Disclaimer: This chapter was last updated on 20 June 2025 and does not reflect any subsequent developments. The information provided is intended for general informational purposes and should not be construed as legal advice.

1. How is crypto regulated?

The provision of one or more crypto-asset services as detailed in Article 3(1)(16) Regulation (EU) 2023/1114 on Markets in Crypto-Assets (“MiCAR”) requires (i) authorisation by the Austrian Financial Market Authority (“FMA”) if Austria is the home Member State or (ii) passporting of the MiCAR license obtained in another Member State into Austria.

A “crypto-asset” is defined in Article 3(1)(5) MiCAR as a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology (DLT) or similar technology. This includes:

  • asset-referenced tokens pursuant to Article 3(1)(6) MiCAR;
  • electronic money tokens pursuant to Article 3(1)(7) MiCAR;
  • other crypto-assets pursuant to Article 3(1)(9) MiCAR.

The MiCAR framework, however, does not cover crypto-assets that fall under an existing legal framework, e.g. under capital market or financial services supervisory law as stated in Article 2(4) MiCAR (for example, MiCAR is not applicable to Security Tokens / [tokenized] financial instruments as defined by Directive 2014/65/EU (MiFID II; Markets in Financial Instruments Directive)). Also, non-fungible tokens (NFTs) are in principle not covered by MiCAR unless they are part of a larger fungible series or collection, in which case they might be treated as regulated crypto-assets.

Crypto-asset service providers licensed under MiCAR in Austria (“CASPs”) are so-called obliged entities under AML/KYC laws and thus subject to the Austrian Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz). CASPs are required to comply with applicable regulations regarding the prevention of money laundering and terrorist financing and to demonstrate their compliance.

2. What are the steps taken by the regulator to adopt MiCAR?

Austria’s MiCAR Enforcement Act (MiCA-Verordnung-Vollzugsgesetz) is the national law that gives MiCAR practical effect within Austria. It was passed by the National Council on 3 July 2024 and came into force on 20 July 2024, designating the FMA as the competent supervisory authority for all crypto-asset activities in Austria. Hence, Austria was amongst the first jurisdictions to implement a MiCAR-compliant framework, and the FMA took applications as of the end of 2024.

FMA Guidance: Recent guidance published on the FMA’s website provides a detailed overview of its authorisation expectations and supervisory approach, emphasising that interested applicants should begin discussions with the regulator early. Specifically, the FMA suggests that companies already planning to seek authorisation should arrange a preliminary meeting (for which an Excel-based questionnaire and initial business documentation must be submitted) as soon as practicable, ensuring they provide sufficient information about their organisational structure, proposed business model, and any relevant documentation requested by the FMA. The FMA’s goal is not only to clarify its requirements regarding the content and quality of application submissions, but also to confirm the suitability of an applicant’s internal governance.

In addition, applicants must be prepared to demonstrate robust compliance measures against money laundering and terrorist financing. Given that thorough documentation will be required, applicants should have well-developed internal controls and risk assessment procedures, as well as suitably qualified and trustworthy personnel to serve as anti-money laundering officers and their deputies. Through these measures, the FMA underscores Austria’s commitment to ensuring a secure environment for crypto-asset operations. Prospective CASPs are therefore encouraged to prioritise early planning, thorough preparation, and strong adherence to anti-money laundering and counter-terrorism financing obligations in order to successfully navigate the authorisation process under MiCAR.

3. Are the following activities regulated or unregulated in your jurisdiction? Direct sales of tokens by issuers; exchange (buy/sell); custody (hold); borrowing/lending; yield/staking services; staking on proof-of-stake consensus mechanisms. (Please indicate if NFTs are treated differently from fungible cryptoassets for each activity.)

The following services are regulated under MiCAR if the tokens fall within MiCAR’s scope (i.e., ARTs, EMTs, or other crypto-assets). We refer to the general (non-country-specific) chapter of this guide.

In the following, we want to briefly highlight Austrian specifics:

  • Direct sales of tokens by issuers:
    • Regulated under applicable capital markets laws / financial services laws if the tokens qualify as tokenized financial instruments; the typical MiFID II regime is applicable
  • Exchange (buy/sell):
    • Regulated under applicable capital markets laws / financial services laws if the tokens qualify as tokenized financial instruments; the typical MiFID II regime is applicable
  • Custody (hold):
    • Regulated under applicable capital markets laws / financial services laws if the tokens qualify as tokenized financial instruments; the typical MiFID II regime is applicable
  • Borrowing/lending:
    • Borrowing / lending must be distinguished:
      • Borrowing / lending of cash by CASPs or "crypto funds" is regulated as a banking service and requires a banking license under the Austrian Banking Act (BWG), unless specific exemptions apply (to be scrutinized on a case-by-case basis)
      • Borrowing / lending of crypto assets that fall under MiCAR is not specifically regulated in Austria
      • Borrowing / lending of tokenized financial instruments, e.g. Security Tokens, is subject to applicable capital markets laws / financial services laws to the extent that borrowing / lending financial instruments per se is regulated
      • Borrowing / lending if structured as pooled investment products may be subject to the Austrian Alternative Investment Fund Managers Act (AIFMG)
  • Yield/staking services:
    • Yielding/staking, which involves the process of immobilising crypto-assets to support the operations of proof-of-stake and proof-of-stake-like blockchain consensus mechanisms in exchange for the granting of validator privileges that can generate block rewards, is not explicitly regulated under Austrian law.
    • Depending on the exact business model, regard must be had to ensuring that no regulated services are provided (e.g. certain business models may qualify as an AIF if the business model involves some sort of fund raising by the service provider)
  • Staking on proof of stake consensus mechanisms:
    • Although staking under proof-of-stake consensus mechanisms is not explicitly classified as a regulated service under MiCAR, providers offering staking services on behalf of clients must obtain a license to provide custody and administration services if they hold clients’ crypto-assets in custody.
  • NFTs:
    • NFTs are not generally regulated under Austrian law.
    • Regard must be had to whether the NFT also has aspects of a Security Token, in which case "traditional" capital markets and financial services supervisory laws would apply.

