Estonia • MiCA • CASP authorization

Estonia | MiCA CASP License

Full country note • Finantsinspektsioon supervision • Styled for CryptoWisely

Overview

Estonia has historically been one of Europe’s most visible “digital-first” jurisdictions and an early crypto hub. Under the EU’s Markets in Crypto-Assets Regulation (MiCA), Estonian crypto firms are moving from legacy VASP-era setups toward CASP authorization aligned with EU-wide standards, supervised by the Estonian financial supervisory authority (Finantsinspektsioon).

For serious operators, the Estonian proposition is clear: high compliance expectations, strong digital processes, and an environment that increasingly rewards real substance (not “letterbox” structures).

MiCA in Estonia

  • Regulatory baseline: MiCA (Regulation (EU) 2023/1114)
  • Competent authority (NCA): Finantsinspektsioon (Estonian Financial Supervision)
  • Why Estonia matters: Digitally native operating culture, historically crypto-active market, strong emphasis on AML and governance discipline

Grandfathering (Legacy Operators)

MiCA provides a transitional framework for existing service providers. In practice, legacy firms typically must:

  • Demonstrate continuity and prior status under legacy rules (where applicable)
  • Submit a complete CASP authorization application within the national transition window
  • Upgrade governance, safeguarding, ICT, and disclosures to MiCA standards

MiCA CASP Tiers & Minimum Own Funds

Tier Typical core services Minimum own funds
Tier 1 Advice, reception/transmission, execution-related services (depending on scope), transfers €50,000
Tier 2 Custody/safekeeping, exchange crypto↔fiat, exchange crypto↔crypto €125,000
Tier 3 Operation of a trading platform (and typically the broadest service perimeter) €150,000

Own funds must be fully paid-up and maintained. Ongoing adequacy is typically linked to fixed overheads and risk profile under MiCA prudential rules.

Process & Timeline (Indicative)

  • 1) Incorporate an Estonian OÜ (LLC): governance map, UBO and management KYC, registered address (≈2–4 weeks)
  • 2) Build the CASP file: Programme of Operations, AML/CFT, safeguarding, ICT/cyber, outsourcing, complaints, BCP/DR, disclosures (≈4–10+ weeks depending on maturity)
  • 3) Supervisory assessment: completeness check → RFIs (if needed) → substantive review → decision (timelines vary by workload and application quality)
  • 4) Banking/EMI rails: onboarding and capital placement, often run in parallel, but can be a critical path (≈3–8 weeks)

Practical expectation: Many teams plan for 4–8 months end-to-end when including preparation depth, review iterations, and bank/EMI onboarding.

Minimum Requirements (MiCA-Readiness)

  • Estonian OÜ and a credible local operating setup (address; substance expectations increase with scope)
  • Paid-up own funds per service perimeter
  • Fit-and-proper management with clear key functions:
    • Compliance
    • MLRO / AML function
    • Risk management
    • ICT / security accountability
  • Documentation package typically covering:
    • Programme of Operations (services, organizational design, outsourcing)
    • AML/CFT policy suite and risk assessment methodology
    • Safeguarding / custody & segregation procedures (if applicable)
    • ICT/cyber controls (incident response, monitoring, testing, DR)
    • Complaints, conflicts, disclosures/marketing controls
    • BCP/DR, GDPR, vendor management

Tax & Substance

  • Corporate tax (general principle): Estonia is widely known for taxing profits primarily upon distribution, rather than on retained earnings.
  • Substance: Estonia is not friendly to “paper-only” setups; the higher the risk/scope, the stronger the expectation for active management and operational reality.

Ongoing Obligations

  • Own funds maintenance and prudential monitoring
  • Continuous AML/CFT monitoring and reporting to the relevant FIU channels
  • Operational resilience testing and ICT controls maturity
  • Governance independence for key control functions
  • Periodic supervisory reporting and transparency duties
  • Client disclosures, complaint handling, GDPR, outsourcing oversight

Sanctions

  • Administrative fines and remedial measures
  • Restriction, suspension, or withdrawal of authorization
  • Management bans for misconduct
  • Public disclosure of enforcement actions

Legacy Snapshot — Estonia Pre-MiCA

Before MiCA, Estonia’s crypto framework evolved significantly over time and became stricter, with increasing substance and governance expectations compared to earlier years. The MiCA regime now serves as the unified EU-standard baseline for CASPs.

CryptoWisely.io Comment

Estonia blends digital efficiency with a serious compliance culture—a good match for operators who are genuinely ready to build.

Best suited for: Teams willing to maintain real substance, strong AML, and mature ICT controls.
Upside: High credibility signals in the EU when the authorization and controls are built properly.

CryptoWisely insight: In Estonia, the fastest path is usually a well-scoped application with a tight Programme of Operations and strong safeguarding + ICT evidence. Over-scoping services too early is a common approval drag.

Disclaimer: Informational only and not legal/tax advice. Always verify current Estonian supervisory guidance, implementing measures, and EU MiCA requirements before proceeding.