Key Takeaways
- Bulgaria controls VASPs via the National Revenue Agency and related legislation, such as the Money Laundering Act and Financial Instruments Act. Do your activities (e.g. exchange, custody, transfer or wallet services) require registration or authorisation under the Bulgarian framework?
- Draft full legal and corporate documentation including AML and CTF policies, IT and security controls and a comprehensive business plan consistent with EU rules including MiCA. Organise notarisation, sworn translations and legalisation as needed and create a filing system.
- Comply with financial requirements using adequate paid-in capital, proof of funds and open records. Budget for application fees, supervisor fees and ongoing reporting to Bulgarian authorities.
- Establish strong operational integrity through transparent processes, full KYC and CDD, and independent compliance audits. Appoint an MLRO, have secure IT for digital asset transfers and record incident response and business continuity.
- Verify the fitness and propriety of directors and other key staff. Collect clean criminal record certificates, sanctions screening results, qualifications, and signed declarations.
- Approach the application lifecycle with a realistic timeline and internal stages to avoid disaster. Stay close to banks, keep an eye on NRA guidance and EU developments, and ready yourself for transition to full MiCA compliance.
A VASP licence in Bulgaria requires the registration of virtual asset service providers with the National Revenue Agency under the Measures Against Money Laundering Act. It encompasses crypto-fiat exchange, crypto-crypto exchange operated as a business, and custodial wallet services. To qualify, companies must have a Bulgarian company, fit-and-proper management and transparent ownership information. KYC checks, risk scoring, record keeping and reporting suspicious activity to SANS and the Financial Intelligence Directorate is a remit. Firms appoint an AML officer, implement internal rules, train employees and hold data for five years. Such filings include corporate documents, UBO information, clean criminal records and AML policies. Processing times differ according to the file quality. Fees apply and vary. Our below guide outlines the steps, timescales and how things can go wrong.
Bulgaria VASP Licence Requirements
Bulgarian regulations focus more on registration and robust AML controls than on a traditional cryptocurrency license for most crypto activities. Crypto companies must establish a local entity, notify the authorities, and implement comprehensive AML-CFT controls in accordance with EU standards.
1. Legal Foundations
Core laws: Measures Against Money Laundering Act (MLMA), Measures Against Financing of Terrorism Act, and alignment with EU AML directives and MiCA. (Where a token is a “financial instrument”, the Financial Markets in Financial Instruments Act applies.)
VASP licensing laws are put in place by Parliament and implemented on AML side by the Financial Intelligence Directorate (FID), which is part of SANS. The Financial Supervision Commission (FSC) regulates securities‑type tokens and investment services.
Activities covered by AML registration include exchange between virtual assets and fiat, crypto‑to‑crypto exchange, transfer of virtual assets, custodian wallet services, and ICO/IEO activities that are not securities.
Required documents: incorporation papers for a Bulgarian OOD, constitutional documents, UBO chart, AML policy and KYC/EDD procedures, IT/security policy, internal controls charter, crypto‑authorisation/notification to FID, and key personnel declarations.
2. Financial Standing
Minimum set‑up is light: a Bulgarian OOD with share capital of 2 BGN (about 1 EUR) and a Bulgarian legal address. Authorities require proof of funds for start‑up and 12‑month run‑way, clean bank statements along with accounting policies that permit transaction tracing. Ongoing fees include: court registry and notary costs or FSC fees if your company is engaging in securities, plus ad hoc AML reporting to FID.
Tax profile: crypto services are not subject to VAT. Company profits taxed at 10% on annual earnings.
3. Operational Integrity
To operate effectively, a crypto business must implement risk-based AML/KYC measures, including onboarding policies, sanctions/PEP screening, and transaction monitoring. Additionally, compliance with the cryptocurrency regulations requires internal audits or outsourced compliance audits, a designated AML officer, and ongoing staff training. Secure key storage, segregation of client assets, and encrypted logs are essential for protecting client information. Utilizing chain analytics for monitoring transfers is crucial, as well as capturing complete flows for exchange, custody, and withdrawals, ensuring adherence to the legal framework governing crypto activities.
4. Personnel Checks
Directors, UBOs, the AML officer, and control heads face fit‑and‑proper checks: criminal record certificates, CVs, proof of education and sector skills.
Those under economic sanctions or with fraud, money–laundering or bankruptcy breaches are barred from management.
