There are two Estonias in the modern crypto regulatory record, and they look almost nothing like each other. The first — call it Estonia 2018 — was the EU jurisdiction with more than 1,000 licensed VASPs at peak, a low-friction registration available to non-resident applicants for a few thousand euros, and an outsized share of the global crypto-exchange and crypto-on-ramp footprint registered there on paper. The second — Estonia 2026 — is a small, deliberate, MiCA-aligned regime supervised by Finantsinspektsioon with a handful of CASP authorisations on the ESMA register and a substance bar that is genuinely comparable to its EEA peers.
The gap between the two Estonias is the most important fact for any founder evaluating Estonia in 2026. The reputational baggage of the 2018 regime is real, the regulatory reset between 2020 and 2024 was real, and the supervisor that emerged is genuinely different from the FIU-led registration body that issued those original VASP authorisations. Reading 2018-era commentary as if it described the 2026 regime is the single most common analytical mistake in this jurisdiction.
This guide maps the Estonia reset — why the 2018 regime collapsed under its own contradictions, what the 2022–2024 cleanup actually removed, how Finantsinspektsioon now supervises MiCA CASPs in 2026, the substance bar and timeline a founder should plan against, and the practical question that matters: when is Estonia the right answer compared with Lithuania, and when is it not?
Executive summary: Estonia's 2017–2021 VASP regime peaked at 1,000+ licensees, was tightened by 2020 amendments, then thinned by 80%+ through 2022–2024 FIU revocations. In 2026 Estonia supervises a small MiCA CASP cohort under Finantsinspektsioon at substance and governance standards comparable to other EEA regulators.
Why Estonia got reset
The Estonia reset has three causal threads. First, the 2017 VASP regime was housed in the AML framework — the Money Laundering and Terrorist Financing Prevention Act — and administered by the Estonian Financial Intelligence Unit, not by the prudential supervisor Finantsinspektsioon¹[1]. That structural choice meant authorisation was an AML-registration exercise rather than an authorisation of an integrated financial institution. The screening focus, the inspection bandwidth, and the enforcement reflex were calibrated to AML — and the regime scaled past the supervisor's bandwidth almost immediately.
Second, Estonia's e-Residency programme and digital incorporation infrastructure made non-resident company formation unusually frictionless. Combined with a registration fee in the low thousands of euros, no requirement to demonstrate Estonian operating substance, and a brand promise of EU regulatory pedigree, this produced a population of paper VASPs — Estonian-registered legal entities holding Estonian crypto authorisations while operating substantively from elsewhere. By 2019–2020 Estonian VASP authorisations were being marketed worldwide as a generic EU crypto wrapper.
Third, the scandals. The Danske Bank Estonia branch case in 2017–2018 — at the time the largest AML scandal in European history — reset Estonian policy appetite for permissive AML supervision overnight. By 2019 the Estonian government had moved from defending the VASP regime to actively dismantling it, through a sequence of legislative tightenings (2020, 2021) and FIU-led revocation rounds (2022–2024) that removed the great majority of authorisations issued in the boom years.
The 2018 regime — what light-touch actually meant
The original Estonian VASP authorisation under the Money Laundering and Terrorist Financing Prevention Act came in two activity buckets — exchange of virtual currencies and virtual currency wallet service — issued by the Estonian FIU as an AML registration rather than a prudential licence. There was no minimum own-funds requirement, no requirement to demonstrate local management substance, no requirement for a real Estonian office, and a streamlined documentary process that in many cases completed within weeks of filing.
That posture produced the headline number — more than 1,000 licensed VASPs at peak — and a regulatory culture in which the supervisor knew very little about most authorised entities beyond what was on the filed application. The 2020 amendments to the Money Laundering Act bolted on a series of corrections: local management presence, a real Estonian registered office, identifiable Estonian management board members, and tightened beneficial-owner disclosure. The 2021 amendments raised the minimum own-funds threshold and tightened substance further.
