Do You Need a Crypto License? When Licensing Is Legally Required by Activity and Country (2026)

Two variables determine whether your crypto business model requires a license: what it does, and where it operates or acquires customers. Most founders assess one and skip the other. That gap is where enforcement risk lives.

A model that sits outside regulated activity in one jurisdiction may trigger full VASP authorization in another. And a structure that was genuinely unregulated eighteen months ago may now fall under MiCA, updated FATF guidance, or a jurisdiction’s revised VASP framework. This guide maps both dimensions for 2026: which activities trigger licensing regardless of structure, which models sit in genuinely contested territory, and what the threshold tests look like in the six jurisdictions that generate the highest licensing inquiry volume globally.

For context on what each license type covers or how to apply, see what is a crypto license and the VASP license guide.

Business Models That Always Require a Crypto License

There is no structure that avoids the licensing requirement for these four model types. The obligation exists across every major regulated jurisdiction, and it attaches to the activity, not the label a platform uses to describe it.

Operating a centralized exchange. Any platform running an order book, matching engine, or holding user funds in the process of facilitating asset swaps falls within VASP, CASP, or equivalent authorization requirements across all FATF-compliant jurisdictions. The trigger is custody combined with active intermediation. Platforms that argue they are “merely connecting buyers and sellers” while holding assets during settlement have consistently failed that argument before regulators.

Providing custodial wallet services. Holding private keys on behalf of users is one of the oldest and clearest licensing triggers in the regulatory playbook. The substance controls here, not the product name. Whether the service is framed as wallets-as-a-service, an app-based wallet, or exchange-embedded custody, VASP registration or CASP authorization applies in virtually every jurisdiction that has implemented FATF Recommendation 15.

Fiat-to-crypto and crypto-to-fiat conversion. Platforms facilitating conversion between fiat currency and digital assets require authorization under payment or money services frameworks in most jurisdictions. Often that means stacked obligations: MSB registration in the US and Canada, payment institution licensing in the EU under PSD2, and equivalent regimes elsewhere, sometimes alongside VASP registration, not instead of it.

Crypto payment gateways holding funds in transit. A gateway that receives funds from payers, holds them during processing, and settles to merchants is performing a regulated payment function. The key trigger is temporary custody, even when the holding window is measured in seconds. VASP or PSP licensing requirements typically stack where crypto assets are involved.

Business Models Where the Requirement Depends on Structure

The trigger here is in the operational design, not the marketing description. These models can be built with or without a licensing requirement depending on specific technical and legal choices.

DeFi protocols. Non-custodial smart contract protocols that do not control user funds may avoid the VASP trigger in some jurisdictions, including the UK and several offshore frameworks. MiCA changed that calculus for EU-facing operations. Active solicitation of EU users by any entity associated with a DeFi product can trigger CASP authorization requirements regardless of custody model. Founders running “fully decentralized” protocols that maintain a legal entity, a website, a front end, or a token treasury should not assume non-custody equals non-regulated when serving European users.

NFT platforms. Marketplace operators facilitating sales of digital collectibles with no secondary trading features generally fall outside VASP scope. The problem is the features that get added later: secondary market trading, fractional ownership mechanisms, or yield-generating attributes can push an NFT platform into financial instrument territory. Regulatory proceedings across multiple jurisdictions are actively working through this line in 2026. If the platform’s NFTs have investment characteristics, the compliance analysis cannot start from the assumption they do not.

Crypto analytics and data tools. Pure data and analytics providers do not trigger licensing, provided the platform does not custody assets, enable transactions, or execute orders on behalf of users. Adding even a thin transaction layer changes the analysis. A “buy this asset” button routed through a third-party exchange, depending on how the revenue share or referral arrangement is structured, can introduce a licensing trigger in several jurisdictions.

Software wallet providers. Non-custodial wallet software, where the user holds sole control of private keys, is broadly license-exempt. The line is crossed when the provider manages, stores, or can access keys in any arrangement: backup key services, multi-party computation setups where the provider holds a key shard, or social recovery mechanisms that give the provider override capability. Any of these arrangements creates custodial exposure regardless of what the terms of service say.

