Crypto regulation in Estonia in 2026 is governed by MiCA, Estonia’s Crypto Asset Market Act, the Money Laundering and Terrorist Financing Prevention Act, DORA, and the EU Transfer of Funds Regulation. For most regulated crypto-asset services, the relevant licensing and prudential supervisor is Finantsinspektsioon, while AML reporting and sanctions-related controls remain highly relevant to the FIU framework.
Crypto regulation in Estonia in 2026 is governed by MiCA, Estonia’s Crypto Asset Market Act, the Money Laundering and Terrorist Financing Prevention Act, DORA, and the EU Transfer of Funds Regulation. For most regulated crypto-asset services, the relevant licensing and prudential supervisor is Finantsinspektsioon, while AML reporting and sanctions-related controls remain highly relevant to the FIU framework.
This page is an informational compliance resource, not legal or tax advice. Regulatory treatment depends on the exact token design, service model, customer geography, and operating structure.
Key regulatory facts, timeline markers, and practical next steps for a fast initial read.
Relevant mainly for ART and EMT issuer perimeter analysis.
The Estonian Crypto Asset Market Act entered into force on this date.
This is the core date for the harmonised CASP regime.
Legacy operators should treat this as the hard deadline for relying on old market assumptions.
Estonia cryptocurrency regulation in 2026 is no longer a light-touch FIU-era registration story. It is a full MiCA and CASP environment with materially higher expectations around governance, own funds, AML/CFT, sanctions screening, Travel Rule data handling, safeguarding, outsourcing, and ICT resilience under DORA. The practical founder question is not whether Estonia is “crypto-friendly”, but whether the business model fits the regulated perimeter, whether the team can evidence real substance, and whether the operating stack is credible under supervisory review. Estonia remains strategically relevant because it combines an EU legal environment, digital corporate infrastructure, and access to MiCA passporting. It is not the right fit for ultra-lean operators trying to launch without compliance budget, local operating logic, or experienced control functions.
The short answer is that Estonia moved from a legacy VASP environment associated with the FIU to a MiCA-era CASP framework centred on Finantsinspektsioon for authorisation and prudential supervision. That change matters because the old market narrative—fast registration, light substance, and broad use of generic VASP templates—is not a reliable description of crypto regulation in Estonia in 2026. A founder now has to think in layers: licensing under MiCA, national procedure under the Crypto Asset Market Act, AML/CFT under MLTFPA, operational resilience under DORA, transfer-data obligations under the recast TFR, and tax/accounting treatment under Estonian law. Another practical change is that passporting is now part of the strategic value proposition: an Estonia authorisation can be used as an EU home-state basis for cross-border services, but only after the proper notification mechanics. The market also remains noisy on capital thresholds, fees, and transition rules, so source-first verification is essential.
| Topic | Legacy Approach | Current Approach |
|---|---|---|
| Primary licensing narrative | FIU-era VASP registration language dominated market materials. | MiCA-era CASP authorisation is the relevant framework for regulated crypto-asset services. |
| Main supervisory focus | AML registration and formal entry barriers were the main concern. | Governance, prudential controls, safeguarding, conduct, AML, Travel Rule, and ICT resilience are all reviewed. |
| Substance expectations | Some providers marketed Estonia as workable with minimal local footprint. | Supervisory credibility depends on real management, documented outsourcing, and an explainable operating nexus to Estonia. |
| Cross-border value | EU reach was often discussed informally. | MiCA creates a formal passporting framework, but it still requires home-state authorisation and notification steps. |
| Transition assumption | Some market copy implied old permissions would continue seamlessly. | There is no automatic conversion from legacy VASP status to a CASP authorisation. |
Crypto regulation in Estonia in 2026 is a stacked regime, not a single licence statute. MiCA provides the harmonised EU framework for crypto-asset issuers and crypto-asset service providers. Estonia’s Crypto Asset Market Act supplies the national procedural and supervisory layer. The Money Laundering and Terrorist Financing Prevention Act remains central for customer due diligence, beneficial-owner checks, suspicious activity reporting, sanctions-related controls, and record retention. DORA adds a separate governance layer for ICT risk, incident management, resilience testing, and third-party technology oversight. The recast Transfer of Funds Regulation operationalises the EU Travel Rule by requiring originator and beneficiary data to accompany in-scope transfers. GDPR matters because crypto businesses process identity data, wallet-linked behavioural data, and monitoring outputs. Tax treatment then sits on top of the regulatory stack, especially for corporate income tax, VAT analysis, and accounting classification. The key nuance many competitors miss is that MiCA does not govern every digital-asset activity: some instruments may fall into MiFID II or e-money territory, and some software-only or non-custodial models may sit outside the CASP perimeter depending on the facts.
