Crypto License in Lithuania 2026 — MiCA CASP Authorization Guide

MiCA entered into force on June 29, 2023 and applied to crypto-asset service providers (CASPs) across all EU member states from December 30, 2024. Lithuania, as an EU member state, applied MiCA on that date. The old Lithuanian VASP registration (a national instrument) was not a MiCA-compliant authorisation.

The transition mechanics worked as follows:

• Grandfathering window — Existing VASP registrations remained provisionally valid through December 31, 2025. Operators could continue business during this period without a full MiCA authorisation, provided they submitted a MiCA application before the deadline.
• Post-deadline status — Any VASP that did not submit a MiCA application by December 31, 2025 lost the right to operate in Lithuania. Lithuania originally set a shorter transitional deadline but extended it to December 31, 2025 as the final cut-off; no further extension beyond that date was granted.
• New applicants from January 1, 2026 — There is no VASP registration pathway. All new entrants must apply directly for a MiCA CASP authorisation under Article 59 of MiCA.
• Applications in progress — VASPs that filed before December 31, 2025 may continue operating while the Bank of Lithuania processes their MiCA application, until a final decision is issued.

In practice, the public VASP register maintained by the Register of Legal Entities now distinguishes between legacy registrations and active MiCA authorisations. If you are reviewing this register to check a competitor or verify your own status, confirm which column applies.

Under the old VASP regime, the FCIS (Finansinės nusikaltimų tyrimo tarnyba) was the sole registration authority. Under MiCA, the supervisory split is more granular.

The practical consequence: you now deal with two distinct authorities. BoL evaluates your business plan, governance structure, capital adequacy, and operational resilience. FCIS evaluates your AML programme, transaction monitoring controls, and beneficial ownership transparency. A deficiency flagged by either body can block your authorisation.

Between December 2024 and April 2025, the European Commission adopted a series of delegated acts and regulatory technical standards under MiCA that directly affect CASP applications. Changes that applicants filing in 2026 must account for:

• Prudential capital requirements finalised — MiCA Article 67 and Annex IV set minimum own funds at the higher of the class-based floor or one quarter of fixed overheads of the preceding year. The class floors are: (a) €50,000 for Class 1 CASPs (advisory, reception/transmission and execution of orders, placing of crypto-assets), (b) €125,000 for Class 2 (exchange of crypto-assets and operation of a trading platform), and (c) €150,000 for Class 3 (custody and administration of crypto-assets on behalf of third parties). BoL applies these thresholds directly; there is no Lithuanian-specific top-up.
• Passporting mechanics confirmed — A Lithuania MiCA authorisation allows cross-border service provision to all 27 EU member states under Article 65 without requiring separate national registrations. The home-state regulator (BoL) forwards the passport notification to the host-state NCA and ESMA within 15 working days; the CASP may begin cross-border services once notified that the forwarding is complete.
• White-paper requirements in force — MiCA Titles III and IV (covering ARTs and EMTs) applied from June 30, 2024, requiring issuers of asset-referenced tokens or e-money tokens to file a white paper with BoL before offering those tokens. The broader CASP provisions under Title V applied from December 30, 2024. Pure exchange or custody services for non-ART/EMT crypto-assets do not trigger the white-paper obligation but do require the CASP authorisation.
• Conflicts of interest rules applied — The Article 72 RTS (Commission Delegated Regulation 2025/1142, adopted 27 February 2025) sets specific requirements for conflicts-of-interest governance policies for all CASPs. Note that Article 76(5) MiCA prohibits a CASP operating a trading platform from dealing on own account on that platform. Your application must include a written conflicts-of-interest policy meeting the RTS criteria.

A Class 1 CASP license in Lithuania covers the lightest-touch MiCA services: providing advice on crypto-assets, managing crypto-asset portfolios on a discretionary basis, executing orders, receiving and transmitting orders, placing crypto-assets, and transfer services. The €50,000 minimum own funds requirement is the lowest entry point under MiCA — the regulation sets the floor, and Lithuania does not add a local surcharge above it.

This class suits firms that advise clients on which tokens to buy, sell, or hold, or that run discretionary mandates where client assets sit in the client’s own wallet rather than a firm-controlled omnibus account. If the firm touches client funds directly — holding keys or providing custody — it must apply for Class 2 or Class 3. Advisory-only models avoid the prudential complexity of custody, but they still require a full MiCA authorization, including an AML/CFT program, conflicts-of-interest policy, complaint-handling procedures, and a qualified management body. The Bank of Lithuania assesses suitability of shareholders holding ≥10% of capital.

