MiCA CASP License in Estonia

Why Choose Estonia for Crypto Licensing?

Estonia is the right choice for operators who want a credible single EU base, a digital-government infrastructure built around remote administration, and a tax regime that defers corporate income tax until profits are distributed. It is not the right choice for businesses unwilling to maintain genuine Estonian substance, because Finantsinspektsioon is openly selective in 2026.

From Quantity to Quality

Estonia was the first EU member state to license virtual-currency businesses. Between 2017 and 2019, the Financial Intelligence Unit issued operating licences to more than 1,300 enterprises.^[1] A succession of reforms tightened the regime, the Financial Intelligence Unit revoked 1,808 authorisations in 2020 alone, and by mid-2024 fewer than 60 active legacy holders remained.^[2] In practice, the Estonia of 2026 is the regulator’s deliberate reset: Finantsinspektsioon as the sole licensing authority, the Krüptovaraturu seadus as the sole statute, and MiCA Crypto-Asset Service Provider authorisation as the sole forward-facing licence.

Full MiCA Passporting from a Small Base

A Finantsinspektsioon CASP authorisation confers the full MiCA passport. Under Article 65 of MiCA, a notification to the home regulator triggers a 10-working-day transmission to host competent authorities, and the CASP may begin cross-border services 15 calendar days after notification.^[3] The passport reaches all 27 EU member states and the three EEA states (Iceland, Liechtenstein, Norway). Unlike Germany, where the realistic CASP authorisation timeline is currently 12 to 24 months,^[4] Estonia’s statutory window is approximately 65 working days plus a 20-working-day pause for additional information requests: a faster on-paper process from a smaller regulator.

English-Administrable, Digital-Native Government

Finantsinspektsioon accepts English documents on request, the e-Business Register operates in English, and the Estonian e-Residency programme allows non-resident founders to sign documents and authenticate to regulator portals digitally. From 18 March 2026, all CASP and Asset-Referenced Token applications must be filed through the FSA’s online application portal; paper filings are no longer accepted.^[5] The combination matters operationally: a Lithuanian or Maltese application will involve translation costs and physical filings that an Estonian application avoids.

The Distributed-Profits Tax Model

Estonia taxes corporate profits only on distribution. As of January 2026, the rate is 22/78 of net dividend (the planned 24/76 increase was abolished by the Riigikogu in December 2025).^[6] For a growth-stage CASP that reinvests, the effective tax burden on retained earnings is zero. Unlike Ireland, where corporate income tax is 12.5% on trading profits regardless of distribution, Estonia’s model allows capital to compound inside the company before any tax leakage. This is a real, quantifiable advantage for businesses building toward institutional scale.

The Honest Caveat

What this guide does not pretend is that the legacy era left no marks. Banks across the EU and US continue to apply elevated counterparty due diligence to Estonian-licensed crypto firms, and Finantsinspektsioon has publicly signalled that late-2025 and early-2026 applicants are unlikely to obtain a decision before the 1 July 2026 transition deadline.^[7] The right answer is to engage the regulator early, build genuine substance, and treat banking as a parallel workstream from day one.

Regulatory Framework

The single regulator is Finantsinspektsioon. The single statute is the Krüptovaraturu seadus, which implements MiCA, the EU Transfer of Funds Regulation, and the Digital Operational Resilience Act in one Estonian act. The Rahapesu Andmebüroo, the Financial Intelligence Unit, retains only its AML/financial-sanctions supervisory role.

Regulatory History

The Estonian licensing journey from headline-grabbing volume to deliberate selectivity is the context every buyer should understand before choosing Estonia in 2026. Estonia introduced virtual-currency service provider authorisation in the Money Laundering and Terrorist Financing Prevention Act in 2017. By 2019, the Financial Intelligence Unit had issued operating licences to more than 1,300 enterprises, and informal estimates put more than half of the world’s virtual-asset service providers in Estonia by mid-2021.^[1]

The reforms came in waves. A March 2020 amendment raised the application fee from €300 to €3,300, introduced fit-and-proper checks, and demanded Estonian payment-account arrangements. In 2020 alone the Financial Intelligence Unit revoked 1,808 authorisations.^[2] A March 2022 amendment raised paid-in capital to €100,000–€250,000 by service type, required independent audits, and implemented the FATF Travel Rule with no de minimis threshold.^[8] A further 389 authorisations expired or were revoked in the months that followed. By 1 May 2023, only 100 active virtual-asset service provider authorisations remained.^[9]

The Krüptovaraturu seadus entered into force on 1 July 2024, transferring licensing authority from the Financial Intelligence Unit to Finantsinspektsioon and folding three EU instruments into one Estonian statute.^[10] Estonia chose the maximum 18-month MiCA transitional period under Article 143(3). Legacy authorisations expire on 1 July 2026 in all cases.