| Law / Regime | Scope | Applies To | Why It Matters |
|---|---|---|---|
| Regulation (EU) 2023/1114 - MiCA | Licensing, conduct, prudential, safeguarding, complaints, outsourcing, and passporting rules for CASPs; issuer rules for certain crypto-assets. | CASPs and relevant crypto-asset issuers operating in or from Estonia. | It is the core EU rulebook for Estonia cryptocurrency regulation in the MiCA era. |
| Crypto Asset Market Act (Estonia) | National procedural, supervisory, and implementation layer around the MiCA framework. | Applicants and supervised entities in Estonia. | It connects EU-level MiCA obligations to Estonia’s domestic supervisory architecture. |
| Money Laundering and Terrorist Financing Prevention Act (MLTFPA) | CDD, EDD, UBO identification, monitoring, suspicious transaction reporting, sanctions-related controls, and recordkeeping. | Crypto firms that qualify as obliged entities under the AML framework. | AML failure is one of the fastest ways to delay or destabilise a crypto business in Estonia. |
| Digital Operational Resilience Act (DORA) | ICT risk management, incident classification and reporting, resilience governance, testing, and third-party ICT risk. | Financial entities in scope, including relevant crypto businesses under the EU framework. | It turns cybersecurity from a technical issue into a board-level compliance obligation. |
| Transfer of Funds Regulation (recast) | Travel Rule data transmission for crypto-asset transfers. | In-scope crypto-asset transfer flows and counterparties. | A CASP without a working Travel Rule operating model is not operationally complete. |
| GDPR and Estonia data protection rules | Lawful processing, retention, security, access rights, and cross-border handling of personal data. | All crypto businesses processing identifiable customer or transaction-linked data. | KYC, KYT, sanctions, and complaints handling all create personal-data obligations. |
| Estonian tax and accounting rules | Corporate income tax, VAT, bookkeeping, audit, and financial reporting. | Estonian crypto companies and foreign groups with Estonian operations. | Tax treatment depends on service type; not all crypto revenue streams are treated the same way. |
The direct answer is that Finantsinspektsioon is the main authority for MiCA-era CASP authorisation and supervision in Estonia, while the Financial Intelligence Unit remains highly relevant for AML/CFT reporting and the broader anti-financial-crime perimeter. Founders should also track tax, data protection, and corporate registry touchpoints because Estonia crypto regulation is operationally multi-agency even when the licence itself sits with one lead supervisor.
Authorisation and supervision of CASPs under the MiCA-era framework; review of governance, prudential, conduct, and control architecture.
CASP application, material change, supervisory request, ongoing reporting, or cross-border notification.
AML/CFT intelligence, suspicious activity reporting ecosystem, sanctions-related interfaces, and legacy VASP context.
Suspicious transaction reporting, AML inspections, sanctions concerns, or historical VASP transition issues.
Company incorporation, board and shareholder records, beneficial ownership registration, and legal entity maintenance.
Entity formation, board changes, UBO updates, or constitutional document filings.
Corporate tax, VAT, payroll, and tax reporting supervision.
Profit distribution, VAT registration analysis, payroll setup, or tax audit.
Data protection oversight relevant to KYC, monitoring, profiling, and incident handling.
Personal-data breach, data subject complaint, or compliance review.
EU-level technical standards, guidance, Q&A, and supervisory convergence.
Interpretation of MiCA, prudential, conduct, or stablecoin-related rules.
A CASP licence is usually required if the business provides a regulated crypto-asset service to clients in the MiCA sense, such as custody, exchange, transfer, order execution, placing, reception and transmission of orders, advice, portfolio management, or operation of a trading platform. The harder cases are non-custodial software, protocol development, validator or infrastructure roles, NFT projects, treasury-only activity, and token issuance structures. Estonia crypto regulation should be analysed by function, control, and customer interface—not by marketing labels. If the firm can access client assets, initiate transfers, intermediate execution, or present itself as a service provider to third parties, the authorisation risk rises sharply. If the firm only publishes open-source code, does not hold keys, does not intermediate transactions, and does not provide client-facing regulated services, it may sit outside CASP scope, but that conclusion should never be stated without a fact-specific perimeter memo. Another nuance often missed is that some tokenised products may be financial instruments rather than MiCA crypto-assets, which shifts the legal analysis away from CASP licensing and into securities regulation.
