MiCA License in Austria 2026

MiCA vs old Austrian VASP registration: what changed and why it matters in 2026

MiCA changed Austrian crypto regulation from a mainly AML-centered entry framework into a full authorization regime for CASPs. Under the old Austrian VASP logic, the focus was heavily on AML registration and monitoring. Under MiCA, the focus expands to include governance, prudential safeguards, safeguarding, conduct, outsourcing, complaints handling, and operational resilience.

The business consequences are substantial:

• Passporting: MiCA creates an EU authorization model with cross-border notification mechanics; the legacy framework did not provide equivalent EU-wide market access.
• Service perimeter: MiCA defines specific CASP services, so founders must map their exact activities to legal categories rather than using broad “crypto business” language.
• Governance: The management body, qualifying shareholders, outsourcing controls, and internal policies are reviewed in a more structured and prudential way.
• Safeguarding: Client asset handling, segregation, reconciliation, and disclosures become central licensing issues.
• ICT and DORA: Technology is no longer a background matter. It is part of the regulated control environment.
• Regulatory overlap: MiCA does not replace MiFID II, PSD2, e-money, or banking rules where those regimes are actually triggered.

For founders, the practical shift is this: under the old model, many businesses treated compliance as onboarding plus monitoring. Under MiCA, compliance starts at product design. If your wallet architecture, order-routing logic, fiat flows, token classification, and vendor stack are not aligned before filing, the application becomes slower, more expensive, and harder to defend.

This is why RUE treats MiCA license in Europe work as a regulatory design exercise, not just a document production exercise.

What businesses can no longer rely on the legacy framework

Businesses that provide custody, exchange, trading platform operation, order execution, order transmission, portfolio management, crypto advice, placing, or transfer services generally cannot treat legacy VASP-style logic as sufficient in 2026. The same is true for firms that want credible EU passporting or institutional banking relationships.

The exact transition position can depend on service scope, timing, and how the business was structured historically. But as a strategic matter, new market entrants should design directly for full MiCA/CASP authorization, not for a legacy framework that no longer reflects the main regulatory reality.

Which services are covered by an Austria MiCA license

MiCA covers specific crypto-asset services, not crypto business in the abstract. For a founder, this is the most important perimeter question because the authorization scope, capital planning, governance design, and operational controls all depend on the exact service set.

The core CASP services generally include:

• Custody and administration of crypto-assets on behalf of clients;
• Operation of a trading platform for crypto-assets;
• Exchange of crypto-assets for funds;
• Exchange of crypto-assets for other crypto-assets;
• Execution of orders for crypto-assets on behalf of clients;
• Placing of crypto-assets;
• Reception and transmission of orders for crypto-assets on behalf of clients;
• Providing advice on crypto-assets;
• Providing portfolio management on crypto-assets;
• Providing transfer services for crypto-assets on behalf of clients.

Each category has different compliance consequences. For example, a custody-heavy model raises deeper safeguarding, wallet governance, reconciliation, and incident-response questions than a pure advisory model. A trading platform model raises stronger market conduct, order handling, surveillance, and systems resilience issues. A transfer-service model creates immediate Travel Rule and wallet-attribution complexity.

One nuance many competitors miss: transfer services are not just a technical wallet function. They can materially change your AML architecture because you need reliable originator and beneficiary data flows, sanctions screening logic, and clear exception handling for unhosted wallets and incomplete counterparty information.

RUE typically starts with a service matrix that maps feature → legal service bucket → control consequence → possible overlap regime. That approach reduces misclassification risk before the first draft of the application is written.

Business models that often require additional licensing beyond MiCA

MiCA does not cover every tokenized or crypto-adjacent business model. Some models trigger parallel or alternative regimes.

• MiFID II: if the token qualifies as a financial instrument, MiCA may not be the main regime at all.
• EMI / credit institution rules: issuers of e-money tokens (EMTs) are subject to a different regulatory logic and cannot assume a standard CASP authorization solves issuance.
• PSD2 / payment services: fiat payment flows, stored value, or execution patterns may create payment-regulatory questions.
• Banking / lending / fund rules: staking, lending, yield, treasury pooling, or return-generating structures may move outside a clean MiCA perimeter.
• AIFMD or collective investment analysis: pooled crypto strategies can create fund-structuring issues rather than pure CASP issues.

A practical decision tree is essential. If you are tokenizing securities, offering yield, issuing stable-value products, or embedding fiat payment functionality, you should test the model against EMI/PSP licensing, tokenisation under MiCA, and broader financial-services rules before choosing Austria as your home state.