Provide notarised IDs, clean criminal extracts, conflict‑of‑interest statements and signed integrity declaration to FID.
5. Business Plan
Service scope, Client profiles, jurisdictions served and growth path across Bulgaria and the EU with timelines and budgets
Cover risk mapping, AML controls, complaints handling, IT security, outsourcing oversight and business continuity metrics.
Plus 3-year financials, client number forecasts and key ratios Bear in mind, company registration can finalise in under a week! MiCA impact, FSC triggers on security tokens and escalation steps Non-compliance with AML can incur penalties from 1,000 BGN, up to 10,000,000 BGN.
The Bulgarian Regulator
VASP registration in Bulgaria falls under the Law on the Measures Against Money Laundering (AML/CFT Act). The NRA is the leading enforcement, supervisory and penalties authority. Investment and insurance markets fall under the remit of the Financial Supervision Commission (FSC), which will become more prominent once the EU Markets in Crypto‑Assets (MiCA) framework comes in. Suspicious transaction reports (STRs) and associated AML intelligence are received by the Financial Intelligence Directorate at the State Agency for National Security (SANS). By 5 June 2024, the public VASP register recorded 305 licensed companies.
While the regime is AML-focused and lighter on day-to-day operations and reporting. Bulgaria has yet to adopt MiCA rules and the current approach will likely continue until at least the end of 2025. A grace period for existing VASPs is anticipated, similarly to other EU countries.
NRA’s Role
The NRA acts as the licensing gatekeeper for crypto businesses: it registers VASPs, checks the fitness and propriety of directors and key staff, and records ultimate beneficial owners. Additionally, it reviews AML/CFT materials to ensure compliance with Bulgarian and EU legislation, especially concerning cryptocurrency activities and customer due diligence (CDD), risk scoring, transaction monitoring, internal controls, and sanctions screening. To maintain compliance, the NRA utilizes audits (both desk and on-site), information requests, and thematic reviews. In cases of breaches, the NRA can impose administrative fines, issue corrective orders, suspend activities, or strike a company from the register. Serious violations may be referred to prosecutors or SANS. The NRA collaborates with SANS on intelligence, the FSC, and the Bulgarian National Bank on perimeter issues (e.g., e-money or payment services), and with EU institutions and peer regulators in preparation for MiCA. Companies with non-resident owners or directors should appoint a local person in Bulgaria to ensure effective service of notices and day-to-day liaison.
Reporting Duties
Virtual asset service providers (VASPs) are required to submit suspicious activity reports (STRs) and other reports to SANS without delay. They must maintain thorough customer due diligence records and report any cash and virtual asset transactions exceeding EUR 1,000 through enhanced checks. Additionally, VASPs need to keep internal blacklists for high-risk relationships and provide updates to the National Revenue Agency (NRA) regarding changes in shareholding, directors, and business models. Compliance with these regulations is crucial for any cryptocurrency business operating in the Bulgarian crypto framework.
Regulatory filings for crypto companies are typically annual or event-driven, aligned with the NRA’s requirements. These returns are submitted in Bulgarian via the NRA e-portal or the national Secure Electronic Delivery system, utilizing a qualified e-signature. Some submissions may involve structured templates and supporting PDFs. Proper adherence to these legal obligations is essential, as late or non-reporting can lead to fines or even suspension from the register of licensed crypto entities.
Navigating The Application
VASP licensing in Bulgaria for cryptocurrency companies follows a defined path: form the legal entity, build core controls, file a complete pack, respond to queries, then receive crypto authorization.
Document Checklist
A full file cuts down on follow-up rounds and accelerates review for crypto businesses. Most applicants employ an OOD, hold minimal capital in a Bulgarian corporate bank account, and prepare controls compliant with the Bulgarian ML (AML Law).
- Corporate: OOD incorporation act, Articles, UBO declaration, up‑to‑date company extract, shareholder and director registers, specimen signatures, board resolutions approving crypto activities.
- Identification: notarised passports/IDs of directors, UBOs, and key AML staff. CVs demonstrating fit-and-proper experience. As well as clean criminal records where necessary.
- Governance: AML/CFT policy, KYC procedures, sanctions screening, PEP checks, transaction monitoring rules, enhanced due diligence for transactions ≥ BGN 30,000 (~€15,000), record‑keeping, STR/CTR workflows, internal audit plan.
