Estonia Crypto License: Compliance Requirements and How to Avoid Revocation in 2026

Estonia has shifted from a permissive crypto jurisdiction to a regulated environment where strict compliance and economic substance are paramount. As the FIU (Financial Intelligence Unit) intensifies its supervisory approach and the implementation of MiCA (Markets in Crypto-Assets Regulation) continues to raise baseline regulatory standards, crypto businesses operating in Estonia face higher expectations than in previous years.

In this article, we break down what this shift actually means in practice. From how the FIU now conducts inspections and what “real substance” really looks like, to how MiCA reshapes governance, AML/KYT expectations, and daily operations. We’ll also walk through the most common reasons licenses get revoked and what crypto businesses need to do to stay compliant in Estonia in 2026 and beyond.

For 2025–2026, the primary challenge is maintaining a valid crypto license through AML (Anti-Money Laundering), KYC (Know Your Customer), and KYT (Know Your Transaction) controls, effective governance, and demonstrable local presence.

A broader overview of licensing models and jurisdictional differences is available in our global guide on how crypto licenses work across key markets.

2025 Crypto Compliance Guide: FATF, MiCA & FinCEN Rules

Learn how FATF, MiCA, and FinCEN shape crypto AML laws in 2025. A global compliance guide for businesses.

AMLBot BlogAMLBot Team

Note: None of this information should be considered as legal, tax, or investment advice. While we’ve done our best to ensure this information is accurate at the time of publication, laws and practices may change, so please double-check it.  

Overview: Estonia’s Crypto Licensing Landscape in 2026

The trajectory of Estonia’s cryptocurrency sector represents a microcosm of the broader maturation of the global digital asset industry. Between 2017 and 2020, Estonia was a volume-based crypto hub. Following a systematic regulatory overhaul, the landscape in 2026 is defined by a "fortress approach" to crypto compliance. The number of active licenses has plummeted from thousands to fewer than 100 highly scrutinized entities, signaling a deliberate policy shift from quantity to quality.

The FIU remains the main supervisor, exercising control over legacy licenses in line with updated regulatory requirements, while the market simultaneously prepares for prudential oversight by the FSA (Financial Supervision Authority).Today, Estonia serves as a stress test for operational maturity, with only entities able to meet the FIU's supervisory expectations continuing to operate sustainably.

FIU Oversight and Regulatory Focus

The FIU has evolved into a proactive enforcement agency that employs data-driven risk analysis to monitor licensees. Oversight is no longer reactive. Inspectors conduct thematic inspections triggered by algorithmic red flags, such as unexplained spikes in transaction volumes or discrepancies between declared activities and on-chain reality. The FIU specifically targets "nested" services and opaque corporate structures, viewing them as systemic vulnerabilities.

Inspectors frequently demand granular evidence of "mind and management" within Estonia.

The regulator is particularly vigilant regarding the provenance of company funds and the transparency of UBOs (Ultimate Beneficial Owners). Complex ownership webs designed to obscure control are immediate triggers for scrutiny and potential license revocation.

How MiCA Influences Estonia’s Local Requirements

While MiCA is an EU-wide regulation, its influence on Estonia’s local requirements is one of reinforcement rather than replacement. MiCA does not nullify the FIU’s stringent AML demands; instead, it raises baseline expectations toward a more prudential standard.

In practice, this uplift is most visible in three areas: governance, IT security, and consumer protection. As a result, Estonia-licensed crypto businesses are expected to implement more mature governance frameworks, including conflict-of-interest policies and best-execution protocols, well ahead of their implementation timelines.

This interaction between national supervision and EU-level regulation becomes clearer when examining how MiCA reshapes governance, risk management, and operational standards for CASPs (Crypto-Asset Service Providers) across the Union.

