As of early 2026, Estonia remains a mature fintech hub with a strong start-up culture and experience in regulating innovative businesses. It should be noted that previous periods, including the last 12 months, have been periods of growth, with new businesses showing significant revenue growth (mainly due to fintech companies). It should be noted that fintech in Estonia is not only about start-ups, but also about businesses that have become a strong system with stable revenues, international activity and a stable condition.

The next 12 months can be considered a phase of implementation of initiatives. In particular, the FSA is preparing to reduce administrative pressure in the financial sector and reduce the number of requirements, which is the subject of active discussion. There are also plans to launch digital solutions for licensing procedures.

Equally important is that the use of artificial intelligence-based solutions is already being implemented, especially for fintech companies in the pilot and early stages (according to a survey conducted by the FSA). At the same time, it should be noted that there are no recommendations from regulatory authorities on the use of AI in fintech, which complicates the process in a certain way and leaves it to the discretion of businesses.

In Estonia, the fintech environment is characterised by several key verticals, including both start-ups and mature companies. The most developed sector remains payment infrastructure and payment technologies, such as card issuance or BaaS solutions. These models are popular among local fintech companies as well as international businesses operating in a broader market.

Another significant area is crowdfunding platforms and digital lending. Crypto and blockchain services are no less important, even though this business has undergone regulatory tightening. It is also worth noting the active development of fintech infrastructure, in particular digital identification, compliance and AML monitoring.

In Estonia, the regulation of fintech companies depends on the applicable business model and the type of services provided. The main regulator is Finantsinspektsioon (Estonian Financial Supervision and Resolution Authority – FSA). It should be noted separately that the issue of prevention of money laundering in Estonia falls within the competence of investigative bodies, the Prosecutor General’s Office and courts, the Rahapesu Andmebüroo (Financial Intelligence Unit – FIU) and other bodies for certain aspects. At the same time, the FIU is the main body that monitors, collects information and prevents money laundering.

Finantsinspektsioon is an independent financial supervision and resolution authority. It carries out state financial supervision over the following:

• banks;
• insurance companies;
• insurance intermediaries;
• investment firms;
• fund managers;
• investment and pension funds;
• payment institutions;
• e-money institutions;
• creditors and credit intermediaries;
• crowdfunding service providers;
• debt collection agencies; and
• the crypto-asset and securities markets.

Compensation models depend directly on the applicable business model under national and EU law. Fintech companies can use models of transaction fees, subscription fees, spreads between asset purchase and sale prices, fees for executing transactions or storing assets, or fees from third parties. For crypto businesses, trading fees, custody fees, and deposit or withdrawal fees are most commonly applicable.

The key rule for applicable fees is mandatory transparency and clarity. This means that the business must clearly and unambiguously describe the fee structure, the method of calculation, possible additional costs, and possible conflicts. For certain products, such as crypto services or assets, the product risk, pricing information and transaction execution must be disclosed. Businesses must adhere to the principle of fair, clear and not misleading disclosure.

Estonia applies the same regulatory principles to both traditional financial institutions and fintech, but an important feature is the proportionality of the approach, which directly depends on the level of risk for the business model. In general, traditional players are subject to stricter regulation (in terms of capital requirements, risk management and corporate governance, liquidity, etc).

Fintech companies are subject to separate regimes specifically designed for them. This simultaneously reduces requirements and narrows the range of permitted activities, but at the same time lowers the entry threshold. It is important that the rules on AML, consumer protection and business stability remain robust and aimed at protecting end customers.

Unfortunately, there is currently no sandbox regime for crypto companies in Estonia. It is believed that the introduction of such a regime in the country would be beneficial, as it would allow more innovative businesses to enter the market, compete with each other, and provide better services to consumers.

However, there is an alternative option, which is to consult with Finantsinspektsioon before launching a business. Both start-ups and existing businesses planning to expand their range of activities can submit a request. The regulator provides explanations, which can greatly help in understanding the regulatory environment and the possibility of conducting the desired activities.

As mentioned at 2.2 Regulatory Regime, in Estonia, full regulation is carried out by Finantsinspektsioon (Estonian Financial Supervision and Resolution Authority), which assesses applicants’ businesses for compliance with requirements, issues licences and conducts the necessary supervision. The issue of AML supervision, which is carried out by the Rahapesu Andmebüroo (Financial Intelligence Unit), is dealt with separately. The Financial Intelligence Unit is the leading body and carries out monitoring, collects information and tracks income obtained by criminal means.

Estonia does not have a practice of issuing no-action letters to participants in legal relations. Most often, an informal approach is used, which consists of preliminary communication and obtaining clarifications on the application of regulations to certain types of activities. It should be noted that Finantsinspektsioon is open to communication with businesses, but the advice and clarifications provided are not binding and do not guarantee immunity from regulatory action.

