Poland's Cryptocurrency Asset Law Draft Approved: Regulatory Upgrade, Significantly Higher Licensing Threshold

On September 26, 2025, Poland’s Sejm (Lower House) approved the draft of the Crypto-Assets Market Act (referred to as “the Act”) with 230 votes in favor and 196 against. Although the Act still requires review by the Senate, signature by the President, and will take effect 14 days after publication (except for Article 70: concerning internet domain blocking, registration directories, and access restrictions, which will only take effect four months after publication), this legislative milestone marks a new phase in the country’s crypto regulation system.

This Act not only serves as Poland’s comprehensive “crypto regulation framework” but also aligns deeply with the European Union’s Markets in Crypto-Assets Regulation (MiCA): during the legislative process, the bill underwent about 3-4 review rounds and 45 amendments (including fine-tuning licensing boundaries and penalty standards), ensuring a smooth transition from the “anti-money laundering registration” era to an “全面牌照监管” (comprehensive licensing regulation) track.

For crypto practitioners intending to operate in Poland—such as trading, token issuance, custody, or payment settlement—this means regulatory transparency is imminent—future operations must be licensed; otherwise, penalties or market exit are likely.

Regulatory Scope: All “Crypto Players” Are Within Sight

The scope of regulation in the Act is highly consistent with MiCA. Poland’s legislation does not redefine the regulatory boundaries but fully incorporates the entities and business activities established under MiCA into domestic law. Specifically, the regulated entities include:

1. Crypto asset service providers, covering:

• Operation of crypto asset trading platforms;
• Wallet custody and asset safekeeping services;
• Payment and settlement services;
• Other derivative businesses involving crypto assets.

2. Token issuers: including “asset-backed token issuers” and “electronic money token issuers.”

3. Foreign crypto asset service providers: institutions from other EU member states can provide cross-border services in Poland via the MiCA Article 63 “passport mechanism.”

In summary, if you operate or provide any form of crypto asset services within Poland—regardless of where your company is registered—you must either obtain a license or exit the market.

Licensing vs. Non-Licensing: The Era of “Licensed Only” Operations

The Act enforces a typical licensing regime for crypto asset businesses. Only institutions authorized by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) and holding a Crypto Asset Service Provider license (CASP License) can operate legally.

• Licensed Entities

Can conduct approved activities within Poland or for Polish users. After licensing, entities must continuously comply with obligations such as regular reporting, internal audits, capital adequacy, and risk management.

• Unlicensed Entities

Engaging in crypto services without permission will face hefty fines or criminal penalties. The Act explicitly lists various illegal conduct and penalty standards (see below).

Basic Requirements and Operating Costs for Licensed Entities: Capital, Compliance Framework, and Ongoing Expenses Significantly Increased

This is the core of the entire Act and the most noteworthy part. The regulatory logic is clear: to obtain a license, you need money, systems, and capabilities.

(1) Capital Requirements:

The Act states that CASPs must have “sufficient funds,” which not only sets a minimum registered capital threshold but also encompasses liquidity management, risk reserves, and customer asset segregation to ensure ongoing compliance and solvency amid market fluctuations and risks.

Currently, Poland has not issued specific secondary regulations on minimum registered capital, so MiCA standards remain the primary reference. Below are the minimum registered capital requirements under MiCA for different service types provided by CASPs:

Besides paid-in capital, regulators require CASPs to maintain “continuously sufficient capital,” and if business fluctuations or market losses cause capital shortfalls, timely replenishment is mandatory.

(2) Operating Costs and Compliance Expenses: Continuous Investment in “Compliance”

1. The Act details the cost-sharing and fee structure for regulating the crypto market, explaining how license applicants and CASPs finance the regulatory framework:

• Licensing and evaluation fees: vary by license or evaluation type, up to €4,500;
• Approval of information documents: €3,000; amendments: €1,000;
• Annual license maintenance and supervision fees for CASPs: based on the past three years’ average total income, ranging from €500 to 0.4% of average annual income;
• Annual license maintenance and supervision fees for Token Issuers: ranging from €500 to the product of the total liabilities from issuing asset-backed tokens or electronic money tokens and an interest rate not exceeding 0.5%.

