The Financial Technology Law Review: Austria


Generally, the Austrian financial services market is known for its fairly strict licensing requirements. While not targeted at fintech in particular, depending on a fintech's proposed activities, these may impact its business model. Also, the Austrian Financial Market Authority (FMA) is known for its rather strict administrative practice when evaluating whether market participants provide regulated services without a licence. Fintechs are therefore well advised to carefully scrutinise their business models against regulatory requirements applicable in Austria.

A 'regulatory sandbox' for fintech companies has been in place since 1 September 2020. The FMA Sandbox allows fintech businesses to benefit, on a temporary basis, from less restrictive licensing requirements than other market participants – while, on the other hand, extensive disclosure and cooperation obligations with the FMA apply for fintechs. According to the FMA, the FMA Sandbox aims to simplify the procedures for fintechs to become a supervised entity. Hence, full licensing requirements are not entirely disapplied but moved in a notional timeline to a point in time when the fintech has already been operating to a limited extent under the FMA Sandbox regime. As part of the FMA Sandbox, fintechs could also cooperate with established and supervised market participants that have fintech business models. The requirements for being included in the FMA Sandbox are (among others) a business model that is based on information and communications technology, that licensing requirements for that business model cannot be excluded and that the business model is (from a technical perspective) already ready for testing. The purpose of the FMA Sandbox is to accelerate the market readiness of such a business model in a controlled environment, while the fintech is able to resolve any regulatory issue that may exist at the same time. Applicants will need a business plan also evidencing the fulfilment of all requirements for inclusion in the sandbox. The regulator may grant a temporary banking, Markets in Financial Instruments Directive (MiFID) II or Payment Services Directive (PSD) II licence for fintech companies included in the FMA Sandbox. If the test phase should be successful, the fintech will typically leave the confines of the FMA Sandbox with a financial services licence no longer subject to restrictions.

While the FMA Sandbox is generally a positive step, its benefits versus potential burdens need to be balanced by fintechs. On the one hand, fintechs can test their business model in a controlled environment. On the other hand, fintechs are supervised, need to obtain a temporary licence (which is subject to a licensing procedure under the sandbox regime) and more importantly need to open up their technology to the FMA. Depending on their exact business model, fintechs are advised to carefully scrutinise whether they may be better off seeking a 'traditional' licence from the FMA – which may, in certain circumstances, subject them to even less restrictive supervision by the FMA. At the time of writing, only one fintech has applied for and been granted access to the FMA Sandbox.

Independent of the FMA Sandbox, the FMA is generally aware of the need for fintechs to obtain legal certainty about the applicable regulatory framework, which can be overwhelming for market participants who are unfamiliar with financial services regulation. The FMA has therefore launched a dedicated web-based platform for fintechs, the FMA FinTech Navigator, which allows fintechs to liaise with the FMA on questions concerning the supervisory laws (e.g., whether a proposed business activity may trigger licensing requirements or the like). Also, in a Q&A-style questionnaire, fintechs can self-check certain standard business models against possible licensing requirements under Austrian law.

The FMA tends to be supportive when approached in a respectful and constructive manner. However, latest practice has shown that replies by the FMA take longer than in the past, and – depending on the exact business model – the FMA is exercising more intense scrutiny than previously. If a business model is or may be subject to licensing requirements, the FMA is expected to indicate this to the applicant. Should this be the case, fintechs should explore potential alternatives, including partnering with licensed market participants (which could act as fronting banks, for example). White-labelling is becoming increasingly relevant for fintechs.

Furthermore, at present there are no special tax incentives available for fintech companies. Fintech start-ups, however, will benefit from the same incentives as other start-ups. These incentives apply, inter alia, when companies are newly founded and the core of these incentives is relief from certain statutory taxes and stamp duties. Also, there are various institutions providing support (also in terms of funding) to start-ups and fintechs. One such institute is the Austrian Promotional Bank, which has already provided more than €1 billion in funding to start-up companies.


i Licensing and marketing

Licensing requirements and marketing restrictions will very much depend on a fintech company's business model and the scope of proposed activities.

Generally, different licensing requirements may apply under the Austrian Trade Code or financial supervisory laws.

