Daniel lives and pays tax in Spain. He invoices digital and professional services to Spanish and other EU clients through an Estonian OÜ. The company has no real team or office in Estonia, collections run through EU PSPs, and part of the cash stays outside Spain. That structure is not automatically wrong, but it does require accounts, reporting, and the tax story to be kept in very good order.
Quick summary
What you are seeing here
RiskMap can analyse much broader structures than this example: multi-entity setups, cross-ownership, international accounts and collections, reporting exposure, treaty logic, and evidence verification. This report shows how one case is delivered; it does not define the full scope of the engine.
What is really going on here
This is not simply ‘having a company in Estonia’. It is a Spanish tax resident using an Estonian OÜ to bill Spanish and EU clients, with money, accounts, and reporting trails that may already exist outside his direct control.
Where this can drift
The sensitive point is not only the foreign company. It is the combination of foreign accounts, PSP reporting, mixed EU client types, and a corporate story that must match what banks, registers, and the tax authority may see.
What deserves attention first
The first review should focus on the visible and objective layer: foreign balances, CRS, CESOP, B2B/B2C separation, beneficial owner data, and documentary consistency. If that base is not in order, more sophisticated legal arguments come too early.
What I would do next
I would use this map as preparation for a more tailored legal review on how the OÜ truly fits the case, instead of spending paid legal time rebuilding the structure from scratch.
Assets held outside Spain · Modelo 720 / RGAT art. 42 bis
What this means and why it affects you
This case is not only about an Estonian company. It is also about foreign accounts, balances, and collections controlled by a person who pays tax in Spain. That is why the Modelo 720 conversation comes first.
What to review first
List the personal accounts and the OÜ accounts where the founder appears as holder, authorised signatory, or beneficial owner, plus interests in foreign entities, with 31 December balances and Q4 average balances, and confirm whether the €50,000 threshold is exceeded in any Modelo 720 category.
When this usually matters
It should be reviewed in the annual look-back for the previous tax year, not left until the last moment.
Real risk if misaligned
If the filing duty existed and was missed, the issue is not only penalties. It also creates a mismatch against automatic exchange data. The key point is not one global threshold, but whether €50,000 is exceeded inside a specific reporting category; as a practical benchmark already used in the product, typical exposure can range from €300 to €20,000 depending on breach type and timing.
Who usually executes it
Usually prepared by your accountant with statements and ownership evidence; legal review helps if Spain may look through the OÜ balances.
CRS/FATCA · entity accounts and controlling persons
What this means and why it affects you
If the founder is tax resident in Spain but the account sits in Estonia or another EU jurisdiction, the case becomes not just a private story but also an international banking due-diligence story.
What to review first
Confirm how the OÜ is classified with banks and PSPs, which residence and controlling person data are on file, and whether that matches what is later declared in Spain.
When this usually matters
This is not tied to one filing date: it should be corrected before opening new accounts, renewing KYC, or switching payment providers.
Real risk if misaligned
The main problem here is inconsistency. Account ownership, beneficial owner data, tax residence, and tax filings all need to tell the same story.
Who usually executes it
Your team can gather KYC and account evidence; your accountant and tax lawyer review whether the classification and look-through risk are properly handled.
EU VAT · OSS and VIES validation
What this means and why it affects you
The business sells to Spanish and other EU clients. The usual mistake is not missing an invoice, but mixing B2B and B2C, skipping VIES checks where needed, or assuming everything can run through Estonia in one single way.
What to review first
Split B2B and B2C sales, validate VAT IDs where relevant, review whether OSS is required, and make sure accounting distinguishes the different flows correctly.
When this usually matters
This deserves review every quarter and before each VAT reporting cycle is closed.
Real risk if misaligned
When that separation fails, the usual result is a chain of corrections, interest, and operational rework rather than one single dramatic event.
Who usually executes it
Usually manageable by your VAT advisor if the transaction detail is clean; hybrid or messy flows deserve extra review.
Cross-border collections · CESOP and PSP reporting
What this means and why it affects you
If the OÜ collects from Spanish and EU clients through EU payment providers, visibility does not depend on whether the founder later decides to explain the flow neatly in accounting.
What to review first
Export the quarterly PSP reports, reconcile net amounts, refunds, and incidents, and confirm that the same picture reaches books, VAT work, and internal reporting.