Recent Regulatory Developments

• 16 May 2026. Finantsinspektsioon transition reminder. The Management Board confirmed that applicants who have not yet filed are unlikely to receive a decision before 1 July 2026, and that legacy holders without a complete application by that date must cease entering new client contracts.^[7]
• 18 March 2026. FSA online application portal becomes mandatory. All CASP and Asset-Referenced Token applications now filed exclusively through the regulator’s portal; paper filings no longer accepted.^[5]
• 18 February 2026. ESMA Q&A on MiCA Article 67. The Q&A clarified that “fixed overheads” must be calculated from total overhead expenses (both fixed and variable), with only the deductions in Article 67(3)(a)–(d) permitted.^[11] This narrows the calculation base for the higher-of own-funds test.
• 16 January 2026. Kerstin Pilt appointed Chair of Finantsinspektsioon. The new Chair publicly identified “greater clarity and substantive dialogue with the sector” as a 2026 priority.^[12]
• 1 July 2025. VAT rate increased to 24%. The standard rate moved from 22% to 24%, affecting taxable crypto-asset services such as custody and technical wallet services. Exchange of crypto for fiat remains exempt per the CJEU’s Hedqvist judgment.^[6]
• 17 January 2025. DORA fully applicable. The Digital Operational Resilience Act now applies to all Estonian CASPs, with ICT incident-reporting and third-party register obligations live.^[13]
• 30 December 2024. MiCA Titles V–VII applicable. The CASP provisions of MiCA entered into application across the EU, marking the start of the Estonian transitional clock.^[14]

Regulatory Overlap

Several EU and Estonian regimes intersect with the MiCA CASP authorisation and must be assessed in parallel:

• EU Transfer of Funds Regulation (Regulation 2023/1113). The EU travel rule for crypto-asset transfers; applicable from 30 December 2024. Practical consequence: no de minimis threshold; originator and beneficiary information must accompany every CASP-to-CASP transfer.^[14]
• Digital Operational Resilience Act. Applies to all CASPs from 17 January 2025. Practical consequence: ICT third-party register, incident classification, and threat-led penetration testing for significant CASPs are baseline obligations.^[13]
• PSD2 and the Electronic Money Directive. The European Banking Authority’s 10 June 2025 opinion confirmed that custody and transfer of E-Money Tokens remain payment services, meaning a parallel payment-institution or e-money-institution authorisation is required where those services are provided.^[15] Capital floors do not net across regimes.
• Estonian Money Laundering and Terrorist Financing Prevention Act (RahaPTS). Continues to apply to CASPs as obliged entities. Practical consequence: independent annual AML audit and suspicious-activity reporting to the Financial Intelligence Unit remain standing obligations under Finantsinspektsioon supervision.^[8]

Regulatory Transition: FIU VASP Regime to Finantsinspektsioon MiCA CASP Regime

The Old Regime

The Financial Intelligence Unit issued virtual-currency service provider authorisations under the Money Laundering and Terrorist Financing Prevention Act from 2017. Capital floors after the March 2022 reforms were €100,000–€250,000 by service type. The Financial Intelligence Unit closed the regime to new applicants when the Krüptovaraturu seadus entered into force on 1 July 2024. As of mid-2024 approximately 50 authorisations remained active.^[10]

The New Regime

Finantsinspektsioon began accepting MiCA CASP applications under the Krüptovaraturu seadus from 1 July 2024. The MiCA provisions on CASPs entered into application EU-wide on 30 December 2024. Capital floors are €50,000 / €125,000 / €150,000 by service class under MiCA Annex IV. There is no simplified-authorisation regime under MiCA Article 143(6): legacy holders must apply for full CASP authorisation.

Grandfathering and Transitional Provisions

Under Krüptovaraturu seadus § 48(4), every legacy virtual-asset service provider must bring its activities into compliance with the act (meaning, in practice, obtain a Finantsinspektsioon CASP authorisation) by 1 July 2026.^[16] A holder that has filed a complete application before that date but has not received a decision may continue existing operations but may not enter into new client contracts from 1 July 2026 until a decision is issued. Estonia chose the maximum 18-month transitional window available under MiCA Article 143(3).^[17]

Conversion Mechanism

There is no automatic conversion. A legacy holder must submit a full MiCA CASP application package under the same rules that apply to new applicants. The application is filed through the Finantsinspektsioon online portal (mandatory from 18 March 2026), the EBA RTS Annex VI form is used, and the €3,000 processing fee applies. Prior FIU authorisation history is part of the fit-and-proper record but does not shortcut the substantive review.

Key Deadlines

Practical Implications

For legacy holders, the operative question in May 2026 is whether a complete application can be filed in time to be in the regulator’s queue before 1 July. For new applicants who have not yet engaged, the realistic timeline points past the deadline. The common mistake is treating the no-new-contracts grandfathering as a soft landing: it is operationally untenable for any growth-stage business that depends on client acquisition. The right course is either an immediate filing with documented urgency or an orderly wind-down with client notification, custody return, and a documented exit register.