The Austrian Trade Code will apply whenever (1) the activity is of a commercial nature and (2) is provided in Austria, as long as no regulated activity is conducted (i.e., because in this case special financial supervisory rules apply). Depending on the activities to be provided, the trade licence may be free or regulated. A regulated trade licence bears additional burdens.

If the proposed activities are regulated under financial services laws, specific licensing requirements will apply. In a nutshell, Austria has transposed the relevant EU framework legislation under MiFID II, the E-Money Directive, the Alternative Investment Fund Manager Directive (AIFMD) and PSD II. In addition, as a general guideline, fintech companies should be aware that almost all of the services listed in Annex 1 to Capital Requirements Directive (CRD) IV require a banking licence in Austria. This may be significantly more burdensome than expected as compared to their home state legislation. For instance, such activities include trading with currencies and financial instruments.

Some typical activities of fintechs have the potential to be licensed or otherwise regulated services: (1) internet platforms or app solutions that offer trading venues for tokens or placement services for tokens, in particular security tokens (see Section V.iii); (2) initial coin offerings (ICOs), initial token offerings (ITOs) or initial exchange offerings; (3) crypto miners in certain circumstances where money is collected from the market; or (4) setting up an investment management company or automated digital advisory company.

Special restrictions on marketing fintech services (in addition to general requirements under competition laws) generally do not apply as long as the activities are not regulated or the products do not constitute financial instruments or securities. Restrictions will apply if regulated services or securities and financial instruments are involved. It is recommended that fintech companies explore specific marketing restrictions that may apply to their specific use case. In particular, marketing via emails and cold calling is heavily restricted in Austria. Apart from some exceptions (e.g., where the receiver has consented or where previous business relationships exist), generally, no emails may be sent for the purposes of direct marketing.

ii Cross-border issues

The Single European Passport is available for regulated companies under, inter alia, CRD IV, MiFID II, the E-Money Directive, the AIFMD and PSD II. This means that fintech companies that are regulated under their home Member State laws and possess a banking licence, a licence as a payment services provider pursuant to PSD II, a licence as an alternative investment fund manager under the AIFMD, a licence as an e-money institute or a licence as an investment firm under MiFID II may passport their licence into Austria and provide their services in Austria without having to first obtain a licence from the FMA.

Where fintech companies do not provide regulated services and are not licensed under their home Member State legislation, no passport is generally available. To the extent that the Austrian Trade Code applies (see Section II.i), services may be provided in Austria on a temporary basis only under the EU freedom of services without a trade licence. If a service is targeting the Austrian market on a continuous basis or if the services are continuously provided in Austria, a trade licence will be required (see Section II.i).

Generally, no reverse solicitation exemption will apply (the MiFID II reverse solicitation exemption will only be available to regulated entities from non-European Economic Area (EEA) Member States). This means that licensing requirements will generally apply when a foreign person is acting in Austria. The FMA's approach appears to be much stricter than that of the trade authority. As regards regulated services, to determine whether a regulated business is conducted in Austria, regulatory practice as applied by the FMA focuses on the place where the offer to enter into a contract is made or where the offer is accepted. As a general rule, market operators will be deemed to carry out licensed banking activities in Austria as soon as any counterparty located in Austria is in a position to enter into relevant, legally binding commitments.

This approach applies irrespective of the means of communication involved. In terms of traditional mail, it will therefore be sufficient if the place of sending and posting the offer to enter into a relevant contract or the acceptance thereof is in Austria. With regard to services offered via the internet, licensing requirements will usually be triggered if clients located in Austria find themselves in the position – technically and legally – to enter into relevant commitments legally binding on them.

This view has further been corroborated by the Austrian Supreme Court in a decision regarding loans granted cross-border by a Swiss bank. Furthermore, case law with respect to a securities portfolio of an Austrian client that was managed outside of Austria (in this instance, the United States) confirmed that advisory services in respect of such portfolio have to be considered to be provided at the place where the customer at the time of provision of these services is located, irrespective of whether such service is provided from outside of Austria via telephone, facsimile, letter, email or similar. Case law further held that the conclusion of an agreement on portfolio management services (to be provided abroad) in Austria was sufficient to conclude that financial services were subject to Austrian licensing requirements.

