Poland's encryption asset bill draft passed: regulatory upgrade, significantly increased licensing thresholds!

Written by: Huang Wenjing, Chen Haoyang

On September 26, 2025, the Polish lower house (Sejm) passed the draft of the Crypto-Assets Market Act (referred to as the “Act”) with 230 votes in favor and 196 against. Although the Act still needs to be reviewed by the upper house (Senate), signed by the president, and will take effect 14 days after publication (except for Article 70: regarding internet domain blocking, registration lists, and access restrictions, which will take effect 4 months after the Act is published), this legislative milestone also marks a new phase in the country's cryptocurrency regulatory system.

This bill is not only the “Comprehensive Cryptocurrency Regulatory Framework” in Poland but also a deep integration into the EU MiCA unified framework: during the legislative process, the bill underwent approximately 3-4 rounds of deliberation and the refinement of 45 amendments (including adjustments to licensing boundaries and penalty standards), ensuring a smooth transition from the loose era of “anti-money laundering registration” to the orderly track of “comprehensive licensing regulation.”

For crypto practitioners who intend to engage in crypto trading, token issuance, custody, or payment settlement in Poland, this means that regulatory oversight is about to shine down—future operations must be conducted with a license, otherwise it will be difficult to avoid fines or being forced out.

Regulatory targets and scope: All “crypto players” are under scrutiny.

The regulatory subjects defined by the legislation are highly consistent with MiCA. Poland's legislation this time did not redefine the regulatory boundaries but fully incorporated the regulatory subjects and business scope established in MiCA into domestic law. The specific regulatory subjects include:

1. Cryptocurrency asset service providers, with business scope covering the following areas:

Operation of cryptocurrency asset trading platforms;

Wallet custody and asset management services;

Payment and settlement related services;

Other derivative businesses related to cryptocurrency assets.

2. Token issuers: including “asset-backed token issuers” and “e-money token issuers.”

3. Foreign crypto asset service providers: Institutions from other EU member states can provide cross-border services in Poland through the “passport mechanism” of MiCA Article 63.

In summary, as long as you operate or provide any form of cryptocurrency asset services within Poland, regardless of where your company is registered, you must either obtain a license or exit.

Licensed vs. Unlicensed: Regulation enters the era of “only those with a license can participate”

The law implements a typical licensing system for cryptocurrency asset businesses. Only institutions authorized by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) and holding a Cryptocurrency Asset Service Provider License (CASP License) can operate legally.

Licensed Entity

Can conduct approved business within Poland or for Polish users. After obtaining a license, the institution must continuously fulfill compliance obligations (including regular reporting, internal audits, capital adequacy, risk control, etc.).

unlicensed entity

Those who provide cryptocurrency services without permission will face hefty fines or criminal penalties. The bill explicitly lists multiple illegal situations and punishment standards (see below).

Basic requirements and operating costs for licensed entities: capital, compliance framework, and continuity costs have all increased comprehensively.

This is the core part of the entire bill and the most noteworthy aspect. The regulatory logic is very clear: to obtain a license, one must have money, a system, and capability.

(1) Capital requirement:

The bill states that CASPs must have “sufficient funds,” which not only sets a minimum threshold for the registered capital of licensed entities but also encompasses a comprehensive assessment of capital strength, including liquidity management, risk reserve allocation, and the protection of customer asset segregation, to ensure compliance and solvency during market fluctuations and risk events.

Currently, Poland has not yet enacted any secondary regulations regarding minimum registered capital, therefore the MiCA standards remain the primary reference. Below are the minimum capital requirements based on the different types of services provided by CASPs as outlined in MiCA:

In addition to the required paid-in capital, regulatory authorities require CASPs to maintain “sufficient capital on an ongoing basis”. If there is insufficient funding due to business fluctuations, market losses, etc., it must be replenished in a timely manner.

(2) Regulatory costs and compliance expenses: Operating “compliance” means continuous investment.

1. The bill outlines the cost-sharing and fee structure for regulating the cryptocurrency asset market, specifying how Token Issuers and CASPs are to finance the regulatory framework:

License and assessment fees: Costs vary depending on the type of license or assessment, with a maximum of € 4,500;

Information document approval: Approval document: €3,000; Modification document: €1,000;

The annual license maintenance fee and regulatory fee for CASPs: based on the average total income over the past 3 years, the fee range is €500 - 0.4% of the average annual income.

The annual license maintenance fee and regulatory fee for Token Issuers: the charge ranges from €500 to the product of the arithmetic average of the total financial liabilities arising from the issuance of asset-linked tokens or electronic money tokens and an interest rate not exceeding 0.5%.

