Baltic Fintech Legal Outlook

Estonia holds a backlog of being the “go-to” jurisdiction for obtaining VASP licensing (Estonia used to have more than 2000 VASPs) as well as the jurisdiction to go for during the ICO boom. However, during the last years the rules were tightened and the VASPs needed to go through re-licensing. As of February 2025, there have remained a bit more than 40 VASPs in Estonia. It can be assumed that smaller or less-compliant VASPs may not meet the requirements under MiCAR and therefore need to exit the market. However, larger and more sophisticated crypto-asset service providers that successfully adapt to the new requirements from MiCAR and obtain the CASP license will benefit significantly from enhanced credibility and access to a larger EU market.

During 2017–2018, when the ICOs were at their peak in the world, Estonia was the jurisdiction companies often chose for conducting their ICOs. The lack of legislative prohibitions or straight-cut rules was intentional so as not to interfere with technological development. It was believed that Estonia was the pioneer for adopting requirements for crypto services, which added an additional layer of trust for ICO investors. Although MiCAR introduces rules for the issuance of crypto-assets, it can be assumed that it will not become that popular as a capital acquisition option in Estonia.

In relation to the application of MiCAR, Estonia introduced its Act for Markets in Crypto-Assets (AMCA) in June 2024. The regulation in AMCA was to be expected for some time and did not introduce anything revolutionary. However, some aspects are to be noted by companies intending to apply for a crypto-asset service provider’s license in Estonia.

• Estonia applies a maximum transition period for VASPs. VASPs in Estonia may operate under their current license until 1 July 2026. After this date they are allowed to keep operating only if they have obtained a CASP license under MiCAR. Applying the maximum transition period in Estonia seems wise as the practice from previous re-licensing processes have shown that the proceedings could be lengthy.
• Estonia has not foreseen a simplified transition for companies operating under a VASP license. As the VASPs in Estonia have been subject to more stringent requirements, it was expected that there would be adapted rules for a simplified transition, especially in light of the VASPs in Estonia having gone through the re-licensing process during the last few years. However, no simplified transition is foreseen.
• AMCA has introduced quantitative requirements to the management bodies of the CASP. CASPs in Estonia need to have a two-member management board and usually also a three-member supervisory board. This will impose challenges for the VASPs who have until now been often operating with a one-member management board. Considering that the members of the management bodies need to also have the necessary qualifications and at least some of the members of the management body need to be Estonians or at least have resided in Estonia for a longer period, we see possible challenges in recruiting suitable candidates.
• CASPs in Estonia fall under the supervision of the Estonian FSA. This would mean that the reference standard for supervision will be the financial institutions. Before submitting a license application to the Estonian FSA, it would be wise to start the process by meeting with the Estonian FSA, introducing the business plan and the managers (or at least part of them). The company should also be able to prove that their operations take place (at least partially) in Estonia. The Estonian FSA has already held introductory webinars for companies on how to prepare for licensing.

As part of AMCA, there have been no other guidelines adopted in Estonia by the competent authorities yet. Considering the amount of secondary legislation on the EU level for MiCAR, it is unlikely that any specific guidelines for CASPs will be adopted by local authorities (at least during the first years of MiCAR becoming applicable). Some licensing forms (e.g. for suitability assessments) have been put in place by the Estonian FSA for a long time, and most likely will be expanded to CASPs. Also, during 2025 some of the financial sector guidelines may be reviewed to become applicable also to the CASPs. Companies intending to receive CASP licensing in Estonia should familiarise themselves with the existing financial sector guidelines and practices of the competent authorities when preparing for the licensing process.

It can be expected that Estonian VASPs will start with CASP licensing already in 2025 (even though the transition period is long) and that their number will grow with time. This would be mainly driven from the fact that the CASP license can be passported throughout the EU and, thereby, would allow businesses to expand without regulatory uncertainty. Those aiming to receive the license by the end of the transition period (i.e. 1 July 2026) should submit the application in 2025, at the latest in the fourth quarter of 2025.

It is hard to predict the number of companies aiming to obtain the CASP license under MiCAR in Estonia on a first-time basis (e.g. foreign companies). Estonia has had a visible crypto-asset service provider ecosystem consisting not only of retail-oriented service providers but also sophisticated niche companies most likely identifying themselves more as DeepTech startups. Evident market knowledge shall reflect in regulator expertise and should provide an advantage when it comes to licensing. Companies intending to obtain a license in Estonia need a physical presence here and the market size of Estonia may become an issue. It can be assumed that in 2025, the focus in Estonia will be on the VASPs already operating in Estonia under the respective license.

