On September 26, 2025, the Polish lower house (Sejm) passed the draft Crypto-Assets Market Act (the "Bill") by 230 votes to 196. Although the bill still needs to be reviewed by the Senate, signed by the President and take effect 14 days after promulgation (except Article 70: Internet domain name blocking, registration list and access restrictions will not take effect until 4 months after the promulgation of the bill), this legislative milestone also marks the country's crypto regulatory system entering a new stage.

This bill is not only Poland's "overall outline for crypto regulation," but also a unified framework deeply aligned with the EU's MiCA: during the legislative process, the bill underwent about 3-4 rounds of review and 45 amendments (including fine-tuning of licensing boundaries and penalty standards), ensuring a smooth transition from the loose era of "anti-money laundering registration" to the orderly track of "comprehensive licensing supervision."

For crypto practitioners who intend to engage in crypto trading, token issuance, custody or payment settlement in Poland, this means that regulatory sunshine will soon shine - future operations must be carried out with a license, otherwise they will not be able to escape fines or be delisted.

Regulatory objects and scope: All "crypto players" are included in the field of vision

The regulatory objects defined in the bill are highly consistent with MiCA. Poland's legislation does not redefine regulatory boundaries, but rather fully incorporates the regulatory objects and business scope established in MiCA into domestic law. Specific regulatory objects include:

1. Crypto asset service providers, whose business scope covers the following areas:

• Operation of crypto asset trading platforms;
• Wallet custody and asset custody services;
• Payment and settlement related services;
• Other derivative businesses involving crypto assets.

2. Token issuers: including “asset-anchored token issuers” and “electronic currency token issuers”.

3. Foreign crypto-asset service providers: Institutions from other EU member states can provide cross-border services in Poland through the “passport mechanism” of MiCA Article 63.

In summary, as long as you operate or provide any form of crypto asset services within Poland, no matter where your company is registered, you must either obtain a license or withdraw.

Licensed or unlicensed: Regulation enters an era of "licensed only"

The bill implements a typical licensing system for crypto-asset businesses. Only institutions authorized by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) and holding a Crypto-Asset Service Provider License (CASP License) can legally operate.

• Licensed entity

Licensed institutions can conduct approved business in Poland or with Polish users. After obtaining a license, institutions must continue to fulfill compliance obligations (including regular reporting, internal audits, capital adequacy, risk control, etc.).

• Non-licensed entities

Providing encryption services without a license will result in significant fines or criminal penalties. The bill clearly outlines a number of violations and penalties (see below).

Basic requirements and operating costs for licensed entities: capital, compliance framework, and ongoing costs are comprehensively improved

This is the core of the bill and the area that deserves the most attention. The regulatory logic is clear: to obtain a license, you must have money, systems, and capabilities.

(1) Capital requirements:

The bill states that CASPs must have "sufficient funds." This not only sets a minimum threshold requirement for the registered capital of licensed entities, but also includes comprehensive capital strength considerations including liquidity management, risk reserve allocation, and customer asset isolation and protection, to ensure compliance and solvency during market fluctuations and risk events.

Poland has not yet issued secondary regulations on minimum registered capital, so the MiCA standards remain the primary reference. The following are the minimum registered capital requirements in MiCA based on the different types of services provided by CASPs:

In addition to the paid-in capital, regulators require CASPs to maintain "continuously adequate capital." If there is a shortage of funds due to business fluctuations, market losses, etc., they must replenish them in a timely manner.

(II) Regulatory costs and compliance expenses: Operational compliance means continuous investment

1. The bill sets out the cost sharing and fee structure for regulating the cryptoasset market, and explains how token issuers and CASPs finance the regulatory framework:

• Permit and assessment fees: Fees vary depending on the type of permit or assessment, but are capped at €4,500;
• Approval of information documents: Approval document: €3,000; Modification document: €1,000;
• Annual license maintenance and regulatory fees for CASPs: Based on the average gross revenue of the past three years, the annual fee ranges from €500 to 0.4% of the average annual revenue.
• Annual license maintenance and regulatory fees for Token Issuers: The fee range is €500 - the product of the arithmetic average of the total financial liabilities arising from the issuance of asset-linked tokens or electronic money tokens and an interest rate not exceeding 0.5%.