Country-by-Country Licensing Thresholds

VARA License Requirements (Dubai, UAE)

The Virtual Assets Regulatory Authority is Dubai’s primary crypto regulator, covering the emirate’s mainland and all free zones excluding DIFC. Any firm conducting virtual asset activities in or from Dubai requires a VARA license before commencing operations. The licensing framework covers seven activity categories: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing, management and investment services, and transfer and settlement services. The threshold is activity-based, not entity-based. A foreign entity actively marketing to Dubai residents or operating through a Dubai-incorporated structure falls within VARA’s jurisdiction regardless of where its servers sit. The two-stage application process starts with an Initial Disclosure Questionnaire submitted to Dubai Economy and Tourism or a relevant free zone authority, followed by Approval to Incorporate, before the full VASP license application opens. Between August 2024 and August 2025, VARA issued enforcement notices against 36 firms for unlicensed activity and unauthorized marketing, which signals active supervision, not just a framework on paper.

Singapore Crypto License Requirements

The Monetary Authority of Singapore licenses digital payment token (DPT) service providers under the Payment Services Act 2019. Any entity providing DPT exchange, transmission, or custody services in Singapore, or to Singapore customers from abroad, must hold a Major Payment Institution license or qualify for an exemption. The trigger for foreign platforms is active solicitation. A platform marketing to Singapore-based users, or operating through Singapore-incorporated entities, must assess MAS licensing requirements regardless of server location. MAS has been explicit about this, and enforcement actions against unlicensed foreign platforms operating in Singapore have increased since 2023. The CASP license framework covers where MAS and CASP requirements intersect.

Hong Kong Crypto License Requirements

The Securities and Futures Commission requires VASP licensing for any platform operating a virtual asset exchange in Hong Kong or actively marketing virtual asset trading services to Hong Kong residents. The licensing regime came into full effect in 2023 with a transitional period for existing operators. That window closed by 2025. Platforms that delayed their application on the assumption the SFC would extend the transition should have resolved that position by now. The SFC’s determination of whether a specific virtual asset constitutes a security also affects whether obligations under the Securities and Futures Ordinance stack on top of VASP authorization.

Labuan Crypto License Requirements

The Labuan Financial Services Authority offers a Digital Asset Exchange (DAX) license for operators providing crypto exchange and custody services through Labuan-incorporated entities. Labuan is designed as a regional hub structure, useful for companies serving Southeast Asian and international markets from a single licensed vehicle. The licensing requirement attaches to the Labuan entity itself: incorporation in Labuan and operation from within the Labuan International Business and Financial Centre are both required. One thing founders consistently misread: Labuan licensing does not automatically grant access to the Malaysian domestic market. Separate approvals from Bank Negara Malaysia or the Securities Commission apply for onshore customer-facing activity.

Argentina Crypto License Requirements

Argentina’s Comision Nacional de Valores has implemented VASP registration requirements aligned with FATF guidance. Entities providing virtual asset exchange, transfer, or custody services in Argentina, or to Argentine residents, must register as Virtual Asset Service Providers with the CNV. The registration threshold is low, and the CNV interprets it broadly: any business with Argentine customers engaged in covered activities must register regardless of corporate domicile. Non-compliant foreign platforms face banking and payment processor restrictions that cut off Argentine market access at a practical level. The registration process requires a documented AML/CTF compliance program.

EU MiCA Requirements

MiCA applies to any platform offering crypto-asset services to EU customers, irrespective of where the platform is incorporated. A Cayman Islands entity serving French and German users requires CASP authorization. A BVI entity with a Polish customer base does too. The activity triggers for CASP authorization cover exchange services, order execution, portfolio management, custody, and placement of crypto assets. Transitional provisions that allowed previously operating platforms to continue under national regimes while their MiCA applications were processed are now largely exhausted across most EU member states.

LegalBison advises across 50+ jurisdictions globally. These six markets represent the highest-volume specific requirement queries the firm receives. They are not the full scope of the assessment.

Where You Are Incorporated vs. Where Your Customers Are

This distinction creates more enforcement exposure than almost any other licensing question. The two are not the same, and most regulatory frameworks treat them independently.

Does my crypto platform need a license if I am incorporated offshore but serve European customers?

