Crypto License in Estonia

Between 2017 and early 2022, Estonia ran one of Europe’s most accessible VASP licensing regimes: just €12,000 in share capital, no fit-and-proper tests, and a simple FIU registry model. That attracted over 2,000 licensees — but also drew regulatory scrutiny. In March 2022, a major amendment to the Money Laundering and Terrorist Financing Prevention Act raised capital to €100,000–€250,000, introduced mandatory audits and fit-and-proper requirements, and imposed supervision fees. By September 2024, only ~45 licensed entities remained. The CMA, which took effect in July 2024, completed the overhaul by transferring supervisory authority from the FIU to the FSA and introducing full MiCA-aligned requirements across capital adequacy, governance, and ongoing obligations.

Existing VASP license holders have until 1 July 2026 to obtain a CASP authorization or wind down EU crypto operations. After that deadline, operating under a legacy VASP license is unlawful. The public register still shows legacy entries, but registration there no longer grants any right to provide crypto-asset services after the cutoff.

Under MiCA and the CMA, you need a crypto license in Estonia (CASP authorization) before providing any of the following services commercially:

Activities not on this list (such as mining, running a node without custody, or developing non-custodial software) do not require CASP authorization Estonia. If your business model sits at the boundary, the FSA accepts pre-application queries before you file a formal submission.

One CASP authorization covers all the activities above that you apply for. You do not need separate licenses per service type, but each activity you intend to provide must be declared in your application and reviewed individually against MiCA’s prudential and conduct requirements.

These costs are set by EU law (MiCA) and Estonian law and apply regardless of which service provider you use:

• €3,000 state fee — one-time processing fee paid to Finantsinspektsioon (the Estonian Financial Supervision and Resolution Authority) at the time of CASP application. Non-refundable if the application is withdrawn or rejected.
• Minimum capital under MiCA Annex IV — set at one of three tiers depending on the scope of services applied for:
  • €50,000 (Class 1) — advice, reception/transmission of orders, execution of orders, placing, transfer services, and portfolio management.
  • €125,000 (Class 2) — custody and administration of crypto-assets and exchange services (crypto-to-fiat or crypto-to-crypto), in addition to all Class 1 services.
  • €150,000 (Class 3) — operation of a trading platform, in addition to all Class 1 and Class 2 services.
• Prudential safeguards floor (ongoing) — at all times, a CASP must hold own funds equal to the higher of (a) the Annex IV minimum above or (b) one quarter of the prior year’s fixed overheads (¼ FOH). For fast-growing businesses, ¼ FOH typically overtakes Annex IV within the first one to two years — budget for this.
• Annual supervision fee — set annually by Finantsinspektsioon in accordance with the Financial Supervision Authority Act. The fee is calculated as the sum of a capital-based share and an asset-based share. Specific CASP rates are published by the FSA each year — contact us for the current applicable rate based on your projected balance sheet.

Plan your first-year outlay around: state fee (€3,000) + Annex IV capital (€50k–€150k, kept on the balance sheet) + ongoing operating costs (registered office in Estonia, MLRO/AML officer, external audit, DORA/ICT compliance) + first-year supervision fee + professional service fees. Contact us for a tailored cost projection.

Six instruments govern crypto businesses operating in or from Estonia. The table below maps each law to the activity it covers and its current status.

Estonian VCSPs licensed by the FIU under the MLTFPA before 30 December 2024 may continue providing services under transitional provisions until 1 July 2026, or until the FSA grants or refuses their CASP authorisation, whichever is sooner. If a complete CASP application is filed before 1 July 2026 and remains under FSA review past that date, the VCSP’s activities are not deemed unauthorised — but new client contracts may not be concluded after 1 July 2026 until the decision is made. New applicants after 30 December 2024 must apply directly under MiCA.

Estonia’s current regulatory stringency is a direct response to a licensing crisis that peaked in 2020.

Between 2017 and 2019, the application process was straightforward, fees were low, and physical presence was not strictly enforced. The result: over 1,300 virtual currency service provider licenses were issued (per the FIU’s own 2020 sectoral survey), the vast majority to shell or nominee companies with no genuine business operations in Estonia.

The consequences were severe. Estonian-registered entities appeared in financial crime investigations across multiple jurisdictions. International AML standard-setters — most notably the FATF, whose June 2019 updated guidance for a risk-based approach to virtual assets and VASPs explicitly required jurisdictions to license or register VASPs and apply full AML/CFT measures — increased global scrutiny of lightly regulated VASP jurisdictions. The Council of Europe’s MONEYVAL later confirmed the diagnosis in its 2022 5th-round Mutual Evaluation Report on Estonia. Separately, the Danske Bank scandal (roughly €200 billion in suspicious flows through its Tallinn branch between 2007 and 2015) had already made Estonia’s AML reputation a political liability.

