Compliance, 19 June 2026

Poland Crypto Licence: How to Register as a VASP in Poland

Overview of Poland's Crypto Licensing Framework

Poland has developed into one of the more popular EU destinations for crypto firms seeking a European regulatory foothold. The country's approach to virtual asset regulation is pragmatic and comparatively accessible, without the stringent substance requirements that characterise Estonia's post-2022 regime or the higher capital thresholds seen in the Baltic states. However, the accessibility of the registration process should not be confused with leniency on compliance: Poland's AML and operational requirements are substantive, actively supervised, and carry serious penalties for breach.

The Polish framework for virtual currency business is built on the country's implementation of the EU's AML Directives. The relevant statute is the Polish Anti-Money Laundering and Counter-Terrorist Financing Act (ustawa AML, formally: ustawa z dnia 1 marca 2018 r. o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu). This Act identifies "virtual currency activity" (działalność w zakresie walut wirtualnych) as a regulated category requiring registration, and defines the obligations that apply to firms engaged in that activity.

The regulator responsible for overseeing virtual currency businesses in Poland is the GIIF: Generalny Inspektor Informacji Finansowej, which translates as the General Inspector of Financial Information. The GIIF operates within the Ministry of Finance and is responsible for both the registration of virtual currency businesses and the supervision of their AML compliance. It also receives and analyses Suspicious Transaction Reports (STRs) from obliged entities, including licensed crypto firms.

The register through which authorisation is formalised is known as the DKWN: Rejestr działalności w zakresie walut wirtualnych, or Register of Virtual Currency Activity. Entry onto the DKWN is a legal prerequisite for conducting virtual currency business in Poland. Operating without DKWN registration is a criminal offence, not merely a regulatory infraction.

Poland's framework has been particularly attractive to Web3 firms for several reasons: it has no minimum capital requirement in statute, registration processing times are among the fastest in the EU, and Poland's central location within Europe, large skilled workforce, and well-developed financial infrastructure make it a practical base for EU operations. None of this, however, reduces the obligation to maintain a genuine, operational AML programme once registered.

Who Must Register

The Polish AML Act defines virtual currency activity broadly, and the registration obligation covers a wide range of business models commonly found in the Web3 sector. Any entity based in Poland, or any entity incorporated in another jurisdiction but servicing Polish clients, must assess carefully whether its activities fall within the scope of the registration requirement.

Activities that require DKWN registration include:

  • Exchange of virtual currencies for fiat currencies: any service that allows customers to buy or sell crypto assets in exchange for traditional currencies, including EUR, PLN, USD, or any other fiat denomination.
  • Exchange of virtual currencies for other virtual currencies: crypto-to-crypto exchange services, including token swaps, automated market-maker platforms, and decentralised exchange front-ends where the operator controls the interface or holds customer funds.
  • Transfer services for virtual currencies: any service that moves virtual assets on behalf of customers, including custodial wallet services that execute transfers at customer instruction.
  • Virtual currency custody services: the safeguarding or administration of virtual assets on behalf of customers, including custodial wallet provision and key management services.
  • Operation of a virtual currency exchange platform: operating a marketplace or trading venue for virtual currencies, whether centralised or hybrid in architecture.

It is worth noting that purely non-custodial services, where the operator never holds customer assets or controls private keys, occupy a grey area under the current framework. However, the GIIF has taken a broad view of what constitutes "virtual currency activity," and firms with non-custodial models should seek specific legal advice on whether their service falls within scope before concluding that registration is unnecessary.

Capital and Substance Requirements

One of Poland's most distinctive features compared with other EU licensing regimes is the absence of a statutory minimum capital requirement. The Polish AML Act does not specify a minimum paid-up share capital as a condition for DKWN registration. This contrasts sharply with Estonia's €100,000 requirement and Lithuania's €125,000 requirement, and it has been a significant driver of Poland's attractiveness to early-stage and capital-constrained Web3 firms.

