Regulation on Licensing of Crypto-Assets Service Operators Providing Exchange Services

1FROM18 Pursuant to Article 35, paragraph 1, subparagraph 1.1 and Article 65 of Law No. 03/L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77 / 16 August 2010), as amended and supplemented by Law No. 05/L–150 (Official Gazette of the Republic of Kosovo / No. 10 / 03 April 2017), and Article 5 paragraph 2, Article 8 paragraph 4 and Article 10 paragraph 2 of Law No. 08/L-295 on Crypto-Assets, and pursuant to Article 1 paragraph 1, subparagraph 1.1 and 1.2 of Law No. 08/L-295 on Crypto-Assets, the Board of the Central Bank of the Republic of Kosovo, at its meeting held on 29 August 2025, approved the following: REGULATION ON LICENSING OF CRYPTO-ASSETS SERVICE OPERATORS PROVIDING CRYPTO-ASSETS EXCHANGE SERVICES CHAPTER I GENERAL PROVISIONS Article 1 Purpose

1. The purpose of this regulation is to determine the conditions, requirements, procedures and deadlines to be implemented for the licensing of crypto-asset service operators that carry out the following activities: 1.1. exchange of crypto-assets for fiat money (including crypto ATMs or cryptocurrency ATMs;) and vice versa, with a physical base (office), as defined in Article 5, paragraph 1, subparagraphs 1.2 and 1.3 of Law No. 08/L-295 on Crypto-Assets; 1.2. exchange of crypto-assets for other crypto-assets, as defined in Article 5, paragraph 1, subparagraph 1.2 of Law No. 08/L-295 on Crypto-Assets. 1.3. information that must be provided to the Central Bank of the Republic of Kosovo upon application for licensing; 1.4. granting prior approvals for transactions that require prior approval by the CBK; 1.5. obligations of crypto-asset service operators to notify the CBK when carrying out their activities; 1.6. organization, management and operation of crypto-asset service operators. Article 2 Scope

2FROM18 This Regulation applies to legal entities defined under the Law on Crypto Assets that apply for licensing, as well as persons licensed under this Regulation for the exercise of the activity of exchanging crypto-assets for fiat money (including ATMs) and vice versa and/or with other crypto-assets in the Republic of Kosovo. Article 3 Definitions

1. The terms and definitions used in this Regulation have the same meaning as in Law No. 08/L-295 on Crypto-Assets and/or with the following definitions for the purpose of this Regulation: 1.1. Crypto-assets (virtual assets)– a digital representation of value or right, which can be transferred or stored electronically, using DLT or similar technology; 1.2. Crypto-asset service operator (CASO)– means a legal entity licensed to carry out the activity of providing the exchange of crypto-assets for fiat money (including ATMs) and/or other crypto-assets; 1.3. Exchange of crypto-assets for cash (including crypto ATMs and cryptocurrency ATMs)– means entering into contracts for the purchase or sale of crypto-assets with clients, against funds, using own capital; 1.4. Exchanging crypto-assets for other crypto-assets– means entering into contracts for the purchase or sale of crypto-assets with clients, against other crypto-assets, using own capital; 1.5. Main shareholder– a person who owns directly or indirectly, jointly or in concert with other persons, ten percent (10%) or more of any class of shares with voting right or ten percent of the capital interest; 1.6. Management bodies – means the management bodies of a CASO, which are authorized to determine the strategy, objectives and general management of the entity, and which oversee the process of making managerial decisions in the entity, including the persons who effectively lead the activity of the entity; 1.7. Funds –means banknotes and coins, fiat money or electronic money; 1.8. Customer– means any natural or legal person to whom CASO provides crypto-asset services as defined under this regulation; 1.9. Personal data– means personal data as defined in the relevant Law on the Personal Data Protection ; 1.10. Payment account– means an account held in the name of one or more payment service users which is used for the execution of payment transactions; 1.11. CBK –means the Central Bank of the Republic of Kosovo; 1.12. Law on Crypto-Assets– means Law No. 08/L-295 on Crypto-Assets. CHAPTER II Licensing

