Fintech 2025 Comparisons

Fintech Market in Austria

Austria has positioned itself as one of the top jurisdictions in the EU for fintech companies, start-ups and crypto-asset service providers (CASPs) including token-based protocols and projects.

EU regulations have driven a significant shift in the fintech market, particularly through the Markets in Crypto Assets Regulation (MiCAR) and the Digital Operational Resilience Act (DORA). These regulations have increased legal certainty, enabling companies to assess the legal situation regarding crypto-assets, with an increased focus on traditional financial institutions. However, MiCAR and DORA also bring significant regulatory hurdles which need to be analysed closely. This has not held back an increasing number of international companies who are choosing to obtain MiCAR authorisation in Austria. As a result, Austria is home to one of the largest CASPs in the EU.

Implementation of MiCAR

The most significant effect comes from the practical implementation of MiCAR (as well as DORA) as companies move from assessing the legal situation and obtaining an authorisation to operational readiness. In Austria (and Europe in general) regulatory scrutiny around anti-money laundering (AML) and cybersecurity is likely to intensify. Smaller scaled business and fintech companies will need to align their business models with stricter governance, reporting and risk management standards.

Artificial Intelligence (AI)

AI is increasingly being explored in the fintech sector, particularly for automating compliance tasks and enhancing customer interactions. Adoption remains cautious, as many fintechs in Austria are currently more focused on decentralised finance (DeFi) and crypto-asset services, where regulatory attention is high. The complexity and ongoing implementation of MiCAR have led firms to prioritise legal and operational compliance over the integration of AI-driven technologies. As a result, broader adoption of AI in fintech is expected to accelerate once the regulatory framework under MiCAR is firmly established.

The fintech landscape in Austria is shaped by a mix of established players and innovative start-ups. One prominent market participant has evolved into a full-service platform, offering both crypto-asset services and traditional financial products, effectively bridging the gap between conventional finance and blockchain-based financial services. This hybrid approach reflects a growing trend among legacy players to diversify their offerings in response to customer demand and increasing regulatory clarity.

At the same time, a number of start-ups are focusing on the tokenisation of real-world assets such as gold, diamonds or other tangible goods. These tokens are often bundled into structured products, aiming to provide new investment opportunities through blockchain technology. This business model raises complex regulatory questions, particularly around the distinction between crypto-assets under MiCAR and financial instruments governed by MiFID II.

The most common fintech business models (“verticals”) include:

• services related to crypto-assets: this involves the exchange, custody and transfer of crypto-assets regulated under MiCAR in the EU;
• tokenisation: this refers to linking real-world assets (eg, real estate, securities) into digital tokens on a blockchain, enabling fractional ownership and more efficient transferability;
• open banking and payment services: this uses application programming interfaces (APIs) to enable third-party access to banking data and infrastructure, enhancing innovation in payments and account services;
• digital lending and crowdfunding: this involves platforms that facilitate loans or capital raising, bypassing traditional banks. They are regulated under EU frameworks; and
• DeFi: this involves blockchain-based financial services (eg, lending, trading) that operate without intermediaries. This area is still largely unregulated but is under increasing scrutiny because of risks and scale.

Austria’s regulatory regime for fintech industry participants is primarily regulated by MiFID II and MiCAR. MiFID II governs traditional financial instruments and the entities offering them, including investment firms, trading venues and portfolio managers. Meanwhile, MiCAR introduces a harmonised regime for crypto-asset services and issuers that fall outside the scope of existing EU financial regulation.

The key legal implication is that only one of these frameworks can apply to a specific activity (either an asset qualifies as a financial instrument under MiFID II or as a crypto-asset under MiCAR). This distinction is critical because it determines the applicable licensing regime, ongoing obligations and supervisory authority. Firms must carefully assess the legal classification of their product or service before going to market. In practice, this has made the analysis of whether an asset constitutes a financial instrument or a crypto-asset more important than ever.

On this basis, the following regulatory regimes might be applicable.

MiCAR

MiCAR specifically regulates transparency and disclosure obligations for the offering and trading of crypto-assets, authorisation requirements and ongoing supervision of CASPs. MiCAR also places a strong emphasis on consumer protection rules for the issuing, trading and custody of crypto-assets as well as rules for fighting market abuse at crypto trading venues. MiCAR therefore has three main pillars which are all derived from traditional financial regulation.

The first pillar regulates the public offering of crypto-assets. Public offering means a communication to persons in any form, and by any means, presenting sufficient information on the terms of the offer and the crypto-assets to be offered so as to enable potential holders to decide whether to purchase those crypto-assets or not. A crypto-asset white paper must be drawn up, notified to the competent supervisory authority and published before the start of the public offer. It must be publicly available for as long as persons hold the crypto-asset, ie, potentially indefinitely. If an asset referenced token (ART) is to be offered publicly, the white paper must also be approved by a supervisory authority.

The second pillar regulates crypto-asset services. MiCAR distinguishes between two groups of CASPs:

• companies that acquire a licence under MiCAR; and
• companies that already hold a licence to provide traditional financial services, such as credit institutions.

CASPs must have their registered office in an EU member state where they conduct at least part of their service business. They must also have their place of effective management in the EU and at least one of the managers must be an EU resident. All CASPs are subject to general obligations, ie, to act honestly, fairly and professionally in the best interest of the customer. In addition, specific special provisions apply to CASPs depending on the specific crypto-asset service that is being provided. For example, in the case of custody of crypto-assets, CASPs must maintain a register for their clients, in which ownership positions and rights of clients are recorded.

The third pillar is the market abuse regime specific to crypto-assets and CASPs. These rules cover: the requirement to publicly disclose insider information; the prohibition of insider trading; the prohibition of unlawful disclosure of insider information; and the prohibition of market manipulation and detection of market abuse.

Tokenisation

The regulatory regime applicable to issuers offering tokenised assets depends on the classification of the underlying asset. If the asset is a share in a company that it is a security token then the traditional financial regulatory regime applies. If gold, cars or other real estate are being tokenised, the crypto-asset may either be classified as a so-called ART or a “standard” crypto-asset. As a result, either MiCAR or MIFID II apply.

