Crypto License in Austria

Austria as a Gateway to the EU Crypto Market

The dust has settled on the European Union’s landmark Markets in Crypto-Assets (MiCA) Regulation, and Austria has firmly established itself as a premier, compliant, and highly sought-after jurisdiction for global crypto businesses. The country’s commitment to regulatory clarity, driven by the Austrian Financial Market Authority (FMA), makes the MiCA Crypto-Asset Service Provider (CASP) License in Austria a strategic gateway to the entire EU single market. This extensive analysis serves as the definitive guide to obtaining a CASP license in Austria, detailing the transition from the national Virtual Asset Service Provider (VASP) registration to the comprehensive pan-European authorization framework. We will explore the stringent compliance requirements, the mandatory capital thresholds, the role of the FMA, and the vital steps for MiCA authorization that define success in this new, regulated environment. Our goal is to offer unparalleled clarity for entrepreneurs, legal advisors, and institutional investors looking to secure a future-proof Austrian crypto operating license.

The Regulatory Paradigm: MiCA and the FMA

The Transition from VASP Registration to CASP Authorization

Prior to the full application of MiCA, the Austrian regulatory landscape for crypto was governed by the national Financial Market Money Laundering Act (FM-GwG), requiring Virtual Asset Service Providers (VASPs) to register with the FMA for Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) compliance. The 18-month transitional period for existing VASPs ended on July 1, 2026, officially marking the date when all professional providers of crypto-asset services in Austria must hold the full MiCA CASP authorization. This shift is not merely a name change; it represents a profound increase in prudential safeguards, consumer protection, and organizational requirements.

The FMA, recognized for its proactive regulatory approach and early CASP application guidance, is the primary Competent Authority for MiCA in Austria. The FMA’s strict yet transparent process ensures that only robust and well-governed entities receive the coveted European authorization, reinforcing Austria’s reputation for financial integrity. The regulator actively encourages early dialogue with applicants to streamline the authorization process, a critical low-frequency keyword phrase that highlights a key tactical advantage for new market entrants.

Key Crypto-Asset Service Provider (CASP) Activities Under MiCA

The MiCA regulation, implemented in its entirety as of late 2024 (with stablecoin provisions in mid-2024), covers ten distinct Crypto-Asset Services. Any entity providing these services on a professional basis in Austria must seek FMA authorization.

CASP Service (MiCA Article 3(1)(19))	Key Requirement/Impact
Custody and Administration of Crypto-Assets on behalf of clients (HF)	Most stringent capital requirement (€150,000 minimum initial capital). Mandatory client asset segregation and strict insolvency protections.
Operation of a Trading Platform for Crypto-Assets (HF)	Requires robust operational resilience (DORA compliance) and market integrity controls. Second-highest capital threshold (€125,000).
Exchange of Crypto-Assets for Fiat Currency (MF)	Requires stringent AML/KYC protocols and full implementation of the EU Travel Rule for all transactions.
Reception and Transmission of Orders for Crypto-Assets (MF)	Focus on suitability and appropriateness assessments for retail clients (investor protection).
Execution of Orders for Crypto-Assets on behalf of clients (LF)	Compliance with best execution policy and rigorous conflict-of-interest management.
Placing of Crypto-Assets (LF)	Includes public offering activities, subject to White Paper notification or approval by the FMA.
Portfolio Management of Crypto-Assets (LF)	Requires high standards of professional conduct, risk management, and fiduciary duty.
Transfer Services for Crypto-Assets (LF)	Must comply with the Transfer of Funds Regulation (TFR), extending AML/CFT obligations.

The CASP Authorization Roadmap

The process for obtaining a MiCA CASP authorization in Austria is exhaustive and typically spans 9 to 12 months from the initial preparation to final FMA approval. It is a multi-stage marathon, not a sprint, demanding precision in legal, financial, and technological documentation.

