Agefi Luxembourg - juillet août 2026

Juillet / Août 2026 27 AGEFI Luxembourg Fonds &Marchés ByAdrienPIERRE, Partner, Banking&Finance & Elena MOUZAKI, Associate, Banking & Finance, Loyens & Loeff Luxembourg W ith the expiry of the transi­ tional regime for virtual asset service providers on 1 July 2026, theMarkets in CryptoAssetsRegulation (MiCAR) is nowfully opera­ tional as the EU’s harmonised framework for cryptoasset services. Firms seeking topro­ vide cryptoasset servicesmust either obtain aCASP authorisa­ tionor, where eligible, rely on a simpler notification regime to extend an existing regulated licence. Early interactions with the LuxembourgCommis­ sion de Surveillance du Secteur Financier (CSSF) show that, irrespective of the route chosen, signifi­ cant emphasis is placed on the quality, complete­ ness and consistency of the information provided. In addition, thirdcountry groups seeking to ac­ cess the EU market through Luxembourg should carefully assess the CSSF’s expectations regarding local substance, governance arrangements and the organisation of crossborder activities at an early stage. With an increasing number of CASP li­ cences nowbeing granted in Luxembourg, devel­ opments in this area have become a subject of particular interest for market participants. CSSF authorisation versus CSSF notification: which option is available to eachmarket player? UnderMiCAR,firmswishingtoprovidecryptoasset servicesinLuxembourgcaneitherobtainafullCASP authorisation or, where eligible, rely on the MiCAR notification procedure. The CSSF is the competent authority responsible for both routes. A full CASP authorisation is required for entities that do not already hold a qualifying financial licence. This optioninvolvesacomprehensiveapplicationprocess, requiring firms to demonstrate compliance with MiCAR’sgovernance,organisational,ICT,AML/CFT and prudential requirements. Once authorised, a LuxembourgCASPmayprovidetheapprovedcryp­ toasset services across the EU under the MiCAR passporting framework. Thenotificationprocedureprovidesasimplifiedalter­ native for certain regulated entities, including credit institutions,investmentfirms,electronicmoneyinsti­ tutions, UCITSmanagement companies andAIFMs. Rather than obtaining a separate CASP licence, these entitiesmay notify theCSSF of their intention to pro­ videspecificcryptoassetservicesthatarelinkedtoor equivalenttotheirexistingregulatedactivities. While generally faster and less burdensome than a full authorisation, the notification route is only available for certain services and remains subject to the limita­ tions set out inMiCAR. Firms should therefore care­ fullyassesswhethertheirintendedcryptoassetactiv­ ities fallwithin the scope of the notification regime or require a full CASPauthorisation. Initial contactwith theCSSF Before formally submitting a CASP authorisation application or notification, firms are encouraged to engage with the CSSF at an early stage. Entities already supervised by the CSSF should typically approach their usual supervisory contact, while non­ supervised entitiesmay contact the CSSF through its dedicated MiCAR channel. In practice, the process generallybeginswithanintroductorymeetingduring which the applicant presents its business model, the cryptoassetservicesitintendstoprovideanditsoper­ ating structure. The CSSF expects firms to demon­ strate a clear understanding of how their activities fit within the MiCAR framework and to provide suffi­ cient detail to facilitate the regulatory assessment. Tosupporttheseinitialdiscussions,applicantsshould bepreparedtoprovideadetailedbusinessplan,trans­ actionandwalletflowdiagrams,andaclearexplana­ tionof the role of any thirdpartyproviders, interme­ diaries or group entities involved in the operating model. As a result, thorough preparation and clear documentation from the outset can help streamline the applicationprocess andaddress potential regula­ tory concerns at an early stage. Applications for CASP authorisations and notifica­ tionsmust be submitted electronically via the CSSF’s ManagedFileTransfer ( MFT ) platform.Access to the platformis provided to applicants by theCSSF upon request.Oncesubmitted,theCSSFreviewsthedocu­ mentation uploaded and engages with applicants through written correspondence, calls and meetings asappropriatethroughouttheassessmentprocess.To date, the CSSF has largely implemented the MiCAR framework through the adoption of applicable EU regulatory and implementing technical standards, guidelines and recommendations, but has not issued material Luxembourgspecific guidance for CASP applicants. Firms are therefore expected to closely monitorandcomplywiththeevolvingEUregulatory framework, which remains the primary reference point of the Luxembourg regulator for both authori­ sation applications andnotifications. CASPnotification: process and requireddocumentation While the notification regime is intended to be more streamlined than a full CASPauthorisation, it should not be regarded as amere formality. The notification must be submitted to the CSSF at least 40 working days prior to the intended commencement of the rel­ evant cryptoasset services. The CSSF expects notifi­ cations to be supported by clear, comprehensive and wellsubstantiated documentation and may request additionalinformationwherenecessary.Uponreceipt