- Operations: business plan with services in scope (e.g., exchange, custody), target users, geography, revenue model, liquidity and wallet architecture, outsourcing register, IT and cybersecurity controls, incident response, continuity plan, staffing model.
- Financial: evidence of capital paid into a Bulgarian bank, opening letter from the bank, forecast P&L and cash flow, risk assessment, insurance (if used).
- Legal: terms of service, privacy notice, complaint handling, onboarding disclosures, risk warnings.
- Documents issued abroad: notarise, apostille/legalise as required, and translate into Bulgarian by a sworn translator.
- File control: keep a dated index, version control, and a secure repository with permissions. So we’ve got mirror copies to quickly resubmit.
Process Timeline
Stage 1—Entity and infrastructure (2–4 weeks): register the OOD, select directors/MLRO, and open the Bulgarian bank account for capital; directors and shareholders typically need not travel. Additionally, set up the exchange/custody stack and policies to comply with the crypto license requirements. Stage 2—Application build (3–6 weeks): tailor AML/KYC to the AML Law, map services to the license scope, and confirm whether other authorizations are needed. This includes a cost analysis, as fees vary by services and the complexity of the crypto business. Assemble translations and legalizations. Stage 3—Submission and formal check (1–2 weeks): the authority confirms completeness. Stage 4—Substantive review (6–12 weeks): queries on governance, IT, outsourcing, liquidity, and due diligence thresholds; provide clarifications within set deadlines. Stage 5—Decision and registration (1–3 weeks): authorization is issued or conditions are imposed; publish updates and activate production.
Common Pitfalls
Failed packs, obscure AML guidelines, or capital proof absent from a Bulgarian bank account block review.
- Misaligned services vs licence scope, or missed ancillary authorisations
- Standard AML manuals not related to BGN 30.000 EDD
- Thin MLRO experience or unclear reporting lines
- Weak wallet security, key management, or vendor oversight
- Unclear source‑of‑funds controls and sanctions screening gaps
- Translations without sworn translators; absent apostilles/legalisation
- No audit trail, version control or response plan for regulator queries
Treat authorisation as the start: keep policies live, train staff, run audits, and monitor regulatory updates to avoid post‑licence issues.
Bulgaria Within The EU
Bulgaria provides EU access with low cost and transparent rules, making it an appealing destination for crypto businesses. Its 10% corporate and personal tax – and 5% dividend tax – attract lean crypto teams. Registration for Virtual Asset Service Providers (VASPs) is with the National Revenue Agency, and the public VASP register lists 305 authorised cryptocurrency companies as of June 2024. Location in south-east Europe serves as a practical base for regional growth.
MiCA’s Influence
MiCA will replace the existing national patchwork with a single EU licence for crypto businesses and crypto-asset service providers. Bulgaria has yet to adopt MiCA rules, but a transitional period for existing VASPs is anticipated, so firms registering today should prepare for future conversion to a MiCA authorisation. This shift is significant for market access: currently, Bulgarian VASP registration is AML-focused and does not grant formal passporting; firms can serve EU users on a limited basis if they avoid aggressive marketing or direct offers, often framed as reverse solicitation. Under MiCA, a Bulgarian licence should allow full passporting throughout the EEA, enabling direct client onboarding and marketing from a single EU hub, akin to practices in France (AMF), Germany (BaFin), and Spain (Banco de España). Transition steps likely include: gap analysis against MiCA’s governance, own-funds, custody, conflict-of-interest, market abuse, and disclosure standards; policy uplifts for outsourcing, ICT risk, incident reporting, and complaint handling; board and fit-and-proper checks; audited financials and capital planning; and consumer disclosures, especially for stablecoins and token listings. Entrepreneurs should factor in practical points: incorporating a Bulgarian entity still requires a personal visit, which affects timing; group structures may compare Bulgaria with Lithuania or Estonia on setup speed, while weighing Bulgaria’s tax rates and operating costs. Get ahead by drafting MiCA-ready AML/CFT, custody controls, and marketing rules, mapping cross-border flows, and preparing supervisory engagement to facilitate the licence swap once the national MiCA law is enacted.