3FROM18 Article 4 Licensing of CASO

1. No person may provide crypto-asset services unless that person is a legal entity licensed by the CBK as a CASO in accordance with Article 6 of this regulation.
2. The CBK is the sole authority for licensing CASO in the Republic of Kosovo, in accordance with the provisions of this Regulation, to carry out one or both of the following activities: 2.1. exchange of crypto-assets for cash (including ATMs); 2.2. exchange of crypto-assets for other crypto-assets.
3. CASO licensed in accordance with Article 6 of this Regulation must have a registered office in the Republic of Kosovo, where they exercise at least part of their crypto-asset services.
4. CASOs licensed in accordance with Article 6 of this Regulation must meet the conditions for their licensing at all times.
5. Anyone who is not licensed as a CASO must not use a name, or trade name, or publish marketing materials or take any other action that suggests that it is a CASO or that may create confusion in this regard.
6. The CBK, while issuing licenses, specifies the crypto-asset services that operators are licensed to provide.
7. Licensed CASOs are allowed to provide crypto-asset services throughout the territory of the Republic of Kosovo.
8. CASOs licensed under this Regulation are only allowed to exchange crypto-assets, which are permitted to be traded under European Union legislation.
9. Financial institutions and their subsidiaries are not permitted to engage in the provision of crypto￾asset services unless regulated by the CBK.
10. CASOs seeking to add new services to their license must apply to the CBK for a license extension, completing and updating the information specified in Article 5 of this Regulation. The request for extension will be processed in accordance with Article 6 of this Regulation. Article 5 Licensing application
11. Legal entities that intend to provide crypto-asset services under this regulation must submit to the CBK their application for licensing as a CASO.
12. The application pursuant to paragraph 1 must contain all of the following information: 2.1. the name, including the legal name and any other trade name used, the business registration certificate of the entity applying for CASO, its website, email address, telephone number and physical address; 2.2. the act of establishment and/or statute of CASO applying for licensing;

4FROM18 2.3. the operating program, defining the types of crypto-asset services that the applicant intends to provide, including where and how these services will be provided; 2.4. description of the governance structure of the applying CASO; 2.5. data on the main shareholders of CASO in the application specified in Article 5, paragraph 3, subparagraphs 3.3 and 3.4 of the Regulation on the Registration of Non-Banking Financial Institutions, as well as other information providing their good reputation; 2.6. data on the members of the management bodies of the CASO in the application specified in Article 5, paragraph 3, subparagraph 3.5 of the Regulation on the registration of Non-Banking Financial Institutions, as well as other information providing their good reputation; 2.7. description of internal control mechanisms, policies and procedures to identify, assess and manage risks, including risks from money laundering and terrorist financing, as well as a business continuity plan; 2.8. a contract with a bank for opening a bank account, through which they will carry out their cash operations; 2.9. technical documentation of information and communication technology systems, security systems and measures, as well as a description of them in non-technical language; 2.10. description of procedures for handling customer complaints; 2.11. description of the trading policy, which must be non-discriminatory, governing the relationship with customers, as well as a description of the methodology for determining the price of crypto-assets that the operator intends to exchange for fiat money or other crypto￾assets; 2.12. the type of crypto-assets for which the relevant service is provided; 2.13. In any case where the applicant is a foreign financial institution applying to establish a CASO in Kosovo, a declaration from the home country supervisor is required. This declaration must confirm that the authority has no objection to the proposed establishment of the CASO in Kosovo and that the applicant is subject to consolidated supervision, if such supervision is in force. The existence of consolidated supervision does not exclude or limit the supervisory powers of the CBK of Kosovo over the CASO established in Kosovo. 2.14. proof of paid-up capital according to Article 9 of this Regulation; 2.15. proof of payment of the licensing fee; 2.16. additional information if the CBK considers it reasonable. Article 6 Evaluation of the request for granting or refusing licensing

1. The CBK shall confirm, within five working days of receiving an application under Article 5 of this Regulation, its receipt in writing to the applying CASO.
2. The CBK shall consider, within 25 working days of receipt of an application under Article 5 of this Regulation, whether such application is complete by checking that the information listed in

