Crypto License in Poland: MiCA Requirements, Cost & Timeline 2026

Poland’s pre-MiCA framework required virtual currency businesses to register with the Head of Katowice Tax Administration Chamber, which maintained the national VASP register. As of early 2025, that register held 1,298 active entries. MiCA replaces that framework entirely with a single EU authorization called a CASP (Crypto-Asset Service Provider) license. The two regimes differ on nearly every dimension that matters to an operator:

CASP authorization adds a whitepaper regime, governance requirements, insurance or capital buffers, and ongoing reporting obligations. In return, you get the right to passport services across all 27 EU member states without setting up a local entity in each country.

MiCA entered into force across the EU on 30 December 2024, but each member state must pass domestic implementation legislation to designate a national competent authority and set out procedural rules for CASP applications. Poland’s vehicle for this was Bill 1424, which has had a turbulent journey through the Sejm. The bill was passed by parliament but vetoed by President Nawrocki on 1 December 2025, who cited threats to “the freedoms of Poles” and excessive KNF powers. A resubmitted version (Bill 2050, 8 December 2025) was followed by a revised Bill 2064 that reduced the proposed KNF supervisory fee from 0.4% to 0.1% of revenue — the President vetoed it again on 12 February 2026. On 18 April 2026 parliament attempted to override the veto but fell short of the required three-fifths majority (243 of 263 votes needed). As of late April 2026, the legislation remains blocked and KNF has not formally opened a CASP application window.

This leaves every crypto operator in Poland facing a regulatory gap:

• 30 Dec 2024 — MiCA fully applicable; VASP registrations no longer sufficient for new services covered by MiCA.
• 30 Dec 2024 — VASP register closed to new entries; no fresh VASP registrations accepted from this date (coinciding with full MiCA applicability).
• 1 Dec 2025 — Bill 1424 vetoed by President Nawrocki.
• 8 Dec 2025 — Bill 2050 resubmitted (same text as Bill 1424).
• 12 Feb 2026 — Revised Bill 2064 (supervisory fee reduced from 0.4% to 0.1%) vetoed by the President a second time.
• 18 Apr 2026 — Parliament’s attempt to override the veto fails (243 of 263 votes needed).
• 1 Jul 2026 — MiCA transitional period expires. Businesses operating under existing VASP registrations must hold a full CASP authorization by this date or cease regulated crypto activities in Poland.

For the 1,298 businesses currently listed in the VASP register, the 1 July 2026 deadline is the operative constraint. Any operator that has not converted its registration into a CASP authorization, or that cannot demonstrate an application is pending, risks forced suspension. Businesses entering the Polish market now face a parallel challenge: they cannot obtain a new VASP entry and must wait for CASP applications to open under new implementing legislation.

Poland's GDP reached around €840 billion in 2024 (World Bank: $915 billion), ranking it sixth in the EU. The domestic consumer base of 37 million people spends actively online: e-commerce penetration exceeded 70% in 2023, and crypto adoption surveys place Poland among the leading EU markets by retail participation. For businesses targeting CEE clients, a Polish entity puts you close to the region's largest market, geographically, linguistically, and regulatorily. The 400+ fintech companies already operating here have built banking integrations, payment rails, and compliance infrastructure you can plug into from day one.

Poland is a full EU member state. Under MiCA, a single CASP license issued by the Polish Financial Supervision Authority (KNF) lets you passport services across all 27 EU countries without obtaining separate national licenses. That is a combined market of 450 million+ consumers reached through one regulatory process. Poland operates under MiCA's general transitional period (Article 143(2)) until 1 July 2026, allowing existing VASP-registered entities to continue services. National implementing legislation remains blocked due to repeated presidential vetoes, so KNF has not yet opened a CASP application window — a critical timing constraint to factor into market entry plans.

Poland applies a 9% Corporate Income Tax (CIT) rate to companies with annual revenue below €2 million, one of the lowest headline rates in the EU for qualifying businesses. Above that threshold, the standard rate is 19%, still below the EU average of roughly 21.5%. There is no withholding tax on dividends paid between EU-resident parent and subsidiary companies under the EU Parent-Subsidiary Directive. VAT on crypto exchange services follows EU rules (generally exempt for exchange of currency, including crypto). If your projected revenue sits below the €2 million threshold in the first years of operation, you pay 9% CIT rather than the 25–35% rates typical in Western European jurisdictions.

