Contributed By Kinstellar Rechtsanwalts GmbH
Austria’s financial services regulatory framework is shaped by a combination of directly applicable EU legislation and national implementing acts. As most core regulatory requirements derive from EU directives and regulations, Austria’s regime is closely aligned with the European financial services regulatory framework. This framework is supplemented by domestic provisions and supervisory guidance issued by the national competent authorities, the Austrian Financial Market Authority (Finanzmarktaufsichtsbehörde, FMA) and the Austrian National Bank (Oesterreichische Nationalbank, OeNB).
Overview of Key Financial Services Provisions in Austria
The key elements of financial services law in Austria are set out below. Please note that directly applicable EU regulations, including the legal framework of the Single Supervisory Mechanism (SSM) and of the Single Resolution Mechanism (SRM), are not included in this overview.
The FMA is further authorised to issue binding regulations in certain areas determined in the above-mentioned legal acts.
The FMA provides an English language translation of most of the above-mentioned legal acts on their website: www.fma.gv.at/en/national/supervisory-laws/.
Commercial Provision of Regulated Financial Services in Austria
Austria regulates a broad and comprehensive spectrum of financial products and services, covering traditional banking activities, investment services, insurance services, payment services, e-money issuance, fund management and crypto-asset services.
As a general principle, the commercial provision of financial services in Austria requires a respective regulatory license granted by the FMA or, for banks that take deposits and provide lending business, the European Central Bank (ECB). Financial services are considered to be carried out on a commercial basis if they are performed independently, on a regular basis, and with the intention of generating income. This definition is interpreted broadly, meaning that even business models with low transaction frequency may fall within the definition if the activity is organised and intended to produce income over time.
Licensing obligations apply when a regulated financial service is provided to corporate or retail clients located in Austria, irrespective of the provider’s jurisdiction of establishment. As a result, foreign financial institutions may become subject to Austrian licensing requirements if their activities are deemed to be conducted in or directed into Austria. The assessment typically focuses on both the nature of the service and the factual manner in which it is provided, including distribution channels, marketing practices and the service provider’s local footprint.
Overview of Regulated Financial Services
Regulated banking services include:
Regulated investment services include:
Regulated insurance services include:
Regulated payment and e-money services include:
Regulated investment fund services include:
For regulated crypto-asset services, see 2.3 Crypto-assets.
Although Austrian law provides for certain exemptions from licensing, the FMA interprets these exemptions narrowly. In practice, the authority conducts a granular, case-by-case analysis that evaluates not only the wording of statutory provisions but also the economic substance of the business model, relevant administrative practice and applicable Austrian case law. As a result, determining whether a particular business model or activity falls within the regulatory perimeter typically requires a detailed and nuanced assessment of both the legal framework and the specific factual circumstances. Even minor variations can influence the regulatory classification and licensing outcome.
To a certain extent, Austria recognises reverse solicitation, whereby a client located in Austria initiates contact with, or requests services from, a foreign financial service provider exclusively on the client's own initiative. However, the FMA takes a conservative and restrictive view of this concept. It expects firms relying on reverse solicitation to demonstrate clearly that no form of marketing, outreach, or solicitation targeting Austrian clients, directly or indirectly, preceded the client’s approach. In practice, this restrictiveness means that foreign firms must exercise particular caution, as any activity that could be construed as targeting the Austrian market risks triggering licensing obligations, despite an assertion of client-initiated contact.
Markets in Crypto-Assets Regulation (MiCAR)
Austria’s regulatory landscape for crypto‑assets is now primarily governed by EU legislation, most notably the Markets in Crypto‑Assets Regulation, Regulation (EU) 2023/1114, (MiCAR). MiCAR became fully applicable at the end of 2024, marking a fundamental shift from Austria’s previously AML‑driven domestic regime, which was centred around registration requirements under the Austrian Financial Markets Anti‑Money Laundering Act (Finanzmarkt-Geldwäschegesetz), to a single, harmonised EU‑wide licensing and conduct‑of‑business regime for crypto‑asset issuers and crypto‑asset service providers (CASPs). MiCAR harmonises rules for issuance, public offerings, admission to trading and the provision of crypto‑asset services across the EU. As a result, Austria now applies a passportable licensing framework comparable in structure to MiFID II or the Payment Services Directive II, with the FMA acting as the competent national authority for authorisation and ongoing supervision under MiCAR. The introduction of MiCAR has therefore aligned Austria’s crypto‑asset regulatory environment with the EU regulatory model and largely replaced the former national regime.
