Estonia 2026: Practical VASP Compliance Checklist, What Crypto Businesses Must Do Before the AML Act Sunset

Crypto compliance Estonia is no longer a future-planning exercise, it is an immediate operational priority. On 23 March 2026, Finantsinspektsioon (the Estonian Financial Supervisory Authority, or FSA) confirmed that the transition period for crypto companies ends in summer 2026, with legacy Virtual Asset Service Provider (VASP) licences ceasing to be valid after 1 July 2026. After that date, only firms holding a licence issued by Finantsinspektsioon under the Market in Crypto-Assets Act, or authorised under an equivalent EU supervisory regime, may lawfully provide crypto-asset services in Estonia.

This article delivers a practitioner-grade, time-bound VASP compliance checklist, covering licence applications, AML policy overhauls, DAC8 tax reporting readiness, Travel Rule implementation and MiCA/CASP coordination, so that general counsel, founders and compliance officers can act decisively in the weeks that remain.

Executive Summary: What This Checklist Achieves

The bottom line is straightforward: if your company provides crypto-asset services to or from Estonia and you have not secured a Finantsinspektsioon licence or an equivalent EU CASP authorisation by 1 July 2026, you must cease operations. There is no grace period after the sunset date.

This checklist is designed for two groups:

• Existing operators holding legacy VASP licences issued under Estonia’s earlier AML regime who must convert or re-apply before the deadline.
• New entrants, exchanges, custodial wallet providers and fintechs, planning to launch crypto-asset services in Estonia and needing a clear roadmap for licensing and ongoing compliance.

Each section below maps directly to a concrete compliance task, an owner (Legal, Compliance or Technology) and a deadline. The goal is to compress months of regulatory analysis into a single, actionable reference that a compliance team can execute week by week.

Key Legal Changes and Timeline for Crypto Compliance Estonia

Estonia’s crypto regulatory framework has undergone a rapid transformation. The country once issued hundreds of VASP licences through a relatively light-touch process managed by the Financial Intelligence Unit (FIU). That era is over. Supervision has shifted to Finantsinspektsioon, and the national Market in Crypto-Assets Act (Krüptovaraturu seadus) now supplements the directly applicable EU Markets in Crypto-Assets Regulation (MiCA). Below is the critical timeline every operator must internalise.

The Finantsinspektsioon notice of 23 March 2026 is unambiguous: “After that date, crypto asset services may only be provided in Estonia by companies with a licence from Finantsinspektsioon or the supervisory authority of another EU Member State.” Industry observers expect no further extensions.

Compliance Obligations by Entity Type

The critical distinction turns on whether the service involves custody, exchange or transfer of crypto-assets. The Market in Crypto-Assets Act, as published in the Riigi Teataja, “applies to persons who are engaged in the issuance, offer and admission of crypto-assets to trading on a trading platform for crypto-assets.” Purely non-custodial protocols without fiat interfaces may fall outside scope, but any element of intermediation, order matching, custody of keys, fiat conversion, triggers the licence requirement.

Who Needs an Estonia Crypto Licence After the Transition

The scope of the licensing requirement is broad. Under the dual framework of MiCA at the EU level and the national Market in Crypto-Assets Act, the following activities require authorisation from Finantsinspektsioon when conducted in or from Estonia:

• Operation of a trading platform for crypto-assets (order-book or OTC matching).
• Exchange of crypto-assets for fiat or for other crypto-assets on behalf of clients.
• Custody and administration of crypto-assets (including private-key management).
• Transfer services for crypto-assets on behalf of third parties.
• Placement, reception and transmission of orders for crypto-assets.
• Advisory services on crypto-asset portfolios.

Finantsinspektsioon is the sole licensing and supervisory body for crypto-asset service providers in Estonia. The earlier regime, under which the Financial Intelligence Unit (FIU) issued VASP licences, has been fully superseded.