Poland has over 500,000 qualified IT professionals, one of the largest tech workforces in the EU. Warsaw, Kraków, Wrocław, and Gdańsk each host established technology clusters with universities producing 15,000+ computer science graduates per year. Average gross salaries for senior software engineers run at 40–55% of equivalent roles in London, Amsterdam, or Stockholm, a direct cost advantage when you are building compliance technology, transaction monitoring systems, or customer-facing products. Google, Samsung, ABB, and Goldman Sachs all have engineering centres here for the same reason.

MiCA is an EU Regulation, not a Directive. Regulations apply automatically in every member state on their entry-into-force date without any national implementing act. Title III and Title IV (asset-referenced tokens and e-money tokens) applied from 30 June 2024. The full text — including Title V covering Crypto-Asset Service Providers (CASPs) — applied from 30 December 2024.

From that date, any company providing crypto-asset services in Poland or to Polish customers falls under MiCA’s CASP authorisation regime. This includes exchange, custody, portfolio management, transfer, and advisory services covering crypto assets as defined in Article 3(1)(5) of MiCA. The regulation is self-executing: Polish firms cannot rely on the absence of a national implementing act as a reason to avoid compliance.

ESMA’s MiCA resources provide the technical standards and guidelines that directly govern how Polish CASPs must structure their applications, disclosures, and ongoing reporting obligations.

Three bodies share oversight of crypto businesses in Poland. Their roles are distinct and non-overlapping.

KNF is the competent authority under MiCA for Poland — a designation implied by the regulation itself even absent the domestic bill. However, KNF has not yet formally opened a CASP application window because the implementing legislation (Bill 1424 / 2050 / 2064) that would set out procedural rules, fees, and transition mechanics has not entered into force. Firms should expect KNF to handle CASP authorisation applications once new legislation passes, and to communicate with ESMA on supervisory convergence matters.

Understanding the Polish crypto regulatory stack requires knowing which instruments are in force, which are pending, and which failed.

• MiCA (EU Regulation 2023/1114) — Directly applicable from 30 December 2024. Governs CASP authorisation, white paper obligations, conduct of business, and prudential requirements. Supersedes national crypto licensing regimes for in-scope services.
• Polish AML Act 2018 (as amended) — Transposes the EU’s 5th Anti-Money Laundering Directive. Defines “virtual currency” and “virtual asset service provider,” requires VASP registration with KAS Katowice, and imposes KYC, transaction monitoring, and suspicious activity reporting obligations through GIIF. Still fully in force; MiCA does not replace AML obligations.
• Bill 1424 / 2050 / 2064 (all failed) — The draft Polish laws that would have designated KNF formally as the MiCA competent authority, established application fees, set out the transition timetable for existing VASPs, and aligned national penalties with MiCA’s Article 111 framework. Bill 1424 was vetoed by President Nawrocki on 1 December 2025. Bill 2050 (resubmitted 8 December 2025) was followed by a revised Bill 2064 that reduced the proposed KNF supervisory fee from 0.4% to 0.1% of revenue — the President vetoed it again on 12 February 2026. Parliament’s override attempt on 18 April 2026 fell short of the required three-fifths majority (243 of 263 votes needed). A fresh bill has not yet been introduced.
• DORA (EU Regulation 2022/2554) — The Digital Operational Resilience Act applies to CASPs authorised under MiCA from 17 January 2025. It mandates ICT risk management frameworks, incident reporting to KNF, penetration testing for significant entities, and contractual requirements for third-party ICT providers. Any firm pursuing a Polish CASP licence must build DORA compliance into its operational structure from day one.

The MiCA transitional period for existing VASPs ends on 1 July 2026 across EU member states that have not enacted a shorter national transition window. Poland has not shortened the period, so Polish VASPs currently registered with KAS Katowice can continue operating until 30 June 2026 under the old regime.