In Austria, the grandfathering period under Art 143 MiCAR lasted twelve months for CASPs that had provided services in accordance with the applicable law before 30 December 2024. It therefore ended on 31 December 2025. This means that with effect from 1 January 2026, only MiCAR-authorised CASPs can provide crypto-asset services in Austria.
Importantly, MiCAR does not apply where a crypto‑asset or related activity falls within the scope of an existing EU financial services framework. Austria follows the following delineations strictly.
Consequently, determining the applicable regime requires a precise legal and technical analysis of the specific crypto‑asset’s features and the economic substance of the service provided.
Types of MiCAR-Regulated Crypto-Assets
There are three types of crypto-assets regulated under MiCAR.
Types of MiCAR-Regulated Crypto-Asset Services
Regulated crypto-asset services under MiCAR are:
The above-listed services, if provided on a commercial basis in Austria, require a license as a CASP.
Dual-Pillar Supervisory System
Austria’s financial‑market supervision operates under a dual‑pillar system, meaning that supervisory responsibilities are shared between two domestic institutions, the FMA and the Oesterreichische Nationalbank (OeNB).
The FMA is the authority mainly responsible for formal supervisory decisions and for licensing and enforcement. The FMA cooperates closely with the OeNB.
The OeNB is responsible for operational supervision, supervisory data and analysis, as well as system‑wide stability monitoring.
Tasks and Responsibilities of the Austrian Financial Market Authority (FMA)
The FMA is Austria’s integrated and independent financial services regulator. The FMA is responsible for the prudential and conduct supervision of banks, insurance undertakings and pension funds, payment institutions and e‑money institutions, investment firms, fund managers and crypto‑asset service providers.
The FMA is also responsible for issuing binding regulations and administrative decisions, including licensing, licence withdrawals, the removal of managers, and for imposing administrative penalties. The FMA enforces market conduct and AML/CTF rules. As of 1 January 2026, the FMA is also responsible for monitoring and implementing national and international financial sanctions ordered by the EU and the United Nations (UN). These competences were transferred from the OeNB to the FMA.
The FMA further assumes the role of the national competent banking resolution authority, with powers relating to crisis management, bank resolution and recovery planning.
The FMA supervises all major financial sectors across their life cycles, from licensing, ongoing supervision and enforcement to a potential market exit. Its jurisdiction covers both prudential and conduct matters across all regulated financial services segments in Austria.
Oesterreichische Nationalbank (OeNB)
The OeNB supports the FMA in the prudential supervision of credit institutions, conducting onsite inspections and off‑site analyses on behalf of the FMA. Furthermore, the OeNB is responsible for off‑site supervisory analysis, including risk assessments, data processing, financial reporting analysis and stress testing. It also performs macro‑prudential analysis and monitors overall financial stability in Austria.
Austria’s regulatory framework relies not only on statutory law and EU legislation, but also on extensive soft‑law materials published by the FMA and by the three European supervisory authorities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
These materials include circulars, guidelines and supervisory expectations. They play a central role in shaping supervisory practice and interpreting regulatory requirements.
While soft law does not have the force of legislation, it is highly relevant in practice, as it sets out supervisory expectations and enforcement approaches. Therefore, supervised institutions are expected to take it into account, even though it does not constitute formal legislation.
The most relevant categories of soft law in Austria include:
All supervisory materials are published on the FMA’s website and are also partially available in English.
Austria implements Basel III through EU law, primarily the Capital Requirements Regulation, Regulation (EU) No 575/2013 (CRR) as amended, and the Capital Requirements Directive, Directive 2013/36/EU, (CRD) as amended. This means Austria’s implementation timeline is tied to the EU‑wide implementation of the final Basel III reforms.
Specifically, the EU is implementing the remaining Basel III regulations through the Capital Requirements Regulation III, Regulation (EU) 2024/1623 (CRR III), and the Capital Requirements Directive VI, Directive (EU) 2024/1619 (CRD VI). CRR III has been directly applicable since 1 January 2025. CRD VI has not been implemented in Austria. As an EU directive, it requires national transposition, with most provisions becoming applicable from 11 January 2026 once the implementing legislation enters into force. Therefore, certain provisions may have direct effect following the expiry of the transposition deadline. See also 6.1. Financial Services Reforms.