Even after the 2020–2021 tightenings, the regime remained an AML registration under the FIU rather than an integrated financial-services authorisation. The structural mismatch between the supervisor's mandate and the realities of crypto-asset business — custody, market-abuse, ICT resilience, cross-border passporting — was not fixable inside the AML framework. The full reset waited for MiCA.
Estonia 2018 vs Estonia 2026 — what the regime actually requires today.
| Dimension | Estonia 2018 (FIU VASP) | Estonia 2026 (Finantsinspektsioon CASP) |
|---|---|---|
| Legal basis | Money Laundering & Terrorist Financing Prevention Act (national AML law) | MiCA (Regulation 2023/1114) + AMLR + Estonian implementing law |
| Supervisor | Estonian Financial Intelligence Unit (FIU) | Finantsinspektsioon — integrated prudential supervisor |
| Authorisation character | AML registration | Full financial-services authorisation |
| Population at peak / 2026 | 1,000+ licensed VASPs (2019–2020 peak) | 5 MiCA CASP authorisations on ESMA register |
| Minimum own funds | None initially; tightened in 2020–2021 | €50k / €125k / €150k by CASP class (MiCA Annex IV) |
| Local management | Not required until 2020 amendments | Required — Estonian management presence, MLRO, governance |
| Real office | Not required initially | Required — genuine Estonian operating presence |
| EEA passporting | No | Yes — Article 65 CASP passport across EEA |
| AML programme | Basic FIU expectations | AMLR-aligned, FATF Travel Rule, EDD, sanctions screening |
| Typical decision timeline | Weeks | 6–12 months (MiCA CASP authorisation) |
| Substance bar | Effectively none | Comparable to other credible EEA regulators |
The 2022–2024 cleanup — 80%+ revocations
The cleanup did not happen all at once. Between 2020 and 2022 the Estonian government raised the legal substance and capital floor; between 2022 and 2024 the Estonian FIU used those tightened standards as the basis for systematic revocation of VASP authorisations that could not demonstrate the new substance, capital and governance criteria. The headline outcome — more than 80% of VASP registrations revoked — is the cleanest single statistic in the recent history of EU crypto-asset supervision.
Two characteristics of the cleanup matter for any founder evaluating Estonia today. First, it was substantive rather than cosmetic — revocations were grounded in failure to meet the 2020–2021 standards on local management, real office, capital and identifiable beneficial owners, not in administrative slip-ups. Second, the surviving cohort had already demonstrated meaningful Estonian operating substance by the time MiCA fully applied on 30 December 2024 — which means the population from which the 2026 MiCA CASP authorisations emerged was already self-selected for substance.
The reputational implication is the inverse of the headline. The Estonia known internationally as a permissive crypto jurisdiction has stopped existing. The Estonia that issued the 2018 paper authorisations no longer issues them. Founders relying on 2018-era commentary will mis-price the 2026 regime by roughly a regulatory generation.
From 30 December 2024, the Markets in Crypto-Assets Regulation²[2] became the operative authorisation framework for crypto-asset service providers across the EEA, including Estonia. The Estonian implementation transferred CASP authorisation responsibility from the FIU to Finantsinspektsioon — the integrated prudential supervisor for Estonian banks, EMIs, payment institutions, insurance undertakings and investment firms. The supervisory model is now identical in shape to MiCA implementations in Lithuania, Cyprus or Ireland: an integrated prudential authority supervising CASPs alongside other regulated financial institutions.
As of 2026 there are 5 MiCA CASP authorisations attributed to Estonia on the ESMA register³[3] — a deliberately small cohort. The contrast with Lithuania's much larger EMI population and growing CASP cohort is the central comparative fact for any founder considering the Baltic region.