License Types and Activities Covered

Finantsinspektsioon issues a single MiCA Crypto-Asset Service Provider authorisation that is modular by service. The applicant chooses which of the ten MiCA Article 3(1)(16) services to provide, and the authorisation is granted for that bundle. Asset-Referenced Token issuance requires a separate authorisation; E-Money Token issuance requires a credit-institution or e-money-institution licence.

Covered Activities

The ten MiCA-regulated crypto-asset services are:

• Custody and administration of crypto-assets on behalf of clients. Holding client keys and crypto-assets in segregated arrangements. Applies to wallet providers, exchanges with custodial accounts, prime brokers.
• Operation of a trading platform for crypto-assets. Bringing together multiple third-party buying and selling interests within the system. Applies to spot exchanges and order-book venues.
• Exchange of crypto-assets for funds. Fiat-to-crypto and crypto-to-fiat conversion. Applies to on-ramps and off-ramps.
• Exchange of crypto-assets for other crypto-assets. Crypto-to-crypto conversion. Applies to swap services and DEX aggregators with custodial features.
• Execution of orders for crypto-assets on behalf of clients. Acting in a fiduciary capacity to execute client orders. Applies to brokerage desks.
• Placing of crypto-assets. Marketing of new crypto-assets to purchasers. Applies to launchpads and token-sale infrastructure providers.
• Reception and transmission of orders for crypto-assets on behalf of clients. Receiving client orders and transmitting them to a third party for execution. Applies to introducing brokers.
• Providing advice on crypto-assets. Personal recommendations to clients on crypto-asset transactions. Applies to investment advisers extending into crypto.
• Providing portfolio management on crypto-assets. Discretionary management of crypto-asset portfolios. Applies to asset managers.
• Providing transfer services for crypto-assets on behalf of clients. Moving crypto-assets from one address to another on behalf of a client. Applies to transfer-only operators.

What Does NOT Require CASP Authorisation

• Pure-peer-to-peer transfers between self-hosted wallets. No intermediary is acting on behalf of clients.
• Non-custodial software providers. Pure code that the user runs without the provider holding keys, taking custody, or executing orders.
• DAO governance participation in itself. Where there is no service provided on behalf of clients in a commercial capacity. The European Banking Authority and ESMA Joint Committee guidance distinguishes service provision from infrastructure.
• Bitcoin mining and validator operations. Pure validation activity falls outside MiCA’s CASP perimeter.
• NFTs that are genuinely unique and not fungible. MiCA explicitly excludes unique non-fungible crypto-assets from its scope (subject to the European Commission’s pending review of the boundary).

Adjacent Authorisations

A MiCA CASP authorisation does not confer the right to provide MiFID II investment services on financial instruments, payment services under PSD2, or e-money issuance under EMD2. Where the business model crosses these boundaries (most often, custody or transfer of E-Money Tokens, which the EBA’s 10 June 2025 opinion confirmed remain payment services), a parallel authorisation is required.^[15] Capital floors do not net: MiCA Class 2 (€125,000) and PSD2 initial capital both apply.

For credit institutions, investment firms, e-money institutions, UCITS management companies, and Alternative Investment Fund Managers, the MiCA Article 60 notification route allows entry into specific crypto-asset services without a full CASP application. As of May 2026, two Estonian intermediaries have used this route: the credit-institution channel and the investment-firm channel respectively.^[18][19] The route is not available to non-EU firms or unauthorised applicants.

Tokenised securities and RWA

MiCA Article 2(4) excludes crypto-assets that qualify as financial instruments, so a tokenised security (a tokenised share, bond, or fund unit) is regulated not under MiCA but under MiFID II, the Prospectus Regulation, and the EU DLT Pilot Regime (Regulation (EU) 2022/858), supervised in Estonia by Finantsinspektsioon. ESMA’s Guidelines on the qualification of crypto-assets as financial instruments set the security-versus-crypto boundary. The honest consequence: an Estonian MiCA CASP authorisation does not permit issuing or trading tokenised securities, which follow the MiFID securities regime instead. Where the model wraps tokenised fund units rather than instruments, the route runs through fund licensing under the underlying fund regime.

Reverse Solicitation

A non-EEA crypto-asset service provider may serve an Estonian client only where the client has initiated the service entirely on its own initiative. The exemption is narrow. Any form of EU-targeted marketing, EU-language website content, geo-targeted advertising, app-store availability, or use of EU-based influencers voids the exemption under ESMA’s February 2025 guidelines. Operators seeking systematic EEA market access cannot rely on reverse solicitation and must obtain a CASP authorisation in an EU member state. See the dedicated reverse solicitation under MiCA guide for the third-country compliance pattern.

Requirements

Two requirements determine whether an Estonian CASP application succeeds: paid-in capital genuinely deposited and segregated at an EEA institution before filing, and an Estonian operational substance the regulator can audit. Everything else, including governance, fit-and-proper, AML/CFT and DORA, is exacting but conventional. The first two are where applications most often fail.