Pre-Application and Corporate Setup

Legal Entity Establishment: The applicant must be a legal person incorporated in the EU, with a registered office in a Member State where they conduct at least part of their services. Establishing an Austrian GmbH (Limited Liability Company) is the standard and preferred route for many.
Initial FMA Engagement: Prospective applicants are strongly advised to schedule an introductory meeting with the FMA to present their business model and receive preliminary guidance on classification and scope. This early dialogue FMA step is a critical MF keyword, mitigating future application risk.
Governance and Management: Appointment of a fit and proper board (at least one director must be EU-resident with the place of effective management in the EU) and a nominated, qualified AML Officer (FM-GwG compliance officer) are mandatory immediate steps.

The Application Dossier: Core Requirements

The CASP application dossier is comprehensive, aligning with Articles 62 and 63 of MiCA. Completeness and quality of documentation are non-negotiable for a smooth process.

Application Component	FMA Focus
Detailed Business Plan (HF)	Three-year financial projections, comprehensive analysis of target markets, technological infrastructure strategy, and organizational chart. Must demonstrate the capacity to operate as a going concern.
Governance and Internal Controls (MF)	Risk Management Framework, Conflict of Interest Policy, Outsourcing arrangements (must comply with DORA), and Business Continuity Policy (including ICT Business Continuity Plans).
AML/CFT Policies & Procedures (HF)	Fully compliant with FM-GwG and MiCA. Includes robust KYC due diligence systems, transaction monitoring protocols, and suspicious activity reporting (SAR) workflows. Must address FATF Travel Rule enforcement for all crypto transfers.
Prudential Safeguards (Capital) (MF)	Proof of Minimum Initial Capital (MIC) held in the company’s own funds (ranging from €50,000 to €150,000, depending on the services provided). Must also provide proof of an insurance contract or equivalent guarantee for professional indemnity.
Fit and Proper Assessment (LF)	Detailed CVs, reference letters, and criminal record checks for all directors, senior management, and beneficial owners (BOs). Must prove professional competence and probity.
Safekeeping of Client Assets (LF)	Policies detailing the segregation of client funds (both fiat and crypto) and the use of cold-wallet insurance and secure custody solutions.

Crucial Sentence Highlight: The FMA demands that the Anti-Money Laundering Officer provides documented evidence of professional fitness and personal probity, as this role is the cornerstone of Austria’s commitment to financial market integrity.

Compliance Checklist for CASP Authorization (Post-MiCA)

This checklist represents the high-level compliance pillars that must be demonstrated application:

Corporate Structure: Legal entity established in the EU (Austria preferred).
Initial Capital: Proof of holding Minimum Initial Capital (€50k, €125k, or €150k).
Governance: EU-resident director and place of effective management in the EU.
AML/CFT: Designated AML Officer and full adherence to FM-GwG and Travel Rule.
Cybersecurity: Implementation of Digital Operational Resilience Act (DORA) requirements, including ICT response and recovery plans and regular penetration tests.
Consumer Protection: Documented complaints-handling procedures and good conduct obligations (acting honestly, fairly, and professionally).
Audit/Reporting: Capacity for ongoing supervision and tax reporting (compliance with DAC8).

Financial, Technical, and Legal Deep Dive

Minimum Initial Capital (MIC) and Ongoing Financial Requirements

The MiCA regulation introduced tiered capital requirements, replacing the single solvency requirement of the prior VASP regime. This is a vital area for financial planning for any prospective Austrian crypto business.

CASP Service Type	Minimum Initial Capital (MIC) Requirement	Variable Threshold (Additional)
Custody/Admin, Operating a Trading Platform, Underwriting, Placing with Firm Commitment (HF/MF)	€150,000	One-quarter of the preceding year’s fixed overheads.
Exchanging for Fiat/Crypto, Execution of Orders, Portfolio Management, Transfer Services (MF)	€125,000	One-quarter of the preceding year’s fixed overheads.
Reception & Transmission of Orders, Providing Advice, Non-Guaranteed Placing (LF)	€50,000	One-quarter of the preceding year’s fixed overheads.

