1.  How is crypto regulated?
  2.  What are the steps taken by the regulator to adopt MiCAR? 
  3. Are the following activities regulated or unregulated in your jurisdiction? ― Direct sales of tokens by issuers ― Exchange (buy/sell) ― Custody (hold) ― Borrowing/lending ― Yield/staking services ― Staking on proof of stake consensus mechanisms.
  4. Can offshore business provide services to local customers on either active solicitation or reverse solicitation basis? 
  5. How long would establishing a crypto-asset business/ obtaining a licence in your jurisdiction take?
  6. What would be the approximate overall cost of obtaining a licence?
  7. What is the probability (%) of success in obtaining a licence?
  8. What other limitations are there in your jurisdiction when looking to set up a cryptoasset business?

jurisdiction

Estonia

Disclaimer: This chapter was last updated 21 August 2025 and does not reflect any subsequent developments. The information provided is intended for general informational purposes and should not be construed as legal advice.

1. How is crypto regulated?

Jurisdiction-specific MiCAR implementation and deviations Any other regulation

In addition to the general MiCAR framework covered in the new general chapter on MiCAR, the Estonian Market in Crypto-Assets Act (krüptovaraturu seadus – “MCAA”) regulates certain aspects of the activity, liability and termination of participants in crypto-asset markets, as well as their supervision, thereby specifying and supplementing the provisions of MiCAR and Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA).

Authorisation to participate in crypto-asset markets is granted and revoked by the Estonian Financial Supervision Authority (Finantsinspektsioon – “EFSA”).

By its decision, the EFSA may also approve:

  1. the right of a credit institution, e-money institution, investment firm, UCITS management company, alternative fund manager, central securities depository or operator of a regulated securities market to operate as a crypto-asset service provider (CASP);
  2. the right of a credit institution to issue and seek admission to trading of asset-referenced tokens (ARTs);
  3. the right of a credit institution or e-money institution to issue and seek admission to trading of e-money tokens (EMTs).

Where the EFSA approves the right of an already authorised entity to also operate as a CASP or to issue ARTs or EMTs, the entity must comply with both the requirements laid down in the MCAA and those under the law on which its existing authorisation is based. Where the requirements differ, the entity is subject to whichever requirements are more detailed or more stringent.

AML/CTF
CASPs are obliged entities within the meaning of the Estonian Money Laundering and Terrorist Financing Prevention Act (rahapesu ja terrorismi rahastamise tõkestamise seadus – “AML Act”). Accordingly, the AML Act applies to their economic activities.

The competent authority under the AML Act is the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo – “FIU”). However, CASPs are not required to obtain a separate authorisation from the FIU under the AML Act, since they must already obtain authorisation from the EFSA under the MCAA.

Financial instruments
Where existing EU financial services legislation applies to a particular crypto-asset, such as MiFID II or the Prospectus Regulation, that legislation governs its regulation.

In Estonia, the offer of securities to the public and their admission to trading on regulated securities markets, as well as the activities of investment firms and the provision of investment services, are regulated by the Estonian Securities Market Act (väärtpaberituru seadus – “SMA”).

Payment services
Certain services connected with crypto-assets may qualify as payment or e-money services under PSD2 or the E-Money Directive. In such cases, the Estonian Payment Institutions and E-Money Institutions Act (makseasutuste ja e-raha asutuste seadus) applies.

2. What are the steps taken by the regulator to adopt MiCAR? 

The MCAA entered into force on 1 July 2024. Its entry into force was accompanied by amendments to several other laws governing entities engaged in crypto-asset activities. The MCAA became applicable from 30 December 2024 for persons whose activities fall within the scope of MiCAR.

Prior to 30 December 2024, businesses engaged in crypto-asset activities could apply for authorisation as a virtual currency service provider (VCSP) under the AML Act. From that date, it is no longer possible to apply for this authorisation. Instead, businesses whose activities fall within the scope of MiCAR must apply for authorisation as a CASP.

VCSPs holding a valid authorisation under the AML Act and carrying out activities within the scope of MiCAR are subject to a transition period. They must bring their activities into compliance with the requirements of the MCAA and apply for authorisation as a CASP by no later than 1 July 2026, unless they discontinue their activities. Once authorisation under the MCAA is granted, the previous VCSP authorisation becomes void. All VCSP authorisations will in any event cease to have effect on 1 July 2026.

If a VCSP submits an application for authorisation to the EFSA before 1 July 2026, and the EFSA has not yet made a decision to grant or refuse authorisation by that date, the VCSP’s activities will not be considered unauthorised or subject to criminal liability under the Estonian Penal Code.

3. Are the following activities regulated or unregulated in your jurisdiction? ― Direct sales of tokens by issuers ― Exchange (buy/sell) ― Custody (hold) ― Borrowing/lending ― Yield/staking services ― Staking on proof of stake consensus mechanisms.

Jurisdiction-specific MiCAR implementation and deviations Any other regulation

In this respect, please see the general chapter on MiCAR. The MCAA specifically provides that it applies to persons engaged in the issuance, offering and admission of crypto-assets to trading on a trading platform for crypto-assets, as well as those providing crypto-asset services for the purposes and within the scope of application of MiCAR.

