An updated and practical guide to understanding how the CNMV controls and supervises CASPs under MiCA, what it requires in practice, and how a company can successfully navigate a continuous supervision process.

CNMV MiCA supervision has become the new regulatory axis for any company wishing to operate as a crypto-asset service provider in Spain. And, although many companies focus solely on CASP registration, the truth is that supervision goes much further. It affects solvency, custody, corporate governance, technology, and operational conduct.

In this article, we clearly and practically review how this continuous supervision works, what the CNMV truly expects, and what CASPs must prepare to operate with legal certainty. We also explain how the technical work of Cryptoveritas 360 facilitates successful supervision through crypto architecture auditing, traceability, and custody.

If you wish to delve deeper, you can consult other related articles on our blog, such as the Definitive Guide to Obtaining the CASP License from the CNMV (MiCA 2025) or our Simple Guide to the MiCA Regulation.

The CNMV as the Central Supervisor under MiCA

With MiCA, the CNMV has transitioned from a peripheral observer to a regulator with full authority to authorize, review, and oversee CASPs. This change is significant: it represents a leap from a model based on voluntary registrations (such as for advertising) to a real and demanding supervision regime.

MiCA, approved by the European Parliament, stipulates that each Member State must designate a primary supervisor. In Spain, this responsibility falls to the CNMV, which also applies the technical guidelines issued by ESMA and the EBA.

In summary: the CNMV no longer observes; it supervises. And this supervision is dynamic: it adapts to the CASP’s size, operational risks, business model, and the robustness of its internal governance.

To better understand it, it is useful to divide the process into phases.

The Supervision Process for CASPs under MiCA: Step by Step

Phase 1: The CASP Registration Application to the CNMV

CASP registration marks the starting point. Far from being a simple formality, it consists of a complex, structured, and deeply technical application. The CNMV evaluates, among other aspects:

• Program of activities: clear description of crypto services, target markets, and operational structure.
• Minimum capital: between €50,000 and €150,000, depending on the type of service.
• Corporate governance: administrators, directors, significant shareholders, and their professional suitability.
• Operational risks: cybersecurity, market, external providers, technology.
• Custody: security, segregation, and internal processes.
• Anti-money laundering: AML/CFT policies, KYC, and transaction monitoring.

In practice, preparing a solid dossier usually requires months of coordination. Experience shows that dossiers integrating specialized legal advice with technical support — such as that from Cryptoveritas 360 — are more coherent, complete, and aligned with what the CNMV expects.

If you need a complete overview of the process, you can review our Definitive Guide to Obtaining the CASP License.

Phase 2: CNMV Evaluation and Resolution

Once the application is submitted, the CNMV has a maximum period of three months to issue a resolution, although this may be extended if the dossier is complex. During this period, the supervisor reviews each element in detail.

It is common to receive requests for additional information: clarifications, policy modifications, expanded documentation, or technical justifications. The suitability of administrators and shareholders is also analyzed, which includes reputation, experience, and financial capacity.

In cross-border cases, the CNMV coordinates its review with other European authorities, following the procedures defined by ESMA and the official technical documentation of MiCA available in the ESMA MiCA section.

Phase 3: Continuous Supervision and Regulatory Reporting

Authorization does not mark the end of the process, but the beginning of constant supervision. The CASP comes under permanent surveillance, which includes:

Periodic Reporting

• Financial reports: solvency, liquidity, audits.
• Operational reports: transaction volume, incidents, client activity.
• Compliance: AML/CFT controls, alerts, corrective measures.

The frequency varies according to the entity’s risk: it can be quarterly, annually, or even monthly.

On-site Inspections

The CNMV may conduct scheduled or unannounced on-site inspections. During these inspections, it reviews documentation, interviews employees, and analyzes the effectiveness of internal controls.

Remote Supervision

The CNMV also monitors the CASP’s operational data to detect risk patterns. For example, a sudden increase in transaction volume can trigger an alert.

Phase 4: External Audits and Certifications

MiCA requires CASPs to undergo periodic external audits. These audits are key to validating internal controls and the robustness of the technological architecture.

This is where Cryptoveritas 360 provides differential value: portfolio analysis, technical review of blockchain architecture, traceability, and verification of custody models.

How to Prepare for Efficient Supervision?

In our experience at IN DIEM Abogados, the best-prepared CASPs share common elements:

• Updated and realistic documentation: no generic templates.
• Aligned teams: legal, compliance, and technology speak the same language.
• Robust custody: segregation, fragmented keys, and documented recovery.
• Complete logs: accessible and traceable technical evidence.
• Live risk map: frequently reviewed and updated.
• External technical support: partners like Cryptoveritas 360 ensure that systems meet CNMV expectations.

The goal is not to pass supervision, but to turn it into a competitive advantage.

Ongoing Obligations under CNMV MiCA Supervision

Maintenance of Minimum Capital

CASPs must permanently maintain the capital required by MiCA. If it falls, the CNMV may demand a capital increase or even limit activities.

