Germany is one of the few jurisdictions in the European Union that has developed a detailed, enforceable legal framework for crypto and blockchain businesses before the EU-wide Markets in Crypto-Assets Regulation (MiCA) became fully applicable. The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) treats most crypto assets as financial instruments, which means operating without a licence is a criminal offence, not merely an administrative violation. For international founders and investors, this creates both a compliance burden and a competitive advantage: a BaFin-regulated entity carries credibility that offshore structures cannot replicate.
The business opportunity is concrete. Germany';s legal framework allows licensed entities to custody crypto assets for third parties, operate trading platforms, provide portfolio management in crypto, and issue tokenised securities - all within a single regulated perimeter. The risk of ignoring this framework is equally concrete: BaFin has the authority to order the immediate cessation of unlicensed activities and to impose fines that can reach into the millions of euros.
This article covers the corporate forms available, the licensing categories under German and EU law, the structuring logic for holding and operating entities, the compliance obligations that apply from day one, and the practical risks that international clients most frequently underestimate.
---
Germany transposed the EU';s Fifth Anti-Money Laundering Directive (5AMLD) and the Second Payment Services Directive (PSD2) into national law, and simultaneously introduced a domestic crypto custody licence under the German Banking Act (Kreditwesengesetz, KWG). Section 1(1a) sentence 2 no. 6 KWG defines crypto custody business (Kryptoverwahrgeschäft) as the safekeeping, administration and securing of crypto assets or private cryptographic keys for third parties. This was a world-first statutory definition at the time of its introduction.
Beyond custody, the following activities trigger BaFin authorisation requirements under KWG or the German Securities Trading Act (Wertpapierhandelsgesetz, WpHG):
The German Electronic Securities Act (Gesetz über elektronische Wertpapiere, eWpG), which came into force in 2021, added a further layer: it permits the issuance of bearer bonds and fund units as blockchain-based electronic securities registered in a crypto securities register (Kryptowertpapierregister). Entities maintaining such a register require a separate BaFin registration under eWpG Section 16.
A non-obvious risk for international founders is the broad interpretation of "crypto assets as financial instruments." BaFin has consistently taken the position that utility tokens with investment characteristics fall within the definition of securities under the EU Prospectus Regulation (Regulation (EU) 2017/1129), requiring either a prospectus or an exemption. Launching a token without a prior BaFin analysis of its classification is one of the most common and costly mistakes made by international teams entering the German market.
The MiCA Regulation (Regulation (EU) 2023/1114) applies directly in Germany from the end of 2024 for asset-referenced tokens and e-money tokens, and from mid-2025 for all other crypto-asset service providers (CASPs). MiCA does not replace KWG for activities that remain within the banking law perimeter, but it creates a parallel authorisation pathway for activities that were previously unregulated at the EU level. German entities that already hold a BaFin licence under KWG benefit from a transitional grandfathering period, but must still notify BaFin of their intention to operate under MiCA and demonstrate compliance with the new requirements within the prescribed window.
---
The choice of corporate form is not merely a formality. It determines liability exposure, governance flexibility, minimum capital requirements, and the speed at which BaFin will process a licence application.
Gesellschaft mit beschränkter Haftung (GmbH) is the standard choice for most crypto startups and mid-sized operators. The GmbH requires a minimum share capital of EUR 25,000, of which at least half must be paid in at incorporation. It offers limited liability, a flexible shareholder agreement (Gesellschaftervertrag), and is well understood by BaFin';s licensing teams. The incorporation process takes approximately four to six weeks from notarisation to entry in the commercial register (Handelsregister), assuming no complications with the articles of association.
Aktiengesellschaft (AG) is required or strongly preferred when the business model involves issuing shares to the public, listing on a regulated market, or operating as a crypto exchange with institutional counterparties. The AG requires a minimum share capital of EUR 50,000 and involves a more complex governance structure with a management board (Vorstand) and a supervisory board (Aufsichtsrat). Incorporation takes eight to twelve weeks. For a crypto custody or trading business targeting institutional clients, the AG signals a level of governance maturity that the GmbH cannot fully replicate.
Kommanditgesellschaft auf Aktien (KGaA) is occasionally used by crypto fund structures where a general partner retains operational control while limited partners provide capital. This form is less common but offers structural flexibility for tokenised fund products.
A common mistake made by international founders is to incorporate a GmbH with the minimum EUR 25,000 capital and then discover that BaFin';s fit-and-proper assessment for a crypto custody licence requires demonstrable financial resources significantly above the statutory minimum. BaFin expects the entity to hold own funds sufficient to cover at least three months of fixed operating costs, in addition to the minimum capital. For a business with meaningful operational infrastructure, this can mean maintaining EUR 150,000 to EUR 500,000 or more in own funds from the outset.