DLT Pilot Regime

The DLT Pilot Regime (Regulation (EU) 2022/858), allows for temporary exemptions from specific MiFID II and CSDR rules to test trading and settlement of tokenised financial instruments on distributed ledger technology (DLT). The DLT Pilot Regime is therefore only applicable to business models involving tokenised financial instruments. Participants must be authorised and apply for specific permission from the Financial Market Authority (FMA), which co-ordinates with the European Securities and Markets Authority (ESMA).

Digital Lending and Crowdfunding

Digital lending is regulated under Austrian national law (eg, the GewO for lending licences or as part of banking services under the BWG), depending on the structure. Crowdfunding is regulated at the EU level by the EU Crowdfunding Regulation (ECSPR). Platforms must be authorised as European Crowdfunding Service Providers (ECSPs) and will be supervised in Austria by the FMA. The AIFMD or national securities laws may also apply, depending on the product structure.

DeFi Platforms

DeFi is not explicitly regulated in Austria or the EU. However, where DeFi platforms facilitate regulated activities, such as trading financial instruments or custody, they may fall under MiFID II, MiCAR or anti-money laundering (AML) obligations, depending on the degree of decentralisation and control. The FMA and ESMA emphasise a “substance over form” approach, meaning regulatory obligations may still apply even if no clear legal entity is involved. Regulatory gaps remain due to the cross-border, anonymous nature of DeFi.

Misclassification can result in non-compliance with licensing and conduct rules, especially given that national supervisory authorities like the FMA are closely aligned with EU-wide enforcement trends.

Industry participants in Austria may use various compensation models (direct fees, commissions, spreads or bundled pricing) depending on their regulatory status.

Under MiFID II, firms must ensure all costs are transparent, fair and are disclosed in advance. This includes providing a clear cost and charges disclosure, especially for investment services. Inducements (eg, third-party commissions) are only allowed if they enhance service quality and are fully disclosed.

Under PSD II and the Austrian Payment Act, payment service providers must clearly disclose all fees before contract conclusion and provide easy access to pricing information.

For crypto-asset services under MiCAR, CASPs must inform clients about fees, charges and how prices are determined, ensuring transparency and avoiding misleading pricing structures.

The regulatory framework for fintechs has increasingly converged with that for traditional financial institutions. MiCAR introduces a harmonised regime for crypto-asset services, imposing licensing, organisational and conduct requirements that mirror many of the obligations already applicable to banks and investment firms under traditional regulatory frameworks, such as MiFID II and CRD/CRR.

While fintechs operating under MiCAR are now subject to prudential regulation, disclosure obligations and investor protection requirements, they are not permitted to engage in banking services, such as accepting deposits or offering payment accounts, unless they are licensed under the Austrian Banking Act. In contrast, banks benefit from specific exemptions under MiCAR and are permitted to issue ARTs without needing to obtain a separate MiCAR authorisation.

Austria also promotes innovation through its Regulatory Sandbox, which was launched by the FMA in 2020. The Regulatory Sandbox offers fintechs the opportunity to test innovative business models in a controlled environment, often with a simplified supervisory approach. The Regulatory Sandbox is not available to legacy players.

In addition, particular fintech business models may fall outside the scope of MiCAR, especially where crypto-assets qualify as financial instruments under MiFID II (eg, security tokens) or where services do not involve custody, exchange or transfer of crypto-assets. In these cases, fintechs may be subject to different regulatory requirements, depending on the specific business model.

Austria has a Regulatory Sandbox which is managed by the FMA. It is aimed at supporting fintech innovation in a controlled environment. The Regulatory Sandbox is designed to allow firms to test innovative business models that fall under financial market regulation but may involve legal or technical uncertainties.

The Regulatory Sandbox operates through four phases.

• Applying for the Regulatory Sandbox: applicants submit an application to the FMA. Eligibility criteria include the use of ICT, readiness for market testing and alignment with the public interest. An expert committee, the Regulatory Sandbox Advisory Board, provides an opinion on the application’s suitability.
• Support: once admitted, the FMA establishes a dedicated supervisory team to work closely with the participant. This phase involves defining test parameters, milestones and any licensing requirements necessary for the test phase.
• Test phase: the participant conducts licensed activities within the agreed parameters under FMA supervision.
• Final report and exit: after testing, the FMA evaluates the results. The business model then either transitions to regular supervision with a full licence or exits the Regulatory Sandbox if the participant decides not to pursue further regulatory approval.

Participation in the Regulatory Sandbox is limited to a maximum of two years. While there are no fees for admission, standard charges apply for administrative decisions of the FMA, such as granting a licence. The Regulatory Sandbox does not offer regulatory exemptions, as all legal requirements must be met.

The FMA acts as the central regulatory authority for companies situated in Austria. It oversees licensing, supervision and enforcement for banks, investment firms, payment institutions and CASPs. Its jurisdiction extends to both prudential and conduct supervision. This includes the enforcement of AML requirements. The FMA therefore functions as a one-stop authority for most fintech business models operating within the Austrian financial market.

Companies providing services in Austria without having obtained the necessary licence or authorisation also fall under the jurisdiction of the FMA. Industry participants situated in another EU member state fall under the jurisdiction of their home member state.

While the FMA does not formally issue “no-action” letters in the same way as US regulators such as the SEC do, Austrian law provides for a functionally equivalent instrument: the Auskunftsbescheid under Section 23 of the Financial Market Authority Act (FMABG).

According to Section 23 of the FMABG, any party can request an official and legally binding confirmation from the FMA regarding the applicability or interpretation of specific provisions of financial market law in relation to a particular set of facts. The FMA will then issue an administrative decision (Auskunftsbescheid) stating whether the activity described falls within the scope of financial market regulation and whether it requires a licence or triggers other legal obligations. This binding legal assessment provides legal certainty to the applicant and while not labelled a “no-action” letter, it fulfils a similar function: it allows market participants to proceed with a proposed activity with assurance that the FMA will not take enforcement action based on the facts submitted. In practice, the Auskunftsbescheid can be seen as the Austrian equivalent of a “no-action” letter.