Crucial Sentence Highlight: Applicants must demonstrate not only the required Minimum Initial Capital but also the financial capacity to maintain the variable minimum threshold (one-quarter of the previous year’s fixed overheads), ensuring long-term financial stability and prudential oversight.

The Digital Operational Resilience Act (DORA) and ICT Compliance

Effective since late 2024, the DORA Regulation has been fully integrated into the FMA’s CASP authorization review. DORA mandates that CASPs have a robust framework to withstand, respond to, and recover from all types of ICT-related disruptions and threats.

This includes:

A comprehensive Information and Communication Technology (ICT) risk management framework.
Detailed ICT Business Continuity Plans and response and recovery plans.
Regular execution of advanced operational resilience testing (e.g., penetration-testing reports).
Strict management of third-party ICT service providers (outsourcing agreements).

The FMA’s focus on cybersecurity measures and operational resilience under DORA is a direct response to the increasing sophistication of attacks on digital asset service providers.

Detailing MiCA CASP Authorization Requirements

Governance and Organizational Requirements: The Pillars of FMA Trust

Obtaining MiCA CASP Authorization requires demonstrating impeccable governance arrangements. The FMA is hyper-focused on this aspect, demanding that the CASP’s internal structure is capable of ensuring sound and prudent management and the protection of client interests.

Management Body and Fit and Proper Criteria

It is mandatory to have an EU-resident director and to conduct a rigorous fit and proper assessment for all members of the management body and beneficial owners (BOs).

FMA Vetting Process: Each individual must provide detailed curricula vitae, clean criminal records, and affiliation checks, proving both professional competence in digital assets and personal probity. The FMA verifies that management possesses sufficient knowledge, skills, and experience to manage the risks associated with the provided crypto-asset services.
Time Commitment: Board members must document that they dedicate enough time to their duties, especially regarding complex MiCA compliance and DORA operational oversight. Failure to meet the fit and proper criteria is one of the most common reasons for delays or refusals of FMA authorization.

Conflict of Interest Policy (MiCA Article 66)

CASPs are required to establish, implement, and maintain an effective Conflict of Interest Policy. This is critically important, especially for Trading Platforms for Crypto-Assets and Portfolio Management of Crypto-Assets providers.

The policy must identify, prevent, manage, and disclose potential conflicts of interest between the CASP, its management, employees, and clients.
Mandatory Disclosure: If a conflict cannot be prevented, the CASP must disclose it to the client in a clear and non-misleading manner before providing the service.

Business Continuity and Outsourcing Oversight

A Business Continuity Policy is mandated by MiCA. It must include ICT Business Continuity Plans, which are tightly integrated with DORA requirements.

Outsourcing Arrangements: If the CASP outsources critical operational functions (e.g., custody solutions, IT infrastructure, AML monitoring), these outsourcing agreements must be meticulously documented and meet the strict standards of MiCA and DORA. The FMA requires that outsourcing does not impair internal control or hinder ongoing FMA supervision.

AML/CFT Compliance: The Uncompromisable FMA Requirement

In Austria, AML/CFT compliance is the cornerstone. The FM-GwG (Financial Market Money Laundering Act) and its integration with MiCA position Austria as one of the most demanding jurisdictions.

The Role of the AML Officer (FM-GwG Compliance Officer)

The appointment of a qualified AML Officer (and a deputy) with adequate resources is compulsory.

Reporting Obligation: The AML Officer bears personal responsibility for suspicious activity reporting (SAR) to the Austrian Financial Intelligence Unit (FIU). The FMA requires this officer to have direct access to the management body and sufficient independence.
Risk-Based Approach (RBA): The CASP must implement a risk-based approach to AML/KYC, regularly updating its client risk assessment and geo-political risk matrix, especially considering the heightened monitoring of international sanctions.

FATF Travel Rule Enforcement (FM-GwG Extension)

Full FATF Travel Rule enforcement for all crypto-asset transfers is the operational standard.