The managing director (Geschäftsführer) of the GmbH, or the management board members of an AG, must satisfy BaFin';s reliability (Zuverlässigkeit) and professional suitability (fachliche Eignung) requirements under KWG Section 33. This means at least one managing director must have demonstrable experience in financial services, risk management or a directly comparable field. Appointing a nominee director with no relevant background is not a viable strategy: BaFin will reject the application and the delay can cost six to twelve months of runway.
To receive a checklist for corporate form selection and initial capital planning for a crypto and blockchain company in Germany, send a request to info@vlolawfirm.com
---
The BaFin licensing process for crypto-related activities is structured but demanding. Understanding the sequence and the realistic timelines is essential for business planning.
Pre-application phase. Before submitting a formal application, BaFin strongly encourages a preliminary meeting (Vorgespräch). This is not a legal requirement, but it is practically indispensable. In the preliminary meeting, BaFin';s examiners assess whether the proposed business model falls within a specific licence category, identify documentation gaps, and flag structural issues that would cause a formal rejection. Scheduling a preliminary meeting typically takes four to eight weeks from the initial request.
Formal application submission. The application package for a crypto custody licence under KWG Section 32 includes, at minimum: a detailed business plan covering at least three years, organisational charts, IT security documentation, AML/CFT policies and procedures, fit-and-proper documentation for all managing directors and qualifying shareholders, and evidence of minimum own funds. BaFin publishes a checklist of required documents, but the checklist understates the depth of analysis required in the business plan. A business plan that reads like a pitch deck rather than a regulatory submission will be returned with a request for supplementation, adding three to six months to the timeline.
BaFin review period. Once BaFin declares the application complete (vollständig), the statutory review period is twelve months under KWG Section 33(4). In practice, BaFin issues queries (Nachfragen) during the review, and each query restarts a response clock. A well-prepared application with no material gaps can receive a decision in six to nine months. A poorly prepared application can remain in review for eighteen to twenty-four months.
Costs. BaFin charges administrative fees for licence applications. These fees vary by licence category and are set under the BaFin Fee Regulation (BaFin-Gebührenverordnung). Legal and advisory fees for preparing a complete application package typically start from the low tens of thousands of euros for a straightforward custody licence and can reach the mid-six figures for a complex multi-licence application involving trading, custody and portfolio management. Founders should budget separately for IT security audits, AML policy drafting, and ongoing compliance officer costs.
MiCA authorisation pathway. Under MiCA, a CASP authorisation application is submitted to BaFin as the competent national authority. BaFin then has forty working days to assess completeness and a further forty working days to reach a decision, with the possibility of extension. The MiCA application requirements overlap significantly with KWG requirements, but MiCA adds specific requirements around white paper disclosure, conflict of interest policies, and client asset segregation that go beyond the KWG baseline.
A non-obvious risk in the licensing process is the treatment of qualifying shareholders. Any person or entity holding ten percent or more of the shares in the applicant entity must undergo BaFin';s fit-and-proper assessment. If a qualifying shareholder is a foreign holding company with opaque ownership, BaFin will require full beneficial ownership disclosure up the chain. Structures involving multiple layers of offshore holding companies are not automatically disqualifying, but they add significant documentation burden and extend the review timeline.
---
Most serious crypto and blockchain businesses operating in Germany do not consist of a single German entity. They operate as a group, with distinct entities performing distinct functions. The structuring logic follows three principles: regulatory perimeter management, tax efficiency, and liability isolation.
The operating entity. The German GmbH or AG holds the BaFin licence and conducts all regulated activities. It employs the compliance officer, the AML officer, and the key management personnel. It holds the minimum own funds required by BaFin. It is the entity that signs client agreements and appears on the BaFin public register.
The holding entity. A holding company - often incorporated in Germany, Luxembourg, the Netherlands or another EU jurisdiction - holds the shares in the operating entity. The holding entity does not conduct regulated activities and therefore does not require a BaFin licence. It receives dividends from the operating entity and can hold equity stakes in other group companies. The choice of holding jurisdiction affects the tax treatment of dividends and capital gains, the availability of double tax treaties, and the ease of future fundraising.
A common structuring mistake is to place the holding entity in a jurisdiction that triggers BaFin';s qualifying shareholder assessment in a way that creates disclosure problems. If the holding entity is incorporated in a jurisdiction that does not exchange information with German authorities, BaFin will require additional evidence of beneficial ownership, and the application timeline will extend accordingly.
The IP entity. Blockchain protocols, smart contract code, proprietary trading algorithms and brand assets represent significant value in a crypto business. Holding these assets in a separate entity - often in a jurisdiction with a favourable IP box regime - allows the group to charge royalties to the operating entity, reducing the taxable profit at the operating level. Germany does not have a dedicated IP box regime, but it does allow deductions for royalty payments to related parties, subject to transfer pricing rules under the German Income Tax Act (Einkommensteuergesetz, EStG) and the German Foreign Tax Act (Außensteuergesetz, AStG).