In March 2020, the MLTFPA was amended to introduce substantive fit-and-proper requirements: mandatory local management, minimum share capital of €12,000 (later raised), comprehensive AML/CFT policies, and proof of genuine economic activity in Estonia. The FIU then audited the existing VCSP register and revoked licenses that failed the new standards. Over 1,000 licenses were cancelled in 2020, reducing the registry from more than 1,300 entities at the end of 2019 to roughly 400 by the end of 2020.

For applicants today, Estonia issues fewer licenses than it did in 2017–2019, but those it does issue carry genuine regulatory weight and EU passporting value under MiCA. A license granted after the 2020 reset, and especially one under MiCA from December 2024, signals to banks, partners, and counterparties that the operator has cleared a meaningful compliance bar.

Three Annex IV capital thresholds exist. Each threshold covers a specific set of crypto-asset services. Tiers are cumulative: Class 2 includes all Class 1 services; Class 3 includes all Class 1 and Class 2 services. If your business model spans more than one tier, you meet the highest threshold that applies to any of your intended services.

Capital can be held in two forms under MiCA Article 67(4): (a) own funds — primarily paid-up share capital and retained earnings, plus other Common Equity Tier 1 (CET1) items defined under CRR Articles 26–30. Loans, shareholder pledges, undrawn credit facilities, and intangibles do not count. (b) An insurance policy meeting MiCA Article 67(4)(b) requirements, covering specific risks (acts/errors/omissions, breach of legal obligations, conflicts of interest, business disruption, gross negligence in safeguarding client assets) across the EU territories where services are provided. Most CASPs use own funds; insurance-based capital is rare in practice but legally available. The FSA routinely requests bank statements and certified accounts to verify that the funds are genuinely available.

Estonia requires you to maintain the minimum capital continuously, not just at the time of application. The FSA can request updated financial statements at any time and cross-references annual filings against capital thresholds during routine supervision.

• Annual accounts filing — Estonian companies must file audited or unaudited accounts with the Business Register within six months of the financial year end. The FSA cross-references these against the capital threshold for your licence class.
• Capital erosion triggers a review — If losses reduce your net assets below the required threshold, you must notify the FSA promptly and submit a remediation plan. Operating below the threshold without disclosure is grounds for licence suspension.
• Capital increases for service expansion — Adding a new crypto-asset service category mid-licence requires a formal amendment application. You must demonstrate that capital meets the new, higher threshold before the FSA approves the expanded scope.
• FSA enforcement discretion — Estonia's framework gives the FSA broad supervisory discretion. The FSA typically issues a precept (a binding written order) with a remediation deadline before escalating to suspension or revocation. Operating below the threshold without disclosure significantly weakens any defence. Proactive disclosure and a credible top-up plan are the most reliable ways to avoid enforcement escalation.

We typically recommend that operators hold a buffer of 15–20% above the applicable threshold to absorb ordinary operating losses without triggering the disclosure obligations described above. If you are running lean, the FSA's scrutiny of your accounts will be heavier. They treat thin capitalisation as a risk indicator during routine supervision.

The FSA evaluates whether the people running your firm can control its risks.

• Management board (juhatus) — at least 2 members for every CASP, regardless of services. A sole director will not satisfy the FSA. At least one management board member must be an Estonian tax resident with effective presence in the country — this is a hard local-substance requirement; remote-only or nominee arrangements will not satisfy the FSA.
• Relevant experience — each management board member must demonstrate at least 2 years of verifiable experience in finance, law, IT, or a closely related field. CVs, employment records, and reference letters are required.
• Supervisory board (nõukogu) — required for any CASP providing custody and administration of crypto-assets (MiCA Article 75) or operation of a trading platform (MiCA Article 76). The supervisory board must have at least 3 members and is independent from the management board. CASPs that provide only Class 1 services (advice, transfers, execution, placing, portfolio management) are not required to have a supervisory board.
• Fit-and-proper tests — all board members, ultimate beneficial owners (UBOs), and key function holders undergo fit-and-proper screening. Criminal records, insolvency history, and prior regulatory sanctions are all checked. Any adverse finding requires a written explanation and may disqualify the individual.
• Internal auditor — an internal audit function must be established and documented. For smaller firms this can be a designated individual rather than a separate department, provided the role is operationally independent.
• External auditor — annual financial statements must be reviewed by a licensed external auditor. The auditor’s appointment should be confirmed before the application is submitted.