Data Collection Threshold: Unlike some other jurisdictions, Austria and the FMA require the collection and transmission of originator and beneficiary data (e.g., name, address, account number/transaction ID) for all transactions, regardless of the amount, underscoring its commitment to thorough regulatory oversight.
Self-Hosted Wallet Dilemma: Transactions involving self-hosted wallets are not exempt from AML obligations. CASPs must apply enhanced due diligence (EDD) measures, using technology to confirm wallet ownership or assess the risk associated with un-identified counterparties.

Ongoing Transaction Monitoring and Screening

The implementation of advanced transaction monitoring systems to detect suspicious activity patterns and continuous sanctions screening of all participants (including beneficial owners and wallet addresses) are subject to ongoing FMA supervision.

Request more information

Send Request

Consumer Protection and Conduct of Business Rules (MiCA Title VII Detailed)

MiCA introduces strict conduct of business rules, conceptually similar to MiFID (Markets in Financial Instruments Directive) but tailored for digital assets.

Good Conduct Obligations (MiCA Article 66)

CASPs must act:

Honestly, fairly, and professionally.
In the best interests of their clients.
Ensure that all marketing communications are fair, clear, and non-misleading and consistent with the published White Paper.

Suitability and Appropriateness Test (Investor Protection)

For services involving advice (Providing Advice on Crypto-Assets) and portfolio management (Portfolio Management of Crypto-Assets), CASPs must perform a suitability test to assess the client’s investment objectives, financial situation, and knowledge.

For less complex services (e.g., exchange of crypto-assets for fiat currency), an appropriateness test is conducted to ensure the client understands the risks associated with the product.
This investor protection obligation makes Austrian CASPs highly attractive to institutional investors seeking regulated counterparties.

Complaints-Handling Procedures

CASPs are obliged to maintain effective and transparent complaints-handling procedures, readily accessible to clients. The FMA requires these procedures to be publicly available and ensure timely and fair resolution of complaints.

DORA Compliance: ICT and Operational Resilience

With the full entry into force of DORA (Digital Operational Resilience Act), ICT compliance has become a binding legal requirement for CASP in Austria.

DORA Compliance Checklist for CASPs

To comply with DORA, CASPs must complete the following key steps, which the FMA will strictly verify:

ICT Risk Management Framework: Implementation of a comprehensive ICT risk management framework to identify, measure, control, and monitor all ICT-related risks.
ICT Incident Management: Establishment of ICT incident management procedures for logging, classifying, and timely reporting of major ICT-related incidents to the FMA.
Digital Operational Resilience Testing: Regular (at least annual) performance of digital operational resilience testing, including penetration tests and testing of ICT business continuity plans.
Third-Party Risk Management: Strict management of risks associated with third-party ICT service providers (e.g., cloud providers). Outsourcing contracts must include the CASP’s right to audit and the FMA’s right to inspect.

Cyber Security Measures and Technology Infrastructure

The FMA requires the CASP’s technological infrastructure to be state-of-the-art and adhere to industry best practices. This includes:

Using multi-signature cold storage solutions for client crypto-asset segregation.
Implementing multi-factor authentication (MFA) for all critical systems.
Continuous monitoring and updating of cyber security protocols to protect against Distributed Ledger Technology (DLT)-specific threats.

Tax Reporting Obligations (DAC8/CARF)

As previously noted, marks the enforcement of DAC8 and CARF (the global reporting standard). This requires Austrian CASPs to make substantial investments in data collection and reporting systems.

Reportable Data: CASPs must collect and automatically transmit to the tax authorities (via the FMA/OeNB): KYC data (Tax ID, nationality, place of birth), transactional information (gross amount, type of crypto-asset, fair market value, number of units) for all reportable transactions (exchange, sale, transfers).
Challenge of Legacy Data: Companies have had to retrospectively invest in systems capable of processing and reporting on transactions starting from January 1, 2026, creating a massive challenge for compliance infrastructure. Austria, with its early adoption of tax clarity, is now at the forefront of enforcing these international tax standards.