The transfer pricing rules are a hidden pitfall that many international founders discover only after the first German tax audit. AStG Section 1 requires that all intra-group transactions be conducted at arm';s length. If the royalty rate charged by the IP entity to the German operating entity is not supported by a contemporaneous transfer pricing study, the German tax authority (Finanzamt) can recharacterise the arrangement and impose additional tax plus interest. Transfer pricing documentation should be prepared before the first intra-group payment is made, not retrospectively.
Token issuance structures. If the group plans to issue tokens - whether utility tokens, security tokens or asset-referenced tokens - the issuing entity must be carefully chosen. Issuing tokens from the German operating entity subjects the issuance to BaFin';s prospectus or white paper requirements. Issuing from a foreign entity does not automatically avoid German regulatory reach: if the tokens are offered to German residents, BaFin';s jurisdiction is triggered under the territorial principle. The structuring of a token issuance requires a prior legal opinion on classification, a decision on the issuing entity, and a disclosure document that satisfies either the EU Prospectus Regulation or MiCA';s white paper requirements.
To receive a checklist for group structuring and transfer pricing documentation for a crypto and blockchain company in Germany, send a request to info@vlolawfirm.com
---
Obtaining a BaFin licence is the beginning of the compliance journey, not the end. German law imposes ongoing obligations that require dedicated internal resources and external legal support.
AML obligations. The German Money Laundering Act (Geldwäschegesetz, GwG) designates crypto custody businesses and crypto exchange operators as obligated entities (Verpflichtete) under GwG Section 2(1) no. 10. This means the entity must appoint a money laundering compliance officer (Geldwäschebeauftragter), implement a risk-based AML programme, conduct customer due diligence (KYC) on all clients, maintain transaction monitoring systems, and file suspicious activity reports (Verdachtsmeldungen) with the Financial Intelligence Unit (Zentralstelle für Finanztransaktionsuntersuchungen, FIU) where required.
The KYC requirements for crypto businesses are more demanding than those for traditional financial institutions in one specific respect: the Travel Rule. Under the EU';s Transfer of Funds Regulation (Regulation (EU) 2015/847), as amended to cover crypto assets, a crypto asset service provider must transmit originator and beneficiary information alongside every crypto transfer above EUR 1,000. Compliance with the Travel Rule requires technical integration with a Travel Rule solution provider and legal agreements with counterparty CASPs. Many early-stage crypto businesses underestimate the technical and legal cost of Travel Rule compliance and discover the gap only when BaFin conducts its first supervisory review.
Data protection. The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies fully to crypto businesses operating in Germany. Blockchain-based systems present a specific tension with GDPR';s right to erasure (Article 17 GDPR): data written to an immutable ledger cannot be deleted. German data protection authorities (Datenschutzbehörden) have issued guidance on pseudonymisation and off-chain storage as mitigating measures, but the legal risk of storing personal data on-chain has not been fully resolved. Founders should design their data architecture with GDPR compliance in mind before the first line of code is written.
Ongoing BaFin reporting. Licensed entities must submit annual financial statements to BaFin, report material changes to their business model or ownership structure within defined timeframes, and notify BaFin of any changes to managing directors or qualifying shareholders. Failure to notify BaFin of a qualifying shareholder change within the required period - typically three months under KWG Section 2c - can result in BaFin ordering the suspension of voting rights attached to the relevant shares.
Practical scenarios.
Consider three scenarios that illustrate the range of compliance challenges:
---
The decision to establish a crypto and blockchain company in Germany involves a genuine cost-benefit analysis. The regulatory burden is real, but so is the strategic value of a BaFin-regulated entity.
When Germany is the right choice. Germany is the right primary jurisdiction when the business model requires institutional counterparties, when the target client base is in the EU, when the business involves custody or trading of assets that are clearly financial instruments, or when the founders want the credibility signal of BaFin regulation for fundraising purposes. The MiCA passport - which allows a CASP authorised in one EU member state to operate across all member states - makes Germany an attractive hub for EU-wide crypto operations.
When Germany may not be the right primary jurisdiction. Germany';s regulatory framework is demanding and the licensing timeline is long. For a startup that needs to launch quickly and iterate, the six-to-eighteen-month BaFin licensing timeline may be commercially prohibitive. In that case, structuring the initial operating entity in a jurisdiction with a faster licensing process - such as Lithuania, Estonia or Malta within the EU - while establishing a German entity for the medium term is a legitimate alternative. The risk of this approach is that the foreign entity';s licence may not be recognised by German institutional counterparties, and the MiCA transitional provisions may not apply to entities that were not already licensed in Germany before MiCA';s full application date.