For Estonian companies, outsourcing can be used to perform certain regulated functions, but strict restrictions and requirements must be taken into account. The main thing is that a company cannot outsource its own compliance with regulatory requirements – that is, the company must retain effective control over the functions that are subject to regulation and transferred to another party. The vendor must comply with the requirements for operational stability, data protection, reliability and AML control. Before concluding a contract, the company must assess the counterparty, identify risks and ensure monitoring of activities. In addition, contracts with outsourcing parties must include the regulator’s access to information, data protection, business continuity and the possibility of terminating the agreement. Critical business functions, such as compliance processes or IT infrastructure, are particularly important. It should be noted that by using regulated partners for outsourcing, many businesses reduce their own regulatory risks.

Fintech companies can be considered gatekeepers but everything will depend on the nature of their services and their role in the infrastructure. In other words, a functional approach to their activities must be considered. Companies subject to licensing are required by regulatory requirements to monitor transactions, implement KYC and AML procedures, prevent abuse, etc, which effectively places them in the role of controllers of the legality of operations on platforms.

At the same time, fintech companies are often not fully responsible for the activities of users if they act as technology or infrastructure providers. That is, if a business on the platform plays an active role in conducting transactions or storing assets, etc, the regulator may require a higher level of control for the purpose of risk management and consumer protection.       

It should be noted that Finantsinspektsioon’s approach to regulated companies is not only to ensure strict and consistent compliance, which can be achieved through the imposition of fines, but also to exert significant supervisory pressure. The regulator expects companies to strictly adhere to applicable principles, which are primarily aimed at protecting users, ensuring accessibility and managing risk. Equally important is the emphasis on AML and sanctions compliance. Here, the regulator notes that, in addition to a general approach, filtering approaches should also be applied for implementation in a specific business – ie, general approaches may not be sufficient.

The gradual implementation of MiCA in Estonia also leads to increased regulatory pressure and the cleansing of the market of companies that cannot meet the requirements. Thus, the regulator does not so much punish as weed out businesses, leaving only those that are able to operate within the specified framework.

It is clear that, in addition to the direct requirements imposed on fintech businesses by direct regulation depending on the type of activity, other non-specialised regulations also apply to them, in particular Estonian national legislation and implemented EU legislation.

Fintech businesses in Estonia must strictly adhere to the principles of user confidentiality in accordance with the GDPR – ie, all verification procedures must have a proper legal basis, transparent notifications, etc. In other words, there are no exceptions for fintech businesses, and the Estonian Data Protection Inspectorate oversees compliance.

The DORA regime, with its own requirements, has had the greatest impact on cybersecurity this year and last year. This is the main difference from other areas; even a fintech start-up must comply with a clear and strict regime similar to that applied to banks. Regarding the regulation of content on social networks, companies must comply with the requirements of the Digital Services Act, which imposes obligations regarding notice-and-action, transparency, handling of illegal content and, depending on the role of the service, requirements for online interfaces and advertising.

In addition, for companies developing their own software, the Cyber Resilience Act (CRA) is important, as it sets relevant requirements and often shifts part of the regulatory burden to software development.

Fintech businesses cannot limit themselves to licensing requirements, but must take into account a broader field in accordance with their activities.

Estonian fintech companies are subject not only to industry regulation in accordance with licensed activities. The companies are also subject to financial, technical and industry supervision. First and foremost, these are auditing and accounting partners, as a licensed company (eg, EMI or CASP) must submit annual audited financial statements in accordance with standards. Auditors check financial statements, internal compliance controls and risk management.

Technology and compliance service providers that provide KYC/AML solutions, payment infrastructure, etc also play an important role. Since they are subject to applicable regulations, fintech businesses are also subject to secondary requirements when interacting with them.

Industry associations also play an important role, such as FinanceEstonia, which has no regulatory functions but works to create an environment for companies to grow, particularly in the fintech sector.

Estonian fintech companies sometimes offer unregulated services alongside regulated ones, but this practice is usually subject to careful oversight by Finantsinspektsioon. Unregulated products (such as analytical services, software or technology solutions, etc) are structured as ancillary services related to the main activity. In many cases, they are provided through a separate legal entity (to avoid regulatory risks and clearly separate licensed activities). It is important that the regulator emphasises that the structure should not mislead customers about the nature of the services, and companies must ensure transparency and appropriate disclosure of information, and manage potential conflicts of interest.        

AML and sanctions regulation has a significant impact on Estonian fintech companies. The main requirements are set at the level of European and national legislation, and supervision, as mentioned at 2.2 Regulatory Regime, is carried out by the Financial Intelligence Unit in co-operation with Finantsinspektsioon for companies subject to licensing.