The current settlement cycle remains T+2, which means that settlement takes place two business days after the trading day, as specified by the Central Securities Depositories Regulation (Regulation (EU) No 909/2014, CSDR). The CSDR has been amended by Regulation (EU) 2025/2075 to introduce a T+1 settlement cycle in Austria for securities transactions on 11 October 2027, in line with the EU‑wide implementation date.
The FMA supports this EU‑wide transition and is closely monitoring the implementation process. The move to T+1 will be accompanied by various organisational and technical changes for market participants. The FMA recommends market participants to look at the roadmap published by the EU T+1 Industry Committee on 30 June 2025 to prepare for the transition. The roadmap contains practical recommendations, including changes in trading times as well as greater levels of automation and standardisation of processes.
Applicable ESG Requirements
Austria follows the EU Sustainable Finance framework, which applies either directly or through transposition into national law.
Key components of this framework include the Sustainable Finance Disclosure Regulation, Regulation (EU) 2019/2088 (SFDR), and the EU Taxonomy Regulation, Regulation (EU) 2020/852. These regulations impose extensive transparency and disclosure obligations on financial market participants and on financial products with sustainability‑related characteristics. Together, they form a core part of the legal and regulatory landscape applicable in Austria to ESG‑related investment products and sustainability disclosures.
In addition to this, the Austrian Banking Act and the Austrian Trade Act (Gewerbeordnung) contain certain sustainability‑related provisions requiring non‑financial disclosures, including sustainability disclosures.
The FMA supports implementation by issuing guidance and setting supervisory expectations to ensure compliance with these requirements.
See also 6.1. Financial Services Reforms.
Mitigation of Greenwashing
The SFDR, together with its associated regulatory technical standards adopted under Commission Delegated Regulation (EU) 2022/1288, is specifically intended to mitigate greenwashing risks by requiring detailed and standardised disclosures regarding sustainability characteristics, sustainability objectives and principal adverse impacts. In addition, the ESG Rating Regulation, Regulation (EU) 2024/3005, will introduce a harmonised supervisory framework for ESG rating providers. This regulation is expected to apply from mid‑2026 and will enhance oversight of ESG ratings and their use in marketing and investment decision‑making.
Nationally, the FMA issues supervisory guidance and expectations regarding the integration of sustainability risks into governance and risk‑management frameworks. The FMA has also updated its supervisory guidance to explicitly address risks of misleading or unsubstantiated ESG‑related claims. The FMA’s 2025 sustainability guidance expressly states that greenwashing risks are now a supervisory priority and form part of updated supervisory expectations for regulated entities. In particular, the FMA applies the ESMA Guidelines on the use of ESG or sustainability-related terms in fund names, which are intended to protect investors from unfounded or exaggerated sustainability claims. To monitor ongoing compliance with these requirements and to reduce the risk of greenwashing, the FMA conducts targeted supervisory activities for checking disclosures as well as compliance with the disclosed investment strategy.
Enforcement Actions
Although Austrian sources have not explicitly reported sanctions against a specific undertaking to date, the regulatory framework indicates ongoing supervisory scrutiny, heightened enforcement readiness and active oversight of ESG‑related disclosures and marketing.
Regulatory Approach Towards AI
Austria’s financial regulators, the FMA and the OeNB, have recognised artificial intelligence (AI) and digital risk as key supervisory priorities. Recent supervisory communications emphasise the need for transparency, governance and ongoing supervisory dialogue regarding the use of AI in banking systems, decision‑making processes and risk models. This includes active engagement with supervised entities on the nature of AI applications, their governance and their potential risk implications.
The FMA and OeNB have made resilience and digitalisation a priority for banking supervision in 2026. The regulators have announced that they will enter into a structured dialogue with banks regarding their AI applications and develop and communicate a supervisory approach to AI-based tools used by financial institutions. However, they have yet to issue any guidance in this regard.
Regulatory Requirements Addressing AI
AI also appears indirectly in Austrian supervisory communications through the EU’s Digital Operational Resilience Act, Regulation (EU) 2022/2554, (DORA), which applies from January 2025. Both the FMA and OeNB continue to push ahead with the implementation of DORA standards.
Furthermore, the directly applicable EU AI Act, Regulation (EU) 2024/1689, which sets out harmonised rules on AI, establishes a comprehensive risk‑based framework for AI systems used in financial services. Partially applicable as of August 2024 and fully applicable as of August 2027, it imposes requirements relating to transparency, documentation, data governance, human oversight and risk management.