5FROM18 Article 5 of this Regulation has been submitted. If the application is incomplete, the CBK shall set a deadline by which the applying CASO must submit the missing information. 3. If the applicant fails to provide the requested clarifications and/or documentation within ten (10) working days or when, depending on the circumstances, the CBK decides on a longer period, but not more than twenty (20) working days, the application will be considered rejected by default. 4. Once the application is complete, the CBK will notify the applying CASO of this. 5. Before granting or rejecting an application for licensing as a CASO, the CBK will communicate with the FIU and other relevant institutions, depending on the type of license. 6. The CBK will license an applying CASOonly if it can effectively exercise its supervisory function over that CASO. 7. The CBK shall, within 60 working days from the date of receipt of a complete application, assess whether the applying CASO complies with the requirements of this Regulation and, after communication with other responsible authorities, adopt a reasoned decision to grant or refuse the license as CASO. The CBK shall notify the applicant of its decision within five working days from the date of receipt of this decision. 8. The CBK refuses licensing as a CASO if the conditions set out in Article 13 of the Law on Crypto￾Assets are met and if there are objective and factual reasons that: 8.1. the management bodies of the applying CASO pose a threat to its effective, sound and prudent management and to the continuity of its activity, as well as to the due consideration of the interests of its clients and the integrity of the market, or expose the operator to a serious risk of money laundering or terrorist financing; 8.2. any member or more members of the management bodies of the applying CASO do not meet the criteria set out in Article 8 of the Law on Crypto-Assets, Article 10, as well as Article 19 paragraph 2 of this Regulation; 8.3. any of the main shareholders of the applying CASO does not meet the good reputation criteria set out in Article 19, paragraph 3 of this Regulation; 8.4. The applying CASO does not comply or is likely to fail to comply with any of the requirements of this Regulation. 9. The CBK may request, during the assessment period specified in paragraph 7 of this Article, and no later than the 30th day of that period, any other information that is necessary to complete the assessment. Such request shall be made in writing to the applying CASO and shall specify the additional information required. 10. The assessment period under paragraph 7 of this Article shall be suspended for the period between the date of the request for missing information by the CBK and the receipt of a response to this request by the applying CASO. The suspension shall not exceed 20 working days. If the applying CASO does not complete the requested information within 20 working days from the date of the request, the application shall be considered rejected by default. 11. The CBK, within 5 working days of granting the license, informs the FIU-K and/or other responsible authorities depending on the type of license. 12. The license will be granted for an indefinite period of time and will be non-transferable and non￾tradable.

6FROM18 13. The license certificate will be issued in accordance with the Regulation on Issuance of Licensing or Registration Certificates for Financial Institutions. 14. Before starting the activity, the CASO notifies the CBK of the preparations made and its readiness to start the activity, for the creation of adequate space and infrastructure for carrying out the activity, including the installation of the information technology operating system. 15. During the license application process, as well as their operation, CASO may be examined by the CBK, in accordance with the risk-based supervision manual of banks, namely non-banking financial institutions. Article 7 Suspension or revocation of licensing

1. The license of a CASO may be suspended or revoked only by decision of the CBK if one or more of the conditions set out in Article 19 of the Law on Crypto-Assets or the following conditions are met: 1.1. has not started providing the services for which it was licensed within six (6) months from the date of licensing; 1.2. has expressly waived his/her license; 1.3. has not provided crypto-asset services for 9 consecutive months; 1.4. has obtained a license improperly, such as by providing false information/documents in his application; 1.5. no longer meets the conditions under which the license was granted and has not taken the corrective actions required by the responsible authorities within the specified time limit; 1.6. there are no effective systems, procedures and arrangements for the detection and prevention of money laundering and terrorist financing in accordance with the current legislation in force for the prevention of money laundering and terrorist financing; 1.7. CASO has violated the provisions of the current legislation in force on the prevention of money laundering and terrorist financing; 1.8. has seriously violated the rights of customers or the integrity of the market.
2. The license of a CASO may also be withdrawn if the CASO does not act in accordance with Articles 8, 9, 10 and 19 of this Regulation or exceeds the activities for which it was licensed.
3. CBK may limit the withdrawal of a license to a specific crypto-asset service of CASO. Article 8 The obligation to act with honesty, fairness and professionalism in the best interest of clients, as well as for disclosure and transparency
4. CASO must act honestly, fairly and professionally, in accordance with the best interests of clients and potential clients.