The Estonian application follows the standard MiCA shape: programme of operations, three-year financial projections (base and stressed), governance arrangements, fit-and-proper of directors and qualifying shareholders, ICT and cyber-resilience framework aligned with DORA, segregation of client assets, custody policy where applicable, AML and CFT programme aligned with the AML Regulation, MLRO appointment, sanctions screening, market-abuse surveillance for trading-platform operators, and complaints handling.
On the AML side, the Estonian supervisor's expectations now run against the AML Regulation⁴[4] — directly applicable EU law replacing the directive-based 5AMLD/6AMLD architecture. The AMLR sets harmonised CDD, EDD, beneficial-owner and Travel Rule expectations across CASPs and other obliged entities. The historical Estonian advantage of low AML expectations is mathematically extinguished by AMLR's direct applicability: a Tallinn-supervised CASP is subject to the same AML core as a Vilnius- or Frankfurt-supervised one.
On the prudential side, the move from FIU supervision to Finantsinspektsioon is the most consequential structural change. Finantsinspektsioon supervises Estonian banks — including some of the most consequential balance sheets in the Baltic region — alongside EMIs, payment institutions and investment firms. Its inspection methodology, fit-and-proper testing of qualifying shareholders and management, and supervisory follow-through on conditions are calibrated to financial-institution standards, not to AML-registration standards. The change in supervisor changes the meaning of an Estonian authorisation.
Two further consequences flow from that change. First, the supervisor's day-to-day relationship with the European Central Bank and EBA — embedded supervisory dialogue, common reporting templates, peer review — is the same fabric that supervises the rest of the Estonian financial sector. A Finantsinspektsioon-authorised CASP enters that ecosystem on equal terms. Second, EEA passporting under MiCA Article 65 is now genuinely available to Estonian CASPs — a structural permission the 2018 VASP regime never conferred.
When Estonia is the right answer (vs Lithuania, vs Cyprus)
The natural comparator for Estonia in 2026 is Lithuania — the EEA jurisdiction that built its supervisor's reputation processing EMI licences in 3–6 months and is now scaling its MiCA CASP cohort at material velocity (covered in our EMI Licence Lithuania guide). On most operational dimensions — English-language supervisor, EU passport, lower-cost-than-Germany regulatory home, MiCA-aligned authorisation — the two jurisdictions converge. Where they diverge is in cohort size, supervisory velocity, and the regulator's accumulated experience with the operating model the founder is bringing.
Choose Estonia if you want a small, deliberate cohort with high per-firm supervisory attention; if you are operating from a Baltic or Nordic base and Estonian residency, language or banking relationships are already part of the footprint; if your business model is novel enough that you want a supervisor with the bandwidth to actually engage with it; or if you value the regulatory clarity of a small, integrated supervisor over the higher-throughput model of a larger EEA peer.
Choose Lithuania if you need the fastest realistic CASP authorisation in the EEA; if your business depends on a deep EMI cohort for payments rails alongside the CASP; if you want a supervisor that has already processed a large number of MiCA applications and has well-rehearsed expectations; or if you need the broader Baltic fintech ecosystem (founders, hires, advisers) at scale — see our MiCA compliance guide for the full authorisation walkthrough.
Choose Cyprus if your franchise is investment-services-flavoured and you can plug into the CySEC investment-firm supervisory tradition; choose Malta if you have a pre-MiCA VFA history or value MFSA's eight-year supervisory experience with crypto-asset firms. Reputational baggage is the real reason firms avoid Estonia in 2026 — not regulatory deficit. The reset is real; the perception lag is the planning constraint.
