An overview of the regulation of virtual assets in Estonia
Virtual asset laws and regulations in Estonia
Regulation of virtual assets and offerings of virtual assets in Estonia
Regulation of VASPs in Estonia
Regulation of other crypto-related activities in Estonia
Other relevant regulatory information
Pending litigation and judgments related to virtual assets in Estonia (if any)
Government outlook on virtual assets and crypto-related activities in Estonia
1. Virtual asset laws and regulations in Estonia
Estonia has taken significant steps to regulate virtual assets. The journey began in 2019 with amendments to the Money Laundering and Terrorist Financing Prevention Act (MLTFPA), which brought virtual currency service providers under anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. These providers were required to obtain licenses from the Estonian Financial Intelligence Unit (FIU) and implement measures such as customer due diligence, transaction monitoring and reporting suspicious activities.
A major shift occurred on July 1, 2024, with the introduction of the Crypto Asset Market Act, aligning Estonia’s framework with the European Union’s Markets in Crypto-Assets Regulation (MiCA) and Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA). Under this new regime, all crypto-asset service providers (CASPs) must secure a license from the Estonian Financial Supervision Authority (FSA). The previous licenses issued by the FIU will remain valid only until July 1, 2026. The scope of regulation has expanded to include not just exchanges and wallets but also trading platforms, custodians and issuers of asset-referenced and e-money tokens. CASPs are now subject to requirements concerning governance, capital adequacy, client asset protection, transparency and complaint handling. They must also maintain a registered office in Estonia.
What is considered a virtual asset in Estonia?
In Estonia, a virtual asset is understood as a digital representation of value that can be digitally transferred, stored, or traded and which natural or legal persons accept as a means of payment or investment. Importantly, a virtual asset is not issued or guaranteed by any central bank or public authority, is not legal tender and does not qualify as traditional fiat currency or funds under payment services legislation.
This definition is consistent with both Estonian law and international standards, such as those set by the Financial Action Task Force (FATF), and is now applied within the broader context of the Crypto Asset Market Act and the EU’s MiCA.
What are the relevant laws and regulations?
- MLTFPA: The MLTFPA defines virtual currency as a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored or traded electronically. Until recently, CASPs had to obtain a license from the Estonian FIU and implement strict AML and CFT measures, including customer due diligence and transaction monitoring. While the MLTFPA remains relevant for AML/CFT obligations, the licensing and supervision of crypto-asset services have now shifted to the new regime.
- EU Directive 2015/849: Estonia has implemented this directive, which establishes a European legal framework for virtual currencies. Cryptocurrency service providers are required to have a license and follow AML/CFT rules. The directive has been supplemented and, in many respects, superseded by the more comprehensive EU MiCA.
- International Sanctions Act, 2019: It recognises virtual currency service providers as persons with special obligations to ensure that they are monitoring their transactions for compliance with international sanctions. This can help prevent financial crimes like money laundering and terrorism financing that might be facilitated through the use of virtual assets.
- The Crypto Asset Market Act: The Crypto Asset Market Act entered into force on 1 July 2024 and applies to anyone issuing, offering, or trading crypto-assets in Estonia. It brings crypto-asset service providers and issuers under the supervision of the Estonian FSA. All providers must obtain a CASP license from the FSA. Previous FIU-issued VASP licenses remain valid only until 1 July 2026; after this date, only FSA-issued licenses are valid. The Act sets out licensing procedures, governance standards, capital requirements, client asset protection and a complaint handling mechanism. It also details rules for corporate transformations, mergers and insolvency not covered by MiCA.
Who do such laws and regulations apply to?
Estonia’s virtual asset regulations now apply broadly to participants across the crypto-asset market, governed jointly by the national Crypto Asset Market Act and the EU’s MiCA. Any individual or company involved in the issuance, offering, or trading of crypto-assets, or in providing services such as the exchange of crypto-assets for fiat or other crypto-assets, the custody and administration of crypto-assets for clients, operation of trading platforms, execution of client orders, or advising on crypto-assets, must now obtain a CASP license from the Estonian FSA. Additionally, all providers are required to have a registered office in Estonia, as reflected in their corporate documentation.
Both existing and new service providers fall under the scope of this updated legal regime. Providers currently operating under licenses issued under the MLTFPA can continue to do so only until July 1, 2026. After this deadline, all providers regardless of previous authorisation must hold a new CASP license issued by the Estonian FSA. There is no simplified transition for previously licensed providers; all must apply anew under the revised framework. New market entrants must secure this license before beginning operations.
The regulations also have international implications. They apply not only to entities based in Estonia but also to foreign companies offering crypto-asset services to Estonian residents, provided such activity would otherwise require a license under Estonian law. In addition to CASPs, other entities are also subject to regulation. Custodian wallet providers and those who safeguard private cryptographic keys or offer storage services for such keys are also required to comply with licensing rules and AML/CFT obligations. Furthermore, issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) must meet specific requirements set out under both the Crypto Asset Market Act and MiCA.