Regulatory Attitude Towards Fintech
Austria’s regulator generally adopts a constructive and innovation‑friendly, though prudentially conservative, approach to fintech. The overarching philosophy is to support innovation without lowering supervisory standards.
A key feature of Austria’s pro‑innovation stance is the FMA Regulatory Sandbox, established in September 2020. The Regulatory Sandbox is designed to allow innovative fintech business models to be tested under a temporary licence, provide intensified cooperation and supervisory support, facilitate a smoother path to full authorisation once the testing phase is complete, and to allow the FMA to deepen its supervisory understanding of emerging technologies and business models. If the test proves successful, firms generally exit the sandbox with the appropriate financial services licence.
This framework is complemented by the FMA’s FinTech Point of Contact and the FinTech Navigator, which provide guidance to firms on regulatory classification, licensing requirements and supervisory expectations. Notwithstanding this supportive environment, fintech firms operating in areas such as anti‑money laundering, payment services, electronic money, investment services and virtual asset services remain subject to the full scope of applicable regulatory obligations, including comprehensive AML/CFT regimes and financial conduct rules.
Central Bank Digital Currency in Austria
Austria and its central bank, the OeNB, are actively involved in the Eurosystem project to develop a digital euro, which would function as a central bank digital currency (CBDC) for the euro area.
Austria is not developing its own national CBDC. Instead, it participates fully in the ECB-led digital euro project, which is intended to introduce a form of digital central-bank money available to households and businesses across the eurozone.
The Eurosystem entered a new development phase in November 2025, running until 2027, focusing on technical preparations, rulebook development and pilot testing. If EU legislators adopt the necessary framework in 2026, a pilot could begin in 2027, with the earliest possible issuance around 2029. The OeNB has contributed extensive consumer‑preference research and emphasises that a digital euro would complement, not replace, cash.
Regulatory protections for vulnerable retail customers in Austria are primarily driven by EU‑level consumer and investor protection frameworks, including the national implementation of MiFID II, the Consumer Credit Directive and the Payment Services Directive II. These regimes impose wide‑ranging conduct‑of‑business obligations, such as suitability and appropriateness assessments, fair and comprehensible disclosure obligations, product‑governance safeguards, and requirements designed to protect retail clients who may be exposed to financial, informational, or situational vulnerability.
Nationally, the FMA’s core contribution to retail‑customer protection lies in its prudential oversight and enforcement of legal conduct standards, including monitoring banks’ capital adequacy and ensuring compliance with statutory consumer‑facing rules. Beyond these EU‑mandated requirements, Austria has not introduced a separate, standalone framework specifically dedicated to “vulnerable customers”. Instead, the FMA operates a multi‑layered set of supervisory and consumer‑protection initiatives – including financial‑education materials, anti‑fraud warnings, transparency campaigns and oversight of complaints‑handling systems – all of which function as practical protections for consumers who may be at heightened risk.
The FMA’s supervisory expectations consistently emphasise ethical conduct, transparent pricing, fair‑treatment principles and enhanced consumer awareness. The authority also issues frequent public warnings on its website regarding unauthorised providers and scams, a measure specifically intended to protect consumers vulnerable to misleading or fraudulent online offerings.
In practice, supervised institutions are expected to incorporate vulnerability considerations into their internal conduct‑risk framework.
EU-Level Initiatives
Shadow banking, commonly referred to as non‑bank financial intermediation (NBFI), is addressed in Austria primarily through EU‑level regulatory and supervisory initiatives.
In particular, Austria relies on the following EU frameworks to govern the principal NBFI:
Systemic‑risk monitoring and potential macroprudential measures are coordinated at the EU level through the European Systemic Risk Board (ESRB) and the EBA, which periodically issue recommendations to Member States on vulnerabilities in market‑based finance.
Austrian Measures in Addition to EU-Level Initiatives
Neither the FMA nor the OeNB have introduced standalone regulations specifically targeting shadow banking. Instead, the risks traditionally associated with shadow‑banking activities, such as liquidity transformation, maturity transformation, or leverage outside the banking sector, are supervised within Austria’s macroprudential and financial‑stability framework, notably through the OeNB and the Austrian Financial Market Stability Board (Finanzmarktstabilitätsgremium, FMSG), Austria’s macroprudential policymaking body.