Requirements Table

Fit-and-Proper Assessment

Finantsinspektsioon conducts a substantive fit-and-proper review of every management-body member, key function holder, and qualifying shareholder (10% or more). The dimensions assessed are knowledge and experience appropriate to the role, good repute, sufficient time commitment, financial probity, and the absence of any prior regulatory sanction or involvement in failed regulated entities. Documents required include CVs, criminal-record extracts, professional history, conflict-of-interest declarations, and the Finantsinspektsioon Sobivusmenetlus questionnaire completed for each person. In practice, the regulator looks closely at how the team’s combined experience maps to the specific services the CASP intends to provide; a portfolio-management licence applied for by a team with no asset-management experience will not pass.

Local Presence and Substance

The registered office requirement is structural, not formal. Finantsinspektsioon expects the registered Estonian address to be where part of the services are actually performed, supported by key function holders reachable in Estonia and operational records maintained in the country. The regulator inherited a strong scepticism of mailbox structures from the 2022 RahaPTS reforms, and post-authorisation supervision tests substance directly. The real constraint is not statutory minimum staff numbers (there are none); it is the operational ability to evidence that the AML/CFT Officer, Compliance Officer, and ICT Risk Officer are present, contactable, and exercising their functions from Estonia.

AML/CFT and Travel Rule

The Money Laundering and Terrorist Financing Prevention Act (RahaPTS) continues to apply to CASPs as obliged entities under Finantsinspektsioon supervision, with the Financial Intelligence Unit retaining its AML/CFT and financial-sanctions supervisory role. The EU Transfer of Funds Regulation (Regulation 2023/1113) applies from 30 December 2024 with no de minimis threshold; originator and beneficiary information must accompany every CASP-to-CASP transfer.^[14] Customer due diligence follows the EBA Guidelines on ML/TF risk factors (EBA/GL/2021/02), with enhanced due diligence triggered by high-risk jurisdictions, politically exposed persons, complex ownership structures, and transactions through privacy-enhancing technologies. Suspicious activity reports are filed to the Financial Intelligence Unit via the goAML system.

Application Process

The Finantsinspektsioon CASP authorisation process runs approximately 65 working days from completeness confirmation, plus up to 20 working days for additional-information pauses. Real-world timelines from engagement to authorisation run 6 to 12 months on the regulator’s own published expectation, with the long tail driven by documentation depth, fit-and-proper assessments, and ICT framework substantiation.

Application language: Estonian. English documents accepted on a document-by-document basis with prior notification in the application itself.

Pre-application engagement: Finantsinspektsioon operates a public Innovation Hub and runs Estonian-language briefing sessions for crypto-asset applicants (infopäev). Bilateral pre-application meetings are available on request; the regulator’s expectation is that applicants come with a near-complete programme of operations and substantive draft documentation before engaging.

Jagelski & Partners’ specialist compliance partners draft Estonia-specific AML/CFT policy manuals, enterprise-wide risk assessments, DORA ICT frameworks, and Travel Rule implementation procedures as part of the MiCA CASP licensing engagement. The compliance documentation is the most time-intensive component of any Estonian CASP application: 8 to 16 weeks of specialist work that cannot be shortcut with generic templates. Book a Licensing Assessment →

Required Documents

The application package follows the EBA Regulatory Technical Standards Annex VI for CASPs. Finantsinspektsioon’s public guidance lists the documentation expectations in detail.^[20] The package spans corporate documents, personal documents for all assessed persons, a programme of operations, the bespoke compliance documentation, and the technology and operational resilience framework.

Corporate Documents

Articles of association of the Estonian OÜ or AS, certificate of incorporation from the e-Business Register, register extract showing share capital paid in, ownership chart down to ultimate beneficial owners, group structure where applicable, audited financial statements of the parent group where applicable, and bank statement evidencing the deposit of capital.

Personal Documents (All Directors, Officers, UBOs, Qualifying Shareholders)

Identity documents, criminal-record extracts from every country of residence in the past 10 years, CVs covering the full career history, professional references, declarations of any prior regulatory sanction, financial-probity declarations, conflict-of-interest declarations, and a completed Finantsinspektsioon Sobivusmenetlus questionnaire for each individual.

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Estonian CASP application. Jagelski & Partners’ specialist compliance partners draft each of these documents as part of the licensing engagement, bespoke and Estonia-specific, not templates adapted from other jurisdictions. Each document must reflect the applicant’s specific business model, risk profile, and operational structure.

Business Plan and Financial Projections

Three-year financial projections (base, downside, upside), revenue model by service, cost structure, capital adequacy projection against the MiCA Article 67 higher-of test, treasury and liquidity plan, and a wind-down plan demonstrating how clients would be made whole under an orderly exit.

Technology and Operational Documentation

Network and architecture diagrams, custody and key-management architecture, cybersecurity policy and information-security management system documentation, business continuity and disaster recovery plans, ICT third-party register, and incident-management playbooks. The level of detail expected on the ICT side has stepped up materially since DORA’s 17 January 2025 applicability date.