However, the absence of a formal capital threshold does not mean that capital is irrelevant. The GIIF reviews the financial sustainability of applicants as part of the registration process. A company that is incorporated with the statutory minimum Polish share capital of PLN 5,000 (approximately €1,200) for a limited liability company (Sp. z o.o.) and presents no evidence of adequate funding may face scrutiny over its operational viability. A credible business plan that demonstrates how the business will sustain its operations, meet its compliance obligations, and safeguard customer assets is a practical necessity even without a formal capital floor.

The substance requirements are also less prescriptive than in Estonia. Poland requires that the company be registered in the Polish National Court Register (KRS) and maintain a Polish business address. There is no statutory requirement for a physical office with employees, nor a requirement for a Polish-resident board member. In practice, however, firms that intend to conduct genuine business in Poland rather than use Poland purely as a licensing jurisdiction will need to establish some degree of operational presence.

The practical implication is that Poland can be an efficient and cost-effective licensing base for firms that have their operational substance elsewhere in the EU, provided they maintain genuine compliance operations and are not simply using the Polish registration as a front for business conducted entirely outside Poland. The GIIF has become progressively more attentive to substance issues as crypto regulatory standards across the EU have risen.

Fit and Proper Requirements

The GIIF applies fit and proper requirements to the management of entities seeking DKWN registration. While less extensive in formal scope than the FIU's assessment in Estonia or the Bank of Lithuania's review of senior managers, these requirements are material and must be addressed properly in the application.

The core fit and proper requirements under the Polish AML Act are as follows:

  • No criminal convictions for specified offences: Management board members and the designated AML compliance officer must not have been convicted of financial crimes, fraud, money laundering, terrorist financing, or other specified criminal offences. A criminal record certificate from the relevant Polish and foreign authorities is required for each individual.
  • No involvement in previous AML violations: Individuals who have been subject to administrative sanctions for AML violations in Poland or other EU member states may be disqualified from holding management roles in a registered virtual currency business.
  • Professional competence: The designated AML compliance officer must have relevant knowledge and experience in AML compliance. The GIIF assesses the adequacy of the individual's qualifications relative to the complexity and risk profile of the business.

Declarations of fit and proper status must be submitted for all board members and for the designated AML compliance officer as part of the DKWN application. These declarations are not merely self-certifications; they are legal statements, and providing false information in a DKWN application is a criminal offence.

AML and KYC Operational Requirements

The AML obligations of a DKWN-registered firm are among the most substantive aspects of Polish crypto regulation, and they are continuously operative once the registration is obtained. The GIIF supervises compliance with these obligations through inspections, information requests, and analysis of STR data, and it has the authority to impose significant penalties for non-compliance.

Internal AML Procedures

Every registered firm must have documented internal AML procedures that reflect the specific risks of its business. These procedures must cover: the firm's AML risk assessment methodology; customer acceptance criteria; CDD and EDD procedures; transaction monitoring processes; STR identification, investigation, and reporting procedures; record-keeping obligations; and staff training requirements. The procedures must be reviewed and updated at least annually and whenever there is a material change in the business or in the applicable regulatory framework.

Designated AML Compliance Officer

A designated AML compliance officer (AMLCO) must be appointed before the DKWN registration takes effect and must be operationally responsible for the AML programme throughout the period of registration. In smaller firms, the AMLCO may be a member of senior management. In larger firms, it is typically a dedicated role. The AMLCO must have sufficient seniority and access to information within the firm to fulfil the role effectively; an AMLCO who is not empowered to make decisions or escalate concerns is not compliant with the requirement.

Customer Due Diligence

Standard CDD is required for all customers and must be completed before the business relationship commences. CDD includes: identification and verification of the customer's identity using reliable, independent documentation; for legal entity customers, identification and verification of the beneficial owner (persons holding more than 25% of shares or exercising effective control); understanding the purpose and intended nature of the business relationship; and assessment of the customer's risk profile.