Core Compliance Requirements for Estonia-Licensed Crypto Businesses

The operational reality for crypto businesses in Estonia is now defined by the concept of "substance." The regulatory framework has moved away from tolerating "brass plate" companies that exist only on paper. By 2026, core compliance requirements will be centered on demonstrating that a company functions as a genuine Estonian economic unit. This includes a physical presence, qualified local personnel, and rigorous internal governance embedded into day-to-day operations.

Substance Requirements and Local Presence Rules

The definition of "local presence" has been tightened to exclude shared workspaces and virtual offices that function as mere mail drops. A licensed crypto company must demonstrate a physical office space in Estonia that is proportionate to the scale of its business activities. These substance requirements are intended to ensure the business has genuine operations within Estonia. Furthermore, the "mind and management" of the company must demonstrably be located in Estonia. Regulators assess this by reviewing board meeting minutes to confirm where key strategic decisions are made. If decisions are systematically made by shadow directors abroad, the Estonian entity may be viewed as a shell. In practical terms, evidence of substance typically involves:

• A functioning physical office in Estonia;  
• Local decision-making ("Mind and Management");  
• Access to client records and compliance documentation from the Estonian office.

Mandatory Roles: MLRO, AML Officer, Local Director

Human capital requirements for Estonia-licensed crypto businesses are among the strictest in Europe. A pivotal role within the compliance framework is the MLRO (Money Laundering Reporting Officer), also referred to as the AML Compliance Officer.

The MLRO must be a resident of Estonia, possess demonstrable AML competence, and have sufficient independence to perform the role without undue influence from commercial management. The "fly-in" compliance officer model is explicitly rejected: the MLRO is expected to be physically present in Estonia and fully integrated into the company’s daily operations.

In addition to the MLRO, at least one member of the Management Board must effectively direct the business from Estonia. This local director is subject to a rigorous "fit and proper" assessment covering education, professional experience, and integrity. The regulator closely scrutinizes nominee directors serving on multiple boards and may revoke a license if a director lacks the capacity to genuinely oversee operations.

Governance, Internal Controls, and Documentation Standards

Governance in 2026 implies a sophisticated system of internal checks and balances. Estonia-licensed crypto businesses are expected to maintain comprehensive internal policies and procedures that are tailored to their specific risk profile and operational model. In practice, these governance frameworks typically cover key areas such as:

At an organizational level, the "three lines of defense" model is now the expected standard, comprising operational management, independent risk and compliance functions, and an internal audit function. Documentation standards have also been elevated to ensure auditability and regulatory transparency. Every decision to onboard a high-risk client or to clear a suspicious transaction alert must be thoroughly documented and traceable.

The FIU expects a clear "compliance trail" that allows supervisory authorities to reconstruct decision-making processes years after the fact. In this context, the requirement for an internal audit function, separate from the external financial auditor, represents a key governance upgrade to ensure objective, ongoing scrutiny of the company’s overall compliance effectiveness.

AML, KYC, and KYT Obligations Under Estonian FIU

AML compliance remains the bedrock of the Estonian regulatory framework. Estonia’s AML regulations are strictly enforced by the FIU, and intolerance for AML failures remains a leading driver of crypto license revocation.

Companies are expected to demonstrate a dynamic, tech-enabled compliance approach that evolves with emerging financial crime typologies. In practice, this means moving beyond one-time identity verification toward a holistic, risk-based understanding of customer behavior supported by continuous monitoring and KYT controls. Many of these expectations mirror broader international AML trends, including:

These global compliance patterns are explored in more detail in our overview of crypto AML compliance frameworks.

KYC Verification and Client Risk Scoring

KYC requirements in Estonia now rely on a multi-layered identity verification approach designed to prevent impersonation and onboarding abuse. This typically includes biometric liveness checks and screening against sanctions and PEP (Politically Exposed Persons) lists.

For corporate clients, KYC obligations extend to identifying and verifying ownership structures all the way to the UBO. Transparency of control and beneficial ownership remains a core supervisory expectation. Central to compliance is a dynamic client risk-scoring model that updates automatically based on customer behavior, transactional patterns, and risk signals. Higher-risk relationships, including PEPs, trigger mandatory EDD, often supported by detailed SoW (Source of Wealth) verification. These approaches reflect how KYC standards for VASPs (Virtual Asset Service Providers) are evolving across regulated jurisdictions in 2025, particularly in relation to verification depth and behavioral risk scoring.