In a digital world, this strict approach particularly poses issues for globally active companies. In this context, companies that may be, or are, subject to Austrian licensing requirements (but have not obtained one) should exercise scrutiny as regards their marketing campaigns. The FMA is known for checking whether unlicensed companies that provide licensable business advertise to Austrian customers or target the Austrian market. This includes checking whether apps are available in the Austrian versions of the Android or iOS app stores and whether home pages are offered in the German language or contain specific contact information for Austrian customers. Unlicensed companies that provide licensable business should hence consider including on their websites geo-barriers for clients located in Austria.

Digital identity and onboarding

In Austria, the 'citizen card' and a mobile phone signature allow for a secure and authentic electronic signature. A person may officially sign documents via authentication by smartphone app or via a dedicated website. By law, this qualified electronic signature has the same effect as a handwritten signature.

The electronic citizen card and the mobile phone signature are also available to non-Austrian citizens, although the person must be a permanent resident of Austria. The citizen card can be obtained and the mobile phone signature can be activated in various ways; for example, via the online tool of the Austrian tax authorities or in certain Austrian banks or authorities acting as registrars.

In addition, under the 'ID Austria' brand, the functionality of the citizen card has been extended. At least within Austria, ID Austria also serves as a limited digital ID card for its holders.

Fully digitised onboarding of clients should generally be feasible but will very much depend on the technical infrastructure available. The legal framework for digitised onboarding is set by the FMA in its Ordinance on Online Identification (the FMA Online Identification Ordinance). Many banks use third-party providers to comply with the rather strict standards for online identification set in the FMA Online Identification Ordinance (e.g., conduct of the identification by educated personnel in a separate room with access control, live identification) by way of outsourcing. This onboarding is most commonly conducted via videoconference, where an operator verifies the identity of the customers in compliance with the FMA Online Identification Ordinance. The Ordinance has recently been revised by the FMA. Under the revised Ordinance, the personal interaction of an employee can be replaced by artificial intelligence that conducts certain analysis of the ID documents provided by the client, subject to this procedure meeting certain conditions (e.g., the biometric identification procedures must be permissible pursuant to Article 9(2)(a) of Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)) and the obliged entity takes appropriate technical and organisational measures to achieve a level of protection appropriate to the risk within the meaning of Article 32 of the GDPR).

Digital markets, payment services and funding

i Payment services

Payment services are regulated under the Payment Services Act, implementing PSD II. Certain services, such as issuing payment instruments or providing money transfers, are regulated and require a payment services licence.

Exemptions as outlined in PSD II also apply in Austria. The most important exemption relates to the provision of payment services in a limited network. This means, for example, where a payment instrument is only accepted by very few vendors for a specific product (e.g., gas payment cards issued by gas station operators for payment of gas only) or by one vendor for a limited number of products or services or in a limited number of places (e.g., its stores), the issuance of such instruments will not necessarily trigger licensing requirements.

Upon request of the customer, banks are required to provide third parties access to a customer's account. This was intended, inter alia, to help fintech start-ups with innovative business models that depend on such data (e.g., platforms for combined access to bank accounts held with different banks).

ii Collective investment schemes

Collective investment schemes are largely regulated under Austrian law in the form of a fund or alternative investment fund (AIF). Depending on how they are structured, collective investment schemes may qualify as undertakings for the collective investment in transferable securities (UCITS) under the Austrian Investment Fund Act or AIFs under the Austrian Alternative Investment Fund Manager Act. An AIF can take whatever legal form possible and is not limited to fund entities similar to UCITS. For instance, some forms of private equity instruments (e.g., shares in private limited partnerships) may qualify as AIFs under Austrian law. Less obvious forms have also been deemed AIFs by the FMA: a crypto mining company, for instance, was held to be an AIF. This was because the mining company offered crypto mining plans under which customers could participate in income generated from the company mining certain cryptocurrencies. When managing or offering an AIF, licensing or registration requirements will apply.