Regulated participants are required to implement mechanisms and strictly adhere to KYC, customer due diligence, transaction monitoring, and sanctions screening procedures, as well as report suspicious transactions to the FIU. It should be noted that unregulated companies may be subject to obligations if they perform functions related to financial flows or customer identification. Thus, AML compliance is one of the key factors for the activities of fintech companies and their ability to operate in the Estonian market.

Anti-money laundering and sanctions rules in Estonia fully comply with the standards set by the Financial Action Task Force (FATF). In the context of fintech companies, this means applying a risk-based approach, mandatory KYC, customer due diligence, transaction monitoring, and reporting of suspicious activity. In addition, the Financial Intelligence Unit is actively engaged in monitoring, countering and searching for criminally obtained funds.

The reverse solicitation scenario is not directly regulated in Estonia by a separate regime, so, in practice, the regime that operates within the EU legislation is applied. This means that customers from Estonia can independently contact foreign providers who do not actively market to the Estonian market and do not directly attract customers from the country. At the same time, it should be remembered that any form of targeted advertising, systematic work with customers in the country or local presence may lead to the application of European and Estonian legislation, including for fintech companies.

In Estonia, different classes of digital assets require different business models and corresponding licensing regimes. For most cryptocurrencies and utility tokens, regulation under the Markets in Crypto-Assets Regulation (MiCA) applies, and for transactions with such assets (trading, exchange, custody), a company must obtain the appropriate CASP licence. Models related to electronic money tokens require an additional credit institution or e-money institution licence.

As for security tokens, since they are financial instruments, they are subject to financial instrument regulations, in particular MiFID II, and companies must obtain an investment firm licence and, in some cases, prepare a prospectus.

Estonian fintech companies and traditional financial institutions are gradually introducing solutions that involve robo-advisers. For investment companies, these can be algorithmic tools for portfolio management, automated recommendations or digital onboarding processes, which are often combined with traditional advisory models. As a result, this reduces operating costs and expands access to products. The use of robo-advisers in Estonia must comply with and not violate the principles of operational stability and be aimed at protecting consumers.

Best execution requirements in Estonia apply primarily to companies that execute client orders and originate from MiFID II, implemented in national legislation (under the supervision of Finantsinspektsioon). Businesses must take all reasonable steps to achieve the best possible result for the client, taking into account price, costs, speed, settlement and the likelihood of successful execution. Similar approaches apply to fintech businesses, with an emphasis on transparency in pricing and order execution.

The most stringent requirements apply to loans to individuals (the borrower must obtain a licence and comply with responsible lending requirements, conduct a creditworthiness assessment, impose restrictions on advertising and disclose full information about the cost of the loan). Finantsinspektsioon pays considerable attention to consumer protection and affordability assessment.

A more flexible regime applies to small and medium-sized businesses. Lenders are also subject to financial supervision, but the requirements for creditworthiness checks and information disclosure are lower, as a higher level of financial literacy is assumed.

For corporate borrowers, the lending regime is more contractual and is determined by an agreement between the parties, while the regulator exercises prudential supervision over the lender.

Underwriting processes in financial and fintech companies largely depend on the type of product and are determined by regulatory requirements for certain segments. In consumer lending, lenders must assess the customer’s creditworthiness, which involves checking income, financial obligations, credit history and other factors, and is aimed at ensuring that the customer is able to fulfil their obligations.

In practice, fintech projects use automated scoring models, algorithmic data analysis and alternative sources of information. Although the methodology is not defined by law, it is important for the regulator to obtain information that the models are sound, transparent and ensure responsible service provision.

Most often, sources of fiat currency funds for loans depend directly on the applicable business model. Many fintech lenders operate with their own or investor capital, and here the main regulatory requirements are related to licensing of lending activities and responsible lending rules.

Another common model is crowdfunding or peer-to-peer financing to attract private investors through online platforms, which is subject to regulation and mandatory investor protection requirements.

Some fintech companies attract bank financing and credit lines from institutional investors, which creates requirements for risk management and disclosure.

More experienced businesses sometimes resort to securitising loan portfolios, which is also subject to regulation, including transparency requirements. Accepting deposits to finance loans is usually only possible for companies with a banking licence.

In the Estonian fintech sector, loan syndication is quite rare and can be used in peer-to-peer lending and platform financing (where a single loan can be financed by several investors participating in the financing through an online platform).

For crowdfunding platforms, activities may be subject to European regulations that set requirements for platforms, disclosure of information to investors, and risk management. For financing by investment investors, the structure is more likely to be regulated by contractual mechanisms and investor protection rules.