7FROM18 2. CASO must provide customers with information that is fair, clear and not misleading, including in marketing materials, which must be identified as such. CASO must not, intentionally or negligently, mislead a customer about the real or perceived advantages of any crypto-asset. 3. CASO must warn clients in writing about the risks associated with transactions in crypto-assets. 4. CASO should provide clients with links to any white papers for the crypto-assets for which they are providing these services, where applicable. 5. CASO should make their policies on prices, costs and fees publicly available, in a visible place in offices, ATMs/cash machines as well as on their website. 6. CASO must provide and disclose to their clients, in a timely manner and before the provision of the service, clear, accurate, understandable and non-misleading information. This information must include the nature of the crypto-assets, the main risks associated with the exchange, the requirements for declaring the legal source of funds, as well as any other relevant information that helps the client decide and understand the risk assumed. The disclosure of this information must be made through electronic forms or in physical form, depending on the channel through which the service is provided. In the case of electronic systems, all confirmations and assertions of the client must be clearly configured and it must be proven that they have been accepted by the client before he decides to carry out a transaction. 7. CASO must ensure that the documents referred to in paragraph 6 of this Article are maintained and available at all times for the supervisory purposes of the CBK and, if requested, also for other competent authorities. Article 9 Capital requests

1. The minimum amount of capital required for licensing and maintenance for CASO is 125,000.00 (one hundred and twenty-five thousand) Euros;
2. In addition to the capital specified in paragraph 1 of this Article, the CASO must also have an additional fund for initial expenses, to cover the costs of establishment, operation and administration, which in any case must not be less than twenty percent (20%) of the capital specified in paragraph 1 of this Article. The requirement for additional funds under this paragraph applies only to initial applications for licensing.
3. The payment of the minimum capital and any subsequent additions thereto must be made in cash so as to be immediately available to absorb losses and must be accompanied by the submission to the CBK of information regarding the source of this capital and the bank document certifying the payment of the capital, as set out in Article 17, paragraph 1, subparagraph 1.3 and paragraph 4, subparagraph 4.3. of this Regulation.
4. The CBK has the right to request clarifications and conduct further verifications regarding the source(s) of funds that will be provided/serve as initial capital or as a subsequent capital addition.
5. The sources of capital funds must be legal and must not derive from debts, loans and/or other funds whose origin is illegal/suspicious. Article 10 Governance and organizational requirements

8FROM18

1. CASOs must have a board of directors composed of no less than 3 (three) members, the majority of whom are independent and non-executive directors.
2. Members of the management bodies of CASOs must meet the “fit and proper” criteria as required by the CBK.
3. Members of the management bodies of CASOs must at least meet the following criteria: 3.1. have a university degree in the field of economics, jurisprudence or another relevant field, for the position to which the person is appointed; 3.2. have 3 (three) years of experience in the banking and/or financial sector or in any other field deemed appropriate by the CBK; 3.3. have a high ethical and professional reputation; 3.4. not have been removed from the CBK from a position in a financial institution; 3.5. not have been convicted by the competent court for a criminal offense punishable by imprisonment of 1 (one) or more years, for which the option of a fine has not been established; 3.6. not have been convicted of economic crimes or found guilty of economic offenses under the Criminal Code; 3.7. not have been denied, by a court/competent authority decision, the exercise of activities within the framework of the defined competencies; 3.8. not have been excluded or suspended by the competent authority from practicing the profession due to personal misconduct; 3.9. not have caused or been responsible for the bankruptcy of any entity carrying out economic activity; 3.10. not have been subject to bankruptcy proceedings, including official administration or bankruptcy, and are free from payment of overdue obligations.
4. In exceptional circumstances, after being satisfied of the qualifications, professional experience and conduct of the person, the CBK may exclude the member of the management bodies from the provisions of subparagraphs 3.9 and 3.10 of paragraph 3 of this Article.
5. The CASOs’ Board of Directors is assisted by the following committee(s): 5.1. the audit committee which includes and is chaired by a non-executive member of the board of directors and at least 1 (one) member of the audit committee must be an external expert in the field of accounting or auditing; and 5.2. the risk management committee, whose members must also be members of the Board of Directors;
6. CASOs must have at least one committee that exercises these functions, unless otherwise required by the CBK.
7. CASOs may establish additional committees other than those specified in this article. Article 11 Outsourcing of activities