Estonia (Finantsinspektsioon) vs Lithuania (Bank of Lithuania) — MiCA CASP authorisation comparison (2026).
| Dimension | Estonia — Finantsinspektsioon | Lithuania — Bank of Lithuania |
|---|---|---|
| Supervisor | Finantsinspektsioon — integrated | Bank of Lithuania — integrated |
| MiCA CASP cohort (2026) | 5 authorisations on ESMA register | Materially larger and growing cohort |
| EMI cohort | Small | Largest EMI population in the EEA |
| Authorisation timeline (CASP) | 6–12 months realistic | 6–12 months, often at the faster end |
| Language of supervision | English working | English working |
| Minimum own funds | €50k / €125k / €150k (MiCA Annex IV) | €50k / €125k / €150k (MiCA Annex IV) |
| Substance bar | Real Estonian management, office, MLRO | Real Lithuanian management, office, MLRO |
| AML framework | AMLR + Estonian implementing law | AMLR + Lithuanian implementing law |
| Corporate income tax | 20% (deferred until distribution) | 15% standard / 5% for small co's < €300k |
| Reputational signal | Reset jurisdiction — perception lags reality | Established fintech hub since 2017 |
| Supervisory bandwidth per firm | High — small cohort, high attention | Lower per firm — scale supervisor |
Substance bar, capital, timeline
The 2026 Estonian substance bar is operational rather than nominal. Finantsinspektsioon expects identifiable Estonian-resident management — at least one resident management-board member, with the rest of the board demonstrating availability for genuine oversight — a real Estonian office with operational presence and not merely a registered-office shell, and a permanent MLRO with appropriate Estonian-jurisdiction AML credentials.
Capital follows the MiCA Annex IV table: €50,000 for Class 1 (advice, transmission of orders, placement, reception of orders), €125,000 for Class 2 (execution, portfolio management, exchange), and €150,000 for Class 3 (custody, operation of a trading platform). Additional own-funds requirements may apply based on fixed overheads or activity volumes — the Annex IV floor is a floor, not a target.
Timeline runs in the standard MiCA shape: pre-application engagement, formal application, supervisory review, in-principle approval, conditions, and final authorisation. 6–12 months is a realistic planning range for a competent application with a well-prepared dossier; complex business models, weak management dossiers, or unresolved AML structural questions can extend this materially. The supervisor that will not be rushed is the one that produces an authorisation worth holding.
Cost is rarely decisive but worth flagging. Application and annual supervisory fees in Estonia are mid-range by EEA standards — meaningfully below Germany or Ireland, broadly in line with Lithuania, and above the cheapest offshore alternatives. The larger cost driver is Estonian operating substance: real management, real office, real MLRO, real audit, real ICT operating costs. Founders treating the authorisation as a paper exercise — the 2018 reflex — under-budget on a recurring annual basis of €300k–€600k before transaction-monitoring and audit costs are layered in.
Tax-wise, Estonia's distinctive distributed-profits regime — 20% corporate income tax payable only on distribution, with retained profits effectively untaxed at the corporate level — remains intact and is a genuine planning advantage for CASPs that intend to compound retained earnings for several years before paying distributions. The trade-off is the OECD's Pillar Two minimum-tax architecture, which Estonia has been working through; large in-scope groups should run that overlay before relying on the headline rate.
Frequently asked questions
Is Estonia still a light-touch crypto jurisdiction in 2026?
No. The 2017–2021 light-touch VASP regime is gone. Between 2020 and 2024 Estonia tightened legal substance, capital and governance standards, revoked more than 80% of VASP authorisations, and moved CASP supervision from the FIU to Finantsinspektsioon. The 2026 regime is a credible MiCA-aligned authorisation at substance and governance standards comparable to other EEA regulators.
Realistic planning range is 6–12 months from pre-application engagement to final authorisation, assuming a well-prepared dossier. Complex business models, weak management dossiers or unresolved AML structural questions can extend the timeline meaningfully.
Estonia vs Lithuania for MiCA CASP — which is faster?
Both supervise within a 6–12 month envelope. The Bank of Lithuania has processed a materially larger CASP cohort and tends toward the faster end of the range for well-prepared applications. Finantsinspektsioon supervises a smaller cohort with higher per-firm attention. If raw speed is decisive, Lithuania is usually the answer; if supervisory bandwidth for a novel model matters more, Estonia is competitive.