Payment providers in Estonia most often use existing payment infrastructures (eg, SEPA) or payment networks of card schemes (Visa) or correspondent banking networks. The systems are already integrated into the European payment infrastructure and comply with EU requirements and standards.

At the same time, there is no direct ban on the development of new payment solutions or infrastructures. The main thing is that they comply with financial regulation and security requirements. Fintech companies often create alternative payment interfaces but the actual transfer of funds usually goes through banks or payment systems. It is important for the regulator that the systems comply with the principles of customer protection, operational stability and AML requirements.

Cross-border payments and money transfers in Estonia are regulated by EU law, in particular the Payment Services Directive (PSD2), anti-money laundering legislation, SEPA rules and implemented AML/CFT standards. To transfer funds, a business must obtain the appropriate licence from Finantsinspektsioon and then comply with the mandatory requirements. The key requirements remain AML/CFT, sanctions control, customer verification (KYC) and transaction monitoring. Businesses must collect and transmit information about payers and recipients, with particular attention paid to preventing transactions, transparency of services and fees, and the operational stability of payment systems.

The possibility of creating marketplaces in Estonia directly depends on the type of assets and the nature of the transactions, and the regulatory regime is based on implemented EU legislation under the supervision of Finantsinspektsioon.

• For financial instrument trading platforms, the European MiFID II regime applies, which requires platforms to obtain a licence to operate a multilateral trading system.
• Crowdfunding platforms can operate in accordance with implemented EU legislation, which allows for the financing of projects through online platforms.
• To operate a crypto-asset trading platform, the applicant must obtain the appropriate licence (CASP) in accordance with the implemented legislation regulating crypto activities.

Under European law, different classes of digital assets in Estonia are subject to different regulatory regimes, which determine both the platform requirements and licensing requirements.

For security tokens (subject to the applicable legislation regulating financial instruments and in accordance with MiFID II and securities market legislation), the platform must obtain an investment licence to operate a multilateral trading facility (compliance with best execution, market abuse and investor protection rules is mandatory).

Cryptocurrencies will be subject to MiCA rules. MiCA introduces a clear classification system for crypto-assets, categorising them into three main types:

• asset-referenced tokens;
• e-money tokens; and
• other crypto-assets.

This classification is crucial for understanding the regulatory requirements and implications for each type of token. Asset-referenced tokens are designed to maintain a stable value by referencing one or several assets, such as fiat currencies or commodities. E-money tokens, on the other hand, are digital representations of fiat currency and are intended to be used as a means of payment. Finally, other crypto-assets encompass a wide range of digital assets that do not fall under the previous two categories, including utility tokens. By establishing these categories, MiCA provides a clear framework for the regulation of crypto-assets, ensuring that each type of token is subject to appropriate oversight and consumer protection measures.

The emergence of cryptocurrency exchanges on the Estonian market has had a significant impact on the regulatory approach. The country was one of the first in Europe to introduce a licensing regime for virtual asset providers. Tighter AML and sanctions controls have gradually led to a reduction in the number of locally licensed companies.

The implementation of MiCA in the country requires crypto exchanges to obtain the appropriate CASP licence, which means higher requirements for corporate governance, customer asset protection, trading transparency and sustainability. For the fintech market, this leads to the gradual institutionalisation of crypto trading, and the regulation of such platforms is approaching the standards of traditional financial markets.

Listing standards in Estonia depend directly on the type of asset and platform. When it comes to financial instruments, the rules applicable to securities require transparency, disclosure of information about the issuer, verification of the asset, prevention of market abuse, publication of a prospectus, etc.

For crypto-assets with appropriate regulation, the asset must have an approved white paper containing key information about the asset, its issuer, risk assessment, etc before it can be admitted to trading.

In addition to formal requirements, additional standards also apply, including issuer due diligence, liquidity assessment, technology verification and AML compliance. These practices are designed to reduce the risk of fraud, protect users and increase investor confidence.

As described earlier, Estonian regulations on order handling are based on pan-European standards and depend on the type of assets and platform, respectively.

For securities, investment firms must ensure fair, prompt and consistent execution of orders, which is implemented through clear internal policies that determine the prioritisation of transactions, prevent conflicts of interest, etc.

For crypto-assets, companies with CASP licences must ensure a transparent procedure for accepting, transmitting and executing orders. The platform must have clear rules for execution, disclosure of information about the order processing procedure, and proper accounting of transactions. It should be noted that this brings such platforms closer to the standards of traditional financial markets.

In Estonia, as in other countries, the growth of peer-to-peer (P2P) trading platforms has had a significant impact on market participants (both traditional and fintech). P2P platforms have effectively expanded users’ access to investments and lending without intermediaries, directly between themselves. This has become a challenge for financial institutions, and they have begun to integrate digital platforms and automated services into their own activities, as well as interact with fintech companies in order not to lose market share.