9FROM18

1. CASOs that outsource services or activities to third parties for the performance of operational functions shall take all reasonable measures to avoid additional operational risks. They shall remain fully responsible for the fulfilment of all their obligations arising from this Regulation and shall ensure at all times that the following conditions are met: 1.1. outsourcing does not result in the delegation of responsibility of CASOs; 1.2. outsourcing does not change the relationship between CASOs and their clients, nor the obligations of CASOs to their clients; 1.3. outsourcing does not change the conditions for licensing/authorization of CASOs; 1.4. the third parties involved in the outsourcing cooperate with the CBK and other competent authorities and the outsourcing does not impede the exercise of supervisory functions by the CBK and the FIU, including on-site access to obtain any information necessary for the fulfillment of these functions; 1.5. CASOs maintain the necessary expertise and resources to assess the quality of services provided, to effectively supervise outsourced services, and to continuously manage the risks associated with outsourcing; 1.6. CASOs have direct access to relevant information related to subcontracted services; 1.7. CASOs ensure that third parties involved in outsourcing meet national data protection standards. CASOs are responsible for ensuring that data protection standards are set out in written agreements between CASOs and the third party.
2. CASOs should have a policy for outsourcing, including emergency plans and exit strategies, taking into account the scale, nature and type of services being outsourced.
3. CASOs should define in a written agreement their rights and obligations, as well as those of third parties to whom they delegate services or activities. Outsourcing agreements should give CASOs the right to terminate those agreements.
4. CASO and third parties must provide all necessary information available, upon request, to the CBK, in order for the CBK to assess the compliance of the outsourced activities with the requirements of this Regulation. Article 12 Exchanging crypto-assets for cash or other crypto-assets
5. CASOs that exchange crypto-assets for cash (funds) or for other crypto-assets must draft a non￾discriminatory trading policy that defines, among other things, the type of clients they accept to work with and the conditions that these clients must meet.
6. CASOs that exchange crypto-assets for cash or other crypto-assets must publish a fixed price for the crypto-assets, or a method for determining the price of the crypto-assets they offer to exchange, as well as any applicable restrictions they impose on the amount to be exchanged.
7. Such operators must execute client orders at the prices displayed at the time the exchange order is considered final. They must inform clients of the conditions that must be met when an order is considered final.

10FROM18 4. CASOs that exchange crypto-assets for cash or other crypto-assets must publish information on the transactions carried out by them, including transaction volumes and prices. Article 13 Allocation and Safeguarding of Client Assets and Funds

1. When applying for a license, CASOs must demonstrate the capacity to ensure the clear separation of clients' crypto assets and funds from their own assets and funds.
2. Crypto-assets and funds belonging to clients should not be used by CASOs for their own account and should be held in separate and identifiable accounts, including separation from portfolios used for CASO operational needs.
3. CASO must take appropriate organizational and technical measures to ensure the protection, security and integrity of client assets, including the storage of cryptographic keys, measures for the separation of assets between clients and the storage of means of access.
4. The CASO must have policies and procedures for the segregation and safeguarding of client assets, including: 4.1. the method of separation from own assets and those of other clients, 4.2. measures for depositing funds in licensed institutions if applicable, 4.3. and how to inform customers about these policies in a clear and understandable manner.
5. All crypto-asset transactions must be carried out by CASOs through their own separate bank accounts, separate from the CASO's other operational accounts.
6. Pursuant to this article, the CBK will issue a special regulation. Article 14 Access of CASOs to bank accounts
7. CASOs have the right to access bank account services for payments, in an objective, non￾discriminatory and proportionate manner. Such access should be sufficiently broad to allow CASOs to provide payment serviceswithout obstacles and efficiently.
8. In case of denial of access to bank account services for payments, banks must provide CASO with a written justification within five (5) working days from the decision, which decision must also be made available to the CBK immediately. Article 15 Cash operations
9. Licensed CASOs, for cash operations, must engage one or more cash in transit insurance companies (CIT) licensed by the institution responsible for cash transport in accordance with the Regulation on minimum security requirements.
10. CASOs that offer their services through ATMs may be equipped/imported with ATMs.
11. CASOs that wish to be equipped with ATMs according to the provisions of paragraph 2 of this article must obtain an additional license from the CBK for the provision of these services, in

11FROM18 accordance with the Regulation on cash operations and the Instruction on the license for the provision of cash transaction services through machines and for the import of these machines. 4. Transactions exceeding the amount of EUR 1,000, or the equivalent value in foreign currency, regardless of whether the transaction is carried out as a single transaction or several transactions that are interconnected within 24 hours, must be carried out through transfer from a payment account. 5. The maximum limits on the amount of cash held in ATMs and in internal storage facilities (vaults), as well as the relevant security requirements, will be determined according to specific CBK instructions. 6. For the purposes of paragraph 5 of this article, CASOs are obliged to implement the Regulation on Minimum Security Requirements accordingly, unless otherwise regulated by the CBK. Article 16 Prevention of money laundering and terrorist financing