Class 1 applicants should budget 5–8 months for the full authorization process, from entity setup through Bank of Lithuania approval, based on current processing timelines.

Class 2 is the broadest-use license for most operational crypto businesses. It covers everything in Class 1 and adds three high-demand services:

• Custody and administration of crypto-assets — holding private keys or means of access on behalf of clients; segregation rules and asset reconciliation obligations under MiCA Article 70 apply
• Exchange of crypto-assets for fiat — on-ramp and off-ramp operations where the firm is the counterparty or routes through liquidity providers
• Exchange of crypto-assets for other crypto-assets — token swaps executed bilaterally or via aggregated liquidity

The minimum capital floor rises to €125,000. In practice, the Bank of Lithuania will expect a firm’s ongoing own funds to cover at least one quarter of fixed overheads of the preceding year under the alternative calculation in MiCA Article 67(3), which often exceeds the statutory minimum once staffing and infrastructure costs are factored in. Custody providers holding client assets must also maintain professional indemnity insurance or an equivalent capital add-on.

A Lithuania crypto license at Class 2 level confers EU passporting rights under MiCA Article 65 — the firm can notify regulators in other member states and serve clients across all 27 EU countries without a second authorization, making Lithuania an efficient hub for pan-European operations.

Class 3 adds the highest-complexity service to the Class 2 scope: operating a multilateral crypto-asset trading platform, the MiCA equivalent of a regulated exchange. This is the authorization required by centralized exchanges, hybrid DEX/CEX models, and any venue that matches buy and sell orders from multiple parties on a non-discretionary basis.

Operating a crypto-asset trading platform under MiCA Article 76 requires non-discretionary rules for order matching, a real-time market surveillance system, pre- and post-trade transparency, and a publicly available order book. Firms must publish a token admission policy and can only list crypto-assets that have a compliant MiCA white paper on file with a competent authority. Article 76(5) MiCA prohibits a CASP operating a trading platform from dealing on own account on that platform.

If the platform lists asset-referenced tokens (ARTs) or e-money tokens (EMTs), additional obligations apply. ART and EMT issuers face a separate white paper approved by the Bank of Lithuania, a reserve asset policy, monthly reserve reporting, and redemption rights for token holders at par. “Significant” ARTs or EMTs — defined by thresholds of >10 million holders or >€5 billion average outstanding — transfer supervisory competence to the European Banking Authority (EBA).

The €150,000 capital floor applies, but Class 3 applicants should model ongoing own funds well above this level given the operational complexity. The crypto license in Lithuania at Class 3 typically requires the longest authorization timeline of all three classes.

MiCA creates three distinct token categories, and a firm’s classification obligations depend on which type it issues or handles. Misclassifying a token delays authorization and risks enforcement action.

• Asset-Referenced Tokens (ARTs) — tokens that maintain a stable value by referencing a basket of assets (fiat currencies, commodities, or other crypto-assets). Issuing ARTs requires authorization as a credit institution or Class 3 CASP plus a Bank of Lithuania-approved white paper. Reserve assets must be legally segregated and held with EU-regulated custodians.
• E-Money Tokens (EMTs) — tokens pegged 1:1 to a single fiat currency (e.g., a euro stablecoin). Issuers must hold a Lithuanian EMI or banking license in addition to CASP authorization. EMTs denominated in a non-EU currency face volume caps of €200 million per day once classified as “significant.”
• Utility Tokens — tokens providing access to a specific good or service on a DLT platform. These are the lightest-touch category: if the token is not yet functional and the offer is to fewer than 150 persons per member state or is addressed only to qualified investors, a white paper may be exempt. Once a utility token is tradable on a secondary market, a white paper must be filed with the Bank of Lithuania before marketing commences.

NFTs are generally outside MiCA scope unless issued in a large series with fungible economic characteristics, in which case the Bank of Lithuania may treat them as crypto-assets. Firms uncertain about NFT classification should seek a no-action determination before launch.

MiCA Article 67 and Annex IV set minimum own funds for CASPs at the higher of the class-based floor or one quarter of fixed overheads of the preceding year. The class floors apply directly — the Bank of Lithuania does not impose a Lithuanian-specific top-up above the MiCA minimums.

