MiCA + FMA Reality for an Austrian Web3 Startup in 2026

If you are building a Web3 product out of Austria in 2026, two regulators sit on your roadmap: the FMA (Finanzmarktaufsicht) and Brussels via MiCA (Regulation EU 2023/1114). The short version. If you touch custody, exchange, brokerage, portfolio management, advice, or transfer of crypto-assets for third parties, you need a CASP authorization. Capital floors land at EUR 50k, 125k, or 150k depending on service class. Austria's transitional regime expires 30 June 2026, so the runway is short.

This guide is engineering perspective, not legal advice. We have shipped crypto products under MiCA-adjacent scoping (Scramble Pay, Scramble Wallet, Zybra Money) and we treat compliance as architecture, not paperwork.

Who actually needs a CASP license in Austria?

If you provide any of the ten regulated crypto-asset services on a professional basis in Austria or to Austrian customers, you need a Crypto-Asset Service Provider authorization from the FMA. The ten services per MiCA Art. 3(1)(16):

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform
• Exchange of crypto-assets for funds
• Exchange of crypto-assets for other crypto-assets
• Execution of orders
• Placing of crypto-assets
• Reception and transmission of orders
• Providing advice on crypto-assets
• Portfolio management
• Providing transfer services for crypto-assets on behalf of clients

If your product offers none of these, you may still hit the Token Issuer rules (whitepaper, marketing, ongoing disclosure) if you mint and offer a crypto-asset to the public or seek admission to trading.

What are the capital requirements per CASP class?

MiCA Annex IV sets prudential floors. Three buckets:

On top of the floor: own funds must equal the higher of the capital floor or one quarter of the previous year's fixed overheads. Practical reading. A pure custody wallet startup with EUR 800k/year fixed overheads needs EUR 200k in own funds, not 125k.

What is the Austrian transitional regime status in mid-2026?

Austria opted for the maximum 18-month transitional window. VASPs that were registered with the FMA before 30 December 2024 can keep operating under the prior FM-GwG regime until 30 June 2026. After that, no CASP authorization means no business in Austria. The FMA fast-track grandfathering process exists, but you need a complete application well before the cutoff. If you have not filed by mid-2026, you are out of time.

What does the whitepaper requirement look like for a token issuance?

If you issue a crypto-asset that is neither an asset-referenced token (ART), an e-money token (EMT), nor a security, you fall under Title II. Required deliverables before public offering:

1. Whitepaper per Art. 6 with the specific Annex I content blocks (issuer, project, rights attached, technology, risks, environmental impact).
2. Notification to the FMA at least 20 working days before publication.
3. Marketing communications consistent with the whitepaper, identifiable as marketing, with a link to the whitepaper.
4. Right of withdrawal for retail buyers for 14 calendar days on Art. 4 offers.

Utility tokens that grant access to a good or service provided by the issuer get a lighter regime if the good or service exists. If it is a pre-launch promise of future utility, you are in Title II proper.

What about NFT projects?

MiCA Recital 11 carves out crypto-assets that are unique and not fungible. In practice that means a 1/1 art piece is out of scope. But large fungible collections (10k PFP drops with shared traits) are at material risk of being treated as fungible by the FMA. The test the regulator applies. Are the units interchangeable in economic terms? If yes, MiCA applies, whitepaper required. We have seen scoping conversations where the same code, contract, and art style get different verdicts based on collection size and trading-platform listing intent.

Can we run a DAO from Austria?

The FMA treats fully decentralized protocols outside MiCA scope per Recital 22. The catch. Most projects calling themselves DAOs run a multisig with a small admin set, a legal-entity foundation, a treasury contract with upgrade authority, and a frontend operator. Each of those touch-points pulls you back into scope. Operating a frontend that routes users to the protocol can count as "reception and transmission of orders" depending on UX. Running a treasury that pays contributors against revenue can hit the issuer rules. Architecture matters. If you want the Recital 22 carve-out, the protocol needs to be genuinely permissionless, immutable, and operator-free, and the off-chain entity must not behave like a service provider.

"Compliance is product architecture, not paperwork. Decide your CASP class before you write the first <a href="/glossary/#smart-contract">smart contract</a>."

What are the FMA touch-points I will actually hit?

From the engineering seat, three FMA touch-points dominate the calendar:

• Authorization application. Full file with governance, ICT, AML, custody segregation policies, business plan, three-year financials. Pre-filing meetings with the FMA are standard and worth the time.
• Ongoing reporting. Quarterly prudential reporting, annual ICAAP/ICT report, incident reporting under DORA which applies to CASPs from January 2025.
• FMA Regulatory Sandbox. Available for novel business models. Good fit for products that need a regulator-blessed scoping decision before scaling. Application window is typically twice per year.

What does the build-side checklist look like?

This is where engineering meets the rulebook. Non-exhaustive, what we ship for clients in this space:

1. Custody segregation. Client crypto-assets and funds segregated from the firm's own. Wallet labels, on-chain proofs, daily reconciliation.
2. Key management. HSM or threshold signing scheme. Disaster recovery tested, not theoretical.
3. Travel Rule. FATF Recommendation 16 plus EU TFR Regulation 2023/1113. IVMS 101 payloads for transfers above EUR 1,000.
4. Market abuse surveillance. If you run a trading venue, wash-trading and insider-dealing detection on-chain and off.
5. Complaints handling. Logged, time-bounded, escalation path documented.
6. ICT and DORA. Tested business continuity, third-party register, threat-led penetration testing if classified as significant.

We build and harden the code. External firms perform the audits. We do not, and you should not pick a vendor who claims to do both.

What does this cost in build-time?

From Wavect's engagement history in crypto: a clean Class 2 CASP MVP including custody segregation, Travel Rule integration, AML screening, basic compliance dashboards, and the technical documentation pack the FMA expects, lands in a 12 to 24 week build window. Whitepaper engineering review (correctness, technical claims, risk section) is a separate two to four week track. The actual licensing legal work is your law firm's billable, not ours.