Mandatory Internal Compliance Frameworks (MiCA Articles 62 & 64)

The quality and completeness of a CASP’s internal policies are the single most significant determinant of success in the FMA’s MiCA authorization process. The regulator will scrutinize these documents to ensure the entity is not merely a “letterbox” but possesses the internal capacity for sound and prudent management.

Comprehensive Risk Management Framework (RMF) Template

While the Business Plan addresses strategy, the Risk Management Framework (RMF) demonstrates the CASP’s ability to identify, measure, monitor, and control all risks inherent to crypto-asset services. The RMF must be a living document, proportional to the nature, scale, and complexity of the CASP’s activities, as mandated by MiCA Article 64.

The FMA expects the RMF to be managed by an independent function, with reports going directly to the Management Body.

Core Components of the MiCA RMF for FMA Submission

RMF Component	MiCA/FMA Requirement	Risk Examples (CASP-Specific)
1. Risk Governance Structure	Clear definition of roles (Management Body, Risk Officer) and reporting lines. Must demonstrate the RMF is independent of the operational functions.	Governance Risk: Lack of separation between trading and custody functions; insufficient board experience in IT/crypto.
2. Risk Identification & Categorisation	Methodology for continuous identification of new risks. Must cover all MiCA-defined risk types.	Market Risk: Extreme volatility impact on corporate treasury or liquidity provisioning. Custody Risk: Loss or theft of private keys; counterparty risk from external custodian.
3. Operational Resilience Risk (DORA)	Integration of DORA requirements: ICT risk, business continuity, and third-party risk management (detailed below).	ICT Risk: Smart contract vulnerabilities; DDoS attacks; data integrity failure.
4. Client Protection Risk	Focus on risks related to service provision and conduct of business.	Mis-selling Risk: Inadequate suitability/appropriateness testing leading to client losses. Conflict of Interest: Front-running client orders.
5. Financial Crime Risk (AML/CFT)	Documentation that the RMF integrates the FM-GwG risk assessment and Travel Rule compliance risks.	Sanctions Risk: Processing transactions involving a sanctioned wallet address (e.g., mixing service addresses).
6. Risk Monitoring & Reporting	Use of Key Risk Indicators (KRIs) and reporting frequency. Requirement for annual review and stress testing of the RMF.	KRI Example: Number of failed security patches; latency spikes on trading engine; unusual spike in SAR filings.

The RMF must explicitly address the liquidity risk associated with the custody of assets and the potential need to rapidly liquidate or transfer assets in a stressed market scenario without negatively impacting client interests.

Outsourcing and Third-Party ICT Risk Management Policy (DORA Integration)

CASPs frequently outsource core functions (e.g., cloud hosting, custody, AML screening software). MiCA and the Digital Operational Resilience Act (DORA) impose extremely strict requirements on these arrangements to prevent the CASP from becoming an empty “letterbox entity.”

The FMA demands that the CASP maintains full responsibility and control, regardless of the outsourced function. This is articulated in a dedicated Outsourcing Policy.

FMA’s Critical Outsourcing Scrutiny Points

Retention of Control (MiCA Article 73): The CASP must demonstrate that the outsourcing arrangement does not diminish the quality of its internal controls or the FMA’s ability to supervise it. The CASP must have sufficient personnel to actively monitor and supervise the service provider.
Notification Obligation (DORA Article 28): The CASP must notify the FMA in advance of any planned contractual arrangement for the use of ICT services that support a critical or important function. This pre-notification gives the FMA the right to object.
Audit and Access Rights (DORA/MiCA): The outsourcing contract must grant the CASP, the FMA, and the OeNB (Austrian National Bank) unrestricted right of access and inspection to the premises, data, and systems of the third-party service provider, including their sub-contractors. This clause is non-negotiable for critical functions.
Exit Strategy: The policy must include a clear, documented exit strategy for the outsourced function, detailing how the CASP would transfer the function back in-house or to another provider without disruption to services (e.g., migrating from one cloud provider to another).