If your application covers services spanning multiple classes, the highest applicable threshold applies. A firm seeking both custody (Class 2) and trading platform operation (Class 3) must hold €150,000 in minimum own funds — the thresholds do not stack. The capital must be fully paid up in monetary form and held in an EEA-based bank account. Contribution in kind is not accepted.

Any natural or legal person holding a qualifying holding of 10% or more in the applicant entity must be disclosed to the Bank of Lithuania. The regulator assesses the suitability of each qualifying shareholder before granting authorisation. The following documentation is required for every shareholder and ultimate beneficial owner (UBO) above the 10% threshold:

• UBO identification — full name, nationality, date of birth, residential address, and percentage of ownership or control for every individual who ultimately owns or controls ≥10% of the applicant.
• Source of funds declaration — documented evidence of the origin of funds used for the capital contribution, including bank statements, audited accounts, or notarised declarations.
• Criminal record certificates — original or certified copies from each country of residence over the past ten years, apostilled and translated into Lithuanian or English as required.
• Curriculum vitae — professional CV covering at least the last ten years, with specific emphasis on financial services, fintech, or crypto-related experience.

Where a qualifying shareholder is a corporate entity rather than a natural person, the Bank of Lithuania requires a complete ownership chain traced back to the ultimate natural-person UBOs. Nominee arrangements and bearer shares are not permitted under Lithuanian corporate law for entities seeking CASP authorisation.

MiCA and Lithuanian implementing legislation require the management body of a CASP to demonstrate collective fitness and propriety, including adequate knowledge, skills, and experience in crypto-asset services and financial regulation. The Bank of Lithuania evaluates board composition as part of the authorisation assessment.

• Minimum two management board members — Lithuanian company law requires a UAB (private limited company) applying for a CASP authorisation to have at least two directors on the management board, each of whom is subject to individual fit-and-proper assessment by the Bank of Lithuania.
• At least one Lithuanian-resident director — the Bank of Lithuania expects at least one member of the management body to be resident in Lithuania, ensuring that effective management and decision-making occur within the jurisdiction. A fully remote board based outside Lithuania will not satisfy the substance requirement.

Each board member must undergo a fit-and-proper assessment that covers professional qualifications, prior regulatory history, criminal background, and financial standing. The Bank of Lithuania may require candidates to attend an interview at its offices in Vilnius. Board members who have been subject to regulatory sanctions or criminal proceedings in other jurisdictions must disclose this information in full — failure to do so is grounds for refusal.

Lithuanian law, in particular the Law on the Prevention of Money Laundering and Terrorist Financing, requires every CASP to appoint a dedicated AML/CFT compliance officer (MLRO). The FCIS reviews and approves the appointment as part of the licensing process. The AML officer must meet the following criteria:

• Full-time employee — the AML officer must be employed by the applicant company on a full-time basis. Outsourcing the MLRO function to an external consultant or shared-service provider is not permitted under Lithuanian AML law for CASPs.
• Professional qualifications — the officer must hold relevant qualifications in AML/CFT compliance, financial crime prevention, or a related field. The FCIS may request evidence of training certifications, prior compliance roles, or professional memberships.
• Lithuania resident — the AML officer must be physically based in Lithuania. Remote performance of this function from another country does not satisfy the regulatory requirement.
• Direct reporting line — the AML officer must report directly to the management board and have unimpeded access to all transaction data, customer records, and suspicious activity reports. The officer cannot be subordinated to operational or commercial teams.

Beyond the individual appointment, the applicant must submit a comprehensive AML/CFT programme covering customer due diligence procedures, transaction monitoring rules, sanctions screening protocols, suspicious activity reporting workflows, and staff training schedules. The FCIS evaluates this programme independently of the Bank of Lithuania’s assessment of the business model and governance structure.

MiCA Article 62 requires every CASP to maintain a registered office and place of effective management in the Member State where it is authorised. The Bank of Lithuania interprets this requirement strictly — a virtual office, mailbox address, or co-working hot desk does not qualify.

The registered office must be reflected in the Lithuanian Register of Legal Entities and match the address provided in the CASP application. In practice, the Bank of Lithuania expects the following:

• Dedicated premises — a physical office space (owned or leased) where the company conducts its day-to-day operations. The lease agreement must be in the company’s name and cover at least the initial authorisation period.
• Staff present on-site — at least the AML officer and one management board member must work from the Lithuanian office. The regulator may conduct unannounced visits to verify substance.
• Operational systems hosted or accessible locally — IT infrastructure, transaction monitoring platforms, and client data storage must be accessible from the Lithuanian office. If systems are cloud-hosted, the company must demonstrate that operational control resides with staff in Lithuania.