After 1 July 2026, the following applies:

• No grandfathering without CASP authorisation — VASP registration with KAS Katowice gives no right to continue operating crypto-asset services. Firms that have not obtained a MiCA CASP authorisation from KNF must cease all in-scope activities on 1 July 2026.
• EU passporting becomes available — A CASP authorised in Poland gains the right to notify other EU member states and provide services cross-border without additional local licences. This is materially different from the pre-MiCA VASP regime, which carried no passporting rights.
• New entrants require CASP authorisation from day one — Companies incorporated after 30 December 2024 that provide MiCA-regulated services cannot use the transitional relief. They must apply to KNF for full CASP authorisation before commencing operations.
• AML obligations continue unchanged — VASP registration obligations under the Polish AML Act 2018 and GIIF reporting requirements remain in force regardless of MiCA authorisation status. A CASP licence does not replace AML registration.

The practical implication is clear: firms with existing VASP registrations in Poland should begin CASP authorisation preparation now. KNF has not published a detailed application timeline, and the absence of implementing legislation means some procedural questions remain open. Building a compliant CASP application under MiCA — covering governance, capital, custody, white papers, and DORA ICT frameworks — typically takes six to nine months.

Class 1 covers advice and order reception without taking custody of client assets. A Class 1 CASP passes orders to a third-party venue and may manage discretionary crypto portfolios, but it never holds private keys. Because the firm does not touch client funds directly, MiCA sets the lowest capital floor at €50,000. The overhead rule still applies: a Class 1 firm with €240,000 in annual fixed costs must hold €60,000 in own funds — €10,000 above the class minimum.

Practical fit: crypto robo-advisers, signal-service platforms that execute via a partnered exchange, and IFA-style crypto consultancies fall squarely in Class 1. If your business model does not touch custody or execution on your own matching engine, start here and upgrade later.

Class 2 adds custody and administration of client assets, plus crypto-to-fiat and crypto-to-crypto exchange services to the Class 1 scope. A Class 2 CASP holds private keys on behalf of clients and facilitates currency conversion, but does not operate its own trading platform. The €125,000 floor reflects the higher operational and counterparty risk of safekeeping client assets and settling exchange transactions. Any firm offering custodial wallet services, a fiat on-ramp, or an OTC exchange desk will need at minimum a Class 2 authorisation.

The overhead rule gains teeth quickly at this level: a Class 2 operation with a 10-person team and standard infrastructure can easily exceed €500,000 in annual fixed costs, which triggers a required capital level of €125,000 — exactly at the class minimum in year one, but potentially €150,000–€200,000 by year two as the team grows.

Class 3 is the broadest scope: it adds the operation of a trading platform for crypto-assets on top of all Class 1 and Class 2 services. The €150,000 minimum is only €25,000 above Class 2, but the regulatory obligations expand substantially — segregation of client assets, insurance or equivalent arrangements, and daily reconciliation requirements all apply at Class 3. Most full-service exchanges that operate their own order book or matching engine will require Class 3 regardless of whether they initially intend to offer the full suite, because regulators expect the authorisation to match actual business practice.

The overhead floor is where Class 3 firms feel the real capital pressure. A mid-size exchange with 20 staff and cloud infrastructure typically carries €800,000–€1,200,000 in annual fixed overheads, implying a required capital buffer of €200,000–€300,000 — well above the €150,000 class minimum. Firms should model the overhead calculation for years one through three before deciding on initial share capital.

Most applicants incorporate as a Spółka z ograniczoną odpowiedzialnością (Sp. z o.o.) — the Polish equivalent of a limited liability company. This structure meets the legal-entity requirement and is well understood by Polish authorities. Key parameters:

• Minimum share capital — PLN 5,000 (approximately €1,200). Capital must be fully paid up before you apply. This figure is low by EU standards, but regulators look closely at whether the business has enough working capital to operate compliantly, so budget well beyond the statutory minimum.
• Registered address — a genuine Polish address is required. A virtual office at a reputable provider in Warsaw or Kraków satisfies this rule, provided mail can be received and inspectors can visit the premises.
• KRS registration — the company must be entered in the National Court Register (Krajowy Rejestr Sądowy) before submitting the VASP application. KRS registration typically takes 7–14 days when filed electronically through the S24 portal.
• Legal entity requirement — sole traders (jednoosobowa działalność gospodarcza) cannot hold the crypto license. You need a capital company — Sp. z o.o. or S.A.