Enhanced due diligence (EDD) is mandatory for high-risk customers. Under the Polish AML Act, high-risk situations include: dealings with politically exposed persons (PEPs); transactions involving customers from high-risk third countries designated by the European Commission; complex or unusual transactions that have no apparent economic or lawful purpose; and situations where the customer's source of funds or wealth cannot be satisfactorily established through standard CDD. EDD involves more intensive verification, additional documentation, and senior management approval for the business relationship. For a comprehensive breakdown of what KYC and AML operational controls look like in a well-structured crypto compliance programme, see our dedicated guide.

Transaction Monitoring

Ongoing transaction monitoring is a core obligation. The monitoring programme must be capable of detecting transactions that are inconsistent with the customer's known profile, unusual in size or complexity, connected to high-risk jurisdictions, or otherwise indicative of potential money laundering or terrorist financing. Monitoring must be systematic, not ad hoc; firms with high transaction volumes require automated transaction monitoring tooling. The monitoring rules and thresholds must be documented, reviewed regularly, and adjusted as the firm's risk profile evolves.

Suspicious Transaction Reporting

Where a transaction monitoring alert or other information gives rise to a suspicion of money laundering or terrorist financing, the firm must conduct an internal investigation. Where the suspicion is not discharged, an STR must be submitted to the GIIF. Reporting is not discretionary; there is a legal duty to report, and tipping off the customer about an STR is prohibited. Firms must maintain records of all STR submissions and the investigations leading to them, in a format that is accessible during GIIF inspections.

Record Keeping

All CDD documentation, transaction records, and AML-related files must be retained for a minimum of five years from the end of the business relationship or the completion of the transaction. Records must be stored securely, with appropriate access controls to prevent unauthorised modification or deletion, and must be producible on request by the GIIF or law enforcement authorities.

Staff Training

All staff who handle customer relationships, process transactions, or have access to AML-relevant information must receive AML training. Training must cover the firm's specific AML risks, current money laundering typologies relevant to virtual currency businesses, the firm's internal procedures, and the legal reporting obligations. Training must be documented, with records of completion and assessment. New staff must be trained before they begin customer-facing or transaction-processing work.

Security and IT Requirements

Poland's AML Act is less prescriptive on cybersecurity than some other EU frameworks. There is no equivalent to the detailed IT security guidance that the FIU has issued in Estonia, nor the operational resilience standards that the Bank of Lithuania applies to payment institutions. However, this does not mean that security is an optional consideration for DKWN-registered firms.

The GIIF's assessment of an AML programme includes implicit review of whether the firm has adequate controls to protect client assets and data from compromise. A firm whose systems are poorly secured is a firm whose AML controls are undermined, because a compromised system may be used to launder funds through the firm without the firm's knowledge or ability to detect it. The GIIF understands this connection, and applications that present an AML programme without adequate supporting security infrastructure raise concerns about the credibility of the compliance programme.

Client Asset Protection

Firms that hold virtual assets on behalf of clients must have adequate custody arrangements. This means hardware security module (HSM) infrastructure or equivalent hardware-backed key management for private keys, segregation of client assets from the firm's own assets, multi-signature or multi-party computation (MPC) approval processes for asset movements, and documented recovery procedures for situations where custody systems fail or are compromised. The adequacy of custody arrangements is relevant both to client protection and to the integrity of the AML programme.

Information Security Policies

Registered firms should maintain documented information security policies covering: access control and privileged access management; data protection and encryption standards; system hardening and patch management; vulnerability management and penetration testing; and supplier and third-party security. These policies serve the dual purpose of protecting the business and demonstrating to the GIIF that the firm has the operational controls necessary to run a trustworthy virtual currency service.

Incident Response

A documented incident response plan is a practical necessity. Security incidents that affect client assets, client data, or the integrity of the AML programme may trigger notification obligations to the GIIF and to the data protection authority (UODO). The incident response plan must define what constitutes a reportable incident, the escalation path within the firm, notification timelines, containment and recovery steps, and post-incident review procedures. For Polish firms operating under the EU's Digital Operational Resilience Act, additional ICT-related incident reporting obligations will apply. Our guide on DORA compliance covers these requirements in detail.