Costs and Pricing

The Finantsinspektsioon CASP application fee is €3,000. Total Year 1 cost for an Estonian CASP authorisation, excluding the paid-in capital itself, typically ranges from €80,000 to €220,000, with the spread driven by service class, ICT framework complexity, and the depth of fit-and-proper work required for the management team and qualifying shareholders.^[20]

Government / Finantsinspektsioon Fees

The annual supervisory fee percentage is set annually by regulation of the Minister of Finance after Finantsinspektsioon supervisory-board approval. The 2026 figure is published on the FSA “Regulatory fees and charges” page.

Total Cost Summary

For supervision-fee-based regimes such as Estonia’s, the CASP authorisation is granted for an indefinite period. There is no renewal fee. The supervisory fee combines a capital component and an assets-based component, the latter scaling with the operational footprint of the CASP.

The compliance documentation row is a separate line item, not bundled into legal advisory. Documentation depth is the operational reality: the AML/CFT manual, enterprise-wide risk assessment, Travel Rule procedures, sanctions framework, and DORA ICT documentation cannot be shortcut.

Timeline

The shortest realistic Estonian CASP timeline from engagement to authorisation is approximately 6 months for a well-prepared single-service applicant. The longest, for a multi-service or trading-platform applicant building team and ICT framework in parallel, can run to 12 months. The regulator’s own communications confirm this range as the standard expectation.^[7]

In practice, what affects speed is documentation quality at first submission. The Finantsinspektsioon statutory clock pauses on every additional-information request, and a thin AML/CFT manual or an under-specified ICT framework triggers them. The common mistake is treating the 25-working-day completeness check as a soft window. It is a substantive review of completeness, not a procedural one, and a deficiency notice resets the diligence cycle.

Taxation

Estonia is a distributed-profits jurisdiction. Corporate tax is 0% on retained profits and 22/78 of net dividend on distribution as of 2026.^[6] For a CASP that reinvests, the effective income-tax burden is zero; for a CASP that distributes, the rate is competitive within the EU. Value-added tax on taxable services is 24%.

Crypto-Asset Tax Treatment

Per the Estonian Tax and Customs Board, crypto-assets acquired through a MiCA-authorised provider are treated as financial assets for personal income-tax purposes (Income Tax Act § 171(2) clause 10, effective 1 January 2025) and may be held in the investment-account system for tax deferral.^[21] Gains realised outside a MiCA-authorised provider are treated as transfer of property. For corporate holders, crypto-assets are classified as property under Estonian accounting standards, or, when held for sale in the ordinary course of business, as inventory under IFRS.

DAC8 / CARF Reporting

The EU DAC8 directive applies to crypto-asset service providers from 1 January 2026, with the first reporting cycle covering 2026 data and due in 2027. The Estonian Tax and Customs Board (Maksu- ja Tolliamet, EMTA) administers the obligation. Practical consequence: every Estonian CASP must capture and report reportable user information and reportable transactions from 1 January 2026 onward.

Pillar Two (Global Minimum Tax)

Estonia transposed the EU Pillar Two Directive with effect for fiscal years starting 31 December 2024. The 15% global minimum top-up tax applies to multinational groups with consolidated revenue exceeding €750 million in at least two of the four preceding fiscal years, a threshold unlikely to affect standalone Estonian-domiciled CASPs in their growth phase. Operators that form part of a larger international group should model the Pillar Two interaction with the Estonian distributed-profits model in advance of any in-scope status change.

Ongoing Compliance & Post-Registration

A Finantsinspektsioon CASP authorisation is granted for an indefinite period. Ongoing compliance is not an annual renewal event; it is a continuous supervisory relationship governed by quarterly and annual reporting, material-change notifications, independent AML/CFT audit, annual statutory audit, and ICT third-party register maintenance under DORA.

Annual Reporting Obligations

Audited financial statements filed with Finantsinspektsioon and the Estonian Commercial Register under the Accounting Act. Quarterly and annual supervisory reports per Krüptovaraturu seadus § 25 and the MiCA Regulatory Technical Standards, due within 20 days of period-end for most quantitative templates. Annual AML/CFT independent audit report submitted to Finantsinspektsioon. Annual DORA ICT third-party register update and intra-year updates for material changes.

Supervision Fees

A capital component plus an assets-based component, the latter set annually by Ministry of Finance regulation after Finantsinspektsioon supervisory-board budget approval. Recurring operational costs scale with the CASP’s size: Tallinn office rent (€1,000–€2,500 per month for a credible operational footprint), statutory audit (€10,000–€30,000 annually), AML/CFT independent audit (€8,000–€20,000 annually), key function holders (€50,000–€120,000 annually as in-house or outsourced retainers).