The application file must be complete on first submission. Missing documents do not pause the clock — they restart it. Prepare the following before you file:

• Articles of association (Umowa spółki) — notarised or filed electronically via S24, listing crypto activities in the company’s objects clause.
• KRS extract — current printout from the National Court Register, dated no earlier than three months before submission.
• UBO declarations — each beneficial owner holding 25% or more must submit a signed declaration identifying themselves and confirming the accuracy of beneficial ownership data.
• Criminal record certificates — required for each board member, proxy, and UBO. Polish nationals obtain this from the National Criminal Register (KRK); foreign nationals must obtain an equivalent certificate from their country of residence and have it apostilled or legalised.
• Proof of share capital payment — a bank statement or notarial confirmation showing the PLN 5,000 (or higher amount stated in the articles) has been deposited into the company account.
• Business plan — a substantive document, typically 15–30 pages, covering the services offered, target markets, revenue model, IT infrastructure, and projected financials for the first two years. Regulators reject plans that are generic or copied.
• IT security policy — a written policy describing how client assets and data are protected, including wallet custody arrangements, access controls, encryption standards, and incident response procedures. This document feeds directly into DORA compliance (see Staff and Governance below).

Poland’s AML Act places crypto firms in the same category as banks and payment institutions for most compliance obligations. The framework is detailed and enforced — the Financial Intelligence Unit (GIIF) can and does audit registered VASPs.

• Internal AML/CFT policies — written procedures covering customer due diligence (CDD), enhanced due diligence (EDD) for high-risk clients, politically exposed persons (PEP) screening, and sanctions list checks. Policies must be reviewed and updated at least annually.
• Designated AML officer — you must appoint a named individual responsible for AML compliance before registration. This person does not need to be Polish but must be reachable by GIIF and must have demonstrable AML experience. The officer’s CV and qualifications are reviewed as part of the application.
• Risk assessment — a documented, jurisdiction-specific risk assessment covering the services offered, client types, delivery channels, and geographic exposure. The assessment must follow the methodology set out in the AML Act and reference the national risk assessment published by the Polish government.
• Suspicious transaction reporting threshold — transactions at or above €15,000 (or equivalent in PLN or crypto) trigger enhanced due diligence. Suspicious transactions of any value must be reported to GIIF within 24 hours of detection. Automated monitoring tools are not legally required but are effectively necessary at any meaningful transaction volume.
• Record retention — KYC documents, transaction records, and STR logs must be retained for five years from the date of the transaction or the end of the business relationship.

Poland’s VASP requirements do not set a headcount minimum, but the quality and residency of key personnel are examined during the application review and any subsequent audits.

• EU/EEA-resident director — at least one board member must be resident in the EU or EEA and available to attend meetings with regulators on short notice. This is a practical expectation rather than an explicit statutory requirement, but applications with fully offshore management structures face heightened scrutiny.
• Fit and proper assessment — directors and senior managers must demonstrate that they have not been convicted of financial crimes, fraud, money laundering, or terrorism financing offences. The criminal record certificates serve as the primary evidence. Regulators also review professional backgrounds for relevant experience.
• Compliance officer — distinct from the AML officer (though one person can hold both roles if the firm is small enough), the compliance officer is responsible for ongoing regulatory monitoring, filing obligations, and internal audit. The role must be resourced sufficiently to handle the firm’s actual transaction volumes.
• DORA compliance — the Digital Operational Resilience Act applies to crypto-asset service providers from January 2025. This requires a documented ICT risk management framework, business continuity and disaster recovery plans, regular resilience testing, and a process for reporting major ICT-related incidents to the KNF within defined timeframes. The IT security policy in your application file is the starting point; DORA requires it to be operationalised and tested on a recurring basis.

Poland operates a two-tier registration system. Pre-MiCA, you file with the VASP register maintained by the Director of the Tax Administration Chamber in Katowice. Under the incoming MiCA regime, supervised by the Polish Financial Supervision Authority (KNF), you submit a formal CASP authorisation application. Both fees apply if you are in the transition window and need current registration while your CASP application is pending.

The €4,500 CASP application fee is set under MiCA implementing rules — this figure is not widely publicised by competitors but is confirmed in KNF guidance. Company registration via the S24 online system costs PLN 250; the paper route runs up to PLN 500.

MiCA Article 67 sets minimum own funds thresholds by service category. The capital must be paid in and held — it is not a fee you pay and lose; it stays on your balance sheet. However, it is real cash you cannot deploy until regulatory conditions are met.

