MiCA PSD2 Dual Licensing Cyprus: Do You Need Both MiCA and PSD2? 2026 Rules for CASP, EMI and PSP Authorisation

The 2026 Crossroads for Cyprus Fintech Regulation

The year 2026 marks a pivotal turning point for the European fintech ecosystem, particularly for Cyprus, a hub for electronic money and crypto-asset services and licensing provider.
The interaction between the Markets in Crypto-Assets Regulation (MiCA) and the Payment Services Directive (PSD2) is creating a dual-licensing challenge that directly affects Electronic Money Institutions (EMIs), Payment Service Providers (PSPs), and Crypto-Asset Service Providers (CASPs).

With the EBA’s No Action Letter (June 2025) granting temporary relief until 2 March 2026, businesses must now decide:

“Do we need both a MiCA licence and a PSD2 (Payment Institution or EMI) authorisation , or just one?”

At CX Financia, we are frequently asked by clients :

“Do we really need both a MiCA licence and a PSD2 authorisation to offer Electronic Money Token (EMT) services in Cyprus ?”

This is one of the most pressing and confusing issues facing CASPs, EMIs, and PSPs today.

That’s exactly why we wrote this article ,to shed light on the MiCA–PSD2 overlap, explain why the 2 March 2026 licensing deadline matters, and invite professionals across the sector to share their views on how the EU should ultimately resolve this dual-licensing challenge.

Our goal is not just to clarify the current regulatory landscape but to start a constructive discussion on what approach best supports both innovation and compliance in Cyprus’ evolving financial ecosystem.

MiCA PSD2 dual licensing Cyprus: Understanding the Regulatory Overlap

MiCA Licensing in Cyprus

MiCA (Regulation (EU) 2023/1114) entered into force in 2024, establishing a harmonised EU framework for crypto-assets. In Cyprus:

• CySEC is the competent authority for CASPs and issuers of Asset-Referenced Tokens (ARTs).
• The Central Bank of Cyprus (CBC) supervises issuers of Electronic Money Tokens (EMTs) and payment/e-money institutions offering crypto-asset services.

The PSD2 Interface

Under PSD2 (Directive (EU) 2015/2366), activities involving fund transfers, payment execution, or custody of client funds are classed as payment services.
MiCA’s Article 48(2) explicitly defines Electronic Money Tokens as electronic money. Consequently, certain crypto services now fall under both regimes simultaneously.

This means a CASP may need a PSD2 licence (PI/EMI) in addition to its MiCA authorisation — a scenario commonly referred to as dual licensing under MiCA.

When MiCA PSD2 Dual Licensing Is Required in Cyprus

In June 2025, the European Banking Authority (EBA) issued what has quickly become one of the most influential documents for the EU’s crypto and payments sectors — the “No Action Letter” on the interaction between MiCA and the Payment Services Directive (PSD2). (For a detailed breakdown of what constitutes a payment service under Cyprus law, see our )

This letter was the EBA’s formal response to months of uncertainty across the EU. Many crypto-asset service providers (CASPs) were already offering Electronic Money Token (EMT) services that looked and behaved like payment transactions, but without a clear legal route under the existing rules. National authorities were unsure whether such activities required an additional licence under PSD2, potentially forcing firms into dual authorisation.

The EBA’s position was pragmatic: it recognised that the legislative framework was still evolving and advised national competent authorities , including the Central Bank of Cyprus (CBC) and CySEC , to refrain from immediate enforcement until 2 March 2026.
This grace period gives firms time to analyse their models, apply for the right authorisation, or structure compliant partnerships, while supervisors finalise guidance and the forthcoming PSD3/PSR framework takes shape.

Importantly, the letter did not remove PSD2 obligations; it merely paused enforcement to ensure consistency across the EU. Firms must therefore use this transition period to determine whether their activities qualify as payment services under PSD2.

According to the EBA’s interpretation, a CASP must hold — or operate through — a Payment Institution (PI) or Electronic Money Institution (EMI) licence from the CBC when its operations effectively perform payment functions. In practice, this applies where a CASP:

• Transfers EMTs on behalf of clients, whether to third parties or between their own wallets;
• Holds or controls clients’ cryptographic keys, giving it effective custody of client funds; or
• Executes or redeems EMT payments, acting as intermediary between payer and payee.

