What Are the Fines for Operating Without a License in the EU?

Operating in the “underground” or informal economy within the European Union is becoming a practical impossibility. With the integration of cross-border databases, the implementation of directives like DAC8, and the harmonisation of financial regulations, the era of flying under the radar has ended. Authorities no longer rely solely on random audits; they utilise competitor complaints, whistleblower reports, and automated financial flagging to identify unregistered entities.

For entrepreneurs, the reality is stark. The cost of obtaining a proper license is a fraction of the potential fines, which can now include global turnover penalties, operational shutdowns, and personal liability for directors.

The new era of crypto penalties (MiCA)

The most significant shift in the regulatory landscape is the full application of the Markets in Crypto-Assets (MiCA) regulation. The transition period for Crypto-Asset Service Providers (CASPs) is rapidly closing. Entities that provided services under applicable national laws before December 2024 may continue to do so only until 1 July 2026 or until they are granted or refused a CASP authorisation.

The urgency is visible in jurisdictions like Lithuania. Despite having approximately 370 registered crypto firms, only around 30 have formally applied for MiCA licenses. This disparity puts hundreds of businesses at immediate risk of closure or enforcement action once the transition window shuts.

The fines

Under the new regime, financial penalties are tiered and designed to be dissuasive. Member States are mandated to empower competent authorities to impose maximum administrative fines based on the severity of the infringement. For legal persons (companies), these fines are substantial:

• for general infringements, fines can reach at least EUR 5,000,000;
• for specific serious infringements, fines are tiered and can reach up to 12.5% of the total annual turnover of the legal person.

It is critical to note that if the legal person is a subsidiary of a parent undertaking, the relevant total annual turnover is the total annual turnover resulting from the consolidated accounts of the ultimate parent undertaking. This means a compliance failure in a local subsidiary could trigger a fine calculated on the group’s global revenue.

For natural persons, such as directors or operators, maximum administrative fines can reach at least EUR 700,000 for general infringements. In cases of market abuse, these fines for individuals can escalate to EUR 5,000,000.

Operational bans and management liability

Beyond monetary loss, regulators possess the power to effectively kill a business. Competent authorities have the power to order the immediate cessation of the activity without prior warning and require the cessation of any practice considered contrary to the regulation.

The corporate veil does not protect management. Regulators can impose a temporary ban preventing any member of the management body from exercising management functions in a crypto-asset service provider.

Investment fund (AIFMD) sanctions by country

While MiCA regulates crypto-assets, many projects inadvertently cross into the territory of collective investment schemes. Marketing an investment fund without a passport or proper notification triggers specific national penalties under the Alternative Investment Fund Managers Directive (AIFMD). The severity varies significantly by Member State:

High-severity examples

• Italy: the penalties are aggressive, with directors and employees facing personal fines of up to €5,000,000 if the breach is due to their violation of duties;
• Estonia: operating without the required financial authorisation can lead to administrative penalties of up to €5 million, with criminal liability extending significantly higher in cases of severe misconduct;
• Malta: the unauthorised management of customer funds or collective investment schemes can lead to potential imprisonment of up to 4 years alongside financial penalties.

Moderate and percentage-based fines

• Romania: fines can reach up to 10% of yearly income for operating without authorisation;
• Croatia: fines up to €132,720 specifically for prospectus violations;
• Latvia: administrative penalties cap at approximately €142,300;
• Bulgaria: legal entities face fines up to roughly €100,000;
• Portugal: the securities market commission (CMVM) applies administrative fines ranging between €25,000 and €5,000,000, depending on the severity.

Request a free consultation with our experts

General Data Protection Regulation (GDPR) risks

Virtually every fintech and digital business processes the personal data of EU citizens. Operating without a license often correlates with a failure to adhere to data privacy standards, compounding the regulatory risk.

The “undertaking” rule

Similar to MiCA, GDPR fines are calculated based on the “undertaking,” which antitrust law defines as the entire economic unit. This is a critical distinction: if a local subsidiary violates GDPR, the fine is not calculated on that subsidiary’s local revenue, but on the parent company’s global turnover.

The numbers

• Severe violations: for fundamental breaches, fines can reach up to €20 million or 4% of global turnover, whichever is higher;
• Less severe violations: for administrative failures, fines can reach up to €10 million or 2% of global turnover.

General business registration & banking access

Before even reaching the level of financial regulation, operating an unregistered business triggers immediate operational paralysis, particularly regarding banking.

Banking access 

Financial institutions are under strict AML/KYC obligations. Most banks require definitive proof of registration and licensing to open a corporate account. Without this, businesses are forced to rely on personal accounts. This prevents the business from scaling, blocks access to payment processors, and often leads to the freezing of funds when the bank detects commercial activity on a personal ledger.

Immediate fines and commercial suicide

• Germany: penalties for failing to register a trade can start around €3,600 and escalate rapidly if tax evasion is suspected;
• Late filing fees: regulators impose cumulative fees for the failure to file accounts. For example, the UK Companies House imposes automatic penalties that increase over time, eventually leading to the company being struck off the register.

Beyond fines, unregistered businesses generally cannot enforce contracts in court or protect intellectual property. Under MiCA, having a registered office and a place of effective management in the Union is a prerequisite for authorisation.

Still unsure? You can rely on legal experts, it’s free

Conclusion

The European regulatory net is tightening. With the full implementation of MiCA, the “wild west” era of digital finance in Europe is definitively over. Ignorance of the law is not a defence, and the tools available to regulators – from website blocking to global turnover fines – are more powerful than ever.

The cost of compliance is an investment in longevity. The cost of non-compliance is the total loss of your business and potential personal liability.

LegalBison solution

From crypto licensing to global company formation, we ensure you operate legally. Our team specialises in navigating the transition to MiCA, helping you secure the necessary authorisation to operate without fear of enforcement.

Contact LegalBison today for a compliance audit or to start your licensing application.

Contact Us