What substance does Estonia actually require in 2026?
At minimum: identifiable Estonian-resident management presence on the management board, a real operating office in Estonia (not a registered-office shell), a permanent MLRO with Estonian-jurisdiction AML credentials, an AML and CFT programme aligned with AMLR and MiCA expectations, and MiCA Annex IV minimum own funds for the relevant CASP class.
Does the 2018 Estonia reputational baggage still matter for banking access?
Yes, but less than it did in 2022. Correspondent banks and EEA banking partners distinguish between legacy 2018-era Estonian VASP entities and 2026-era Finantsinspektsioon-authorised CASPs. A clean origination story — incorporated post-reset, authorised under MiCA by Finantsinspektsioon, real Estonian substance — significantly de-risks the banking conversation, though it does not eliminate the explanatory burden entirely.
Evaluating Estonia or Lithuania for a MiCA CASP authorisation? Book a free regulatory assessment. We respond within 24 hours.
Book AssessmentEMI Licence Lithuania: the Bank of Lithuania authorisation track and what makes Vilnius the EEA's largest EMI hub.
MiCA Compliance Guide for CASPs: the full authorisation walkthrough for EEA crypto-asset service providers.
EEA vs UK vs Offshore: where to incorporate your crypto business in 2026 and why jurisdictional choice is determinative.
AMLR Readiness — 12-Month Roadmap: how to operationalise the EU AML Regulation across CDD, EDD, Travel Rule and sanctions screening.
Regulatory Legal Opinions: jurisdictional, licensing and structuring opinions for fintechs evaluating EEA authorisation tracks.
The Estonia reset is one of the cleaner regulatory turnarounds in modern EU financial supervision — a jurisdiction that recognised it had become a problem, dismantled the regime that made it one, and rebuilt under an integrated supervisor on MiCA's substance terms. The market has not fully repriced that yet. For founders willing to read the 2026 regime on its own evidence rather than on its 2018 reputation, Estonia is a credible, deliberately small, supervisor-engaged alternative to Lithuania — and the perception lag is itself part of the opportunity.
Footnotes & Citations
Compliance & regulatory advisory
Bespoke MiCA, AML, PSD2, GDPR, DORA programmes. No templates.
OpenToolMiCA Token Classifier
Decision tree ending at EMT, ART, utility, MiFID II, or out-of-scope.
OpenAssessmentFree regulatory bankability assessment
Pre-engagement scorecard with three priority remediation moves. Free.
OpenContinue with related resources
- MiCA & Licensing49 min read
Running a Crypto Exchange Under MiCA: Class 3 Operator Playbook (2026)
Class 3 crypto exchange under MiCA — capital, custody architecture (hot/warm/cold), matching engine, listing policy, market surveillance, DORA, AML at scale, and annual cost benchmarks by tier.
Read - MiCA & Licensing16 min read
Anatomy of a MiCA Class 3 Supervisory Inspection (2026)
The inspection-readiness map — a phase-by-phase anatomy of what supervisors actually ask during a MiCA Class 3 inspection, with evidence-pack expectations at each phase.
Read - AML/KYC16 min read
Travel Rule Architecture Build: From Scratch (2026)
Most Travel Rule writeups compare vendors. The harder build is the four-layer operating stack underneath — protocol, vendor, policy, exception — that a CASP needs in place before going live in 2026.
Read - Banking Relationships37 min read
Banking for Offshore VASPs: Cayman, BVI, Seychelles (2026)
Cayman, BVI, and Seychelles are the three offshore jurisdictions where VASPs are most often domiciled in 2026. The frameworks look broadly similar — VASP-specific statutes, licensing regimes, AML/CFT alignment — but banking outcomes differ materially. Cayman opens doors at Tier-1 USD correspondents; BVI is mid-tier; Seychelles is structurally constrained. The Offshore VASP Banking Spread.
Read