Custody and administration of crypto-assets on behalf of clients
Usually requires authorisation
Exchange of crypto-assets for funds
Usually requires authorisation
Exchange of crypto-assets for other crypto-assets
Usually requires authorisation
Operation of a crypto-asset trading platform
Usually requires authorisation
Execution of orders for crypto-assets on behalf of clients
Usually requires authorisation
Reception and transmission of orders for crypto-assets on behalf of clients
Usually requires authorisation
Providing advice on crypto-assets
Usually requires authorisation
Portfolio management of crypto-assets
Usually requires authorisation
Pure non-custodial wallet software
Needs case-by-case analysis
Protocol development without client intermediation
Needs case-by-case analysis
| Business Model | MiCA Relevance | Adjacent Regimes | Practical Answer |
|---|---|---|---|
| Centralised exchange with fiat rails | High | AML, sanctions, TFR, DORA, tax, consumer law | Usually requires CASP authorisation and a mature compliance stack. |
| Custodial wallet provider | High | Safeguarding, AML, Travel Rule, ICT security | Usually inside the authorisation perimeter. |
| Non-custodial wallet interface | Fact-dependent | Consumer law, GDPR, sanctions exposure, software risk | May fall outside CASP scope if there is no custody or regulated intermediation. |
| NFT marketplace | Fact-dependent | Consumer law, IP, AML, possible MiCA relevance for fractionalised or series structures | Do not assume blanket exclusion; token design and economic function matter. |
| DeFi front-end with admin controls and fee extraction | Grey zone | AML, sanctions, consumer law, potential regulatory look-through | Requires detailed functional analysis; decentralisation claims alone are not enough. |
| Token issuance raising capital | Potentially high | Issuer rules, financial instruments analysis, marketing restrictions | May trigger MiCA issuer obligations or a non-MiCA regime depending on token classification. |
Token classification is the first legal question because the wrong classification can invalidate the entire Estonia licensing strategy. A token may be a MiCA crypto-asset, an ART, an EMT, an NFT that still attracts regulation due to structure or economic reality, or a financial instrument outside MiCA. The practical rule is simple: classify the token before you classify the service. If the token is outside MiCA, the CASP analysis may be incomplete or wrong.
| Category | Core Feature | Typical Trigger |
|---|---|---|
| Crypto-asset under MiCA | Digital representation of value or rights using distributed ledger or similar technology. | Default starting point if the token is not carved out into another regime. |
| Asset-referenced token (ART) | Token seeks to maintain stable value by referencing another value, right, or combination. | Stable-value design linked to baskets or referenced assets. |
| E-money token (EMT) | Token seeks stable value by referencing a single official currency. | Stablecoin structure pegged to one fiat currency. |
| NFT or purported NFT | Claimed uniqueness or limited-series digital asset. | Requires substance-over-form review; fractionalisation or series issuance may alter treatment. |
| Financial instrument | Token has characteristics placing it within securities/financial markets law. | Rights, transferability, profit participation, or other features may shift the token outside MiCA. |
Yes: Analyse MiFID II and adjacent securities rules instead of assuming MiCA.
No: Continue MiCA classification.
Yes: Assess whether it is an ART or EMT and apply the stricter issuer perimeter.
No: Continue general crypto-asset analysis.
Yes: Test whether the structure is genuinely unique or economically equivalent to a fungible issuance.
No: Continue service and offering analysis.
Yes: Assess CASP authorisation requirements.
No: Focus on issuer, treasury, or software-only perimeter analysis.
The core point is that a legacy Estonia VASP position is not the same thing as a MiCA-compliant CASP authorisation. Firms that operated under the older FIU-era model should treat 1 July 2026 as the practical end-state deadline for transition planning and should not rely on any assumption of automatic grandfathering. The supervisory question is not whether the firm existed before MiCA, but whether it can satisfy the current authorisation, governance, prudential, AML, safeguarding, and ICT requirements now. In practice, legacy firms often underestimate the uplift required in board competence, outsourcing documentation, wallet governance, Travel Rule implementation, and DORA-ready ICT controls.
Many firms built structures that are weak by MiCA-era standards.
The domestic supervisory layer aligned with the new EU reality.
