Blockchain 2024

Last Updated June 13, 2024

Austria

Law and Practice

Author



STADLER VÖLKEL is a leading full-service law firm based in Vienna, Austria. Founded in 2016, the firm has earned a reputation for providing the highest-quality advice, particularly in technology-related areas such as blockchain/DLT. Crypto and related financial services regulation has been a core practice area of STADLER VÖLKEL since its inception. The firm works with a wide range of clients, including global crypto exchanges and other CASPs, mining operators, staking service providers, credit and financial institutions, payment service providers, crypto ATM operators, token issuers, and DeFi protocol developers, among others.

Austria has positioned itself as one of the top EU jurisdictions for crypto-asset service providers (CASPs) and token-based protocols and projects. This is primarily due to its already existing large community. Every year in May, an updated version of the “Blockchain Landscape Austria” is released (see here). The 2024 update shows that 42 new players chose Austria as their base for EU operations. The overarching theme in the market is currently adapting to the new rules established by the EU Markets in Crypto Assets Regulation (MiCA).

Highlights of the Austrian Market

The “Blockchain Landscape Austria” map underscores the substantial size and diversity of Austria’s cryptocurrency market, featuring 230 active participants. To give some highlights, Austria is home to Europe’s largest Bitcoin ATM provider and one of the largest EU-based CASPs. It is also home to one of the largest operators of validators on Ethereum, and before the switch to proof-of-stake, the world’s largest Ether mining pool. The first security token offering approved by any EU regulator was carried out in Austria (by the author of this contribution). The world’s first and to this day most successful postal stamp with a blockchain twin was issued in Austria.

Asset Tokenisation

More than ten tokenisation providers offer their services, and there are multiple businesses already operating on the basis of asset tokenisation. Business models span a diverse range of sectors, from tokenised car sharing, energy communities, wine, precious metals, gemstones, or real estate investments. Moreover, tokenisation is not limited to tangible assets; it is also being applied to financial instruments. Tokenised securities, or security token offerings, have become increasingly common tools in Austria’s corporate finance landscape. Additionally, Austria is home to one of the few EU-regulated entities that provide security token exchange services.

Austria’s NFT Scene

Austria’s NFT scene is also very mature. Besides the above-mentioned crypto stamp, a number of NFT-based online games were developed in Austria, and the technology is used on a continuous basis to tokenise art – eg, of world-famous Austrian painter Gustav Klimt.

Mining, DAOs, DeFi

Mining companies are represented in Austria, and DAO projects show how decentralised decision-making can be achieved. A lot of protocols have chosen Austria as their operational base. Several Swiss foundations behind numerous protocols use Austria as their EU and MiCA gateway. Moreover, Austria is home to truly decentralised finance (DeFi) protocols, which operate without any regulatory supervision, as confirmed by the Austrian Financial Market Authority (FMA).

Consulting Firms, Tax and Legal Advisers

Since the community is so large, a growing number of consulting firms, tax and legal advisers have built extensive expertise. It is safe to say that anyone choosing Austria as their EU hub will find experienced advisers that can help get everything operational quickly.

Crypto-assets Are Subject to Ownership

As a civil-law jurisdiction, the primary legal source for rules on ownership, and property law in general, is codified in the Austrian General Civil Code. In contrast to other civil-law jurisdictions such as Germany, under Austrian law the concept of ownership is not limited to tangible assets. Intangible (crypto-)assets can also be subject to ownership and other property rights, provided the technology used ensures that transactions of such crypto-assets are recorded immutably and third parties have no way of disposing of one’s crypto-assets. This is the case with decentralised public blockchains such as Bitcoin or Ethereum. Property law principles are also applied to smart contract-based token protocols on public chains, again provided that third parties are excluded from disposing of one’s tokens. Centralised or permissioned DLT is treated differently, however. Those systems, and the crypto-assets based on them, are seen as software-as-a-service and are therefore not subject to property law principles.

Legal Classification of a Transaction Request

Coming back to public and decentralised DLTs, a transaction request on those systems is not viewed as a contractual offer but rather as an offer of a reward made to all miners or validators who partake in the mining/validation process. Because of this classification, users and miners/validators do not form contracts with one another but a miner/validator can still claim the reward offered alongside the transaction request if he or she is able to record the desired transaction in a block. This means that miners or validators on public blockchains do not form contracts with one another either.

Transfer of Ownership in Crypto-assets

The transfer of ownership of crypto-assets based on public and decentralised DLT (such as Bitcoin or Ether) is subject to general property law principles. Besides an agreement (eg, purchase agreement) which serves as the basis for the ownership transfer, Austrian law requires a “mode of transfer”. In its most basic form, this is a handover of the asset. In the context of blockchain this means an on-chain transaction. However, other modes of transfer are valid as well; eg, constitutum possessorium or tradition brevi-manu where ownership is transferred without any on-chain transaction occurring.

Crypto-asset, Asset-Referenced Token, E-money Token, Utility Token

Since MiCA was adopted, the terminology used in Austria has shifted somewhat. The term “crypto-asset” is now exclusively used as defined in MiCA, meaning, put simply, any DLT-based digital representation of value or rights. Besides that, MiCA introduced three additional definitions, namely “asset-referenced tokens”, “e-money tokens”, and “utility tokens”. The first two are new concepts altogether, and at their core they cover tokens which purport to maintain a stable value in relation to either an official currency (e-money tokens) or other asset (asset-referenced tokens). Unfortunately, in the case of utility tokens, the EU legislature opted not to adopt the broader market definition, namely a class of crypto-asset distinct from security tokens that covers a wide range of use cases. Instead, under the new regulations, utility tokens are narrowly defined as crypto-assets solely intended to provide access to a good or a service supplied by its issuer.