Local Establishment and Substance Checklist

Applicants must demonstrate genuine local presence in Estonia. The likely practical effect of the new requirements is that shell-company structures, once common in Estonia’s crypto sector, will not survive regulatory scrutiny. At a minimum, firms should ensure the following:

• Legal seat. The company must be incorporated as an Estonian private limited liability company (OÜ) or public joint-stock company (AS) with a registered office in Estonia.
• Local director. At least one member of the management board must be an Estonian resident with relevant qualifications and a clean compliance record.
• Physical office. The company must maintain a genuine office presence (not merely a virtual address) in Estonia.
• Auditor agreement. An agreement with an Estonian-registered auditor must be in place before or at the time of the licence application. This is a mandatory prerequisite.
• Compliance officer. A designated AML/CFT compliance officer, resident in Estonia, must be appointed and named in the application dossier.

Early indications suggest that Finantsinspektsioon applies rigorous fit-and-proper assessments. Firms that cannot demonstrate substantive decision-making and operational capacity in Estonia face rejection or protracted review cycles.

The 90/60/30-Day Pre-Sunset VASP Compliance Checklist

This is the operational core of the article. Each phase below maps to the weeks remaining before 1 July 2026 and assigns tasks to functional owners within the organisation.

90 Days Out: Governance, Licence Applications and Corporate Structure

Owner: Legal and Board

1. Confirm entity status. Verify that the Estonian entity (OÜ or AS) is in good standing with the Commercial Register. If no Estonian entity exists, begin incorporation immediately, the process typically takes two to four weeks.
2. Engage an Estonian auditor. Execute a formal auditor engagement letter. Finantsinspektsioon will not accept an application without a confirmed auditor relationship.
3. Prepare the licence application dossier. The dossier submitted through the Finantsinspektsioon portal must include:
   • Business plan describing the crypto-asset services to be provided, target markets and projected volumes.
   • Organisational chart identifying the management board, compliance officer and AML reporting officer.
   • Fit-and-proper documentation for all persons with qualifying holdings or management roles (CVs, criminal-record extracts, proof of qualifications).
   • Internal rules on AML/CFT, risk management and internal control.
   • IT security policies and business-continuity plans.
   • Proof of initial capital in accordance with the applicable MiCA thresholds.
4. Submit the application. Allow at least 40 business days for Finantsinspektsioon’s compliance check, which may be extended by up to 20 additional business days. Delays are common where documentation is incomplete.

60 Days Out: AML Systems, Board Policies and Transaction Monitoring

Owner: Compliance and Technology

1. Overhaul the AML/CFT policy. The existing policy must be updated to reflect AML requirements Estonia has adopted through the Market in Crypto-Assets Act. Key elements:
   • Customer due diligence (CDD) procedures with enhanced due diligence (EDD) triggers for high-risk clients and jurisdictions.
   • Ongoing monitoring rules specifying transaction-value thresholds and behavioural red flags.
   • Sanctions screening procedures (EU consolidated sanctions list, UN lists, local Estonian lists).
   • Suspicious-activity reporting procedures, including escalation paths and Finantsinspektsioon/FIU reporting templates.
2. Implement or upgrade KYC/KYT tooling. Select and integrate a KYC vendor capable of verifying Estonian and EU identity documents, and a Know-Your-Transaction (KYT) solution that screens on-chain transfers against risk-scoring models. Test the tooling against sample transaction sets.
3. Travel Rule readiness. Ensure that your system can transmit and receive originator and beneficiary information for crypto-asset transfers as required under the EU Transfer of Funds Regulation. This means integrating with a Travel Rule protocol (such as TRISA, OpenVASP or a commercial messaging network) and testing interoperability with counterparty VASPs.
4. Board resolution. The management board must formally adopt the updated AML/CFT policy, the risk-appetite statement and the compliance-monitoring plan. Minutes of this resolution should be retained for the Finantsinspektsioon dossier.