New applicants had to design for the CASP model, not the old VASP model.
Legacy operators should have completed gap analysis, remediation, and authorisation strategy.
A legacy register entry or historical VASP status should never be treated as proof that the business can continue operating after the MiCA transition without a fresh perimeter and authorisation analysis.
The application process starts with perimeter analysis and entity readiness, not with uploading forms. In practice, founders should expect a sequence of company setup, governance design, documentation build-out, capital planning, pre-filing quality control, formal submission, completeness review, substantive assessment, and potential management interviews. The statutory review logic commonly referenced in the MiCA context is a 25 working day completeness check followed by a 40 working day substantive review, but that is not the same as real-world elapsed time. The clock can pause when the regulator asks follow-up questions, and weak documentation can turn a nominal schedule into a multi-month remediation cycle. A realistic planning assumption for a serious applicant is often 3–6 months or more from readiness work to decision, depending on business complexity and dossier quality.
Map services, token types, customer geography, outsourcing, wallet model, and payment flows. Confirm whether MiCA, issuer rules, or adjacent regimes apply before building the file.
Form the Estonian entity, define registered office and operational footprint, appoint board members, map UBOs, and plan banking or EMI relationships without assuming frictionless onboarding.
Prepare business plan, financial model, governance framework, AML/CFT manual, sanctions controls, Travel Rule model, safeguarding policy, complaints handling, conflicts management, outsourcing register, and ICT risk documentation.
Document source of funds, capital availability, ownership chain, and prudential planning. Weak source-of-funds evidence is a recurring failure point.
File the application with the regulator and respond quickly to completeness queries. Missing annexes or inconsistent narratives can stop momentum immediately.
The regulator tests governance credibility, control ownership, outsourcing logic, safeguarding, AML/KYT, and management competence. Interviews may focus on how the business actually operates, not just what the policy says.
The file should read like one operating model, not like disconnected policy appendices.
| Document | Purpose | Owner |
|---|---|---|
| Business plan | Explains the service model, customer base, revenue logic, and operational design. | Founders / management |
| Financial projections and prudential model | Shows viability, capital planning, fixed overhead logic, and funding runway. | Finance lead |
| Governance framework | Defines board oversight, committees, reporting lines, and segregation of duties. | Board / legal |
| AML/CFT and sanctions policies | Documents CDD, EDD, monitoring, STR escalation, sanctions screening, and record retention. | MLRO / compliance |
| Travel Rule operating model | Explains data capture, counterparty handling, exception management, and messaging standard usage. | Compliance / operations / product |
| Safeguarding and wallet governance policy | Covers custody architecture, segregation, reconciliation, key management, and incident response. | Operations / security |
| ICT risk and outsourcing documentation | Maps DORA-relevant controls, vendors, cloud dependencies, and third-party risk oversight. | CTO / risk / compliance |
| Source of funds and ownership evidence | Supports fit-and-proper and anti-financial-crime review of shareholders and controllers. | UBOs / legal |
The practical cost question has three layers: official filing costs, prudential capital, and the real operating budget needed to survive supervisory scrutiny. Founders should not confuse the state application fee with share capital, and should not confuse share capital with the broader own-funds and runway requirement. The market has circulated conflicting numbers on Estonia crypto licence fees and capital thresholds, so every applicant should validate the current position directly against Finantsinspektsioon, Riigi Teataja, and the final legal text applicable to the exact service mix. In real projects, recurring compliance spend often becomes more material than the filing fee itself because AML tooling, screening, audit, internal control staffing, legal support, and ICT governance continue after authorisation.
| Cost Bucket | Low Estimate | High Estimate | What Drives Cost |
|---|---|---|---|
| Official application fee | Verify current tariff | Verify current tariff | Do not rely on outdated market pages; confirm directly with official Estonia sources. |
| Minimum capital / own funds | Service-dependent | Service-dependent | Interpret capital thresholds together with MiCA prudential logic and the applicant’s fixed overhead profile. |
| Legal and application drafting | Medium | High | Complexity increases sharply for custody, exchange, trading platform, and cross-border models. |
| AML, KYT and sanctions tooling | Recurring monthly cost | Recurring enterprise cost | Blockchain analytics, screening, case management, and Travel Rule integrations are ongoing expenses. |
| Governance, audit and control staffing | Lean team | Full control-function build-out | MLRO, compliance, risk, internal audit support, and board competence all affect cost. |
| ICT and security stack | Basic resilience setup | Advanced custody and resilience architecture | MPC/HSM, logging, vendor assurance, backups, and incident management are not optional for serious operators. |
The most common budgeting mistake is using the minimum capital figure as the total launch budget. A more realistic founder formula is: Total launch budget = minimum capital or own funds floor + setup costs + compliance build + technology stack + at least 6-12 months of operating runway.