Latvia is eager to establish itself as a key player in the cryptocurrency landscape, with both politicians and the supervisory authority actively encouraging CASPs to consider Latvia as their preferred jurisdiction for licensing, and they are backing their words with concrete actions:

• Supervisory fees payable by CASPs are said to be the best in the Baltics. Although models for calculation of the supervisory fees applied by various countries differ significantly and hence are difficult to compare, Latvian politicians acted upon calls by the industry (its most influential representative being the Latvian Blockchain Association (LBAA)) and agreed on a supervisory fee model that has a competitive edge over the ones applicable in Estonia and Lithuania. The supervisory fee is set in Latvia at up to 0.6% of gross CAS-related income (to be determined annually by the Bank of Latvia), but no less than 3000 EUR. The licensing fee is set at 2500 EUR for the CASP license.
• Innovation Centre and Regulatory Sandbox operated by the Bank of Latvia. The Latvian FSA, which for the CASPs will be the Bank of Latvia, has put in place various mechanisms to assist CASPs in entering the market. The regulatory sandbox can be used to test fintech ideas in real life. The innovation centre, on the other hand, offers practical help during the so-called pre-licensing stage via dedicated consultations by the employees of the Bank of Latvia. For additional information, check out fintechlatvia.eu.
• Access to the Bank of Latvia retail payment system (EKS) and SEPA: in a groundbreaking step, the Bank of Latvia has become the first jurisdiction to open access to its retail payment system EKS and hence also to SEPA to licensed payment service providers and thus also to CASPs who provide payment services.
• Payment of share capital in crypto and other developments. To popularise the usage of crypto, amendments to Latvian Commercial Law were recently adopted, making it possible to pay share capital of a company (any company, not just CASPs) by crypto. Discussions are also ongoing about the possible integration of CASPs providing crypto exchange services to the systems used for payment of taxes.
• The right to keep client’s funds in an account in the Bank of Latvia. In addition to granting access to the payment systems, the Bank of Latvia also wanted to provide an option for CASPs to keep a client’s funds in an account in the Bank of Latvia. Hence, a respective provision is even envisaged in the Latvian Law on Crypto-Asset Services (the LCAS). This innovative idea was struck down by the ECB as incompatible with the core role of central banks. Accordingly, the Bank of Latvia will be following the ECB’s policy on access to central bank accounts of July 2024, whereby only the moneys necessary for payment execution (settlement) may be placed in such an account with the remainder thereof being transferred to a bank for safekeeping. To this end, the local AML guidelines have been further revised to allow banks to adopt a more cooperative stance towards those engaged in the crypto sphere.
• No quotas for the licenses. Everyone that meets MiCAR requirements is welcome!

To supplement MiCAR, LCAS was adopted in the summer of 2024, with the ten brief articles thereunder focusing on establishing supervisory mandates and introducing the above-described competitive licensing and supervision fees. Other LCAS provisions of importance:

• Existing VASPs registered with the State Revenue Service may continue operations until 30 June 2025. Currently, there are less than 10 VASPs registered in Latvia, and only a few of them are believed to have viable business models and are hoping to continue their operations in a post-MiCAR environment.
• No simplified transition from being a VASP to a CASP. Considering that the pre-MiCAR registration regime in Latvia was rather relaxed, both existing VASPs and entities not previously subject to supervision will undergo an identical licensing process.
• No gold-plating. No significant local requirements in addition to MiCAR are introduced in Latvia. As for governance arrangements, CASPs will be entitled to follow the relatively straightforward two-tier legal set-up consisting of the shareholders and an executive board, noting however the need to adhere to the AML requirements enshrined in both MiCAR and the national legal framework calling for the appointment of dedicated AML officers.
• Latvian CASPs to be supervised by the Bank of Latvia. In light of the Bank of Latvia’s current role as the central supervisor of financial service providers, its mandate has been extended to encompass CASPs.

Lithuania is actively aligning its regulatory framework with MiCAR. With a reputation for efficient licensing processes and a forward-thinking approach to financial technologies, Lithuania has become a prominent jurisdiction for crypto-asset service providers seeking to operate under the unified EU framework.