AMLD5 Compliance
AMLD5 has been successfully transposed into Bulgarian law, forming the backbone of the current crypto business regime for virtual asset service providers (VASPs). Key responsibilities include business registration with the National Revenue Agency and conducting customer due diligence (KYC) based on risk tiers. Enhanced due diligence is crucial for higher-risk cases, such as cross-border clients or high-value transfers, requiring stronger verification and source-of-funds checks. The adoption of the Travel Rule and robust screening capabilities will gradually become a reality, ensuring compliance with EU AML/CFT standards. A public VASP register will enhance transparency and support the regulatory framework for cryptocurrency activities in Bulgaria.
Keep AML programmes live: run periodic risk assessments, refresh policies with EU guidance, test controls, and train staff at least yearly. Strong AML now reduces friction when upgrading to MiCA and when serving EEA users within current marketing limits.
The Unwritten Rules
Beyond the formal crypto license and filings, outcomes hinge on trust, access, and fit with local practice. The Bulgarian crypto framework is popular and not overly strict, but norms shape how banks, partners, and officials judge risk and intent.
Banking Relationships
Stable banking is the linchpin for a virtual asset service provider (VASP) in Bulgaria. Opening accounts can be laborious as some banks still view crypto business as high risk (there are no crypto-specific laws, and licensed firms can only provide exchange and wallet services). To reduce friction, show substance early: a Bulgarian limited liability company, a legal address, minimum share capital of 2 BGN, and clear AML–KYC policies aligned with AML–CFT rules that stem from EU directives. Map your customer journey, set risk scores, list sources of funds checks, and name your MLRO. Refer to the FID at SANS as your supervisory touchpoint and retain evidence of previous filings and STR/CTR raison d’être. Disclose board minutes on risk, vendor due diligence on your wallet and blockchain analytics tools, and staff training results. Provide sample reports for the bank’s compliance team to consider. Think site visits, tougher KYC on founders, and evidence of operational controls. Keep a standing update channel with your bank: notify them before any product change, new coin listing, or cross-border corridor. Submit quarterly compliance summaries, and respond to follow-up inquiries quickly. That blend – substance, evidence, and clear lines – establishes the trustworthiness banks require to sanction and support accounts in the cryptocurrency business.
Local Nuances
Culture and language count in the crypto business landscape. Short, unambiguous Bulgarian notes help. Use simple timelines, not hype. Meetings begin formal, and hierarchies along with time-keeping matter. Reputation travels fast in a small market, so under-promise and over-deliver to maintain your standing in the Bulgarian crypto framework.
Regional habits vary across the country. Sofia teams are used to speed, while in Plovdiv and Varna, outreach takes longer, and face-to-face talks are more effective. It’s wise to pick vendors that already serve regulated fintechs in those cities, especially those familiar with the crypto license requirements.
Management is blunt and paper-laden. The good news: once documents are ready, registration often takes less than a week. The challenge: guidance can be informal, and expectations shift. Some argue this absence of codification makes duties difficult to read, so stick close to existing Bulgarian law and FID notices. Maintain constructive engagement with regulators – good relationships can determine results.
Attend crypto meet-ups, fintech forums, EU AML briefings in Sofia. These rooms have unwritten rules before it hits a memo.
How We Can Assist
Support for crypto authorization in Bulgaria requires clear steps, robust AML-CFT controls, and compliance with the Bulgarian crypto framework. We provide hands-on support for crypto businesses from set-up to day-to-day operations at every stage.
Offer end-to-end support for company formation, VASP licence application, and regulatory compliance in Bulgaria
We establish your Bulgarian firm (EOOD or AD), prepare articles, register with the Commercial Register, and obtain tax and VAT registrations as required. When documents are ready, registration can be completed in under a week. We draft the crypto authorization file under the AML/CFT Act in accordance with the EU AML rules. This includes internal AML policies, an MLRO mandate, risk scoring, onboarding flows, and reporting lines. We scope your intended services—be they crypto businesses and fiat exchange, crypto-to-crypto, or custodian wallet services—to ensure compliance with AML and countering the financing of terrorism (CFT) rules. We construct the customer due diligence system, which encompasses KYC, PEP and sanctions checks, EDD for high-risk users, and transaction monitoring. We report incidents & suspicious activity to the Financial Intelligence Unit and create records for audits.
Provide tailored legal and business solutions for crypto entrepreneurs and foreign investors entering the Bulgarian market
We map the legal path for overseas founders from DIR and UBOs to service agreements and language support, particularly in the context of a crypto business. We explain tax points in plain terms: Bulgaria’s corporate tax rate is 10%, which is low in the EU, making it attractive for cryptocurrency companies. We structure deals (e.g., a Bulgarian opco with an EU EMI partner), write consumer terms, and examine IP and data regulations while helping you plan staff training and outsourcing compliance tasks.