An important aspect remains that P2P platforms must comply with regulatory requirements, especially regarding investor protection, risk transparency, AML/CFT requirements and the obligation to operate within the legal framework.

Payment for order flow (PFOF) in Estonia is subject to EU-wide regulations, including MiFID II. The main problem with PFOF is the conflict of interest it creates and the potential deterioration in best execution, as orders are sent not to the platform offering the best solution, but to the one that pays for the orders.

Platforms and brokerage services in Estonia must adapt their business models to avoid PFOF by highlighting direct commissions or other revenue models that provide transparency and clarity for clients.

The basic principles of market integrity and market abuse in Estonia are defined by applicable EU law, in particular the Market Abuse Regulation (MAR). The main principles are:

• the prohibition of insider disclosure;
• the prohibition of insider trading; and
• the prevention of market manipulation.

Participants are required to implement trading monitoring systems, report suspicious transactions and maintain proper disclosure of information.

As mentioned earlier, market participants are supervised by the Estonian Finantsinspektsioon, which monitors compliance with the rules. It should be noted that similar rules are being introduced for crypto-assets through MiCA regulation in order to ensure transparent trading, protect users and prevent manipulation.

High-frequency and algorithmic trading in Estonia is subject to general EU regulation as the country is integrated into the single financial market.

For securities, the use of these approaches is regulated in accordance with MiFID II. Investment firms must have effective risk control systems and measures in place that are appropriate to their activities to ensure the resilience and sufficient capacity of trading systems, comply with relevant trading thresholds and limits, and prevent the transmission of erroneous orders or the functioning of systems in a way that could create or contribute to market instability.

For crypto-assets, the approach differs due to the application of different regulations (European MiCA), which focus more on trading transparency, stability and risk management, but without detailed regulation.

Thus, high-frequency and algorithmic trading in traditional markets are subject to more detailed and stringent rules than in the crypto sphere – but, in both cases, the main focus is on preventing manipulation and ensuring fair trading.

Estonian participants who conduct high-frequency or algorithmic trading in a principal capacity may be subject to MiFID II regulations, which have been implemented into national legislation. If the business model involves trading in securities, the company must obtain an investment firm licence from Finantsinspektsioon. This means that the company must comply with requirements regarding capital, risk management, algorithmic trading control systems and market abuse prevention. If the business model involves trading in cryptocurrencies in the meaning of MiCA, the company must obtain a CASP licence from Finantsinspektsioon.

According to European regulations implemented in Estonian legislation, regulation of companies will differ depending on the business model. While investment firms are subject to MiFID II regulation, which clearly defines the rules for high-frequency and algorithmic trading and requires traders to disclose information to the regulator and the trading venue, in particular regarding strategies, risk management, etc, the legislation applicable to funds does not specifically regulate such activities. Both models may use the same technologies but, depending on the business model, they will have different regulations and responsibilities.

In Estonia, developers of algorithmic trading software are not directly regulated. Finantsinspektsioon focuses on regulated businesses. At the same time, one can talk about indirect regulation, since, ultimately, the requirements imposed on businesses are imposed by the businesses themselves on developers directly, and it is they who must implement the regulator’s requirements. Responsibility, of course, remains with the regulated business, while the responsibility of developers may arise within the framework of concluded software development agreements.

Insurtech market participants in Estonia most often use digital and automated underwriting processes based on data analysis, integration with external sources and algorithmic models. This includes automated risk assessment, the use of behavioural or big data, artificial intelligence tools to determine customer risk profiles, and other aspects.

Assessment methods must comply with the requirements of the Solvency II Directive applicable in the country, but the regulations do not contain clear underwriting processes.

Although insurance in general in the EU and Estonia in particular is subject to a single regulatory framework, in practice it is used differently and regulated differently. In Estonia, supervision is also carried out by Finantsinspektsioon.

Life insurance and annuities are subject to stricter requirements for disclosure, long-term reserves and risk management, as they are directly related to capital accumulation and investment components. At the same time, property and casualty insurance has a shorter risk horizon, so the focus is on pricing, claims management and efficiency.

Insurtech companies are more likely to implement digital solutions in the non-life segment due to shorter product life cycles, less stringent requirements and generally simpler automation.

Regtech providers in Estonia are not usually subject to direct financial regulation, as their activities are focused on providing technological solutions. These may include tools for AML/KYC, transaction monitoring, risk management, or compliance analytics. For their activities, they are technology service providers and, as mentioned earlier, the main responsibility will remain with the regulated entity. At the same time, the requirements may be partially transferred to regtech providers, not through direct regulation, but through the provisions of agreements with customers who are subject to regulation and order the product. Regtech companies may be subject to regulation if their activities are not limited to the technical component, but also include payment processing or customer asset management, which are financial services and require authorisation from the regulator.