Who are the relevant regulatory authorities in relation to virtual assets in Estonia?
The relevant regulatory authorities for virtual assets in Estonia are:
- Financial Supervision Authority (FSA): As of 2025, the FSA is the primary regulator for CASPs and issuers under the Crypto Asset Market Act and the EU’s MiCA. The FSA is responsible for licensing, supervision and enforcement of compliance with financial, governance and consumer protection requirements. All new licenses for crypto-asset activities must be obtained from the FSA, and by July 1, 2026, all existing providers must transition to FSA supervision.
- Financial Intelligence Unit (FIU): The FIU has historically overseen AML/CTF compliance for VASPs and issued licenses under the MLTFPA. The FIU will continue supervising existing license holders until July 1, 2026, after which its role in licensing will end and all oversight will shift to the FSA.
What are the penalties for breaches of virtual asset laws and regulations in Estonia?
The Crypto Asset Market Act in Estonia, together with the EU’s MiCA Regulation, establishes a detailed system of penalties and enforcement measures to ensure compliance. These are primarily addressed in Chapter 8 of the Act under the section titled “Liability” and in Chapter 7, “Supervision,” which outlines the powers granted to the Estonian FSA.
For breaches of rules related to the provision of crypto-asset services under specific articles of MiCA, natural persons can face fines up to €700,000 or up to twice the amount of profits made or losses avoided. Legal persons may be fined up to €5 million, twice the unlawful gains or avoided losses, or up to 5% of their turnover or that of their consolidated group. Issuers of ARTs violating rules of MiCA face similar penalties: natural persons up to €700,000 or double the profit, while legal entities can be fined up to €5 million, twice the gain, or 12.5% of their turnover.
Issuers of EMTs who violate Articles of MiCA are subject to the same penalty thresholds: natural persons up to €700,000 or twice the profits earned or losses avoided, and legal persons up to €5 million, double the gains, or 12.5% of turnover. Violations related to the offering and trading of other crypto-assets under MiCA also carry fines of up to €700,000 or twice the profit for natural persons and up to €5 million, twice the profit, or 3% of turnover for legal persons.
In cases where entities fail to publicly disclose inside information, natural persons can be fined up to €1 million or three times the profit and legal entities up to €2.5 million, three times the profit, or 2% of turnover. The most severe penalties are reserved for breaches involving market abuse prevention and detection, where natural persons can face fines of up to €5 million or three times the profit and legal entities up to €15 million, three times the profit, or 15% of their turnover or that of their group.
In addition to financial penalties, the Estonian FSA has the authority to revoke licenses, suspend activities and impose other corrective measures.
2. Regulation of virtual assets and offerings of virtual assets in Estonia
Are virtual assets classified as ‘securities’ or other regulated financial instruments in Estonia?
Estonia’s Crypto Assets Market Act, introduced alongside the EU’s MiCA, specifically addresses various types of crypto-assets: ARTs, EMTs and other digital tokens. Crypto-assets are not automatically classified as “securities” or traditional financial instruments. Instead, the Act regulates crypto-assets as their own category, focusing on their issuance, trading and related services. While the Securities Market Act (SMA) may be referenced in the Crypto Assets Market Act, this is done mainly for technical purposes, such as defining aspects of corporate structure or control, and not for deciding whether a crypto-asset qualifies as a security.
That said, if a specific crypto-asset has characteristics similar to a security, for example, if it grants ownership rights, a share in profits, or involves a debt obligation, it may still fall under the rules of the SMA. In such cases, the asset would be assessed individually and could be regulated as a security depending on its specific features.
Are stablecoins and NFTs regulated in Estonia?
Stablecoins: Estonia regulates stablecoins primarily through the Crypto Asset Market Act and the EU’s MiCA. Although the term “stablecoin” isn’t used directly, the laws categorise them into two specific types: ARTs, which are tied to multiple assets such as currency baskets or commodities, and EMTs, which are pegged to a single fiat currency like the euro. Issuers of both ARTs and EMTs are required to obtain authorisation from the Estonian FSA and must comply with rules on capital reserves, governance standards, transparency and consumer protection. They are also subject to ongoing supervision and may face penalties for non-compliance.
NFTs: As for NFTs, they are not directly addressed in the Crypto Asset Market Act or MiCA, mainly because these regulations are intended for fungible crypto-assets. That said, NFTs are generally excluded from the core scope of these laws unless they are designed or promoted in a way that gives them characteristics of financial instruments or investment products. For example, if an NFT can be used for payment, confers profit rights, or mimics the structure of a security, it may fall under financial or AML regulations. Even when outside MiCA’s scope, persons offering or seeking admission to trading of such “other crypto-assets” (potentially including NFTs) are still subject to oversight and liability.