In addition, companies can engage in informal consultations with the FMA or submit inquiries to clarify the regulatory classification of their activities. These inquiries are not a substitute for formal decisions of the FMA or licensing procedures but provide specific legal certainty to fintech companies (and are usually issued much faster than the Auskunftsbescheid).

Under traditional supervisory law, strict requirements apply when outsourcing regulated functions. The outsourcing entity remains fully responsible for the proper performance of the outsourced activities and must ensure that the outsourced function meets the same regulatory standards as if it were performed internally.

Outsourcing agreements must explicitly reflect regulatory obligations, which have been outlined in guidelines by the European Banking Authority (EBA). These guidelines apply to credit institutions and CASPs who must also adhere to its principles. Agreement must contain at least the following:

• a clear description of the outsourced services;
• oversight, control and audit rights,
• the conditions for sub-outsourcing;
• termination clauses; and
• reversibility of the outsourcing.

Outsourcing of regulated services is only permitted to vendors who are authorised themselves. For example, a third party entrusted with the custody of crypto-assets must hold a valid CASP licence. It is not just preferable but mandatory, as regulated (ie, authorised) status is a precondition when outsourcing any regulated services.

The Digital Markets Act (DMA) defines gatekeepers as large digital platforms that control access to core platform services, such as online search engines, social networks, app stores or messaging services. These companies occupy a central position between businesses and end users, giving them the power to set the rules for access and competition.

To prevent unfair practices and ensure a level playing field, the DMA imposes specific obligations and prohibitions on gatekeepers. These include:

• prohibiting self-preferencing (eg, ranking own services higher);
• ensuring interoperability with third-party services; and
• allowing users to uninstall preinstalled apps or change defaults.

Gatekeepers are designated by the European Commission based on quantitative thresholds (eg, annual turnover, number of users) and qualitative criteria. Once designated, they must comply with the rules under the DMA or face significant fines and enforcement actions.

CASPs under MiCAR act as gatekeepers and bear regulatory responsibility for activities conducted on their website or through their platform. Among other things, only authorised crypto-asset services are provided. Where services are provided which licences are not necessary for, those services must have been described to the FMA during the licensing procedure. White papers are published for each crypto-asset (if applicable) and anti-market abuse measures are implemented.

The FMA actively monitors the financial market to identify and pursue instances of unauthorised business activities. In these cases, the FMA is authorised to take enforcement action.

These measures may include:

• the issuance of cease and desist orders;
• administrative penalties;
• the publication of warnings to the public; and
• where appropriate, the referral of matters to the competent criminal authorities.

To support these efforts, the FMA maintains a public warning list and encourages the reporting of suspicious or potentially unauthorised financial services.

Fintech firms, including robo-advisers and crypto service providers, must not only comply with financial regulation but also with a range of non-financial rules, particularly in the areas of data protection (eg, General Data Protection Regulation (GDPR), cybersecurity (eg, DORA, NIS2), marketing and software development. These regulations impose strict requirements on data use, IT security, algorithm governance and advertising practices.

Unlike legacy financial institutions, fintechs often face greater compliance challenges because of their reliance on automated processes, development of complex software and digital marketing strategies. While legacy players benefit from established compliance frameworks, fintechs must integrate these regulatory requirements into their innovative business models from the outset.

Industry participants are reviewed by external auditors, legal and compliance advisors, IT security firms and industry associations. Statutory audits and specific regulatory reviews are required for licensed firms.

Larger or legacy players also conduct regular internal and IT audits, while smaller fintechs often rely on external consultants. Industry bodies contribute by promoting best practices and voluntary codes, although these are not legally binding.

Some fintech companies, in the crypto-assets field in particular, offer unregulated products such as staking or DeFi-related services alongside regulated services like custody or exchange of crypto-assets. These are often provided through the same legal entity and on the same website (or via affiliated companies), depending on the structure.

The FMA also monitors the unregulated business of a licensed entity. For example, in the authorisation procedure of CASPs, the applicant also has to provide detailed information on any unregulated business that might be conducted.

AML and sanctions rules significantly affect both regulated and unregulated fintechs. EU-harmonised AML rules apply to all regulated entities, including CASPs under MiCAR. While the core obligations are similar, legacy players often have more established compliance infrastructures.

Unregulated fintechs may still be subject to basic AML obligations under the Austrian Trade Act. Overall, AML compliance is a key supervisory focus, with increasing scrutiny across all sectors.

Austria’s AML and sanctions rules closely follow the Financial Action Task Force (FATF) standards, which are either implemented on an EU level or directly via national laws, such as the Austrian Financial Market Anti-Money Laundering Act.

Austrian law allows for the provision of regulated products or services from another jurisdiction under a reverse solicitation scenario without triggering local licensing requirements, provided the client initiates the contact and the firm does not actively market or solicit in Austria.

The reverse solicitation exemption for CASPs states that if an EU client independently and exclusively initiates the request for a crypto-asset service or activity from a third country firm, the requirement for that firm to obtain a MiCAR licence does not apply to providing the service or activity to that client. In other words, this exemption permits third country firms to offer crypto-asset services to EU clients who approach them entirely on their own initiative, without needing a MiCAR licence.

Different asset classes require different business models because of their distinct characteristics and regulatory treatment.

• Security tokens: these are classified as financial instruments under MiFID II. Their inclusion in a robo-adviser’s service must comply with the full suite of MiFID II requirements, including suitability assessments, best execution and appropriateness tests. ESMA has published guidelines on robo-advice, specifying particular aspects of suitability requirements of MiFID II including robo-advice. To ensure clients fully understand robo-advisory services, firms should clearly inform them about the level of human involvement and how to request human interaction. Clients should also be made aware that their responses directly influence the suitability of the investment recommendations. In addition, firms must explain what sources of information are used to generate advice. For example, whether the service relies solely on an online questionnaire or also accesses other client data.
• Crypto-assets: these fall outside the scope of MiFID II but are captured under MiCAR. Business models offering robo-advice on crypto-assets must therefore comply with MiCAR’s requirements. While MiCAR establishes suitability obligations similar (but not identical) to those under MiFID II, robo-advisers need to adapt their systems to account for the higher risk profile and speculative nature of crypto-assets. In addition, MiCAR includes specific rules that differ from those in MiFID II, which robo-advisers must carefully consider and implement.