Since financial services firms must strictly comply with applicable regulations in Estonia and general regulations in the EU, they seek to transfer some of the requirements that can be fulfilled by regtech companies to their contracts. Note the compliance of services with the requirements of DORA, GDPR and EBA guidelines, which is related to the obligation of licensed companies to ensure control over critical IT providers. It should also be noted that it has become industry practice to include high penalties in contracts with regtech companies, as the regulator may impose fines and the licensed company may be unable to continue its activities.

Estonia is rightly considered one of the leading countries in the implementation of blockchain technologies, particularly in the financial sector. Banks and financial companies are increasingly inclined to use distributed ledger technology (DLT) to manage customer data, optimise payments and automate compliance procedures, including KYC and AML monitoring. This is aimed at increasing transparency, automation and security.

It is still too early to talk about the widespread use of blockchain technologies by traditional players – but, at the same time, it opens up new opportunities for them and enables them to compete with innovative businesses and form partnerships with fintech and regtech companies. All this is aimed at improving the security and efficiency of systems and procedures.

Finantsinspektsioon has a reputation among fintech businesses as a friendly regulator that also pays considerable attention to risk management and strict compliance with legislation. The approach remains that technology is not regulated separately, but activities that use technology to provide financial services are part of the regulatory regime.

The main stage today is the introduction of the Markets in Crypto-Assets Regulation (MiCA), which has been implemented in Estonian legislation and establishes rules for crypto-asset service providers (CASP), and the regulator is focused on this. In other words, the use of blockchain is recognised as a reality in conjunction with maintaining system security and user protection.

In addition to the general MiCA framework covered in the new general chapter on MiCA, the Estonian Crypto Market Act (krüptovaraturu seadus – CMA) regulates certain aspects of the activity, liability and termination of participants in crypto-asset markets, as well as their supervision, thereby specifying and supplementing the provisions of MiCA and Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA). The CMA entered into force on 1 July 2024. Its entry into force was accompanied by amendments to several other laws governing entities engaged in crypto-asset activities. The MCA became applicable from 30 December 2024 for persons whose activities fall within the scope of MiCA.

According to the pan-European approach, which also works in Estonia, the determination of whether a blockchain asset is a financial instrument is based on its nature rather than its form. This means that if a blockchain asset has the characteristics of a financial instrument (eg, it confers a right to participate in capital, a right to profit), then it should be classified as a security and subject to the applicable regime for securities.

Digital assets without the characteristics of financial instruments will be classified in accordance with MiCA interpretations (which distinguish between asset-referenced tokens, e-money tokens and crypto-assets other than asset-referenced tokens or e-money tokens) if they meet the requirements.

The main thing is not the form of the asset, but its essence.

• Asset-referenced tokens (ARTs), often referred to as a type of stablecoin, are designed to maintain a relatively stable value by referencing one or several underlying assets, such as fiat currencies, commodities or a basket of assets. These tokens have gained significant popularity in the crypto market as they aim to reduce volatility and provide a more predictable value compared to traditional cryptocurrencies. Under MiCA, asset-referenced tokens are subject to strict regulatory requirements. Issuers must obtain authorisation from the relevant national competent authority and comply with governance, transparency and risk-management obligations. The purpose of this regulatory oversight is to ensure the reliability and stability of such tokens, as well as to protect consumers and maintain financial stability within the European Union.
• E-money tokens (EMTs) represent digital versions of fiat currency and are primarily intended to function as a means of payment. In many respects, they resemble electronic money and are designed to serve as a digital alternative to traditional payment instruments. Under MiCA, e-money tokens are regulated in a manner similar to electronic money issued by e-money institutions. Issuers are required to obtain authorisation as a credit institution or electronic money institution and must comply with applicable capital, safeguarding and operational requirements.
• Other crypto-assets include a broad category of digital assets that do not qualify as asset-referenced tokens or e-money tokens. This category commonly includes utility tokens, which provide access to a specific product or service. Under MiCA, these assets are subject to a more flexible regulatory approach that reflects their diverse characteristics and use cases. For example, issuers of certain utility tokens may be required to prepare and publish a crypto-asset white paper and comply with transparency obligations.

NFTs are generally excluded from the scope of MiCA when they are genuinely unique and non-fungible, although collections or fractionalised NFTs may fall within the regulation.

Estonian, as well as European regulation of blockchain asset issuance, relies on MiCA regulation. Issuers of certain assets must prepare and publish a crypto-asset white paper disclosing information, in particular, about the project, risks, investor rights, mandatory warnings about the asset, and notify the regulatory authority. For asset-referenced tokens and e-money tokens, the rules are stricter, and companies must apply to Finantsinspektsioon for permission before making a public offering.