Crypto KYC Requirements – Regulatory Standards for VASPs

Discover crypto KYC requirements in 2025. Explore global regulatory standards, compliance challenges, and how VASPs stay compliant with AMLBot.

AMLBot BlogAMLBot Team

Ongoing Transaction Monitoring (KYT) and Reporting

KYT functions as the active defense layer within an AML compliance framework. Under FIU supervision, Estonia-licensed crypto businesses are required to conduct real-time monitoring of on-chain and off-chain transactions to detect suspicious patterns, abnormal behavior, and exposure to high-risk entities, such as mixers, sanctioned addresses, or illicit typologies.

In practice, many regulated CASPs rely on specialized KYT systems designed specifically for crypto compliance to support continuous blockchain transaction monitoring and alert-based risk analysis. Such infrastructure enables consistent identification, prioritization, and escalation of potentially suspicious activity in line with internal AML procedures and risk-based controls.

The monitoring obligation is closely linked to reporting duties. Once an alert is reviewed and validated, unusual transaction patterns must be investigated without delay and, where required, reported to the FIU through STRs (Suspicious Transaction Reports) or SARs (Suspicious Activity Reports) within the applicable statutory deadlines.

In parallel, compliance systems must ensure adherence to Travel Rule requirements governing the collection and transmission of originator and beneficiary data for qualifying crypto-asset transfers.

Record-Keeping and Audit Expectations

The FIU requires that a company’s compliance history be preserved with forensic integrity. Data relating to customer identification and transaction activity must be retained for at least five years in a format that enables immediate retrieval upon supervisory request.

From an audit perspective, expectations have shifted from basic procedural checks to substantive effectiveness testing. Compliance systems must demonstrate that controls operate as intended in practice, not merely on paper.

An external audit conducted by a certified auditor remains mandatory. In parallel, internal audit functions are expected to regularly stress-test AML controls and transaction-monitoring processes to identify, document, and remediate any weaknesses.

Operational Requirements and Daily Compliance Duties

Beyond static policies, crypto license holders in Estonia must demonstrate "Compliance in Practice." This requires integrating operational controls into the daily workflow to ensure the safety of client assets, legal transparency, and overall system resilience under FIU supervision.

Meeting the expectations of the Financial Intelligence Unit (FIU) requires a dynamic approach where theory meets execution. These five pillars represent the lifecycle of a compliant relationship:

Effective daily compliance is not a "set and forget" process. It requires close, ongoing coordination among IT, Legal, and Finance teams to maintain operational discipline and regulatory integrity.

Transaction Handling, Safekeeping, and Access Controls

The segregation of client assets from company funds is a cardinal operational rule. Client funds must be held in dedicated accounts or wallets that are clearly distinguishable from the company’s own operating capital.

For crypto assets, cold storage for the majority of funds represents standard industry practice. Custody arrangements should be aligned with the scale of operations and the underlying risk profile.

Access controls must follow the principle of least privilege. This typically involves the use of multi-signature authorization schemes or MPC (Multi-Party Computation) technology to ensure that no single individual can unilaterally move client funds.

In addition, regular reconciliation of on-chain balances with internal accounting records is required to detect discrepancies promptly and support ongoing operational integrity.

IT Security and Incident Reporting Obligations

IT security has become a core regulatory compliance requirement rather than a purely technical concern. Estonia-licensed crypto businesses are expected to implement a comprehensive ISMS (Information Security Management System) that is often aligned with ISO 27001 standards.

Such frameworks typically include strong encryption, role-based access controls, continuous security monitoring, and regular vulnerability scanning to identify and mitigate operational and cyber risks.

