Crypto license in Estonia: what it is, who needs it, and how to stay compliant

Crypto license in Estonia

“Crypto license in Estonia” used to mean one thing: an authorisation from the Estonian Financial Intelligence Unit (FIU) under Estonia’s AML framework. Today, it’s more nuanced. Estonia has moved crypto-asset market supervision to the Estonian Financial Supervision Authority (Finantsinspektsioon) under the Markets in Crypto-Assets (MiCA) framework, backed by Estonia’s Market in Crypto-Assets Act.  

For founders, this shift matters because the right “license” depends on what you dowhere you are established, and whether you want EU-wide passporting. Below is a practical map of what “crypto licensing” in Estonia means in practice, and how to approach it in a way that stands up to bank onboarding, partner due diligence, and regulator scrutiny. 

What people usually mean by “crypto license in Estonia” 

In day-to-day business talk, “crypto license in Estonia” can refer to either: 

  • FIU authorisation (legacy model): historically used for virtual currency service providers under Estonia’s Money Laundering and Terrorist Financing Prevention Act (MLTFPA), with FIU guidance on application expectations.  
  • MiCA / CASP authorisation (current EU framework): authorisation to act as a crypto-asset service provider (CASP) under MiCA, supervised in Estonia by Finantsinspektsioon, with national rules set out in Estonia’s Market in Crypto-Assets Act.  

In other words: Estonia is no longer “FIU-only” for crypto market licensing—MiCA has made CASP authorisation the central route for regulated crypto-asset services in the EU.  

 

Who needs a crypto license in Estonia? 

You typically need an Estonian crypto authorisation if you are providing crypto-asset services as a business and you are established in Estonia (or seeking authorisation there to operate and passport across the EU). MiCA’s CASP concept covers professional crypto services to clients, and Estonia’s national act ties authorisation to supervision by Finantsinspektsioon.  

Common examples that trigger licensing (high-level) include: 

  • Operating an exchange or brokerage (crypto-to-fiat, crypto-to-crypto) 
  • Custody / wallet services on behalf of clients 
  • Running a trading platform for crypto-assets 
  • Executing orders, placing crypto-assets, or receiving/transmitting orders (as defined under MiCA service categories) 

The exact classification matters because it determines your application scopecapital expectationsgovernance, and compliance design.  

Crypto license in Estonia vs company registration (a common pitfall) 

A frequent misconception is: “We registered an Estonian OÜ, so we’re licensed.” 

An Estonian company registration (even with e-Residency) is not the same as being authorised to provide regulated crypto services. Licensing status depends on the relevant regulator/registry and your permissions under the applicable legal framework.  

If your go-to-market relies on “regulated in Estonia” as a trust signal, you should treat verification and regulatory positioning as a core product requirement, not a marketing checkbox. 

The two compliance layers you must plan for 

Even when you pursue MiCA/CASP authorisation, you should expect two layers to be examined in parallel: 

1) Market conduct & prudential supervision (MiCA / Finantsinspektsioon) 

This is the “permission to operate” layer: governance, suitability, risk controls, operational resilience, conflict management, client asset safeguards, and more—supervised in Estonia by Finantsinspektsioon and grounded in MiCA plus Estonia’s Market in Crypto-Assets Act.  

2) AML/CFT compliance (Estonian AML rules and expectations) 

Even with MiCA, AML expectations don’t disappear. Estonia’s FIU guidance and Estonia’s AML framework remain highly relevant to how you design KYC/KYB, transaction monitoring, sanctions screening, and reporting workflows—especially for banking and payment partner onboarding.  

At Silva Hunt, an Estonia-based accountancy and tax advisory firm, we see many licensing projects fail not because the founders “didn’t try,” but because they treated compliance as a document pack rather than an operating model. 

What regulators and banks want to see (in plain terms) 

Whether you’re applying for authorisation or trying to keep it, the strongest files tend to show four things clearly: 

Real presence and real decision-making 

Estonia’s national framework explicitly connects authorisation to establishment and governance expectations (for example, registered office requirements in the national act). In practice, you should be ready to demonstrate where decisions are madewho controls risk, and how oversight works day to day.  