Within this structure, NBFI risks are tracked as part of broader assessments of market‑based finance, rather than as a separate regulatory domain. The OeNB’s Financial Stability Reports repeatedly emphasise that although non‑bank intermediation has expanded in Europe, the Austrian market remains bank‑dominated, and non‑bank activities do not currently pose systemic risk.
Recent national supervisory and financial‑stability publications emphasise Austria’s active participation in EU‑level consultations and ESRB monitoring exercises concerning macroprudential measures for NBFIs, reflecting their growing role in the financial system.
However, to date, no distinct Austrian regulatory initiatives or policy proposals addressing shadow banking have emerged beyond the existing EU framework and the initiatives of the ESRB and European supervisory authorities.
License Application Process
The authorisation of financial services firms in Austria is handled by the FMA, with banking licenses for CRR credit institutions (ie, banks that at least take deposits and provide lending business) falling under the direct responsibility of the ECB via the SSM. The authorisation process is formal, documentation‑intensive and highly structured.
The process begins with a formal application to the FMA, accompanied by supporting documentation. For banking licenses, applications are submitted to the FMA, which then forwards them to the ECB for decision under the SSM’s “common procedures”. Applications for other regulated activities such as investment services, payment and e-money services, insurance services and crypto-asset services, are exclusively assessed by the FMA. The scope of documentation depends on the type of license sought and the regulated activities to be performed.
The FMA reviews the application and may request additional information during the assessment process. In particular, during the assessment, the FMA may request further documentation, hold “fit and proper” interviews with managing directors, ask for refinements to risk frameworks, and engage in multiple rounds of clarification with applicants.
While the specific content depends on the type of entity and the regulated activities sought, core components typically include:
To support applicants, the FMA maintains detailed regulatory resources. Fintech applicants may additionally utilise the FMA’s “FinTech‑Navigator” or apply to the FMA Regulatory Sandbox, which enables regulated testing under close supervision.
Decision and Granting of Authorisation
If all statutory requirements are fulfilled, the ECB issues the final administrative decision for CRR credit institutions; for all other financial service providers, the FMA issues a licence.
A key principle of Austrian administrative law is that the FMA has no discretion to refuse authorisation if the applicant meets all legal requirements. Conversely, if one or more requirements are not met, the FMA must refuse authorisation or may issue a decision imposing corrective measures.
Once granted, the licence becomes effective immediately, and the entity becomes subject to ongoing supervision.
Legal Remedies
FMA licensing decisions are administrative decisions and may be appealed to the Austrian Federal Administrative Court (Bundesverwaltungsgericht). Further appeals to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof, VwGH) or Austrian Constitutional Court (Verfassungsgerichtshof, VfGH) are available under specific statutory conditions (eg, alleged procedural violations, constitutional issues, or fundamental legal questions).
ECB licensing decisions follow the appeal mechanisms applicable under EU law, including possible recourse to the ECB Administrative Board of Review.
FMA Regulatory Sandbox
The FMA Regulatory Sandbox supports innovative FinTech business models by easing their path into financial supervision through close interaction with the FMA, without reducing regulatory standards. It is available to both FinTech start-ups and established market participants, including cooperations involving unlicensed entities. Admission requires an application to the FMA, which assesses the technological nature, regulatory relevance, innovative character, market readiness and potential risks of the business model.
Once admitted, participants work closely with the FMA to define the scope, duration and conditions of its testing phase. Where required, a temporary licence or registration is granted, allowing the provision of regulated services under enhanced supervision. After completion of the test, the project either transitions into regular supervision or continues in an adjusted form outside the regulatory framework.
Typical Timeframes for Authorisations
Austrian law does not specify a statutory minimum or maximum assessment period for authorisation procedures. In practice, the duration of an authorisation procedure depends on the type of licence, the complexity of the business model, and the completeness of the license application. Consequently, the FMA evaluates applications on a case‑by‑case basis. For most regulated activities, the authorisation process typically takes several months, in most cases one year. For banking licences in particular, an authorisation period of one year or longer is common.
The FMA also offers a Regulatory Sandbox to support innovative business models, see 5.1. Process. Although it does not shorten the formal authorisation process, it facilitates early supervisory engagement.