For blockchain assets with the characteristics of financial instruments, financial regulation rules apply, including the preparation of the issuance process.

The tokenisation of real assets in Estonia faces common challenges, mainly related to the determination of property rights and the application of legislation, as well as the need to make changes to registers and other matters in the event of a change in tokens without an automatic format.

The regulation of blockchain asset trading platforms in Estonia, as in the EU in general, is mainly determined by MiCA regulation. Platforms that organise trading fall under Class 3 crypto regulation and require a CASP licence from Finantsinspektsioon. Licensed platforms must strictly comply with requirements, in particular regarding trading transparency, protection of client assets, AML/CFT control, and risk management. The same rules apply to secondary market trading through intermediaries; and in the case of peer-to-peer transactions without the involvement of a licensed provider, regulatory control is limited, but transactions may still be indirectly subject to sanctions and AML requirements.

Estonia here relies on the European Securities and Markets Authority (ESMA) clarification of the staking activity. In its narrow meaning, staking is the process of immobilising crypto-assets to support the operations of proof-of-stake and proof-of-stake-like blockchain consensus mechanisms in exchange for the granting of validator privileges that can generate block rewards. MiCA does not contain provisions specific to staking. It does not therefore prohibit staking, and staking as such is not subject to specific requirements or licensing.

As opposed to staking, where crypto-asset holders engage themselves directly on a proprietary basis with the distributed ledger protocol to stake their assets to obtain validator privileges and eventually collect associated block rewards, or where they commit their assets to a liquidity pool in return for a yield, staking services (also referred to as staking-as-a-service) are provided to clients for a consideration by intermediaries that undertake to stake the clients’ crypto-assets on their behalf. The staking service provider will collect the yield or obtain the validator privileges allowing them to earn block rewards. This yield or these block rewards are then distributed between the service provider, as consideration for their service (staking the assets on the client’s behalf, exercising validator obligations and collecting the block rewards, etc), and the staking service provider’s clients, who are the ultimate owners of the crypto-assets that are staked.

In the provision of staking services the crypto-assets, or the private keys giving access to them, are held by the staking service provider in custody. Thus, the provision of staking services is ancillary to custody services which are fully covered under MiCA. The provision of staking services therefore requires that the crypto-asset staking service provider is authorised under MiCA to provide custody and administration of crypto-assets on behalf of clients, as set out in Article 75 of MiCA. In offering and providing the staking services, the service provider must meet at all times the requirements set out in MiCA incumbent on entities authorised for the provision of custody and administration of six crypto-assets on behalf of clients (in particular Articles 59, 62, 66 and 67 to 75 of MiCA including but not limited to concluding agreements that specify duties and responsibilities, segregating customer assets from the service provider’s estate, minimising the risk of loss, liability for loss of crypto-assets, etc).

In particular, it follows from these obligations that, where staking services are provided in combination with the provision of custody, crypto-asset service providers (CASPs) should ensure that the assets held on behalf of clients can be returned to the clients in accordance with the custody agreement. CASPs should also remain liable to their clients for any loss of crypto-assets attributable to them, pursuant to Article 75(8) of MiCA. Losses of crypto-assets stemming from the provision of staking services provided to the client, and from the underlying staking activity itself, should be deemed as attributable to the CASP.

Where staking services are provided in combination with any other crypto-asset services governed by MiCA, CASPs should obtain an explicit consent from the clients to stake their crypto-assets, as it may have an impact on their clients’ ability to access them.

Estonia, in accordance with the MiCA framework, does not specify separate regulations for the provision of lending services for crypto-assets. Similarly, if the services involve the storage or management of clients’ crypto-assets, the activity may be subject to regulation and require a CASP licence from the competent regulator.

Cryptocurrency derivatives in Estonia are generally considered financial instruments if their nature and structure meet the definition under EU legislation – ie, regulations applicable to financial instruments may apply, and companies must obtain an investment firm licence and comply with risk management, investor protection, trading transparency and best execution requirements. As specified in the MiCA regulation, its scope does not include assets that are already financial instruments.

Currently, Estonia does not have separate DeFi regulations, and business activities are assessed according to the EU principle of “same activity, same regulation”. This means that, regardless of the type of business, if it conducts regulated activities (trades in crypto-assets, provides custody services, executes orders), such activities will fall under the scope of MiCA and require a CASP in Estonia; or, in the case of offering tokenised securities, financial regulation, in particular MiFID II, will apply.

In other words, providers cannot avoid regulation by referring solely to the absence of a formal intermediary, because as long as there is a person or structure that controls or administers the service, Finantsinspektsioon will consider it a provider of services subject to regulation.