Securities and investments

The offering of tradeable securities, such as bearer shares or bonds, is subject to prospectus requirements under the Prospectus Regulation and the Austrian Capital Markets Act 2019 (CMA) supplementing the Prospectus Regulation. Exemptions to the prospectus requirements are available.

Furthermore, as well as the offering of securities, the public offering of investments is also subject to prospectus requirements under the CMA. An investment is the offer of any form of right that is not a tradeable security, provided that a group of persons invests in a project or company or asset and shares the risk associated with the investment. An investment prospectus is considerably less burdensome than a security prospectus and follows the scheme as outlined by an annex to the CMA. Generally, the same exemptions to prospectus requirements as with respect to securities also apply to the offering of investments. Typical forms of investments are, for example, subordinated loans, profit participation rights and limited partnership shares.

If securities and investments are issued below an amount of €5 million, only a simplified prospectus is required and is optional. This simplified prospectus does not follow the schemes under the Prospectus Regulation, but a specific scheme as annexed to the CMA. The advantage of the prospectus being slimmer and less burdensome to produce is, however, accompanied by the disadvantage that passporting of the simplified prospectus into other EEA Member States is not possible. This limits fundraising via such simplified prospectus to Austria, unless the offering of the securities in other EEA Member States is done in reliance on an official exemption from prospectus requirements under the Prospectus Regulation.

Alternative financing instruments

Under the Alternative Financing Act (AFA), initially introduced to help small and medium-sized enterprises (SMEs) conduct crowdfunding by a set of rules allowing easier access to funding, simplified requirements to obtaining funding apply. While donation or rewards-based crowdfunding was not subject to any substantial restrictions, typical crowdfunding campaigns involving the collection of money from the public for investment purposes were usually subject to prospectus requirements under the CMA (see Section IV.ii, 'Securities and investments').

Since the end of 2021, the rules of the AFA have stood as an alternative to crowdfunding under the rules of Regulation (EU) 2020/1503 (the EU Crowdfunding Regulation).

The AFA is aligned with the CMA. The AFA applies to the issuance of securities and investments under reliance on an exemption from prospectus requirements under the CMA. The simplified framework does not solely apply to SMEs. Rather, all sorts of issuers (including licensed entities) are able to make use of the simplified rules.

Under the AFA, securities may be issued without the need to prepare a prospectus if the total amount of each issuance does not reach €2 million. This, however, does not mean that such issuances are not regulated. Issuers will need to prepare a key information document that will disclose essential information about the issuer and the relevant project to investors. Still, the burden to prepare a (simplified) prospectus and (with respect to securities) get the prospectus approved by the regulator (FMA) has been lifted – which should help reduce costs for issuers.

Regard must be had to the following restrictions: (1) the aggregate outstanding amount of all investments raised via the AFA may not exceed €5 million over a period of seven years; (2) the aggregate amount of all securities and investments issued pursuant to the AFA may not exceed €2 million over a 12-month period; and (3) the aggregate outstanding amount of all securities and investments in the European Union may not exceed €5 million over a period of 12 months (including crowdfunding offers under the EU Crowdfunding Regulation). If by new issuances these thresholds would be exceeded, any such new issuance will require a prospectus under the CMA (see Section IV.ii, 'Securities and investments'). There are limits to the amounts that retail investors may invest in alternative financing instruments (generally €5,000 in a 12-month period), which will need to be taken into account when determining the target market for such an instrument.

Issuers of securities are not bound to rely on the simplified rules. They may continue to prepare a full EU securities prospectus (e.g., when this is beneficial for placement of the securities or the like or passporting of the prospectus is intended); in this case, the rules of the AFA will not apply to such issuances.

iii Lending

Lending is a licensable banking activity under Austrian law. There are no exemptions for peer-to-peer lending or start-up companies; however, the FMA does not appear to pursue private individuals who participate in peer-to-peer lending platforms. The intermediation of loans can also be a licensable banking activity, unless certain exemptions apply, in which case only a regulated trade licence will be required (see Section II.i).