Legacy financial institutions are increasingly adopting robo-advisory technologies, often through hybrid models that combine digital advice with human oversight. Key developments include the following.

• Modular deployment: established players often integrate specific elements of robo-advice such as automated portfolio balances, digital onboarding or suitability assessments into existing discretionary portfolio management structures, rather than overhauling their entire business model.
• Compliance automation: to meet MiFID II and MiCAR requirements more efficiently, legacy firms are leveraging robo-adviser infrastructure to automate parts of the suitability and product governance processes. This includes the use of algorithms for assessing client preferences, including ESG considerations.
• Partnerships: rather than building in-house, many legacy players acquire or partner with fintechs to speed up implementation and reduce time-to-market, while ensuring alignment with regulatory requirements.

Best execution of customer trades remains a critical issue, particularly as robo-advisers handle a growing volume of client orders across traditional and digital assets. Several challenges and considerations emerge. These are as follows.

• Execution quality monitoring: under MiFID II, firms must take all sufficient steps to obtain the best possible result for clients, considering price, costs, speed and likelihood of execution. Robo-advisers must embed these considerations into their algorithms and demonstrate ongoing monitoring, especially for less liquid assets like specific tokens.
• Crypto-asset execution: for crypto-assets, best execution is more complex due to fragmented markets, limited reliable price discovery and high volatility. Robo-advisers must define clear execution policies, including when and how they source prices from multiple execution venues, especially if some assets are only traded on unregulated exchanges. These policies must be disclosed to customers.
• Automated routing and conflicts of interest: algorithms may default to specific execution venues or counterparties for efficiency or cost reasons, which may introduce conflicts of interest. Firms must identify and manage these in line with the applicable regulatory obligations.

There are significant regulatory differences between loans to individuals and loans to small businesses or other entities. Loans to individuals are primarily governed by consumer protection laws such as the Austrian Consumer Credit Act. The Mortgage and Real Estate Credit Act governs mortgage or real estate-related loans. These laws impose strict requirements on transparency, interest rate caps, creditworthiness assessments and the right of withdrawal.

Loans to small businesses and other non-consumer borrowers are generally treated as commercial loans and are subject to less regulation (in particular the requirements set out for consumers do not apply, allowing more contractual flexibility). Depending on the lender’s size and portfolio, regulations on large credit exposures under the Banking Act may apply, imposing concentration limits and additional risk management requirements.

In summary, consumer loans face tighter supervision and stronger safeguards than commercial loans.

Underwriting processes in the industry vary but generally include creditworthiness assessments, risk scoring, verification of borrower information and affordability checks. For consumer loans, these processes are heavily shaped by consumer protection laws which mandate thorough credit assessments and responsible lending.

For commercial loans, underwriting is less prescriptive, giving lenders more discretion to design risk models and due diligence processes based on their internal policies and risk management. However, prudential regulations and internal risk management standards, especially for larger institutions also influence underwriting practices.

The Austrian Central Bank (OeNB) has issued guidelines on credit approval processes and credit risk management. These guidelines aim to assist financial institutions in designing and implementing robust credit approval systems and may also influence the underwriting process.

Fintech lenders obtain fiat funding for loans through various methods. Each method has its own legal and regulatory implications.

Peer-to-peer lending involves directly matching borrowers with investors through a digital platform. This model typically requires licensing and may fall under securities laws if the investment instruments offered to lenders qualify as securities. Platforms must also comply with consumer protection, AML/KYC and data privacy regulations. In addition, depending on the structure, peer-to-peer lending may qualify as credit brokerage under the Austrian Banking Act, which could trigger additional regulatory requirements.

Lender-raised capital refers to funds raised through equity or debt by the fintech itself. While lending by itself may not require a licence, raising capital can trigger securities law requirements, disclosure obligations and potentially regulatory oversight around leverage or fund use, eg, raising capital via a subordinated loan by numerous private lenders qualifies as an investment (Veranlagung) under Austrian law and might require publication of a prospectus or so-called information sheet depending on the amount of money raised.

Taking deposits as traditional banks do requires a banking licence. This route brings the strictest oversight, including capital adequacy, liquidity requirements and mandatory participation in deposit insurance schemes. It also subjects the company to intensive conduct and prudential supervision.

Securitisation involves bundling and selling loans to investors as asset-backed securities. This method engages securities laws, requiring transparency, risk retention and often the use of separate legal entities to ensure legal separation of assets. Regulatory focus here is on investor protection.

Syndication of fiat currency loans does take place in online lending, especially for larger loans or institutional lending platforms. Syndication may occur at origination (multiple lenders commit upfront) or post-origination (the loan is partially transferred or “participated” out to others).

When several credit institutions agree to jointly extend a loan, it is referred to as a syndicated loan. The formation of the credit syndicate and the mutual rights and obligations of the participants are primarily shaped by contractual practice. Under Austrian civil law, a syndicated loan arrangement is typically classified as a civil law partnership (Gesellschaft bürgerlichen Rechts). This legal structure governs the internal relationship between the syndicate members, including rights, obligations and liability, unless otherwise contractually modified.

If the platform facilitates syndicated lending, it may be considered credit intermediation or credit brokerage under the Austrian Banking Act and therefore require authorisation. Under the Austrian Banking Act, syndicated loans are also subject to special balance sheet rules. These rules determine how these exposures are reported and risk-weighted on the books of the participating institutions.

Under Austrian law, payment processors may use existing payment rails or implement new ones. However, both approaches are subject to regulation under the Austrian Payment Services Act (ZaDiG 2018), which implements the EU’s PSD II.

Most processors operate on established systems like the SEPA or card networks. When doing so, they must be licensed as:

• payment institutions; or
• electronic money institutions, depending on the services provided.

