DISPATCH ·

Building a CASP + CFD broker hybrid stack under EU regulation in 2026

Twenty-first Phase 3 dispatch and fifth operator archetype dispatch. Covers the emerging archetype of EU-regulated operators running both a CFD broker authorised under MiFID II and a CASP authorised under MiCAR under common ownership and shared operational infrastructure. Different from the prop firm plus broker hybrid (one regulated + one unregulated education entity) and different from the DMCC plus VARA dual-licensing (two different regulators in one jurisdiction): both verticals here are EU-regulated under different but increasingly convergent frameworks. The procurement question is regulatory framework convergence between MiFID II and MiCAR, the shared compliance ops opportunity, and the two-trading-stack reality with shared CRM, KYC, and hosting infrastructure. Three archetype stacks and the three procurement mistakes EU dual-licensed operators make most often.

tags · synthesis · eu-hybrid · cfd-casp · mifid-ii · micar · phase-3

Why this dispatch exists

This is the twenty-first Phase 3 dispatch and the fifth in the operator archetype synthesis sub-series. The earlier four archetype dispatches covered CySEC CFD broker, DMCC plus VARA UAE broker, hybrid prop firm plus broker, and CASP under MiCAR. The cross-archetype matrix dispatch closed the synthesis arc with a vendor-by-archetype mapping across all four archetypes.

This dispatch covers a fifth operator archetype that has emerged through 2025-2026: EU-regulated operators running both a CFD broker authorised under MiFID II (typically CySEC-regulated; some FCA-passport-leveraged) and a CASP authorised under MiCAR under common ownership and shared operational infrastructure. The archetype is structurally distinct from the four prior archetypes. Different from the prop firm plus broker hybrid because both verticals here are formally regulated under EU frameworks rather than one regulated plus one education entity. Different from the DMCC plus VARA dual-licensing because both verticals here are EU-supervised under different but increasingly convergent regulatory frameworks rather than two parallel UAE regimes. Different from the pure CySEC CFD broker because the operator extends into the crypto-asset venue layer. Different from the pure CASP because the operator retains the CFD broker layer.

The procurement question for this archetype is regulatory framework convergence between MiFID II and MiCAR, the shared compliance ops opportunity that the dual-EU framework enables, and the two-trading-stack reality with shared CRM, KYC, and hosting infrastructure plus distinct trading platforms. This dispatch covers what makes EU dual-licensed procurement different, the 14 Phase 2 chapters mapped to the EU CASP plus CFD broker hybrid stack in dependency order, three archetype stacks with annualised cost envelopes, and three procurement mistakes EU dual-licensed operators make most often.

What makes EU CASP + CFD broker hybrid procurement different

Five constraints separate EU dual-licensed procurement from the four prior archetypes:

MiFID II plus MiCAR converging supervisory expectations. EU regulators including ESMA, CySEC, BaFin, AMF, and CNMV have signalled that supervision of dual-licensed operators will treat the two verticals as operationally related rather than as independent regulated entities. The convergence affects multiple procurement decisions: comms surveillance covering both verticals under one supervisory regime, RegTech procurement spanning MAR (CFD) and MiCAR Title VI (crypto-asset) surveillance, KYC procurement spanning CFD onboarding and CASP authorisation requirements, and reporting infrastructure spanning MiFIR Article 26 transaction reporting (CFD) and CASP supervisory reporting (crypto). The procurement-relevant implication is that dual-licensed operators benefit from vendors capable of unified product positioning across both regulatory frameworks rather than from vendors specialised in one framework.

Shared compliance ops opportunity. The dual-EU framework enables compliance ops sharing across the two verticals in ways that DMCC plus VARA cannot match because the EU jurisdictional framework is more harmonised than the UAE multi-regulator landscape. Single sanctions screening vendor covering both CFD and CASP sanctions requirements. Single comms surveillance vendor covering both MAR and MiCAR conduct risk. Single compliance ops team handling MiFIR transaction reporting plus MiCAR supervisory reporting. The procurement-relevant implication is that dual-licensed operators should evaluate vendors against both vertical requirements simultaneously rather than procuring vertical-specific vendors.