Security4Web3 works with DKWN applicants and existing registrants to build the security programmes that support genuine compliance. This includes security architecture assessments, custody security reviews, policy drafting, penetration testing, and preparation for DORA compliance. The broader point is that an AML programme built on insecure infrastructure is not a credible AML programme, and the GIIF's focus on the substance of the compliance programme means that security and AML are inseparable.

Application Process

The DKWN application is submitted online through the GIIF's dedicated portal. All applications must be submitted in Polish, and all supporting documents must be in Polish or accompanied by certified translations. The company must be registered in the KRS before the application can be submitted. The GIIF does not charge an application fee, which makes Poland unusual among EU crypto licensing jurisdictions, though professional preparation costs are significant for any applicant taking the process seriously.

Required Documentation

  • Company registration documents: extract from the KRS confirming the company's registration, business activities, share structure, and management board composition.
  • AML programme: the firm's complete internal AML procedures, covering all elements required by the AML Act, including the business-wide risk assessment, CDD and EDD procedures, transaction monitoring methodology, STR procedures, record-keeping procedures, and training plan.
  • Fit and proper declarations: signed declarations from all members of the management board and the designated AMLCO, confirming the absence of criminal convictions for specified offences and compliance with the fit and proper requirements of the AML Act.
  • Criminal record certificates: official certificates from Polish and relevant foreign criminal record authorities for all board members and the AMLCO.
  • Description of services: a description of the virtual currency activities to be conducted, the technology infrastructure, the markets to be served, and the risk management approach.
  • Business plan: a description of the business model, projected transaction volumes, and financial sustainability of the operation.

Processing Timeline

For a complete and compliant application, the GIIF typically processes DKWN registrations within 2 to 4 weeks. This is substantially faster than Estonia (60 to 90 days) or Lithuania (1 to 3 months), and is one of the most compelling practical advantages of the Polish route. The key condition for achieving this timeline is submitting a complete application with a genuine, well-drafted AML programme. Applications that are incomplete, or where the AML programme is clearly a template rather than a firm-specific document, will be returned for remediation, adding weeks or months to the process.

Penalties for Non-Compliance

The penalties for operating without DKWN registration or for material AML violations are serious, and they reflect the Polish legislature's intent to treat virtual currency regulation as a matter of substantive financial crime prevention rather than administrative box-ticking.

Operating virtual currency activity in Poland without DKWN registration is a criminal offence under the AML Act. The penalty is imprisonment of up to three years. This applies to the individuals responsible for the firm's management, not just to the entity itself. For management teams considering whether to delay registration while building the business, this is a significant legal risk.

AML violations by registered firms attract administrative penalties. The GIIF can impose fines of up to PLN 5 million (approximately €1.2 million) for material AML breaches, including failure to conduct adequate CDD, failure to submit required STRs, and failure to maintain required records. In addition to financial penalties, the GIIF can impose operational restrictions, including restrictions on taking on new customers or on conducting specific transaction types, and can ultimately withdraw the DKWN registration.

Personal liability attaches to the members of the management board and the AMLCO for AML violations committed in the name of the firm. This is not merely a theoretical risk: the GIIF has pursued individual enforcement action in cases of serious non-compliance.

MiCA Transition for Polish VASPs

Poland is an EU member state, and MiCA's CASP authorisation framework applies directly in Poland without the need for implementing legislation. From December 2024, MiCA has set the framework for crypto-asset service providers across the EU, including Poland. For existing DKWN-registered firms, MiCA introduces both an opportunity and an obligation.

The opportunity is the EU passport: a MiCA CASP authorisation obtained from any competent authority in the EU allows the holder to provide crypto-asset services across the entire EU single market. For Polish firms that currently rely on the DKWN registration for Polish market access, a MiCA authorisation would enable them to scale operations across all 27 EU member states without separate national registrations.