Are decentralised finance (DeFi) activities (e.g. lending virtual assets) regulated in Estonia?
Estonia’s Crypto Asset Market Act, aligned with the EU’s MiCA Regulation, does not explicitly address or directly regulate DeFi activities, such as lending or borrowing digital assets through decentralised protocols.
The regulation primarily applies to identifiable natural or legal persons such as crypto-asset service providers, issuers, or operators, who are involved in offering or managing crypto-asset services or trading platforms. In cases where a DeFi activity is provided or facilitated by a known intermediary or legal entity, that person or entity may fall within the regulatory scope and become subject to licensing, AML/CFT compliance and supervision by the Estonian FSA.
The approach is consistent with MiCA Recital 22, which clarifies that the regulation applies only to activities carried out or controlled by identifiable persons. As a result, fully autonomous DeFi protocols, where no party exercises control or oversight, are not currently subject to direct regulation in Estonia or under the broader EU framework. Nevertheless, the Estonian FSA continues to monitor developments in the DeFi space and has indicated that any identifiable service provider or facilitator operating in connection with DeFi should adhere to the same standards of market integrity, consumer protection and regulatory compliance as traditional centralised operators.
Are there any restrictions on issuing or publicly offering virtual assets in Estonia?
Yes, Estonia’s Crypto Asset Market Act, aligned with the EU’s MiCA, introduces several obligations for issuers and CASPs:
- Licensing and authorisation: All CASPs and crypto-asset issuers are required to obtain authorisation from the Estonian FSA. This marks a shift from the previous regime, under which licenses were issued by the FIU. Those existing licenses will remain valid only until July 1, 2026, after which reauthorisation under the new framework becomes mandatory. Additionally, any entity seeking to issue crypto-assets must be incorporated as a legal entity in Estonia and have its registered office located within the country.
- White paper obligations: Prior to any public offering or admission to trading, issuers are required to prepare and submit a detailed white paper to the Estonian FSA. This document must provide comprehensive information about the issuer, the nature and risks of the crypto-asset and the rights and obligations attached to it. The regulatory approval or notification process depends on the asset type: ARTs require formal approval from the Estonian FSA, while EMTs only require notification. For other crypto-assets, notification must be submitted at least 20 business days before publication. Marketing materials must remain consistent with the white paper and avoid any misleading representations.
- Capital and governance requirements: CASPs are subject to minimum capital requirements, generally set at €100,000, with higher thresholds applicable to certain services such as custody. Entities must maintain governance arrangements, including a management board with at least two members who are residents of Estonia. Effective internal controls and risk management systems are mandatory as well.
- AML/CFT compliance: Issuers and service providers must adhere to stringent AML/CFT obligations. These include customer due diligence measures such as KYC protocols, continuous monitoring of transactions and reporting of suspicious activity.
- Restrictions by crypto-asset type: Different categories of crypto-assets are subject to specific regulatory requirements. Issuers of ARTs must manage reserves appropriately and provide ongoing disclosures, with Estonian FSA approval being a prerequisite. EMTs can only be issued by entities that are authorised as credit institutions or e-money institutions.
- Penalties for non-compliance: The framework includes significant penalties for regulatory breaches. Legal entities may be fined up to €5 million or 15% of their annual turnover for severe violations. Additionally, the Estonian FSA holds the authority to suspend or revoke licenses if a service provider fails to meet regulatory obligations.
Are there any exemptions to the restrictions on issuing or publicly offering of virtual assets in Estonia?
Yes, the Crypto Asset Market Act, aligned with the EU’s MiCA, outlines specific exemptions, offering regulatory relief in certain limited scenarios.
Exemptions under the Crypto Asset Market Act and MiCA: Certain regulated entities may operate in the crypto-asset space without the need for an additional license. This includes credit institutions, e-money institutions, investment firms and management companies or alternative investment funds, provided they comply with applicable MiCA requirements and formally notify the Estonian FSA of their crypto-related activities. These entities benefit from a more streamlined compliance pathway, recognising their existing oversight under financial regulations.
Intragroup transactions, those conducted exclusively within a group of companies, where a parent company holds at least 50% of the shares or voting rights in its subsidiaries, are generally excluded from public offering requirements. Since these transactions are internal and not aimed at the broader market, they do not trigger full regulatory obligations under the Act or MiCA.
Further exemptions are granted for private and small-scale offers. Specifically, offers made to fewer than 150 persons per EU Member State or those falling below a defined monetary threshold (as set out in MiCA) are not subject to the full white paper or licensing requirements. However, these offers must still comply with core AML/CFT obligations.
Issuances of crypto-assets for non-economic purposes, such as rewards tied to charitable or voluntary activities, may also fall outside the scope of MiCA and the Crypto Asset Market Act. In such cases, the key condition is that the issuance is not used for investment, exchange, or payment purposes, thereby removing the need for licensing or full disclosure.
