Our Expert in Estonia
Estonia’s virtual-asset licensing regime is undergoing its most significant overhaul since the country first attracted global crypto operators with its pioneering regulatory framework. For licensing lawyers Estonia has long relied upon, the central challenge in 2026 is guiding clients through the VASP sunset clause, the statutory mechanism that will invalidate legacy virtual-asset service provider licences on July 1, 2026 unless operators secure fresh authorisation under the EU’s Markets in Crypto-Assets Regulation (MiCA) or the updated national framework administered by Finantsinspektsioon (the Estonian Financial Supervision and Resolution Authority).
Alongside the sunset deadline, upgraded AML requirements, a mandatory supervisory portal for ongoing reporting, and new obligations affecting gambling operators who accept crypto-assets have combined to create an urgent compliance calendar that no FinTech founder, compliance officer or CFO can afford to ignore.
This article provides a practitioner-level roadmap covering every critical deadline, the VASP re-application process, document checklists, AML upgrades, gambling-licence overlaps, and bank-onboarding guidance for e-resident companies. Whether you hold a legacy licence or are applying fresh, the step-by-step guidance below is designed to help you act decisively before the July 1 cut-off.
Five immediate actions every affected operator should take now:
Under the transitional provisions of the EU Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114, Article 143), Member States were permitted to allow entities lawfully providing crypto-asset services before December 30, 2024, the date MiCA’s Title V provisions on crypto-asset service providers (CASPs) became applicable, to continue doing so for a defined transitional period. Estonia elected to apply this transitional window in full, meaning that operators holding valid licences from the former Financial Intelligence Unit (FIU) regime could continue operating under their existing authorisations while they pursued new-regime licensing.
The critical date is July 1, 2026. On that date, every legacy VASP licence that has not been replaced by a MiCA-compliant CASP authorisation issued by Finantsinspektsioon will be automatically invalidated. There is no further extension mechanism built into the current legislative text as published in the Riigi Teataja (Estonian State Gazette). Industry observers expect that the regulator will not exercise discretion to extend transitional relief, given Estonia’s stated policy objective of restoring supervisory credibility after revoking hundreds of legacy licences in earlier clean-up rounds.
The practical effect of the sunset clause is threefold. First, any operator that has not submitted a CASP application by a date early enough to receive a decision before July 1 risks an operational gap, a period during which it cannot lawfully provide services. Second, client funds held by an unlicensed entity after the sunset date will trigger immediate supervisory intervention. Third, counterparties, banks, payment processors and partner exchanges, are already requesting evidence of pending applications as a condition for maintaining service agreements.
| Date | Event | Action Required |
|---|---|---|
| December 30, 2024 | MiCA Title V (CASP provisions) becomes applicable across the EU | Operators lawfully active before this date qualify for the transitional period |
| Q1 2025 – Q1 2026 | Finantsinspektsioon accepts and processes CASP authorisation applications | Submit application with full documentation; respond promptly to information requests |
| July 1, 2026 | VASP sunset, all legacy FIU-issued licences are automatically invalidated | Operators must hold a valid CASP authorisation or cease providing crypto-asset services |
| Post–July 1, 2026 | Enforcement phase: Finantsinspektsioon monitors for unlicensed activity | Non-compliant operators face administrative fines, injunctions and potential criminal referral |
The answer depends on your current licence status, the nature of your crypto-asset activities and whether you have already engaged with Finantsinspektsioon. The VASP re-application process is not uniform; four distinct scenarios capture the majority of affected operators.
If you hold a legacy FIU-issued VASP licence and have already filed a CASP authorisation application with Finantsinspektsioon, you may continue to operate under the transitional provisions until either (a) Finantsinspektsioon grants or refuses your CASP authorisation, or (b) July 1, 2026 arrives, whichever comes first. The likely practical effect is that operators with applications submitted in early-to-mid 2025 should receive decisions well before the deadline. However, operators that filed late in Q4 2025 or Q1 2026 face a heightened risk that processing timelines will not conclude before the sunset date, and early indications suggest that some of these applicants may need to suspend services temporarily.
Operators in this position face the most acute risk. Without a pending application, there is no basis for continued operations after July 1, 2026. The immediate step is to file a CASP authorisation application as soon as possible, accepting that the review period may extend beyond the sunset date. In parallel, these operators should prepare a contingency wind-down plan for client assets and contractual obligations.
Holders of an Estonian gambling licence who accept crypto-asset deposits or withdrawals must assess whether those activities constitute “crypto-asset services” within the meaning of MiCA. If they do, for example, if the operator provides custody or exchange services rather than simply accepting payment, a separate CASP authorisation is required. The gambling licence alone does not cover crypto-asset service provision.
