Estonia Raises VASP Capital Requirements and Adds Audit Mandate
Between 2017 and 2020, Estonia issued over 1,400 virtual asset service provider licenses, making it the de facto licensing hub for crypto businesses that wanted an EU-adjacent regulatory stamp without heavy compliance burdens. That era is conclusively over. The latest amendments from Estonia's Financial Intelligence Unit raise the floor again, and most remaining licensees will need to decide whether staying is worth the cost.
The new requirements
Estonia's Financial Intelligence Unit (FIU) has implemented two major changes effective mid-2026. First, minimum capital requirements for VASPs increase to EUR 350,000 for custodial service providers and EUR 125,000 for non-custodial operators (exchange and transfer services only). Previously, the capital threshold sat at EUR 100,000 for most license categories, itself a significant increase from the near-zero requirements that existed before 2022.
Second, all licensed VASPs must now undergo mandatory annual external audits conducted by approved auditing firms. The audit must cover AML/CFT controls, customer fund segregation, cybersecurity protocols, and operational risk management. Audit reports must be submitted to the FIU within three months of the financial year end. This is not a checkbox exercise: the FIU has published detailed audit standards and reserves the right to require supplementary reviews if initial reports are deemed insufficient.
The attrition continues
Estonia's VASP population has already collapsed. From the peak of over 1,400 licenses, the FIU's tightening since 2020 reduced the count to roughly 100 by the end of 2024, and fewer than 70 as of early 2026. The new capital and audit requirements will push that number lower. Industry estimates suggest 15 to 25 additional licensees lack the capital reserves or operational maturity to meet the new thresholds, meaning Estonia could end 2026 with around 45 to 55 active VASP licenses.
This is by design. The FIU has been explicit that it prefers a smaller number of well-capitalized, properly governed VASPs over a large population of shell-like entities that used Estonian licenses primarily for marketing purposes. Many of the early licensees had no Estonian employees, no local office, and no meaningful connection to the country. They operated from other jurisdictions using the Estonian license as regulatory cover.
MiCA transition and what comes next
The timing matters because of MiCA (Markets in Crypto-Assets Regulation). Existing VASP licensees in EU member states can operate under transitional provisions until their national regulator implements MiCA authorization procedures. Estonia's transitional period runs through the end of 2026, after which all VASPs must hold a MiCA-compliant authorization to continue operating.
By raising capital requirements and mandating audits now, Estonia is effectively pre-screening its VASP population for MiCA readiness. Operators that cannot meet EUR 350,000 in capital will not survive MiCA's own capital requirements (EUR 50,000 to EUR 150,000 for crypto-asset service providers, with additional prudential requirements for custodial services). The audit mandate aligns with MiCA's governance and reporting obligations. In this light, Estonia's moves are less about national policy preferences and more about ensuring that licensees transitioning to MiCA authorization are not dead on arrival.
For crypto businesses currently licensed in Estonia, the calculation is straightforward. If you have genuine operations, adequate capital, and a compliance infrastructure capable of passing an external audit, stay and transition to MiCA. If your Estonian license was a flag of convenience with minimal local presence, the FIU has made clear you are not welcome. Lithuania, which also tightened its VASP rules but remains slightly less demanding on capital, may absorb some departing operators, though it faces its own MiCA transition pressures.
The broader signal is that EU member states are converging on higher VASP standards ahead of MiCA's full implementation. The race to the bottom that characterized European crypto licensing from 2017 to 2022 has reversed into a race toward credibility. Whether that produces a healthier industry or simply pushes activity to non-EU jurisdictions depends on how effectively the ESMA framework accommodates smaller operators once MiCA is fully operational.
Related Jurisdictions
Related Articles
South Africa FSCA Crypto Licensing: 300 Approved and Counting
South Africa's FSCA has licensed over 300 crypto asset service providers since 2023, making it the most mature crypto licensing regime in Africa. The process, the standards, and what it means for firms looking at the continent's largest financial market.
India Inches Toward Crypto Exchange Regulation Under SEBI
India's Finance Ministry, SEBI, and RBI are building a crypto regulatory framework ahead of the 2026-27 Budget. The discussion paper is out, the COINS Act sits unvoted, and 119 million holders await clarity. Here's what's happened versus what's been promised.
Nigeria SEC Implements Crypto Exchange Licensing Framework
Nigeria's Securities and Exchange Commission rolls out a formal crypto exchange licensing regime for Africa's largest digital asset market, setting capital thresholds that will reshape who can legally operate.
Malaysia Labuan Introduces Digital Asset License for Offshore Crypto Firms
Malaysia's Labuan Financial Services Authority creates a dedicated digital asset business license targeting offshore crypto operations, positioning the island as an Asia-Pacific alternative to Singapore and Hong Kong.