Technical and Operational Exemptions: Entities that provide only technical maintenance or support services for crypto-asset wallets, without holding or controlling users’ assets, are generally not considered crypto-asset service providers under the Act. As such, they are not subject to the same licensing or supervisory obligations. This exemption reflects the principle that purely infrastructural or backend services should not be captured under the regulatory net, unless they directly facilitate market activity.
Even in situations where exemptions apply, entities must be aware that AML/CFT requirements often remain in force. The Estonian FSA retains supervisory authority over these activities, particularly if there is any element of financial risk or public exposure. Moreover, in certain cases, a simplified white paper or formal notification to the Estonian FSA may still be required, even where full authorisation is not.
3. Regulation of VASPs in Estonia
Are VASPs operating in Estonia subject to regulation?
Yes, entities that would typically fall under the category of VASPs are subject to regulation in Estonia under the updated legal framework.
The Crypto Assets Markets Act applies broadly to individuals and entities involved in the issuance, offering and admission of crypto-assets to trading platforms, as well as to those providing crypto-asset services. It defines a “participant in markets in crypto-assets” to include crypto-asset service providers, issuers of ARTs, EMTs and other crypto-assets, as well as offerors or those seeking admission of these assets to trading, although the specific term “Crypto Assets Service Providers (CASP)” is used instead of “VASP”.
Importantly, the transitional provisions of the Crypto Assets Markets Act directly address entities that were previously regulated under a different regime. Specifically, any person who was authorised to provide virtual currency services under the MLTFPA must bring their operations into compliance with the new Act no later than 1 July 2026.
To legally operate in the crypto-asset market, participants such as service providers, issuers and offerors must obtain authorisation from the Estonian FSA, unless they fall under specific exemptions outlined in the Crypto Assets Markets Act or MiCA. The Estonian FSA holds supervisory authority over all participants in Estonia’s crypto-asset market. Its responsibilities include ensuring compliance with both national and EU-level rules.
CASPs are subject to capital and operational requirements. Most CASPs must maintain a minimum share capital of €100,000 and those offering virtual asset transfer services face a higher threshold of €250,000. Entities must establish a physical office in Estonia and appoint a management board with at least two Estonian residents. Comprehensive IT systems, cybersecurity protocols and business continuity plans are also mandatory. Compliance with AML/CFT rules is strictly enforced. CASPs must implement KYC, transaction monitoring and suspicious activity reporting. The Travel Rule applies even to transfers involving self-hosted wallets. Also, CASPs must submit quarterly activity and financial reports to the Estonian FSA and the Bank of Estonia and undergo annual audits by certified auditors.
Are VASPs providing virtual asset services from offshore to persons in Estonia subject to regulation in Estonia?
Yes, under Estonia’s regulatory regime, offshore VASPs providing crypto-asset services to persons in Estonia are subject to Estonian regulation. With the implementation of the Crypto Asset Market Act and MiCA, any VASP, including those based abroad, that targets Estonian residents, actively markets services in Estonia, or provides services remotely to persons located in Estonia must obtain a license from the Estonian FSA and comply with all local requirements. This includes establishing a real economic presence in Estonia, meeting capital and governance standards and adhering to strict AML/KYC obligations. The Estonian FSA has powers to refuse or revoke licenses for operators that do not conduct genuine business activities in Estonia or attempt to evade EU and Estonian regulatory standards.
What are the main requirements for obtaining licensing / registration as a VASP in Estonia?
To obtain a license or registration as a VASP in Estonia, the following main requirements must be met:
- General Authorisation Requirement: Any person or entity engaged in providing crypto-asset services, issuing tokens, or making public offerings of crypto-assets in Estonia must obtain prior authorisation from the FSA. The authorisation is granted for an indefinite period and cannot be transferred to another party. Operating in this space without an authorisation is a serious breach that results in the forfeiture of the right to issue, offer, or facilitate the trading of crypto-assets. The authorisation requirement ensures that only compliant, supervised and trustworthy entities are permitted to participate in the regulated crypto-asset market.
- Legal Structure and Registered Office: Entities applying for a license must be incorporated in Estonia as either a private limited company or a public limited company. The company’s registered office must be located in Estonia and this must be clearly reflected in the articles or memorandum of association.
- Compliance with EU Regulations: Applicants must operate in compliance with a suite of EU regulations. Most prominently, this includes MiCA (Regulation (EU) 2023/1114), which outlines the legal framework for crypto-asset issuance, service provision and market conduct. In addition, crypto-asset service providers must follow Regulation (EU) 2023/1113, which implements the Travel Rule, requiring the transmission of customer data along with crypto-asset transfers. Entities are also bound by DORA Regulation (EU) 2022/2554, which mandates strong digital infrastructure, IT security and operational continuity in financial services.