The obligation is that the DKWN registration does not automatically become a MiCA CASP authorisation. The national registration and the MiCA authorisation are distinct legal instruments. Polish VASPs that wish to continue operating as crypto-asset service providers beyond the MiCA transitional period must apply for a CASP authorisation from the KNF (Komisja Nadzoru Finansowego, the Polish Financial Supervision Authority). The KNF is the competent authority for MiCA authorisation in Poland.

MiCA's requirements are substantially more demanding than the DKWN regime in several areas: organisational and governance requirements, capital requirements (which vary by the type and scale of crypto-asset services), client asset protection rules (including mandatory segregation and custody standards), conflicts of interest policies, and cybersecurity and operational resilience requirements aligned with DORA. For a comprehensive breakdown of what MiCA requires operationally, see our detailed guide on MiCA compliance requirements.

Firms that are entering the Polish market now, in 2026, should build their compliance programmes to MiCA standards from the outset. The marginal cost of building to a higher standard initially is far lower than the cost of a full programme overhaul at the MiCA transition point, and it positions the firm to apply for the EU passport rather than remaining limited to the Polish national market.

Comparison with Estonia and Lithuania

Poland, Estonia, and Lithuania are the three most commonly considered EU jurisdictions for crypto VASP licensing, and they present meaningfully different risk/cost/effort profiles. Understanding the differences is essential for founders and compliance teams making a licensing strategy decision.

Capital Requirements

Poland has no statutory minimum capital requirement. Estonia requires €100,000. Lithuania requires €125,000. For capital-constrained early-stage firms, Poland offers the most accessible route. For firms with adequate capital, the higher requirements in Estonia and Lithuania are not prohibitive, but they do represent a meaningful upfront investment.

Substance Requirements

Estonia requires a physical office and a resident board member. Lithuania requires a registered office and a Lithuanian-resident manager. Poland requires a registered company and business address but does not impose a physical office or residency requirement for management. Poland is therefore the most flexible option for firms whose operational teams are based elsewhere.

Processing Times

Poland's DKWN registration typically takes 2 to 4 weeks. Estonia's VASP licence takes 60 to 90 days. Lithuania's FNTT licence takes 1 to 3 months. For firms that need to commence operations quickly, Poland offers a clear advantage. For detailed information on the Estonian framework, see our guide on the Estonia crypto licence. For Lithuania's specific requirements, see our guide on the Lithuania crypto licence.

MiCA Transition

All three jurisdictions will converge under MiCA. The competent authorities for MiCA authorisation differ: Finantsinspektsioon in Estonia, the Bank of Lithuania in Lithuania (building on its EMI licensing experience), and the KNF in Poland. The transition pathway and the competent authority's track record in engaging with crypto firms are relevant factors in the MiCA strategy.

Why Crypto Firms Choose Poland

Beyond the regulatory framework, Poland offers several structural advantages that make it a compelling EU base for crypto businesses.

Poland has one of the largest and most technically skilled workforces in Central and Eastern Europe. The country produces a high number of software engineers, data scientists, and financial technology professionals each year, and the cost of talent is generally lower than in Western Europe. For firms that need to build engineering and compliance teams, Poland is a practical and cost-effective location.

Poland's financial sector is well-developed. Warsaw is a significant regional financial centre, with established banking relationships, well-practised corporate law firms, and a growing compliance services sector with specific expertise in virtual currency regulation. Banking access, which remains a challenge for crypto firms in many European jurisdictions, is more achievable in Poland for DKWN-registered firms with credible AML programmes than in some other EU markets.

Poland's central location within the EU, with excellent transport links to Western Europe, makes it a practical operational hub for firms serving clients across the continent. The country's time zone (CET) aligns well with most EU business operations.

The absence of a minimum capital requirement means that the financial barriers to entry are lower than in many competing jurisdictions, allowing founders to allocate capital to operational development rather than to regulatory reserves. This does not reduce the need for a genuine compliance investment, but it does make Poland more accessible for firms at an earlier stage of development.