Minimum capital for MiCA license in Austria: what founders usually misunderstand

The minimum capital for an Austria MiCA license is not one universal number. The commonly cited own-funds levels under MiCA are EUR 50,000, EUR 125,000, and EUR 150,000, and the relevant threshold depends on the services provided. If your model combines several CASP services, you usually plan against the highest applicable band.

The second common misunderstanding is mixing company formation capital with regulatory own funds. An Austrian GmbH has its own company-law capitalization rules. MiCA own funds are a separate prudential concept. You may satisfy one and still fail the other.

The third misunderstanding is treating the legal minimum as the real funding need. It is not. The FMA will look at whether the business can operate safely, not merely whether it can be incorporated. A credible applicant should show enough funding for governance, compliance, staffing, technology, audit, office, and remediation cycles after submission.

Regulatory capital vs company formation capital

Company formation capital creates the legal vehicle. Regulatory own funds support the regulated activity. They serve different purposes and should be documented separately in the application.

• GmbH capital belongs to Austrian company law and incorporation mechanics;
• MiCA own funds belong to prudential supervision and service risk;
• Operating runway belongs to business viability and supervisory credibility.

In practice, founders should prepare a capital memo that reconciles all three layers. This is one of the easiest ways to prevent contradictory numbers across the business plan, financial projections, and shareholder funding documents.

Simple budget formula for 2026 applicants

A realistic 2026 budget is: regulatory own funds + setup costs + 12 months burn + contingency reserve. That formula is simple, but it reflects how regulators and banking partners actually think.

Typical cost buckets include:

• One-off: incorporation, legal drafting, regulatory analysis, policy set, application assembly, translations/notarization where needed;
• Annual recurring: office, directors, MLRO/compliance, accounting, audit, legal support, ICT security, regtech, Travel Rule tooling, blockchain analytics;
• Contingency: remediation rounds, vendor replacement, additional staffing, independent reviews.

RUE usually advises founders to budget for at least one post-submission remediation cycle. That single assumption makes planning materially more realistic.

Application dossier: documents you need for a successful Austria MiCA license filing

A strong Austria MiCA license dossier is a coherent evidence package, not a stack of disconnected PDFs. The FMA will test whether the documents tell one consistent story about your services, ownership, controls, technology, and financial viability.

The core dossier usually includes:

• Program of operations describing services, client types, jurisdictions, channels, and operational flow;
• Business plan and financial projections with realistic assumptions and downside scenarios;
• Corporate documents, constitutional documents, registration extracts, and ownership chart;
• UBO and qualifying holding disclosures with source-of-funds evidence;
• Governance arrangements, board structure, role descriptions, conflicts framework, and delegation matrix;
• AML/CFT framework, business-wide risk assessment, onboarding rules, monitoring logic, sanctions controls, and suspicious activity process;
• Travel Rule operating model including data fields, messaging approach, exception handling, and counterparty due diligence;
• Safeguarding and reconciliation policies for client assets and client funds where relevant;
• Complaints handling policy and consumer communication framework;
• Outsourcing policy and vendor register with oversight, SLAs, audit rights, and exit planning;
• ICT and cybersecurity documentation including architecture, access governance, incident response, BCP/DR, logging and monitoring;
• DORA-relevant control documentation for ICT risk, third-party oversight, and resilience testing;
• Fit and proper packages for directors and key function holders.

The best way to manage the dossier is to assign an owner to each document and force cross-consistency checks. For example, the outsourcing map must match the ICT architecture, the business plan must match the revenue logic, and the AML risk assessment must match the actual services and target geographies. Most weak applications fail on these internal contradictions, not on missing buzzwords.

Core legal and corporate documents

Corporate documents establish who is applying, who controls the applicant, and whether the structure is transparent enough for supervision.

• Articles / constitutional documents and corporate registry extracts;
• Ownership chart from immediate shareholders to UBOs;
• UBO disclosures and identification documents;
• Qualifying holding data for 10%+ holders;
• Source-of-funds / source-of-wealth evidence;
• Board resolutions and authorization records for the filing.

Where foreign documents are involved, founders should plan for notarization, apostille, sworn translation, and timing mismatch between corporate issuance dates and filing deadlines.

Governance, AML/CFT and internal controls

The FMA expects a control framework that is proportionate, but real. That means governance documents must show who owns risk, who approves exceptions, who monitors compliance, and how issues escalate to management.

• Governance map with board, management, compliance, AML, risk and ICT responsibilities;
• AML manual tailored to the business model;
• Business-wide ML/TF risk assessment;
• CDD/EDD procedures for retail, corporate and higher-risk clients;
• Sanctions and adverse media controls;
• Travel Rule workflow and data retention logic;
• Training plan and independent review approach.