The physical presence requirement is not a formality. The Bank of Lithuania has rejected applications where the purported Lithuanian office was a serviced-address provider with no actual staff on the premises. Applicants should budget for a real office in Vilnius or Kaunas from the incorporation stage.

The Digital Operational Resilience Act (EU 2022/2554), known as DORA, applies to all CASPs authorised under MiCA. DORA has been mandatory since January 17, 2025, and the Bank of Lithuania assesses ICT resilience as part of the CASP application review.

For applicants, DORA translates into four concrete obligations that must be documented in the application and maintained on an ongoing basis:

• ICT risk management framework — a formal, Board-approved framework covering identification, protection, detection, response, and recovery for all ICT-related risks. This includes documented policies for access control, network security, data encryption, and change management.
• Incident reporting within 4 hours — major ICT-related incidents must be classified and reported to the Bank of Lithuania within four hours of detection. The company must maintain an incident response plan with clear escalation procedures and designated reporting contacts.
• Resilience testing — regular penetration testing and, for significant CASPs, threat-led penetration testing (TLPT) under DORA Article 26. Test results and remediation plans must be documented and available for supervisory review.
• Third-party ICT risk management — all critical third-party ICT service providers (cloud infrastructure, blockchain node operators, cybersecurity vendors) must be subject to contractual oversight, risk assessments, and exit strategies. The company must maintain a register of all ICT third-party arrangements.

We prepare all DORA-related documentation as part of our full CASP licensing package (€35,000), including the ICT risk management framework, incident response plan, and third-party ICT register aligned to the Bank of Lithuania’s current expectations.

These foundational documents establish the legal identity, ownership structure, and governance framework of the applicant entity. The Bank of Lithuania requires originals or certified copies, with Lithuanian translations where the source language is not English.

• Certificate of Incorporation — notarised copy of the UAB registration certificate issued by the Register of Legal Entities, confirming the company’s legal existence in Lithuania.
• Articles of Association — the current version of the company’s founding document, reflecting the CASP-related business purpose, share capital, and governance rules required under MiCA.
• Extract from Company Register — a recent extract (no older than three months) from the Lithuanian Register of Legal Entities showing current directors, shareholders, registered address, and company status.
• Shareholder Register — a complete list of all direct and indirect shareholders, including ultimate beneficial owners (UBOs) holding ≥10%, with nationality, residence, and percentage of ownership for each.
• Board Resolution — a signed resolution of the management board authorising the CASP application and appointing the person(s) responsible for liaising with the Bank of Lithuania.
• Power of Attorney — a notarised power of attorney authorising Fintech Simple (or other representative) to submit the application and correspond with the regulator on behalf of the applicant.
• Organisational Chart — a diagram showing the corporate group structure, reporting lines, key function holders (CEO, MLRO, IT security officer), and the position of the Lithuanian entity within any parent group.

The FCIS and Bank of Lithuania jointly assess your AML/CFT framework. These documents must demonstrate that your policies are substance-based and tailored to your specific CASP activities — generic templates will be rejected.

• AML/CFT Policy Manual — a comprehensive document covering customer due diligence (CDD), enhanced due diligence (EDD), politically exposed persons (PEPs), and internal controls aligned with Lithuanian AML Law and MiCA organisational requirements.
• Risk Assessment — a business-wide ML/TF risk assessment identifying the inherent and residual risks of each crypto-asset service the company intends to offer, with mitigating controls mapped to each risk.
• Customer Risk Classification — a methodology for classifying customers into risk categories (low, medium, high) based on geography, transaction patterns, product type, and delivery channel, with clear escalation triggers.
• KYC/KYB Procedures — step-by-step procedures for onboarding individual and corporate clients, including identity verification methods, document requirements, and ongoing monitoring obligations.
• Transaction Monitoring Policy — rules and thresholds for automated and manual transaction monitoring, covering crypto-to-fiat, crypto-to-crypto, and self-hosted wallet transfers, with alert investigation workflows.
• SAR Procedure — the internal process for identifying, escalating, and reporting suspicious activity reports (SARs) to the FCIS within the required timeframes, including staff responsibilities and record-keeping requirements.
• MLRO Appointment — a formal appointment letter for the Money Laundering Reporting Officer (AML compliance officer), including proof of qualifications, Lithuanian residency, and a declaration that the officer does not serve another entity simultaneously.
• Sanctions Screening — documentation of the sanctions screening process, including the lists screened (EU, UN, OFAC), screening frequency, technology used, and escalation procedures for potential matches.
• Data Retention Policy — a policy specifying retention periods for customer records (minimum eight years under Lithuanian law), transaction data, and AML documentation, with procedures for secure destruction after the retention period expires.

