Estonia, the country that turned company formation into a frictionless online product and exported it to the world through e-Residency, is about to make one of its most-praised datasets harder to reach. As of 10 July 2025, the Ministry of Finance is ending fully public, anonymous access to beneficial-ownership data in the e-Business Register. Competent authorities and AML-obligated entities such as banks and notaries keep free, unlimited access. Everyone else — journalists, NGOs, researchers, curious citizens — must demonstrate a legitimate interest, and those without predefined rights must file a justified request rather than simply querying the register.
The change is not an Estonian idiosyncrasy. It is the direct downstream effect of a 2022 ruling from the Court of Justice of the EU and the bloc's new anti-money-laundering package, and on the law Estonia has essentially no choice. The interesting question is not whether Tallinn should comply — it must — but whether it will implement the access model in a way that preserves accountability or quietly recreates opacity.
What the law actually requires
On 22 November 2022, in Joined Cases C-37/20 and C-601/20 (WM and Sovim SA v Luxembourg Business Registers), the CJEU declared invalid the provision of the Fifth Anti-Money Laundering Directive that required member states to make beneficial-ownership information accessible to "any member of the general public." The Court held that blanket public access was a serious interference with the rights to private life and data protection under Articles 7 and 8 of the EU Charter, and that it was neither strictly necessary nor proportionate to the goal of fighting money laundering.
That judgment did not abolish transparency; it abolished indiscriminate transparency. The EU's 2024 AML package — the Sixth Anti-Money Laundering Directive (AMLD6) and the accompanying regulation — rebuilt access around legitimate interest. Authorities and obliged entities retain unlimited access. Crucially, for journalists, civil-society organisations and academics whose work connects to anti-money laundering or its predicate offences, AMLD6 presumes legitimate interest and calls for generalised access rather than case-by-case begging. The access provisions carried a transposition deadline of 10 July 2025 — exactly the date Estonia has chosen — with the broader register rules due by 10 July 2026.
Deputy Secretary General Evelyn Liivamägi framed the Estonian reform precisely in the Court's language: beneficial-ownership data "must be available to those who need it to perform their duties or to prevent money laundering, but it does not need to be unjustifiably public for everyone."
The strongest case for the old open register
Before criticising anything, the case for the prior regime deserves to be stated at full strength. Open beneficial-ownership registers are among the most effective anti-corruption tools of the past decade. Cross-border investigations into the Danske Bank Estonia scandal, Russian sanctions evasion, and countless shell-company networks were possible precisely because reporters could pull ownership chains without asking permission. For Estonia specifically, this matters more than for almost any other state: e-Residency lets non-residents register and run an EU company entirely online, and the programme's credibility depends on outsiders being able to verify that those companies are not anonymous laundering vehicles. Friction-free public scrutiny is part of what keeps the e-Residency brand from becoming a shell-company brand.
That is the genuine cost of the CJEU's logic, and the Court accepted it knowingly — it explicitly acknowledged that media and civil society have a legitimate interest in this data, while ruling that a right of access for literally everyone went too far.
Where Estonia could get this wrong
Proportionate regulation, our consistent position, means tailoring the restriction to the harm — here, the privacy of beneficial owners against indiscriminate, purposeless exposure — without sacrificing the accountability function. The CJEU struck the right balance in principle. The risk lives entirely in implementation.
The danger is procedural friction masquerading as a privacy safeguard. If a journalist or watchdog must file an individual, justified application — reportedly routed through the Tartu County Court's registry department — for each company or each query, the presumed-legitimate-interest principle in AMLD6 becomes a dead letter. Access that exists on paper but takes weeks and a court filing per lookup is functionally no access at all for the time-sensitive, network-mapping work that exposes laundering. The whole point of AMLD6's "generalised access" language is to avoid exactly this case-by-case gatekeeping.
The early EU evidence is not reassuring. Transparency International reports that after the 2025 deadline the European Commission opened infringement proceedings against 11 member states over incomplete transposition, and that among the 14 states with legitimate-interest regimes in place, criteria, procedures and fees vary wildly — from free to over €200 — with Ireland and Hungary outright rejecting access requests. A fragmented, fee-gated, court-mediated patchwork is the predictable failure mode, and it would hit Estonia's reputation hardest.
The proportionate path
Estonia should comply with the letter of the CJEU ruling and the spirit of AMLD6's presumption. That means a fast, low-friction accreditation track for journalists and registered NGOs — a one-time credential granting standing, programmatic API access rather than per-company petitions, no per-query court filing, and minimal or no fees for accredited public-interest users. The Tartu County Court route should be a fallback for contested cases, not the front door.
Estonia built its global reputation on the premise that digital government can be both private and transparent without trading one for the other. The e-Business Register is where that promise is now tested. Lock the data behind a court clerk and the country protects beneficial owners' privacy while quietly weakening the public scrutiny that makes its flagship digital-identity export worth trusting. Build a frictionless legitimate-interest lane and it can satisfy the Charter, the directive, and the watchdogs at once — which is exactly what proportionate regulation is supposed to deliver.