- Management and Governance: Strong corporate governance is a cornerstone of the licensing regime. A crypto-asset service provider must have a management board consisting of at least two individuals who are competent, experienced and of good repute. Specific governance obligations are laid out under Article 68 of MiCA, requiring that the board members possess appropriate qualifications and integrity. Where applicable, companies must also comply with structural rules for supervisory boards. Internal mechanisms must be in place for reporting regulatory violations. Furthermore, issuers of ARTs and crypto-asset service providers must notify the Estonian FSA of any changes to their management bodies, ensuring continuous supervisory oversight.
- Capital, Office and Operational Infrastructure: The licensing regime imposes minimum capital thresholds based on the nature of the services provided. Generally, the required minimum share capital is €100,000, but this increases to €250,000 for entities that provide virtual asset transfer services, due to the higher risk exposure. In addition, the entity must maintain a physical office in Estonia, reflecting a commitment to conducting real economic activity within the country. The applicant must also have operational infrastructure in place, including comprehensive IT systems, cybersecurity measures and a business continuity plan that meets both national and EU standards for financial service providers.
- Application Process and FSA Assessment: To begin operations, an application must be submitted to the Estonian FSA. While the exact list of documents may vary depending on the business model, the FSA assesses applications based on several core criteria. These include the applicant’s financial standing, internal governance structure, and the reliability and competence of its management and beneficial owners. The Estonian FSA will also evaluate the entity’s ability to comply with AML/CFT obligations. If the applicant’s structure or operations pose risks to clients, the market, or effective regulatory supervision, the FSA may deny the license. The Estonian FSA has broad authority to request additional information and supporting documents during both the licensing and supervision phases.
- Transitional Period for Pre-Existing Entities: Entities that were operating under prior laws, specifically those registered as virtual currency service providers under the MLTFPA, are subject to a transitional regime. These entities must bring their activities fully into compliance with the new Crypto Asset Market Act no later than 1 July 2026. During this period, they must reapply for authorisation under the new framework and meet all applicable requirements. Failure to do so will result in loss of permission to operate in Estonia’s regulated crypto market.
What are the main ongoing requirements for VASPs regulated in Estonia?
CASPs regulated in Estonia must comply with several ongoing requirements to ensure they are following applicable regulations. These requirements include:
- Governance and Operational Conduct: CASPs must ensure proper governance by maintaining a management board with at least two members. If structured as a private limited company, a supervisory board of at least three members is required unless exempted under MiCA. Individuals providing advice or information on crypto-assets must possess adequate knowledge of crypto services, execution of client orders, risks, conflicts of interest, complaints handling, and MiCA’s operational standards. Internal policies and procedures must be implemented for ethical business conduct, and mechanisms must be in place for internal reporting of violations of MiCA rules. Any changes to the management body must be notified to the Estonian FSA at least 30 days before the new member begins their role.
- AML/CTF: CASPs are required to implement comprehensive AML/CFT controls consistent with EU and Estonian legislation. This includes customer due diligence (CDD), transaction monitoring, and timely submission of suspicious activity reports (SARs) to the FIU. All persons advising or interacting with clients on behalf of CASPs must be well-trained in AML/CTF rules. CASPs must comply with the Transfer of Funds Regulation (Regulation (EU) 2023/1113), which mandates that all crypto-asset transfers carry sufficient identifying information (Travel Rule), including those involving self-hosted wallets. Entities operating from or connected to high-risk third countries may be denied permission to operate if linked to elevated AML/CTF risks.
- Cybersecurity and DORA: CASPs and issuers of asset-referenced tokens must comply with DORA by 17 January 2025. They must establish ICT risk management frameworks, incident response systems, and business continuity plans. All major ICT-related incidents must be reported to the Estonian FSA and the Information System Authority using the prescribed formats and within established timeframes under DORA Articles 19 and 20. CASPs may also report significant cyber threats voluntarily. Non-compliance with DORA, covering risk classification, testing, response, third-party ICT services, and governance, can result in fines of up to €5 million or 10% of global turnover for legal persons.
- Reporting Obligations: CASPs must fulfill detailed reporting obligations to the FSA. This includes submission of annual reports, decisions on profit distribution or loss coverage, and shareholder meeting minutes within two weeks of such meetings, and no later than six months after the end of the financial year. Regular supervisory reports (e.g., quarterly or annually) must also be submitted within 20 days of the period’s end. The Estonian FSA may request additional ad hoc reports depending on the risk profile or regulatory needs. CASPs must also notify the Estonian FSA of any material changes to their operations, structure, or risk exposure.