Estonia’s AML framework is among the most scrutinized in the EU. Requirements were progressively tightened by the FIU between 2020 and 2022, and the FSA inherited and now enforces this regime alongside MiCA-level controls. The FSA continues to update its AML guidelines and legislation. You must demonstrate a working compliance program before authorization is granted.

• Estonia-based AML officer — the MLRO must be physically based in Estonia. Remote-only arrangements are rejected. The MLRO must have documented AML/KYC training and cannot simultaneously serve as a board member in a conflicted role.
• KYC procedures — written customer due diligence (CDD) and enhanced due diligence (EDD) procedures must be included in the application.
• Risk-based approach (RBA) — a documented business-wide risk assessment covering customer types, geographies, products, and channels is mandatory.
• Travel Rule compliance — Estonia applies the FATF Travel Rule with no minimum threshold.
• Client asset segregation — client funds and crypto assets must be held separately from the firm’s own assets.
• Transaction monitoring — automated or manual systems for identifying suspicious activity must be in place.
• Record retention — KYC records, transaction data, and correspondence must be retained for at least 5 years.

The EU Digital Operational Resilience Act (DORA) applies to CASPs authorized under MiCA. Estonia-registered CASPs must comply with DORA from the date of authorization. The FSA assesses IT risk governance during the licensing review.

• ICT risk management framework — a written ICT risk management policy, reviewed and approved by the board.
• Incident reporting — major ICT incidents must be reported through a multi-stage process: initial notification within 4 hours, intermediate report within 72 hours, final report within one month.
• Penetration testing & vulnerability management — regular penetration tests of internet-facing systems are required.
• Third-party ICT risk — all critical technology vendors must be listed in an ICT third-party risk register.
• Business continuity & disaster recovery — documented BCP and DRP must cover crypto-specific scenarios.

You pay 0% corporate income tax on retained profits. There is no annual corporation tax filing on net income, no deferred tax liability, and no minimum tax on undistributed earnings. The tax event is the distribution itself.

When you distribute profits (as dividends or deemed dividends), the 22% rate applies under Estonia’s standard corporate income tax on distributions (raised from 20% to 22% on 1 January 2025; the planned increase to 24% in 2026 was cancelled by the Riigikogu in December 2025). Estonia calculates this on a 22/78 gross-up formula: if you want the shareholder to receive €78,000 net, the gross taxable distribution is €100,000 and you remit €22,000 to the Tax and Customs Board. The effective rate on the net amount paid out is approximately 28.2%, not 22%, a distinction that matters when modeling returns.

For founders and employees drawing salary, individual income tax is a flat 22%. The first €8,400 per year (2026 threshold; €700/month) is tax-free for all residents regardless of income level, following the abolition of the regressive “tax hump” from 1 January 2026. Social tax adds 33% on top of gross wages, paid by the employer. If you structure compensation through dividends rather than salary, you sidestep social tax entirely, though the Estonian Tax Authority scrutinizes arrangements where founders draw no market-rate salary.

Estonia does not levy any withholding tax on outbound dividends to any non-resident (corporate or individual) under domestic law — the only tax on a distribution is the 22/78 corporate income tax paid at company level. An extensive network of over 60 double taxation treaties provides additional protection against double taxation with non-EU jurisdictions.

Estonia applies the EU VAT Directive rules to crypto services. The standard VAT rate is 24% (raised from 20% to 22% in January 2024, then to 24% on 1 July 2025). However, not all crypto activities carry this burden.

Crypto exchange services (converting fiat to crypto or crypto to crypto) are VAT-exempt under the financial services exemption, consistent with the CJEU Hedqvist ruling (C-264/14) that EU courts have uniformly applied. You do not charge VAT on exchange transactions, and correspondingly you cannot reclaim input VAT on costs directly attributable to exempt services.

Wallet storage and custody services are taxable at the standard 24% rate. If your business model includes both exchange and custody, you need to apportion input VAT between taxable and exempt supplies. This affects how you recover VAT on office costs, software licences, and professional fees.

Companies with taxable turnover above €40,000 per year must register for VAT in Estonia. The registration threshold applies only to taxable supplies, so a pure exchange operator may not reach it. Mixed-model operators (combining taxable custody with exempt exchange services) typically do.

The supervision fee directly affects your P&L every year you hold the license.

The Estonian Financial Supervision and Resolution Authority (FSA) charges an annual supervision fee calculated as the sum of a capital-based share (a percentage of own funds) and an asset-based share (a percentage of assets), in accordance with the Financial Supervision Authority Act. The specific CASP rates are set annually by ministerial regulation based on the FSA’s budget. The percentages for supervised financial entities under the Act generally fall in the 0.005%–1% range. Budget conservatively until the annual rate applicable to your entity is published. This fee is separate from your licensing, compliance staffing, and AML software costs.

