Applying for MiCA Licence in Estonia: Lessons Learned and Practical Guidance.

The European Union’s Markets in Crypto-Assets Regulation (MiCA) introduces a harmonised licensing framework for crypto-asset service providers (CASPs) across all Member States. For applicants, one of the most decisive success factors lies in the quality and completeness of submitted documentation.

Supervisory authorities across Europe expect more than compliance “templates” — they require documentation that reflects the actual governance, operations, and risk management practices of the applicant. Poorly prepared applications risk lengthy delays, repeated regulator queries, or even rejection.

I recently attended an excellent hands-on event organized by the Estonian Web3 Chamber, focused on providing practical guidance on applying for a MiCA license, among other topics. Representatives from the Finantsinspektsioon (Estonian Financial Supervision Authority) shared key insights based on their interactions with prospective applicants.

Below, we outline the key focus areas for CASPs preparing their MiCA licence applications, with practical insights on how to align with supervisory expectations.

1. Document Quality: More Than Paperwork

Documentation forms the foundation of the licensing process. High-quality, tailored materials send a clear message to regulators: the applicant is credible, transparent, and operationally ready.

• Internal Policies: These must describe actual business practices. For example, procedures on management selection, client asset handling, or accounting cannot simply restate legal requirements. Instead, they should explain how the company genuinely applies these principles in practice.

• Clarity and Accessibility: Regulators value straightforward documents without unnecessary cross-referencing. Each requirement should be addressed clearly within the application package.

• Application Forms: FI questionnaires or supervisory forms should be incorporated already in the initial submission to avoid unnecessary delays.

• Accounting Policies: Financial rules must reflect the applicant’s business model. CASPs, in particular, need to include specific procedures for client asset safeguarding, custody, and supervisory oversight.

2. The Licensing Procedure: Step by Step

Understanding the procedural flow is essential for planning resources and timelines.

• Pre-Application Phase: This stage provides valuable insight into potential “red flags.” Applicants should identify risk areas early, address supervisory concerns, and adjust their application before formal submission.

• Completeness Check: Once submitted, the regulator will verify whether the application includes all required documents and information. Only then does the substantive assessment begin.

• Administrative Decision: Upon confirming completeness, the supervisory authority issues a formal act, initiating the evaluation of the applicant’s business model, governance, and risk management framework.

3. Core Areas of Supervisory Assessment Organisation and Governance

• Substantial Local Nexus: Applicants must demonstrate a meaningful connection to the licensing Member State. While service delivery may be cross-border, governance and decision-making should remain anchored locally.

• Risk Officer Location: Regulators often expect the risk officer to be based in the licensing jurisdiction, ensuring close oversight.

• Passporting Strategy: Applicants should specify which EU countries they intend to passport services to, providing clarity on future expansion.

4. Risk Management

• Holistic Approach: MiCA requires risk frameworks that go beyond AML and CTF risks. Operational, market, IT, and strategic risks must all be addressed.

• Adequate Resources: A competent, well-resourced team is indispensable for robust risk management.

• Three Lines of Defence: Organisations should clearly separate business risk ownership, monitoring functions, and independent assurance.

• Transparent Reporting: Risk escalation processes and accountability structures must be fully documented.

5. Group Structure and Outsourcing

• Simplification Over Complexity: Complex, multi-layered structures raise supervisory concerns, particularly when combined with extensive outsourcing.

• Accountability Retained: Outsourcing arrangements are permitted but do not transfer responsibility. The licensed entity must demonstrate active oversight and quality control.

6. Capital Requirements for MiCA Licence in Estonia

• Asset Segregation: Client assets must be ring-fenced from company funds. Separate accounts and wallets should clearly demonstrate segregation.

• Cash and Custody Practices: Company liquidity, operational capital, and client funds should all be maintained in distinct accounts.

• Financial Projections:

  • Provide realistic 3-year forecasts, including detailed assumptions.

  • Incorporate stress tests and adverse scenarios to demonstrate resilience.

  • Outline contingency measures for extreme market conditions.

  • Regulators may request quarterly projections to test robustness.

• Own Funds and Buffers: Own fund requirements under MiCA must be calculated accurately, avoiding logical or technical inconsistencies.

7. IT Systems and DORA Compliance

• Demonstrable Readiness: IT systems should be fully operational, not theoretical or under development, at the time of licensing.

• Evidence of Compliance: Certificates, independent audits, penetration testing results, and resilience assessments should be submitted at the outset.

• Governance and Oversight: Even if IT is outsourced, the management board must include members capable of understanding and supervising IT operations.

• Authentication and Cybersecurity: Regulators will expect a clear explanation of how client authentication and data protection are ensured.

8. Management and Shareholder Competence

• Competent Leadership: Both management and supervisory boards must demonstrate adequate skills, independence, and a clear understanding of their roles.

• Local Representation: Having at least one board member with local (e.g., Estonian) experience reinforces the applicant’s credibility.

• Conflict of Interest Management: Lawyers joining management boards should suspend their legal practice to avoid conflicts, while supervisory board positions allow more flexibility.

• Auditor Confirmation: Independent auditors should confirm the absence of conflicts of interest.

9. Combined Licensing and Payment Services

• Certain business models may require a MiCA licence in combination with a payment institution licence.

• The European Banking Authority (EBA) has issued guidelines clarifying when dual licensing applies.

• Applicants should carefully assess whether direct SEPA or TARGET2 access will affect licensing requirements.

Final Thoughts

A MiCA licence application is far more than a regulatory formality. It is a comprehensive demonstration of governance, operational capacity, and risk awareness. Regulators seek assurance that the applicant is not only compliant on paper but also capable of responsibly managing client assets and safeguarding financial stability in practice.

For CASPs, the challenge — and opportunity — lies in preparing high-quality, business-specific documentation that reflects genuine practices, supported by a governance and risk management framework built to withstand regulatory scrutiny.

At the end of the day, successful applications are those that combine authenticity, transparency, and strategic foresight — positioning CASPs for sustainable growth within the European digital asset ecosystem.

Why Estonia?

Estonia continues to stand out as one of the most attractive jurisdictions for obtaining a MiCA licence. With a strong digital infrastructure, forward-thinking regulatory environment, and experienced supervisory authorities, Estonia offers a practical and supportive setting for innovative CASPs seeking to establish and scale operations across the EU.

👉 Contact us for guidance on your MiCA application and discover why Estonia remains one of the best entry points into the European digital asset market.