- Audit Requirements: Annual accounts of CASPs must be audited by an external certified auditor. The audit must confirm compliance with financial and prudential requirements, particularly where CASPs rely on own funds as their safeguard mechanism. The audit firm must verify adherence to these obligations and report its findings to the FSA. Additionally, if any material deficiencies or regulatory concerns arise during the audit, the firm is required to notify the Estonian FSA.
- Recordkeeping: CASPs must maintain detailed and secure records of all customer transactions, internal policies, AML/CTF due diligence measures, and communications. These records must be stored for at least five years, or longer if stipulated by the FSA or FIU, and must be readily retrievable for inspection or supervisory purposes.
What are the main restrictions on VASPs in Estonia?
Under Estonia’s Crypto Asset Market Act and the EU’s MiCA regulation, all CASPs must obtain a license from the FSA by July 1, 2026. Previous licenses issued by the FIU will become invalid after this date. Licenses are indefinite, non-transferable, and require the registered office to be in Estonia. They may expire upon dissolution, merger, bankruptcy, or revocation. Certain financial institutions (e.g., credit or e-money institutions) may operate under FSA approval if MiCA conditions are met. Offerors and those seeking trading admission of other crypto-assets may also operate without full CASP authorisation if MiCA requirements are fulfilled.
CASPs must be established as private or public limited companies, maintain a physical office in Estonia, and have a management board with at least two Estonian residents holding relevant education and experience. Minimum share capital is €100,000, or €250,000 for those offering virtual asset transfers. Governance rules limit how many CASP boards an individual may serve on, and all management must meet fit-and-proper criteria.
CASPs must comply with MiCA and Regulation (EU) 2023/1113, including AML/KYC processes, customer due diligence, transaction monitoring, and suspicious activity reporting. They must implement strong internal governance, risk management systems, and IT infrastructure, with mandatory cybersecurity and IT audits. CASPs and issuers of asset-referenced tokens must also meet DORA requirements, including reporting major ICT incidents to the FSA and Information System Authority.
Advisory services must only be provided by qualified individuals with knowledge of crypto risks, conflict management, AML/CTF, market abuse prevention, and client protection. The minister in charge may impose additional requirements. Also, operations in third countries require FSA approval, which may be denied or revoked if risks to clients or compliance arise. Participants must meet Estonian, EU, and local laws and enable effective FSA supervision. A license application fee of €10,000 applies, with ongoing supervision fees based on turnover.
What is the main information that VASPs have to make available to their customers?
In Estonia, CASPs are required to make certain essential information available to their customers to ensure transparency. The main information that CASPs must provide to their customers includes:
- Company details: CASPs must provide customers with their full legal name, registration number, and registered address to ensure customers are aware of the entity they are dealing with.
- License information: CASPs must inform customers that they hold a valid license from the Estonian FIU and provide the license number. This helps customers verify the legitimacy of the VASP.
- Terms and conditions: CASPs must provide customers with clear and comprehensive terms and conditions that outline the rights and obligations of both parties, including fees, transaction limits, and dispute resolution procedures.
- Privacy policy: CASPs must provide customers with a privacy policy that explains how their personal data will be collected, stored, processed, and protected in accordance with Estonian data protection laws.
- AML/CFT policies: CASPs must inform customers about their AML/CFT policies, including customer due diligence and verification procedures.
- Risk disclosure: CASPs must provide customers with a clear explanation of the risks associated with virtual assets, including price volatility, cybersecurity threats, and the potential for financial loss.
- Customer support: CASPs must provide customers with contact information for customer support, including email addresses, phone numbers, and support hours, to ensure customers can access assistance when needed.
- Complaint resolution: CASPs must provide customers with information about their complaint resolution process, including how to file a complaint and the timeframe for resolving complaints.
- White paper (for issuers): If the CASP is issuing crypto-assets, they must make a white paper available that details the nature of the asset, the rights and obligations attached, and the associated risks, as required by MiCA.
What market misconduct legislation/regulations apply to virtual assets?
In Estonia, market misconduct regulations for virtual assets are primarily governed by the MiCA and the Crypto Asset Market Act. These frameworks establish clear rules to prevent and address market abuse, such as insider trading, market manipulation and the unlawful disclosure of inside information in the context of crypto-assets, regardless of whether they qualify as financial instruments under traditional securities law.
If a virtual asset qualifies as a security or financial instrument, the SMA and applicable EU regulations, including the Market Abuse Regulation (MAR), apply. These impose obligations related to insider trading, market manipulation, disclosures, and the publication of prospectuses for public offerings.
Consumer protection is also reinforced under MiCA and the Estonian Consumer Protection Act, which require transparent information, fair marketing practices, and safeguards against misleading conduct targeting retail crypto users.
AML/CFT obligations are enforceable under the MLTFPA. This mandates that all crypto-asset service providers establish strong AML controls, perform customer due diligence, and report suspicious activities.