30 Days Out: Testing, Filing and Go-Live Preparation

Owner: All Functions

1. End-to-end compliance test. Run a simulated onboarding cycle: client identification, CDD, EDD, transaction screening, Travel Rule message exchange and suspicious-activity report generation. Document the results and remediate any failures.
2. Safeguarding and custody proofs. If the business custodies client crypto-assets, prepare evidence of segregation arrangements, cold/hot wallet architecture, multi-signature controls, insurance coverage (if applicable) and reconciliation procedures.
3. EMTA registration and data readiness. Register or confirm registration with the Estonian Tax and Customs Board (EMTA). Verify that your systems can export the data fields required for DAC8 crypto reporting (detailed in the next section).
4. Regulatory correspondence file. Compile all communications with Finantsinspektsioon, EMTA and external advisers into a single indexed file. This file will be your first line of defence in any post-licensing audit.
5. Contingency plan. If the licence has not been granted by 1 July 2026, prepare a wind-down or suspension plan for Estonian operations. Unlicensed provision of crypto-asset services after the sunset date exposes the firm and its directors to enforcement action.

DAC8, EMTA and Tax Reporting Obligations for Crypto Compliance Estonia

Tax reporting is the second major compliance front for Estonian crypto businesses. In January 2026, Estonia’s Finance Minister confirmed that “income earned from crypto assets must be taxed like any other income” and that, from 2027, it will be mandatory for crypto-asset information to be submitted to EMTA. This aligns with the EU’s DAC8 directive, which extends automatic exchange of tax information to cover crypto-asset transactions.

What Data Must Be Captured and Reported

Crypto platforms operating in Estonia must begin collecting and retaining the following data at the transaction level, ready for DAC8 crypto reporting exports from 2027:

• User identification: Full legal name, date of birth, tax identification number (TIN), country of tax residence and registered address for each reportable user.
• Transaction details: Type of transaction (purchase, sale, exchange, transfer), date, gross proceeds, cost basis (where available), and the specific crypto-asset involved.
• Wallet addresses: On-chain addresses associated with each transaction, to the extent the platform controls or records them.
• Aggregate annual figures: Total number of transactions and aggregate gross proceeds per user per crypto-asset, per calendar year.

Retention periods under Estonian law and DAC8 require that these records be maintained for a minimum of five years from the date of the transaction. Firms should implement structured database exports in the technical format specified by EMTA, early indications suggest alignment with the OECD Crypto-Asset Reporting Framework (CARF) XML schema.

Preparing IT Systems for DAC8 Exports

Technology teams should treat DAC8 readiness as a dedicated workstream:

• Map existing data fields against the DAC8/CARF reporting template. Identify gaps, particularly in customer TIN collection, which many platforms have historically not enforced.
• Build export pipelines that can generate XML or CSV files compliant with EMTA specifications, on demand or on a scheduled reporting cycle.
• Test data integrity. Run reconciliation between on-chain records, internal ledger entries and the DAC8 export output. Discrepancies will attract regulatory attention.
• Assign a crypto tax Estonia reporting owner within the finance or compliance team who will be responsible for reviewing, signing off and submitting EMTA filings.

Interaction with EU MiCA and CASP Authorisation

A question that arises frequently: will MiCA CASP authorisation replace the need for a separate Estonian licence? The answer is nuanced. Estonia now regulates crypto under a dual framework. MiCA sets common rules across the EU, while the national Market in Crypto-Assets Act elaborates and supplements MiCA at the domestic level. Finantsinspektsioon is the designated competent authority for both.

In practice, this means:

• A single application to Finantsinspektsioon can serve as both the national licence and the MiCA CASP authorisation, provided the application meets the full requirements of both regimes.
• EU passporting is available once a firm holds a MiCA CASP authorisation. This permits the provision of crypto-asset services across the entire European Economic Area without requiring separate licences in each member state, a significant commercial advantage of the Estonian route.
• Firms authorised by another EU member state’s supervisor may provide services into Estonia under their home-state licence, without a separate Estonian application. The Finantsinspektsioon notice of 23 March 2026 expressly contemplates this pathway.

