Crypto Custody Regulations in Germany: MiCAR, BaFin Licensing & Compliance Guide
Storing digital assets in Germany isn't just about keeping your private keys safe. It is a highly regulated activity that sits at the intersection of banking law and European Union directives. If you are looking to offer custody services or hold significant amounts of crypto through a professional provider, you need to understand the strict rules enforced by BaFin, the Federal Financial Supervisory Authority.
The landscape changed dramatically with the full implementation of the Markets in Crypto-Assets Regulation (MiCAR) on January 1, 2025. This shift moved Germany from its initial 2020 framework under the Banking Act (KWG) to a more comprehensive EU-wide standard. For businesses, this means higher entry barriers but greater legal certainty. For investors, it promises stronger protection for their assets. Let’s break down what these regulations actually mean for you in 2026.
The Dual Regulatory Framework: MiCAR and KWG
Germany operates under a unique dual-track system. On one side, you have the European Union’s MiCAR regulation. On the other, you have Germany’s national Banking Act, known as the Kreditwesengesetz (KWG). Understanding which rule applies depends entirely on the type of crypto asset you are handling.
If you are dealing with cryptocurrencies like Bitcoin or Ether, MiCAR is your primary guide. These assets fall under the scope of Crypto-Asset Service Providers (CASPs). However, if you are holding security tokens or assets that qualify as securities under civil law, the older MiFID II framework and the KWG still apply. This distinction creates a complex environment where providers often need to navigate two different sets of rules simultaneously.
| Asset Type | Primary Regulation | Licensing Body | Key Requirement |
|---|---|---|---|
| Cryptocurrencies (e.g., BTC, ETH) | MiCAR | BaFin | CASP License |
| Security Tokens / Civil Law Securities | KWG / MiFID II | BaFin | Banking License |
| Utility Tokens | MiCAR | BaFin | CASP License |
This split exists because German lawmakers wanted to ensure that assets resembling traditional stocks get the same level of scrutiny as actual stocks. While this provides clarity, experts note it increases compliance costs by roughly 25% compared to countries that apply MiCAR uniformly. You must identify exactly what you are holding before you can determine your regulatory path.
Strict Technical and Operational Requirements
Getting a license is only the first step. Maintaining it requires meeting rigorous technical standards. BaFin does not accept vague promises of security; they demand documented proof. Under the current guidelines, custody providers must implement robust internal control mechanisms that separate client assets from the custodian’s own holdings. This segregation is non-negotiable and must be physically or logically separated.
Here are the specific technical hurdles you face:
- Capital Requirements: Pure crypto custody providers need a minimum operational capital of €125,000. If you offer multiple services, such as exchange and custody, this jumps to up to €730,000 under MiCAR Article 6.
- Cybersecurity Standards: Hardware wallets must meet Common Criteria EAL 4+ certification. Software solutions require regular penetration testing by independent third parties, with results submitted to BaFin quarterly.
- Data Retention: You must keep detailed transaction records for at least five years. This aligns with anti-money laundering (AML) obligations.
- Business Continuity: Your systems must withstand disruptions for at least 72 hours without losing access to client assets. This includes having backup power, internet connections, and personnel plans.
These requirements are designed to prevent scenarios like the collapse of FTX, where commingled funds led to massive losses. In Germany, if a custodian goes bankrupt, client assets should remain untouched and accessible. This is why BaFin emphasizes "safeguarding" as a core function of custody, distinct from simple "safekeeping."
The Licensing Process: What to Expect
Applying for a crypto custody license in Germany is a lengthy and expensive process. Between January 2020 and June 2025, BaFin received 87 applications for crypto custody services. The average processing time reported by industry founders is around 7.2 months, though some institutions using accelerated procedures have cut this down to three months.