Furthermore, factoring is a licensed banking activity under Austrian law. More precisely, the purchase of receivables, including loans, requires a banking licence. The assignment of receivables is also subject to an ad valorem stamp duty in the amount of 0.8 per cent of the assigned value. Certain exemptions to the stamp duty may apply; for example, assignments in the course of a factoring transaction or an assignment of receivables to a securitisation special-purpose entity. No perfection requirements apply with respect to an assignment of receivables. The assignment will be valid once agreed between the parties or in accordance with the terms of the contract. However, a third-party debtor may raise defences and may also declare set-off against the new assignee until being notified of the assignment.

iv Digital marketplaces

Legal requirements for digital marketplaces will depend on the assets that are traded or offered via these marketplaces: where securities are offered and traded, a marketplace could – depending on the exact services offered – qualify as either a stock exchange, multilateral trading facility (MTF) or organised trading facility (OTF). To operate a stock exchange, MTF or OTF, the operator must be licensed. In addition, participating in underwriting third-party securities issues as well as related services (third-party securities underwriting business) is subject to a banking licence under the Austrian Bank Act. Where only investments (see Section IV.ii) are offered or traded, a regulated trade licence (see Section II.i) may be required.

In terms of ICOs and cryptocurrencies, a platform will be subject to the above requirements where the coins or tokens are qualified as investment or security (see Section V.iii). Trading platforms for genuine cryptocurrencies – such as Bitcoin and Ether, which do not have an issuer that is collecting money from the public – will usually require no financial services licence but may require a free trading licence (see Section II.i).

Crowdfunding platforms can be subject to the above licensing requirements, depending on their exact business and services offered. To avoid licensing requirements, platforms in Austria have taken different approaches – some do not include securities (including security tokens), while others limit the services so that in fact no licensed service is provided. Often, these platforms are reduced to mere marketing platforms but operators refrain from offering trading (selling or purchasing) securities and tokens or placement of these instruments.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

There is no specific regulation of blockchain technology in Austria. The FMA considers the current legislation to be technology neutral.

i Genuine cryptocurrencies (Bitcoin and Ether)

Cryptocurrencies without an issuer that are generated via a blockchain protocol using mining and distributed ledger technology – such as Bitcoin and Ether – are not considered currencies or financial instruments or tradeable securities in Austria.

This means that trading in such cryptocurrencies is not a regulated activity, but depending on the business model, a trade licence may be required (see Section II.i). Nevertheless, if the underlying asset of a derivative instrument consists of cryptocurrencies, this derivative instrument may qualify as a financial instrument under MiFID II. It may be assumed that the same should apply if the value of a token is linked to cryptocurrencies such as Bitcoin or Ether. However, it is not clear that stablecoins linking a token to a fiat currency are treated the same by the FMA. Rather, it appears that the FMA treats such stablecoins as e-money.

The applicable anti-money laundering (AML) rules extend to custodian wallet providers and platforms for exchanging cryptocurrencies. These providers now need to file a registration with the FMA and must evidence a compliance programme ensuring full adherence to AML rules.

ii Payment tokens

Slightly different from cryptocurrencies like Bitcoin and Ether, tokens can also take the form of payment tokens that have a similar function to Bitcoin and Ether but are issued by an entity or person.

Currently, some market participants are trying to establish stablecoins that are effectively mirroring a fiat currency such as the euro. These coins could, for example, be used to pay for goods and services – if the service provider was willing to accept such coins and if some other person was willing to exchange such coins either against fiat currency or potentially also other types of cryptoassets. Depending on the exact features, such payment tokens could qualify as e-money and issuing such payment tokens may require a licence as an e-money institute. A licence under the Banking Act or the Payment Services Act may also be required; for example, for issuing payment instruments or for providing payment services. There are exemptions from licensing requirements available that would need to be scrutinised on a case-by-case basis.

No securities prospectus (see Section V.iii) is required to issue payment tokens.

iii Fundraising via tokens

Fundraising via tokens is generally subject to the same rules as any other form of fundraising (see Section IV.ii). These rules apply when funds are raised in Austria irrespective of whether the issuer or offeror is domiciled in Austria or acting from abroad.