Two trading stacks with shared operational infrastructure. The CFD broker side and the CASP side typically run distinct trading platforms (MT5 or cTrader for CFD; crypto exchange WL platform for CASP) because the architectures are structurally different. The shared infrastructure layer covers CRM (multi-tenant configuration covered in the broker CRM deep dive), KYC (two-vendor pattern covered in the KYC pre-consolidation dispatch), comms surveillance, hosting (split architecture with CFD trading platform at LD4 or FR2 plus CASP venue at EU-resident DC), and regulatory horizon scanning. The procurement question is which infrastructure layers benefit from sharing versus which require per-vertical procurement.

EU passporting plus MiCAR Article 67 passporting compound the geographic scope. The CFD broker authorised under CySEC passports into the EU and EEA under MiFID II Article 34. The CASP authorised under MiCAR passports into the EU and EEA under MiCAR Article 67. The combined passporting envelope is broader than either single passport. The procurement-relevant implication is that dual-licensed operators face a wider geographic client mix than single-licence EU operators, which affects KYC jurisdiction coverage, payment rail coverage, marketing material approval workflows, and per-jurisdiction disclosure requirements.

The procurement decision horizon extends across two evolving regulatory frameworks. MiFID III is in discussion at the EU level with potential proposals in 2026-2027. MiCAR technical standards are being progressively finalised by ESMA through 2025-2027. Both frameworks will continue evolving through the dual-licensed operator’s procurement horizon. The procurement-relevant implication is that dual-licensed operators should weight vendor regulatory-readiness more heavily than single-licence operators because the operator faces compound regulatory change risk across two frameworks rather than one.

The 14 chapters mapped to an EU dual-licensed stack

Foundation: what you decide first

Chapter XIV - Brokerage hosting. Dual-licensed hosting requires EU data residency under both MiFID II and MiCAR Article 75 custody segregation. The credible institutional paths are Equinix FR2 direct for Frankfurt EU-resident deployments, Equinix AM3 for Amsterdam, or Beeks Group at FR2 for managed proximity compute. The dual-licensed operator typically runs split architecture: CFD platform at LD4 (London) or FR2 (Frankfurt) for LP proximity; CASP venue at FR2 or AM3 for EU-resident crypto-asset client data. Custody facility separate from CASP venue facility per MiCAR Article 75 expectations covered in the crypto exchange WL consolidation dispatch.

Trading layer: two stacks, shared LP coordination

Chapter II - Alternative white-label platforms. CFD broker side: MT5 default with cTrader as differentiated experience layer per the trading platform deep dive. The CFD platform decision is the same as Archetype A (CySEC CFD broker) procurement.

Chapter X - Crypto exchange white-label. CASP side: B2BX or Soft-FX crypto as the regulated crypto trading venue per the CASP archetype dispatch and the crypto exchange WL consolidation dispatch. The crypto exchange WL decision is the same as Archetype D (CASP under MiCAR) procurement.

Chapter VIII - Liquidity providers. LP procurement runs two parallel tracks. CFD side: two tier-1 FX prime brokers or PoP relationships per the LP procurement deep dive. CASP side: three to five institutional crypto LPs (Cumberland, Wintermute, GSR, Falcon X, Galaxy Digital Trading) plus CEX institutional access plus stablecoin rails. The LP relationships are bilateral with each side but the operator’s risk management infrastructure can aggregate exposure across both sides for consolidated risk reporting.

Chapter IX - Risk management. Risk management at the operator-level consolidates exposure across both verticals while maintaining per-vertical pre-trade controls. Specialist risk-aggregation platforms (Centroid Solutions, panOptik) can handle cross-vertical aggregation; the procurement-relevant question is whether the operator wants consolidated VaR limits at the operator level (which produces a unified risk picture) versus per-vertical VaR limits (which maintains supervisory separation between the two regulated entities). Most mid-market dual-licensed operators maintain per-vertical VaR limits with operator-level monitoring overlay.

Compliance layer: the shared opportunity

Chapter III - KYC + AML for brokers. This is the largest compliance-ops sharing opportunity in the dual-licensed stack. The two-vendor procurement pattern from the KYC pre-consolidation dispatch applies but with explicit CASP-specific extension. Primary KYC vendor (Sumsub is the strongest universal option) handles CFD broker onboarding plus CASP authorisation requirements (wallet ownership verification, supported asset configuration per jurisdiction). Secondary ongoing screening vendor (ComplyAdvantage) handles both CFD client ongoing screening and CASP client ongoing screening with crypto-specific PEP and sanctions data set extension. Travel Rule infrastructure (Sumsub TRP bundled or separate Notabene) handles the CASP-specific transfer-level compliance. The shared infrastructure reduces vendor management overhead and produces cleaner operator-level compliance reporting.