Virtual Currency, Cryptocurrency

The term crypto-asset replaces the term “virtual currency” which was introduced by the 5th Anti Money Laundering Directive. Put simply, virtual currency is a digital representation of value that is used as a means of exchange. While this term will vanish from Austrian law with MiCA’s full applicability, its meaning will continue to be used in the Austrian Income Tax Act under the name of “cryptocurrency”. Virtual currency or cryptocurrency can be viewed as a subclass of the term crypto-asset (namely digital representation of value, as opposed to digital representation of rights).

Pointer Tokens

The term “pointer token” is used in connection with real-world asset tokenisation where a custodian is involved. The pointer token then refers to a specific piece of a commodity (gold coins, gemstones, wine bottles, etc) or to a percentage of co-ownership in a commodity (cars, yachts, paintings, real estate, etc). Through the transfer of the pointer token, the custodian is instructed to hold the asset for the new token holder instead of the previous one (thereby transferring ownership in the asset; see also 2.3 Tokenised Securities).

Security Tokens

The term “security token” refers to any “transferable security” in the sense of MiFID II, which instead of a physical paper note uses the blockchain as transaction register. Note that security tokens are not regulated under MiCA but under MiFID II only (and the respective national implementation acts).

Non-fungible Tokens or NFTs

Finally, the term “non-fungible token” or “NFT” is used to describe crypto-assets which are not covered under MiCA due to their uniqueness; eg, because each single piece is linked to a specific piece of digital art.

Tokenised Securities Are Subject to MIFID II

The supervisory regime for transferable securities is harmonised by the EU Markets in Financial Instruments Directive (MiFID II). Austria implemented the regime in the Securities Supervision Act 2018. The term “transferable securities” in Austria is defined by way of reference to MiFID II. The Directive defines the term as those classes of securities that are negotiable on the capital market, with the exception of instruments of payment. MiFID II goes on to give examples, such as shares in companies, bonds or other forms of securitised debt, including depositary receipts in respect of shares or bonds.

Methods of Tokenisation

Transferable securities can be tokenised in two distinct ways. Debt claims (bonds, profit participation rights, etc) can be tokenised directly by linking the claim to the possession of a token. This is achieved simply through clauses in the security terms. As a result, the transfer of the claim requires the transfer of the token. This approach requires the application of property-law principles to the crypto-asset to which the claim is linked. If this is not the case, for example when a private permissioned blockchain is used, then this approach is not viable to create a tokenised security from an Austrian civil-law perspective.

In such cases the security can still be tokenised, however, by tokenising co-ownership in a physical global note of that security. A custodian is in possession of the global note; eg, a bank. Tokens are used to indicate to the custodian whom they should hold the global note for. On the basis of the security’s terms, any transfer of a token on the blockchain is viewed by the custodian as an instruction to now co-possess the global note for the new token holder, thereby also transferring co-ownership in the security. This method of tokenisation can be used for virtually any tangible asset.

Stablecoins Are Subject to MiCA

The supervisory regime for stablecoins is fully harmonised by MiCA. MiCA distinguishes between e-money tokens and asset-referenced tokens. E-money tokens are crypto-assets that purport to maintain a stable value by referencing the value of one official currency. Asset-referenced tokens are a type of crypto-asset that is not an e-money token and that purports to maintain a stable value by referencing another value or right or a combination thereof.

Algorithmic Stablecoins Are Subject to MiCA

Since merely purporting to maintain a stable value suffices, stablecoins with no functional peg at all are also covered by this definition. Since neither definition makes any reference to a particular mechanism of how to maintain the peg, the definitions also cover algorithmic stablecoins. Note, however, that Title III and IV MiCA lay out a number of obligations for issuers of such tokens which are in direct conflict with how an algorithmic stablecoin maintains its peg.

MiCA Does Not Cover Fully Decentralised Protocols

This does not mean that algorithmic stablecoins are completely unattainable under MiCA, however. The solution is to structure the protocol in a “fully decentralised manner” and “without any intermediary”. Such systems do not fall within the scope of MiCA (see MiCA Recital 22). However, this raises questions about the precise meaning of “without an intermediary” and “in an exclusively decentralised manner”. Put simply, a protocol that operates without the need for any party to fulfil promises qualifies under these criteria. One could also use the term “trustless” to characterise fully decentralised systems.

NFTs Are Not Covered by MiCA

Currently, crypto-assets that are unique and not fungible with other crypto-assets, including digital art and collectibles (non-fungible tokens or NFTs) are not covered by any regulatory acts in Austria. MiCA does not apply (see MiCA Recital 10 and 11) and no national laws or regulation exist.

From a legal perspective, NFTs are not characterised by the use of any particular technology. Using ERC-721 or any other technical NFT standard has therefore no bearing on the legal qualification of that token as an NFT. Instead, one must ask whether or not the tokens are sufficiently similar to essentially all represent the same use case and therefore same value. A good example in the real world is bank notes. Each note has a unique identifier printed on it – its serial number. One could argue that from a technical perspective, bank notes are therefore non-fungible. But viewed from a use-case angle, it becomes apparent that the notes are, in fact, interchangeable and therefore all represent the same value.

NFTs Are Subject to General Consumer Protection Legislation

NFTs do not exist in a legal vacuum, however. As they are typically sold to consumers or traded over the internet, the EU Consumer Rights Directive must be observed. This Directive, implemented in Austria in the Consumer Protection Act and the Distance and Off-Premises Transactions Act, provides for extensive disclosure requirements and generally a 14-day right of withdrawal from a purchase (unless an exemption applies).

Both volatile crypto-assets such as Bitcoin but also stablecoins such as Tether and others can be used as a means of exchange in Austria. In fact, a growing number of companies accept crypto as payment, in particular in cross-continent transactions.  There are no legal restrictions on the size of a crypto payment, whether large or small.

Any type of crypto-asset can be used as collateral under Austrian law. While for the transfer of ownership, an on-chain transaction is only one of multiple acceptable modes of transfer (see 2.1 Ownership), a pledge over crypto-assets is less flexible. If the crypto-assets in question are currently with the pledgor then an on-chain transaction to an address of the pledgee is required. If the crypto-assets are already in possession of the pledgee but owned by the pledgor (eg, where a CASP uses crypto-assets held for the user) for the pledge to be validly established and enforceable, the pledgor must make visible note of the pledge in its books. In effect, the same principles apply that govern the establishment of collateral arrangements over tangible assets.