An advanced but useful addition is a control evidence map showing which system, team, or provider generates proof for each control. That makes the file much stronger because it moves the discussion from policy language to operational evidence.

ICT, cybersecurity and DORA-ready documentation

ICT documentation should explain how the platform works, how it fails, and how the firm remains in control when it fails.

• System architecture covering wallets, custody stack, exchange engine, APIs, cloud, nodes, and compliance tools;
• Access-control model with privileged access governance and maker-checker logic;
• Incident response plan with severity classification and escalation chain;
• Business continuity and disaster recovery with defined RTO/RPO assumptions;
• Third-party ICT register and criticality assessment;
• Testing schedule for vulnerability management, backup restoration, and resilience checks;
• Logging and evidence retention for audit trail integrity.

One operational nuance that materially improves readiness is to document manual fallback procedures for sanctions alerts, transfer holds, and wallet incidents. Regulators know systems fail. They want to see that governance survives failure.

Ongoing obligations after getting an Austria MiCA license

After authorization, your Austrian CASP enters continuous supervision. The core obligation is to remain compliant not only on paper, but in live operations.

The main ongoing obligation buckets are:

• Capital maintenance and board oversight of own funds;
• Governance maintenance, including suitability of directors and key persons;
• Safeguarding and reconciliation for client assets and funds where relevant;
• AML/CFT, sanctions screening, transaction monitoring, and suspicious activity escalation;
• Travel Rule operations for crypto transfers;
• Complaints handling and customer disclosure maintenance;
• Outsourcing oversight and periodic vendor review;
• ICT and DORA controls, including incident handling and resilience testing;
• Regulatory notifications when ownership, governance, or business model changes materially.

One practical lesson from regulated crypto operations is that the hardest part is not writing the policy set. It is maintaining a reliable evidence trail. Supervisors, auditors, banks, and counterparties will all ask for proof that controls work in practice. If your logs, reconciliations, approvals, and exception handling are not centralized and reviewable, the compliance burden compounds quickly.

Travel Rule, AML monitoring and sanctions screening

The Travel Rule is a data architecture problem as much as a legal one. Under Regulation (EU) 2023/1113, CASPs handling relevant transfers need originator and beneficiary information, screening logic, and exception management that work operationally.

In practice, this means:

• Capturing required transfer data fields in a structured format;
• Exchanging data with counterpart CASPs, often using market standards such as IVMS101;
• Screening wallets and counterparties before or during transfer execution;
• Escalating unhosted wallet or incomplete-data scenarios under documented rules;
• Maintaining audit logs for transfer decisions and holds.

Firms that bolt Travel Rule tooling on top of a legacy product stack often struggle because transaction IDs, customer IDs, wallet labels, and case-management records do not reconcile cleanly. Building that data model early is a major advantage.

DORA in practice for crypto firms

DORA requires management to govern ICT risk as a business risk, not just as an IT issue. For Austrian CASPs, that means the board and senior management must understand critical systems, dependencies, incidents, and testing results.

• Incident classification and escalation should be documented and rehearsed;
• Critical third-party providers should be identified, risk-rated, and contractually controlled;
• Resilience testing should be periodic and proportionate;
• Recovery assumptions should reflect the actual client-impact profile of the service;
• Management reporting should include meaningful ICT risk metrics, not only technical dashboards.

One strong practice is to maintain a single ICT dependency map linking each regulated service to the systems, vendors, and fallback procedures that support it. That document is useful for DORA, outsourcing oversight, incident response, and even banking due diligence.

How RUE supports MiCA Licence in Austria projects

RUE acts as legal architect, dossier manager, and execution partner for Austria MiCA license applications. We do not stop at company setup or template drafting. We coordinate the full chain:

• CASP perimeter analysis and service classification;
• Austrian entity setup and governance design;
• MiCA application document preparation;
• AML/CFT, sanctions and Travel Rule operating model;
• DORA and outsourcing documentation;
• banking strategy through our high-risk business bank account and Austrian bank account services;
• accounting and tax coordination through our accounting team and Austria crypto tax support;
• post-authorization governance and compliance maintenance.

For founders comparing jurisdictions, we also advise on alternatives such as MiCA Licence in Germany, MiCA Licence in Malta, MiCA in Lithuania, and MiCA in Poland where the business model may fit a different supervisory environment better.

Important note: this page is informational and does not constitute legal or tax advice. Final scope, capital, tax, and reporting conclusions should be confirmed against the exact business model and the law in force at the time of filing.