2. In addition to costs related to regulating the crypto market, licensed entities must also spend on:

• Regular financial and compliance audits;
• External legal and technical compliance consulting;
• KYC systems, risk monitoring, and AML platform development.

Focus Areas for Compliance and Risk Management for Licensed Entities

Licensed institutions must implement robust compliance and risk management practices, with multi-layered requirements.

(1) Governance and Compliance Framework: Must “Operate Like a Financial Institution”

The Act requires CASPs to establish comprehensive governance and compliance systems, including:

• Independent compliance, risk control, and internal audit departments;
• Management with professional qualifications and clean records;
• Risk identification, internal controls, and exception reporting systems;
• Confidentiality policies and clear technical standards;
• Strict AML (Anti-Money Laundering) and KYC (Know Your Customer) procedures.

Particularly, Article 22 emphasizes: each institution must develop internal rules detailing technical standards for “professional confidentiality and information protection.” These standards cover not only corporate policies but also system security, data access, encryption, and internal communication protocols.

These technical standards will not be fully detailed in the Act itself but will be issued gradually by KNF through “secondary regulations.” These will standardize reporting content, operational procedures, technical compliance, cybersecurity standards, and regulatory interfaces, ensuring consistency across all institutions. Therefore, licensed entities must pay close attention to KNF’s guidance, rules, and implementation standards to avoid “formal compliance but substantive violations.”

(2) Information Disclosure and Regulatory Reporting

CASPs are required to regularly disclose to KNF:

• Financial status and risk profile;
• Reserves, trading volume, liquidity indicators;
• System operation and security status;
• Compliance controls, governance changes, significant transactions.

Any events that could impact client asset safety or market stability must be reported immediately with response measures. The regulator may also publish enforcement decisions to ensure transparency and market accountability.

(3) Risk Management Systems

Licensed entities must establish comprehensive risk management covering market, operational, and liquidity risks, including:

• Regular stress testing;
• Anomaly detection systems;
• Customer tiering and high-risk account identification.

(4) Investor Protection and Transparency

The Act imposes higher requirements on licensed entities regarding investor protection and information disclosure:

• Full disclosure of crypto asset risks;
• Suitability assessments for retail clients;
• Customer asset segregation and compensation mechanisms;
• Complaint handling and dispute resolution channels.

The goal is to rebuild investor trust and market safety through institutional standards.

(5) AML/CFT (Anti-Money Laundering/Countering Financing of Terrorism)

Aligned with EU standards, CASPs must implement:

• Full KYC verification processes;
• Monitoring and reporting suspicious transactions;
• Enhanced scrutiny of high-risk clients;
• Automated traceability systems.

Violations can lead to fines or license revocation.

(6) Compliance Audits and Reporting

Licensed institutions must:

• Undergo periodic external audits;
• Submit annual compliance and risk reports;
• Report significant governance, ownership, or business structure changes for prior approval by KNF.

Specific templates and deadlines will be detailed in future operational secondary regulations issued by KNF.

Prohibited Conduct and Criminal Liability

Beyond explicit compliance and regulatory requirements, the Polish crypto asset law also strictly limits the conduct of market participants, explicitly listing illegal and non-compliant behaviors to avoid. The law also establishes criminal liability provisions, creating a “high-voltage line” for illegal activities in the crypto sector to ensure market transparency and order.

(1) Prohibited Conduct and Penalties (Including Non-Licensed Entities)

1. Licensed entities

2. Non-licensed entities

(2) Criminal Liability

The law defines key criminal offenses and penalties, including:

Transition Period and Implementation Timeline: Existing Firms Must Migrate Smoothly

To facilitate a smooth transition and avoid operational disruptions, the Act provides a transition period for existing crypto service providers (VASPs). Currently registered under anti-money laundering regulations, VASPs can continue compliant operations until July 1, 2026, but must gradually upgrade to meet the new standards and obtain CASP authorization or comply by the deadline. The following outlines the specific requirements for the transition period, along with the implementation of secondary rules issued by the market regulator.