It is widely accepted in Austrian legal literature that smart contracts can be used to make contractual offers, to receive such offers, and also to form contracts between two or multiple parties. Austrian courts will not follow the doctrine of “code is law”, however. Rather, they will use the legal toolkit of interpretation to decide what a reasonable party was able to expect from interacting with another party using smart contracts.

Note, this does not mean that any interaction with a smart contract must automatically be viewed in contractual terms or must result in the conclusion of a contract. It is also widely accepted that smart contracts can be used without any contracts being concluded. This is the case when a protocol is structured to operate in a fully decentralised manner and without any intermediary (see 2.4 Stablecoins).

MiCA – the Legal Basis for all Crypto-asset Services in Austria

In Austria, MiCA is the legal basis for the provision of all crypto-asset services as well as for token issuings. The Austrian MiCA Implementation Act stipulates that the FMA is the competent authority for all MiCA-related matters.

Rules for Public Offers

MiCA sets out general requirements for the public offering of crypto-assets within the EU. Public offer is a communication to multiple people in any form, and by any means, presenting sufficient information on the terms of the offer and the crypto-assets to be offered so as to enable prospective buyers to decide whether to purchase those crypto-assets. Any communication, including publishing information on a website, or recommendations by influencers in video messages or at events can constitute a public offer. Any public offer of crypto-assets is subject to the following requirements:

  • Only legal entities may publicly offer crypto-assets in the EU. The legal entity does not have to be established in Austria or elsewhere in the EU, however.
  • A crypto-asset White Paper must be drawn up, notified to the Austrian FMA, and published prior to the start of the public offer. It must be publicly available for as long as any person holds the crypto-asset; ie, potentially indefinitely. If an asset-referenced token is to be offered publicly, the White Paper must not only be notified but also be approved by the FMA.
  • In addition, all offerors must comply with certain general principles. These include, among other things, acting honestly, fairly and professionally, communicating in a fair, clear and non-misleading manner, avoiding and, if necessary, disclosing conflicts of interest, acting in the best interests of the holders of the crypto-assets, and generally treating all holders equally.

These requirements for the public offer of crypto-assets do not apply if:

  • the crypto-asset is offered for free;
  • the crypto-asset is automatically created as a reward for the maintenance of the distributed ledger or the validation of transactions;
  • the offer concerns a utility token providing access to a good or service that exists or is in operation; or
  • the holder of the crypto-asset has the right to use it only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror.

MiCA also provides for exclusions based on the nature of the offering. A White Paper is not required if:

  • an offer is made to fewer than 150 natural or legal persons (note: it is not the number of buyers that is decisive, but the number of persons to whom an offer is made);
  • over a period of 12 months, the total consideration of an offer does not exceed EUR1 million; or
  • an offer is addressed solely to qualified investors where the crypto-asset can only be held by such qualified investors; qualified investors are, for example, regulated companies, particularly large companies, public bodies or institutional investors.

Rules for CASPs

The following crypto-asset services are covered by MiCA:

  • custody and administration of crypto-assets;
  • operation of a trading platform for crypto-assets;
  • exchange of crypto-assets for funds or other crypto-assets;
  • execution of orders for clients;
  • placing of crypto-assets;
  • reception and transmission of orders;
  • providing advice on crypto-assets and portfolio management; and
  • crypto-asset transfer services.

All crypto-asset service providers are subject to certain general obligations. These include the duty to act honestly, fairly and professionally in the best interests of the customer. Further, it includes a duty to provide fair, clear and not misleading marketing communications and to warn of risks.

MiCA provides certain prudential requirements; eg, minimum capital requirements, as well as certain governance arrangements to be put in place. It further requires, as a general principle, that all service providers store crypto-assets and funds securely, and in a way that, in case of insolvency of the CASP, the crypto-assets and funds of the clients are protected. For Austria, this means rights for segregation and preferential rights in case of insolvency must exist (also see 4.1.6 Resolution or Insolvency Regimes).

All CASPs must also have a functioning complaint management system and adequate procedures to identify, prevent, manage and disclose conflicts of interest. Outsourcing may only be undertaken in accordance with MiCA requirements, and each CASP must have a plan in place to properly manage its business should the outsourcing provider cease operations.

In addition to these general obligations, MiCA imposes a number of specific obligations, each of which affects providers of certain services.

Pre-licensing Discussions With the Austrian FMA

The Austrian FMA provides a roadmap (available here) as well as additional information (available here) for CASPs intending to set up operations in Austria. It actively encourages future applicants to reach out as early as possible for informal preliminary discussions to allow sufficient time for preparation and co-ordination. When requesting a meeting, the FMA asks that a questionnaire be completed (available here). Note that both the pre-licensing discussions as well as the whole licensing proceedings can be conducted in English.

Presence Requirements Under MiCA

All CASPs wishing to file an application with the Austrian FMA must also have their registered office in Austria where they conduct at least part of their services. They must also have their place of effective management in Austria, and at least one of the managers must be an EU resident. A CASP licensed in Austria may provide its services throughout the EU; this may be done either under the freedom of establishment (eg, through a branch), or under the freedom to provide services (ie, without establishment).