The Bank of Lithuania verifies that the applicant has sufficient financial resources to operate as a CASP and meet ongoing prudential obligations. Capital must be fully paid up in monetary form before the application is submitted.

• Audited Financial Statements — the most recent annual financial statements audited by a qualified auditor, or, for newly incorporated entities, an opening balance sheet signed by the management board.
• Proof of Paid-Up Capital — a bank statement or confirmation letter from an EEA-based credit institution showing that the minimum share capital (€50,000 for Class 1, €125,000 for Class 2, €150,000 for Class 3) has been deposited and is freely available.
• 3-Year Financial Projections — detailed revenue, cost, and cash-flow projections for the first three years of CASP operations, including assumptions about customer acquisition, transaction volumes, and staffing costs.
• Capital Adequacy Calculation — a calculation demonstrating that the company’s own funds meet the higher of the MiCA class-based floor or one quarter of the preceding year’s fixed overheads, in line with MiCA Article 67 and Annex IV.
• Professional Indemnity Insurance (PII) Policy — evidence of PII coverage or an equivalent own-funds guarantee, as required for CASPs providing advisory or portfolio management services under MiCA Article 67(4).
• Client Asset Safeguarding — a detailed policy describing how client fiat funds and crypto assets are segregated from the company’s own assets, including custodian arrangements and insolvency protections.
• Source of Funds Declaration — a declaration for each shareholder holding ≥10% explaining the lawful origin of funds used for the capital contribution, supported by bank statements, tax returns, or other documentary evidence.

MiCA and DORA impose specific technical requirements on CASPs. The Bank of Lithuania assesses your IT infrastructure, operational resilience, and governance procedures as part of the authorisation review.

• White Paper — required only if the CASP intends to issue crypto-assets under MiCA Titles II–IV; must include project description, rights and obligations, underlying technology, and risk disclosures in the format prescribed by the regulation.
• IT System Architecture — a technical overview of the production environment, including network topology, hosting infrastructure, data flow diagrams, access control mechanisms, and encryption standards used for data at rest and in transit.
• Cybersecurity Policy & Penetration Test — a written ICT security policy meeting DORA requirements, accompanied by a recent penetration test report from an independent third party, covering all client-facing and internal systems.
• Business Continuity Plan (BCP) — a documented plan for maintaining critical CASP services during operational disruptions, including failover procedures, communication protocols, and recovery time objectives.
• Disaster Recovery Plan (DRP) — a technical recovery plan for IT systems and data, including backup schedules, geographic redundancy, restoration procedures, and testing frequency aligned with DORA Article 11.
• Outsourcing Agreements — copies of all material outsourcing contracts (cloud providers, custody technology vendors, KYC/AML service providers), with evidence that each arrangement complies with MiCA Article 73 and DORA third-party risk management requirements.
• Conflict of Interest Policy — a governance policy identifying, preventing, and managing conflicts of interest in line with MiCA Article 72 and Commission Delegated Regulation 2025/1142, including specific prohibitions for trading platform operators dealing on own account.
• Complaints Handling Procedure — a written procedure for receiving, acknowledging, investigating, and resolving client complaints within defined timeframes, as required by MiCA Article 71.
• Key Personnel CVs & Fit-and-Proper Declarations — detailed curricula vitae and criminal record certificates for all members of the management body, qualifying shareholders, and key function holders, with certified translations where the original documents are not in Lithuanian or English.

CASP license holders submit two parallel reporting streams: AML/CFT reports to the FCIS and prudential/operational reports to the Bank of Lithuania.

• Annual AML/CFT report — filed with the FCIS by 31 January each year, covering the previous calendar year. The report details transaction volumes, customer risk segmentation, number of EDD cases opened, and internal control findings.
• Suspicious Activity Reports (SARs) — must be filed with the FCIS within 3 business days of identifying a suspicious transaction. There is no minimum monetary threshold for SARs: any transaction that raises suspicion of money laundering or terrorist financing must be reported regardless of amount. Reporting is mandatory even where the transaction has already been declined or reversed.
• Large-transaction reports — cash transactions and crypto transfers equivalent to €15,000 or more trigger an automatic report to the FCIS under the Law on the Prevention of Money Laundering and Terrorist Financing.
• Bank of Lithuania notifications — material changes to beneficial ownership, management, or service scope require prior notification and, in some cases, prior approval. Quarterly statistical returns on transaction volumes are also required.