A standard exchange covering custody, fiat-to-crypto conversion, and crypto-to-crypto trading typically falls into Class 2, requiring €125,000 locked on the balance sheet at authorisation. Plan your funding round with this figure as a hard floor.

One-time fees are the smaller problem. The recurring costs below repeat every year and scale with your revenue. Budget for all of them from day one.

The KNF supervisory fee is the figure most guides omit entirely. At 0.1% of gross revenue, it becomes material as you scale: a business turning €10 million per year pays €10,000 to the regulator annually, on top of all other costs.

The table below combines all categories for a Class 2 CASP (the most common profile for a crypto exchange). “Cash out” shows money you spend and do not get back. “Capital lock-up” shows money that stays on your balance sheet.

Cash out total (Year 1, excl. supervisory fee): approximately €35,560–87,620. Add the KNF supervisory fee on top based on your revenue projection. Add €125,000 in capital that must sit on the balance sheet.

Poland levies CIT at a standard rate of 19% on net profits. However, companies whose annual revenue does not exceed €2 million qualify for a preferential 9% CIT rate — one of the lowest headline rates in the EU and a significant advantage for early-stage crypto businesses that are still scaling. The €2 million threshold is assessed on gross revenue (przychody), not profit, so a high-revenue, low-margin exchange could lose access to the preferential rate faster than a custody-focused CASP with lower transaction volumes.

Crypto-to-crypto exchanges are not a taxable event for CIT purposes in Poland. Tax arises only when crypto-assets are converted to fiat currency or used to pay for goods and services. This means a CASP can rebalance reserves, accept crypto payments from clients, and hold digital assets on its balance sheet without triggering a CIT liability until a fiat conversion occurs. Deductible costs include acquisition price of crypto-assets, transaction fees, licensing and compliance expenses, office rent, and staff salaries — standard business expense rules apply.

Individual shareholders, founders, and employees who hold or trade crypto-assets in their personal capacity are subject to a flat 19% capital gains tax on net profits from the disposal of virtual currencies. “Disposal” means conversion to fiat, payment for goods or services, or exchange for a non-crypto asset. As with CIT, crypto-to-crypto swaps are not a taxable event for individuals — tax is deferred until fiat conversion.

Gains and losses from crypto transactions are reported in the annual PIT-38 tax return, filed by 30 April of the following year. Losses from crypto trading can be offset against crypto gains in the same tax year but cannot be carried forward to future years or offset against other categories of income (e.g., employment income or rental income). This is a meaningful restriction for traders who experience a loss year followed by a profitable year.

For CASP founders drawing a salary through a Polish employment contract, standard progressive PIT rates apply to that salary income: 12% on the first PLN 120,000 and 32% above that threshold. Dividends paid from a Polish Sp. z o.o. to individual shareholders are subject to a flat 19% withholding tax, though the EU Parent-Subsidiary Directive may eliminate withholding on dividends paid to qualifying EU corporate parents.

Crypto-to-fiat exchange services are exempt from Poland’s standard 23% VAT under the EU VAT Directive, following the CJEU’s landmark Hedqvist ruling (Case C-264/14), which classified virtual currency exchange as a financial service. The exemption applies to the exchange service itself — i.e., the act of converting crypto-assets to fiat and vice versa — and covers both the CASP’s own exchange operations and white-label exchange services provided to third parties.

Other crypto-asset services do not automatically benefit from the VAT exemption. Custody fees, portfolio management charges, advisory fees, and subscription-based access to trading platforms may be subject to the standard 23% VAT rate, depending on how the Polish tax authorities classify the service. The distinction turns on whether the service constitutes a “financial transaction” under Article 43(1)(7) of the Polish VAT Act — a question that requires case-by-case analysis for bundled service offerings.

CASPs providing cross-border services within the EU must also manage VAT reverse-charge rules for B2B transactions and may need to register for VAT OSS (One Stop Shop) for B2C digital services delivered to consumers in other member states. Getting VAT treatment wrong can result in retrospective assessments plus interest, so we recommend obtaining a binding VAT ruling (interpretacja indywidualna) from the Director of the National Tax Information Office (KIS) before launching any service that is not a straightforward crypto-to-fiat exchange.