Simplified Licensing

MiCA distinguishes between two groups of CASPs, namely (i) companies that acquire their first license under MiCA, and (ii) companies that already hold a license to provide (traditional) financial services. For companies that already hold a financial services license, MiCA outlines which services can be provided by which entities:

  • Credit institutions are generally allowed to provide all crypto-asset services.
  • Central securities depositories are allowed to hold and administer crypto-assets for customers.
  • Investment firms may provide services equivalent to those activities for which they are licensed in connection with financial instruments; ie, custody and administration, operation of a trading platform, exchange for funds or other crypto-assets, execution of orders for clients, placement, reception and transmission of orders, advisory services or portfolio management.
  • E-money institutions may issue e-money tokens and provide custody and administration on behalf of customers as well as transfer services for these electronic money tokens.
  • Funds managers (undertakings for collective investment in transferable securities – UCITS, and alterative investment funds – AIF) may provide such services that are equivalent to the management of individual portfolios and ancillary services for which they have a license; ie, acceptance and transmission of orders, advisory services, or portfolio management.
  • A market operator may operate a trading platform for crypto-assets.

These companies may provide the respective crypto-asset services after following a certain procedure. First, the companies must notify the FMA at least 40 working days in advance and provide certain information. This includes, among other things, a business plan and descriptions of various internal processes. The FMA will review the information within 20 working days and may request additional information as necessary. The company may provide the services once the requested information has been fully provided to the FMA.

Regular Licensing

A simplified procedure is only available to the above-mentioned companies which are already supervised. All other companies must submit an application for authorisation to the FMA. MiCA contains detailed information on the application procedure and the necessary documents. After examining the application, the FMA can and will issue improvement orders and request additional information. MiCA provides multiple grounds to reject a license application. The most important ones in practice are concerns about the personal reliability of managers or beneficial owners or deficient internal control procedures.

If marketing is conducted, the marketing communications must be clearly identifiable as such, it must be fair, clear and not misleading, consistent with the information in the White Paper and it must reference the White Paper and contain certain disclaimers and statements set forth in MiCA. For documentation purposes, marketing communications must also be posted on the offeror’s website. If the public offer of a crypto-asset is concerned, no marketing may be conducted prior to the publication of the White Paper (if a White Paper is required in that particular case).

Austria has implemented the 5th EU Anti-Money Laundering Directive (AMLD5) in the Financial Markets Anti-Money Laundering Act. This Act applies to all CASPs. The central element of money laundering prevention is the due diligence obligations that so-called obliged entities must apply to their customers. The general due diligence obligations include, among other things:

  • establishing and verifying the identity of the customer and the beneficial owners;
  • assessing and obtaining information about the purpose and intended nature of the business relationship;
  • obtaining and verifying information about the source of the funds used; and
  • continuously monitoring the business relationship and updating the information, data and documents obtained about the customer. 

The due diligence obligations must therefore not only be applied to new customers, but reviews and updates must also be carried out periodically, as well as when there are indications of changes.

The FMA is tasked with ensuring that both management and beneficial owners of all supervised entities are professionally suitable and personally reliable. To ensure this is the case, potential buyers as well as potential targets of an acquisition have to notify the FMA ahead of any binding agreement. The legal basis for the ensuing ownership control procedure is an ordinance issued by the FMA (Ownership Control Ordinance 2016).

As part of the notification to the FMA, the following general documents must be submitted:

  • proof of identity and legal existence;
  • copy of the current articles of association;
  • list of the management bodies and personally liable persons;
  • current, meaningful description of the business activities;
  • list of the beneficial owners;
  • CVs of all involved parties; and
  • information on the personal reliability.

In practical terms, it is highly advised to approach the FMA as soon as possible and long before any binding agreement between acquirer and seller is reached.

Segregation Requirement Under MiCA

MiCA requires CASPs to implement procedures that guarantee the segregation of client assets from their own assets. The segregation must be maintained at all times, ensuring that in the case of insolvency, the client assets are protected and can be promptly returned to the rightful owners without being subject to the claims of general creditors. Furthermore, CASPs are required to have strong internal control mechanisms to monitor this segregation of assets. This includes regular audits and reconciliations to ensure compliance with the segregation requirement. Lastly, CASPs must also provide clear and regular reporting to clients about the status and location of their assets.

Implementation Under Austrian law

In Austria, the Insolvency Act stipulates that crypto-assets can generally be part of the insolvency estate. The Act grants a right to segregation to anyone who can show that they have certain rights in rem or personal rights to crypto-assets in the insolvency estate. Whether a right to segregation exists must be assessed exclusively in accordance with the general principles of Austrian property law. The most frequent reason for segregation is ownership or co-ownership. Therefore, to comply with MiCA’s segregation requirement, it must be ensured that a CASP’s clients are actually owners of the crypto-assets held for them by the CASP. For details on ownership over crypto-assets under Austrian law see 2.1 Ownership.

There is no applicable information in this jurisdiction.

No Current Specific Limitations to Crypto-asset Exposure

There are currently no specific limitations under Austrian law on crypto-asset exposure of regulated entities. UCITS funds could invest (within the boundaries of generally applicable limitations) into units of other funds holding crypto-assets; a direct investment is not permissible for UCITS funds. An AIF can invest (again, within the boundaries of generally applicable limitations) into regular crypto-assets (Bitcoin, Ether, etc) which are not to be classified as security tokens.

CRR III and BCBS Standard on Crypto-asset Exposure

Under the upcoming CRR III which will be directly applicable also in Austria, rules on crypto-asset exposure will be implemented for the first time. These rules are loosely based on the revised Basel Committee on Banking Supervision’s standard on the prudential treatment of crypto-asset exposures (but limited to the most restrictive aspects of the BCBS standard).

The Basel standard distinguishes between two main groups of crypto-assets: Group 1 and Group 2. Both groups are further divided into two subgroups. Group 1 crypto-assets include tokenised traditional assets (Group 1a) and crypto-assets with effective stabilisation mechanisms (Group 1b) if they meet four specific classification conditions. Group 1a instruments are also referred to in the industry as security tokens (see 2.2 Categorisation and 2.3 Tokenised Securities) and Group 1b instruments as stablecoins (see 2.4 Stablecoins). Group 1 crypto-assets are generally subject to the same capital requirements as the underlying risk positions (ie, the underlying asset for Group 1a or the reference asset for Group 1b).