Yes, under MiCA. The licensing obligation attaches to where customers are located, not where the company is registered. A Cayman Islands-incorporated exchange actively marketing to French, German, or Italian users requires CASP authorization in the EU. Offshore incorporation does not create an exemption. The test is active solicitation: platforms with EU-language interfaces, EU-targeted advertising, or EU-based customer support are considered to be serving EU customers for MiCA purposes, full stop.

Do I need a crypto license in every country where I have users?

Not always, but “not always” is not the same as “rarely.” Most jurisdictions trigger authorization requirements based on active marketing or local incorporation, not every country where a user happens to sign up. A platform that geoblocks EU users, does not advertise in the EU, and does not support EU-specific payment rails is in a different position than one with EU-language content and a Revolut integration. The active solicitation versus passive availability distinction matters, but no jurisdiction has formally codified a clean safe harbor for passive availability. The analysis is always fact-specific.

Can I operate a crypto exchange legally without any license?

The honest answer is: the space where this was possible is shrinking fast. The number of jurisdictions with no licensing requirement for crypto exchange services has declined materially as FATF mutual evaluation pressure has moved through its member states. Several offshore domiciles that previously had no framework have introduced one in the last two years. Operating without authorization in a jurisdiction that requires it creates three problems at once: regulatory enforcement risk, loss of banking access (most correspondent banks require proof of registration or licensing for crypto clients), and loss of payment processor access. At scale, those three together make the business non-functional.

Frequently Asked Questions

Who needs a crypto license in 2026? Any business operating a centralized exchange, providing custodial wallet services, facilitating fiat-to-crypto conversion, or running a crypto payment gateway that holds funds in transit requires a crypto license in virtually every major regulated jurisdiction. Non-custodial and purely software-based models face a fact-specific analysis depending on operational structure and target markets.

When does a DeFi protocol need a crypto license? A non-custodial DeFi protocol operating through immutable smart contracts without a controlling legal entity may avoid VASP licensing in some jurisdictions. Under MiCA, any entity associated with a DeFi product that actively solicits EU users faces CASP authorization requirements regardless of custody model. The non-custodial structure is relevant but not automatically determinative.

Do I need a crypto license if my company is incorporated offshore? Offshore incorporation does not exempt a business from licensing requirements in jurisdictions where customers are located. MiCA applies based on where customers are, not where the company is incorporated. Singapore, Hong Kong, Argentina, and the UAE apply similar location-of-customer tests. The offshore structure affects corporate administration and tax positioning, not the licensing trigger in customer-facing markets.

What is the difference between a VASP license and a CASP license? VASP (Virtual Asset Service Provider) is the FATF-standard term used in jurisdictions including the UK, UAE, Singapore, and most offshore centers. CASP (Crypto-Asset Service Provider) is the MiCA-specific designation used across EU member states. Both cover exchange, custody, and transfer services, but scope, documentation requirements, and authorization processes differ by jurisdiction. A business serving EU and non-EU markets may need both.

Can a crypto exchange operate globally with a single license? Not in practice. No single license provides global authorization. EU CASP authorization under MiCA carries passporting rights across all EU member states under a single application. For non-EU markets, separate registration or licensing is required in each jurisdiction where the platform actively operates. Multi-jurisdictional licensing is standard practice for exchanges with global user bases.

How long does it take to get a crypto license? Timelines vary by jurisdiction and application quality. EU VASP registrations in Lithuania and Poland have historically been processed in two to four months. MiCA CASP authorization typically runs six to twelve months from submission. Singapore MAS licensing takes six to eighteen months. The VARA process in Dubai typically runs four to ten months depending on activity scope and documentation quality. AML/CTF compliance program completeness is the single biggest variable affecting timeline.

The licensing question is not abstract. It requires mapping specific business model activities against specific jurisdictions where the platform operates and where its customers are located. Both dimensions determine the answer, and the answer changes as new frameworks come into force.

For founders at the assessment stage, the starting point is a clear activity map: what the platform does, which activities involve custody or active intermediation, and which markets it serves. That map identifies the licensing triggers. Which jurisdictions require authorization before going live, and in which order, follows from there.

LegalBison advises operators across the full licensing cycle, from initial business model analysis through application preparation, regulator liaison, and post-granting compliance support. For an assessment of your specific model, visit legalbison.com/crypto-license or review the VASP license requirements and CASP authorization process for the markets most relevant to your business.