Each of these functions involves handling or executing value on behalf of clients — the core trigger for PSD2 authorisation.

Conversely, no PSD2 licence is required where a CASP:

• Operates crypto-to-fiat or crypto-to-crypto exchanges without controlling client money;
• Facilitates crypto purchases but never intermediates or safeguards funds; or
• Provides advisory, listing, or brokerage services unrelated to payment execution.

The key distinction is functional, not technological: regulators focus on what the service does, not how it is delivered.
If a provider holds client value or processes transactions , even through blockchain infrastructure ,it is, in substance, performing a payment service.

Because of this overlap, any CASP offering EMT transfers or custody must, by 2 March 2026, either:

• Secure its own PI or EMI licence from the CBC; or
• Establish a contractual partnership with an already authorised PSP.

After that date, continuing such services without PSD2 coverage will constitute unauthorised payment activity.

For Cyprus-based providers, this development is more than procedural; it shapes strategic positioning for the next regulatory cycle. Firms that proactively assess their service flows, identify where payment functionality arises, and engage early with the CBC or CySEC will not only remain compliant , they will be best placed to capitalise on the clearer, harmonised regime expected under PSD3.

Cyprus’ Split Supervision Model

Cyprus operates a dual-authority structure for MiCA and payment services supervision:

Area	Competent Authority	Key Scope
CASPs, ART issuers	CySEC	Crypto-asset authorisation & supervision
EMT issuers, EMIs, PSPs	Central Bank of Cyprus	Payment services, e-money, and EMT supervision

CBC’s Strengthened Licensing Framework

In anticipation of the full convergence between MiCA and PSD2, the Central Bank of Cyprus (CBC) has taken proactive steps to reinforce its supervisory framework and enhance regulatory resilience across the payments and e-money sectors. These measures signal Cyprus’s commitment to maintaining both innovation and prudential integrity as the market transitions toward PSD3.

1. New CBC Directives (August 2025)

The CBC introduced a suite of updated Directives for Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs), strengthening the baseline requirements for authorisation and ongoing supervision.
Key enhancements include:

• Higher capital adequacy thresholds, ensuring sufficient buffers against operational and credit risk;
• Full segregation of client funds, with explicit safeguarding standards for both fiat and tokenised assets;
• Enhanced governance and risk-management obligations, aligning domestic oversight with MiCA’s prudential expectations.

2. AML Directive K.D.P. 120/2025

This new directive implements a proportionate, risk-based anti-money-laundering (AML/CFT) regime, consistent with the EU’s Sixth AML Directive. It explicitly discourages blanket service refusals and instead promotes risk-sensitive customer due diligence, particularly for fintechs and crypto-integrated firms. This approach balances financial-crime prevention with market accessibility — a stance that has earned Cyprus growing recognition as a pragmatic regulator.

3. Dedicated Supervisory Directorate

To ensure consistent enforcement, the CBC has also established a specialised directorate for EMIs and PSPs. This dedicated division oversees licensing, risk monitoring, and on-site inspections — with a specific focus on firms integrating crypto-asset functionality into their payment services. The structure provides clearer accountability and deeper subject-matter expertise, streamlining communication between firms and supervisors.

Collectively, these reforms make MiCA licensing in Cyprus both competitive and credible. The jurisdiction now offers an environment where serious operators can pursue innovation within a well-defined, risk-controlled regulatory framework — an approach that continues to attract institutional-grade applicants and strengthen Cyprus’s role as a key EU licensing hub.

PSD3 and PSR: The Next Stage of Harmonisation

The upcoming Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR) represent the EU’s long-term solution to the current overlap between MiCA and PSD2. These legislative instruments, now in the final stages of trilogue negotiations, are designed to create a single, harmonised framework that removes the need for dual authorisation while ensuring equal consumer protection across both traditional and blockchain-based payment systems.