Group 2 includes crypto-assets that do not fulfil all four classification conditions. In the opinion of the Basel Committee, they represent an increased risk compared to Group 1 crypto-assets and are therefore subject to a new conservative capital approach. Virtual currencies that function purely as a medium of exchange, such as Bitcoin or Ether, are always classified as Group 2 crypto-assets. Under certain conditions, hedging transactions for the respective risk position are recognised as Group 2 crypto-assets. Such crypto-assets then fall into group 2a. The risk weight and the required capital for crypto-assets in Group 2a are therefore similar to that of Group 1. Only if neither the four classification conditions, nor the requirements for the recognition of hedging transactions, are met does the crypto-asset fall into Group 2b. A risk weight of 1,250% is then applied by default.

Austria has a regulatory sandbox. It is established with the Austrian FMA and it allows start-ups and existing regulated entities alike to test innovative business models under regulatory supervision in a controlled environment.

In order to participate, applicants must provide a comprehensive description of the business model, including how it works, the technology involved, and the expected benefits. Applicants must further demonstrate a significant economic interest, showing potential benefits to the financial market or economy in Austria. Also, the business model should be ready for market testing, implying that it has moved beyond the conceptual stage and is prepared for real-world application.

An application must be filed with the Austrian FMA. The filing can also be done in English. The FMA conducts a preliminary review and hands the application over to the Regulatory Sandbox Advisory Council, consisting of representatives from the Ministry of Finance, FMA, Austrian National Bank, and other experts. This council assesses the economic interest, market readiness, and testing feasibility of the business model. Based on the council’s assessment, the FMA makes its final decision on whether to admit the applicant to the sandbox.

There is no applicable information in this jurisdiction.

In Austria, several regulatory bodies are relevant to businesses or individuals using blockchain technology. Each of these bodies has its own scope of jurisdiction and regulatory approach to blockchain and digital asset firms:

  • FMA: The FMA is the primary regulator for financial markets in Austria. It oversees banks, insurance companies, pension funds, securities firms, and CASPs. The FMA’s jurisdiction includes enforcing compliance with AML regulations, supervising the financial health of institutions, and ensuring consumer protection. The FMA requires CASPs to comply with strict AML and counter-terrorist financing (CTF) regulations (see 4.1.4 Anti-money Laundering and Counter-Terrorism Financing (AML/CTF) Requirement).
  • Oesterreichische Nationalbank (OeNB): The OeNB is Austria’s central bank, monitoring financial stability in Austria. While the OeNB does not directly regulate CASPs, its role in financial stability makes it an important stakeholder in the ecosystem.
  • Ministry of Finance (Bundesministerium für Finanzen, BMF): The BMF oversees fiscal policy, taxation, and the overall financial regulation landscape in Austria. It plays a key role in legislative processes related to financial regulation, including the implementation of EU directives and, most recently, MiCA.

Within the Austrian Chamber of Commerce, CASPs are organised in the subdivision for financial service providers and crypto-asset service providers. This body is tasked with representing the interests of the industry in legislative proposals and serving as a single point of contact for other stakeholders. In addition, the Digital Assets Association Austria, a voluntary interest group, promotes the interests of the industry.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

Austria has implemented a special tax regime for crypto-assets in the Income Tax Act. In the Act, the definition of virtual currency (as introduced by the 5th Anti-Money Laundering Directive) is used to define the newly introduced term of “cryptocurrency”. Income from cryptocurrencies is classified as income from capital, subjected to a special tax rate of 27.5%. This encompasses income from staking, airdrops, bounties, and hard forks, which are taxed upon sale rather than receipt. For domestic taxpayers, capital gains from cryptocurrency transactions must be reported, and capital gains tax (KESt) must be deducted by CASPs headquartered in Austria.

Austrian law does not provide for ESG requirements. Note, however, that MiCA mandates that issuers of crypto-assets as well as CASPs must disclose the principal adverse impacts of the technology underlying a certain crypto-asset on the environment, specifically related to the consensus mechanisms used. This includes the environmental and climate-related impacts of mining or other processes used to validate transactions on the blockchain.

Blockchain-based products and services are subject to the EU General Data Protection Regulation (GDPR). In practice, the Regulation plays a role only when it comes to centralised market participants such as CASPs or token issuers. It is also relevant when a smart contract is used to provide services to others. In the case of fully decentralised systems (see 2.4 Stablecoins) and speaking from a practical perspective, the GDPR becomes a non-issue. The so-called right to be forgotten can be maintained by storing personal data on the blockchain only in encrypted form and storing a separate decryption key for every data entry stored on the blockchain. If someone exercises their right to be forgotten, this request can be complied with by simply deleting the decryption key associated with the data entry to be deleted.

STADLER VÖLKEL

Seilerstätte 24
1010 Vienna
Austria

+43 1 997 10 25

+43 1 997 10 25 - 99

ov@sv.law www.sv.law
Author Business Card

Trends and Developments


Author



STADLER VÖLKEL is a leading full-service law firm based in Vienna, Austria. Founded in 2016, the firm has earned a reputation for providing the highest-quality advice, particularly in technology-related areas such as blockchain/DLT. Crypto and related financial services regulation has been a core practice area of STADLER VÖLKEL since its inception. The firm works with a wide range of clients, including global crypto exchanges and other CASPs, mining operators, staking service providers, credit and financial institutions, payment service providers, crypto ATM operators, token issuers, and DeFi protocol developers, among others.