Lithuania transposed the EU Transfer of Funds Regulation (TFR) — the crypto extension of which took effect under the Markets in Crypto-Assets Regulation (MiCA) framework — requiring CASPs to attach originator and beneficiary data to every crypto transfer above specific thresholds.

For self-hosted wallet transfers at or above the €1,000 threshold, the CASP must verify that the unhosted wallet belongs to the customer before processing. Acceptable verification methods include cryptographic proof of address ownership (signed message) or, where that is impractical, transaction-based verification via a micro-deposit. The obligation applies to each leg of the transfer, not just the sending side.

CASPs must implement a compliant Travel Rule solution — such as integration with an inter-VASP messaging protocol — and retain all transmitted data for at least 5 years. Sending to a counterparty CASP that cannot receive Travel Rule data does not exempt the originating CASP from the transmission requirement; instead, the CASP must assess whether to proceed with or block the transfer.

Lithuanian CASPs that hold client assets — whether fiat or crypto — must keep those assets strictly separate from the company’s own funds. The segregation requirement has three practical dimensions:

• Fiat segregation — client euro balances must be held in one or more dedicated safeguarding accounts at an EU-licensed credit institution or e-money institution. The account title or sub-ledger must make the client-ownership status identifiable at all times.
• Crypto segregation — client crypto holdings must be held in wallets that are operationally and ledger-distinct from the CASP’s proprietary wallets. Commingling, even temporarily during settlement, is prohibited.
• Insolvency protection — segregated assets must be structured so that, in the event of CASP insolvency, client assets fall outside the insolvency estate. This typically requires a trust structure or contractual ring-fencing confirmed by Lithuanian legal counsel.

Operators should reconcile client asset records against wallet and bank balances at least daily and document each reconciliation. The FCIS may request reconciliation records during an inspection; gaps in the reconciliation trail are treated as a control failure even if no assets are missing.

The FCIS supervises CASPs through both desk-based reviews and on-site inspections. Understanding how each works lets compliance teams prepare rather than react.

• Desk-based monitoring — the FCIS analyses SAR patterns, transaction data, and annual AML reports continuously. Anomalies — such as a spike in high-risk-country transfers or a drop in SARs despite rising volume — typically trigger a follow-up information request before any on-site visit.
• Announced on-site inspections — the FCIS gives written notice, usually 10–15 business days in advance. The inspection team reviews AML/CFT policies, KYC files, transaction monitoring alerts, training records, and management oversight documentation.
• Unannounced inspections — permitted where the FCIS has reason to believe that advance notice would result in evidence being altered or destroyed. These are reserved for cases where prior monitoring has identified serious deficiencies.
• Document retention window — all KYC records, transaction data, and correspondence must be retained for 8 years from the end of the business relationship. Inspection teams routinely request records going back several years; missing documentation is treated as a substantive breach.

After each inspection, the FCIS issues a findings report. The CASP must respond with a remediation plan within the deadline specified in the report — typically 30 days. Failure to submit a remediation plan, or submission of a plan that the FCIS deems inadequate, escalates to formal enforcement.

Lithuanian law gives the FCIS a graduated enforcement toolkit. Penalties scale with the severity and duration of the breach, and with whether the CASP self-reported the issue or the FCIS discovered it independently.

License revocation grounds under Lithuanian law include: operating outside the licensed scope, persistent failure to meet AML/CFT obligations, providing false information to the FCIS or Bank of Lithuania, insolvency, and — critically — failure to commence operations within 12 months of license grant. A CASP that receives its license but delays launch must notify the FCIS to avoid automatic revocation on the 12-month deadline.

The standard Lithuanian CIT rate was 15% for many years, rising to 16% in 2025 and then to 17% from 1 January 2026 under the defence-funding tax reform. A crypto CASP operating in Lithuania pays CIT on worldwide profits if it is tax-resident there (i.e., incorporated in Lithuania or managed and controlled from Lithuania). Taxable income is calculated as revenue minus allowable expenses; losses can be carried forward for up to five years, and up to 70% of taxable profit per year.