Austrian law also permits the development of new or proprietary payment systems, such as digital wallets or application programming interface (API) based transfer platforms. However, the creation of these systems still requires compliance with PSD II. If the processor holds customer funds or executes payment transactions on behalf of users, it must be licensed accordingly and ensure full compliance with rules on data protection, consumer rights and technical security.

Cross-border payments and remittances in Austria are regulated under the Austrian Payment Services Act, which aligns with the PSD II. Under the Financial Markets Anti-Money Laundering Act, payment service providers must implement customer due diligence (KYC), monitor transactions and report suspicious activities to the Austrian Financial Intelligence Unit.

The Transfer of Funds Regulation extends these obligations to crypto-asset transfers. Since 30 December 2024, crypto-asset transfers must include information on both the originator and the beneficiary, aligning with the rules already in place for fiat transactions. However, this requirement does not apply to peer-to-peer transfers or those involving unhosted wallets.

Regulated markets are traditional exchanges where financial instruments such as shares and bonds are traded. In Austria, they are governed by MiFID II and the Austrian Securities Supervisory Act. They are supervised by the FMA. Operators must be licensed and comply with strict rules on transparency, disclosure and investor protection. These platforms ensure pre and post-trade transparency, apply formal listing standards and maintain robust market oversight.

Multilateral Trading Facilities (MTFs)

MTFs are electronic platforms that match multiple third-party buy and sell orders in financial instruments. They operate similarly to exchanges but have more flexibility. MTFs are regulated under MiFID II and the Securities Supervisory Act and must be operated by licensed investment firms or market operators. They are subject to rules on fair and orderly trading, best execution and transparency, although generally with lighter listing requirements than regulated markets.

Organised Trading Facilities (OTFs)

OTFs are a similar platform to MTFs and are used for trading non-equity instruments like bonds and derivatives. Unlike MTFs, OTF operators may exercise limited discretion in order execution but cannot trade on their own account. OTFs are also regulated under MiFID II and the Securities Supervisory Act and may only be operated by licensed investment firms.

Crypto-Asset Trading Platforms

Crypto-asset trading platforms currently fall outside the scope of MiFID II unless the assets qualify as financial instruments. In Austria, they were regulated primarily under the Anti-Money Laundering Act and must register with the FMA. However, from now on, under MiCAR operating a crypto-asset trading platform qualifies as a crypto-asset service and authorisation from the FMA is required. Platforms need to meet CRR capital requirements and comply with rules on transparency, governance and consumer protection.

Crowdfunding Platforms

Crowdfunding platforms that facilitate public offerings of securities or loans are regulated under the EU Crowdfunding Regulation (ECSPR). They must be licensed as European Crowdfunding Service Providers (ECSPs) and are subject to oversight by the FMA. These platforms must comply with investor protection rules, disclosure obligations and fundraising limits (currently up to EUR5 million per project annually) and benefit from EU-wide passporting.

Different asset classes have different regulatory regimes.

Security tokens are qualified as financial instruments, such as shares or bonds. In Austria, they fall under the Securities Supervisory Act. They are subject to full capital markets regulation, including licensing, prospectus requirements and investor protection rules. Trading may only occur on regulated markets or authorised trading venues like MTFs or OTFs.

Crypto-assets that are not classified as financial instruments are regulated under MiCAR, which is now in force across the EU. MiCAR defines a crypto-asset as a digital representation of a value or of a right that is able to be transferred and stored electronically using DLT or similar technology. MiCAR establishes a uniform framework for issuing, offering and trading crypto-assets and applies to issuers and service providers offering custody, exchange and transfer services. These entities must be authorised and meet requirements related to governance, capital, conduct and consumer protection.

MiCAR distinguishes between three specific types of crypto-assets.

• ARTs: tokens linked to a basket of assets (eg, currencies, commodities). They face strict rules due to potential systemic impact.
• E-money tokens (EMTs): tokens pegged to a single fiat currency, functioning like digital money. They are subject to requirements similar to e-money institutions.
• Utility tokens: tokens granting access to a digital product or service. Issuers must publish a white paper and comply with marketing and conduct rules. However, they are otherwise subject to lighter regulation than ARTs and EMTs.

The emergence of both centralised and decentralised cryptocurrency exchanges has prompted significant regulatory developments in Austria and the EU.

Centralised exchanges are now fully regulated under MiCAR. This means they have to obtain authorisation as CASPs. They must comply with rules on governance, capital, custody, AML/CFT and consumer protection.

Decentralised exchanges (DEXs) present regulatory challenges due to the absence of a clear operator. MiCAR does not explicitly regulate DEXs, but if a party is identifiable and exercises control (eg, via front-end interfaces), it may fall under CASP obligations. Regulators may apply existing AML laws or interpret MiCAR provisions broadly to cover these cases. The EU has not established a clear regulatory position on DeFi.

Regulated Markets

Securities listed on regulated markets must meet strict requirements under the EU Prospectus Regulation. Issuers must submit an FMA-approved prospectus that is complete and clear. Ongoing obligations under the Market Abuse Regulation (MAR) and Transparency Directive apply, including disclosure of insider information and financial reports.

MTFs and OTFs

These platforms allow more flexible listing but still require compliance with MAR, particularly for market transparency and disclosure of insider information.

Crypto-Assets Under MiCAR

Under MiCAR, issuers of crypto-assets (excluding ARTs and EMTs) must submit a white paper to the FMA at least 20 days before publication. While not approved by the FMA, the white paper must be fair, clear and not misleading.

Industry Practice

In addition to legal requirements, platforms often apply internal standards such as legal classification, KYC checks, technical audits and business viability assessments to reduce risk and maintain credibility.

Order handling rules apply under MiFID II. Investment firms must handle client orders promptly, fairly and in the client’s best interest. This includes rules on order execution, aggregation, allocation and record-keeping. Firms must also have clear internal policies to ensure transparency and prevent conflicts of interest.

CASPs operating trading platforms for crypto-assets must, as part of their general conduct obligations, ensure fair and orderly trading, avoid conflicts of interest and act honestly and professionally. Unlike MiFID II, MiCAR does not impose order handling rules.