A compliant Estonia crypto operating model must combine legal policy, customer onboarding, blockchain monitoring, sanctions screening, Travel Rule data exchange, escalation governance, and record retention. Under the MLTFPA and the EU Travel Rule framework, a CASP cannot rely on a generic KYC checklist alone. The regulator will expect risk-based customer due diligence, identification of beneficial owners, source-of-funds and sometimes source-of-wealth analysis, transaction monitoring calibrated to the business model, suspicious activity escalation, and data retention that supports later reconstruction. A technical nuance often omitted by competitors is that Travel Rule compliance is not just a legal statement—it requires data fields, counterparty logic, exception handling, and interoperable messaging, commonly aligned in practice with IVMS101. Another overlooked point is that manual-only monitoring may be acceptable for very small volumes during early stages, but it becomes increasingly difficult to defend once the business scales or offers faster-moving services such as exchange or custody.
| Workflow Step | Control | Owner |
|---|---|---|
| Customer onboarding | CDD/KYB, UBO identification, sanctions/PEP screening, risk scoring | Compliance / onboarding team |
| Wallet and address review | KYT screening, exposure checks, typology flags, high-risk jurisdiction logic | Compliance / fraud / operations |
| Transaction execution | Travel Rule data collection and counterparty handling for in-scope transfers | Operations / product / compliance |
| Ongoing monitoring | Alert generation, behavioural review, sanctions refresh, threshold triggers | AML monitoring team |
| Escalation and reporting | Case investigation, decisioning, STR filing, audit trail preservation | MLRO |
| Retention and review | Store records, evidence, and decision logs for the required retention period | Compliance / data governance |
MiCA passporting means an authorised CASP in one EU home state can provide in-scope services across other Member States through the applicable notification process. The key operational point is that passporting is not a marketing slogan; it is a regulated cross-border mechanism. Estonia can therefore be strategically useful for firms targeting EU-wide activity, but only after home-state authorisation and the correct supervisory steps. Firms should also separate freedom to provide services from branch-based expansion, because the operational and governance implications differ.
Reverse solicitation is a narrow exception and should not be used as a substitute for proper authorisation, notification, or local legal analysis.
The highest-risk failures are usually not exotic legal questions but basic credibility gaps. Regulators notice when the business plan is copied from another jurisdiction, when the AML manual does not match the product, when the board lacks practical control over outsourced vendors, or when the firm cannot explain how keys, wallets, reconciliations, and incident escalation actually work. Estonia cryptocurrency regulation in 2026 rewards firms that can evidence operational reality, not just formal paperwork.
Legal risk: Weak MLTFPA compliance evidence and likely supervisory challenge
Mitigation: Rewrite the AML framework around the exact customer, wallet, geography, and transaction model
Legal risk: Fit-and-proper and AML concerns can stall or derail the application
Mitigation: Prepare documentary audit trail, ownership chain mapping, and coherent funding narrative
Legal risk: Operational non-readiness under the EU transfer-data framework
Mitigation: Define data fields, counterparty logic, IVMS101-compatible messaging approach, and exception handling
Legal risk: Safeguarding concerns and customer-asset risk
Mitigation: Document legal and technical segregation, reconciliation, key ceremonies, and access controls
Legal risk: DORA and governance deficiencies
Mitigation: Maintain outsourcing register, vendor due diligence, SLA oversight, and board reporting
Legal risk: Misalignment between digital incorporation convenience and supervisory substance requirements
Mitigation: Build real operating nexus, management presence, and accountable control ownership
The high-level tax answer is that Estonia is known for taxing corporate profits on distribution rather than on mere retention, but founders should verify the exact rate and formula in force in 2026 before relying on any summary. For crypto businesses, the difficult tax questions usually concern VAT treatment of specific services, accounting classification of digital assets, transfer pricing inside groups, and payroll treatment for local staff. A blanket statement that “crypto is tax free” or that “all crypto services are VAT exempt” is inaccurate. Exchange-related services may follow one logic, while technical platform fees, software subscriptions, custody-related charges, or advisory services may follow another. The right approach is service-by-service analysis aligned with Estonian tax authority guidance, EU case law where relevant, and the company’s actual invoicing model.