The Operational Security Angle

The GIIF's approach to AML supervision has become increasingly sophisticated. Early assessments focused primarily on whether an AML programme existed and whether the required policies were filed. More recent inspections focus on whether the AML programme is genuine: whether transaction monitoring is actually operating, whether STRs are being submitted at a rate consistent with the firm's transaction volumes and risk profile, whether staff can demonstrate AML training, and whether the CDD files are complete and current.

This evolution in supervisory focus has significant implications for the security programme. A firm's ability to maintain a genuine AML programme depends critically on the quality of its operational infrastructure. Transaction monitoring that works requires reliable data feeds from the firm's trading and custody systems. CDD records that are accessible and complete require a secure, well-designed data management system. STR investigations that are timely and well-documented require a case management process built on secure, audit-trailed systems.

Firms that have built their AML programme on paper but have not invested in the underlying operational infrastructure consistently fail GIIF inspections. The inspection finds that the transaction monitoring system is not configured to the stated thresholds, or that CDD files are incomplete, or that there are no training records for staff who have been handling customer relationships. The result is enforcement action, regardless of how impressive the policy documentation appears on paper.

Security4Web3 works with DKWN applicants and registered firms to close the gap between the paper AML programme and operational reality. This means security architecture reviews to ensure that the systems supporting the AML programme are secure and reliable; data management assessments to confirm that CDD and transaction records are complete, accessible, and protected; and operational security reviews to identify vulnerabilities that could be exploited to circumvent AML controls. The investment in operational security is not separate from the compliance investment; it is the foundation on which a credible compliance programme is built.

Frequently Asked Questions

What is the DKWN in Poland?

The DKWN (Rejestr działalności w zakresie walut wirtualnych) is the Polish register of virtual currency activity. It is maintained by the GIIF (General Inspector of Financial Information) and represents the authorisation that crypto firms must obtain before conducting virtual currency exchange, custody, transfer, or exchange platform services from a Polish entity. Entry onto the DKWN is a legal prerequisite for virtual currency business in Poland, and operating without registration is a criminal offence.

Do I need a Polish company to register for the DKWN?

Yes. DKWN registration requires a Polish-registered company. Foreign entities cannot hold a DKWN registration directly. The company must be registered in the Polish National Court Register (KRS) and maintain a Polish business address. The most common corporate form used for DKWN applicants is a Polish limited liability company (Sp. z o.o.), which can be incorporated with a statutory minimum capital of PLN 5,000.

Is there a minimum capital requirement for the Poland crypto licence?

The Polish AML Act does not specify a statutory minimum capital requirement for DKWN registration. This contrasts with Estonia's €100,000 requirement and Lithuania's €125,000 requirement, and is one of Poland's key structural advantages for early-stage firms. However, the GIIF expects evidence of operational and financial sustainability. A credible business plan that demonstrates adequate funding relative to the scope of the proposed activities is a practical necessity even in the absence of a formal capital floor.

How long does DKWN registration take?

For a complete and compliant application, the GIIF typically processes DKWN registrations within 2 to 4 weeks. This is one of the fastest processing times among EU crypto licensing regimes. The key condition is submitting a genuinely complete application, particularly an AML programme that reflects the firm's specific risk profile rather than a generic template. Incomplete applications are returned for remediation, which can add weeks or months to the process.

What happens when MiCA takes effect in Poland?

MiCA's CASP authorisation framework supplements and will ultimately replace national VASP registrations across the EU, including Poland's DKWN. Polish firms wishing to continue operating as crypto-asset service providers after the MiCA transitional period must apply for a CASP authorisation from the KNF. The requirements under MiCA are more comprehensive than those under the current DKWN regime, covering organisational governance, capital adequacy, client asset protection, conflicts of interest, and DORA-aligned cybersecurity. Firms should begin building MiCA-compliant programmes now to avoid a disruptive overhaul at the point of transition.