Fees for Authorisation and Certain Supervisory Activities
Fees for authorisation and certain supervisory activities are governed by the FMA Fee Regulation (Gebührenverordnung) based on the Austrian Financial Market Authority Act (Finanzmarktaufsichtsbehördengesetz). Authorisation fees payable depend on the specific licence sought and become payable when the authorisation is granted. For example, the fee for a banking license is EUR10,000, while the fee for a license as an investment firm or a payment institution is EUR8,000.
Senior individuals within authorised financial services firms are subject to direct regulatory requirements, although supervision and regulation is primarily exercised at the regulated entity level.
Fit and Proper Requirements for Members of the Management Body
In particular, senior individuals in authorised financial services firms are subject to a comprehensive “Fit and Proper” regime as defined by legal provisions and aligned with EU supervisory standards. This means that members of the management body (managing directors and supervisory board members) as well as key function holders, such as the head of AML and the head of compliance must meet “Fit and Proper” requirements at all times, which include sufficient professional qualifications, relevant experience, good reputation and adequate time commitment. These requirements are assessed by the FMA at the time of authorisation and on an ongoing basis, and material changes must be notified to the FMA.
For institutions under ECB direct supervision, the ECB performs the formal fit and proper assessment, but Austrian requirements still apply.
Personal Liability for Breaches of Regulatory Obligations and Lack of Fit and Proper Requirements
In addition, senior individuals, in particular members of the management board, can be held personally responsible for breaches of regulatory obligations. Under Austrian administrative criminal law, members of the management board are personally liable for ensuring compliance with regulatory requirements, unless the relevant law provides otherwise or responsible officers have been appointed. Even after appointing responsible officers, board members remain personally liable if they intentionally fail to prevent a violation. The respective legal entity is jointly liable for fines imposed on board members or responsible officers.
Further, if the FMA concludes that a board member lacks reliability, professional suitability, or integrity, and therefore not fully in compliance with the fit and proper requirements, it may open a supervisory procedure to address these deficiencies. The FMA can then order the respective legal entity to remove the individual from the board, prohibit the individual from performing management functions, impose coercive fines, and further escalate supervisory measures until the deficiencies are remedied.
Austria’s regulatory landscape in 2026 is defined primarily by the transposition and implementation of EU legislative acts, with the FMA and the OeNB aligning their supervisory priorities to meet the demands of an evolving European framework. Across banking, consumer finance, asset management, crypto-assets, sustainability and financial crime, Austrian institutions face a demanding compliance agenda at both national and EU level.
Banking and Prudential Regulation
The transposition of CRD VI into Austrian law, requiring amendments to the Austrian Banking Act, has been delayed by approximately three months from its planned 15 January 2026 effective date. CRD VI forms part of the EU Banking Package alongside CRR III and responds to longstanding weaknesses in the EU prudential framework, including fragmented national rules, regulatory arbitrage, inconsistent supervision of third-country branches and emerging ESG and governance risks. CRD VI introduces reforms across four core areas: market access for non-EU banks, supervisory powers and sanctions, corporate governance and ESG-driven risk management requirements.
CRR III applies directly, with key provisions in effect from 1 January 2025. Transitional arrangements apply to participations and the output floor for IRB banks. The Basel IV market risk rules – specifically the Fundamental Review of the Trading Book (FRTB) – have been postponed to 1 January 2027 to support competitiveness, with the possibility of a further delay.
On the macroprudential side, the Austrian Financial Market Stability Board (FMSG) has recommended that the FMA raises the systemic risk buffer applicable to commercial real estate exposures, setting the rate at 2% from 1 July 2026 and increasing it to 3.5% from 1 July 2027. These increases must be anchored via an amendment to the FMA’s Capital Buffer Regulation (Kapitalpuffer-Verordnung) during 2026. The recommendation reflects ongoing supervisory concern about risk concentration in the commercial real estate sector and Austria’s broader commitment to macroprudential resilience.
Consumer Credit
To transpose the revised EU Consumer Credit Directive, Directive (EU) 2023/2225, Austria has chosen not to amend its existing Consumer Credit Act but instead to adopt an entirely new regime, the Austrian Consumer Credit Act 2026 (Verbraucherkreditgesetz 2026, VKrG 2026),
National implementation was required by November 2025, and the new framework is expected to apply to all consumer credit agreements concluded from 20 November 2026.
The VKrG 2026 marks a significant modernisation of Austrian consumer lending law, with its most notable structural change being a substantial expansion of scope. The regime now captures categories of credit agreements previously excluded, most significantly:
The expanded scope is accompanied by materially enhanced pre-contractual information obligations, aiming to ensure that consumers receive clear, comprehensive, and comparable information before entering into a credit agreement.