Security tokens

If tokens are structured as tradeable securities, they are most commonly referred to as security tokens and may be qualified as financial instruments and transferable securities, provided such security tokens are freely tradeable in a similar way to securities (presumably the case with any ERC-20 token). Hence, the public offer of such tokens may be subject to prospectus requirements (see Section IV.ii). However, there is also a significant advantage for issuers when tokens are considered as securities, as they will be able to benefit from prospectus passporting rules that would otherwise not be available for ICOs or ITOs. On the other hand, such qualification might adversely impact certain business models of fintech companies. For example, trading in security tokens may require a banking licence in Austria, advising customers on investments in security tokens might be considered as investment advice under MiFID II, and accepting and transmitting orders for security tokens may also be regulated under the Austrian Securities Supervision Act 2018.

As outlined in Section IV.ii, the offering of investments is also subject to investment prospectus requirements under the CMA. Whenever these investments are represented in token form, particular scrutiny must be applied. This is because the FMA considers investments that are 'tokenised' (i.e., issued in token form) to be tradeable securities for the purposes of prospectus requirements (see Section IV.ii). Hence, these tokens also qualify as security tokens. This means that these ICOs/ITOs will require a securities prospectus instead of the more simplified investment prospectus (see Section IV.ii).

All exemptions from prospectus requirements and the easements contained in the AFA should also apply to security tokens and ICOs/ITOs.

Utility tokens

Utility tokens are usually structured like vouchers and grant holders the right to exchange their tokens against goods or services (of the issuer or service partners). These tokens are qualified as payment instruments by the FMA. However, the FMA considers the limited network exemption under PSD II to be applicable, provided that the tokens are only accepted by the issuer of the tokens and a limited number of service partners (see Section IV.i). Otherwise, a licence under the Payment Services Act, implementing PSD II, may be required.

iv Tax treatment

Income tax and capital gains tax

Cryptocurrencies are treated as immaterial and non-consumable assets for income tax purposes. Interest and gains resulting from cryptocurrencies and tokens are subject to capital gains tax. If held for one's private assets, gains resulting from trading cryptocurrencies are tax-free if the cryptocurrencies are held for longer than one year.

The mining of cryptocurrencies is considered a commercial activity subject to income tax. The same applies to trading cryptocurrencies or operating a Bitcoin ATM.


According to the Austrian Ministry of Finance, in accordance with Case C-254/14 of the European Court of Justice (Hedqvist), exchanging fiat currency (e.g., the euro) against cryptocurrencies is not subject to VAT. The same applies to cryptocurrency mining.

If goods and services are delivered in exchange for Bitcoin or other cryptocurrencies, the goods and services are taxed the same way as payment effected in fiat currency (e.g., the euro). The amount of tax is calculated in accordance with the value of the cryptocurrency at the time of the exchange.

Other new business models

i Self-executing contracts

There is currently no special legal framework in place for self-executing contracts ('if this then that' (IFTTT)). Any such smart contract would therefore need to fit into existing Austrian civil law rules on contract formation, rights and remedies, enforcement and potential termination or dissolution. When using smart contracts, various legal uncertainties will exist: from the choice of law, to jurisdiction in the case of conflict, to questions of warranties and potentially the need to reverse a transaction.

Bearing in mind the above, smart contracts appear as suitable instruments to execute certain transactions that have been agreed off-chain (e.g., a smart contract to execute a sale and purchase of tokens). In this case, the smart contract itself does not establish the obligation but rather the automation of the smart contract (IFTTT) enables automatic settlement.

Like any other form of contract, if one party wishes to enforce its rights under the contract in Austria, it will need to prove that the other party in fact entered into it. It is largely unclear how such evidence capable of standing up before an Austrian court could be produced in the case of self-executing contracts (smart contracts), but this is ultimately a question about what is technically feasible to prove the identity of the contracting parties; for example, the implementation of an authentic electronic signature (see Section III).

ii Fully automated investment process

For licensing purposes under the Austrian Banking Act or the Austrian Securities Supervision Act 2018, it does not matter whether regulated activities are provided in fully automated form or whether an employee is acting on behalf of the investment company. Hence, entities that offer fully automated investment advice or fully automated portfolio management services will also require the respective licences under Austrian law.

iii Websites comparing products

There is no general rule prohibiting a website that compares different financial products. However, there is a thin line between the mere comparison of the features of regulated products and being seen to offer or market those products to the public. Website operators are well advised to take into account the specific marketing rules in the various legal acts applicable to financial products, including the Securities Supervision Act 2018, the Investment Fund Act and the CMA.

iv Decentralised exchanges

Decentralised exchanges allow for peer-to-peer transactions between customers without the operator or a central counterparty or intermediary being involved. To the extent that the decentralised exchange facilitates the trading of securities and security tokens, a licence under the Austrian Banking Act or the Securities Supervision Act 2018 may be required (see Section IV.iv).