Current virtual asset service providers (VASPs) are permitted to continue their operations under their existing licenses until 1 June 2025. After this date, all VASPs must transition to CASP licenses in order to maintain their operations. All applicants, including existing VASPs, must meet the full licensing criteria set by MiCAR.

The implementation of MiCAR presents several challenges for Lithuania’s crypto-asset sector, including:

• Operational adjustments: CASPs must meet MiCAR’s enhanced governance and operational resilience requirements. Applicants will need to demonstrate robust cybersecurity measures and adopt effective risk management practices.
• Local presence requirements: To qualify for a CASP license, firms must establish a substantial presence in Lithuania. This includes hiring qualified staff locally and ensuring key management positions are held by individuals with strong ties to Lithuania.
• Staffing and expertise: The demand for skilled professionals to manage CASPs’ operations and compliance responsibilities may exceed supply, potentially creating challenges for companies striving to meet MiCAR standards.

Implementation of MiCAR is expected to transform Lithuania’s crypto-asset landscape, shifting the focus towards more institutional and sophisticated market participants. While some smaller or less-compliant VASPs may exit the market, those that successfully adapt to the new requirements will benefit from enhanced credibility and greater market access.

The quality and compliance expectations set by the Bank of Lithuania are likely to be high. However, a positive development is that the Bank of Lithuania has already published CASP licensing forms and clearer guidelines for licensing documentation, providing market participants with more clarity on what to expect and what the regulatory authority expects from licensing applications. Companies planning to apply for CASP licenses are encouraged to begin their applications early, as the process is expected to become increasingly competitive as the 1 June 2025 deadline approaches.

Before DORA became applicable, financial institutions in Estonia not subject to the EBA guidelines had to apply the requirements from the Estonian FSA’s respective guidelines. However, both the Estonian FSA guidelines for the organisation of IT and information security and FSA guidelines on outsourcing were more general than the EBA guidelines and applied the “apply or explain” approach. In light of DORA, we assume that the Estonian FSA requirements on IT and information security remain applicable only to those financial institutions not under DORA (e.g. credit providers, credit intermediaries) in order to avoid duplication with DORA. Financial institutions should track possible amendments to stay compliant. It is, however, unlikely that Estonian competent authorities would hurry into issuing additional guidelines, as there are a number of second level regulations for DORA.

In 2024, financial institutions received the first inquiry from the Estonian competent authorities monitoring the status of implementing DORA. Whereby larger financial institutions had DORA implementation projects that had been ongoing for more than a year, smaller market participants (covering most of the fintech sector) started the implementation processes in 2024. In 2025, it is expected that the monitoring by the competent authorities will become more active by issuing new inquiries. It is therefore wise for fintech companies to prepare beforehand for inquiries by the competent authorities.

The Estonian FSA has published information on the important aspects of DORA that is worth reading for all market participants.

Before DORA became applicable, financial institutions in Latvia had to apply requirements set forth in the Latvian FSA’s regulations, including Regulation on management of IT and security risks, which, in light of DORA, ceased to apply from 17 January 2025.

There are, however, a number of Latvian legislative acts that will be relevant in the context of DORA. Thus, although DORA is a directly applicable EU legislative act and does not require transposition into the laws of the member states, some elements are further elaborated in Latvia’s draft Law on Digital Operational Resilience of Financial Markets. The Ministry of Justice has criticised the draft law, noting that, in addition to addressing supervision and penalties, it also regulates matters already covered by DORA. This overlap creates a risk of misinterpretation and incorrect application of DORA requirements. Fintech companies engaged in payment service provision should take note of the recently adopted Latvian FSA’s Regulation on outsourcing requirements for credit institutions, payment institutions and e-money institutions, which, although tailored to avoid duplication with the DORA requirements, will continue to apply.

During 2024, the Latvian FSA organised events aiming to raise awareness of the forthcoming DORA requirements, also highlighting that the current compliance status of the relevant financial institutions varies a lot. With operational resilience identified as one of the supervisory priorities by the Latvian FSA for 2024–2026, financial institutions should anticipate and prepare for reviews focusing on DORA compliance matters.