The rise of peer-to-peer trading platforms is a challenge for both traditional and fintech players. This is because they bypass intermediaries, reduce costs and increase user control. For traditional firms, it pressures margins and disrupts established business models. Fintechs must adapt by integrating peer-to-peer features as well as complying with increasing regulatory challenges.

Regulatory challenges include identifying responsible parties, ensuring AML/KYC compliance, safeguarding users and applying existing financial rules to decentralised or disintermediated models, especially where no clear operator exists.

As of 28 March 2024, the EU has implemented a general ban on payment for order flow (PFOF) through Article 39a of the Markets in Financial Instruments Regulation (MiFIR). This prohibition applies to investment firms acting on behalf of retail clients and opt-in professional clients. It prevents them from receiving any fee, commission or non-monetary benefit from third parties for executing or forwarding client orders to a particular execution venue.

Member states where PFOF practices existed before the ban may grant a transitional exemption, allowing these practices to continue domestically until 30 June 2026, provided they notify ESMA by 29 September 2024.

Trading in Austria and the EU is governed by key principles under MAR and MiFIR. The regulatory framework is aimed at ensuring market integrity and investor protection.

MAR prohibits insider trading, market manipulation and unlawful disclosure of inside information. It also sets rules on disclosure, insider lists and suspicious transaction reporting.

MiFIR supports integrity through transparency rules requiring pre and post-trade disclosure and transaction reporting to regulators for market surveillance.

For financial instruments, high frequency and algorithmic trading are regulated under MiFID II, which mandates that investment firms engaging in algorithmic trading:

• implement effective systems and risk controls to ensure their trading systems are resilient, have sufficient capacity and prevent the sending of erroneous orders or any activity that may create or contribute to a disorderly market;
• notify their home national competent authority (NCA) and the NCA of each trading venue where they engage in algorithmic trading;
• maintain records of their trading algorithms and provide information to NCAs upon request; and
• ensure their systems cannot be used for any purpose that is contrary to MAR or the rules of a trading venue.

For crypto-assets, MiCAR does not explicitly regulate algorithmic or high frequency trading. However, CASPs operating trading platforms must ensure fair and orderly trading and act honestly and professionally.

Operating in a principal capacity means a firm trading using its own capital and taking positions for its own account rather than acting as an agent for clients. In Austria and the EU, firms engaging in this activity must be authorised as investment firms under the Securities Supervisory Act and MiFID II.

Under MiFID II, a firm operating in a principal capacity, ie, trading on its own account using its own capital must obtain authorisation for the investment service of “dealing on own account” (MiFID II, Annex I, Section A, point 3).

If the firm engages in market making, providing continuous liquidity by quoting buy and sell prices, it must also obtain authorisation for this activity and notify the relevant trading venue and the FMA in Austria. This includes meeting additional obligations such as maintaining quote presence and ensuring orderly market conduct.

In some cases, depending on the firm’s broader operations, it may also need authorisation for other services like “execution of orders on behalf of clients” or “operation of an MTF/OTF.”

Regulations in Austria do not make a distinction between investment funds and dealers engaging in trading activities.

Dealers (eg, broker-dealers or market makers) are typically authorised as MiFID II investment firms, trading on their own account or executing client orders. They are subject to conduct, capital and organisational requirements.

Investment funds (eg, UCITS or AIFs), by contrast, are not licensed under MiFID II but regulated under fund-specific regimes (UCITS Directive, AIFMD). Their trading is part of portfolio management and they cannot provide MiFID services unless through a separately licensed manager.

Programmers are not directly regulated for writing trading algorithms. However, if they work for an investment firm, their code (the activity of the investment firm) must comply with regulatory standards. If they use the algorithm themselves for trading, they may require authorisation.

While insurtech companies in Austria leverage advanced technologies for automated underwriting and risk assessment, these processes are not explicitly dictated by regulation. They must comply with the overarching legal framework governing insurance operations, which includes the:

• Insurance Supervision Act 2016. This establishes the regulatory framework for insurance companies, including licensing requirements and operational standards;
• Insurance Contract Act. This governs the contractual relationships between insurers and policyholders, outlining obligations and rights;
• GDPR. This ensures the protection of personal data, which is particularly relevant when insurtech companies process customer information for underwriting purposes; and
• Insurance Distribution Directive (IDD). This sets out standards for the distribution of insurance products, ensuring that customers receive appropriate advice and information.

Different types of insurance, such as life, annuities, property and casualty are treated differently by both industry participants and regulators because of their distinct risk profiles, product structures and legal obligations.

Life and annuity insurers face stricter capital, disclosure and consumer protection rules because of the long-term nature and savings element of their products.

Meanwhile, property insurers are regulated in terms of solvency and pricing but have more flexibility in product design.

Regulatory frameworks like Solvency II, VAG 2016 and the IDD apply across all types of insurance but with different provisions depending on the line of business.

Regtech providers are not directly regulated merely for offering technological solutions. However, they may become subject to regulation depending on their activities.

• If they perform regulated functions. For example, if a regtech company conducts customer due diligence (eg, KYC checks) on behalf of a financial institution, they may need to register or obtain authorisation.
• If they handle sensitive data. Providers must comply with data protection laws like GDPR, ensuring the secure processing and storing of personal data.
• If they offer services that fall under financial regulations. If a regtech solution crosses into areas that are considered financial services, the provider might be required to obtain appropriate licences or authorisations.

Financial services firms typically require technology providers to agree to strict contractual terms covering performance, accuracy, compliance and risk. These include:

• service level agreements;
• warranties;
• audit rights;
• liability clauses; and
• data protection obligations.

While many of these terms reflect industry custom and risk management standards, specific provisions, particularly those related to outsourcing, data protection and regulatory compliance, are mandated by regulations such as MiFID II, PSD II and GDPR.

Traditional financial institutions, including banks, are cautiously exploring blockchain integration within the financial services sector. Under MiCAR, banks are recognised as traditional players and are permitted to issue ARTs and EMTs, provided they obtain the necessary authorisations.