Incident reporting obligations are mandatory and time-sensitive. Any major ICT-related incident, such as a cyber breach, data compromise, or significant service outage, must be reported to the regulator within strict timelines to limit potential systemic impact.

These expectations are further reinforced at the EU level through the DORA (Digital Operational Resilience Act), which sets detailed standards for ICT risk management, incident reporting, and operational resilience across the financial sector.

Outsourcing, Third-Party Risk, and Service Providers

While certain operational functions may be outsourced, regulatory responsibility cannot be delegated. The license holder remains fully liable for the actions and compliance failures of its service providers.

Accordingly, robust third-party risk management is required. This includes comprehensive due diligence covering vendor compliance capabilities, security controls, and operational resilience. Outsourcing arrangements must be documented appropriately and subject to ongoing oversight.

Contracts with critical service providers must explicitly preserve the regulator’s right to audit outsourced activities. In addition, companies are expected to maintain exit strategies for each material vendor to ensure service continuity if a provider fails or the relationship is terminated.

Outsourcing is permitted for specific functions, such as KYC verification, KYT monitoring, or cloud infrastructure, provided that these arrangements are risk-assessed, documented, and effectively supervised. In all cases, the FIU expects the CASP to retain complete control and oversight over outsourced activities.

Common Reasons for License Revocation by the FIU

License revocation is typically the result of a sustained pattern of non-compliance rather than a single isolated failure. Such outcomes usually reflect repeated or material violations of FIU requirements and supervisory expectations.

Understanding the specific triggers cited by the FIU is therefore critical for Estonia-licensed crypto businesses, particularly as the regulator continues to remove non-compliant actors from the market actively.

Lack of Substance or Real Activity

The "Inactivity Clause" is one of the primary grounds for license revocation under FIU supervision. A crypto license may be revoked if a company fails to commence operations within six months of issuance or ceases operations for a continuous six-month period.

The regulator monitors operational activity through tax filings, transactional data, and other supervisory reporting. Indicators such as the absence of employees paying local taxes or the declaration of zero turnover are treated as strong signals of inactivity.

Where such indicators persist, the entity may be classified as a "shelf company" due to a lack of real activity, which can ultimately result in the cancellation of its crypto license.

Insufficient AML/KYC Controls or Missing Documentation

Systemic deficiencies in AML and KYC controls are a frequent basis for license revocation, often cited as "for cause" rather than as a consequence of inactivity. Such failures typically indicate that compliance controls are either ineffective in practice or not correctly implemented. Common issues identified by the FIU include:

• The use of nested accounts or third-party banking layers without adequate oversight;  
• Failure to verify the source of funds or the source of wealth for higher-risk clients;  
• Inadequate sanctions screening, including reliance on outdated sanctions lists.

In addition, the inability to promptly produce requested customer or transaction data during supervisory inspections is frequently treated as a material breach of record-keeping obligations and may independently justify enforcement action.

Failure to Respond to FIU Information Requests

Timely responsiveness to supervisory communications is critical under FIU oversight. A failure to respond to an FIU precept or an RFI (Request for Information) is commonly interpreted as non-compliance or, in some cases, as an indicator of operational dormancy.

Such failures often arise where companies lack an effective local presence capable of receiving, processing, and responding to official correspondence within prescribed deadlines.

In addition, failure to keep corporate data in the commercial register up to date, including current directors, contact persons, or registered addresses, constitutes a procedural breach that may rapidly escalate into enforcement action and, ultimately, license revocation.

Deficiencies Found During Inspections

Regulatory inspections function as stress tests of a company’s Compliance Program. License revocations often stem from discrepancies between documented policies and actual day-to-day practices uncovered during these audits. Typical indicators include:

• Staff interviews suggest a limited understanding of internal AML procedures.  
• Inconsistencies between financial figures submitted in FIU reporting and those reflected in tax filings.

Where such gaps are identified, the regulator may conclude that governance is ineffective or that compliance exists only on paper. These findings can lead directly to enforcement actions and, in severe cases, license revocation.