Introduction: The Overarching Theme

MiCA preparation dictates everyday business

As Europe progresses steadily towards the full applicability of the EU Market in Crypto Assets Regulation (MiCA), which fully harmonises the crypto industry across all EU member states, preparing for this new legal regime is the overarching theme of recent developments in Austria’s crypto industry:

  • Notably, the Austrian Financial Market Authority (FMA) has prepared early for its role under MiCA and supervisory tasks. It gives clear guidance as to requirements and the licensing process.
  • Crypto-asset service providers (CASPs), token issuers, as well as layer 1 and layer 2 protocol developers alike are analysing MiCA and what it will mean for them.
  • The traditional financial industry is also having a close look and preparing for licensing under the new regime. After all, and this cannot be stressed enough, MiCA was not written as a regulation for the crypto industry but to incentivise the traditional financial market participants to enter the ring.
  • Not only are Austria and the EU making preparations, but third-country CASPs are also gearing up. This is mostly due to the strict reverse solicitation rules, which had not previously applied to CASPs. These rules even target some of the commonly used “grey-area methods” that allowed third-country financial service providers to make themselves visible without breaking existing EU non-solicitation rules.
  • In addition, the EU Data Act has (undeservedly so) sparked controversy among protocol developers because it supposedly mandates developers to include a kill switch in smart contracts.

What is MiCA, actually?

MiCA is a complex framework. It introduces, for example, the obligation to draw up a (standardised) crypto-asset White Paper before offering crypto-assets to the public in the EU or listing crypto-assets on an EU exchange. Additional requirements apply to issuers of asset-referenced tokens and e-money tokens, two newly introduced legal concepts. CASPs wishing to conduct business in the EU must set up shop in an EU member state and must obtain a license. MiCA also prohibits market abuse in the crypto markets, including market manipulation and insider dealing.

This article cannot provide an in-depth explanation of all of MiCA’s intricacies. If you would like to learn more, please consider downloading our booklet on blockchain in Europe at gomica.eu, which is a compendium on MiCA compliance, or reading the MiCA commentary “Crypto-Assets” (ISBN 3406777864).

Other legal sources

Note that while MiCA is certainly at the core of crypto-asset regulation in Austria and Europe, it is far from the only legal source to consider. There are a number of guidelines and delegated regulations, including regulatory technical standards (RTS) and Implementing Technical Standards (ITS) adopted by the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). In fact, it is becoming increasingly difficult to keep track of all the delegated legal acts. There is no central index by any EU body known to us keeping track of all consultation papers, final reports, delegated regulations or guidelines. Therefore, we maintain such an index ourselves at gomica.eu/resources.

How the Austrian FMA is Preparing for MiCA: EU’s Leading Regulator

Why the FMA is a good choice

Non-EU CASPs should consider opening their EU base in Austria. This automatically leads to the Austrian FMA becoming the competent regulator for their business. There are a number of factors that play into this consideration:

  • English as default: Most importantly, the Austrian FMA accepts communication in English, not only in regular emails but also with respect to all documents that need to be prepared and submitted by applicants in licensing proceedings.
  • Ample experience: The Austrian FMA has extensive experience with a huge number of business models in the crypto industry. For some background on how this came about, see the excursus below.
  • Preliminary discussions: The Austrian FMA actively encourages all interested companies to contact it as early as possible to allow sufficient time for preparation and co-ordination. Those companies that are already making concrete preparations to apply for authorisation as CASPs in Austria are invited to inform the FMA of their interest in scheduling an introductory meeting. Details of how to contact the FMA can be found in its roadmap for CASPs.
  • Early application: Interested entities will be able to submit an application for authorisation as a CASP from 1 October 2024 onwards. The FMA already provides the application form on its information page for CASP applicants.
  • Central location: Austria’s central location in Europe is a plus. Additionally, it shares a border with Switzerland where many protocols set up Swiss foundations in the past. This proximity and the shared German language allow for an easy EU-market entry from Switzerland.

Excursus: How Austria’s FMA became Central Europe’s “crypto regulator”

It cannot be stressed enough that Austria’s financial markets regulator FMA has an exceptionally strong understanding of blockchain/DLT and almost any business model in the crypto industry. This should not come as a surprise considering the dynamics that played out in the decade before the EU legislature stepped in by adopting MiCA, in particular relating to the differing legal views the Austrian FMA held as compared to German regulator BaFin.

As early as 2013, BaFin decided to categorise Bitcoins as units of account within the meaning of the German Banking Act. It arrived at its conclusion before discourse on the legal quality of Bitcoin had even fully begun in Germany. The argumentation was correspondingly criticised as unsubstantiated and based on incorrect assumptions. The impact of BaFin’s enforced perspective had dramatic consequences for the nascent German crypto industry. These repercussions were evident long before the flaws in BaFin’s legal interpretations became apparent, as a more nuanced understanding of this new phenomenon evolved.

In contrast, the Austrian FMA took a different approach. In 2014, it declared itself not competent for business models relating to Bitcoin. This regulatory reluctance was not due to major differences in the legal traditions between the two EU member states, but was rather due to the realisation that crypto-assets on public blockchains differed fundamentally from financial instruments. This relaxed approach allowed the industry to develop unhindered in Austria. For this reason, a number of crypto entrepreneurs with German roots settled in Austria to test their business models. This, in turn, provided the FMA with ample opportunity to gain exposure to a diverse range of business models, enabling it to accumulate a level of expertise that remains unparalleled.

To this day, the Austrian FMA continues to play a leading role as an opinion leader at the EU level. It was, for example, a driving force behind the current ESMA draft guidelines on reverse solicitation.

How CASPs Prepare for MiCA: An Industry Grows Up

To prepare for providing MiCA services, future CASPs need to take a series of strategic and operational steps to ensure compliance. We generally recommend the following steps:

  • Understand MiCA’s requirements: Begin by familiarising yourself with the full text of the regulation. Identify specific requirements and obligations for your type of service.
  • Internal assessment: Conduct a gap analysis to compare current capabilities and processes against MiCA requirements. Identify areas requiring new policies, procedures, or system upgrades. Engage senior management and key stakeholders to ensure alignment and support. Form a cross-functional team, including compliance, legal, IT, risk management, and business operations.
  • Develop a notification package: Prepare the required application or notification information as detailed in MiCA. Outline the types of crypto-asset services to be offered and marketing plans. Describe mechanisms, policies, and procedures to ensure compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. Detail the risk assessment framework for managing money laundering and terrorist financing risks. Provide the plan to ensure continuity of services. Include details of ICT systems and security arrangements. Explain how clients’ crypto-assets and funds will be segregated. If applicable, describe the operating rules and procedures to detect market abuse. Provide a non-discriminatory commercial policy and the pricing methodology for crypto-assets. Outline the policy for executing orders on behalf of clients (if applicable) and ensure that personnel providing advice or managing portfolios have the necessary expertise.
  • Implement necessary systems and controls: Upgrade IT systems to support crypto-asset services securely. Implement robust cybersecurity measures to protect against hacking and fraud. Enhance AML/CTF frameworks to address crypto-specific risks. Establish monitoring systems for regulatory compliance and risk management. Implement procedures for the segregation and protection of client assets. Ensure transparency and fairness in client communications and service delivery.
  • Training and development: Train staff on new policies, procedures, and systems related to crypto-asset services. Ensure ongoing education on regulatory updates and best practices in the crypto space. Develop educational materials to inform clients about crypto-asset services, risks, and safeguards.
  • Notification and authorisation: Submit the complete application (or notification) package to the competent authority. Be prepared to interact with regulators, address any queries, and provide additional information if required.
  • Ongoing compliance and monitoring: Monitor regulatory developments and update policies and procedures accordingly. Regularly review and improve risk management and compliance frameworks. Establish regular internal audits and reporting mechanisms to ensure ongoing compliance. Maintain transparent communication with regulators and stakeholders.

How Protocols Adapt to MiCA in Austria: A Push Towards Decentralisation

DeFi not covered by MiCA

MiCA is often viewed by protocol developers as an impending regulatory presence just over the horizon. Many developers do not wish to become regulated under MiCA. Fortunately for them, there is a way out. Decentralised protocols, such as the entire area of decentralised finance (DeFi), do not fall within the scope of MiCA.

Recital 22 of MiCA states that crypto-asset services that are provided in a fully decentralised manner without any intermediary, should not fall within the scope of the regulation. While recitals are not a binding part of MiCA, they do bear weight. It is basically a recognition by the EU legislature that smart contracts can be published in an immutable manner, in such a way that an unlimited audience can access them, and that these smart contracts can provide functionality without the involvement of any third party.

When is DeFi truly DeFi?

Of course, immediately the question arises as to what exactly is meant by “without an intermediary” and “in an exclusively decentralised manner”. The utilisation of smart contracts in providing crypto-asset services (or financial services, for that matter) does not automatically confer a status of decentralisation. Companies can use smart contracts to provide crypto-asset services or financial services in their own name. In such cases, the smart contract is merely a tool used by a company.

At the end of the day – or at the end of the legal analysis – sufficient decentralisation can more or less be equated with trustlessness. If nobody needs to trust that other parties stick to promises, and if the protocol continues functioning even if its developers disappear, the protocol is usually sufficiently decentralised so as to not fall within MiCA. The details are, obviously, more complex.

The concept of decentralisation is well understood in Austria, and also by the FMA, which has dealt with fully decentralised systems in the context of financial services in the past and has concluded that they do not fall within financial market regulation and developers are not subject to the FMA’s supervision. Against this backdrop, a number of developers are currently reviewing whether their protocols are sufficiently decentralised to not fall within MiCA.

How TradFi Prepares for Crypto Business Under MiCA: The Equivalence Regime

As stated earlier, MiCA was not written for the crypto industry but rather as a way for established financial market participants to engage in crypto-asset services. This can best be observed in Article 60 of MiCA, which establishes an equivalence regime between financial market services and crypto-asset services (but not the other way round). Traditional financial service providers are allowed to engage in certain crypto-asset services. In particular:

  • Credit institutions may provide all MiCA crypto-asset services.
  • Central securities depositories (CSDs) can provide custody and administration of crypto-assets on behalf of clients. Custody and administration of crypto-assets are equated to managing securities accounts.
  • Investment firms may offer crypto-asset services equivalent to the investment services for which they are authorised under MiFID II. Specific services are equated to corresponding financial services under MiFID II, such as custody, trading, exchange, and advice.
  • Electronic money institutions (EMIs) can provide custody, administration, and transfer services for crypto-assets related to e-money tokens they issue.
  • UCITS (undertakings for collective investment in transferable securities) management companies and AIFMs (alternative investment fund managers) can offer crypto-asset services equivalent to portfolio management and non-core services for which they are authorised.
  • Market operators can operate a trading platform for crypto-assets.

This only requires a notification of their competent regulator which must include a programme of operations detailing the types of crypto-asset services and marketing plans, descriptions of internal control mechanisms, risk assessment frameworks, business continuity plans, ICT systems, security arrangements, procedures for segregating client assets, custody policies, trading platform rules, commercial policies, execution policies, qualifications of personnel providing advice or managing portfolios, and details of the crypto-assets involved.

How Third-Country CASPs Are Preparing for MiCA: No More Reverse Solicitation

Current status of reverse solicitation rules

As of writing, ESMA has completed its consultation process regarding its draft guidelines on reverse solicitation under MiCA. Its final report has not yet been published, however.

What is reverse solicitation?

Generally, third-country firms may not solicit clients in the EU as they are not authorised to provide CASP services in the Union. There is only one exemption, namely if the client, on their own initiative and without solicitation, contacted the firm and requested the service, the third-country firm may provide it (Article 61 of MiCA). The rationale for this exemption is that clients shall not be excluded from using third-country firms if they choose to do so without having been solicited by such firms.

In any case, it should be understood as applying in very limited and narrow circumstances. Although often referred to as the reverse solicitation exemption, it is actually a prohibition: a prohibition on third-country firms soliciting clients established or situated in the Union, unless the crypto-asset service was explicitly requested by the client without any solicitation. It also states that in order to make sure that clients of CASPs benefit from full rights and protections afforded to them under MiCA and that EU CASPs are not put at a competitive disadvantage compared to third-country firms vis-à-vis EU clients, it is important to actively protect EU-based investors and MiCA-compliant CASPs from undue incursions by non-EU and non-MiCA compliant entities.

