MiCA License in Estonia 2026

Obtain MiCA-compliant CASP authorization in Estonia with RUE. Structured support for exchanges, custody providers, brokers, and crypto platforms targeting EU market access.

Schedule Free Consultation

Regulator

FI

Timeframe

4-8 months

Cost

from €19,900

Capital

€50k-€150k

Depends on authorized services, governance model, and operational substance.

Why Estonia for a MiCA License

Estonia remains a credible EU base for crypto businesses that want substance, legal clarity, and disciplined compliance. RUE helps founders structure the Estonian entity, map MiCA service scope, prepare the application file, and build a regulator-ready operating model.

Polina Merkulova

Polina Merkulova

Licensing Services Manager

[email protected]

As your point of contact, I help coordinate the licensing process end-to-end, keep communication clear, and move your application forward without unnecessary delays.

At Regulated United Europe, we support MiCA license in Estonia projects end-to-end: service mapping, company setup, governance design, document drafting, capital planning, regulator-facing submissions, and post-authorization compliance implementation.

We also coordinate adjacent workstreams that many firms ignore until too late: banking strategy, Travel Rule tooling, DORA readiness, tax structuring, accounting setup, and internal controls for custody or exchange operations.

Contact me

🏛️

Recognized EU Framework

Authorization is built around MiCA, with supervision by Finantsinspektsioon and access to EU passporting after notification.

📍

Strong Local Infrastructure

Estonia offers efficient company administration, mature digital public services, and a legal ecosystem familiar with fintech and crypto compliance.

🧭

Substance Over Fiction

The jurisdiction favors applicants with real governance, documented source of funds, credible AML controls, and operational readiness.

🛡️

Scalable Compliance Base

Estonia is well suited for businesses that want to combine MiCA authorization with DORA, AML, GDPR, accounting, and banking workstreams in one project.

Mica Licence in Estonia

Package includes (8)

Preparation of necessary documents for registration of a new company in Estonia 2026
Translation of a certificate of no criminal record through a sworn translator
Payment of state fees related to company registration
Payment of notary fees related to company registration
Preparation of compliance documents for MiCA application
Preparation of a business plan
Submission of the necessary documents to FI
Recruitment of local MLRO/Compliance officer

MiCA Class Comparison for Mica Licence in Estonia

Compare MiCA Class 1, Class 2 and Class 3 by permitted activities and baseline requirements.

Mica Class 1 - 50 000 EUR

CapitalFrom EUR 50,000 TimeCountry-specific

Swipe left/right to switch license type

Reception and transmission of client orders

Execution of orders on behalf of clients

Placement and advisory services

Portfolio management

No custody of client crypto-assets

Target Models

Advisory firms Introducing brokers Portfolio advisory setups

Mica Class 2 - 125 000 EUR

CapitalFrom EUR 125,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 1 services

Crypto-fiat and crypto-crypto exchange

Custody and administration of client assets

Transfer services for crypto-assets

Higher organizational and AML requirements

Target Models

Exchanges Custody providers Broker-dealer operations

Mica Class 3 - 150 000 EUR

CapitalFrom EUR 150,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 2 services

Operation of crypto-asset trading platform

Enhanced governance and internal controls

Advanced risk management and reporting

Typical for full-scale marketplace operators

Target Models

Trading venues Multi-service CASP groups Institutional-grade operators

Discuss this license

MiCA Class Comparison (Class 1, Class 2, Class 3)

Activity / Option	Mica Class 1 - 50 000 EUR	Mica Class 2 - 125 000 EUR	Mica Class 3 - 150 000 EUR
Reception and transmission of orders	V	V	V
Execution of orders on behalf of clients	V	V	V
Advisory and portfolio management	V	V	V
Crypto-fiat and crypto-crypto exchange	X	V	V
Custody and administration of crypto-assets	X	V	V
Operation of a trading platform	X	X	V

Comprehensive Requirements for Estonia MiCA License

An Estonia MiCA license is, in legal terms, an authorization as a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114. In practice, Finantsinspektsioon reviews whether the applicant is not only legally incorporated, but operationally capable of providing the requested services on a compliant basis.

The review is not limited to forms. The regulator will test your governance, prudential setup, AML/CFT controls, ICT resilience, outsourcing model, safeguarding logic, and the credibility of your management team. This is why a successful application must read like an operating blueprint, not a marketing deck.

Below are the core requirements that matter in real CASP authorization projects in Estonia in 2026.

Correct MiCA Service Scope and Capital Mapping +

You must first identify which MiCA service categories your business model actually triggers. This is the point where many applications go wrong. A wallet app may in fact involve custody and administration; an OTC desk may involve exchange, execution of orders, or reception and transmission of orders; a launch platform may trigger placing of crypto-assets rather than pure software activity.

Typical initial capital bands under MiCA: €50,000, €125,000, or €150,000, depending on the authorized services;
Initial capital is not the same as own funds and not the same as your total launch budget;
Own funds must generally be maintained on an ongoing basis at the higher of the applicable minimum threshold or a prudential measure linked to fixed overheads where relevant;
Capital must be demonstrably funded from lawful, traceable sources and supported by source-of-funds documentation.

A recurring market error is to quote outdated VASP-era figures or to confuse capital thresholds with operating budget. Finantsinspektsioon will expect a service-by-service legal analysis, not a generic statement that you are “an exchange”.

Estonian Company, Registered Office and Real Substance +

You need an Estonian legal entity, typically an OÜ, with a registered office and genuine operational substance. Estonia is not a viable jurisdiction for a pure letterbox structure if you are applying for a CASP authorization.