The application itself is massive. BaFin requires 47 distinct documentation components. This includes detailed business plans, organizational charts showing three lines of defense, IT security architecture diagrams, and proof of capital. You also need to employ at least two senior managers with "fitness and propriety" certification. There is currently a shortage of these certified officers in Germany, which can delay hiring and setup.
For existing players, there was a grandfathering period until December 31, 2025. After this date, all providers must operate under full MiCAR compliance. If you were running a service under the old 2020 rules, you had to upgrade your systems and governance structures significantly to survive into 2026. Many smaller firms struggled with this transition, citing the bureaucratic burden as excessive.
Market Impact and Institutional Adoption
Despite the complexity, the German market for crypto custody is growing fast. As of June 30, 2025, total assets under custody reached €48.7 billion, a 28.3% increase year-over-year. This growth is driven largely by institutional investors who value regulatory certainty over speed.
Traditional banks are leading this charge. Deutsche Bank, Commerzbank, and DZ Bank collectively hold 58% of the market share by assets under custody. They benefit from an accelerated notification procedure under MiCAR Article 91(2), which allows them to leverage their existing MiFID II licenses. This gives them a significant advantage over pure-play crypto startups that have to build their compliance infrastructure from scratch.
However, specialized providers like Coinbase Custody and Finoa are also gaining ground, holding 27% of the market combined. They appeal to clients who want dedicated crypto expertise rather than a bank treating crypto as a side product. The choice between a bank and a specialist often comes down to trust and specific service needs.
Future Outlook: DAC 8 and Tax Changes
Looking ahead to late 2026 and beyond, new pressures are emerging. The DAC 8 reporting requirements, set to take effect on January 1, 2026, will mandate that custody providers report crypto transactions to tax authorities. This aligns with the OECD’s Crypto-Asset Reporting Framework. Providers must implement new technical interfaces by Q4 2025 to comply, adding another layer of cost and complexity.
Tax treatment is also evolving. A March 2025 circular introduced distinctions between active and passive staking, with active staking now taxed as commercial income. This affects how custody providers advise their clients and structure their services. Additionally, the planned revision of civil securities law by Q2 2026 may reclassify more tokens as securities, potentially forcing more providers to seek full banking licenses instead of financial services licenses.
While these changes add friction, they also mature the market. Deloitte forecasts a 45% reduction in custody-related incidents following full MiCAR implementation. For serious investors and institutions, Germany’s rigorous approach offers a safer harbor than less regulated jurisdictions, even if it costs more to enter.
How long does it take to get a crypto custody license in Germany?
The average processing time for a new crypto custody license application in Germany is approximately 7.2 months. However, established financial institutions already licensed under MiFID II can use an accelerated notification procedure, reducing the timeline to about 3 months. The process involves submitting 47 distinct documentation components to BaFin.
What is the minimum capital required for crypto custody in Germany?
Under MiCAR regulations, a pure crypto custody provider must hold a minimum operational capital of €125,000. If the provider offers multiple services, such as trading and custody, the requirement increases significantly, up to €730,000 depending on the specific activities covered under MiCAR Article 6.
Does MiCAR replace the German Banking Act (KWG) for crypto?
Not entirely. Germany uses a dual framework. MiCAR regulates cryptocurrencies like Bitcoin and utility tokens. However, security tokens and assets that qualify as securities under civil law remain regulated under the German Banking Act (KWG) and MiFID II. Providers often need to comply with both sets of rules depending on their asset mix.
Who oversees crypto custody regulations in Germany?
The Federal Financial Supervisory Authority, known as BaFin, is the primary regulatory body overseeing crypto custody services in Germany. BaFin issues licenses, conducts audits, and enforces compliance with both national laws like the KWG and EU regulations like MiCAR.
When do DAC 8 reporting requirements start in Germany?
DAC 8 reporting requirements are set to take effect on January 1, 2026. Custody providers must implement new technical interfaces to report crypto transactions to tax authorities by Q4 2025 to ensure compliance with the OECD’s Crypto-Asset Reporting Framework.