Template: Critical Outsourcing Contract Requirements

The policy must outline the mandatory clauses for every outsourcing contract:

Contractual Requirement	Regulatory Source	Purpose
Description of Service	MiCA Article 73(1)(a)	Precise details of the outsourced functions, including the location (jurisdiction) where the service is provided.
Performance Standards	MiCA Article 73(1)(b)	Explicit Service Level Agreements (SLAs), Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs) that align with the CASP’s BCP/DRP and DORA requirements.
Data Security & Protection	DORA Article 30	Clauses mandating compliance with GDPR, specific encryption standards, and data segregation protocols.
Termination Rights	MiCA Article 73(1)(f)	Clear conditions under which the CASP can terminate the contract without penalty (e.g., material breaches, failure to comply with FMA instructions, or if the provider’s financial status deteriorates).
Sub-Outsourcing Control	MiCA/DORA	The third party must obtain the CASP’s prior written consent before sub-outsourcing any part of the critical service.

The FMA views the Register of Information on ICT Third-Party Service Providers (mandated by DORA) as a living, critical document. This register must be updated constantly and reported to the FMA at least yearly.

Financial and Personnel Deep Dive: FMA's Prudential Scrutiny

The FMA’s assessment goes beyond checking if the required minimum capital is present on day one. It assesses the CASP’s long-term financial stability and the integrity of its leadership.

Detailed Calculation of the Variable Capital Threshold

The Minimum Initial Capital (MIC) (€50k, €125k, or €150k) is only the first floor of the prudential safeguard requirement. The CASP must at all times hold safeguards equal to the higher of the MIC or one-quarter of the preceding year’s fixed overheads (FOR).

The FMA requires a detailed methodology showing how the CASP calculates its Fixed Overheads (FO).

Defining Fixed Overheads (FO)

Fixed Overheads are calculated using the total expenses from the latest audited annual accounts (or projected expenses for the first 12 months for new applicants), minus specific variable or non-recurring items.

Item Type	Treatment	Accounting Examples (MiCA Exclusions)
Total Expenses	Starting Point	Salaries, Rent, Utilities, IT Hosting, Legal Fees, Regulatory Fees.
Minus Variable Remuneration	Excluded	Fully discretionary bonuses, performance-related pay. Only the fixed, contractual portion of salary is included in FO.
Minus Shareholder Profits	Excluded	Distribution of profits and other appropriations of profits.
Minus Non-Recurring Expenses	Excluded	Extraordinary legal settlement costs, one-off office relocation costs, non-ordinary IT write-offs.

The resulting figure is the Fixed Overheads (FO). The variable capital requirement (FOR) is $FO / 4$ .

Example:

If a CASP’s projected total operational expenses for Year 1 are €800,000, and €100,000 is deemed variable remuneration/non-recurring costs:

Fixed Overheads (FO) = €800,000 – €100,000 = €700,000
Fixed Overheads Requirement (FOR) = €700,000 / 4 = €175,000

If this CASP is a Class 3 provider (MIC = €150,000), it must hold €175,000 (€175k > €150k). The FMA will demand proof of this higher amount.

The Internal Capital Adequacy Assessment Process (ICAAP)

Although MiCA is not as stringent as the Investment Firms Regulation (IFR) regarding the ICAAP, the FMA still expects the CASP to conduct an internal assessment to determine if the minimum regulatory capital is truly sufficient to cover all internal and external risks. This internal assessment, often called ICARA (Internal Capital Adequacy and Risk Assessment) or similar, must include:

Stress Testing: Running scenarios that analyze the impact of a sharp drop in trading volume, a major cyber-incident, or a prolonged market downturn on the CASP’s liquidity and solvency.
Contingency Planning: Detailing how the CASP would recapitalize itself or initiate an orderly wind-down if a risk materializes.

FMA’s Fit & Proper Scrutiny: Documentation and Vetting Process

The FMA’s vetting of the Management Body (Directors) and the AML Officer is rigorous, reflecting Austria’s commitment to financial integrity. The “Fit” component relates to professional competence, and the “Proper” component relates to personal integrity (probity).