A registered office is mandatory, but a mailing address alone is not enough for a serious application;
The regulator will look at effective management, decision-making, access to records, and where key control functions are actually performed;
Board meetings, policy ownership, outsourcing oversight, and incident escalation should be anchored in a credible EU management structure;
Substance is assessed holistically: office, personnel, governance, vendors, banking, and operational accountability.

In practice, applicants with no realistic local or EU management footprint, no credible staffing plan, and no evidence of day-to-day control over critical functions face immediate credibility problems.

Management Body and Fit-and-Proper Assessment +

The management body must be fit and proper on both an initial and ongoing basis. In Estonia, a CASP application is heavily influenced by the quality of the people behind it.

Applicants should plan for at least two board members as a practical governance baseline for segregation and continuity;
Key persons must demonstrate relevant experience in financial services, crypto operations, compliance, risk, technology, or custody infrastructure, depending on the model;
Finantsinspektsioon will review CVs, education, professional history, criminal record extracts, reputation, conflicts of interest, and time commitment;
Shareholders and UBOs are also scrutinized, especially where there are complex holding chains, high-risk jurisdictions, nominee structures, or unclear wealth origin.

A common hidden issue is over-concentration of roles. If the same individual is effectively founder, board, AML lead, risk owner, and technology approver, the governance model usually looks immature.

AML/CFT, KYC and Sanctions Control Framework +

You must implement a business-specific AML/CFT framework aligned with Estonian AML law, EU requirements, and the operational realities of crypto transfers. A template manual is not enough.

Required elements usually include a business-wide risk assessment, customer risk scoring, CDD/EDD procedures, PEP and sanctions screening, transaction monitoring, suspicious transaction reporting, and record retention;
The framework must explain how you handle blockchain analytics, wallet screening, high-risk geographies, mixers, privacy-enhancing tools, and source-of-wealth/source-of-funds reviews;
Travel Rule compliance under Regulation (EU) 2023/1113 must be operationalized, not merely referenced;
The Estonian FIU remains relevant for suspicious transaction reporting even though CASP authorization sits with Finantsinspektsioon.

Strong applicants show alert logic, escalation routes, case management, and governance over false positives. Weak applicants only describe onboarding and ignore ongoing monitoring.

ICT Risk Management and DORA Readiness +

A CASP in Estonia must be prepared to operate under the broader EU operational resilience framework, including DORA where applicable to its regulated status and ICT environment. This means your technology stack must be governable, auditable, and resilient.

You should maintain an ICT risk management framework covering asset inventory, access control, change management, patching, vulnerability handling, logging, backup, and recovery;
Critical or important ICT third-party providers must be mapped, contractually governed, and monitored through an outsourcing register and vendor oversight process;
Business continuity and disaster recovery should define practical metrics such as RTO and RPO rather than generic promises;
Incident classification, escalation, and regulatory reporting routes must be documented before launch.

For custody models, the regulator will expect more than cloud diagrams. It will want to understand key management, wallet segregation, reconciliation, privileged access, and failover logic.

Business Plan, Financial Model and Source of Funds +

Your application must include a coherent business plan and financial projections, typically with a two-year planning horizon as a practical minimum. The regulator is testing viability, not just ambition.

The business plan should explain services, target markets, client types, onboarding channels, revenue model, outsourcing, complaints handling, and risk controls;
Financial projections should include realistic assumptions on client acquisition, transaction volumes, fee income, staffing, compliance costs, ICT spend, and capital buffers;
Capital injections, shareholder loans, and investor funds must be fully documented with lawful source-of-funds evidence;
Banking and fiat rails should be addressed early, because a CASP with no credible payment or safeguarding strategy often looks incomplete.

One overlooked point: the regulator will compare your stated business model against your financial model. If you describe an institutional exchange but budget only for one junior compliance employee and minimal security tooling, the file becomes internally inconsistent.

Safeguarding, Custody Controls and Client Asset Protection +

If your scope includes custody and administration of crypto-assets on behalf of clients, safeguarding becomes one of the central authorization themes. The regulator will expect a control environment, not a slogan about cold wallets.

Client assets must be clearly segregated from proprietary assets in both wallet architecture and accounting records;
You should document wallet typology: cold, warm, and hot storage, together with transfer approval flows and access rights;
Daily or near-real-time reconciliation, exception handling, and audit trails are expected in serious custody models;
Institutional controls may include MPC, HSM-backed key storage, dual control, key ceremony records, withdrawal limits, and emergency recovery procedures.

Proof-of-reserves may be commercially useful, but it is not a substitute for statutory accounting, safeguarding governance, or regulatory reporting.

Application File and Regulator-Facing Documentation +

A complete application file usually includes corporate documents, governance papers, policies, financials, and technical documentation. The quality of the file materially affects review speed.

Core documents typically include: constitutional documents, ownership chart, UBO disclosures, business plan, program of operations, financial projections, governance map, AML/CFT policies, risk framework, ICT/security documents, outsourcing register, and safeguarding procedures where relevant;
Key individuals should provide CVs, questionnaires, certificates, and reputation evidence;
Documents must be internally consistent across names, dates, roles, service descriptions, and financial assumptions;
Where documents originate abroad, apostille, notarization, or sworn translation may be needed depending on the document type and issuing jurisdiction.

At RUE, we treat the application file as a controlled evidence pack. That approach reduces contradictory statements, which are one of the most common causes of follow-up questions and review delays.