Regulatory Inspections

Finantsinspektsioon conducts both scheduled and unannounced on-site inspections under its general supervisory powers. Thematic reviews in 2025–2026 have focused on AML/CFT effectiveness, Travel Rule implementation, and DORA ICT incident reporting. The Finantsinspektsioon Innovation Hub and supervisory dialogue framework allow proactive engagement; experienced applicants treat the regulator as a counterparty to be kept informed, not a body to be avoided between annual filings.

Enforcement

Under the Krüptovaraturu seadus and MiCA Article 111, Finantsinspektsioon may impose administrative fines on legal persons of up to the higher of €5 million or 3% of total annual turnover for most CASP infringements, rising to the higher of €15 million or 15% of turnover for market-abuse infringements under MiCA Title VI. Natural-person fines reach €700,000 for general infringements and €5 million for market abuse. Authorisation withdrawal grounds include failure to commence operations within 12 months, sustained AML/CFT or DORA breach, false information in the application, and loss of fit-and-proper status.

Marketing Communications Rules

MiCA Articles 6–7 and 28–29 require marketing communications to be fair, clear, and not misleading, and to be consistent with the relevant white paper where applicable. Marketing of E-Money Tokens requires the underlying issuer to hold the appropriate credit-institution or e-money-institution licence under Article 51. Cross-border marketing into another EEA state follows the passport notification.

ICT Risk Management & Operational Resilience

The Digital Operational Resilience Act (DORA) applies to all Estonian CASPs from 17 January 2025.^[13] DORA is not a layer on top of MiCA; it is a parallel direct-effect regulation supervised by Finantsinspektsioon. Compliance is documented through an ICT risk framework, an incident-management workflow, a third-party register, and resilience testing.

Applicable Regulation

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), applicable to CASPs from 17 January 2025, supplemented by the joint EBA/ESMA/EIOPA Regulatory Technical Standards and ITS on ICT risk management, incident classification and reporting, and the third-party register.

ICT Risk Management Framework

DORA Articles 5–14 require a documented ICT risk management framework proportionate to size and complexity, with the management body bearing ultimate responsibility under Article 5. The framework must cover ICT-risk identification, classification, mitigation, monitoring, response, and learning. Estonian CASPs should expect Finantsinspektsioon to test alignment between the policy framework and operational reality during supervisory engagement.

Incident Reporting

Major ICT-related incidents must be classified and reported to Finantsinspektsioon under DORA Articles 17–23, with initial, intermediate, and final reports per the joint RTS and ITS timelines. The Finantsinspektsioon reporting channel mirrors the structure used for other supervised entities.

Testing and Resilience

Information security testing, vulnerability assessment, and business continuity testing are required at frequencies proportionate to the CASP’s significance. Significant CASPs designated under DORA Articles 26–27 face threat-led penetration testing on a three-year cycle, conducted by accredited testers and overseen by Finantsinspektsioon.

Wallet Management

Wallet management is the CASP-specific operational-resilience concern. The MiCA Article 75 standards on custody (segregated wallets, register of positions per client, daily reconciliation) intersect with DORA’s ICT third-party requirements where wallet infrastructure is outsourced. Hot-cold segregation, multi-signature thresholds, key-ceremony protocols, and disaster-recovery key reconstitution are baseline expectations.

Third-Party ICT Risk

Article 28(3) requires a maintained register of all ICT third-party service-provider arrangements at entity, sub-consolidated, and consolidated levels, with annual reporting to Finantsinspektsioon. Critical ICT third-party service providers designated under the DORA pan-EU oversight framework face direct EBA-led oversight. CASP outsourcing contracts must include audit rights, sub-outsourcing controls, exit plans, and DORA-aligned termination triggers.

Banking

Banking access for Estonian CASPs in 2026 is workable but selective. A Finantsinspektsioon authorisation opens the conversation with credit institutions and EMIs but does not guarantee approval. Banks evaluate asset mix, expected monthly volume, capital and runway, and AML/CFT control quality. A multi-institution architecture is the only resilient design.

The Estonian Banking Landscape

Estonia’s banking market is dominated by four institutions supervised under the ECB Single Supervisory Mechanism as significant institutions, supplemented by branches of Nordic and pan-Baltic groups and a smaller pool of Estonian-licensed e-money institutions. Among the four significant institutions, one is consistently the most pragmatic counterparty for regulated crypto-asset businesses; the others typically restrict crypto-related accounts to specific risk-classified institutional clients or decline the segment entirely. The legacy of the 2017–2022 FIU virtual-asset service provider era continues to drive elevated counterparty due diligence across EU banks and US correspondents, regardless of the new MiCA architecture.

Practical Architecture

A resilient banking design for an Estonian CASP combines an operating account at an Estonian or EEA-passporting credit institution, a client-money safeguarding account at a credit institution where the regulator requires bank-level segregation, an EMI for SEPA redundancy and operational agility, and a specialist EEA acquirer for card on-ramps where applicable. The real constraint is concentration risk: a single-bank architecture cannot survive a de-banking event, and CASPs that have lost their primary bank without a fallback have routinely failed within months.