Core Documentation Requirements

For every key individual, the following is required and scrutinized:

Detailed CV: Must clearly demonstrate experience in the financial sector or the technology/digital assets sector. Generic management experience is often insufficient.
Clean Criminal Records: From the country of residence and all countries where the person has resided for the past 10 years.
Declaration of Interests/Time Commitment: Declaration that the individual has sufficient time (e.g., not over-committed to too many external roles) to properly discharge the duties of a CASP director and handle complex MiCA/DORA compliance.
Affiliation Checks: Detailed disclosure of all current and past positions (especially in failed companies or companies subject to regulatory sanctions).

The FMA’s Fit & Proper Test and Interview

The FMA reserves the right to, and frequently does, conduct a Fit & Proper Test or an interview (often referred to as an Eignungsprüfung). This is particularly common for the CEO, the Compliance Officer, and the AML Officer.

The Test: Focuses on the candidate’s theoretical knowledge of MiCA, DORA, FM-GwG, and Austrian corporate/supervisory law (e.g., general duties of a director).
Key Areas of Questioning:
- Specific knowledge of blockchain technology and DLT risks.
- Understanding of MiCA’s conduct of business rules (e.g., best execution, handling conflicts).
- Ability to implement and oversee the DORA ICT Risk Management Framework.
- Knowledge of FATF Travel Rule enforcement and high-risk AML scenarios.

Failure to satisfy the FMA in this assessment, particularly regarding the AML Officer, is a definitive reason for application delay or refusal. The FMA will assume the candidate lacks the necessary professional suitability.

Strategic Outlook

The MiCA White Paper and Public Offerings

For issuers planning a Public Offer or Admission to Trading of crypto-assets (excluding Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs), which have stricter requirements), the preparation, FMA notification, and publication of a White Paper are mandatory.

White Paper Content: MiCA sets strict content requirements, including information about the issuer, the rights and obligations of holders, the underlying technology, and a detailed and clear risk disclosure statement.
Notification vs. Approval: For “standard” crypto-assets (non-ARTs/EMTs), the FMA receives notification of the White Paper, whereas for ARTs and EMTs, prior FMA approval is required, commensurate with their systemic importance. CASPs that also act as issuers must integrate these requirements into their MiCA authorization strategy.

Post-Authorization, Ongoing Supervision, and Penalties

Obtaining the Austrian CASP license is merely the starting line. Ongoing FMA supervision includes regular audits and the right of inspection.

Sanction Risks: Non-compliance with MiCA regulations, FM-GwG (AML/CFT), or DORA can result in significant administrative penalties, public censure, and ultimately, withdrawal of the CASP license. Fines can reach €5,000,000 or $3\%$ of annual turnover, underscoring the severity of regulatory compliance.
Harmonization and ESMA/EBA: The FMA actively collaborates with ESMA (European Securities and Markets Authority) and EBA (European Banking Authority). Decisions and recommendations from these pan-European bodies are quickly incorporated into Austrian regulatory practice.

Final Summary: Austria’s Leadership in Regulated Digital Finance

Austria has not just adopted MiCA; it has become the gold standard for implementing European digital asset legislation. The path to the Austrian Crypto License is the path to MiCA CASP Authorization, demanding not only financial stability (€50k – €150k MIC) but also unparalleled operational and technological maturity (DORA compliance).

Investors and entrepreneurs who successfully navigate the stringent FMA authorization process gain not just the right to operate, but a golden ticket to providing crypto-asset services across the world’s largest regulated market – the EU Single Market. Austria, with its clear tax policy and strict yet fair regulator, offers the most reliable platform for scaling a digital finance business in the new, fully regulated era.

FAQ

What is the single biggest change for existing VASPs in Austria now that the MiCA transition period is over (post-July 1, 2026)

The biggest change is the shift from registration (focused purely on AML/CFT under FM-GwG) to full MiCA authorization (focused on investor protection, prudential safeguards, and operational resilience). Existing Austrian VASPs must now demonstrate proof of Minimum Initial Capital (€50k, €125k, or €150k) and full compliance with DORA and the MiCA conduct of business rules. Simply being registered is no longer sufficient to operate legally.