Jurisdiction Comparison

Compare Mica Licence in Estonia with other jurisdictions by key conditions for obtaining and operating a MiCA/CASP license: regulator, review period, fees, capital, local substance, and passporting.

* This table focuses on MiCA/CASP authorization conditions. Use the settings icon to customize countries and parameters.

💰 Licensing Cost Estimator

Get an approximate cost estimate for your crypto license based on your business needs

Configure Your Licensing Package

Select options below to see estimated costs

License Type

Mica Class 1

Mica Class 2

Mica Class 3

Do you need company registration?

Yes — Register New Company

No — I Have a Company

Additional Services

✓ AML/KYC Package ✓ Bank Account Opening ✓ Physical Office ✓ Compliance Officer

Estimated Cost

€0

Estimated Timeframe

Country-specific

Capital Requirement

€0

📞 Get Exact Quote

* This calculator provides approximate estimates only. Actual costs may vary based on your specific situation. Contact us for a detailed personalized quote.

Taxation of CASPs in Estonia in 2026

Estonia remains tax-efficient for growth-stage regulated businesses because corporate income tax is generally triggered on profit distributions rather than on retained earnings. For a MiCA license in Estonia project, this matters because early-stage compliance-heavy businesses often reinvest cash into staffing, security, and regulatory infrastructure instead of distributing profits.

How the Estonian Corporate Tax Model Works

As a rule, retained and reinvested corporate profits are not taxed immediately, while distributions are taxed at the corporate level. For 2026, founders should verify the current applicable corporate tax rate on distributed profits with the Estonian Tax and Customs Board (Maksu- ja Tolliamet) and local tax counsel before launch, because tax rates and implementing rules can change.

Retained earnings: generally not subject to immediate corporate income tax;
Distributed profits: taxed upon distribution under the Estonian corporate tax model;
Payroll taxes: salaries trigger employment tax and social tax obligations;
VAT: treatment depends on the exact service qualification and customer profile.

For crypto businesses, the VAT analysis is often misunderstood. Not every crypto-related service is exempt, and not every wallet or platform fee is taxable in the same way. Exchange services may follow principles developed in EU case law, including CJEU Hedqvist, but custody, technology access, platform fees, advisory, SaaS layers, and bundled services require separate classification.

Practical Tax Caveats for Estonian CASPs

Tax treatment depends on the legal and economic design of the service. A brokerage-style fee, a spread-based exchange margin, a custody fee, and a listing fee may each produce different VAT and accounting consequences. Cross-border operations can also create local tax registration or permanent establishment questions in other EU states if the business develops local presence, staff, or consumer-facing infrastructure there.

Regulatory and Operating Cost Layer

Tax is only one part of the budget. A realistic Estonia MiCA license budget should also include:

Corporate Income Tax

Triggered mainly on distributed profits

verify current rate

Estonia generally taxes corporate profits upon distribution rather than when profits are earned and retained. This is attractive for regulated businesses that need to reinvest in compliance, security, and growth. The exact applicable rate in 2026 should be confirmed against the current rules of the Estonian Tax and Customs Board and your ownership structure.

Value Added Tax (VAT)

Depends on exact service classification

0% / 22%*

VAT treatment is highly service-specific. Certain exchange transactions may be exempt under EU financial services principles, but custody, software access, advisory, platform subscriptions, and ancillary services may be taxable. Do not assume that all crypto services are exempt or that all crypto companies must register for VAT immediately. A transaction-by-transaction analysis is often required.

*Standard VAT rate shown for orientation; actual treatment depends on the service.

Payroll Taxes

Applies to local staff and management remuneration

variable

If you employ staff in Estonia, salaries trigger payroll-related obligations, including social tax and withholding mechanics. This becomes material in substance-heavy CASP models with local compliance, management, operations, or support staff.

Withholding and Cross-Border Structuring

Depends on shareholder and payment flows

case-specific

Dividend and cross-border payment treatment depends on the shareholder profile, treaty access, and the nature of the payment. International founders should coordinate Estonian tax planning with home-jurisdiction advice to avoid mismatches and double taxation issues.

State Fee for Authorization

Official fee must be checked before filing

official schedule

The state fee for a CASP application should always be verified against the current official Estonian schedule before submission. Market articles often repeat outdated or contradictory figures. We recommend treating unofficial fee claims as unreliable unless cross-checked against current official sources.

Annual Audit and Accounting

Mandatory statutory and operational cost layer

€8,000-€40,000+

Most CASP structures should budget for annual accounting, statutory reporting, and audit-related work depending on size and complexity. Costs increase materially for custody models, multi-entity structures, or businesses with high transaction volumes and wallet-to-ledger reconciliation demands.

Compliance and Control Functions

Recurring cost of staying authorized

€60,000-€300,000+

Ongoing costs usually include AML/CFT oversight, compliance support, board governance, risk management, policy maintenance, sanctions screening, Travel Rule tooling, and periodic control reviews. These are not optional overheads; they are part of the cost of remaining licensed.

ICT, Security and DORA Readiness

Technology governance and resilience spend

€20,000-€150,000+

Budget for hosting, logging, monitoring, penetration testing, backup systems, privileged access management, vendor oversight, and incident response capabilities. Custody and exchange models sit at the higher end of the range because they require stronger controls and more extensive evidence.

Compliance and Ongoing Obligations After Authorization

A MiCA Licence in Estonia is not a one-time filing event. After authorization, the CASP must maintain prudential, governance, AML, ICT, and conduct controls on a continuous basis.