of a notification, theCSSF has up to 20working days to assess whether the file is complete. Where addi­ tional information is requested, the 40workingday notificationperiodissuspended(once,foraperiodof up to 20 working days) until the requested informa­ tionhas beenprovided. Inpractice,aCASPnotificationrequiresdetailedinfor­ mation on the applicant’s business model, organisa­ tionalstructureandthecryptoassetservicesitintends to provide. This includes, among other things, a description of the proposed services and relevant cryptoassets, the target markets and client base, any changes to the governance and control framework required to accommodate the proposed cryptoasset activities, the availability of adequate human and financial resources, and the firm’s ICT, cybersecurity and operational resilience arrangements, including compliancewithDORAwhere applicable. The CSSF also expects firms to demonstrate how the proposed cryptoasset services fall within the scope oftheirexistingregulatorypermissionsandtosubmit policies and procedures that adequately address the requirements of MiCAR. In many cases, this will require existing frameworks to be updated to reflect the new activities. Depending on the services con­ cerned, firms may need to adopt or revise arrange­ ments relating to conflicts of interest, safeguarding of client assets, outsourcing, operational resilience, AML/CFTcontrolsandbusinesscontinuityplanning. Firms should therefore ensure that their notification package clearlyevidences bothoperational readiness and compliancewith the applicableMiCARrequire­ ments before submitting it to theCSSF. CASP authorisation application: process and requireddocumentation Entities that do not already hold a regulated status allowing them to rely on the notification regime, or that intend to provide cryptoasset services beyond the scope of that regime, must obtain a full CASP authorisationfromtheCSSFbeforecommencingtheir activities.Thisisasignificantlymoreextensiveprocess than a notification and requires the submission of a comprehensive applicationfile. Theauthorisationprocessissubjecttostatutorytime­ lines. Upon receipt of an application, the CSSF has up to 25 working days to assess whether the file is complete. Where information or documentation is missing, the CSSF may request additional informa­ tion,inwhichcasetheassessmentperiodissuspend­ ed until the applicant has provided the requested materials. Once the application has been deemed complete, the CSSF has up to 40 working days to carryoutitssubstantiveassessmentoftheapplication. Inpractice, however, applicants should factor in sev­ eralmonths for their applicationprocess, asmultiple rounds of questions, information requests and fol­ lowupdiscussionswith theCSSFareoften required before a final decision is reached. ACASPauthorisation applicationmust address all aspects of the proposed business and demonstrate the applicant’s ability to complywith the organisa­ tional, prudential and conduct requirements of MiCAR. Applicants are expected to provide, among other things: corporate and organisational information, includ­ ing ownership structure, group organisation and governance arrangements; a detailedprogramme of operations describing the cryptoasset services tobeprovided, the tar­ getmarket,businessstrategyandfinancialpro­ jections; comprehensive governance and internal control frameworks, including the alloca­ tion of responsibilities, risk management arrangements and compliance controls; informationon the suitability, experience and good repute of members of theman­ agement body and other key function holders; evidenceofcompliancewithapplicablepru­ dential requirements, including own funds requirementswhere relevant; detailed ICT, cybersecurity and operational resilience arrangements, including compliance with DORAwhere applicable; policies andprocedures addressingAML/CFT, con­ flictsofinterest,outsourcing,complaintshandlingand business continuity; and where relevant, arrangements for the safeguarding of client cryptoassets and funds, custody processes andother servicespecific controls. Depending on the exact type of cryptoasset services intendedtobeoffered,additionalinformationordoc­ umentation may be required as part of the CASP applicationprocess. Particularattentionisgenerallypaidtolocalsubstance, operational resilience and the applicant’s ability to effectively manage the risks associated with crypto­ asset activities. Applicants should therefore ensure that the application file clearly demonstrates that the necessary resources, expertise, systems and controls arealreadyinplace,orwillbeinplaceinLuxembourg, before commencing activities. Practical CSSF expectations andpoints of attention In practice, the Luxembourg regulator applies strict quality standards to submitted files. Although MiCAR is an EUharmonised framework and Luxembourg has not, to date, introduced material Luxembourgspecific “goldplating” for CASPs, applicantsshouldnotunderestimatethelevelofdetail expectedbytheCSSF.Notificationsandauthorisation filesmustbecomplete,transparentandwellsubstan­ tiated, with explanatory drafting rather than mere crossreferences to internal policies. The CSSF will assesswhethertheproposedoperatingmodelisgen­ uinely sound and compliant inpractice. Akey area of focus is the operational organisation of