The economics of the decision. A realistic budget for establishing a BaFin-licensed crypto custody or trading entity in Germany includes: incorporation costs (low thousands of euros), minimum own funds (EUR 125,000 to EUR 730,000 depending on licence category under KWG), legal fees for the licence application (starting from the low tens of thousands of euros), IT security audit (low to mid tens of thousands of euros), AML policy and compliance infrastructure (ongoing annual cost in the tens of thousands of euros), and senior compliance officer salary (EUR 80,000 to EUR 150,000 per year in Germany). Total first-year costs for a well-structured operation typically fall in the range of EUR 300,000 to EUR 700,000, excluding own funds.
The cost of an incorrect strategy is higher. A business that begins operating without a licence, receives a BaFin cease-and-desist order, and then attempts to regularise its position faces not only the original licensing costs but also legal fees for the enforcement proceedings, potential fines, reputational damage with institutional counterparties, and the loss of revenue during the period of forced inactivity. The risk of inaction is asymmetric: the longer an unlicensed business operates in Germany, the greater the enforcement exposure.
Comparing alternatives in plain terms. A German GmbH with a KWG crypto custody licence offers the broadest regulatory coverage for EU institutional clients but requires the longest setup time and the highest ongoing compliance cost. A Lithuanian VASP registration under the national AML framework offers faster setup but provides no MiCA passport and is viewed with scepticism by German institutional counterparties. A Malta Virtual Financial Assets (VFA) licence offers a structured EU framework but Malta';s supervisory reputation has been questioned by the European Banking Authority. For a business targeting German and EU institutional clients with a three-to-five-year horizon, the German route is the most defensible.
We can help build a strategy for your crypto and blockchain company setup in Germany, including licensing pathway analysis, corporate structuring and compliance programme design. Contact info@vlolawfirm.com to discuss your specific situation.
---
What is the biggest practical risk for a foreign founder setting up a crypto company in Germany?
The biggest practical risk is underestimating BaFin';s fit-and-proper requirements for managing directors and qualifying shareholders. Many foreign founders appoint directors without relevant financial services experience, or structure their shareholding through opaque holding chains, and discover only after submitting the application that BaFin will not approve the structure. Correcting these issues after submission adds six to twelve months to the timeline and requires restructuring costs that could have been avoided with proper planning. A preliminary meeting with BaFin before incorporation is the single most effective risk mitigation measure. Legal counsel familiar with BaFin';s current practice - not just the statutory text - is essential for navigating this phase.
How long does it realistically take to obtain a BaFin crypto licence, and what does it cost?
A well-prepared application for a crypto custody licence under KWG Section 32 takes six to nine months from the date BaFin declares the application complete. Adding the pre-application phase and document preparation, the realistic total timeline from the decision to apply to receiving the licence is twelve to eighteen months. Total costs, including legal fees, own funds, compliance infrastructure and personnel, typically fall between EUR 300,000 and EUR 700,000 in the first year. Founders who budget for six months and EUR 100,000 consistently run out of runway before the licence is granted. The financial planning for a BaFin licensing project must be conservative and must account for delays caused by BaFin queries.
Should a crypto startup use a German entity as the primary operating entity, or is it better to use a foreign entity and passport into Germany under MiCA?
The answer depends on the business model, the target client base and the timeline. If the business needs to be operational within six months and the primary clients are retail users rather than institutional counterparties, establishing a primary operating entity in a faster-licensing EU jurisdiction and using the MiCA passport to serve German clients is a viable interim strategy. If the business targets German institutional clients - banks, asset managers, family offices - a German entity with a BaFin licence is practically necessary, because institutional clients in Germany apply their own due diligence standards and typically require their service providers to be BaFin-regulated. The two approaches are not mutually exclusive: a group can operate a foreign entity in the short term while building the German entity in parallel, provided the foreign entity does not conduct activities in Germany that require a BaFin licence.
---
Germany offers a mature, enforceable and internationally credible legal framework for crypto and blockchain businesses. The BaFin licensing process is demanding, the compliance obligations are ongoing, and the cost of entry is substantial. For businesses with a serious EU institutional strategy, these costs are justified by the regulatory credibility and the MiCA passport that a German licence provides. The key to a successful setup is early legal analysis, realistic financial planning, and a compliance infrastructure that is built before the licence is granted, not after.
To receive a checklist for the full licensing and structuring process for a crypto and blockchain company in Germany, send a request to info@vlolawfirm.com
Our law firm VLO Law Firms has experience supporting clients in Germany on crypto and blockchain regulatory matters. We can assist with BaFin licence applications, corporate structuring, AML programme design, token classification analysis and ongoing compliance support. To receive a consultation, contact: info@vlolawfirm.com