In addition, the Estonian Criminal Code applies to market misconduct, such as insider trading and market manipulation, if the virtual asset in question is treated as a security or financial instrument.
4. Regulation of other crypto-related activities in Estonia
Are managers of crypto funds regulated in Estonia?
In Estonia, fund managers who want to deal with crypto-assets, such as managing crypto funds or offering crypto-related investment services, are regulated by the Estonian FSA.
To legally provide crypto-asset services, these managers must obtain specific approval from the Estonian FSA in accordance with the Crypto Asset Market Act and the EU’s MiCA. Once authorised, fund managers are required to comply with a range of regulatory obligations. These include ensuring that personnel providing advice on crypto-assets possess appropriate expertise, implementing digital operational resilience measures as required by the EU’s DORA, and fulfilling strict reporting, accounting, and audit requirements. Although some general licensing provisions may not apply to these entities, all crypto-asset related activities must adhere to the relevant standards set by the Estonian FSA and EU law.
They are required to have internal control measures in place to identify and mitigate the risks of money laundering and terrorist financing. In addition, crypto fund managers must submit suspicious transaction reports to the Estonian FSA.
Are distributors of virtual asset funds regulated in Estonia?
In Estonia, distributors are subject to regulation when they operate in crypto-asset markets. Under the Crypto Asset Market Act and the EU’s MiCA, these fund distributors are treated as “participants in markets in crypto-assets” if they distribute crypto-assets. While they are not required to go through the full authorisation process like other crypto-asset service providers, they must obtain specific approval from the Estonian FSA. This approval is granted once the fund manager meets all conditions outlined in MiCA and provides the required documentation to the FSA.
After receiving approval, fund distributors must comply with a range of regulatory obligations. These include ensuring that anyone giving crypto-asset advice is properly qualified, adhering to the EU’s DORA on digital operational resilience, and reporting any major IT or cybersecurity incidents to the authorities. Additionally, they must maintain accurate accounting records, submit regular reports, and have their annual accounts audited. If a distributor intends to operate outside the European Economic Area (EEA), they must also obtain special permission from the Estonian FSA.
Although some general licensing requirements do not apply to these fund distributors due to their specific approval process, they are still fully responsible for complying with all relevant rules and standards that apply to their crypto-asset-related activities. The Estonian FSA closely supervises their operations and has the authority to request information, conduct inspections, and enforce penalties in cases of non-compliance.
Are there requirements for intermediaries seeking to provide trading in virtual assets for clients or advise clients on virtual assets in Estonia?
In Estonia, intermediaries such as Undertakings for Collective Investment in Transferable Securities management companies, alternative investment fund managers and other participants engaging in crypto-asset activities are regulated under the EU’s MiCA and the Crypto Asset Market Act. Generally, such participants must obtain authorisation from the Estonian FSA, although specific fund managers may instead obtain targeted approval if they meet the conditions set out in Article 60 of MiCA and provide the necessary information.
Entities providing crypto-asset advice must ensure that individuals involved possess adequate knowledge of crypto-related risks, client order execution, conflict of interest management, personal data protection, dispute resolution, market abuse prevention, AML/CFT rules, as well as the rights and obligations of clients, including associated costs. Compliance with MiCA is mandatory for all activities related to crypto-asset services such as trading or investment advice. From January 17, 2025, providers must also adhere to the EU DORA, which includes obligations to report major ICT incidents and cyber threats to the Estonian FSA.
Ongoing supervision by the Estonian FSA includes the authority to request documentation, perform inspections, issue enforcement precepts and levy penalties for non-compliance. Intermediaries must maintain proper accounting, submit periodic supervisory reports (typically quarterly or annually) and ensure their annual accounts are independently audited. Failure to comply with these obligations may result in administrative liability or fines.
5. Other relevant regulatory information
Are there any upcoming regulatory developments in respect of crypto-related activity in Estonia?
In 2025, Estonia is mainly focused on fully adopting the EU’s new crypto rules under the MiCA, along with its own national law called the Crypto Asset Market Act. By July 1, 2026, all crypto service providers in Estonia must get a MiCA-compliant license from the Estonian FSA. The older licenses issued by the FIU will no longer be valid after that date.
Until then, crypto companies need to update their operations to meet MiCA’s detailed requirements. This includes having strong internal systems, proper checks for AML and KYC, good risk and financial management and protecting clients’ assets. Companies that issue crypto-assets also have to publish clear and detailed white papers. The Estonian FSA will oversee all licensed providers to make sure they follow the same high standards as other financial institutions. This shift to MiCA is the biggest change for Estonia’s crypto industry in 2025.
Have there been any notable events in Estonia that have prompted regulatory change recently?
Yes, there have been some notable events in Estonia that have prompted regulatory change recently, particularly in relation to virtual currency regulation.
