A Crypto-Asset Service Provider is an organisation that offers regulated services involving crypto-assets, such as custody, exchange, or transfer activities. For compliance teams, the key issue is that CASP status brings licensing, governance, and control evidence obligations that must be maintained continuously, not only at application time.
Expanded Definition
In crypto compliance, CASP usually refers to a regulated entity that performs activities such as custody, exchange, execution, order transmission, or transfer services for crypto-assets. Under the EU MiCA model, the label matters because it does not describe a technology stack or a wallet type; it defines a supervised business perimeter with ongoing governance duties. That distinction aligns with how NHI Management Group frames operational identity risk: the control question is not only who can log in, but which automated accounts, keys, and approvals sit behind the regulated service. For that reason, CASP is often discussed alongside access controls, segregation of duties, auditability, and evidence retention, rather than as a narrow registration term. Definitions vary across jurisdictions, so firms should map the local legal perimeter before treating CASP as a universal designation. For broader identity governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0. The most common misapplication is using CASP as a generic label for any crypto business, which occurs when teams ignore whether the service is actually regulated custody, exchange, or transfer activity.
Examples and Use Cases
Implementing CASP obligations rigorously often introduces continuous evidence collection overhead, requiring organisations to weigh regulatory readiness against operational friction.
- A custody platform maintains transaction controls, key governance, and incident logs to demonstrate that client assets are protected under the applicable CASP regime.
- An exchange operator separates trading, wallet administration, and support functions so that privileged access can be reviewed as part of ongoing supervision, not just onboarding.
- A transfer service documents its approval chain for outbound movements and retains records that can support regulator inquiries and internal assurance testing.
- A compliance team uses the Ultimate Guide to NHIs to assess whether API keys, service accounts, and vault practices are aligned with the control expectations behind regulated crypto operations.
- A risk function maps its control library to the NIST Cybersecurity Framework 2.0 to make sure the CASP perimeter has repeatable monitoring, response, and recovery evidence.
Why It Matters in NHI Security
CASP status becomes an NHI security issue because regulated crypto services are heavily dependent on non-human identities, secrets, signing keys, and automated workflows. If those identities are over-privileged, poorly rotated, or not inventoried, the organisation may meet a licensing threshold on paper while failing the control evidence needed to operate safely. NHI Management Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges, which makes crypto operations especially exposed when controls are weak. The same risk pattern appears when vaults are misconfigured, when approvals are embedded in scripts, or when third-party integrations inherit standing access without review. For this reason, CASP governance is not limited to legal registration; it requires continuous identity hygiene, control testing, and escalation paths that can survive audit scrutiny. Additional context is available in the Ultimate Guide to NHIs. Organisations typically encounter the true CASP burden only after a breach, failed audit, or regulator request for evidence, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | CASP obligations depend on controlling and reviewing access for regulated crypto operations. |
| OWASP Non-Human Identity Top 10 | NHI-02 | CASP environments commonly fail when secrets and keys are stored or rotated poorly. |
| NIST AI RMF | CASP governance uses risk management to evidence controls and monitor operational harms. |
Treat CASP as an ongoing risk domain and document controls, monitoring, and remediation.