Research and development expenditure qualifies for a triple deduction — meaning €1 spent on qualifying R&D reduces taxable income by €3. Crypto companies building proprietary trading engines, compliance tools, or blockchain infrastructure can benefit materially from this provision if they document R&D activities correctly.

Companies with annual revenue below €300,000 qualify for a reduced CIT schedule (the employee-count cap was abolished from 2026). In the first two years of operation the rate is 0%; from the third year onward it is 7%. This applies to the full taxable profit — not just the first tranche — as long as the revenue threshold is met.

A startup crypto exchange or custody provider that stays within that threshold during early years can build capital quickly under the 0–7% schedule. Once revenue exceeds €300,000, the standard 17% rate applies from the following tax period. Planning the timing of growth milestones around this threshold is a routine part of Lithuanian tax structuring.

Lithuania implemented the EU VAT Directive faithfully. The Hedqvist judgment (CJEU C-264/14) established that exchange of fiat currency for bitcoin and back constitutes a VAT-exempt financial service throughout the EU. Lithuanian VAT Law Art. 28 reflects this: cryptocurrency exchange, wallet services, and payment processing in crypto are VAT-exempt.

VAT exemption is not an automatic benefit. It means the company cannot recover input VAT on purchases related to exempt activities. Businesses offering a mix of taxable and exempt supplies — for example, a platform that also sells NFT consulting or SaaS tools — must apply a pro-rata calculation to determine how much input VAT is recoverable. The standard Lithuanian VAT rate for taxable supplies is 21%. Companies with annual taxable turnover above €45,000 must register for VAT.

Lithuania applies a 17% withholding tax on dividends paid to non-resident shareholders from 2026 (previously 15–16%). This is the domestic rate. Lithuania has signed double-tax treaties with over 50 countries; treaty rates for dividends vary but are commonly 0–10% for qualifying corporate recipients holding a minimum participation stake (typically 10–25%).

Within the EU, the EU Parent-Subsidiary Directive eliminates withholding tax entirely on dividends paid to EU parent companies holding at least 10% of the subsidiary’s share capital for a continuous period of at least one year. A Lithuanian crypto company owned by an EU holding entity can therefore distribute profits tax-free at source under the Directive, subject to anti-abuse rules introduced in Lithuania in 2021.

Lithuanian employees pay social insurance (Sodra) at 12.52% and compulsory health insurance at 6.98% deducted from gross salary, totalling 19.5%. The employer’s contribution is a separate 1.77% on gross salary (or 2.49% including the Guarantee Fund for fixed-term contracts). These contributions apply to all employed staff, including directors receiving salary.

Founders drawing only dividends avoid payroll contributions on dividend distributions, though Lithuania introduced a minimum social insurance floor for company directors in 2021 to curtail pure dividend structuring. A crypto company with a lean team of licensed AML officers and management can keep payroll exposure contained, but the combined employer burden is a real cost factor when budgeting for the Lithuania crypto license cost and ongoing operations.

MiCA passporting is a notification procedure, not an approval procedure. Once the Bank of Lithuania (BoL) grants your CASP authorisation, you do not need the host state’s permission to begin operating there — you need only to notify.

• Step 1: Notify your home NCA — You submit a passport notification to BoL identifying the target member state, the specific crypto-asset services you intend to provide there, and whether you plan to operate through a branch or on a cross-border basis. Cross-border means remote provision with no physical presence in the host state; branch means a local office subject to host-state conduct rules on top of home-state prudential rules.
• Step 2: BoL forwards the notification — Within 15 working days of receiving a complete notification, BoL transmits it to the competent authority of the host state and to ESMA. ESMA updates its public CASP register to reflect the cross-border activity. No approval from the host state is required at this point.
• Step 3: You may begin — You can start providing services in the host state immediately after BoL confirms dispatch of the notification. There is no waiting period imposed on the CASP. The host-state regulator receives a copy but cannot block or delay your entry — their recourse is post-entry supervision of conduct rules, not a pre-entry gate.

One practical constraint: the passport covers only the services named in your original Lithuanian CASP authorisation. If your authorisation covers custody and exchange but not operation of a trading platform, you cannot passport trading platform services — you would need to first extend your Lithuanian authorisation.

