Crypto license in Estonia

By 2025, the regulation of the cryptocurrency business in Estonia will have reached a high level of maturity and will comply with European Union legislation.

Currently, supervision of activities in this area is carried out by two key bodies: the Estonian Financial Supervision Authority (EFSRA, FSA) and the Financial Intelligence Unit (FIU, Rahapesu Andmebüroo).

Until recently, the FIU played the main role in regulation—it was this body that issued licenses to virtual currency service providers (VASPs) and monitored compliance with anti-money laundering and counter-terrorist financing (AML/CFT) legislation under the MLTFPA. However, on July 1, 2024, the Crypto Asset Market Act (CMA) came into force in Estonia, integrating the European regulations MiCA (Regulation on Markets in Crypto Assets) and DORA (on digital sustainability in the financial sector) into the national legal system.

With the transition to the new regime, regulatory powers have been transferred to the FSA. Now it is this body that:

• Issues CASP (crypto asset service providers) licenses to providers of services related to crypto assets;
• monitors compliance with requirements for capital, customer asset protection, transparency, governance, and complaint handling;
• monitors compliance with digital operational resilience under DORA;
• ensures that all players comply with MiCA requirements.

Licenses previously issued by the FIU are valid only until July 1, 2026. After that date, all providers are required to obtain a new CASP license from the FSA, regardless of their past status. The transition period does not imply automatic recognition of existing authorizations.

The provisions of the Crypto Market Act affect all existing and new participants, including financial institutions, if their activities affect the field of crypto assets. Thus, the regulated entities are:

• crypto asset exchanges;
• custodial wallet providers;
• crypto asset exchange platforms;
• issuers of asset-referenced tokens (ARTs) and electronic money tokens (EMTs);
• providers of transfer, management, storage, and advisory services in the field of crypto assets.

Such companies are required to undergo a rigorous licensing process and comply with requirements for capital, corporate governance, internal control, customer asset protection, and transparency. This means greater integration of crypto businesses into the traditional financial system and increased oversight of risks related to cybersecurity, money laundering, and investor protection.

Legislative framework

The legislative framework for regulating crypto businesses in Estonia combines both national legislation and European standards. From 2024–2025, regulation has become even more systematic thanks to the introduction of new laws aimed at increasing transparency, financial stability, and compliance with EU standards.

Key laws regulating crypto activities in Estonia:

• Money Laundering and Terrorist Financing Prevention Act (MLTFPA)

Adopted on March 15, 2022, this law has long been the basis for regulating the crypto business in Estonia. It:

• defines the concept of virtual currency;
• establishes mandatory procedures for combating money laundering (AML) and terrorist financing (CTF);
• requires customer identification (KYC), transaction monitoring, and reporting;
• regulates the activities of virtual currency service providers (VASPs), previously licensed by the FIU (financial intelligence unit).

The MLTFPA is still in force, but now mainly performs AML/CTF functions, having ceded its role as the primary regulator for licensing to new acts.

• Crypto Asset Market Act (CMA).

Entered into force on July 1, 2024. It is a national implementation and supplement to the European MiCA and DORA regulations and regulates:

• the activities, licensing, termination of activities, and liability of crypto market participants;
• all types of crypto services (exchange, storage, trading, consulting, transfers, etc.);
• the protection of customer rights, capital requirements, corporate governance, the storage of customer assets, and complaint handling mechanisms;
• mergers, transformations, and bankruptcies of crypto companies.

All crypto market participants, both local and international, working with Estonian customers, are required to bring their activities into compliance with the CMA. From December 30, 2024, it will apply to all new participants, and a transition period is provided for holders of old licenses until July 1, 2026.

• EU Regulation on Markets in Crypto Assets (MiCA, Regulation 2023/1114).

This is a pan-European regulation on which the CMA is based. For the first time in the EU, MiCA introduces:

• a single classification of crypto assets;
• uniform rules for custodians, issuers, platforms, exchanges, and other crypto service providers (CASP);
• requirements for transparency, ownership structure, and corporate governance;
• special provisions for asset-referenced tokens (ARTs) and electronic money tokens (EMTs).

From July 2024, MiCA will apply directly in Estonia as part of the CMA and will set standards for the entire industry.

• EU Regulation DORA (on digital operational resilience).

Complements MiCA by establishing requirements for:

• IT security of crypto companies;
• management of risks related to digital infrastructure;
• notification of cyber incidents and their prevention.

DORA applies to both banks and CASPs, strengthening oversight of the resilience of crypto businesses to technological failures.

• International Sanctions Act (2019).

Requires crypto companies to check customers and transactions for compliance with international sanctions. This reduces the risks of crypto assets being used to circumvent restrictions and finance prohibited regimes.

Thus, Estonia’s legislative framework is based on modern European standards and includes strict requirements for governance, reporting, and supervision, creating a stable, secure, and transparent environment for crypto businesses.