Despite this regulatory clarity, many banks remain hesitant to fully embrace crypto-assets because of concerns over volatility and the need for further regulatory guidance. The FMA has noted that institutional investors are awaiting more comprehensive regulatory frameworks before making significant investments in this area.

Erste Group Bank collaborated with ASFINAG to execute Europe’s first fully digital issuance of a debt financing instrument using a blockchain platform. This EUR20 million “Schuldscheindarlehen” was issued entirely through a permissioned blockchain, streamlining the process and reducing operational risks.

These developments indicate a growing interest among traditional financial institutions to integrate blockchain solutions to modernise operations.

The FMA has engaged in regulating blockchain and crypto-assets through the implementation of MiCAR. To facilitate compliance, the FMA has published detailed information on its website for CASP applicants, outlining the authorisation process and requirements. This includes information on the necessary documentation, timeframes and procedures to obtain the required licences under MiCAR.

The FMA has also issued an information document to assist applicants in preparing their submissions, providing clarity on the expectations and standards to be met. These initiatives demonstrate the FMA’s commitment to establishing a clear regulatory framework for blockchain and crypto-asset activities in Austria.

The FMA takes a proactive stance towards blockchain and crypto-asset regulation.

Blockchain-based assets are generally considered financial instruments in Austria. Under MiCAR, crypto-assets are classified into distinct categories. Each are subject to specific regulatory regimes.

• Financial instruments: tokens that qualify as financial instruments, such as security tokens representing shares or bonds, are governed by MiFID II and are excluded from MiCAR’s scope. Determining whether a token is a financial instrument depends on its rights and characteristics. ESMA has developed guidelines to clarify this classification.
• ARTs: these tokens aim to maintain a stable value by referencing multiple assets, including currencies, commodities or other crypto-assets. Issuers of ARTs must obtain authorisation, meet capital requirements and adhere to governance and disclosure obligations under MiCAR.
• EMTs: these reference a single official currency and are intended for payment purposes. They are subject to stringent requirements similar to those under the Electronic Money Directive, including authorisation, capital adequacy and redemption rights.
• Other crypto-assets: this category includes tokens that do not fall within the previous classifications. Issuers must publish a white paper detailing the token’s features and risks but are not subject to authorisation requirements.
• NFTs: these are unique and are generally excluded from MiCAR. However, if NFTs are issued in large series or are fungible in practice, they may fall within MiCAR’s scope.

In summary, the regulatory treatment of blockchain assets in Austria depends on their classification under MiCAR and MiFID II, with specific obligations tailored to each category.

Issuers of crypto-assets are subject to specific regulatory requirements, particularly concerning the initial offering of these assets.

Issuers of crypto-assets must be legal entities and have to draft, notify and publish a comprehensive white paper before making a public offer or seeking admission to trade. This white paper must include: detailed information about the issuer; the characteristics of the crypto-asset; the rights and obligations attached to it; the underlying technology; and associated risks. The white paper must be submitted to the competent supervisory authority and be made publicly available for as long as the crypto-asset is held by investors.

Issuers of ARTs and EMTs face more stringent requirements. They must obtain authorisation from their national competent authority and their white papers require formal approval before the tokens can be offered to the public or admitted to trading. These white papers must also detail the: stabilisation mechanisms; reserve assets; custody arrangements; and redemption rights associated with the tokens.

Specific exemptions to the white paper requirement exist, such as: offerings to fewer than 150 persons per member state; offerings not exceeding EUR1 million over 12 months; or distributions of crypto-assets for free (eg, airdrops). However, these exemptions do not apply to ARTs and EMTs, which are always subject to the full set of requirements.

Under MiCAR, blockchain asset trading platforms must obtain authorisation as CASPs from the national competent authority (eg, the FMA in Austria). They have to ensure fair, orderly and transparent trading, implement effective AML/KYC measures and take steps to prevent market abuse.

The specific licensing requirement depends on the platform’s business model. A CASP must obtain authorisation for one or more services, such as: the operation of a trading platform; the exchange of crypto-assets for funds or other crypto-assets; the execution of orders on behalf of clients; or the reception and transmission of orders.

In particular, the classification depends on whether:

• the CASP is acting as a principal counterparty;
• is matching client buy and sell orders; or
• is merely executing client orders without intermediation.

Secondary market trading, whether via intermediaries or peer-to-peer, is also covered under MiCAR. CASPs facilitating this trading must comply with conduct, governance and operational requirements. While peer-to-peer trading without an intermediary may fall outside the scope of full MiCAR, it remains subject to general legal standards, especially for fraud, AML and consumer protection.

Staking is not directly regulated as a standalone service under MiCAR. However, if staking involves a provider holding clients’ crypto-assets or private keys to perform staking operations, it may fall under the regulated activity of custody and administration of crypto-assets. In these cases, the service provider must be authorised as a CASP under MiCAR.

These staking services are considered ancillary to custody services and are subject to the same regulatory obligations. This includes requirements to segregate client assets, minimise the risk of loss and assume liability for any loss attributable to the provider.

According to ESMA, when staking is offered alongside other crypto-asset services, the provider must obtain explicit client consent. This is because staking may affect clients’ access to their assets.

Under MiCAR, the provision of crypto lending services is not explicitly regulated. Recital 94 of MiCAR states that it does not address the lending and borrowing of crypto-assets, including EMTs and therefore does not prejudice the applicable national law.

However, the European authorities (in particular EBA and ESMA) assess the feasibility and necessity of regulating the lending and borrowing of crypto-assets. This assessment is to be based on a report analysing recent developments in crypto-assets, including crypto lending and borrowing.

EBA and ESMA have identified several risks associated with crypto lending and borrowing, such as excessive leverage, information asymmetries, exposure to money laundering and terrorist financing (ML/TF) risks and systemic risks arising from re-hypothecation and collateral chains. These findings suggest that while crypto lending is not currently regulated under MiCAR, future regulatory measures may be considered to address these risks.

In the absence of specific EU-level regulation, the provision of crypto lending services may fall under national laws and regulations, which can vary between member states.