2. In addition to the costs of regulating the cryptoasset market, licensed entities will also incur the following expenses during their operations:

• Regular financial and compliance audit expenses;
• external legal counsel and technical compliance costs;
• Costs of building KYC systems, risk monitoring and AML technology platforms.

Key compliance and risk management areas that licensed entities should focus on

Licensed institutions still need to ensure compliance and risk management during their operations. To this end, the bill puts forward multi-level risk control and compliance requirements.

(1) Governance and compliance structures: must operate “like a financial institution”

The Act requires CASPs to establish a comprehensive governance and compliance system, including:

• Establish independent compliance, risk control and internal audit departments;
• The management team must have professional qualifications and no bad records;
• Establish risk identification, internal control, and exception reporting systems;
• Establish a professional confidentiality system and clarify technical standards;
• Strictly enforce Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements.

In particular, Article 22 emphasizes that each organization must develop internal regulations detailing the technical standards for "professional confidentiality and information protection." These standards extend beyond the company level and encompass technical details such as system security, data access, information encryption, and internal communication mechanisms.

The specific details of these technical standards will not be fully incorporated into the bill itself; instead, they will be gradually promulgated and implemented by the KNF through "secondary regulations." These secondary regulations will standardize reporting content, operational details, technical compliance standards, cybersecurity standards, and regulatory interfaces, ensuring consistent implementation across all institutions. This means that licensed institutions must not only closely monitor the bill's provisions but also closely follow the supporting guidelines, detailed rules, and implementation standards issued by the KNF. Failure to do so risks "formal compliance but substantive non-compliance."

(2) Information disclosure and regulatory reporting obligations

CASPs must regularly disclose the following to the KNF:

• financial condition and risk structure;
• Reserves, trading volume, and liquidity indicators;
• System operation and security status;
• Compliance controls, governance changes, major transactions, etc.

Any incident that could affect the security of customer assets or market stability must be reported promptly, along with a description of the response measures. Regulators can also make penalty decisions public to ensure transparency and market accountability.

(3) Risk management system

Licensed entities must establish a full-process system covering market risk, operational risk, and liquidity risk. Requirements include:

• Conduct regular stress testing;
• Establish an abnormal transaction monitoring system;
• Implement customer stratification and high-risk account identification mechanisms.

(IV) Investor Protection and Information Transparency

In terms of investor protection and information disclosure, the Act imposes higher requirements on licensed entities:

• Full disclosure of crypto asset risks;
• Conduct suitability assessments on retail clients;
• Establish a customer asset isolation and compensation mechanism;
• Establish complaint handling and dispute mediation channels.

Regulators hope to rebuild investor trust and market security through institutional building.

(V) Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT)

In line with EU standards, CASPs must implement:

• Full-process KYC certification;
• Suspicious transaction monitoring and reporting;
• Enhanced scrutiny of high-risk customers;
• System automated traceability mechanism.

Violations may result in not only fines but also license revocation.

(VI) Compliance audit and reporting mechanism

Licensed institutions must:

• Regularly undergo external independent audits;
• Submit compliance and risk reports annually;
• Major changes in governance, equity, and business structure must be reported to the KNF for approval in advance.

The specific unified template and time limit requirements will be stipulated in the operational secondary rules issued by KNF in the future.

Prohibited Conduct and Criminal Liability

In addition to clarifying compliance requirements and the regulatory framework, the Polish Cryptoasset Act also strictly defines the boundaries of behavior for industry players, explicitly listing illegal and irregular behaviors that should be avoided in market operations. Furthermore, the Act establishes criminal liability provisions, placing a "high-voltage line" on illegal and irregular behaviors in the cryptoasset sector and implementing severe penalties to ensure market transparency and order.

(1) Prohibited Conduct and Penalties (including for non-licensed entities)

1. Licensed entity

2. Non-licensed entities

(2) Criminal liability

The following are the main criminal offences and penalties defined in the Act:

Transition period and implementation time: Existing enterprises need to "migrate" smoothly

To facilitate a smooth market transition and avoid operational disruptions, the bill establishes a transition period for existing VASPs. VASPs currently registered under anti-money laundering regulations may continue to operate under existing rules until July 1, 2026, but must gradually upgrade to the new standards until they obtain CASP authorization or meet the expiration date. The following are the specific requirements for this transition period. Market participants should also pay attention to the implementation of the secondary rules supporting the bill.