Chapter XIII - RegTech and compliance reporting. The dual-licensed RegTech procurement is structurally split but shares vendor relationships:

  • Trade surveillance: Single vendor covering both MAR (CFD) and MiCAR Title VI (crypto-asset) is the procurement opportunity. Eventus Validus is the strongest single-vendor answer at mid-market scale per the RegTech post-MiCAR dispatch. Nasdaq SMARTS at tier-1 scale.

  • Transaction reporting: Asymmetric procurement. CFD side requires Cappitech or equivalent for MiFIR Article 26 reporting. CASP side does not have equivalent transaction reporting requirement (MiCAR Title VI surveillance plus Travel Rule recordkeeping replaces MiFIR for CASP). The procurement decision is therefore one vendor (Cappitech) for CFD side rather than dual procurement.

  • Comms surveillance: Single vendor covering both verticals. Behavox or Smarsh handles email, mobile, and collaboration platform capture across both CFD and CASP staff with consolidated supervisory reporting.

  • Regulatory horizon scanning: Single vendor covering MiFID II plus MiCAR plus ESMA technical standards plus the broader EU regulatory landscape. CUBE or Corlytics handle the multi-framework scope. Procurement-appropriate for dual-licensed operators specifically because the multi-framework regulatory taxonomy is genuinely useful.

Operations layer: where the business runs

Chapter IV - Broker CRMs. The dual-licensed CRM architecture decision is the second-most-consequential procurement choice (after the regulatory framework convergence question). The broker CRM deep dive covered three multi-tenant patterns. Dual-licensed operators typically procure Pattern 3 (one CRM tenant for each entity, shared parent) using B2Core’s multi-tenant capability because B2Core’s native crypto-asset positioning covers both verticals cleanly. Pattern 1 (one CRM, two record types) creates legal entity separation gaps that dual-EU-licensed operators should not accept. Pattern 2 (two CRMs, integration layer) is procurement-appropriate for operators with explicit engineering investment but operationally heavier than Pattern 3.

Chapter VI - Payments. Payment procurement runs two parallel tracks but shares specialist banking relationships. The CFD side runs the 4-6 PSP stack per the CySEC archetype dispatch. The CASP side runs the specialist banking partner (Bank Frick, BCB Group, Sygnum, Clear Junction) per the payments + EU banking dispatch plus stablecoin rails. The combined PSP stack covers both verticals with some PSP relationships handling both CFD and CASP merchant flow.

Chapter VII - IB management. IB management typically attaches to the CFD broker side primarily because the CFD product is the typical IB referral driver. The CASP side may run a separate IB program with crypto-affiliate-specific positioning. The procurement-relevant question is whether to run unified IB platform with two vertical configurations or two separate IB platforms; most dual-licensed operators choose unified with vertical configuration.

Chapter V - Turnkey suites. Limited applicability per the turnkey suite procurement deep dive. B2Broker turnkey is the closest to dual-licensed-ready procurement because B2Broker bundles both CFD broker stack components and CASP venue components (B2BX). Other turnkey suites do not cover the dual-vertical requirement. The procurement decision is typically B2Broker turnkey at lean scale or unbundled best-of-breed at mid-market scale.

Retention layer

Chapter XI - Broker analytics and market signals. The CFD side runs the broker analytics deep dive 2-4 parallel products pattern. The CASP side runs separate CASP-specific analytics (CoinGecko Terminal, Glassnode, Messari Pro). The two vendor sets do not have meaningful overlap; the procurement decision is parallel rather than shared.

Chapter XII - Copy and social trading. CFD side runs the copy trading deep dive procurement with cTrader Copy native (if cTrader is deployed) or Brokeree Social Trader (if MT5-only). CASP side typically does not run copy trading because the Phase 2 chapter vendors are calibrated for FX and CFD copy execution rather than crypto-asset copy.

Vertical-specific layers

Chapter I - Prop firm technology. Not relevant for the EU dual-licensed archetype unless the operator runs an integrated prop firm vertical (which would transition to a tri-vertical archetype not yet covered in the synthesis series).