1. CASO apply the legislation in force for the prevention of money laundering and terrorist financing.
2. In addition to other requirements set out in the legislation in force on the Prevention of Money Laundering and Combating the Financing of Terrorism, CASO, when implementing customer due diligence measures, must verify the identity of the customer before carrying out occasional transactions in the amount of EUR 1,000 or more, or the equivalent value in foreign currency, regardless of whether the transaction is carried out as a single transaction or several transactions that are interconnected. Multiple transactions are treated as a single transaction if CASO is aware that the transactions were carried out by or on behalf of one person or entity and the total amount of one thousand (1,000) euros or more is made on a single day. CHAPTER III APPROVALS AND NOTIFICATION OBLIGATION Article 17 Preliminary approvals
3. Without prior approval of the CBK, CASOs may not: 1.1. change the name; 1.2. make changes to the founding document and/or statute; 1.3. increase share capital; 1.4. reduce share capital; 1.5. make changes in the main shareholders; 1.6. appoint members of the management bodies; 1.6.1. the requirements for approval of members of the management bodies under this Article also apply to the appointment of the internal auditor;

12FROM18 1.6.2. the approval process is repeated for each reappointment or extension of the mandate. If the CBK does not respond within 45 (forty-five) days after the completion of the requests for these cases, then these requests are considered tacitly approved. 1.7. opening and relocation of offices within the country, for the purposes of this Regulation, relocation of offices within the country means changing the location of the relevant office within the territory of the same municipality; 1.8. dividend distribution. 2. The CBK shall approve or reject the actions specified in paragraph 1 of this Article within 45 working days from the date of completion of the request, based on the documentation specified in paragraphs 4 and 5 of this Article. The CBK may request, during the assessment period specified in this paragraph, and no later than the 15th day of that period, any other information that is necessary to complete the assessment. Such request shall be made in writing to the applying CASO and shall specify the additional information required. 3. The assessment period under paragraph 2 of this Article shall be suspended for the period between the date of the CBK’s request for missing information and the receipt of a response to this request from the applying CASO. The suspension shall not exceed 10 working days. If the applying CASO does not complete the requested information within 10 working days from the date of the request, the application shall be considered rejected by default. 4. For the approval of transactions from paragraph 1 of this article, CASOs submit a written request accompanied by the following documentation: 4.1. name change: 4.1.1. the decision by the decision-making body; and 4.1.2. written justification for such a change. 4.2. changes to the Act of Establishment and/or statute: 4.2.1. decision by the decision-making body; 4.2.2. the act of establishment and/or amended statute; 4.2.3. written justification for such a change to the act of establishment and/or statute. 4.3. share capital increase: 4.3.1. if the share capital has been increased from internal sources: 4.3.1.1. a statement of the source of the capital increase; 4.3.1.2. the external audit report for the previous year; 4.3.1.3. the financial statements of the last period reported to the CBK, which demonstrate the adequacy of these resources within the capital structure. 4.3.2. If the share capital is increased from external sources, then the requirements of Article 5, paragraph 2, subparagraph 2.6 of this regulation shall apply. 4.4. reduction of share capital: 4.4.1. decision by the decision-making body; 4.4.2. description of the impact of such change on capital requirements;

13FROM18 4.4.3. written justification for the reduction of share capital. 4.5. change in main shareholders: 4.5.1. the name, nationality, residence and business and professional history of the applicant, and any beneficial owner of the applicant who, as a result of the transaction, would indirectly benefit from five percent (5%) or more of the capital interests of CASO as well as the information/documentation required in Article 5, paragraph 2, subparagraph 2.6 of this Regulation; 4.5.2. a list of companies in which the proposed owners, including beneficial owners (as described above), hold shares, specifying the level of such shares and the registered addresses of those companies; 4.5.3. for each person organized as a business entity, audited financial statements (if any) for the last three (3) years; 4.5.4. the source and value of the funds used to exercise the appropriation, as defined in Article 5 paragraph 2 subparagraph 2.6 and Article 9 paragraph 5 of this Regulation; and 4.5.5. in any case where the merger of shares would cause CASO to become a subsidiary of a foreign financial institution, a statement from the responsible supervisory authority of the country of origin regarding the fact that there are no objections to the commencement of activity in Kosovo and that it exercises global consolidated supervision over the financial institution established in Kosovo, if applicable; 4.5.6. has signed a notarized agreement for the change of ownership of shares. 4.6. The appointment of directors and persons responsible for management shall be made according to the documentation specified in Article 5, paragraph 2, subparagraph 2.5 of this regulation: 4.7. opening and relocation of offices: 4.7.1. decision by the decision-making body; 4.7.2. justification for opening or relocating the office; 4.7.3. written notification of compliance with technical and safety requirements. Such notification shall specify the steps taken to meet these requirements and photographs to prove this. 4.8. Dividend distribution: 4.8.1. the decision of the shareholders' assembly and the board of directors on the distribution of dividends; 4.8.2. projections regarding the balance sheet, income statement and capital on a monthly basis for the next 12 (twelve) months, reflecting the possible payment of the dividend; 4.8.3. audited financial statements for the previous year. 5. The CBK may request additional documents in addition to those specified in paragraph 4 of this article.