At the heart of the legislative debate are two possible pathways:

Option 1 – Strengthen MiCA (EBA’s Preferred Approach)
Under this model, MiCA would be amended to incorporate key PSD3 and PSR requirements—such as consumer protection, strong customer authentication (SCA), transparency, fraud reporting, and liability for unauthorised transactions.
This would allow CASPs providing Electronic Money Token (EMT) services to operate under MiCA authorisation alone, eliminating the need for a separate PSD2 or PSD3 licence while still maintaining equivalent regulatory safeguards.

Option 2 – Modify PSD3/PSR to Recognise MiCA-Licensed CASPs
Alternatively, PSD3 and PSR could be drafted to explicitly exempt MiCA-authorised entities from additional payment-service authorisation. CASPs would remain subject to certain technical, operational, and security requirements, but supervision would rest primarily with the MiCA competent authority (in Cyprus, CySEC), ensuring consistency without duplicative oversight.

Expected legislative milestones:

• Political agreement: Q1 2026
• Formal adoption: Mid-2026
• Entry into force / application: Late 2027 to early 2028

Until the new regime takes effect, firms in Cyprus must continue operating under both MiCA and PSD2. This means maintaining dual compliance obligations — including separate prudential, governance, and safeguarding requirements — while preparing for the transition to a unified framework under PSD3 and PSR.

For businesses pursuing MiCA licensing in Cyprus, the coming years are best viewed as a strategic preparation window: an opportunity to align internal systems, consolidate controls, and position early for the post-2027 harmonised regulatory landscape.

How to Decide: MiCA PSD2 Dual Licensing Cyprus – Do You Need Both Licences?

A practical assessment framework:

Service	MiCA Licence	PSD2 Licence (PI/EMI)	Comments
Exchange crypto–fiat	✅	❌	MiCA only
Custody wallets (non-custodial)	✅	❌	MiCA only
Custody wallets (custodial transfers enabled)	✅	✅	Dual licensing required
EMT issuance	✅	✅	CBC supervises both
EMT transfer between users	✅	✅	Dual required
Broker/intermediary (no fund control)	✅	❌	MiCA only

Firms should conduct a service-mapping audit to determine where their activities fall.

Strategic Options for Cyprus Firms

As the March 2026 deadline approaches, firms offering Electronic Money Token (EMT) services must decide how to structure their regulatory positioning under MiCA and PSD2. The best path forward depends on business scale, service scope, and timing of market entry. Cyprus, with its dual-supervision framework under CySEC and the Central Bank of Cyprus (CBC), offers three viable strategies:

Option A — Dual Licensing for Full Autonomy
Apply for both MiCA authorisation and PSD2 (PI/EMI) licensing, integrating governance, safeguarding, and capital frameworks from the outset.
This approach ensures complete operational independence across the European Economic Area, enabling firms to provide both crypto-asset and payment services without reliance on third-party PSPs.
It is most suitable for established CASPs or fintech groups with the resources to meet cumulative capital requirements

Best suited for: mature or well-capitalised CASPs and EMIs seeking EU-wide scalability and control.

Option B — Partnership Model under MiCA Article 70(4)
Operate primarily as a CASP under MiCA, while outsourcing payment functions—such as EMT transfers or fiat settlements,to a CBC-licensed PSP or EMI.
This structure allows a firm to offer EMT-related services without direct PSD2 authorisation, reducing capital and time-to-market barriers while maintaining regulatory coverage through the partner’s licence.
Strong contractual oversight and due diligence are critical, as MiCA holds CASPs accountable for the performance of outsourced functions.

Best suited for: start-ups, early-stage CASPs, or firms prioritising speed to market and lower regulatory overheads.

Capital and Compliance Implications for MiCA PSD2 Dual Licensing Cyprus

The European Banking Authority (EBA) has made clear that, for now, capital and prudential requirements under MiCA and PSD2 apply cumulatively, not jointly. This means that entities operating under both frameworks must hold separate initial capital allocations for each authorisation until a harmonised regime takes effect under PSD3/PSR.

Typical thresholds are as follows:

• MiCA (CASP custody or exchange services): minimum €125,000 initial capital
• PSD2 (Payment Institution / Electronic Money Institution): minimum €125,000 for payment execution services
  → Combined initial capital expectation: approximately €250,000

Firms should plan capital adequacy on this cumulative basis, recognising that CBC’s supervisory assessments may require higher thresholds depending on transaction volumes, operational complexity, or cross-border exposure.