Licensing and registration

In 2025, Estonia continues its transition to a new crypto market regulation system in accordance with the pan-European MiCA regulation and the national Crypto Asset Market Act. The key licensing document is the CASP (Crypto-Asset Service Provider) license, which is gradually replacing the previously valid VASP licenses.

The CASP crypto license is an official permit issued by the Estonian Financial Supervision Authority (FSA). It confirms the company’s right to provide a wide range of services related to digital assets.

These activities include:

• cryptocurrency wallet storage services — the company can provide custodial services, i.e., manage clients’ crypto wallets and store their private keys on behalf of the owners;
• cryptocurrency exchange for fiat currency — the company is granted the right to buy and sell digital assets in exchange for traditional currencies;
• exchange of one virtual currency for another — the company is permitted to provide a service that allows users to exchange one crypto asset for another.

Income from exchange transactions is usually generated by charging a commission.

When applying for a license, a company must indicate the specific activities it plans to engage in and register as a provider of the relevant services. It is possible to register for all areas covered by Estonian law at once.

Obtaining a license is mandatory for anyone who wants to legally conduct crypto business in Estonia and have access to the European market on a stable legal basis. The license confirms that the company complies with AML/KYC standards, has a transparent structure, sufficient capital, and reliable managers.

To obtain a license, a company must:

• be registered in Estonia;
• have a physical presence in the country (office and employees);
• comply with AML/CFT rules and conduct KYC procedures;
• ensure a transparent corporate structure;
• have qualified and trustworthy managers;
• provide a business plan and description of activities;
• have authorized capital (the amount depends on the services provided).

The CASP license is indefinite, but it is non-transferable and may be revoked if the requirements are violated.

The transition period lasts until July 1, 2026. Until that date, companies with an outdated VASP license (issued by the FIU) may continue to operate but are required to switch to CASP and bring their business into compliance with the new regulations. From July 1, 2026, the CASP license will be the only valid form of admission to crypto activities in Estonia.

Register of crypto companies

The Estonian register of cryptocurrency companies is open and available on the website of the national Economic Activities Register, which contains information on all licensed companies in Estonia, not just those in the crypto sphere.

Companies in the register are classified by license type, reflecting differences in their regulatory status. Since there are several types of crypto licenses in Estonia, each registered company is listed according to the services for which it has been authorized.

Thus, the register separately lists companies registered for the following activities:

• provision of services related to virtual currency;
• provision of cryptocurrency wallet storage services;
• conducting cryptocurrency-to-fiat exchange transactions.

In addition, the register also lists companies whose licenses have been revoked.

Conducting crypto business in Estonia is subject to a number of strict obligations established under anti-money laundering and counter-terrorist financing (AML/CFT) legislation. Companies providing services related to virtual currencies are considered reporting entities and are required to comply with certain control and reporting procedures.

One of the key requirements is the obligation to monitor customer transactions to identify suspicious activity. This includes analyzing business relationships and daily transactions, as well as mandatory notification of the Financial Intelligence Unit (FIU) if signs of possible money laundering or terrorist financing are detected. Particular attention is paid to large transactions exceeding €32,000 or the equivalent in another currency if the settlement is made in cash. Even if this amount is split into several payments over a year, the reporting obligation remains. However, this requirement applies specifically to cash transactions and does not directly apply to cryptocurrency transactions.

Cryptocurrency service providers are required not only to conduct internal monitoring but also to undergo mandatory audits to assess their compliance with AML/CFT requirements. Thus, the crypto business in Estonia requires a systematic approach to financial compliance, including the establishment of transparent procedures for customer identification, transaction monitoring, and interaction with the regulator.

Liability for non-compliance

Failure to comply with the established requirements may result in serious liability. Estonian legislation, including the Crypto Asset Market Act and the provisions of the European MiCA Regulation, provides for both administrative sanctions and supervisory measures.

The most common consequences for violators are license revocation, especially in cases where the company does not commence operations within six months of receiving a license or ignores key requirements.Penalties and fines are also possible.
For individuals, the maximum fine can reach €700,000 and, depending on the circumstances, twice the amount of the illegally obtained profit or losses that were avoided. For legal entities, the penalties are significantly higher—up to €5 million, or up to 5% of annual turnover (or the turnover of the entire group of companies), or twice the amount of the benefit obtained.

Special attention is paid to issuers of crypto assets. Violation of MiCA requirements for reserve-backed assets (ART) or electronic money tokens (EMT) entails similar liability. Fines of up to 12.5% of turnover or up to €15 million are possible in cases of serious market abuse.
If a crypto company violates disclosure rules, ignores requirements to combat market manipulation, or commits other abuses, the sanctions are increased: individuals face fines of up to €5 million, and legal entities face fines of up to €15 million or up to 15% of turnover.
In addition to financial penalties, the Estonian Financial Supervision Authority (FIU) has the power to apply coercive measures. It has the right to temporarily suspend a company’s activities, revoke its license, or demand that violations be remedied within a specified period.