| Topic | Why It Matters | Responsible Team |
|---|---|---|
| Corporate income tax on distributed profits | Estonia’s tax model is attractive, but founders must confirm the current 2026 rate and distribution formula before modelling returns. | Finance / tax |
| VAT treatment by service type | Crypto exchange, custody, technology fees, and advisory may not all receive the same VAT treatment. | Tax / finance / legal |
| Accounting classification of crypto-assets | Balance-sheet treatment affects reporting, audit, and prudential discussions. | Finance / accounting |
| Payroll and management remuneration | Local substance often means local staff or management costs, which creates payroll and employment tax obligations. | HR / payroll / finance |
| Transfer pricing and group charges | Cross-border groups using Estonia entities must justify intra-group service fees and IP arrangements. | Tax / finance |
First 90-180 days
Sequence these after the core perimeter, governance, and launch-control decisions are stable.
Open the key issues founders, compliance teams and legal leads usually need to confirm before launch.
Yes. Crypto-related business is legal in Estonia in 2026, but many activities are regulated. Legality does not mean exemption from authorisation. If the company provides in-scope crypto-asset services such as custody, exchange, transfer, advice, or trading platform operation, it will usually need to assess CASP authorisation under MiCA and Estonia’s national framework.
For MiCA-era CASP authorisation and prudential supervision, the key authority is Finantsinspektsioon. The FIU remains relevant for AML/CFT reporting and the broader anti-financial-crime ecosystem. Legacy market materials that describe the FIU as the main crypto licensing authority should be treated with caution in the 2026 context.
A legacy VASP position should not be treated as sufficient after the transition end-state. The market consensus and transition framing around 1 July 2026 point to the need for a MiCA-era authorisation strategy. There is no automatic conversion from a legacy VASP status into a CASP authorisation.
Not always. A pure non-custodial software provider may sit outside the CASP perimeter if it does not hold client assets, control private keys, or intermediate regulated services. But the answer is highly fact-specific. Admin controls, transaction intermediation, fee structure, and customer-facing functionality can change the analysis.
The correct answer depends on the exact service category and the final applicable legal text. Founders should distinguish between minimum initial capital, own funds, and broader operating budget. Because the market contains conflicting and sometimes outdated figures, applicants should verify the current thresholds directly against official MiCA and Estonia sources before filing.
A common MiCA-era reference point is 25 working days for completeness review and 40 working days for substantive assessment, but real elapsed time is often longer. The process can pause for follow-up questions, remediation, and management interviews. In practice, many applicants should plan for 3-6 months or more.
No. Estonia’s e-Residency is a useful digital administration tool, but it does not replace regulatory substance. Supervisors will look at real management, governance ownership, operational footprint, outsourcing oversight, and whether the company can demonstrate an authentic nexus to Estonia.
The legal obligation comes from the EU Travel Rule framework, while a commonly referenced technical messaging standard in industry practice is IVMS101. A compliant model must address required data fields, counterparty handling, exception management, and auditability rather than merely stating that the company is “Travel Rule compliant”.
Yes, potentially. Not every NFT project is outside regulation. The analysis depends on economic substance, issuance structure, fractionalisation, series characteristics, and whether the business provides regulated services around the tokens. Founders should avoid blanket assumptions based only on the NFT label.
Possibly, but not all crypto-related services share the same VAT treatment. Exchange-related activity may follow one analysis, while custody-related charges, software fees, platform subscriptions, or advisory services may follow another. The right answer requires service-by-service review under Estonian tax rules and relevant EU case law.
As a baseline compliance datapoint, AML/KYC records are commonly retained for at least 5 years where the applicable framework requires it. The company should also preserve onboarding evidence, monitoring decisions, STR-related records, sanctions screening logs, and Travel Rule data in a way that supports reconstruction and audit.
Yes, for the right profile. Estonia is attractive for serious EU-facing operators that want a credible MiCA framework, digital corporate infrastructure, and passporting potential. It is usually a poor fit for founders seeking a low-substance, low-budget, or compliance-light setup.
The right answer depends on the exact service model, token classification, customer geography, governance structure, and control environment. A proper review should test MiCA scope, Estonia national requirements, AML/TFR readiness, DORA exposure, tax touchpoints, and transition risk before any filing or launch decision.