What Determines Bank Approval

In practice, four variables determine the answer:

• Asset mix. Bitcoin and major stablecoins are routinely onboardable. Privacy coins and mixer-adjacent business models are routinely declined.
• Monthly volume. €5 million to €50 million is the operational sweet spot for the institutions that engage; below that range pricing efficiency fails, above it counterparty concentration becomes a regulatory concern for the bank itself.
• Capital and runway. Banks ask for evidence of 18–24 months of operating capital in addition to the segregated MiCA prudential capital. Founders treating capital as a paid-in formality fail this test.
• AML/CFT control evidence. Banks frequently request the AML/CFT policy suite, sanctions framework, and Travel Rule documentation as part of their own enhanced due diligence. The documentation built for the regulator doubles as the banking pack.

Jagelski & Partners’ Banking Service

Jagelski & Partners’ banking partner network spans more than 90 credit institutions and EMIs across the EEA, the UK, Switzerland, and select offshore jurisdictions. Through that network, businesses placed more than fourteen billion euros in client turnover across banking and EMI relationships in 2025. Jagelski & Partners is paid by the institution, not by the client. We do not mark up institutional banking or EMI pricing. We do not charge an onboarding fee.

FATF Status & International Standing

Estonia is not a FATF member; its AML/CFT framework is assessed via MONEYVAL, the Council of Europe’s FATF-style regional body (FSRB). The country is not subject to any FATF grey-listing or black-listing as of May 2026. The Estonian Financial Intelligence Unit’s 2024 Yearbook rates the national money-laundering and terrorism-financing risk as medium.^[22]

MONEYVAL and FATF Standing

Estonia underwent its most recent MONEYVAL mutual evaluation in 2022, with follow-up reporting completed in 2024. The country is rated as substantially or largely compliant on the majority of FATF Recommendations, with technical compliance progress documented through the standard MONEYVAL follow-up cycle. The 2024 Financial Intelligence Unit Yearbook confirms that the national money-laundering and terrorism-financing risk in Estonia remains medium overall, and that the virtual-asset sector (though significantly reduced in active operator count) continues to receive enhanced supervisory attention.^[22]

MiCA Passporting and EU Market Access

A Finantsinspektsioon MiCA CASP authorisation confers the full MiCA passport across all 27 EU member states and the three EEA states. The mechanism is the Article 65 notification: Finantsinspektsioon transmits the notification to the host competent authority within 10 working days, and cross-border services may begin 15 calendar days after notification. A branch establishment requires additional information on branch management and outsourcing; a pure freedom-of-services notification requires only the standard package. The passport does not extend to Switzerland or the United Kingdom, both of which operate independent crypto-asset regimes. There is no separate national licence required in any EEA state once Estonian authorisation is granted.

Advantages and Limitations

Estonia’s advantages cluster around tax efficiency, digital administration, and EU passport reach. Its limitations cluster around substance enforcement, reputation legacy, and banking constraints. The trade-off is favourable for operators committed to building a real Tallinn presence and unfavourable for operators looking for a low-substance EU back door.

• ✓ Full MiCA passport from a single Tallinn authorisation. Cross-border services to 30 EEA states via Article 65 notification, 15 calendar days from notification to operation.
• ✓ 0% corporate tax on retained profits. Distributed-profits model defers all corporate income tax until dividend payment; 22/78 of net dividend on distribution as of 2026.
• ✓ English-administrable filings. Finantsinspektsioon accepts English documents on request; e-Business Register operates in English.
• ✓ Digital government infrastructure. e-Residency, X-Road, and digital signatures support remote founder administration; mandatory FSA online portal from 18 March 2026.
• ✓ Modular CASP authorisation. Applicant selects from ten MiCA services; capital and supervisory burden scale to the bundle chosen.
• ✓ Pragmatic regulator posture. The 2026 Chair has publicly prioritised substantive dialogue with the sector; the Innovation Hub allows pre-application engagement.
• × Reputation legacy from the FIU era. The 2017–2022 virtual-asset service provider history continues to drive elevated counterparty due diligence by EU banks and US correspondents. Mitigation: build a multi-institution banking architecture from the start, plan the AML/CFT and ICT documentation to double as the banking pack, and treat counterparty diligence as a workstream from day one.
• × Selective regulator with low decision velocity. Finantsinspektsioon has signalled that late-2025 and early-2026 applicants are unlikely to obtain a decision before 1 July 2026. Mitigation: file as early as possible with a near-complete documentation set, engage the Innovation Hub pre-application, and budget for a 9–12 month timeline.
• × Real substance requirement. The regulator inherited a strong scepticism of mailbox structures from the 2022 RahaPTS reforms. Mitigation: place at least the AML/CFT, Compliance, and ICT Risk function holders in Estonia, secure a credible operational office (not virtual), and maintain books and records in country.
• × Banking onboarding is selective. A licence opens the conversation but does not guarantee approval; concentration risk is real. Mitigation: secure relationships at four to six institutions across operating, safeguarding, EMI, and acquiring layers before authorisation.
• × Documentation depth. The compliance and ICT documentation that Finantsinspektsioon expects has stepped up significantly post-DORA. Mitigation: budget 8 to 16 weeks of specialist drafting work, do not template from other jurisdictions, and reference Estonian legislation by name throughout the policy suite.