The VKrG 2026 also introduces a tightened framework for advertising. Under this framework, marketing may no longer suggest that taking credit will improve a consumer’s financial situation, that existing debts are irrelevant to creditworthiness, or that credit will elevate a consumer’s standard of living. Further, unsolicited lending is explicitly prohibited.
Austria’s creditworthiness assessment rules are considerably strengthened. If a lender determines that creditworthiness is insufficient, it will face a strict prohibition on granting credit, which is a significant departure from current law. Where assessments involve automated processing, consumers gain explicit rights to human interaction to express their views and to request a review of the automated decision. Lenders and intermediaries are expressly prohibited from using special-category data (eg, health data) or information harvested from social networks in their assessments.
Mandatory forbearance obligations are also introduced. Where a borrower falls into payment arrears, lenders will be required to offer forbearance measures, which may include refinancing, extension of the repayment period, reduction of interest rates, or partial debt forgiveness. This represents a meaningful shift in the contractual and regulatory relationship between lender and borrower in distress scenarios.
Finally, the long-standing perpetual withdrawal right, a distinctive feature of Austrian consumer credit law, will be abolished. It will be replaced by an absolute withdrawal deadline of 12 months and 14 days. This deadline does not apply where the defect concerns the withdrawal notice itself, preserving specific consumer protections in cases of non-compliant disclosures.
The sanctions regime is also reinforced: administrative fines will now apply to all breaches of the VKrG 2026, whereas previously not all infringements were sanctionable.
Alternative Investment Funds
Austria transposes AIFMD II, Directive (EU) 2024/927, through amendments to the Alternative Investment Fund Managers Act (Alternatives Investmentfonds Manager-Gesetz), with the amendments entering into force on 15 April 2026. AIFMD II pursues four principal objectives: stronger liquidity risk management, a harmonised EU legal framework for loan originating funds, greater transparency and reporting obligations, as well as stricter requirements governing delegation arrangements.
Of particular significance is the harmonised regime AIFMD II introduces for loan origination by alternative investment funds (AIFs). The Directive provides a definition of “loan origination” that encompasses both direct lending and lending conducted through special purpose vehicles, where the AIF or its manager structures or pre-agrees the loan terms. The focus is accordingly on arrangements in which the AIF functions as the originator – directly or indirectly – or is otherwise involved in setting the terms of a loan in which it subsequently invests.
The amendments to the AIFMG formally recognise the right of AIFs to originate loans and establish common rules governing such activity. In doing so, the Austrian legislature – consistent with the European legislator’s intent – acknowledges AIF lending as a legitimate and important alternative source of financing for the real economy, particularly for SMEs that face difficulties accessing traditional bank lending. This marks a significant development in the Austrian alternative investment fund landscape.
Sustainability Reporting
Austria implemented the EU Omnibus I package, which amends the Corporate Sustainability Reporting Directive, Directive (EU) 2022/2464 (CSRD), and the Corporate Sustainability Due Diligence Directive, Directive (EU) 2024/1760 (CSDDD), through an amendment to the Austrian Sustainability Reporting Act (Nachhaltigkeitsberichtsgesetz) in February 2026. The Omnibus I package seeks to reduce the administrative burden associated with sustainability reporting requirements, particularly for smaller entities within its scope, and is expected to result in targeted revisions to the scope, timing, and granularity of reporting obligations under the CSRD framework as transposed into Austrian law.
ESG Risk Management
Austrian institutions are preparing for materially enhanced ESG risk management requirements, reflecting revised guidelines issued by the European Banking Authority (EBA). The updated guidelines apply from January 2026 to significant institutions supervised directly by the ECB and will extend to non-significant and less complex institutions from January 2027.
Under the new framework, banks are required to integrate ESG risks – encompassing physical and transition risks associated with climate change, as well as broader environmental, social and governance considerations – into their Internal Capital Adequacy Assessment Process (ICAAP), Supervisory Review and Evaluation Process (SREP), and overall risk governance frameworks. This includes the development of forward-looking scenario analysis capabilities and robust data governance practices to support ESG risk identification, measurement and monitoring. The requirements reflect a broader regulatory expectation that ESG risks be treated as financially material risks, subject to the same rigour and discipline as traditional credit, market and operational risks.