- Danske Bank Money Laundering Scandal:
In 2018, it was revealed that Danske Bank’s Estonian branch was involved in one of the largest money laundering scandals in history. The scandal involved the transfer of around 200 billion EUR in suspicious funds through the bank’s Estonian branch between 2007 and 2015.
In response to the scandal, the Estonian government introduced a number of changes to its AML/CTF framework. These changes included strengthening the powers of the Estonian FIU, increasing the penalties for non-compliance, and introducing new regulations for virtual currency service providers. The new regulations for virtual currency service providers came into force in 2020 and require service providers to obtain a license from the Estonian FIU and comply with AML/CTF requirements.
- Coin Metro Hacking:
In 2019, the Estonian cryptocurrency exchange, Coin Metro, was hacked, resulting in the theft of around 1.7 million EUR in cryptocurrency.
In response to the hack, the Estonian government introduced new regulations for virtual currency exchanges. The new regulations came into force in 2020 and require virtual currency exchanges to implement stronger security measures, such as two-factor authentication and to comply with AML/CTF requirements.
- A major milestone was the adoption of the Crypto Asset Market Act, which entered into force on 1 July 2024. This law, together with the implementation of the EU MiCA, shifted regulatory supervision from the FIU to the FSA, imposed stricter licensing, capital and operational requirements and introduced rules for investor protection and digital operational resilience.
6. Pending litigation and judgments related to virtual assets in Estonia (if any)
Yes, Estonia has seen both pending litigation and decided judgments relating to virtual currency. Here are a few examples:
- In 2020, the Estonian FIU froze the accounts of a virtual currency exchange, BTC-Alpha OÜ, and its related companies. The Estonian FIU alleged that the companies were involved in money laundering and terrorist financing activities. The case is currently pending in the Estonian courts.
- Prosecutor’s Office v. K. and T: In 2019, the Tallinn Circuit Court ruled in this case involving the theft of virtual currency from an Estonian company. The court found that virtual currency is a digital asset that can be the subject of a criminal offense and awarded damages to the victim.
- Eesti Pank v. AS LHV Pank: In 2020, the Estonian Supreme Court ruled in this case involving the taxation of virtual currency transactions. The court found that virtual currency transactions are subject to value-added tax in Estonia, and that the tax should be calculated based on the market value of the virtual currency at the time of the transaction.
7. Government outlook on virtual assets and crypto-related activities in Estonia
Estonia has taken a forward-looking approach to regulating virtual assets and crypto activities. On July 1, 2024, the Crypto Asset Market Act came into effect alongside the EU’s MiCA. Oversight has shifted from the FIU to the FSA. Existing providers of virtual currency services must switch to the new CASP licensing system by July 1, 2026. After this deadline, only entities licensed by the Estonian FSA can legally operate.
The regulations focus on strong AML/CFT measures, protecting investors and ensuring transparent operations. Estonia encourages digital innovation and the development of blockchain, fintech and digital asset solutions, and remains open to new business models, including DeFi and NFTs, while expecting all market players to uphold high standards in governance, risk management and customer protection, akin to traditional financial institutions.
8. Advantages of setting up a VASP in Estonia
According to a report by Statista, the global virtual currency market size is projected to reach over $4.3 billion by 2027, growing at a compound annual growth rate of 12.8% from 2020 to 2027. This growth is expected to be driven by factors such as increasing acceptance of virtual currencies as a mode of payment, growing demand for remittance solutions and rising investment in virtual currency startups.
- High Level of Digital Adoption: Estonia is a highly digital society, with a high level of digital adoption among its citizens. According to the World Bank, Estonia ranks first in the world for the number of online services offered by the government. This high level of digital adoption can benefit CASPs in terms of customer acquisition and operational efficiency.
- Licensing and Regulatory Framework: Estonia’s regulatory regime for CASPs is now fully aligned with MiCA, offering clear, stable and EU-harmonised rules for crypto businesses. Estonia’s single license covers exchange, wallet, token issuance and other crypto services, making it a preferred jurisdiction for digital asset businesses seeking EU market access.
- Competitive Business Environment: Estonia has a competitive business environment, with a simple and efficient business registration process. According to the World Bank’s Doing Business report, Estonia ranks 18th out of 190 countries for ease of doing business. This can help VASPs to establish and operate their business efficiently.
- Strong Cybersecurity Framework: Estonia has a strong cybersecurity framework, with a high level of technical expertise. According to the Global Cybersecurity Index, Estonia ranks 3rd out of 194 countries for its commitment to cybersecurity. This can benefit VASPs in terms of security and operational resilience.
- Favorable Tax Environment: Estonia has a favorable tax environment, with a corporate income tax rate of 20% and a 0% tax rate on retained and reinvested profits. According to a report by KPMG, Estonia ranks 1st out of 137 countries for its tax competitiveness. This can help VASPs to reduce their tax liability and reinvest their profits in their business.