If your company previously held a VASP licence but no longer provides virtual-asset services, no re-application is necessary. However, the legacy licence should be formally surrendered to avoid any supervisory confusion, and the company’s registry entry should reflect the change in activities.
| Scenario | Must Reapply? | Deadline | Immediate Steps |
|---|---|---|---|
| A, Legacy VASP, CASP application pending | Application already filed; await decision | Decision expected before July 1, 2026 | Respond to Finantsinspektsioon queries promptly; prepare contingency plan |
| B, Legacy VASP, no application filed | Yes, urgently | File immediately; sunset is July 1, 2026 | Engage licensing counsel; prepare full documentation package; draft wind-down plan |
| C, Gambling operator with crypto activities | Yes, if crypto activities qualify as CASP services | July 1, 2026 (VASP sunset) and ongoing gambling-licence conditions | Conduct activity classification assessment; file CASP application if required |
| D, No longer providing crypto services | No | N/A | Surrender legacy licence; update commercial register |
The MiCA transitional mechanism functions as a form of grandfathering: operators lawfully active before December 30, 2024 are “grandfathered” into a limited-duration continuation right. However, this right is not indefinite and cannot be extended by unilateral operator action. The grandfathering protection expires automatically on July 1, 2026 under the Estonian transposition, regardless of whether an application is pending. Operators relying on grandfathering should treat it as a countdown, not a safe harbour.
Securing a crypto licence Estonia operators can rely upon post-sunset requires a methodical approach. The application is submitted through the Finantsinspektsioon portal, and the regulator expects a comprehensive package that demonstrates organisational fitness, governance quality, AML/CTF readiness and adequate technical infrastructure. Below is the practitioner’s step-by-step process.
Before engaging with Finantsinspektsioon, conduct an internal readiness assessment. This should cover corporate governance documents, the existing AML/CTF framework, technical infrastructure for wallet management and transaction monitoring, and the fitness-and-propriety status of directors and beneficial owners. Gaps identified at this stage are far less costly to remedy than deficiencies flagged during regulatory review.
The following table sets out the core documents required, the regulatory purpose each serves and the most common pitfalls that delay or derail applications.
| Document | Why Needed | Common Pitfalls |
|---|---|---|
| Articles of association (notarised, current) | Confirms corporate structure and registered activities | Activities clause does not cover all intended crypto-asset services |
| Shareholder register and beneficial-owner disclosure | Identifies all persons with qualifying holdings | Outdated register; undisclosed indirect holders |
| Directors’ fitness-and-propriety declarations | Demonstrates management competence and clean record | Missing criminal-record certificates from non-Estonian jurisdictions |
| Business plan (3-year projections) | Evidences viability and operational model | Overly generic plan; no risk analysis or scenario modelling |
| AML/CTF programme and internal rules | Core compliance document, demonstrates MiCA-grade controls | Programme not updated to reflect 2026 AML requirements; no named AML officer |
| Transaction-monitoring methodology | Shows ability to detect suspicious transactions in real time | Reliance on manual processes without automated tooling for scale |
| KYC/EDD procedures and technology description | Confirms customer onboarding meets enhanced due-diligence standards | No provision for ongoing monitoring or periodic KYC refresh |
| IT security and wallet-management policy | Demonstrates safekeeping of client crypto-assets | No cold-storage policy; inadequate key-management documentation |
| Complaints-handling procedure | Required under MiCA for consumer protection | Procedure exists on paper but no designated complaints officer or response timeline |
| Proof of capital adequacy / own-funds calculation | Meets minimum prudential requirements under MiCA | Capital calculated before deducting intangible assets; insufficient buffer |
Applications are submitted electronically through the Finantsinspektsioon portal mandate system. Applicants must create an organisational account, designate an authorised submitter (typically the compliance officer or external counsel) and upload all documents in the prescribed format. The portal generates an acknowledgement of receipt and assigns a case reference number. Industry observers expect processing times of approximately three to six months from the date of a complete submission, though complex cases or applications requiring supplementary information may take longer.
Finantsinspektsioon routinely issues information requests during review. Delayed responses are among the most common reasons for extended timelines. Best practice is to designate a single point of contact, typically a licensing lawyer experienced in Finantsinspektsioon procedures, to manage all regulator communications and maintain a response log.
Upon approval, Finantsinspektsioon issues a CASP authorisation that replaces the legacy VASP licence. The authorisation typically carries post-authorisation conditions, including ongoing reporting obligations, periodic AML audits and notification duties for material changes in ownership or management. Operators must diarise these obligations immediately upon receiving the decision.
The AML requirements Estonia applies to crypto-asset service providers in 2026 reflect both the MiCA framework and national enhancements introduced through amendments published in the Riigi Teataja. Compliance teams face a dual workload: upgrading internal AML/CTF programmes to meet the new substantive standards, and registering for, and reporting through, the Finantsinspektsioon supervisory portal.
| Action | Responsible Team | Deadline / Cadence |
|---|---|---|
| Register organisational account on the Finantsinspektsioon portal | Compliance / IT | Before first submission; mandatory for all CASP-authorised entities |
| Submit periodic compliance reports (volumes, AML incidents, complaints) | Compliance officer | Quarterly, within 30 days of quarter-end |
| File suspicious transaction reports (STRs) | AML officer | Without delay upon identification of suspicious activity |
| Notify material changes (ownership, directors, business model) | Legal / corporate secretary | Within 14 days of the change |
| Submit annual AML audit report | External auditor / compliance | Annually, within 4 months of financial year-end |
For operators holding a gambling licence Estonia’s regulatory framework presents a layered compliance challenge when crypto-assets are involved. The Estonian Tax and Customs Board (EMTA) and the gambling supervisory functions operate alongside Finantsinspektsioon, and the boundaries between regimes are not always intuitive.