📊

Regulatory Reporting and Governance

Maintain ongoing own funds and capital adequacy monitoring
Submit regulatory reports and audited financial statements as required
Notify Finantsinspektsioon of material changes in ownership, management, or services
Keep governance documents, board minutes, and control evidence up to date
Review fit-and-proper suitability on an ongoing basis

🧾

AML, KYC and Travel Rule

Perform CDD and EDD according to customer and transaction risk
Run sanctions, PEP, and adverse media screening
Monitor transactions and blockchain exposure continuously
File suspicious transaction reports to the Estonian FIU where required
Operationalize Travel Rule data exchange for in-scope crypto transfers

🔐

ICT, Security and DORA Controls

Maintain ICT asset inventory, access control, logging, and change management
Test backup, recovery, and business continuity arrangements periodically
Classify incidents and escalate major ICT events through defined channels
Govern outsourced critical ICT providers through contracts and oversight
Document vulnerability management and security testing cadence

🛡️

Client Protection and Conduct of Business

Segregate client assets and maintain reconciliation controls where relevant
Operate complaints handling and client communication procedures
Manage conflicts of interest and disclose them where required
Keep fee disclosures, terms, and marketing communications compliant
Monitor outsourcing, execution flows, and safeguarding arrangements continuously

💡

RUE handles compliance for you. Our team provides ongoing compliance support, including AML officer services, regulatory reporting, and policy updates. We ensure your license stays in good standing year after year. Contact us for compliance support →

What a MiCA License in Estonia Actually Means

What a MiCA License in Estonia Actually Means

A MiCA license in Estonia is market shorthand for an authorization as a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114. This distinction matters because the legal analysis starts with the service you perform, not with the marketing label you use.

Stablecoin-related MiCA rules started applying from 30 June 2024
CASP rules under MiCA started applying from 30 December 2024
In Estonia, the old VASP regime does not convert automatically into a CASP authorization
The transition period for legacy VASP operators runs until 1 July 2026

This means that a business searching for an Estonia MiCA license in 2026 usually needs one of three separate legal analyses:

CASP authorization for services such as custody, exchange, execution, advice, or platform operation
Token issuance / white paper analysis for public offerings or admission to trading of crypto-assets
EMT / ART regime analysis for e-money tokens or asset-referenced tokens, which follow stricter rules and may trigger additional authorization questions

RUE structures projects around the correct regulatory track from day one. That avoids a common mistake: trying to solve an issuance or stablecoin problem with a pure CASP application.

Discuss Your MiCA Scope

MiCA License vs CASP Authorization vs Old VASP License

MiCA License vs CASP Authorization vs Old VASP License

The old Estonian VASP regime was primarily associated with AML registration and supervision through the Financial Intelligence Unit. The current framework is different in both legal nature and supervisory intensity.

Old model: VASP licensing under Estonia’s earlier national crypto framework, with strong AML focus and FIU involvement
New model: CASP authorization under MiCA, supervised by Finantsinspektsioon as the national competent authority
Practical consequence: governance, prudential safeguards, conduct rules, safeguarding, and ICT controls now matter far more than under the old registration-driven model
Transition: legacy operators may rely on transitional arrangements only within the legal limits and deadlines set by Estonia and MiCA, with 1 July 2026 being the key Estonian date widely referenced for the end of the transition

There is no automatic conversion of an old VASP license into a CASP authorization. Existing operators must assess gaps, prepare a new evidence-based file, and satisfy the current authorization standard. In practice, the regulator is not asking whether you once held a crypto license in Estonia; it is asking whether you are ready to operate as a MiCA-grade financial services business now.

Get Transition Assessment

Legal Framework and Regulators for Estonia MiCA Authorization

The legal framework for an Estonia CASP license sits across several EU and national layers. The core act is MiCA — Regulation (EU) 2023/1114, but a serious applicant must also map DORA, AML law, the recast Transfer of Funds Regulation, data protection, company law, and tax rules.

The main legal stack includes:

MiCA (Regulation (EU) 2023/1114): defines CASP services, authorization rules, prudential requirements, conduct obligations, and passporting mechanics
DORA (Regulation (EU) 2022/2554): governs ICT risk management, incident handling, resilience testing, and third-party ICT risk
TFR recast (Regulation (EU) 2023/1113): applies Travel Rule-style information requirements to crypto transfers
Estonian implementing and complementary legislation: published through Riigi Teataja and relevant to local supervision, procedures, and sanctions
Estonian AML framework: relevant for CDD, monitoring, and suspicious transaction reporting to the Rahapesu Andmebüroo
GDPR and local data protection rules: supervised in Estonia by the Andmekaitse Inspektsioon

Who does what:

Finantsinspektsioon: authorization and prudential/conduct supervision of CASPs
ESMA and EBA: RTS, ITS, guidelines, convergence work, and interpretive framework at EU level
Estonian FIU: suspicious transaction reporting and AML intelligence functions
Estonian Tax and Customs Board: tax and VAT administration

A practical point many founders miss: if your model touches fiat payment flows, stored value, or token structures resembling e-money, you may also need a parallel analysis against PSD2, EMD, or the EMT regime under MiCA. CASP authorization does not automatically solve those perimeter questions.