Any CASP employing staff on Polish employment contracts (umowa o pracę) must pay mandatory social security contributions to ZUS (Zakład Ubezpieczeń Społecznych). The employer’s share of ZUS contributions adds approximately 20% on top of the gross salary, covering pension, disability, accident insurance, and the Labour Fund. For a senior compliance officer earning PLN 15,000 gross per month, the employer pays roughly PLN 3,000 in additional ZUS contributions.

• Pension insurance (emerytalne) — 9.76% employer share, calculated on gross salary up to the annual cap (30× the forecast average monthly salary, approximately PLN 260,000 in 2026).
• Disability insurance (rentowe) — 6.50% employer share, same salary cap as pension.
• Accident insurance (wypadkowe) — 0.67%–3.33% depending on the company’s risk category; office-based CASPs typically pay 0.67%.
• Labour Fund + FGSP (Fundusz Pracy + Fundusz Gwarantowanych Świadczeń Pracowniczych) — 2.45% employer share, mandatory for most employers.

Founders and board members who do not have a separate employment contract but serve on the management board under a corporate appointment (powołanie) are generally not subject to ZUS contributions on their board remuneration. This is a common structure for CASP founders who want to minimize social security costs while drawing a management fee. However, if the same person also has an employment contract with the company, ZUS applies to the employment income regardless of the board appointment.

An alternative used by many tech and crypto companies in Poland is the civil-law contract (umowa zlecenie) for contractors and part-time staff. ZUS contributions apply to zlecenie contracts as well, but the rates and caps differ slightly. For international hires working remotely from outside Poland, ZUS obligations generally do not apply — but the CASP must verify the employee’s social security status under EU coordination rules (Regulation EC 883/2004) or bilateral agreements to avoid double contributions.

VASP violations cover failures under the domestic AML/CFT regime — for example, operating without registration, failing to perform customer due diligence, or not filing suspicious transaction reports with the General Inspector of Financial Information (GIIF). KNF may impose an administrative fine of up to 100,000 PLN per individual breach, and fines can accumulate across multiple simultaneous violations.

CASP violations under MiCA apply from the date MiCA became fully applicable. KNF, acting as the competent authority designated under MiCA Article 93, can impose fines of up to €5,000,000 on legal persons, or up to 10% of total annual turnover — whichever figure is higher. For natural persons, the ceiling is €700,000. Aggravating factors include repeat offences, intentional conduct, and harm caused to clients.

AML criminal liability targets the most serious breaches — deliberately facilitating money laundering or terrorist financing through a crypto business. Conviction carries a custodial sentence ranging from 3 months to 5 years. Prosecutors can pursue individuals at the director or beneficial-owner level, not just the entity.

KNF enforcement powers extend beyond fines. The regulator can suspend a CASP’s authorisation, prohibit it from onboarding new clients, require it to cease specific activities, or revoke the licence entirely. KNF also publishes enforcement decisions on its website, creating significant reputational exposure alongside the financial penalty. Any business operating in Poland — or passporting into Poland under MiCA — should treat KNF’s supervisory capacity as a live operational risk.

CASP-authorized entities in Poland must submit periodic reports to both KNF and GIIF (General Inspector of Financial Information). The reporting calendar covers financial, prudential, and AML dimensions:

• Annual financial statements — audited accounts must be filed with KNF within the timeframe set by the Polish Accounting Act, typically within six months of the financial year-end
• Capital adequacy reports — quarterly submissions demonstrating that own funds remain above the MiCA minimum (€50,000–€150,000 or one quarter of fixed overheads, whichever is higher)
• Suspicious transaction reports (STRs) — filed with GIIF without delay whenever a transaction or attempted transaction raises AML/CFT concerns, regardless of value
• Above-threshold transaction reports — transactions of €15,000 or more must be reported to GIIF, including linked transactions that cumulatively reach the threshold
• Annual AML risk assessment update — the business-wide risk assessment must be reviewed and updated at least annually, with the revised version available for KNF or GIIF inspection on request

Missing a reporting deadline does not trigger an automatic grace period. KNF can impose administrative fines for late or incomplete submissions, and repeated failures may lead to a formal supervisory review of your authorization status.