14FROM18 6. The application for approvals under paragraph 1 of this Article, as well as the documentation attached to the application, shall be submitted by the CASOs and shall be in the official language of the Republic of Kosovo, in original or in notarized copies. In the case of documentation issued by the relevant official authorities in foreign countries other than the Republic of Kosovo, the documentation shall also be certified by the responsible authorities of the relevant countries. 7. The CBK shall approve requests submitted under paragraph 1 of this article only if the following criteria are met: 7.1. name change: 7.1.1. The proposed new name will be in accordance with the Law on Crypto-Assets, the Law on Business Organizations, and the Law on the Use of Languages. 7.2. changes to the Act of Establishment and/or statute: 7.2.1. The changes must not be in conflict with the relevant legislation in force, depending on the type of change in question. 7.3. share capital increase: 7.3.1. licensing conditions relating to capital are applied appropriately; 7.4. reduction of share capital: 7.4.1. the impact of such a decline on CASO, including but not limited to the impact the decline may have on CASO's financial stability, ownership structure and shareholder suitability. 7.5. change in main shareholders; 7.5.1. The proposed merger is assessed according to the same criteria that apply to the approval of the application for licensing of the CASOs in relation to the shareholders, including, but not limited to, the expected effects of the proposed merger on the financial stability and ownership structure of the CASOs and the impact of such a merger on the supervision of the CASOs by the CBK. 7.6. appointment of directors and persons responsible for management: 7.6.1. the criteria under Article 19, paragraph 2 of this regulation; 7.7. Opening and relocation of offices within the country: 7.7.1. the impact of the opening or relocation on the community where the office is or will be located; 7.7.2. CASOs must provide the CBK with sufficient information and facts regarding the readiness of the office to carry out its activities in terms of technical and security conditions, including the computer system, personnel, security, etc.; 7.7.3. The CBK has the right to order the suspension of activity in the relevant office even after approval if it determines that the technical and security conditions for the exercise of financial activity have not been met; 7.8. dividend distribution. 7.8.1. the impact of the dividend distribution on CASO, including, but not limited to, the expected effects on the financial sustainability of CASO.

15FROM18 8. When deciding whether to approve such transactions/actions, the CBK will also take into account other criteria in order to achieve its goals set out in applicable legislation. Article 18 Requirements for notification of changes

1. CASOs must notify the CBK within 30 (thirty) days of the occurrence of changes for the following transactions: 1.1. any change in ownership of shareholders holding less than ten percent (10%) of the capital; 1.2. resignation of members of management bodies; 1.3. closing of offices within the country; 1.4. changes in the organizational structure, if these changes are not reflected in the statute or members of the management bodies.
2. CASOs shall promptly notify the CBK of operational risk events if one of the following occurs: 2.1. financial losses from theft, financial fraud or other similar cases, which represent losses for CASOs in an amount exceeding 1,000 (one thousand) euros; 2.2. events resulting in serious damage or loss of important data or books of CASOs as well as interruptions of operations that affect normal functioning; 2.3. if the exclusive information of CASOs is stolen, sold or published without their permission or if they lose information that could harm their financial stability; 2.4. frequent violations of applicable rules by members of management bodies. CHAPTER IV GOVERNANCE AND MANAGEMENT Article 19 Corporate Governance and governance principles
3. CASOs must have sound governance, including a clear organizational structure with well-defined and transparent lines of responsibility; effective processes for identifying, managing, monitoring and reporting the risks to which they are or may be exposed, and internal control mechanisms, including sound administrative and accounting procedures.
4. The members of the management bodies of the CASOs must be of good reputation and possess appropriate knowledge, skills and experience, both individually and collectively, to perform their duties, as required by Article 10, paragraph 3 of this Regulation. In particular, they must not have been convicted of criminal offences relating to money laundering or terrorist financing, or of any other offence which would be prejudicial to their reputation. They must also demonstrate that they can devote sufficient time to the effective exercise of their functions.