When this usually matters
Best reviewed at each quarter-end rather than only at year-end.
Real risk if misaligned
If the provider sees one set of figures and your accounting tells another story, the case becomes more visible and more expensive to defend.
Who usually executes it
Finance or the founder can lead the export and reconciliation; the accountant validates consistency with the tax side.
Beneficial owner · AMLD5 and UBO register
What this means and why it affects you
In a structure with a founder in Spain and a company in Estonia, the beneficial-owner register stops being a remote admin step and becomes a core consistency document.
What to review first
Confirm that the >25% beneficial owner is current, that the ownership chain matches bank onboarding, and that different providers are not holding contradictory versions of the structure.
When this usually matters
It must stay updated throughout the company’s life, not only on day one.
Real risk if misaligned
When registry, bank, and tax story do not match, operational friction rises sharply even before any formal audit begins.
Who usually executes it
This can often be cleaned up with the corporate provider and the founder; complex chains or recent changes deserve legal review.
Customer data · GDPR
What this means and why it affects you
Small businesses often ignore this front because it feels secondary, but once everything runs through SaaS tools, PSPs, and CRMs, it becomes part of the documentary perimeter of the business.
What to review first
Create a simple map of where customer data lives, who accesses it, how long it is kept, and whether billing, support, and payment tools follow the same retention logic.
When this usually matters
Best resolved before growth, delegation, or major tool-stack changes.
Real risk if misaligned
This is not usually the biggest tax cost, but it is a frequent source of disorder and uncomfortable questions in serious compliance reviews.
Who usually executes it
The founder can usually organize it operationally; an advisor checks whether the minimum documentary layer is adequate.
The relevant point is not only what you file yourself, but which data third parties are already producing about collections, accounts, and the company structure.
Payment provider
If customers pay through Stripe or another EU PSP, the provider is already building a cross-border trail of collections and beneficiary data.
Reporting chain
Typical chain: EU PSP -> PSP home authority -> CESOP exchange across the EU -> cross-check against books and filings of the beneficiary.
Why it matters
If accounting, VAT work, and collections do not tell the same story, the case becomes much easier to surface and review.
Bank or fintech account
Financial accounts may report holders, controlling persons, balances, and some returns under CRS/FATCA frameworks.
Reporting chain
Typical chain: bank/fintech -> account-country authority -> authority of the relevant residence country of the holder or UBO.
Why it matters
That is why “the account is in Estonia” is not enough; what matters is how it is classified, who is behind it, and whether the tax story matches.
Corporate register
The company also leaves a trail through its beneficial-owner and company-control records, which banks and providers then reuse in due diligence.
Reporting chain
Typical chain: company register / corporate provider -> bank / PSP / advisor -> AML and documentary consistency checks.
Why it matters
If the control chain changes depending on which counterparty looks at it, the structure loses credibility very quickly.
First
Next
Once that is ordered
What has been checked
5 legal fronts reviewed before writing the explanation.
Which sources support the map
Official rules and frameworks already present in the platform to validate the legal basis of the example.
What I would still ask to see
The final useful conversation is how the real operating fit between Spain and Estonia looks once balances, VAT, UBO, and collections have been cleaned up.
Each front in this report was selected from rules and legal references that already exist inside the product and its legal repository.
BOE-A-2005-1716 · ES-Estonia treaty
Used as context to show that an Estonian company does not by itself remove the need to keep the Spain-Estonia tax story coherent.
Open original source →BOE-A-2013-954 · Order HAP/72/2013
Used to explain why foreign accounts, securities, interests, and other foreign-held assets remain one of the first filters when the tax resident lives in Spain.
Open original source →OECD · automatic exchange of information
Used to explain why company accounts and beneficial-owner data can produce international reporting and banking due diligence.
Open original source →EUR-Lex · AMLD5
Used to support the part of the map dealing with beneficial ownership and ownership-chain consistency.
Open original source →Directive (EU) 2020/284 + Regulation (EU) 2020/283
Used to explain why an EU PSP can end up building a detailed official picture of the business’s cross-border collections.
Open original source →If you later book an Expert Session, the lawyer starts from this same map and these same references instead of rebuilding the basics from scratch.