Beyond prudential capital, ongoing compliance expectations are becoming increasingly sophisticated. Both CySEC and the Central Bank of Cyprus (CBC) now emphasise:

• Implementation of Strong Customer Authentication (SCA) mechanisms aligned with PSD2 standards;
• Fraud monitoring, incident reporting, and escalation procedures;
• Robust governance and fit-and-proper assessments for key personnel;
• Segregation and safeguarding of client funds, ensuring that crypto and fiat holdings are both properly protected.

Under the CBC’s proportional AML/CFT framework, firms must apply risk-based customer due diligence, continuous monitoring, and transaction screening across both crypto-asset and fiat channels. This integrated approach ensures that AML controls remain consistent regardless of the payment instrument or technology used.

For firms pursuing MiCA licensing in Cyprus, these combined requirements mean that capital planning and compliance design should be treated as one integrated exercise, not separate regulatory obligations. A harmonised governance and control environment not only meets supervisory expectations but also reduces duplication once PSD3 introduces the anticipated single-authorisation model.

Key Risks for 2025–2026

The transition toward full MiCA implementation and PSD2 alignment will test firms’ regulatory readiness across multiple dimensions. Understanding and mitigating these risks early is essential to preserve business continuity and credibility with supervisors.

1. Regulatory Uncertainty

As of late 2025, CySEC and the Central Bank of Cyprus (CBC) have yet to issue joint post-2026 supervisory guidance clarifying how CASPs, EMIs, and PSPs will transition once the EBA’s No-Action period ends. Firms must therefore operate under a moving regulatory landscape, relying on interim EU-level direction while maintaining open dialogue with both authorities.

2. Operational Misclassification

A recurring compliance pitfall is misjudging which services trigger PSD2 obligations. Activities such as wallet-based transfers or custodial EMT services often cross into payment-service territory even when structured as crypto operations. Accurate service mapping and regulatory gap analysis are critical to avoid inadvertent non-compliance.

3. Capital Under-Provisioning

Many firms underestimate the cumulative capital impact of dual licensing. CBC-authorised EMIs and PSPs must maintain higher own funds, while MiCA imposes parallel prudential requirements for CASPs. Failure to provision adequately can delay authorisation or lead to supervisory intervention once MiCA licensing in Cyprus becomes fully operational.

4. Delayed Applications and Approval Timelines

The CBC’s review process for PI/EMI authorisations is thorough and may extend beyond Q4 2025 if submissions are incomplete or require iterative feedback. Late applicants risk missing the 2 March 2026 compliance deadline, leaving insufficient time to obtain or finalise authorisation before enforcement resumes.

5. Heightened Supervisory Scrutiny

Even during the transition period, the CBC continues to prioritise AML/CFT, ICT, and operational resilience—especially under the Digital Operational Resilience Act (DORA). Firms seeking or maintaining authorisation must demonstrate effective risk controls, tested continuity plans, and proportionate due diligence frameworks.

Together, these risks underscore that the 2025–2026 window is not merely a compliance grace period but a regulatory proving ground. Firms that anticipate and address these challenges now will enter the post-2026 regime with stronger foundations and greater supervisory trust.

Preparing Now: A Compliance Roadmap

With the March 2026 transition deadline approaching, firms should use the remaining months to secure compliance readiness under MiCA and PSD2.
A focused roadmap includes:

1. Map Services and Risks – Identify which activities trigger PSD2 obligations and where MiCA coverage alone suffices.
2. Engage Early with Regulators – Schedule pre-application meetings with CySEC and the Central Bank of Cyprus to confirm documentation and expectations.
3. Prepare Unified Documentation – Align business plans, governance frameworks, and AML policies to satisfy both MiCA and PSD2 requirements.
4. File Ahead of Q4 2025 – Early submission allows time for regulatory feedback before 2 March 2026 enforcement resumes.

A streamlined compliance plan ensures continuity and demonstrates supervisory readiness during the EU’s regulatory transition period.

The Cyprus Advantage

Cyprus continues to distinguish itself as one of the European Union’s most strategic hubs for financial licensing and regulatory innovation. Its combination of mature supervision, flexible business environment, and access to the single market makes it particularly attractive for firms navigating the intersection of MiCA and PSD2.