A compliance program that matches your risk 

FIU application guidance (legacy route) is a useful benchmark for how Estonia expects AML processes to be documented and operated, including internal rules, risk assessment, and responsible roles. Even if you are moving into the MiCA lane, these expectations still influence counterparties and local compliance culture.  

Transparent ownership and fit-and-proper leadership 

Crypto licensing is not friendly to “nominee-by-default” setups. You should expect scrutiny on: 

  • beneficial owners and funding sources 
  • management competence and integrity 
  • conflicts of interest 
  • outsourcing and group structures 

(Exact tests depend on your services and structure under MiCA and Estonian law.)  

Operational resilience and security that can be audited 

Even before you scale, you need controls that stand up to external review: access management, incident handling, vendor governance, and reliable recordkeeping. Regulators increasingly read “security” as part of consumer protection and market integrity, not a technical afterthought.  

Step-by-step: how to approach a crypto license in Estonia (practical route) 

Below is a founder-friendly sequence that reduces rework and improves your odds of clean onboarding. 

Step 1: Define the exact service scope 

Start with a brutally specific service map: 

  • What do you do for the client? 
  • Do you ever custody client assets? 
  • Where are clients located? 
  • Do you touch fiat rails (payments, cards, IBANs)? 
  • Are you only providing software, or an actual financial service? 

Your scope drives whether you need CASP authorisation and what kind.  

Step 2: Choose the “home Member State” strategy 

MiCA authorisation is anchored to your home jurisdiction, and successful companies align substance, leadership, and key functions with that choice. If Estonia is your home base, align your organisation and governance accordingly.  

Step 3: Build the operating model first, then write the policies 

Policies should reflect reality: 

  • onboarding flow (KYC/KYB) 
  • risk scoring 
  • blockchain analytics / monitoring logic 
  • sanctions checks 
  • escalation and reporting 
  • client communications and complaints 

FIU guidance documents (from the prior licensing era) remain useful as a “minimum seriousness bar” for AML documentation quality.  

Step 4: Prepare governance and fit-and-proper evidence 

Have a coherent story for: 

  • board and senior management roles 
  • compliance officer and MLRO responsibilities 
  • independence and reporting lines 
  • competence evidence (experience, qualifications) 
  • internal audit / second-line oversight (even if outsourced) 

Under Estonia’s Market in Crypto-Assets Act, authorisation is granted and revoked by Finantsinspektsioon. Treat governance as central, not administrative.  

Step 5: Align finance, tax, and accounting from day one 

This is where many crypto startups lose time: 

  • how you recognise revenue (fees, spreads, staking, listing, etc.) 
  • how you treat client funds / client assets 
  • how you document token flows 
  • how you evidence source of funds for capitalisation and operating expenses 

A licensing-ready business is usually also a “bank-ready” business—and that requires clean accounting logic from the start. 

If you’re setting up the company itself, Silva Hunt’s Estonia incorporation support page is a good starting point. 

Step 6: Treat the application as a regulated product launch 

A strong application pack typically includes: 

  • clear service descriptions 
  • policies that match your systems 
  • governance, staffing, and outsourcing details 
  • risk assessments 
  • security and continuity controls 
  • evidence that your Estonian setup is real and sustainable 

Finantsinspektsioon’s crypto-asset licensing page confirms the supervisory lane for crypto-asset markets in Estonia under the national act.  

Key risks that get crypto licences rejected (or later revoked) 

If you want to reduce the “surprise rejection” risk, watch these patterns: 

  • Thin substance: no real leadership, no real operations, “paper Estonia” 
  • Policy theater: impressive PDFs, weak actual controls 
  • Unclear token/flow logic: cannot explain where value comes from and where it goes 
  • High-risk exposure without controls: weak sanctions posture, weak monitoring, weak escalation 
  • Overpromising “EU passporting” too early: marketing claims that don’t match authorisations 

With our guidelines, it’s easier to understand the main topics and the core documents you’ll need for a crypto license in Estonia. But every business model is different, and each case requires an individual approach. At Silva Hunt, our legal team reviews your situation case-by-case and turns complex licensing steps into a clear, practical plan that fits your operations. We have extensive experience helping founders avoid the common mistakes that often happen when companies try to navigate licensing on their own. Let our professionals support you in building your business the right way—smoothly, compliantly, and with fewer delays.

by
Estimated reading time: 16 minutes