Three archetype stacks for EU dual-licensed operators

Lean EU dual-licensed (CySEC CFD plus CASP)

For operators with 2,000-5,000 active CFD accounts plus a CASP venue with 1,000-3,000 active CASP accounts. Lean engineering team. Optimise for: regulatory readiness across both frameworks, shared compliance ops, single-vendor accountability where the dual-vertical scope permits.

  • Hosting: Single Beeks Proximity Cloud deployment at FR2 with logical separation between CFD trading platform and CASP venue.
  • Trading platforms: MT5 for CFD side; B2BX for CASP venue.
  • CRM: B2Core multi-tenant (Pattern 3 from broker CRM deep dive) with parent organisation visibility across both entities.
  • KYC: Sumsub primary with TRP module bundled for Travel Rule; ComplyAdvantage for ongoing screening. Single vendor pair covering both verticals.
  • RegTech: Eventus Validus for trade surveillance covering both verticals; Cappitech for CFD MiFIR; Smarsh for comms surveillance.
  • Payments: Bank Frick as primary banking partner; 2-3 PSPs for CFD retail withdrawal; USDC stablecoin rail for CASP institutional.
  • LP: Two CFD PoPs; B2BX bundled crypto liquidity plus one CEX institutional.
  • Risk management: Bundled with B2Broker stack at entry scale.
  • Custody: Fireblocks for CASP custody with bundled commercial crime insurance.
  • IB management: B2Core IB module unified across both verticals.

Total estimated annual stack cost: $550,000 to $900,000.

Mid-market EU dual-licensed

For operators with 10,000-25,000 active CFD accounts plus a CASP venue with 5,000-15,000 active CASP accounts. Dedicated tech and compliance teams. Optimise for: best-of-breed within shared infrastructure layers, multi-vendor redundancy where vertical separation is regulatory-mandatory.

  • Hosting: Equinix FR2 direct for CFD trading platform plus AM3 for CASP venue redundancy. Separate physical facility for cold custody if running in-house.
  • Trading platforms: MT5 plus cTrader for CFD differentiated experience; B2BX or Soft-FX for CASP venue.
  • CRM: B2Core multi-tenant or Match-Trader CRM multi-tenant; parent organisation analytics layer.
  • KYC: Sumsub or Veriff primary with explicit CASP-specific configuration; ComplyAdvantage for ongoing screening; Notabene as separate Travel Rule for counterparty network coverage advantage.
  • RegTech: Eventus Validus for unified trade surveillance covering both verticals; Cappitech for CFD MiFIR with Kaizen Reporting for accuracy testing; Behavox for comms surveillance covering both verticals; CUBE for unified regulatory horizon scanning across MiFID II plus MiCAR.
  • Payments: Bank Frick plus BCB Group for CASP fiat rails; 4-6 PSPs covering CFD retail; USDC plus EURC stablecoin rails for institutional CASP flow.
  • LP: Two tier-1 FX prime brokers or PoPs; 3-4 institutional crypto LPs (Cumberland, Wintermute, GSR) plus CEX institutional access.
  • Risk management: Specialist risk-aggregation platform (Centroid Solutions or panOptik) with per-vertical VaR limits plus operator-level monitoring overlay.
  • Custody: Fireblocks or Komainu for institutional CASP custody with 50-100M EUR commercial crime cover.
  • IB management: Specialist IB platform (Cellxpert or equivalent) with vertical configuration for CFD plus CASP attribution.
  • Analytics: Trading Central plus Solitics for CFD side; Glassnode plus Messari Pro for CASP side.
  • Copy trading: cTrader Copy on CFD side if cTrader deployed.

Total estimated annual stack cost: $2.8M to $6M.

Tier-1 EU dual-licensed plus multi-jurisdiction

For operators with 25,000+ active CFD accounts plus 15,000+ active CASP accounts plus typically additional regulated entities (CySEC plus FCA passport plus possibly DMCC or DFSA), in-house engineering and compliance, institutional client segments. Optimise for: best-of-breed per layer, multi-jurisdiction supervisory examination readiness, public-company vendor preference.

