engagement with BaFin. Legal and compliance advisory fees for a full licensing project typically start from the low tens of thousands of euros for simpler business models and can reach the mid-to-high hundreds of thousands for complex multi-service applications. Initial capital requirements range from EUR 75,000 to EUR 150,000 depending on the license category, and ongoing compliance infrastructure - including AML systems, cybersecurity measures, and audit costs - represents a significant recurring cost.
When should a business choose a German CASP authorisation over licensing in another EU jurisdiction?
Germany is the preferred choice when the business intends to serve German institutional or retail clients directly, when the German market is a primary revenue source, or when the reputational benefit of a BaFin license is commercially significant. Germany's regulatory framework is demanding but well-respected: a BaFin-supervised entity is viewed as a credible counterparty by German banks, institutional investors, and corporate clients. For businesses whose primary market is outside Germany but who wish to passport across the EU, other jurisdictions with lighter supervisory frameworks may offer a faster and less costly path to MiCAR authorisation. However, the passporting benefit is the same regardless of the licensing jurisdiction, and businesses that subsequently seek to build a significant German client base will face BaFin scrutiny regardless of where they are licensed. The strategic choice depends on the business's geographic priorities, its risk appetite for regulatory scrutiny, and its capacity to meet ongoing compliance obligations.
---
Conclusion
Germany's crypto and blockchain regulatory framework is comprehensive, technically demanding, and actively enforced. The combination of BaFin's national supervisory powers and the EU-wide MiCAR framework creates a dual-layer compliance environment that rewards careful preparation and penalises shortcuts. For international businesses, the German market offers genuine commercial opportunity and the reputational benefit of operating under one of Europe's most rigorous regulatory regimes - but only for those who invest in building compliant structures from the outset.
The key strategic decisions - legal entity structure, license category, AML framework design, and governance architecture - must be made before the application process begins, not during it. Errors at the design stage are costly to correct under supervisory scrutiny.
To receive a checklist of key steps for obtaining a crypto license in Germany, send a request to info@vlolawfirm.com.
Our law firm VLO Law Firms has experience supporting clients in Germany on crypto asset regulation, BaFin licensing, MiCAR compliance, and blockchain business structuring matters. We can assist with license application preparation, AML framework design, governance structuring, and ongoing supervisory engagement. To receive a consultation, contact: info@vlolawfirm.com