Ensure full compliance setup with Bulgarian and EU cryptocurrency regulation laws, including MiCA and AMLD5
We align your controls with AMLD5, the AML/CFT Act, and relevant EU rules, while explaining how MiCA affects cryptocurrency activities such as token issuance, exchange, and custody. Our team assesses if your assets are likely to be e-money tokens, asset-referenced tokens, or other MiCA-linked instruments, planning whitepaper disclosures and governance where applicable. We design record-keeping (at least five years), risk assessments by product and geography, and travel-rule-aligned data collection to support your crypto business. Additionally, we map local expectations to EU standards to reduce gaps at audits.
Deliver ongoing compliance consulting, audit preparation, and assistance with banking relationships for Bulgarian crypto companies
We perform scope checks prior to inspection/monitoring alerts and SAR logs related to cryptocurrency activities. We prepare annual AML reports, KPIs, and training plans to ensure compliance with the regulatory framework. For banking, we prepare onboarding packs: source of funds evidence, programme summaries, and key registers. Establishing relationships with Bulgarian banks and EU EMIs helps maintain accounts for crypto businesses, while we keep track of MiCA timelines and emerging AML guidance to ensure your policies are up to date.
Conclusion
Bulgaria provides solid base for VASP work. Rules remain strong, but just. The gate remains open for firms who plan ahead, have clean books, and demonstrate who runs the show. It’s no shortcut, but it’s no labyrinth either.
Establish a micro-exchange for cross border trade?” “Scan documents, demonstrate AML action and keep staff focused.” Open a wallet app for retailers? Map cash flows, log checks and keep sharp KYC Want EU reach without the faff? A clean build in Bulgaria will allow you to scale in line with EU guidelines.
Got a plan and require an unbroken road to a green light? Get in touch for a chat. Share scope, get clear next steps and move with pace.
Frequently Asked Questions
What is a VASP licence in Bulgaria?
In Bulgaria, cryptocurrency businesses operate as VASPs registered under the Anti-Money Laundering Act, not licensed. They must re-register with the National Revenue Agency (NRA) and adhere to AML/CFT obligations, appointing an AML officer while maintaining robust KYC and compliance controls.
Who is the Bulgarian regulator for VASPs?
The VASP register, managed by the National Revenue Agency (NRA), oversees AML compliance for cryptocurrency businesses. Depending on your actions, other authorities may also be involved. Under future EU MiCA rules, additional crypto authorization will include the financial regulator once implemented nationally.
What are the key requirements to register as a VASP?
To establish a cryptocurrency business in Bulgaria, you need a Bulgarian company, fit-and-proper managers and owners, clean criminal records, an appointed AML officer, and AML/KYC policies, along with risk assessment and customer due diligence procedures.
How long does the Bulgarian VASP registration take?
Timelines differ with file quality in the context of a cryptocurrency business. A well-prepared application for a crypto license can be processed in a few weeks, while delays may occur if paperwork needs amending or the agency requests clarification.
How does MiCA affect VASPs in Bulgaria?
MiCA introduces an EU-wide regime for cryptocurrency companies, requiring Bulgaria to align its national rules with MiCA. Current registered crypto businesses may need to transition to crypto license authorization on specified EU timelines, so planning ahead is crucial to avoid rework later on.
What are the “unwritten rules” to know before applying?
Ensure your cryptocurrency business holds full, Bulgarian-language policy documents and maintains a transparent ownership structure, along with a documented source of funds. It’s crucial that your AML officer is experienced and available, especially when dealing with financial authorities. Make certain you maintain records for inspection and ensure consistency across all filings to avoid delays.
How can expert advisers help with the application?
Advisers simplify incorporation for cryptocurrency businesses, draft compliant AML/KYC frameworks, prepare fit-and-proper files, and handle submissions and regulator queries. This mitigates errors, reduces lead times, and sets you up for MiCA transition with minimal friction.
Daniel Malbašić is a business expert with extensive experience in the field of business consulting, organization and business optimization. His expertise includes market analysis, strategic planning, and implementation of effective business solutions. Daniel is dedicated to helping companies grow and improve their operations, providing them with comprehensive support in making key business decisions.