Before DORA regulation came into force, financial institutions in Lithuania were required to adhere to the rules established by the Bank of Lithuania, including the Resolution of the Board of the Bank of Lithuania on the “Description of Requirements for Information and Communication Technology and Security Risk Management”. The majority of the requirements under this resolution are set to be repealed, as its provisions have largely been incorporated into the DORA regulation and its accompanying technical standards. Currently, no additional local legislation is planned in Lithuania for the implementation of DORA.

A revision of the Bank of Lithuania’s outsourcing rules for financial market participants is also anticipated. While this resolution will remain in effect, its scope will be revised to exclude outsourcing agreements involving the transfer of ICT services to third parties, as such agreements will fall under the requirements of the DORA regulation.

Over the past two years, the Bank of Lithuania has actively prepared for the implementation of DORA. It has organised public consultations and events to raise awareness among financial market participants and clarify the upcoming requirements. Furthermore, the Bank of Lithuania is developing the REGATA reporting data management platform. This system is designed to improve data management and reduce administrative burdens by providing a unified channel for financial market participants to report ICT-related incidents and details on all ICT service providers and submit other regulatory notifications in relation to compliance with DORA requirements.

The use of AI solutions by Estonian financial institutions is becoming more and more popular, especially among fintech companies providing financial services online.

Estonia has been relatively active in relation to boosting the use of AI-based applications both in the public and private sector. In 2019, the Estonian government introduced an expert report (the so-called Kratt report) on how to advance the use of AI in the public and private sector. After this, Estonia has also introduced National AI Strategies for 2019–2021, for 2022–2023 and currently for 2024–2026. The National AI Strategies also introduced legal initiatives for regulating AI in Estonia. In light of the EU AI Act, these initiatives were redirected towards solving specific problems that needed to be regulated and were able to be regulated independently of the EU regulations. According to the National AI Strategy for 2024–2026, the aim is to support the implementation of the EU AI Act within Estonia, including establishing a supervisory framework for developing and using AI. However, Estonia’s specific legal initiatives on AI as well as the National AI Strategy for 2024–2026 establishing the goals for implementing EU regulation put little to no attention to the use of AI specifically in the financial sector.

This could also be the reason why Estonian competent authorities had not issued any guidelines addressing the usage of AI in the financial sector until now. It could be expected that more guidance will be given once there is a unified view on the implementation of the EU regulation. It is unlikely that such guidelines will be introduced during 2025. However, it can be assumed that, as the application of the EU AI Act is coming closer, the competent authorities will start preparing for supervision.

Fintech companies should therefore start reviewing what AI systems they already use and which AI systems they plan to implement before the EU AI Act becomes applicable. Also, fintech companies should analyse the requirements from the EU AI Act applicable to the use of such AI systems and prepare the action plan for becoming compliant. The action plan can be submitted to the competent authorities in the case of a respective inquiry.

As of now, there are no specific legislation or guidelines issued in Latvia with respect to AI. At the same time, the Latvian parliament has been discussing several legislative initiatives related to promoting the use of AI in Latvia, and thus it is expected that additional local legislation and/or guidelines on AI will be introduced in 2025.

The use of AI in the financial sector has been increasing exponentially. According to a survey conducted by the Bank of Latvia in the first half of 2024, 34 Latvian financial market participants are already using AI solutions in their work. According to the survey, AI solutions are used in all financial market segments, although the most frequent users are deemed to be investment brokerage companies, insurance companies and investment management companies.

Up until the adoption and coming into force of the EU AI Act, the Bank of Latvia has exercised limited supervision on the application of AI by financial institutions, and it is expected that as the application of the EU AI Act approaches, the competent authorities will increase the level of supervision going onwards.

Lithuania, as an EU member state, is preparing for the implementation of the EU AI Act by adapting to new requirements and promoting responsible AI use across various sectors, including public administration, the economy and the financial sector. The Ministry of Economy and Innovation is leading the implementation of the EU AI Act in Lithuania, working closely with institutions such as the Communications Regulatory Authority and the State Data Protection Inspectorate. National efforts include: a review of existing national laws (such as those related to data protection and consumer rights) to ensure alignment with the EU AI Act’s requirements, education and awareness initiatives and support for innovation.

In terms of areas where Lithuania could excel, the local fintech community increasingly views AI as a field with strong leadership potential. AI technologies are already being applied in Lithuania’s financial sector, particularly for enhancing risk assessment and fraud detection. For instance, financial institutions are using AI tools to ensure compliance with AML (anti-money laundering) and KYC (know-your-customer) requirements, thereby reducing administrative burdens and improving accuracy.