Segregation and Protection of Assets

The CNMV verifies that client assets are segregated, audited, and held with robust procedures. This point is especially critical for companies managing third-party funds or cryptocurrencies.

You can find more information on this topic in the article Cryptocurrency and investment funds registered with the CNMV.

Client Transparency

Information must be clear, understandable, and not misleading. Contracts, fees, and risks must be explained without ambiguity.

Complaint Management

The CNMV reviews the quality of the internal complaint system. It’s not enough to have one; it must function effectively.

Regulatory Updates

MiCA evolves through RTS and ITS issued by ESMA and EBA. CASPs must update policies, processes, and systems as these technical standards advance.

Frequently Asked Questions

What is CNMV MiCA supervision?

It is the continuous control exercised by the CNMV over authorized CASPs under MiCA.

Is CASP registration mandatory to operate in Spain?

Yes. Without CASP authorization, crypto-asset services cannot be provided in Spanish territory.

What happens if a CASP fails to comply?

The CNMV can impose sanctions, suspend activities, revoke the license, or issue precautionary measures.

Can a CASP operate throughout the EU after being authorized in Spain?

Yes. MiCA establishes a European passport valid for providing services in any Member State.

How do IN DIEM and Cryptoveritas 360 help?

We offer comprehensive support: legal, technical, custody, and blockchain architecture.

Keep in mind…

CNMV MiCA supervision is not a mere formality: it is a thorough oversight system that demands documentary coherence, robust technology, and updated policies. Those who prepare well can operate with legal certainty and competitiveness.

If your company needs to obtain a CASP license, prepare a technical audit, or strengthen its compliance, contact IN DIEM Abogados. We work together with Cryptoveritas 360 to cover all the requirements demanded by the CNMV.

Request a meeting with our MiCA specialist team

How can we help you?

At IN DIEM Abogados, we understand that the process of registering as a crypto-asset service provider (CASP) with the CNMV can seem complex, especially if your company combines legal, financial, and technological components.

That’s why we have designed comprehensive support that unites legal strategy, regulatory compliance, and specialized technical support through our collaboration with Cryptoveritas 360.

Here’s how we can help you at each stage of the journey:

1. Initial assessment and MiCA diagnosis.
   We analyze your business model, the type of services you provide, and regulatory viability according to the MiCA Regulation. We identify the exact type of license you need and the associated legal or technical risks.
2. Preparation of the dossier for the CNMV.
   We draft and adapt all required documents: articles of association, business plan, AML/CFT manuals, organizational structure, security policies, and governance. We ensure everything complies with CNMV standards.
3. Interlocution with the regulator.
   We act as the point of contact with the CNMV during the review and rectification process, reducing timelines and avoiding errors that could delay approval.
4. Technical advice and auditing.
   Through Cryptoveritas 360, we verify your technological systems, blockchain security, wallet custody, traceability, and compliance audits. Legal and technical aspects are integrated into a single workflow.
5. Continuous compliance and training.
   Once the license is obtained, we help you maintain it with periodic audits, employee training, and constant updates to your MiCA and AML policies.

Expert Cryptocurrency Lawyers: Málaga, Seville, Madrid, Las Palmas de Gran Canaria, Almería, Huelva, Marbella, Estepona,…

At IN DIEM Abogados and Cryptoveritas 360 we provide our services at all our offices and locations in Spain, offering direct and personalized coverage in Madrid, Seville, Málaga, Marbella, Las Palmas de Gran Canaria, as well as continuous service through our digital channels for clients throughout the country.

Our multidisciplinary team also advises international companies—including Europe, Latin America and Asia—that wish to establish or expand in Spain under the MiCA regulatory framework, whether through obtaining the CASP license from the CNMV or the incorporation of companies and compliance structures adapted to the European market.

Thanks to a hybrid working methodology (in-person and online), we guarantee the same level of quality, confidentiality and efficiency for both local and foreign clients, supporting each project from initial planning to effective regulatory authorization.

We are at your disposal for anything you need. You can reach us via IN DIEM Lawyers Phone (+34) 916 353 892. For urgent cases, you can contact us on IN DIEM 24-Hour Emergency Lawyers Phone: (+34) 610 667 452.

Did you know that IN DIEM Abogados offers an online service and an urgent service?

We offer our clients the option of being assisted via video call or videoconference, as well as by telephone, according to our clients’ preference, so that the assistance is as personal as possible, with absolute immediacy, without the need to travel. This service is complemented by communication via email, which facilitates the analysis and delivery of documentation.

Likewise, we offer urgent and 24-hour services for our companies, handling national and international contracting operations.

For more information on the Online Legal Advisory Service HERE, the 24-hour and Urgent Service, HERE, and some recognitions, we leave you this link.

Anything else about IN DIEM Lawyers? Here’s a short presentation video…

You will find us in Seville, Madrid, Las Palmas de Gran Canaria, Málaga, Huelva, Punta Umbría, Tomares, Coria del Río, Dos Hermanas, Mairena del Alcor, Estepona, Marbella, Mairena del Aljarafe… it will be a pleasure to serve you…!!