2. In addition to the costs associated with regulating the cryptocurrency market, licensed entities must also incur the following expenses during their operation:

Periodic financial and compliance audit expenses;

External legal counsel and technical compliance costs;

Costs for KYC systems, risk monitoring, and AML technology platform construction.

Key Compliance and Risk Management Focus for Licensed Entities

Licensed institutions must still ensure compliance and risk management during their operations. To this end, the legislation proposes multi-layered risk control and compliance requirements.

(1) Governance Structure and Compliance Framework: Must operate “like a financial institution”.

The bill requires CASPs to establish a comprehensive governance and compliance system, including:

Establish independent compliance, risk control, and internal audit departments;

Management must possess professional qualifications and have no adverse records.

Establish a risk identification, internal control, and anomaly reporting system;

Establish a professional confidentiality system and clarify technical standards.

Strictly implement anti-money laundering (AML) and know your customer (KYC) requirements.

In particular, Article 22 emphasizes: each institution must establish internal regulations to refine the technical standards for “professional confidentiality and information protection.” These standards are not limited to the company level but also include technical details such as system security, data access, information encryption, and internal transmission mechanisms.

The specific details of these technical standards will not all be written into the text of the bill; instead, they will be gradually issued and implemented by the KNF through “secondary regulations.” These secondary regulations will standardize the reporting content, operational details, technical compliance standards, cybersecurity standards, and regulatory interfaces, ensuring consistency in execution across all institutions. This means that licensed institutions must closely monitor the accompanying guidelines, rules, and implementation standards issued by the KNF in addition to the text of the bill itself; otherwise, there is a risk of “formal compliance but substantive violation.”

(2) Information Disclosure and Regulatory Reporting Obligations

CASPs must regularly disclose the following to the KNF:

Financial condition and risk structure;

Reserves, trading volume, liquidity indicators;

System operation and security status;

Compliance controls, governance changes, significant transactions, etc.

Any event that may affect the security of customer assets or market stability must be reported immediately along with the corresponding response measures. Regulatory authorities may also publicly disclose punishment decisions to ensure transparency and market accountability.

(3) Risk Management System

Licensed entities must establish a comprehensive system covering market risk, operational risk, and liquidity risk. The requirements include:

Conduct regular stress tests;

Establish an abnormal transaction monitoring system;

Implement a customer segmentation and high-risk account identification mechanism.

(4) Investor Protection and Information Transparency

The bill imposes higher requirements on licensed entities in terms of investor protection and information disclosure:

Fully disclose the risks of crypto assets;

Conduct suitability assessments for retail clients;

Establish a customer asset isolation and compensation mechanism;

Set up channels for complaint handling and dispute mediation.

Regulators hope to rebuild investor trust and market security through institutional development.

(V) Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT)

In line with EU standards, CASPs must implement:

Full-process KYC certification;

Suspicious transaction monitoring and reporting;

Enhanced scrutiny of high-risk customers;

Automated traceability mechanism.

Violations can not only result in fines but may also lead to the revocation of licenses.

(6) Compliance Audit and Reporting Mechanism

Licensed institutions must:

Regularly undergo external independent audits;

Submit compliance and risk reports annually;

Significant changes in governance, equity, and business structure must be reported in advance for KNF approval.

The specific unified template and deadline requirements will be stipulated in the operational secondary rules to be published by KNF in the future.

Prohibited Acts and Criminal Liability

In addition to explicit compliance requirements and regulatory frameworks, the Polish cryptocurrency asset legislation also imposes strict limitations on the behavior boundaries of participants, clearly enumerating illegal and non-compliant activities that should be avoided in market operations. At the same time, the legislation establishes criminal liability provisions, adding a “high-voltage line” to illegal activities in the cryptocurrency asset field, ensuring market transparency and order through severe punitive measures.

(1) Prohibited actions and penalties (including unlicensed entities)

1. Licensed entity

2. Non-licensed entities

(2) Criminal Responsibility

The following are the main criminal offenses and penalties defined in the bill:

Transition period and execution time: Existing enterprises need to smoothly “migrate”.

To help the market transition smoothly and avoid operational interruptions, the legislation establishes a transition period for registered entities of existing Virtual Asset Service Providers (VASPs): VASPs currently registered under anti-money laundering regulations can continue to operate in compliance with existing rules until July 1, 2026, but must gradually upgrade to the new standards until they obtain CASP authorization or the deadline. The following are the specific requirements of the legislation regarding the transition period, and market participants should also pay attention to the effective implementation of the secondary rules accompanying the legislation.