Does the FMA accept applications for the CASP license in English, or must they be in German?

The FMA generally accepts key application documents, such as the Business Plan and core compliance policies, in English. However, all official corporate documents, legal forms, and certified extracts from the Austrian commercial register must typically be submitted in German or with a certified German translation. Engaging in early dialogue with the FMA will clarify which specific documents require formal translation.

Which MiCA service requires the highest Minimum Initial Capital (MIC) in Austria?

The highest MIC requirement, set at €150,000, applies to CASPs providing Custody and Administration of Crypto-Assets on behalf of clients (custodial wallets) and those operating as underwriters or placing crypto-assets with a firm commitment. This threshold reflects the high risk associated with holding client assets and the need for robust prudential safeguards.

How does DORA affect my existing IT security policies, and what specific reports does the FMA expect?

DORA (Digital Operational Resilience Act) transforms IT security from an operational concern into a legal requirement. The FMA now expects a comprehensive ICT Risk Management Framework, which must include mandatory annual digital operational resilience testing. Specifically, the FMA will demand to see recent penetration-testing reports and detailed ICT Business Continuity Plans demonstrating your capacity for quick recovery from major ICT-related incidents.

My business only facilitates crypto-to-crypto exchanges. Am I subject to the FATF Travel Rule, and what about self-hosted wallets?

Yes, absolutely. The FATF Travel Rule enforcement is mandatory in Austria for all crypto-asset transfers conducted by a CASP, including crypto-to-crypto exchanges. Furthermore, transfers involving self-hosted wallets (non-custodial wallets) are not exempt. The FMA requires the CASP to apply Enhanced Due Diligence (EDD) measures to ascertain the identity of the beneficial owner of the external, self-hosted wallet, or to rigorously assess the associated money laundering risk.

I am issuing a new utility token that is NOT an ART or EMT. Do I still need FMA approval for my White Paper?

No, not approval, but you still need FMA notification. For non-ART/EMT crypto-assets, you must prepare a MiCA-compliant White Paper and notify the FMA of your intention to publish it at least 20 working days in advance. Only issuers of Asset-Referenced Tokens (ARTs) or E-Money Tokens (EMTs) require prior FMA approval of their White Papers before any public offering.

What is the FMA’s primary concern regarding the management body of a CASP applicant?

The FMA’s primary concern is ensuring the sound and prudent management of the CASP. This hinges on two factors verified via the fit and proper assessment:

Professional Competence: Proving the management body has adequate knowledge of crypto-assets, financial risk, and technology.
Time Commitment and Independence: Ensuring that at least one EU-resident director dedicates sufficient time to their duties and is independent enough to enforce internal controls against conflicts of interest.

How will the new DAC8/CARF tax reporting obligations (starting 2026) affect my day-to-day operations?

From January 1, 2026, your operations are heavily impacted by mandatory DAC8 reporting. You must have systems in place to automatically collect and report detailed transactional information (gross amount, type of asset, fair market value) and KYC data (TIN, address, date of birth) for every reportable user to the Austrian tax authorities. This requires significant investment in specialized compliance infrastructure and data aggregation tools to avoid severe penalties.

Can I 'passport' my national Austrian VASP registration under the old FM-GwG to other EU countries?

No. The old national VASP registration under the FM-GwG was valid only in Austria and had no EU passporting rights. The whole purpose of the MiCA CASP authorization is to replace this fragmented system. Only the new MiCA CASP License, granted by the FMA, allows you to passport your services to all 26 other EU Member States.

What are the consequences of non-compliance with MiCA?

The consequences are severe, reflecting the FMA’s commitment to market integrity. Penalties can include: public censure, heavy administrative fines (up to €5,000,000 or $3\%$ of annual turnover), and ultimately, the withdrawal of the CASP license, immediately forcing the cessation of all crypto-asset services in the EU.