4. Can offshore businesses provide services to local customers on either an active solicitation or a reverse solicitation basis?

Active solicitation: the permissibility of active solicitation (meaning any form of marketing, promotion, advertising, or outreach) of Austrian clients needs to be scrutinized carefully, as Austria is known for a relatively strict regulatory approach, in particular if solicitation towards consumers is envisaged. To the extent that the activities are covered by MiCAR, the permissibility of active solicitation is subject to the rules of MiCAR. To the extent MiCAR does not apply, the permissibility is subject to "traditional" capital markets or financial services laws as well as the general requirement to obtain a trade license for any kind of commercial business conducted in Austria (under consideration, of course, of the Freedom of Services on a strictly temporary basis). What constitutes active solicitation of Austrian clients is to be determined on a case-by-case basis, but can already be assumed in the case of, e.g., running German-language websites or advertisements, or using Austrian influencers or affiliates. The FMA is particularly vigilant in enforcing these rules and has a history of publishing warnings and taking action against unlicensed market participants subject to license requirements.

Reverse solicitation (where the Austrian client independently approaches the offshore firm without any prior solicitation) may be tolerated in very limited circumstances. However, this exemption is interpreted very narrowly by the FMA. It applies only if the customer initiates contact on their own, without having been influenced by any form of targeted marketing. Even then, the FMA evaluates the substance over the form: if the business appears to have tailored its services to the Austrian market (e.g., through language, pricing, or interface), it may still be considered active solicitation regardless of disclaimers.

5. How long would establishing a cryptoasset business / obtaining a licence in your jurisdiction take?

As part of CASP authorisation procedures, applicants must submit extensive documentation and information about the proposed business model, and the FMA in turn conducts comprehensive supervisory review steps and procedures. Such supervisory procedures usually take several months. Bybit was able to achieve its MiCAR authorization in Austria in approx. 4-5 months.

The actual duration of a formal authorisation procedure essentially depends on the quality of the authorisation application, the documents submitted, the complexity of the corporate structure of the applicant and the underlying business model, as well as any changes that the applicant is required to make to the planned business model as part of the procedure.

6. What would be the approximate overall cost of obtaining a licence?

The cost of obtaining a MiCAR license in Austria will vary depending on the specific services offered and the complexity of the application. The following items summarize the main cost drivers:

Application Fees: Fees (independent of the outcome of the procedure) are payable for the conduct of the authorisation procedure and, if authorisation is granted, fees are payable in accordance with the FMA Fee Regulation (FMA-Gebührenverordnung).

Legal and Compliance Costs: These are likely to be a significant expense, as they involve setting up the legal structure of the company, drafting necessary policies (like AML/KYC procedures), and ensuring compliance with MiCAR requirements.

IT Security Costs: Depending on the nature of the services, particularly if the company will be operating an exchange or dealing with digital wallets, there will be costs associated with ensuring the security of the systems and data (i.e., requirements under DORA).

Ongoing Compliance Costs: Once licensed, there will be ongoing costs for maintaining compliance with MiCAR regulations and reporting requirements.

7. What is the probability (%) of success in obtaining a licence?

The possibility of obtaining a licence is difficult to estimate, but the following factors are likely to be influential:

  • whether all the required documents have been submitted correctly;
  • the strength of the applicant’s business plan and model;
  • whether the applicant can demonstrate a robust internal organizational set-up, including having established or being able to demonstrate that proper human resources will be available to the applicant; and
  • the applicant’s adherence to Austrian AML/CTF laws, thorough policies, and fit-and-proper management and MLRO.

8. What other limitations are there in your jurisdiction when looking to set up a cryptoasset business? E.g., Compliance requirements and physical presence

Austrian consumer protection laws need to be complied with.

Further, depending on whether the tokens / business model(s) are covered by MiCAR or, as the case may be, "traditional" capital markets / financial supervisory laws, compliance and other requirements may apply. E.g. if financial services are provided in relation to financial instruments, a proper MiFID II set-up will be required.