Industry observers expect the coordination between MiCA and national regimes to tighten further as ESMA’s technical standards are finalised, but for now, the recommended sequencing is to apply for the Finantsinspektsioon licence first, this satisfies both the Estonian and EU requirements simultaneously and avoids the risk of operating without authorisation during any lag between regimes.

Enforcement, Audit Readiness and Dealing with Regulator Checks

Estonia has moved from being one of Europe’s most permissive crypto jurisdictions to one of its most actively supervised. Finantsinspektsioon has the power to conduct on-site inspections, request documentation at short notice, impose fines and revoke licences. Non-compliance after the 1 July 2026 sunset carries serious consequences, including personal liability for directors and board members.

To prepare for regulatory audits, firms should maintain a standing “audit readiness” dossier containing:

• Current AML/CFT policy with evidence of board approval and the date of last review.
• Transaction-monitoring logs demonstrating that alerts are investigated, escalated and resolved within documented timeframes.
• KYC records for all customers, including CDD/EDD documentation and ongoing monitoring notes.
• Suspicious-activity reports (SARs) filed with the FIU, with a register of filing dates and reference numbers.
• Incident-response records for any data breaches, fraud events or sanctions-screening hits, including the remediation steps taken.
• Auditor reports and management letters from the most recent annual audit cycle.

Firms that can produce these documents promptly signal operational maturity to the regulator. Those that cannot should expect protracted scrutiny, remediation orders or, in the worst case, licence suspension.

Practical Annexes and Templates

To support implementation, compliance teams should prepare the following documents as part of their VASP compliance checklist. While every firm’s circumstances differ, the templates below provide a structural starting point:

• One-page compliance checklist (PDF). A single-sheet summary of all tasks from the 90/60/30-day plan, with tick-boxes, assigned owners and target dates, designed for printing and pinning to the compliance-team board.
• AML/CFT policy skeleton. A template policy document covering: scope and applicability, CDD/EDD procedures, sanctions screening, transaction monitoring, SAR filing, record retention and staff training.
• DAC8 data export field list (CSV/XML). A mapping table of all data fields required for EMTA/DAC8 reporting, aligned with the OECD CARF schema, with your platform’s corresponding database field names.
• Finantsinspektsioon submission checklist. A document-by-document list of the items required for the licence application, with status fields (drafted / reviewed / submitted) and version control.
• EMTA registration and reporting checklist. Steps for confirming tax registration, configuring reporting exports and scheduling the first mandatory filing cycle (2027).

Conclusion: Act Now on Crypto Compliance Estonia

The 1 July 2026 deadline is immovable, and the regulatory consequences of non-compliance are severe. For any business providing crypto-asset services in or from Estonia, the path forward requires a Finantsinspektsioon licence, fully updated AML/CFT policies, Travel Rule capability, DAC8-ready data infrastructure and genuine local substance. This VASP compliance checklist provides the operational framework, but execution must begin immediately. Every week of delay compresses the margin for regulatory review, system testing and remediation. Crypto compliance Estonia is now a matter of corporate survival, not strategic planning.

Sources

1. Finantsinspektsioon, Operating Licence in Markets of Crypto Assets
2. Finantsinspektsioon, The Transition Period for Crypto Companies Ends in Summer (23 March 2026)
3. Riigi Teataja, Market in Crypto-Assets Act (Consolidated)
4. ERR News, Cryptocurrency Services Now Required to Make Tax Authority Declarations
5. European Commission, Markets in Crypto-Assets (MiCA)
6. ACAMS, Estonia Intensifies Cryptocurrency Crackdown
7. Hacken, Estonia Crypto License: Requirements & Benefits