  • Hosting: Direct Equinix at LD4 plus FR2 plus AM3 plus NY4 plus possibly DX1 if DMCC-dual-licensed. Lucera or Avelacom for low-latency network. Multiple physically isolated cold custody facilities.
  • Trading platforms: MT5 plus cTrader plus possibly proprietary alt-WL for CFD institutional; institutional crypto-native platform (ChainUp or AlphaPoint) for CASP venue with proprietary execution layer.
  • CRM: Best-of-breed standalone CRM with in-house customisation; multi-tenant configuration across the regulated entity set.
  • KYC: Tier-1 KYC vendor per regulated entity with continuous monitoring vendor plus in-house compliance ops team plus periodic third-party audit.
  • RegTech: Nasdaq SMARTS for trade surveillance across all verticals and jurisdictions; Cappitech for EU-passported MiFIR; Kaizen Reporting; Behavox; CUBE or Corlytics for multi-jurisdiction regulatory horizon scanning.
  • Payments: 4-6 banking partners across multiple EU jurisdictions; 10-15 PSPs for CFD retail; comprehensive stablecoin rails.
  • LP: 5-8 FX LP relationships plus 5-10 institutional crypto LP relationships plus CEX institutional access plus DEX aggregator routing.
  • Risk management: Specialist risk-aggregation plus in-house quant-built market risk and inventory risk analytics.
  • Custody: In-house custody with multiple cold facilities plus delegated custody (Fireblocks Vault or BitGo Trust) for institutional client segregation.
  • IB management: Specialist platform with in-house attribution analytics.
  • Analytics: Multi-vendor stack including institutional data feeds (Acuity, Newsquawk) plus crypto-specific (Glassnode, Messari Pro) plus proprietary analytics.

Total estimated annual stack cost: $10M to $35M+ depending on jurisdictional breadth.

Three procurement mistakes EU dual-licensed operators make most often

Mistake 1: Treating the two verticals as fully separate procurement tracks rather than evaluating the shared compliance ops opportunity. The dual-EU framework enables compliance ops sharing across KYC, comms surveillance, regulatory horizon scanning, and trade surveillance in ways that operators often miss because the two verticals’ compliance teams may report separately into the operator’s corporate structure. Operators that procure vertical-specific vendors for layers that could share vendor relationships pay more vendor management overhead and produce inconsistent supervisory reporting across the two verticals. The procurement decision should explicitly evaluate which infrastructure layers benefit from sharing versus which require per-vertical procurement.

Mistake 2: Procuring the CASP venue infrastructure from CFD-broker-calibrated vendors. Match-Trade Crypto, ETNA Software, and similar vendors covered in the crypto exchange WL consolidation dispatch are LIMITED for MiCAR-supervised CASP procurement regardless of the operator’s CFD broker relationship with the parent vendor. Dual-licensed operators sometimes extend their CFD platform vendor procurement to the CASP venue layer because of integration convenience; the procurement consequence is regulatory exposure that the LIMITED Phase 2 verdicts specifically flagged. The CASP venue procurement should follow the CASP archetype procurement framework regardless of the operator’s CFD platform vendor relationship.

Mistake 3: Underspecifying the regulatory framework convergence question in vendor RFPs. MiFID II plus MiCAR supervisory expectations are converging through 2025-2027 with progressive ESMA technical standards and potential MiFID III proposals in 2026-2027. Vendors capable of unified product positioning across both frameworks are differentially advantaged for dual-licensed operators; vendors specialised in one framework may face product capability gaps as the convergence proceeds. The procurement RFP should explicitly request vendor positioning on the convergence question and forward-compatibility with the progressive technical standards rather than evaluating vendor capability against current framework state alone.

What comes next in the operator archetype synthesis sub-series

Five operator archetype dispatches now shipped: CySEC, DMCC plus VARA, hybrid prop firm plus broker, CASP under MiCAR, and EU dual-licensed CASP plus CFD broker. The remaining archetype candidates:

  • ADGM FSRA institutional broker. Abu Dhabi Global Market regulated institutional positioning distinct from DMCC + VARA UAE archetype.
  • LATAM CFD broker. Brazilian CVM, Mexican CNBV, Argentine CNV regulatory landscape with cross-jurisdictional client mix patterns.
  • APAC CFD broker. Singapore MAS, Hong Kong SFC, Japan FSA, Australia ASIC regulatory landscape.

Beyond archetype dispatches the Phase 3 roadmap includes additional vendor refresh cycles, cross-pillar synthesis updates (cross-archetype matrix dispatch periodic refresh), and per-pillar deep-dives if specific chapters accumulate sufficient editorial signal.

If you operate an EU dual-licensed CASP plus CFD broker stack and the synthesis above does not match your direct procurement reality, that is the editorial signal we are looking for. The corpus improves through ground-truth from operators.