MiCA Service Mapping for Common Crypto Business Models

Business model	Likely MiCA service bucket	Typical capital band	Main regulatory focus
Custodial wallet provider	Custody and administration of crypto-assets on behalf of clients	€125k or service-specific verification required	Safeguarding, key management, segregation, reconciliation
Crypto exchange / broker	Exchange of crypto-assets for funds or other crypto-assets; execution or transmission may also apply	€125k-€150k	Order flow, best execution logic, AML monitoring, market abuse controls
OTC desk	Execution of orders, exchange, reception and transmission of orders	€125k-€150k	Client classification, pricing governance, sanctions and source-of-funds checks
Crypto advisory firm	Providing advice on crypto-assets	€50k	Suitability logic, disclosures, conflicts of interest
Portfolio manager	Portfolio management on crypto-assets	€125k	Mandate governance, client instructions, valuation and reporting
Trading platform operator	Operation of a trading platform for crypto-assets	€150k	Market integrity, access rules, matching logic, resilience, surveillance
Token placement / launch support	Placing of crypto-assets	€50k or service-specific verification required	Distribution model, disclosures, conflicts, white paper perimeter
Non-custodial software layer	May fall outside CASP scope, but requires perimeter analysis	Case-specific	Control over keys, execution role, fee model, DeFi perimeter

Capital bands shown are orientation-level market references only. Exact classification must be verified against the final authorized service scope and current official interpretation.

Initial Capital vs Own Funds vs Total Launch Budget

Initial Capital vs Own Funds vs Total Launch Budget

Initial capital, own funds, and launch budget are three different concepts. Many websites collapse them into one number, which is why online figures for an Estonia MiCA license often contradict each other.

Initial capital: the minimum regulatory entry threshold linked to your CASP service category
Own funds: the prudential amount you must maintain on an ongoing basis, often expressed as the higher of the minimum threshold and a risk-sensitive or fixed-overheads-based measure where applicable
Total launch budget: the real cash needed to get authorized and reach go-live

Practical formula:

Total launch budget = state fee + paid-up capital + legal/compliance drafting + staffing + office + audit + AML/KYC tooling + ICT/security + banking/onboarding reserve + contingency

For a lean advisory-only model, the launch budget may be materially lower than for an exchange-plus-custody model. For a platform or custody business, the gap between minimum capital and real launch cost is often large because security architecture, governance, reconciliation, and operational testing consume significant budget before first revenue.

Why different websites quote different figures

Some still use old VASP-era numbers
Some confuse share capital with own funds
Some quote one service class while describing another
Some include local business costs in “capital” and some do not
Some ignore that a multi-service application may need the higher threshold

At RUE, we solve this by building a capital memo tied to the actual service map, governance model, and operating budget. That is the only reliable way to answer the question “how much capital do we need?”

Request Capital Planning

Corporate Substance and Governance Expectations

Estonian Entity

Applicants normally use an Estonian company, most often an OÜ, with clean ownership records, UBO transparency, and a credible operating purpose.

Board Structure

A practical baseline is at least two board members with defined roles, sufficient time commitment, and no unmanaged conflicts of interest.

AML Ownership

An AML function must exist in substance, with reporting lines, escalation routes, and authority to challenge business decisions.

Effective Management

The regulator looks at where decisions are made, who controls vendors, and whether management can evidence day-to-day oversight.

Segregation of Duties

Critical approvals should not sit with one person. This matters especially in custody, treasury, onboarding, and withdrawal workflows.

Source of Funds

Capital origin, shareholder background, and wealth provenance must be documented in a way that survives regulator scrutiny.

Do You Need a Physical Office, Local Director and AML Officer?

Yes to substance, not to myths. An Estonia MiCA license application usually requires more than a registered address, but the law should not be oversimplified into slogans such as “one director must always be Estonian resident”.

Physical office: a real operating setup is strongly preferable where your model includes management, compliance, or customer-facing activity in Estonia
Local director: not every case turns on formal Estonian residency, but the regulator will expect credible effective management and accessible decision-makers within the EU governance structure
AML officer: an AML/CFT function is practically indispensable for a CASP; whether fully internal or partly outsourced, it must be competent, independent enough, and operationally embedded
Local substance: assessed through the total picture: office, staff, board activity, outsourced functions, records, and control over operations

The wrong question is “what is the minimum we can fake?” The right question is “what level of substance matches our risk profile and will survive a supervisory review?”

AML, KYC, Sanctions and Travel Rule in Practice

AML, KYC, Sanctions and Travel Rule in Practice

An Estonian CASP must run operational AML, not just maintain a policy library. The regulator will expect controls across onboarding, transaction monitoring, sanctions screening, blockchain analytics, escalation, and suspicious transaction reporting.

What a serious AML stack usually includes

CDD and EDD: identity verification, beneficial ownership checks, source-of-funds/source-of-wealth analysis, and enhanced review for high-risk customers
Risk scoring: customer, geography, product, channel, and transaction behavior risk variables
Sanctions screening: screening of customers, counterparties, wallet exposure, and adverse media
Transaction monitoring: fiat and on-chain monitoring, alert thresholds, manual investigations, and documented dispositioning
STR process: escalation and reporting to the Estonian FIU where suspicious activity is identified
Record retention: retention periods under AML law and data governance rules

How the Travel Rule works for CASPs

The EU crypto transfer regime under Regulation (EU) 2023/1113 requires originator and beneficiary information to accompany in-scope crypto transfers. In practice, this means your CASP must be able to collect, verify where required, transmit, receive, and reconcile transfer data with counterpart CASPs.