How Estonia Compares

Estonia’s natural peers under MiCA are Lithuania, Latvia, and the Czech Republic, the three Baltic and CEE jurisdictions competing on cost-efficient EU passporting. Malta is the established-centre upgrade for operators willing to spend more for institutional weight. The comparison shows Estonia as the most digitally-administered and tax-efficient of the cost-leader cluster.

Compare every crypto jurisdiction side by side →

Lithuania’s Bank of Lithuania is the most selective of the Baltic regulators: of the 102 CASP applications submitted by 55 companies through 2025, only three licences had been granted by January 2026.^[23] The headline cost in Lithuania is lower than the all-in cost once rejection risk and rework are factored in. Estonia’s selectivity is real but the rejection rate is not yet at the Lithuanian level.

Czech Republic and Latvia offer credible alternatives at different price points: Czech Republic with a stable, slower-paced regulator and a flat corporate tax; Latvia with an Estonian-style distributed-profits model and the lowest absolute cost in the cluster. For operators willing to step up to an established crypto centre, Malta offers an institutional reputation and a maturing MiCA regime, at materially higher cost and timeline. Estonia sits at the centre of the cost-leader cluster on most dimensions, with the strongest tax model and the most digitally-administered process.

When Estonia Is the Right Choice

Choose Estonia if you...

• Want a single EU base with full MiCA passporting and the strongest distributed-profits tax model in the cost-leader cluster
• Are willing to maintain real Estonian operational substance, including key function holders in country
• Value English-administrable filings, digital government infrastructure, and remote-friendly e-Residency administration
• Can build a multi-institution banking architecture from the start, not after authorisation

Consider alternatives if you...

• Need decision velocity faster than 9 months: Latvia typically runs 6–10 months and is the closest peer
• Want a larger domestic market or a more established crypto-finance centre: Malta is the established-centre upgrade
• Are focused on payment-adjacent flows and willing to accept Lithuania’s high rejection rate for its stronger payment-institution ecosystem: Lithuania
• Want demonstrated regulator throughput and the strongest EU personal-investor crypto tax regime, at a higher Year-1 budget: Czech Republic

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes in Estonia Applications

Finantsinspektsioon’s published guidance and 2026 transitional communications point to a consistent pattern of application weakness. The mistakes are documentary, not structural; and almost all of them are preventable by treating the regulator as a substantive counterparty from the first engagement rather than as a checklist body to be satisfied at the end.^[20]

• Treating capital as a paid-in formality. Applicants frequently deposit capital into the operating account rather than a segregated account, or fund it via founder loans and unpaid share capital. Finantsinspektsioon expects cash, deposited at an EEA institution, segregated from operations, and demonstrably available on an ongoing basis. Founder loans, group guarantees, and uncalled capital do not count.
• Templating the AML/CFT manual from another jurisdiction. A Lithuanian or Maltese AML manual adapted with a find-and-replace on the regulator name is the single most common cause of completeness-stage deficiency notices. The Estonian regime references the Money Laundering and Terrorist Financing Prevention Act (RahaPTS) by name, requires Travel Rule procedures with no de minimis threshold, and expects suspicious-activity reporting via the Financial Intelligence Unit’s goAML system.
• Under-specifying the ICT framework. Since DORA’s 17 January 2025 applicability date, Finantsinspektsioon expects an ICT risk-management framework, incident-classification protocol, and third-party register at authorisation, not in Year 2. Applications that treat ICT as a one-paragraph cybersecurity statement trigger material additional-information requests.
• Light fit-and-proper packages on qualifying shareholders. Applicants commonly under-document the qualifying shareholder layer (10% or more), expecting the regulator to treat shareholder review as a formality. In practice, Finantsinspektsioon assesses qualifying shareholders to the same depth as the management body, and ownership through complex SPV chains triggers source-of-funds investigation.
• Submitting before the team is in place. Filing with only one in-country function holder, or with key function holders engaged on a part-time outsourced basis without evidence of capacity, fails the substance test. Experienced applicants secure the AML/CFT Officer, Compliance Officer, and ICT Risk Officer in advance of submission, not in parallel with the regulator’s review.
• Relying on no-new-contracts grandfathering as a soft landing. Legacy FIU virtual-asset service providers that have not filed by mid-Q2 2026 face an operational dead end: from 1 July 2026 they may continue existing contracts but cannot enter new ones. For any growth-stage business this is untenable. The right course is an early filing with documented urgency or an orderly wind-down.

Frequently Asked Questions

References