Key strengths include:

• Experienced supervision by the Central Bank of Cyprus (CBC) and CySEC, applying a proportionate, risk-based approach that supports innovation while maintaining prudential standards.
• EU passporting rights that allow Cyprus-licensed EMIs, PSPs, and CASPs to provide services seamlessly across all EEA member states.
• A strong ecosystem of legal, compliance, and RegTech professionals, ensuring high-quality advisory and operational support throughout the licensing and post-authorisation journey.
• A progressive stance on crypto-payment services, aligning domestic implementation with MiCA’s framework for asset-referenced and electronic money tokens.

By securing MiCA licensing in Cyprus, firms gain not only regulatory credibility but also scalable access to the EU market — combining a compliant foundation with strategic flexibility for long-term growth.

MiCA PSD2 dual licensing Cyprus: What 2026 Means for EMIs and PSPs

March 2026 compliance deadline marks a turning point in Europe’s licensing landscape under MiCA and PSD2.

For Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) already authorised by the Central Bank of Cyprus (CBC), this transition presents a significant opportunity. Their existing regulatory structures — capital adequacy, safeguarding, governance, and AML frameworks — already align closely with MiCA’s standards. As a result, these firms can extend into crypto-asset and Electronic Money Token (EMT) services with relatively limited structural change, often through a straightforward Article 60 notification.

In contrast, unlicensed Crypto-Asset Service Providers (CASPs) face a decisive inflection point. To continue offering EMT-based payment or custody services after the EBA’s grace period ends, they must:

• Form a partnership with a CBC-licensed PSP or EMI, or
• Begin the authorisation process to obtain their own Payment Institution (PI) or EMI licence.

Firms that delay risk losing operational continuity once the No-Action period expires on 2 March 2026. The months ahead should therefore be used to evaluate service models, initiate applications, and secure compliant structures before supervisory enforcement resumes.

Conclusion: Temporary Complexity, Long-Term Clarity

The coexistence of MiCA and PSD2 has created a short-term period of regulatory overlap for services based on Electronic Money Tokens (EMTs). For the next two years, firms will need to navigate this dual framework carefully — ensuring that payment-like services are licensed under PSD2 while continuing to meet MiCA’s crypto-asset obligations.

However, the horizon is already shifting. The forthcoming PSD3 and Payment Services Regulation (PSR) are expected to merge the two frameworks by 2028, streamlining authorisations and removing duplication. When that happens, Europe’s regulatory landscape for digital assets and payment services will finally converge under a single, technology-neutral regime.

Until then, strategic preparation is the differentiator. Firms that align early with CySEC and the Central Bank of Cyprus, assess their operational scope, and adopt proportionate compliance measures will not only meet the 2026 expectations — they will enter the unified regime positioned for sustainable growth.

Cyprus, with its coordinated supervision and EU passporting access, remains one of the most structured jurisdictions for building compliant digital-finance models that bridge traditional payments and emerging crypto innovation.

Understanding Your MiCA Licensing Pathway in Cyprus

“Building on this transition, firms must now map their business models against MiCA and PSD2 criteria to confirm where dual authorisation applies.”

A structured assessment of your operational model against CySEC and Central Bank of Cyprus (CBC) criteria is therefore essential. This includes mapping services, reviewing custody or payment functionalities, and identifying whether dual authorisation or a partnership arrangement is the most effective approach.

At CX Financia, our regulatory specialists support clients throughout this process — from preparing MiCA licence documentation and coordinating dual-licence applications, to aligning frameworks with AML/CFT and DORA standards.

As the March 2026 transition period approaches, clarity on your licensing position is key to ensuring uninterrupted operations within Cyprus’s evolving MiCA–PSD2 environment.

You can explore more about licensing requirements through our article What is a Payment Service Provider License in Cyprus.

Contact us to secure your MiCA licensing in Cyprus before the March 2026 transition or more info about MiCA PSD2 dual licensing in Cyprus.

Read more about:

CySEC’s official register for CASPs

Central Bank of Cyprus (CBC) List of EMIs/PSPs