Data model: originator and beneficiary identifiers, account or wallet references, and other required transfer data
Technical standard: many providers use IVMS101 as the common data schema for interoperability
Operational challenge: handling transfers involving self-hosted wallets, incomplete data, or counterparties with weak interoperability
Control point: Travel Rule logic must be built into onboarding, transfer approval, exception handling, and sanctions workflows

A useful technical nuance: many failed implementations treat the Travel Rule as a messaging add-on. In reality, it is a workflow problem touching customer data quality, wallet attribution, sanctions controls, and transfer hold/release logic.

Prepare MiCA Compliance Documents

Travel Rule Operationalization Matrix

Requirement	Operational implication	Typical solution layer
Originator and beneficiary data collection	KYC records must be structured and retrievable before transfer release	Onboarding/KYC platform + internal case management
Data transmission to counterparty CASP	Transfer cannot rely on blockchain payload alone	Travel Rule provider using IVMS101-compatible messaging
Screening and exception handling	Transfers may need hold/review if data is incomplete or sanctions risk is detected	Sanctions engine + compliance workflow
Self-hosted wallet scenarios	Additional controls may be needed around ownership verification and risk scoring	Wallet verification tools + policy-based review
Audit trail and retention	CASP must evidence what was sent, received, reviewed, and approved	Immutable logs + document retention controls

ICT, Cybersecurity and DORA Readiness for Estonian CASPs

ICT, Cybersecurity and DORA Readiness for Estonian CASPs

DORA readiness means being able to prove that your ICT environment is governed, resilient, and recoverable. For an Estonian CASP, this is especially important where the business model depends on custody, matching engines, API connectivity, or outsourced cloud infrastructure.

ICT governance: board visibility over critical systems, risk appetite, and major incidents
Asset inventory: documented systems, data stores, interfaces, privileged accounts, and external dependencies
Security baseline: MFA, encryption at rest and in transit, secure SDLC, logging, vulnerability management, and least-privilege access
Resilience: tested backup, restoration, failover, and business continuity procedures
Third-party risk: contracts, SLAs, concentration risk review, and exit planning for critical vendors

What your custody and wallet architecture should prove

If you provide custody, the regulator will want evidence that the architecture supports client protection under stress, not only under normal conditions.

Segregation: client wallets and records must be separable from house assets
Reconciliation: wallet balances, ledger balances, and client entitlements should reconcile daily or more frequently depending on the model
Key management: use of MPC, HSMs, dual control, and restricted privileged access
Wallet tiers: documented cold/warm/hot wallet policy with exposure limits and approval thresholds
Recovery metrics: practical targets such as RTO under 24 hours and RPO near zero for critical ledgers, subject to system design

A subtle but important point: many applicants document wallet security but forget entitlement integrity. The regulator cares not only whether keys are safe, but whether your books can always prove who owns what.

Documents Most Likely to Delay an Estonia CASP Application

Document	Why it matters	Common mistake
Business plan	Shows viability, target market, service model, and control environment	Marketing language with no operational detail
Program of operations	Maps exact services and process flows	Requested scope does not match actual product
Financial projections	Tests sustainability and prudential logic	Revenue assumptions unsupported by staffing and costs
Source-of-funds package	Validates lawful capitalization	Unclear investor chain or missing bank evidence
AML/CFT framework	Core to customer and transaction risk control	Generic template not tailored to crypto flows
ICT/security documentation	Supports DORA and operational resilience review	No architecture, no incident logic, no vendor map
Governance map	Shows reporting lines and segregation of duties	One-person control over all key functions
Outsourcing register	Critical where vendors perform key activities	Missing oversight or exit planning
CVs and fit-and-proper evidence	Supports management suitability	Experience does not match requested services
Safeguarding / custody policy	Essential for custody applicants	No reconciliation, no asset segregation logic

Passporting Under MiCA Is Powerful but Not Absolute

Passporting Under MiCA Is Powerful but Not Absolute

An Estonia MiCA license can support cross-border activity across the EU’s 27 member states, but passporting is not the same as “one license and no more local rules”.

Passporting is service-scope dependent: you can passport only the services for which you are authorized
Notification mechanics apply: cross-border activity normally requires notification through the competent authority framework
Local law still matters: tax, sanctions, consumer law, marketing rules, complaints handling, and data protection remain relevant in target markets
Operational readiness still matters: language support, disclosures, onboarding flows, and local payment arrangements may need adaptation

In other words, passporting removes the need for a second crypto authorization in another EU state, but it does not remove the need for local legal analysis. This is especially important for retail-facing exchanges, app-based products, and firms planning local branches or sales teams.

Plan EU Expansion

Top 10 Regulator Red Flags in Estonia CASP Files

No real substance

Letterbox setup, no credible management presence, and no evidence of operational control.

Wrong service classification

Product reality does not match the requested MiCA service scope.

Weak source of funds

Capital origin is opaque, fragmented, or poorly documented.

Template AML manual

Policies mention crypto generically but do not explain your actual onboarding and monitoring logic.

Overloaded founder governance

One person controls board, compliance, AML, treasury, and technology approvals.

No banking or fiat strategy

The business model assumes fiat operations without credible payment rails or partner discussions.

Immature custody architecture

No clear segregation, reconciliation, key management, or withdrawal approval design.

No outsourcing oversight

Critical vendors are listed, but no one owns monitoring, SLA review, or exit planning.

Unrealistic financial model

Projected revenue implies scale that the staffing, tooling, and capital plan cannot support.

Poor regulator communication

Slow, inconsistent, or defensive responses during review materially reduce trust.