The offering of cryptocurrency derivatives is regulated in the EU. Unlike crypto-assets under MiCAR, derivatives fall under MiFID II and MiFIR because they are classified as financial instruments.

This means that offering, trading or brokering crypto derivatives (eg, futures, options on Bitcoin) requires authorisation as a MiFID investment firm, with full compliance obligations (licensing, conduct of business rules, investor protection and market transparency).

In contrast, ARTs under MiCAR are not considered financial instruments unless they fall within the MiFID II definition. Therefore, while MiCAR governs the issuance and trading of crypto-assets, crypto derivatives are excluded from MiCAR and are regulated under traditional EU financial markets law.

DeFi is not yet regulated under EU law. However, activities facilitated by DeFi protocols may fall within existing regulatory frameworks.

According to a joint report by EBA and ESMA, DeFi remains a niche phenomenon, representing a small fraction of the global crypto-asset market. Nonetheless, the report highlights significant risks associated with DeFi, including money laundering, terrorist financing and vulnerabilities due to the lack of intermediaries.

The FMA has not issued specific regulations for DeFi. If a DeFi activity involves services that are regulated under existing laws then the entities involved may be subject to those regulations. For example, if a party facilitates the trading of security tokens or crypto-assets, by deploying a protocol, they cannot claim exemption from regulation simply because the service is decentralised.

While DeFi itself is not therefore explicitly regulated, the specific activities conducted within DeFi platforms may trigger existing regulatory obligations, depending on their nature and structure.

Funds that invest in blockchain assets are regulated based on the type of fund and the nature of the crypto-assets involved.

For UCITS funds, investment is limited to eligible assets as defined under the UCITS Directive. Most crypto-assets do not currently qualify as eligible assets, meaning UCITS cannot invest in them directly.

In contrast, alternative investment funds (AIFs), regulated under the AIFMD, have greater flexibility. A fund investing in crypto-assets, in whole or in part, may be structured and authorised as an AIF, provided it meets requirements on risk management, custody, valuation and investor disclosures.

Whether a crypto-asset qualifies as an eligible asset depends on its legal classification. Security tokens may be eligible if they are financial instruments under MiFID II, while non-MiFID crypto-assets (eg, utility tokens) typically are not.

Virtual currencies and blockchain assets are related but treated differently in regulation.

Under MiCAR, virtual currencies, such as bitcoin, are classified as a type of crypto-asset which are defined as digital representations of value or rights that can be transferred and stored using DLT. They fall under the general MiCAR framework when offered to the public or traded via authorised platforms.

Under the previous version of the Austrian FM-GwG, the term virtual currency referred to what is now defined as crypto-assets and these were primarily regulated for AML purposes (eg, under AMLD5 and the FM-GwG) and not as financial instruments.

The term blockchain assets is broader and includes virtual currencies, utility tokens, ARTs, EMTs and security tokens. Regulatory treatment depends on classification. For example, security tokens fall under MiFID II, while most other tokens are now regulated under MiCAR.

NFTs and NFT platforms in Austria are not generally part of the fintech regulatory framework unless specific conditions apply.

Under MiCAR, NFTs are explicitly excluded from the regulation, provided they are unique and not fungible with other tokens. This reflects the view that NFTs typically serve as digital representations of unique assets (eg, art, collectibles) rather than functioning as financial instruments or means of payment.

If NFTs are issued in large series or are effectively fungible (eg, fractionalised NFTs or collections with identical rights), they may be treated as crypto-assets under MiCAR. In these cases, the issuer or platform could fall within the regulatory framework, depending on the structure and functionality of the tokens.

Open banking in Austria is supported by the PSD II, which mandates banks provide licensed third-party providers with access to customer account data with the customer’s consent via secure APIs.

PSD II promotes competition, innovation and consumer choice by enabling new fintech services such as account aggregation and payment initiation. The FMA supervises compliance and banks must ensure API access and strong customer authentication (SCA).

Banks and technology providers address data privacy and security concerns in open banking through SCA, secure APIs and full compliance with GDPR. They must obtain explicit customer consent, implement encryption and access controls and ensure secure data processing. Regulatory oversight is shared between the FMA for PSD2 compliance and the Data Protection Authority for GDPR enforcement.

Fraud in the context of financial services and fintech is governed by Section 146 of the Austrian Criminal Code. Fraud occurs when a person intentionally deceives another about facts in order to obtain an unlawful financial gain for themselves or a third party. The deception must cause the victim to act, refrain from acting or tolerate something, resulting in a financial loss to themselves or another.

In the context of financial instruments, fraud may also fall under capital market laws, for example, misrepresentations in investment advice or securities offerings may constitute investment fraud, triggering additional penalties under criminal and administrative law (eg, under the Capital Markets Act or MAR). The FMA may also take enforcement action in cases involving misleading conduct in regulated financial services.

The FMA closely monitors financial fraud types that are especially relevant in the fintech and digital asset space. A key focus is on fraudulent online trading platforms, particularly those involving crypto-assets. These scams often involve fake websites posing as legitimate brokers, promising high returns on investments in cryptocurrencies, forex or stocks. These platforms simulate trading activity but misappropriate client funds.

Another major concern is cold calling, where fraudsters pose as financial advisors to pressure victims into investments (often in crypto or high-risk products). This practice is illegal in Austria.

In addition, impersonation of authorities is a growing issue. Scammers pretend to represent the FMA to extract payments or sensitive data. The FMA stresses that it never contacts individuals to request money or personal information.

Lastly, the FMA specifically warns about crypto fraud, including unlicensed providers, fake wallets and investment offers involving non-existent or misleading crypto projects. These scams often target inexperienced investors and operate across borders, making enforcement difficult.

A fintech service provider may be responsible for customer losses if the loss results from negligence, breach of contract, regulatory non-compliance or security failures (eg, weak authentication or system flaws). Under PSD II, liability rules apply for unauthorised payment transactions. Under the rules, unless the customer acted fraudulently or with gross negligence, the provider must typically reimburse the loss.

Under MiCAR, specific rules apply for CASPs providing custody services. Under these rules, clients have to suffer a crypto-asset loss as a result of an incident that can be attributed to the CASP.