For the most accurate and up-to-date regulatory guidance, we recommend consulting the following official resources of the Estonian Financial Intelligence Unit (FIU) and legislative databases:

Official FIU Estonia Yearbooks. Detailed annual reviews of the AML landscape, supervision trends, and reasons for license revocations.

Advisory Guidelines for Obliged Entities. Step-by-step instructions on submitting suspicious transaction reports (STRs) and applying due diligence measures.

Money Laundering and Terrorist Financing Prevention Act. The primary legislation governing the duties of crypto service providers and other financial institutions in Estonia.

National Risk Assessment (NRA), 2025. The comprehensive governmental study of money laundering and terrorist financing risks in Estonia, which must be reflected in every entity's internal risk assessment.

How MiCA Changes Expectations for Estonia-Licensed CASPs

The transition to MiCA introduces a prudential regulatory framework that significantly elevates expectations around financial stability and market integrity for crypto businesses operating in Estonia.

As a result, supervisory focus expands beyond AML compliance alone to encompass broader requirements related to consumer protection, regulatory reporting, and operational resilience for CASPs.

Higher Governance Standards

MiCA requires that the management body of a CASP possess sufficient knowledge, skills, and experience to effectively manage business and operational risks.

Governance frameworks must ensure the proper identification and management of conflicts of interest, particularly for crypto exchanges that also perform market-making or proprietary trading functions.

In addition, remuneration policies are expected to align with sound risk management principles to discourage excessive risk-taking. Boards are increasingly expected to include independent expertise and to exercise active oversight over risk management, internal audit, and compliance functions.

Enhanced Transparency and Disclosure Requirements

Transparency is a core principle under MiCA. CASPs are required to publish clear and detailed information on pricing, fee structures, and terms of service applicable to clients.

Custodial service providers must clearly disclose their asset custody and segregation arrangements. Trading platforms, in turn, are expected to be transparent about order execution mechanisms and how client orders are handled in practice.

All marketing and client-facing communications must be fair, clear, and not misleading, and must include appropriate risk warnings for consumers. Collectively, these disclosure requirements are designed to align crypto markets more closely with traditional financial market standards, thereby enhancing trust and accountability.

Operational Resilience Under MiCA

MiCA explicitly links crypto-asset regulation to the EU’s digital resilience framework, embedding IT security and operational continuity expectations into the supervisory landscape. These requirements are closely aligned with DORA standards applicable across the financial sector.

Under this framework, CASPs are expected to demonstrate the ability to withstand operational disruptions through robust BCP and disaster recovery arrangements. Operational resilience is assessed not only in terms of prevention, but also preparedness and recovery.

This includes maintaining an orderly wind-down plan designed to ensure the safe return of client assets in the event of insolvency or license withdrawal. For more granular technical specifications and reporting formats, refer to the ESMA technical standards issued under MiCA.

Checklist: How to Keep Your Estonia Crypto License in 2026

To maintain regulatory compliance and reduce the risk of license revocation, Estonia-licensed crypto businesses should regularly review the following operational and compliance checkpoints:

• Confirm economic substance, including a physical office and active local staff in Estonia.  
• Ensure the MLRO is an Estonian resident and fully dedicated to the company’s compliance function.  
• Keep internal AML, KYC, and KYT policies aligned with the current risk profile and business model.  
• Maintain effective transaction monitoring with documented alert review and escalation processes.  
• Apply risk-based Customer Due Diligence, including EDD for higher-risk relationships.  
• Enforce Travel Rule compliance for qualifying crypto-asset transfers.  
• Implement ICT risk management and incident reporting controls in line with DORA.  
• Regularly reconcile on-chain activity with internal accounting and reporting records.  
• Keep corporate data (Directors, UBOs, Contact Details) accurate and up to date in the commercial register.  
• Respond promptly and completely to all FIU supervisory requests and information notices.

For additional technical context and examples of compliance tooling, you can explore the AMLBot Platform.

FAQ