Is Estonia the Right Jurisdiction for Your Project

Is Estonia the Right Jurisdiction for Your Project

Estonia is a strong jurisdiction for founders who want a disciplined EU setup and are prepared to build a real compliance architecture. It is usually a poor fit for applicants looking for the cheapest possible license or trying to run a high-risk model with minimal substance.

Estonia is a strong fit for these business models

Custody-led businesses that can document wallet security, reconciliation, and governance
Brokerage and OTC models with institutional or professional client focus
Exchange businesses prepared for real AML, sanctions, and market conduct controls
Advisory and portfolio management firms that want an EU regulatory base under MiCA
Groups building multi-country EU operations that need legal, tax, banking, and compliance coordination from one hub

Estonia is usually a poor fit for these cases

Very low-budget startups that cannot fund governance, documentation, and post-license compliance
Founders seeking a purely remote shell with no credible management or control environment
Projects with unstable token economics that actually need issuance or EMT/ART analysis instead of a simple CASP application
Businesses with no banking strategy, no source-of-funds clarity, or no appetite for Travel Rule and sanctions implementation

If your target is a serious MiCA Licence in Estonia, the right feasibility question is not “can we file?” but “can we operate under supervision for years without breaking the model?” That is the standard RUE uses in pre-engagement assessments.

Related RUE services: crypto license in Estonia, cryptocurrency regulation in Estonia, accounting services in Estonia, crypto business bank account, legal services in Estonia.

Check Project Feasibility

Sources and Legislation

This page is written as a practical regulatory guide and should be read together with official sources. For legal certainty, always verify the latest text, implementing acts, and regulator guidance before filing.

EUR-Lex: Regulation (EU) 2023/1114 (MiCA)
EUR-Lex: Regulation (EU) 2022/2554 (DORA)
EUR-Lex: Regulation (EU) 2023/1113 (Transfer of Funds Regulation recast)
Finantsinspektsioon: official Estonian supervisory guidance and application materials
Riigi Teataja: official publication of Estonian legislation
ESMA and EBA: RTS, ITS, guidelines, and convergence materials
FATF Recommendation 16: Travel Rule baseline
Estonian Tax and Customs Board: tax and VAT administration
Andmekaitse Inspektsioon: data protection supervision in Estonia

Disclaimer: this page is for information only and does not constitute legal or tax advice. The exact requirements depend on your service scope, token model, customer geography, outsourcing design, and interaction with other regimes such as PSD2, EMT/ART, sanctions, GDPR, and consumer law.

📝 Check Your Eligibility

Answer a few quick questions to find out if this jurisdiction suits your crypto business

Step 1 of 5

What type of crypto services will you provide?

Exchange (fiat ↔ crypto)

Custody & Wallet Services

Transfer & Payment Services

Advisory / Portfolio Management

Multiple / All of the Above

Step 2 of 5

What is your target market?

European Union only

EU + Global markets

Global (non-EU priority)

Step 3 of 5

Do you already have a registered company in the EU?

Yes, in this jurisdiction

Yes, in another EU country

No, I need to register one

Step 4 of 5

What is your available budget range?

Under €20,000

€20,000 – €50,000

€50,000 – €100,000

Over €100,000

Step 5 of 5

When do you plan to launch?

As soon as possible (1–3 months)

Within 6 months

Within a year

Just exploring options

✅

This Jurisdiction Is a Great Fit!

Based on your answers, this jurisdiction matches your business requirements well. Here's a quick summary:

Recommended License

CASP License

Estimated Budget

€24,000 – €35,000

Estimated Timeframe

4–6 months

EU Passporting

Available

📞 Get Personalized Assessment

Step-by-Step CASP Authorization Process

Step 1

Scope and Feasibility

Map the exact MiCA services, identify whether token issuance, EMT/ART, PSD2, or other parallel regimes are relevant, and test whether Estonia is the right jurisdiction. Duration: 1-2 weeks.

Step 2

Company Setup

Incorporate the Estonian entity, prepare ownership disclosures, arrange registered office, and structure governance and substance. Begin banking and staffing workstreams early. Duration: 1-3 weeks.

Step 3

Governance Design

Appoint board and key function holders, define reporting lines, segregation of duties, outsourcing model, and fit-and-proper evidence pack. Duration: 2-4 weeks.

Step 4

Documentation Drafting

Prepare the application file: business plan, program of operations, financial projections, AML/CFT framework, ICT and security documents, safeguarding policies, and source-of-funds package. Duration: 4-8+ weeks.

Step 5

Pre-Filing Review

Run a gap analysis to remove contradictions, verify service mapping, align financial assumptions with staffing and controls, and finalize the evidence pack for submission. Duration: 1-2 weeks.

Step 6

Application Submission

Submit the file to Finantsinspektsioon and pay the applicable official state fee. The regulator begins its completeness and substantive review process. Duration: 1 week.

Step 7

Regulator Review

Statutory review includes a completeness check of up to 25 working days and an assessment period of up to 40 working days, with possible suspension or extension where information is missing. Real timing depends heavily on file quality.

Step 8

Approval and Go-Live

After authorization, complete final operational conditions: banking, vendor onboarding, Travel Rule connectivity, staff training, reporting setup, and passporting notifications where relevant. Typical total project timeline: 4-8 months+, sometimes longer for complex models.

Start Your Application

Frequently Asked Questions

How long does it take to get a MiCA license in Estonia? +

A realistic timeline is usually 4-8 months or more. The formal regulator clock is only part of the process. In practice, you should separate document preparation from statutory review.