ESMA limits permissible reverse-solicitation

ESMA highlights that the term solicitation should be construed in the widest possible way. It includes banner advertisements, sponsorship deals, solicitation by any kind of affiliates such as influencers and other celebrities. This broad interpretation of the term solicitation, especially with respect to online activities and the use of banner advertising and the use of influencers and other celebrities, reflects the fact that crypto-assets and crypto-asset services are essentially offered online.

Similarly, a broad interpretation should be given to the person soliciting. It may be the third-country firm or any entity or person on its behalf. The relationship between the third-country firm and the person soliciting on its behalf does not necessarily need to be a contractual relationship – it may be explicit or implicit. For instance, if a third party is undertaking a marketing campaign or building the third-country firm profile in the Union, then the third-country firm would not be able to claim that there was no solicitation carried out and to rely on Article 61 of MiCA.

Also, timing is of the essence when a third-country firm relies on the reverse solicitation exemption. If the third-country firm meets all the conditions to rely on Article 61 of MiCA, it may only do so for a very short period of time. The third-country firm relying on the exemption is not allowed to subsequently offer the client further crypto-assets or services, even if such crypto-asset or service is of the same type as the one originally requested, unless they are offered in the context of the original transaction. Although the draft guidelines do not provide any definite time window during which the exemption may be used, the lapse of a month or even a couple of weeks between the provision of the crypto-asset service based on a request made on the client’s exclusive initiative and a subsequent offer by the third-country firm would exclude the application of Article 61.

Consequences for third-country CASPs

Third-country CASPs which have acquired EU customers in the past have to adapt to this new interpretation of the reverse-solicitation principle. Even sending a single email to an existing EU customer after 30 December 2024 may trigger EU regulators to initiate proceedings for unauthorised business. And while a CASP may hold the view that fines are of no concern, the regulator’s possibility to publish investor warnings – also known as naming and shaming – should suffice to encourage third-country CASPs to re-evaluate their customer information processes.

Why the EU Data Act’s Kill Switch Provision is Not What You Think

The industry seems to still be of the opinion that the upcoming EU Data Act will require all developers of smart contracts to include a “kill switch”. This is not the case. Since it is still a topic of contention, we chose to end this article by explaining why protocols do not have to worry.

What is the EU Data Act?

The Data Act is an EU regulation that sets out a harmonised framework on fair access to and use of data. It seeks to ensure that users of “connected products” that generate data concerning their performance, often referred to as the “Internet of Things”, can access and use the data generated by the use of these products, including by sharing them with third parties of their choice. The Data Act is in the final stages of the EU legislative process. It entered into force on 11 January 2024 and will apply (ie, be directly enforceable) from 12 September 2025.

What is the Data Act’s kill-switch obligation?

Article 36 of the Data Act obliges vendors of applications using smart contracts for executing data sharing agreements to ensure that those smart contracts comply with certain requirements, including ensuring that a mechanism exists to terminate the continued execution of transactions and that the smart contract includes internal functions which can reset or instruct the contract to stop or interrupt the operation. This is often referred to as a kill switch.

It is important to stress the italicised part of the above paragraph. The provisions of the Data Act regulating smart contracts, including the requirement to implement a kill switch, relate only to smart contracts used in the context of data sharing agreements under the Data Act. The Recitals to the Data Act make that abundantly clear. Recital 47 points out that smart contracts may reduce the costs in regular or repetitive transactions between data holders and data recipients. Recital 104 states that, to promote the interoperability of tools for the automated execution of data sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate in applications that support the implementation of agreements for data sharing. Recital 104 notes that the essential requirement to ensure that smart contracts can be interrupted and terminated implies mutual consent by the parties to the data sharing agreement.

Article 8 of the Data Act requires that, in cases where a data holder is obliged to make data available to a data recipient, it shall agree with a data recipient the arrangements for making the data available and shall do so under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner. Article 11 provides that a data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to data and to ensure compliance with the Data Act as well as with the agreed contractual terms for making data available.

Why is the kill switch not of importance?

It is in the context of these data sharing agreements between data holders and data recipients, as contemplated in Articles 8 and 11 of the EU Data Act, that the harmonised standards for smart contracts exist, including the requirement to implement a kill switch. In a decentralised system, miners or validators, but also protocol participants are – in almost all cases – not data holders or data recipients and therefore are not obliged to share data pursuant to the Data Act. They are also not subject to the Data Act’s smart contract requirements. However, developers could become subject to the smart contract requirements if they qualified as a manufacturer of a connected product, provider of a related service, data holder or data recipient and used smart contracts in the context of a data sharing agreement. That said, you would have to be creative to find an example where that would be the case.

STADLER VÖLKEL

Seilerstätte 24
1010 Vienna
Austria

+43 1 997 10 25

+43 1 997 10 25 - 99

ov@sv.law www.sv.law
Author Business Card

Law and Practice

Author



STADLER VÖLKEL is a leading full-service law firm based in Vienna, Austria. Founded in 2016, the firm has earned a reputation for providing the highest-quality advice, particularly in technology-related areas such as blockchain/DLT. Crypto and related financial services regulation has been a core practice area of STADLER VÖLKEL since its inception. The firm works with a wide range of clients, including global crypto exchanges and other CASPs, mining operators, staking service providers, credit and financial institutions, payment service providers, crypto ATM operators, token issuers, and DeFi protocol developers, among others.

Trends and Developments

Author



STADLER VÖLKEL is a leading full-service law firm based in Vienna, Austria. Founded in 2016, the firm has earned a reputation for providing the highest-quality advice, particularly in technology-related areas such as blockchain/DLT. Crypto and related financial services regulation has been a core practice area of STADLER VÖLKEL since its inception. The firm works with a wide range of clients, including global crypto exchanges and other CASPs, mining operators, staking service providers, credit and financial institutions, payment service providers, crypto ATM operators, token issuers, and DeFi protocol developers, among others.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.