Funds in Estonia that invest in blockchain assets are subject to regulation depending on the nature of the assets themselves and their legal nature. For investment funds that invest in securities, European regulations on licensing, risk management, disclosure and investor protection will apply. For crypto-assets that are not financial instruments, MiCA requirements must also be taken into account, especially for the storage of crypto-assets or the use of licensed CASP providers’ services.

The concept of virtual currencies and the broader concept of blockchain assets are treated differently in Estonia, reflecting the development of the EU regulatory framework. Prior to the introduction of MiCA in the country, the term “virtual currency” was mainly considered in the context of AML/CFT regulation, with an emphasis on the storage and exchange of cryptocurrencies.

Today, after the implementation of MiCA, Estonia uses the concept of crypto-assets, which includes, as mentioned earlier, asset-referenced tokens, e-money tokens and other crypto-assets. Therefore, it can be said that virtual currency is usually considered a subcategory of crypto-assets, while blockchain assets are a broader technological concept that may include tokenised assets or other digital representations of rights.

As mentioned earlier, Estonia has implemented the pan-European MiCA regulation, which regulates crypto-assets and excludes NFTs from its scope. Accordingly, NFTs and NFT platforms are not directly included in the financial regulatory perimeter if they represent unique and non-fungible digital assets that are not used as an investment or payment instrument.

It should be noted that the regulatory assessment will depend on the actual function of the asset. If, for example, an NFT is used as an investment product, a shared asset or a tokenised financial instrument, it will still be subject to MiCA or MiFID II regulations – ie, it all depends on the nature of the asset. NFT platforms may also be subject to regulation if their activities involve intermediation in financial services or other regulated activities.        

Following the introduction of MiCA into Estonia’s regulatory framework, stablecoins are subject to this regulation. According to the MiCA definition, stablecoins fall under asset-referenced tokens (ART) and e-money tokens (EMT) and are therefore subject to the same regulatory features as in other EU countries.

It should be noted that stablecoin issuers must be licensed as EMIs and supervised by Finantsinspektsioon. In addition, stablecoins must be fully backed by high-quality liquid reserves in Europe, and, among other things, issuers are required to publish periodic reports on their reserves and ensure external audits of their assets.

The development of open banking in Estonia is largely supported and implemented in accordance with EU law, in particular PSD2, which requires banks to open up customer data to third-party providers. The adoption of the regulation has had a positive impact on the development of the fintech sector in the country, creating opportunities for new businesses involving the aggregation of financial data, innovative financial management tools or alternative payment services. It should be noted that, for regulated banks, the implementation of PSD2 was both a challenge in terms of opening APIs and an opportunity, as, following its phased implementation, there has been a significant increase in transaction volumes, and players can provide a wider range of services and meet customer needs.

Open banking has created a number of opportunities, but it has also given rise to data security challenges. Estonian fintech providers seek to address cybersecurity and privacy issues by complying with established supranational standards, including PSD2 (also in terms of strong customer authentication) and GDPR, which stipulate that access to banking data is provided exclusively through secure APIs and with the customer’s consent.

The most commonly used methods are multi-factor authentication, data encryption, access monitoring, and incident management and resolution procedures, which are implemented by banks and require compliance by fintech companies. DORA requirements also strengthen cybersecurity and infrastructure management controls, which are key to building trust in open banking.

Most often, fraud in the fintech sector in Estonia is associated with deliberate deception for financial gain, resulting in property damage to individuals. Common types of fraud include fraudulent investment offers, manipulation of digital assets, phishing schemes, and misuse of payment instruments. Estonia is combating these crimes and trying to prevent them, in particular by monitoring transactions, implementing AML/KYC mechanisms and ensuring that licensed companies comply with legal requirements.

Estonian regulators and other authorities involved in preventing and investigating fraudulent schemes pay particular attention to phishing, account takeover, payment card fraud, crypto-investment schemes and authorised push-payment (APP) fraud, where customers independently initiate payments under the influence of fraudulent schemes. Finantsinspektsioon and other supervisory authorities supervise fintech providers to ensure the implementation of effective mechanisms for transaction monitoring, fraud detection and customer awareness in order to reduce the level of fraud in the fintech sector.

The liability of fintech providers in Estonia will depend directly on the nature of the services and the applicable regime (eg, if an unauthorised payment transaction has been made, the provider must reimburse the customer for the amount of the transaction, unless the customer acted fraudulently or with gross negligence). For fintech services, business liability will arise in the event of a breach of proper order execution, risk management or disclosure of information. It is important to understand in this context that contractual terms, standards of due diligence and consumer protection requirements can vary significantly for different services.