Crypto-Assets and Digital Finance
Austria’s new Crypto Reporting Act (Krypto-Meldepflichtgesetz), which entered into force on 1 January 2026, requires crypto-asset service providers (CASPs) to record and report customer transaction data to the Austrian tax authorities. The Act aligns Austria with the EU’s DAC8 framework – the eighth amendment to the Directive on Administrative Cooperation in Direct Taxation, which mandates the automatic exchange of information on crypto-asset transactions between Member States – as well as the OECD’s Crypto-Asset Reporting Framework (CARF) and MiCAR. Reporting obligations for the 2026 tax year fall due by 31 July 2027, marking a fundamental shift in the transparency and compliance obligations applicable to Austria’s crypto sector.
MiCAR implementation remains a major regulatory priority throughout 2026, as the EU-wide crypto-asset regime moves from initial application toward operational consolidation and supervisory refinement. Austria’s FMA, together with the French Autorité des marchés financiers (AMF) and Italian Commissione Nazionale per le Società e la Borsa (CONSOB), has publicly called for centralised EU-level supervision of crypto-assets, citing fragmented enforcement across Member States as a systemic concern. These reform proposals are expected to feature prominently in political and supervisory discussions at the EU level throughout the year.
Sanctions Supervision
As of 1 January 2026, Austria has completed a major structural reform of its sanctions enforcement framework. Responsibility for monitoring and enforcing national and international financial sanctions has been transferred from the OeNB to the FMA, pursuant to legislation adopted by The Austrian Parliament in 2024. This reform centralises all sanctions-related supervisory powers under a single authority, streamlining the enforcement framework and aligning Austria’s institutional architecture more closely with the model adopted by a number of other EU Member States. The transfer encompasses supervisory, investigatory and enforcement functions, and is expected to result in a more integrated and risk-focused approach to sanctions compliance oversight. At the same time, the scope of supervised entities was expanded. As of 2026, the FMA’s sanctions supervision applies to all financial market participants, covering not only credit and financial institutions, but also payment institutions, investment firms, alternative investment funds managers, insurance undertakings and CASPs.
Digital Operational Resilience (DORA)
For Austrian financial institutions, 2026 marks the transition from the initial implementation phase of DORA to active, data-driven supervision by the FMA and OeNB. Both regulators have clearly signalled that the “set-up phase” of 2025 is over: institutions must now demonstrate effective operational resilience in practice, not merely formal compliance with DORA’s requirements on paper.
From 16 February 2026, the FMA requires Austrian institutions to submit updated Registers of Information containing complete details of all ICT service providers, subcontracting chains, critical dependencies and contractual safeguards. These registers form a central pillar of DORA’s supervisory architecture, enabling regulators to map and assess concentration risk and systemic dependencies across the financial sector. Institutions that have not yet achieved a satisfactory standard of ICT risk governance, third-party oversight and incident-response capability should expect heightened supervisory scrutiny.
AML Reform and the Establishment of AMLA
Austria is actively preparing for the implementation of the EU’s new, far-reaching anti-money laundering framework, which represents the most significant reform of EU AML/CFT rules in a generation. The reform introduces a single, directly applicable AML regulation, Regulation (EU) 2024/1624, which will replace the existing patchwork of national implementing measures with a uniform EU rulebook and establish the European Anti-Money Laundering Authority (AMLA) as the central EU-level AML supervisor.
The AMLA Regulation, Regulation (EU) 2024/1620, entered into force on 1 July 2025 and formally commenced operations on the same date. From 1 January 2026, AMLA assumed responsibility for drafting all AML-related Level two regulatory technical standards – a role previously carried out by the European Banking Authority (EBA). This transition marks a decisive shift toward harmonised and centralised rulemaking, with the goal of eliminating the national divergences that have historically undermined the effectiveness of the EU’s AML framework.
AMLA has defined three strategic priorities for 2026:
Looking ahead, AMLA will assume direct supervision of selected high-risk financial institutions from 1 January 2028.
Austrian institutions – particularly those with complex group structures, significant cross-border activity, or exposure to higher-risk client segments – should begin preparing for the prospect of direct AMLA oversight and the more intensive supervisory engagement this will entail.
Dominikanerbastei 11
1010 Vienna
Austria
+43 1 3860 700
vienna.office@kinstellar.com www.kinstellar.com/locations/detail/vienna-austria