With the EU AI Act, fintech companies utilising artificial intelligence solutions will need to prepare for potential new regulations and compliance requirements specific to artificial intelligence.

There are no initiatives in Estonia regarding PSD3/PSR/FIDA.

There are no initiatives in Latvia regarding PSD3/PSR/FIDA.

There are no initiatives in Lithuania regarding PSD3/PSR/FIDA.

From the Estonian perspective the CCD II shall play an important role in reshaping the BNPL market. Offering BNPL schemes has been very popular in Estonia both among credit providers and other entities as it is a largely unregulated area and provides notable profit. After the CCD II, a number of these companies providing BNPL schemes currently in Estonia would most likely need to obtain a license in order to keep providing such services. Also, BNPL providers are required to apply to BNPL clients the same requirements that are applicable to ordinary consumer borrowers. Hence, the influence of the CCD II to the Estonian non-bank lender and therefore fintech market is considerable.

In Estonia, entities providing or intermediating consumer credit need to obtain a license from a competent authority. The process of and requirements for obtaining the license are comparable with those applicable to other financial institutions. Meanwhile, several other member states require only simple registration or authorisation from creditors / credit intermediaries. As the CCD II does not introduce a unified licensing regime for creditors / credit intermediaries, the entry barriers to the Estonian market remain higher for creditors / credit intermediaries than in several other member states.

In June 2024, the Ministry of Justice required feedback from parties affected by the CCD II on the implementation of the CCD II in Estonia. Credit providers and credit intermediaries (as well as companies providing BNPL schemes without a license) should keep themselves up to date in 2025 on the developments of implementing CCD II into the Estonian law.

Consumer lending is already subject to very strict regulatory requirements in Latvia, as set forth in the Consumer Rights Protection Law (CRPL), including capping the total cost of credit to consumers, mandating thorough creditworthiness checks and extensive restrictions on advertising. Nevertheless, it is expected that CCD II will have a considerable impact on lenders, most notably those who are currently exempt from licensing requirements in Latvia, e.g. companies providing increasingly popular BNPL schemes.

In 2024, a working group for the implementation of CCDII into Latvian law was set up by the Ministry of Economics, commencing its work with a discussion on possible exemptions from the scope of application of CCD II, including exclusion of certain credit agreements in the form of deferred debit cards.

The CCD II will play a significant role in reshaping the BNPL market in Lithuania, a service that has become increasingly popular across various industries, including e-commerce and telecommunications. Currently, many BNPL providers (among which there are notable fintech companies known for offering BNPL) operate in a regulatory grey area, as the service often falls outside the traditional scope of consumer credit regulations. After the CCD II, the companies providing BNPL schemes without a license would most likely need to obtain a consumer credit provider license. At the same time, the credit providers need to apply the same requirements to BNPL clients and to ordinary consumer borrowers.

As a result, the implementation of CCD II is expected to have a far-reaching impact on Lithuania’s non-bank lending and fintech sectors. The directive aims to strengthen consumer protections while fostering a level playing field, which could challenge existing business models and demand operational adjustments from both new and established BNPL providers in Lithuania.

The EU AML package will have a significant impact on the Estonian Money Laundering and Terrorist Financing Act (MLFTPA) and the guidelines of the competent authorities.

The legislator and the competent authorities shall soon start with the implementation processes and the obliged entities (including fintech companies) should closely monitor the proposed amendments to the MLFTPA and guidelines of the competent authorities.

The EU AML package will have a significant impact on the Latvian Law on Prevention of Money Laundering and Terrorism and Proliferation Financing (LPMLTPF) and the regulations issued by the supervisory authorities.

The legislator and the competent authorities will soon start with the implementation processes and the obliged entities (including fintech companies) should closely monitor the proposed amendments to the LPMLTPF and guidelines of the competent authorities.

The EU AML package will have a significant impact on the Law on the Prevention of Money Laundering and Terrorist Financing and the regulations issued by the supervisory authorities.

The legislator and the supervisory authorities will soon start with the implementation processes and the obliged entities (including fintech companies) should closely monitor the proposed amendments to the respective law and accompanying regulations and guidelines issued by the supervisory authorities.