Preparation phase: often 6-12+ weeks for company setup, governance, policies, financials, and source-of-funds evidence
Completeness check: up to 25 working days
Assessment phase: up to 40 working days
Possible suspension/extension: up to 20 working days or more where the file is incomplete or responses are delayed

The biggest variable is not the regulator. It is applicant readiness. Weak governance, missing source-of-funds documents, inconsistent service mapping, and poor ICT documentation are the main reasons timelines slip.

What is the minimum capital for an Estonia MiCA license? +

The usual MiCA capital bands are €50,000, €125,000, or €150,000, depending on the services. The exact threshold depends on the authorized CASP service category or combination of services.

Two cautions matter:

Initial capital is not the same as own funds
Minimum capital is not the same as total launch budget

If you are applying for custody, exchange, or platform operation, the effective funding requirement is usually much higher than the bare minimum because you must also fund staffing, security, AML tooling, audit, and working capital. RUE normally prepares a service-mapped capital memo before filing.

Can a foreign founder own a CASP in Estonia? +

Yes, foreign founders can own an Estonian CASP. Estonia does not prohibit foreign ownership as such. What matters is transparency, fitness, and lawful source of funds.

UBOs and qualifying shareholders must be fully disclosed
Ownership chains should be clear and documentable
Source of funds and, where relevant, source of wealth must be evidenced
Sanctions, reputation, and fit-and-proper issues are assessed carefully

Foreign ownership is common. Opaque holding structures, nominee-heavy arrangements, and unexplained capital flows are the real problem areas.

Do I need a physical office in Estonia? +

You need real substance, and in many cases that means more than a virtual address. A registered office is mandatory, but a CASP authorization is not designed for a pure letterbox structure.

The regulator will look at:

where management decisions are made
where records and control functions are accessible
whether key personnel can actually oversee operations
whether the office and staffing model match the risk profile

Some models can operate with leaner local presence than others, but custody, exchange, and platform businesses usually need a more robust substance story.

Can an existing VASP continue after 1 July 2026? +

Not under the old framework alone. The key Estonian transition date widely referenced for legacy VASP operators is 1 July 2026. After the transition ends, firms that have not moved into the MiCA/CASP framework should not expect to continue providing in-scope services lawfully on the basis of the old regime.

There is no automatic conversion from VASP to CASP. Existing operators should complete a gap analysis early, because the transition requires more than updating an AML manual. Governance, prudential setup, safeguarding, ICT controls, and service mapping all need review.

Does a MiCA Licence in Estonia allow EU-wide passporting? +

Yes, but only for the services you are authorized to provide and only through the MiCA passporting framework. Passporting gives access to the EU market, but it is not a waiver from all local law.

You can passport the authorized CASP services into other EU member states
Notification mechanics still apply
Local tax, sanctions, consumer, marketing, and data protection rules still matter
Operational adaptation may be needed for local languages, complaints handling, and payment flows

Passporting is a major commercial advantage, but it should be planned as a legal-operational rollout, not as a checkbox.

Is token issuance covered by a CASP authorization? +

Not always. A CASP authorization covers crypto-asset services. It does not automatically solve every token issuance scenario.

You may need separate analysis for:

crypto-asset white paper obligations
public offering or admission to trading
asset-referenced tokens (ARTs)
e-money tokens (EMTs)

This is one of the most common perimeter mistakes in the market. If your business model includes launchpad, treasury token, or stablecoin features, the CASP workstream must be coordinated with issuance analysis from the start.

What is the difference between initial capital and own funds? +

Initial capital is the entry threshold; own funds are the ongoing prudential requirement. The first is what you need to qualify for authorization. The second is what you must continue to maintain after authorization.

In practice:

Initial capital is tied to your CASP service category
Own funds may need to remain at the higher of the minimum threshold and another prudential measure, such as one linked to fixed overheads
Launch budget is separate again and includes all real setup and operating costs

This distinction matters because some firms technically meet the entry threshold but still fail the viability test once realistic operating costs are modeled.

Do CASPs in Estonia need DORA compliance? +

They need to assess and implement the relevant ICT risk and operational resilience obligations applicable to their regulated setup. In practice, serious CASP applicants in Estonia should prepare for DORA-grade expectations around governance, incident handling, testing, and third-party ICT risk.

ICT asset inventory and access control
backup and recovery planning
incident classification and escalation
outsourcing register and vendor oversight
periodic resilience testing

For custody and exchange models, weak ICT governance is often one of the fastest ways to lose regulator confidence.

Is VAT always due on crypto services in Estonia? +

No. VAT treatment depends on the exact service design. Some exchange activities may fall under exemption logic developed in EU case law, but many crypto-related services do not automatically qualify for exemption.

Examples that need separate review include:

custody fees
platform access fees
advisory services
technology subscriptions
bundled exchange-plus-software models

Do not rely on blanket statements such as “all crypto is VAT exempt” or “all wallet services are taxable”. Correct classification should be confirmed with Estonian tax specialists.

Can RUE help with banking, accounting and compliance after authorization? +

Yes. RUE supports not only the MiCA application itself but also the adjacent workstreams that determine whether the business can actually launch and remain compliant.

This integrated approach is especially useful for exchange, custody, and platform projects that need synchronized legal, tax, banking, and compliance execution.

Regulated United Europe OÜ

Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia

Company in Lithuania UAB

Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25-702, Vilnius, 09320, Lithuania

Company in Czech Republic s.r.o.

Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perstyne 342/1, Prague

Company in Poland Sp. z o.o.

Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, Warsaw, 00-824, Poland

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

Main Services

Terms of Cooperation

Regulated United Europe