theproposedcryptoassetservices.Applicantsshould be prepared to provide clear process descriptions, transactionandwalletflowcharts,reportinglinesand responsibility matrices demonstrating how the ser­ vices will operate in practice. For institutions using the notification route, MiCARspecific requirements shouldbe carefullymappedagainst the existinggov­ ernance, compliance, riskmanagement, outsourcing, ICT, conflicts of interest, complaints handling and AML/CFT framework. In many cases, the preferred approach will be to update existing policies or add targetedcryptospecificsupplementsratherthancre­ ating a fullyparallel policy framework. The CSSF also pays close attention to thirdparty arrangements and outsourcing, whether within or outside the EU.Applicants should clearly identify all externalserviceproviders,assesswhethertherelevant arrangements qualifyas outsourcingandensure that DORArequirementsareproperlyaddressed.Aswith other Luxembourg regulated entities, outsourcing arrangements will need to be robustly documented and monitored, including from an ICT and opera­ tional resilience perspective. For thirdcountrygroups, particular attentionshould be paid to the overall accessmodel to the EUmarket. Thereisnogeneralcrossborderregimeallowingnon­ EU entities to provide cryptoasset services into Luxembourgor theEUwithout appropriateMiCAR authorisation or notification. Broker models, shared order bookarrangements, custodymodels and intra­ groupreliancestructuresshouldthereforebecarefully assessedatanearlystage.ESMA’sguidanceonshared order book andbrokermodels usedbyglobal crypto groups relying on nonEU execution venues should be carefully reviewed and reliedupon. Otherrecurringpointsofattentionincludethelocation andorganisationofcryptoassetcustodyandthesafe­ guarding and segregation of client assets.Applicants are expected to demonstrate robust arrangements in these areas to ensure compliancewithMiCAR’s pru­ dential and investor protection requirements. Applicants should also give careful thought to Luxembourg substance. A minimal local setup is unlikely to be sufficient. In practice, the CSSF will expect staffing levels to be proportionate to the com­ plexity,scaleandriskprofileoftheproposedbusiness. Formorecomplexbusinessmodels,orwhereanexist­ inginternationalclientbaseisintendedtobemigrated toLuxembourg,sufficientstaffandoperationalcapac­ ityshouldbeinplacefromtheoutsetratherthanbuilt gradually after authorisation. Prefiling discussions with theCSSF are therefore particularly important. At that stage, applicants should be prepared to pre­ sent, at aminimum, the plannedbusinessmodel, the qualificationofthecryptoassetservicestobeprovid­ ed in Luxembourg, initial forecasts and financing information, the shareholdingandgovernance struc­ ture, outsourcing arrangements, custody and safe­ keeping arrangements, any broker or shared order bookmodel, and theAML/CFT framework. Finally, futureCSSF communicationsmayapply cer­ tain governance expectations applicable to other reg­ ulated entities by analogy (pending more dedicated guidance). What should applicant firms do? Whether pursuing a CASP authorisation or submit­ ting a notification for a topup, firms should invest sufficienttimeinpreparingarobustapplicationpack­ age that clearly articulates their businessmodel, con­ trolframeworkandcompliancewithMiCARrequire­ ments. Early engagement with the CSSF and careful alignment with the evolving EU regulatory frame­ work can significantly contribute to a smoother reviewprocess. WhyLuxembourg? The recent wave of CASP authorisations in Luxembourg, which already counts 13 authorised providers, reflects the increasing appeal of Luxembourg for cryptoasset businesses,whichben­ efit from the country’s stable and innovationdriven financialecosystem,deeppoolofinternationalexper­ tise,matureregulatoryframework,collaborativereg­ ulator and access to the EUsinglemarket. The presence of wellestablished fintech and digital asset players that have chosen Luxembourg as their European base further reinforces the jurisdiction’s position as a key destination for businesses seeking MiCARauthorisation. MiCAR in full force: key considerations for CASP applications and notifications in Luxembourg L a quantité demonnaie en circulation dans la zone euro a continué dʹaugmen­ ter enmai, selon les dernières statis­ tiques de la Banque centrale européenne (BCE), reflétant une améliorationprogressive du financement de lʹéconomie. Cette évolution est portée par une hausse des crédits accordés aux ménages (+3,1 %) et surtout aux entre­ prisesnonfinancières(+4,0%),ainsiqueparunepro­ gressiondes dépôts des entreprises. Lesdépôtsdesménagessontrestésstables,tandisque ceuxdesfondsdʹinvestissementontcontinuédedimi­ nuer, mais à un rythme moins marqué que le mois précédent. Cette évolution laisse entrevoir une stabi­ lisation progressive de lʹactivité des fonds, dans un contextedereprisegraduelledesconditionsdefinan­ cement. La BCE souligne également que la progres­ siondes créances sur le secteurprivé constituedésor­ mais le principal moteur de lʹexpansion monétaire dans la zone euro. Selon lʹinstitution, ces évolutions confirment une améliorationprogressivede ladistri­ butionde financements par les banques. Source : BCE La BCE voit une amélioration pour les fonds d’investissement © magnific

RkJQdWJsaXNoZXIy Nzk5MDI=