Intellectual property and data protection

i Intellectual property

A business model as such cannot be protected under Austrian law. However, depending on the business model, some aspects relating to it (such as software solutions or inventions necessary to facilitate the business activities) may be subject to protection under local Austrian intellectual property rules.

ii Patent

Patent protection will be available for all inventions in the technical sector that are new, do not derive from prior art in an obvious manner and can be commercially used.

The Austrian Patent Act excludes certain inventions, products and methods from patent protection, including scientific theories and mathematical methods, aesthetic creative forms, plans and methods for intellectual activities, games or business activities, and computer programs.

Patent protection is granted for a maximum of 20 years.

iii Utility patent and design patent

Protection as a utility patent will be available for all inventions in the technical sector that are new, derive from an inventive step and can be commercially used. Excluded from protection are, inter alia, scientific theories and mathematical methods, aesthetic creative forms, plans and methods for intellectual activities, games or business activities, and computer programs. However, unlike patents, utility patents may also be used to protect programming logic underlying data processing software. A utility patent is granted for a maximum period of 10 years.

Protection as a design patent is available for new and characteristic designs. If a design results solely from a technical function, no protection will be granted. A design patent is granted for a period of five years, which can be extended by further five-year periods up to a maximum term of 25 years.

iv Copyright

Unique intellectual creations are protected by the Austrian Copyright Act. As well as works of art (paintings, films, etc.) and literature, copyright protection may extend to software (including source codes) and databank solutions under Austrian law, provided that these achieve the status of unique intellectual creations. Under Austrian law, the creator is always a natural person. Legal persons cannot be creators within the meaning of the Austrian Copyright Act but may, of course, be granted (exclusive or non-exclusive) rights of usage or exploitation.

In terms of software protection, the Austrian Supreme Court held that what is protected is not a work result achieved by a software application, but the individually shaped problem solving achieved by combining many programming steps. A prerequisite for the protection of the programming steps is that they have a certain complexity. In another case, the Supreme Court decided that computer programs have the necessary complexity if, for example, the task at hand allowed for several solutions and the programmer had sufficient freedom of thought to develop individual features. This is to be assumed either in the case of complex programs or if an unusual degree of experience, skill and expertise is manifested in the work. It is also decisive whether a program is newly created or whether the programmer can essentially fall back on already existing program modules.

The copyright ends 70 years after the (last) creator's death.

v Employee inventions

Patents and utility patents

Generally, an employee who creates an invention while being employed by his or her employer nevertheless has the right to patent protection. A contractual arrangement to the contrary is possible but will only be valid to the extent that it concerns 'service inventions'. A service invention is any invention (1) whose creation was part of the activities that the employee was tasked to provide, (2) that was inspired by the services provided by the employee to his or her employer, and (3) that was facilitated to a substantial extent through use of the resources of the employer.

The employee is nevertheless entitled to appropriate additional compensation for each invention, unless the employee was expressly employed for the purpose of creating inventions for the use of the employer. Ultimately, the employment contract will need to be analysed under labour law to determine whether compensation is owed by the employer to the employee.

The rules applicable to patents will also apply mutatis mutandis to utility patents.

Design patents

If the creation of the design patent was part of the activities that the employee was tasked to provide and the design patent is part of the business area of the employer or if the design patent was created by the employee by order of the employer, the employer will have the right of protection. There is no provision in the Austrian Design Patent Act that would provide for additional remuneration of the employee. Hence, questions of additional remuneration will predominantly be a question of employment or labour law with a specific focus on the contractual arrangement between the parties.