The 15-working-day window is BoL’s obligation to forward, not a review period. In practice, passport notifications submitted through BoL’s authorisation portal are processed as administrative transmissions rather than substantive reviews. What BoL checks: that the notification is formally complete (correct fields, correct service codes, correct host-state NCA identified). What BoL does not do at the notification stage: re-examine your business model or your AML programme for the host state.

Host states can impose conduct requirements on incoming CASPs operating through a branch — for instance, local language disclosure obligations or local AML registration in some jurisdictions that layer national AML law on top of MiCA. Cross-border (non-branch) passporting carries fewer host-state obligations but means you are serving customers remotely, which may affect your ability to meet local consumer protection rules in practice.

MiCA imposes no territorial cap on the number of passports a CASP can hold simultaneously. You can notify all 26 other EU member states on the same day if your business plan warrants it. ESMA’s public register reflects each active cross-border notification, giving clients in host states a verification mechanism.

Three factors make Lithuania worth serious consideration for a CASP licence that will be used primarily for passporting into larger EU markets.

• Cost structure — BoL’s application fees and annual supervisory levies are lower than those charged by BaFin (Germany), AFM (Netherlands), or AMF (France). Office costs, payroll for the mandatory local substance, and professional service fees in Vilnius run materially below equivalent costs in Frankfurt, Amsterdam, or Paris. For a business whose primary revenue will come from passported services in other markets, the domicile cost matters.
• Fintech-friendly regulatory culture — BoL established a dedicated Innovation Office and the Newcomer Programme, and has consistently engaged with crypto and fintech applicants through pre-application consultations. This does not mean the process is easy — MiCA is MiCA regardless of member state — but it does mean BoL staff have processed enough crypto-asset applications to understand the business models. You are less likely to encounter regulators who have never seen a non-custodial exchange or a staking service before.
• Track record — Lithuania authorised several hundred VASPs under the old national regime, giving BoL more institutional experience with crypto supervision than most EU NCAs. That experience transferred into the MiCA transition: BoL published detailed internal guidance, engaged ESMA early, and processed grandfathering applications on a structured timeline. Established process matters when your business depends on a predictable authorisation timeline.

From January 2025, the Bank of Lithuania requires every VASP licensee to hold a payment or settlement account with either a Lithuanian-licensed credit institution or a foreign bank that operates a branch physically established in Lithuania. Correspondent accounts and remote relationships with foreign banks no longer satisfy this condition.

The rule was introduced to give supervisors direct visibility into fund flows. When the account sits inside Lithuanian jurisdiction, the Bank of Lithuania can request transaction data and freeze funds under domestic law — something it cannot do through foreign correspondent channels. For applicants, this means banking due diligence must start in parallel with the license application, not after approval.

The largest banks in Lithuania — Swedbank, SEB, and Luminor, all subsidiaries of Nordic parent groups — remain cautious toward crypto businesses and typically decline onboarding unless the applicant has a multi-year operating history and substantial assets under management. The more realistic path for most new licensees runs through Electronic Money Institutions (EMIs) licensed in Lithuania or EMIs with a Lithuanian branch.

• Lithuanian-licensed EMIs — Several EMIs hold full payment institution or e-money licenses from the Bank of Lithuania and have established crypto onboarding procedures. They conduct their own AML review of your VASP documentation, business model, and source-of-funds policy before granting an account. Onboarding typically takes four to eight weeks.
• EU EMIs with Lithuanian branches — A smaller number of EU-headquartered payment institutions operate registered branches in Vilnius. These satisfy the January 2025 rule provided the branch is the entity of record on the account agreement, not the parent in another member state.
• Traditional banks (selective) — Larger crypto firms with established compliance infrastructure and demonstrable revenue have successfully opened accounts at Lithuanian branches of Nordic banks. Expect a longer review period and requests for third-party AML audits.

In practice, most applicants open an EMI account first to satisfy the licensing requirement, then pursue a full banking relationship once they can show twelve months of clean transaction history. Some operators maintain accounts at two institutions — one for client fund segregation, one for operational expenses — which also satisfies business continuity expectations the Bank of Lithuania raised in its 2024 supervisory guidelines.

When selecting an institution, verify three things before submitting your onboarding pack: that the entity holds a current Bank of Lithuania license or has a branch registration number in the Lithuanian commercial register, that their fee schedule covers the transaction volumes you project in your business plan, and that their crypto acceptance policy explicitly includes your licensed activities (exchange, custody, or both). Presenting a completed Bank of Lithuania crypto license — rather than an application in progress — significantly improves acceptance rates.