The core question is whether a gambling operator’s interaction with crypto-assets constitutes a “crypto-asset service” under MiCA. If the operator merely accepts crypto-asset payments that are immediately converted to fiat by a third-party processor, the likely practical effect is that no separate CASP authorisation is needed, the conversion service is provided by the processor, not the gambling operator. However, if the operator holds crypto-assets on behalf of players (custody), allows players to wager in crypto-assets without conversion (exchange-like functionality) or facilitates transfers between player wallets, industry observers expect that Finantsinspektsioon will classify these activities as requiring CASP authorisation.
| Licence Type | Supervisory Body | Key Compliance Divergence |
|---|---|---|
| Gambling licence (remote / land-based) | EMTA / Gambling supervisory authority | Player-protection focus; responsible-gambling obligations; advertising restrictions |
| CASP authorisation (MiCA) | Finantsinspektsioon | AML/CTF focus; prudential requirements; custody and safekeeping obligations |
| Dual-licence operator (gambling + crypto services) | Both, parallel supervision | Must satisfy both regimes; AML programme must address both player and crypto-transaction risks |
Operators in the dual-licence category should conduct a detailed activity-mapping exercise, ideally with the assistance of licensing counsel familiar with both regimes, to determine which activities fall under which supervisory remit and to ensure that internal policies address the full spectrum of obligations without gaps or contradictions.
Securing and maintaining banking relationships remains one of the most persistent practical obstacles for crypto-asset operators in Estonia, particularly those structured as e-resident companies. Estonian and European banks routinely classify virtual-asset service providers as high-risk clients, subjecting them to enhanced due diligence that can delay account opening by months or result in outright refusal.
To improve the probability of successful e-resident company bank account onboarding, operators should prepare the following before approaching any institution:
For e-resident companies that face persistent bank refusals, alternative payment-service providers and electronic money institutions (EMIs) authorised in the EEA may offer viable interim solutions. However, these alternatives must themselves be assessed for regulatory risk, and the operator’s AML programme must extend to cover any non-bank payment channels.
Operators that continue providing crypto-asset services without valid authorisation after July 1, 2026 face a spectrum of enforcement actions. Finantsinspektsioon has the power to impose administrative fines, issue public warnings, order the immediate cessation of activities and refer cases to criminal-prosecution authorities where the conduct meets the threshold for criminal liability.
Early indications suggest that Finantsinspektsioon intends to take an assertive enforcement stance in the post-sunset period, consistent with Estonia’s broader strategy of restoring the jurisdiction’s reputation after the mass-revocation exercises of 2020–2023. Operators that find themselves without authorisation on July 1 should immediately take the following steps: cease onboarding new clients, ring-fence existing client assets, notify affected clients of the regulatory position in writing, and engage legal counsel to explore whether an expedited application, a voluntary wind-down or a transfer of client relationships to an authorised entity is the most appropriate course of action.
| Entity / Licence Type | Key Deadline | Immediate Action Required |
|---|---|---|
| Legacy VASP (FIU-issued licence) | July 1, 2026, licence automatically invalidated | File CASP authorisation application with Finantsinspektsioon; prepare wind-down contingency |
| Gambling operator accepting crypto-assets | July 1, 2026 (if crypto activities qualify as CASP services) | Conduct activity-classification assessment; file CASP application if required; update AML programme |
| New crypto-asset service provider (post-December 30, 2024) | No transitional relief, authorisation required before commencing services | Submit CASP application via Finantsinspektsioon portal; do not commence services until authorised |
| E-resident company with crypto activities | July 1, 2026 (same sunset applies) | Secure banking, demonstrate substance, file CASP application; address bank-onboarding risks in parallel |
| All authorised CASPs (post-authorisation) | Ongoing, quarterly reports, annual AML audit | Register on Finantsinspektsioon portal; diarise all reporting deadlines; appoint named AML officer |
The VASP sunset clause 2026 is not a theoretical risk, it is a hard statutory deadline that will invalidate legacy licences on July 1, 2026 with no built-in extension. For any operator currently relying on a legacy authorisation, the window to act is narrowing. The role of experienced licensing lawyers Estonia operators engage is critical to navigating the CASP application, AML upgrades and supervisory-portal obligations within the remaining timeframe.
Three actions to take within the next 30, 60 and 90 days:
To explore licensing lawyers in Estonia who can assist with CASP applications, AML readiness and regulatory strategy, consult the Global Law Experts directory for qualified practitioners in this practice area.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Mark Gofaizen at Gofaizen & Sherle Fintech Lawyers, a member of the Global Law Experts network.
posted 11 minutes ago
posted 40 minutes ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 4 hours ago
posted 4 hours ago
posted 5 hours ago
posted 5 hours ago
posted 5 hours ago
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message