• FATF Travel Rule — CASPs must transmit originator and beneficiary information with every crypto-asset transfer. For transfers between two CASPs, the originator’s name, account number, and address (or national identity number or date and place of birth) must accompany the transaction. Poland enforces this under the EU Transfer of Funds Regulation (TFR), which applies directly alongside MiCA
• OECD Crypto-Asset Reporting Framework (CARF) — Poland has committed to implementing OECD CARF, which requires CASPs to collect and report tax-relevant information on customers’ crypto-asset transactions to Polish tax authorities, who then exchange data with other participating jurisdictions. First reporting periods are expected from 2027
• Unhosted wallet due diligence — transfers to or from wallets not hosted by a regulated CASP require enhanced due diligence measures, including verifying whether the customer controls the wallet and assessing the risk profile of the transaction before processing

The Travel Rule and CARF create parallel data-collection obligations. Building a single compliance infrastructure that satisfies both frameworks from the outset avoids costly retrofitting when CARF reporting goes live.

KNF exercises continuous supervision over all CASP-authorized entities. Supervision is risk-based: entities with higher transaction volumes, more complex service offerings, or prior compliance issues receive more frequent attention. Key supervisory touchpoints include:

• KNF supervisory fee — CASPs pay an annual supervisory fee to KNF, calculated as a percentage of revenue (proposed at 0.1% under the latest draft legislation). The fee funds KNF’s ongoing oversight activities and is due within the deadline set by KNF each year
• On-site and off-site inspections — KNF may conduct inspections at any time, with or without advance notice. Inspections typically cover AML compliance, capital adequacy, governance arrangements, and complaints handling. Entities must provide full access to records, systems, and personnel
• DORA compliance — the Digital Operational Resilience Act (EU 2022/2554) requires CASPs to maintain ICT risk management frameworks, report major ICT-related incidents to KNF, conduct regular digital resilience testing, and manage third-party ICT provider risks. Smaller CASPs benefit from a simplified regime but are not exempt
• Sanctions screening — CASPs must screen all customers and counterparties against EU, Polish, and UN sanctions lists before onboarding and on an ongoing basis. Matches must be escalated and, where confirmed, transactions frozen and reported to GIIF
• Record retention — all transaction records, customer identification data, risk assessments, and internal correspondence related to compliance must be retained for a minimum of five years after the end of the business relationship or the date of the transaction, whichever is later

KNF publishes enforcement decisions and supervisory expectations on its website. Staying current with these publications is part of the compliance obligation — ignorance of a published supervisory position is not a defence in enforcement proceedings.

Poland holds an edge over Lithuania on government fees (€4,500 vs. €5,200) and on market access: Poland's 38 million consumers represent one of the largest retail crypto markets in Central and Eastern Europe, whereas Lithuania's domestic market is roughly 2.8 million people. If your business model depends on local customer volume or local banking relationships, Poland is the stronger base.

Lithuania wins on one dimension that matters to some operators: it has processed more MiCA transitional applications than any other Baltic state and its Bank of Lithuania runs a dedicated RegTech sandbox. If you need rapid MiCA authorisation and your team already has Lithuania-based infrastructure, the shorter average processing window in Vilnius may outweigh Poland's cost advantage. The €700 fee difference alone does not justify a jurisdiction switch—but processing speed might.

The Czech Republic charges the lowest government fee of the four jurisdictions at €3,000, which is €1,500 less than Poland. That saving is real, though it is a one-time cost rather than an ongoing structural advantage. On CIT, the Czech flat rate of 19% is higher than Poland's small-business rate of 9% (available to companies with annual revenue below PLN 2 million, roughly €450,000). Businesses that qualify for the 9% rate will save meaningfully on tax year over year—outweighing the upfront fee difference within the first operating year.

Where the Czech Republic legitimately wins: timeline certainty. Czech authorities have a well-established track record with crypto registrations predating MiCA, which means more predictable processing and a mature legal services ecosystem around crypto compliance. If your legal team has existing Czech relationships or your target market skews toward Central European exchanges and payment corridors, the Czech Republic is a defensible choice—not merely a consolation option.

For a casp license poland application, the combination of Poland's market size, the 9% CIT option, and the EU passport under MiCA gives it a stronger overall profile for most operators. But businesses prioritising upfront cost minimisation over ongoing tax efficiency should run the numbers for their specific revenue projections before committing.