An employer will be granted an unlimited right of usage for computer programs that are created by an employee in fulfilling his or her duties in relation to the employer. However, the employee retains the right to be named as the creator. There is no provision in the Austrian Copyright Act that would provide for additional remuneration of the employee. Hence, questions of additional remuneration will predominantly be a question of employment or labour law with a specific focus on the contractual arrangement between the parties.

vi Data protection

Data protection in Austria is governed by the GDPR and by the Austrian Data Protection Act (supplementing the GDPR).

Under the GDPR, personal data that allows for the identification of natural persons is protected and subject to a strict regime. Any person about whom data is processed (the data subject) has certain rights under the GDPR that cannot be derogated from. These rights include the right to obtain transparent information from the controller, the right to obtain rectification of inaccurate personal data, the right to erasure (right to be forgotten), the right to restriction of further processing and the right to object to data processing.

Profiling of client data is part of many fintechs' business models and is covered by the GDPR. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is subject to specific regulation under the GDPR, including the right of the client to object.

Under the GDPR, where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. This may particularly apply to certain fintechs with business models built on extensive and elaborate data mining, processing or profiling.

Fines under the GDPR are quite hefty and range between €10 million and €20 million, or 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is the higher.

In addition, strict banking secrecy applies under Austrian law. All client banking data is protected, even the information that a certain person is a client of a bank. Unlike the GDPR, banking secrecy will also protect legal persons. Any service provider acting for a bank in Austria (e.g., a fintech company providing outsourcing services for a bank) will be bound by banking secrecy by law. Hence, the outsourcing provider will be directly subject to the sanctions for a breach of banking secrecy, including criminal liability.

Data protection and banking secrecy need to be read together – where both are applicable, the stricter standard will prevail. This means that where data processing is permissible under the GDPR but not under banking secrecy, the data processing is not allowed. The same applies vice versa: where data processing is permissible under banking secrecy but not under the GDPR, the data processing is not allowed.

Year in review

Austrian crypto company Bitpanda has become the rising star in the Austrian fintech sector, achieving unicorn status in 2021, enabling the company to heavily expand in Austria as well as Europe and around the world. In 2021, regulatory practice of the FMA has shown that crypto-traders and wallet-providers are subjected by the FMA to exorbitant requirements under AML and know-your-customer (KYC) rules that, under Anti-Money Laundering Directive V, also apply to custodian wallet providers and certain crypto service providers. These service providers must be registered with the FMA. As part of the registration, the providers need to present a business plan to the FMA as well as a detailed description of internal control systems and their strategies to ensure compliance with AML and KYC rules. Regulatory practice has shown that the FMA is applying much stricter standards than are usual, even in the area of regulated financial service providers. While regulated entities such as banks and investment firms need to comply only with specific Austrian AML/KYC rules if they operate via a branch office in Austria, crypto services acting in-bound from outside of Austria are subjected by the FMA to the full set of Austrian AML/KYC requirements and even need to appoint a money laundering officer who is knowledgeable in Austrian law. These strict requirements represent a substantial burden for foreign crypto companies.

Outlook and conclusions

Following the entry into force of the FMA Sandbox, it remains to be seen whether more fintechs will make use of this opportunity to test their business models without having to obtain a full financial services licence (see Section I). As mentioned above, given the wide disclosure obligations with regard to the FMA, fintechs should carefully consider whether the benefits of the FMA Sandbox outweigh the additional burdens.

One possible solution for fintechs to operate without a licence and without participating in the FMA Sandbox would be to partner with existing and regulated market participants (white-labelling). Any licensable activities would formally be provided by the regulated partner entities, while fintech companies would undertake to provide those entities with specific fintech solutions or act as an outsourcing provider. This would allow them to establish unique and innovative business models while adhering to the regulatory framework. If a business model proves successful, fintech companies could decide at a later stage to seek the required licences themselves.

In terms of fundraising, the EU Crowdfunding Regulation has applied since 10 November 2021 and opens up new fundraising opportunities without the need for a full capital markets prospectus, including crowdfunding via a single European passport. While they are not specifically targeted at fintechs or fintech start-ups, these new opportunities will also be usable by fintechs.


1 Stefan Paulmayer is a partner at CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH.