16FROM18 3. The main shareholders of OSHAs must enjoy good reputation and, in particular, must not have been convicted of criminal offenses related to money laundering or terrorist financing, or for any other criminal offense that would damage their reputation. 4. If the influence exercised by the major shareholders of an CASO endangers the sound and prudent management of that operator, the CBK must take appropriate measures to address these risks. The measures may include: imposing sanctions on members of the management bodies, or suspending the exercise of voting rights attached to the shares held by the shareholders. 5. The management bodies of CASOs must adopt effective policies and procedures to ensure compliance with this Regulation. 6. CASOs should employ staff with the necessary knowledge, skills and expertise to carry out the responsibilities assigned to them, taking into account the scale, nature and range of crypto-asset services provided. 7. The management bodies of the CASOs must periodically assess and review the effectiveness of the policies and procedures established to implement Articles 8, 10, 11, 12 and 19 of this Regulation and take appropriate measures to address any deficiencies in this regard. 8. CASOs must take all reasonable measures to ensure continuity and regularity in the performance of their services. To this end, they must use appropriate and proportionate resources and procedures, including stable and secure information systems, as required by current legislation in force. 9. CASOs must draft and approve a business continuity policy, which must include business continuity plans for information systems, as well as information systems response and recovery plans and which aim to ensure, in the event of disruption of their information systems and procedures, the preservation of essential data and functions and the preservation of crypto-asset services or, where this is not possible, the rapid recovery of those data and functions and the rapid resumption of crypto-asset services. 10. CASOs should implement mechanisms, systems and procedures for effective risk assessment arrangements in accordance with current legislation in force on the prevention of money laundering and terrorist financing. They should monitor and, on a regular basis, assess the adequacy and effectiveness of those mechanisms, systems and procedures, taking into account the scale, nature and range of crypto-asset services provided, and should take appropriate measures to address any deficiencies in this regard. 11. CASOs must have systems and procedures to protect the availability, authenticity, integrity and confidentiality of data in accordance with current legislation in force. 12. CASOs must ensure that records are kept of all crypto-asset services, including but not limited to activities, orders and transactions carried out by them. The records must be in accordance with applicable law to enable the responsible authorities to carry out their supervisory duties and take enforcement measures, and in particular to verify whether CASOs have fulfilled all obligations, including those towards clients or potential clients and towards ensuring market integrity. 13. The records kept in accordance with paragraph 12 of this Article shall be made available to customers upon request and shall be kept for a period of five years. Where requested by the responsible authority before the expiry of five years, these records shall be kept for a period of up to seven years.

17FROM18 14. CASOs must implement and maintain effective policies and procedures, taking into account the scale, nature and range of crypto-asset services provided, to identify, prevent, manage and disclose conflicts of interest between: 14.1. themselves and: 14.1.1. shareholders; 14.1.2. any person directly or indirectly related to CASO or its shareholders; 14.1.3. members of the management bodies; 14.1.4. their employees; 14.1.5. their customers; or 14.2. two or more clients whose common interests are in conflict. CHAPTER V FINAL PROVISIONS Article 20 Applicable fees

1. CASOs applying for licensing with the CBK will pay an application fee, according to the amount determined by the CBK. The fee paid is non-refundable in the event of refusal of licensing.
2. After licensing, CASOs will pay other fees according to the amounts determined by the CBK. Article 21 Transitional Provisions Institutions that are subject to licensing through this Regulation are obliged, within a period of 90 (ninety) days from the date of entry into force of this Regulation, to undertake all necessary actions to apply for licensing and comply with the requirements of this Regulation. Article 22 Enforcement, Corrective Measures and Penalties Any violation of the provisions of this Regulation shall be subject to corrective measures and administrative penalties, as set out in Article 67 of Law No. 03/L-209 on the Central Bank of the Republic of Kosovo, as amended and supplemented by Law No. 05/L -150, as well as Chapter VII of Law No. 08/L-295 on Crypto-Assets. Article 23

18FROM18 Entry into force This Regulation shall enter into force 90 (ninety) days after its approval by the Board of the Central Bank of the Republic of Kosovo. Dr.Sc. Bashkim Nurboja Chairman of the Board of the Central Bank of the Republic of Kosovo