Under Estonia’s Money Laundering and Terrorist Financing Prevention Act, cash currency-exchange transactions over €32,000 with non-business-relationship clients, and any unusual transactions over €32,000 with no apparent lawful purpose, must be reported to the FIU within two working days. This is in addition to the general obligation to report suspicious transactions of any size. Failure to report is a compliance breach that can trigger supervisory action or license suspension.

Build both the supervision fee and the reporting infrastructure into your year-one budget. Operators who calculate only the one-time application cost routinely underestimate the total cost of holding an Estonian crypto license.

The table below consolidates the key rates and thresholds for quick reference.

Estonian banks operate under Finantsinspektsioon supervision and apply their own risk appetite frameworks on top of EU AML rules. For crypto companies, this typically means:

• Prolonged review timelines — onboarding reviews for crypto businesses can take 3–6 months, and banks may request the full AML/KYC policy, transaction flow diagrams, and beneficial ownership structures going back several layers.
• Volume and counterparty restrictions — even when a bank accepts you, it may impose monthly transaction caps or block payments to certain exchanges and custodians.
• SWIFT vs. SEPA access — SEPA credit transfers and SEPA Instant (SCT Inst) are the relevant rails for euro-denominated operations within the EU. SWIFT access is available but depends on correspondent banking relationships; some Estonian banks limit SWIFT for crypto clients to reduce correspondent bank risk.
• Account termination risk — banks periodically review their crypto client portfolios. A change in internal policy or a compliance incident elsewhere in the sector can result in account closure with as little as 30 days’ notice.

LHV has historically been the most crypto-receptive of the Estonian banks and has served the largest share of the country’s licensed crypto clients. However, following the mass licence revocations in 2020–2022, LHV tightened its own acceptance criteria. A well-documented application with a clear business model, realistic transaction forecasts, and a credible compliance officer improves your odds.

When a traditional bank account is unavailable or while your bank application is pending, licensed Payment Service Providers (PSPs) and Electronic Money Institutions (EMIs) are the practical alternative. Several EU-licensed EMIs actively serve crypto businesses and offer SEPA access through their own payment institution licences.

• SEPA access via EMI — EMIs authorised under the EU Payment Services Directive 2 (PSD2) can issue IBANs and process SEPA credit transfers. This gives your crypto business a functional euro account without going through a commercial bank. Processing fees are typically flat per transaction (€0.20–€3 depending on provider), compared with €1–€5 per outgoing SEPA transfer at many traditional banks for business accounts.
• Multi-currency accounts — providers such as Mistertango (licensed in Lithuania), Nexpay, and several others operating in the Baltic region offer multi-currency accounts designed for fintech and crypto clients. They will conduct their own KYB review, but their risk tolerance for licensed crypto firms is higher than retail banks.
• Safeguarding requirements — EMIs holding client funds are required under PSD2 Article 10 to safeguard those funds either in a segregated bank account or through an insurance policy. This provides a layer of protection that a standard current account does not.
• Crypto-native banking rails — some infrastructure providers offer direct blockchain settlement combined with SEPA off-ramp capability, removing the need for a traditional IBAN entirely for crypto-to-crypto flows. These are not substitutes for fiat banking but can reduce reliance on it.

The practical approach for most Estonian CASP licence holders is to open an EMI account first to cover operational needs, then pursue a bank account in parallel. Having an active business with documented transaction history strengthens your bank application. If you need introductions to vetted PSPs and EMIs that currently accept Estonian CASP clients, reach out to our licensing team.

• 500+ licenses obtained since 2016 — across multiple EU and non-EU jurisdictions, including Estonia’s FSA-regulated CASP framework.
• Dedicated Estonia licensing team — specialists who stay current with FSA guidance, MiCA implementation, and AML/CFT rule changes.
• End-to-end service — we handle company formation, UBO and director due diligence, AML policy drafting, and the full FSA application.
• Defined timelines — we give you a realistic project schedule up front and flag any FSA queries within 24 hours so delays stay minimal.
• Post-license compliance support — our compliance team assists with ongoing AML monitoring, suspicious transaction reporting, and FSA annual reporting.
• Fixed-fee packages — no open-ended hourly billing. You know the cost before we start.

If you are evaluating whether an Estonia crypto license fits your business model, book a free consultation. We will walk through the FSA requirements, capital expectations, and realistic timelines with you.