Similarly, the scope of participants in markets in crypto-assets for the purposes of the MCAA is defined to include:

  1. a CASP;
  2. an issuer of ARTs specified in MiCAR, an issuer of EMTs specified in MiCAR, and an issuer of other crypto-assets;
  3. an offeror of other crypto-assets and any person seeking admission to trading of other crypto-assets, unless such activity falls outside the scope of application of MiCAR.

NFTs are generally excluded from the scope of MiCAR. However, if they are part of a larger fungible series or collection, they may no longer be considered non-fungible and could therefore fall within the scope of regulated crypto-assets.

In case the existing EU financial services legislation applies, it governs the regulation of such crypto-assets.

4. Can offshore business provide services to local customers on either active solicitation or reverse solicitation basis? 

In this respect, please see the general chapter on MiCAR.

Active solicitation by offshore firms into the EU is not permitted under MiCAR unless the firm is authorised as a CASP within the EU.
Reverse solicitation under MiCAR is permitted only at the client’s own exclusive initiative.

5. How long would establishing a crypto-asset business/ obtaining a licence in your jurisdiction take?

In case of applying for authorisation with the EFSA, businesses should consider that the entire application procedure usually takes between six months and one year. Certain preparations must be completed before submitting an application. Once the application has been submitted, the law sets specific deadlines for the EFSA to review it.

ARTs
The EFSA will assess the completeness of an application for authorisation of an ART within 25 business days of receiving it. If the EFSA concludes that the application is complete, it will then assess, within 60 business days, whether the applicant issuer meets the requirements for the issuance of an ART. If additional questions arise, the procedure may be paused for up to 20 business days.

Other crypto-asset services
The EFSA will assess the completeness of an application for authorisation for other crypto-asset services within 25 business days. If the EFSA concludes that the application is complete, it will then assess, within 40 business days, whether the applicant CASP meets the requirements of MiCAR and the MCAA. The time limit may be paused for up to 20 business days.

EMTs
For offers to the public or admission to trading of EMTs, the issuer is not required to seek authorisation from the EFSA. However, it must already be authorised as a credit institution or an e-money institution (EMI). In addition, it must notify the EFSA and publish a white paper in accordance with Article 51 of MiCAR.

6. What would be the approximate overall cost of obtaining a licence?

The cost of obtaining authorisation depends on the type of activities the business engages in and the complexity of its operations, which affects potential personnel, infrastructure and legal costs. While these vary on a case-by-case basis, a processing fee of EUR 3,000 is payable by CASPs, issuers of ARTs or EMIs when seeking authorisation from the EFSA.

Prospective market participants should also take into account that CASPs, issuers of ARTs and EMIs are required to pay a supervision fee from the date they are granted the right to operate in the corresponding area of activity.

7. What is the probability (%) of success in obtaining a licence?

As of August 2025, the EFSA has not granted any authorisations under the MCAA for Estonian CASPs. This does not necessarily indicate the success rate of applications but rather reflects that the transition period runs until 1 July 2026, and service providers are not rushing to move to MiCAR. However, 25 service providers have been registered as providing services in Estonia on a cross-border basis.

8. What other limitations are there in your jurisdiction when looking to set up a cryptoasset business?

Jurisdiction-specific MiCAR implementation and deviations Any other regulation

Certain limitations apply when seeking authorisation as a participant in markets in crypto-assets under the MCAA. These limitations mainly concern the operations of the business.

Physical presence
The registered office of the business must be in Estonia. In addition, the business may only operate as a private limited company (osaühing) or a public limited company (aktsiaselts).

Governance requirements
A crypto-asset business must have a supervisory board consisting of at least three members, unless it is a private limited company that does not provide the service specified in Article 3(1), point (16)(a) or (b) of MiCAR. The management board of a CASP must consist of at least two members.

Reporting and auditing obligations
Participants in markets in crypto-assets must submit their annual reports and other relevant documents to the EFSA within two weeks of the shareholders’ meeting, and no later than six months after the end of the financial year.

Annual accounts must be audited, and participants must appoint a trustworthy audit firm with adequate expertise and experience, with the EFSA notified of the appointment.

Reorganisation of business
The transformation of a CASP or an issuer of ARTs is permitted only from a private limited company into a public limited company, in accordance with the Estonian Commercial Code (äriseadustik) and with EFSA approval.

The merger or dissolution of a CASP or an issuer of ARTs must follow the Commercial Code and requires EFSA approval. Division of a CASP or an issuer of ARTs is not permitted.

Since CASPs are obliged entities under the AML Act, they must apply the AML Act in their activities and perform the necessary due diligence measures. In addition, CASPs must appoint a management board member responsible for overseeing the implementation of the AML Act and relevant guidelines. They must also appoint a compliance officer, who serves as the contact person for the FIU.

Compliance officer
Only a person who works permanently in Estonia and has the education and background required to perform the duties of a compliance officer may be appointed to this role. The appointment of a compliance officer must be coordinated with the FIU, which assesses the suitability of the candidate.
 

 

The experts from Tegos provided the input.