A FinTelegram Analysis of the Austrian FMA’s Rapid CASP Authorisations and What It Means for EU Crypto Regulation
Executive Summary
Austria’s Financial Market Authority (FMA) is aggressively positioning Vienna as a gateway to the European crypto market. With six MiCA-licensed crypto-asset service providers (CASPs)โincluding two exchanges with substantial regulatory baggageโthe FMA has emerged as one of the EU’s most prolific MiCA licensing authorities. However, this regulatory sprint raises serious questions: Is Vienna on track to become the new “Cyprus of crypto,” or does the FMA possess the capacity to supervise globally active exchanges with histories of enforcement actions?
The Austrian MiCA Licence Roster
The FMA has issued MiCA authorisations to six CASPs as of December 2025[web: 95][web: 101][web: 202]:
| Company | Licence Date | HQ/Origin | Notable Issues |
|---|---|---|---|
| Bitpanda | April 2025 | Austria (domestic) | Clean record; long-standing FMA relationship |
| Bybit EU GmbH | May 2025 | Dubai/Singapore | $1.5B hack (Feb 2025); DNB โฌ2.25M fine; Russian user exposure (~20โ27% of traffic) |
| AMINA (Austria) AG | Oct 2025 | Switzerland (Amina Bank group) | Regulated banking group |
| Cryptonow GmbH | Oct 2025 | Switzerland | First Swiss firm to receive Austrian MiCA licence |
| FIOR Digital GmbH | Nov 2025 | Austria | Domestic fintech |
| KuCoin EU Exchange GmbH | Nov 2025 | Seychelles/Hong Kong | $297M DOJ settlement (Jan 2025); Seychelles FSA rejection; founders departed |
Of these six licensees, only Bitpanda and FIOR Digital are genuinely Austrian companies. The remainder are foreign platformsโincluding two (Bybit and KuCoin) with significant enforcement historiesโthat have chosen Vienna as their EU regulatory gateway.
The EU MiCA Licence Landscape: Is Vienna Leading?
Noโbut Austria punches above its weight.ย The latest data shows Germany and the Netherlands lead in absolute CASP licence numbers:
| Jurisdiction | CASP Licences | Notable Features |
|---|---|---|
| Germany (BaFin) | ~12โ18 | Largest market; established fintech hub |
| Netherlands (AFM) | ~9โ14 | Strict AML regime; early MiCA implementer |
| Malta (MFSA) | ~5 | ESMA criticism for inadequate authorisation processes |
| France (AMF) | ~3โ6 | Threatening to block passported licences |
| Austria (FMA) | 6 | Includes KuCoin, Bybit |
| Cyprus (CySEC) | ~2โ3 | Revolut recently licensed |
Austria’s six licences place it alongside Malta and ahead of Cyprusโbut the composition of those licences is the issue. While Germany and the Netherlands have licensed primarily domestic or established players, Austria has become a favoured destination for offshore exchanges seeking EU access.
The Cyprus and Malta Comparison: Warning Signs
The FMA’s licensing trajectory draws uncomfortable parallels to two jurisdictions with troubled crypto regulatory histories:
- Malta:ย ESMA’s July 2025 peer review criticised the MFSA for granting licences without adequately assessing material risks, including governance, conflicts of interest, and AML/CFT control. The review found Malta’s authorisation processes only “partially” met expectations. Malta has since pushed back against proposals to centralise CASP supervision at ESMA level.
- Cyprus:ย CySEC was the regulator of choice for binary options brokers during the 2010s “Cyprus era,” a period marked by widespread retail investor harm and eventual regulatory crackdowns. While CySEC has since tightened standards, Cyprus has been slower to issue MiCA licences, with Revolut obtaining approval only in October 2025.
Austria’s risk:ย By authorising exchanges like KuCoin (convicted in the US) and Bybit (hacked for $1.5 billion, significant Russian exposure), the FMA is inviting comparisons to Malta’s permissive licensing approachโand to Cyprus’s historical role as a regulatory “light-touch” jurisdiction for questionable financial services firms.
Internal and External Criticism
Remarkably, the FMA itselfโalongside France’s AMF and Italy’s CONSOBโhas co-authored a position paper calling for strengthened MiCA supervision. The September 2025 joint statement warned:
- MiCA’s application is “fragmented across jurisdictions”
- National authorities cannot require cybersecurity certification at the authorisation stage
- The location of large CASPs outside the EU “weakens the reach of European regulation”
- Supervisory convergence “quickly reaches its limits”
The three regulators proposed direct ESMA supervision of significant CASPsโa tacit admission that national authorities may lack the resources and extraterritorial reach to supervise globally active exchanges.
France’s AMF has gone further, warning it may refuse to honour MiCA passports from other jurisdictionsโa threat that would undermine the entire single-market framework.
Verdict: Is Vienna the MiCA Hub?
Partiallyโbut for the wrong reasons.ย Vienna is not the EU’s largest MiCA licensing centre (that honour goes to Germany and the Netherlands), but it has become disproportionately attractive to offshore exchanges with regulatory baggage. The FMA’s willingness to license KuCoinโten months after a $297 million US guilty pleaโand Bybitโmonths after a $1.5 billion hack attributed to North Korean state actorsโraises legitimate questions about the depth of due diligence applied.
The FMA may not yet be “the new CySEC,” but its trajectory deserves scrutiny. If the Austrian regulator continues to authorise exchanges that other jurisdictions have fined, rejected, or placed on warning lists, Vienna risks becoming a regulatory arbitrage destinationโprecisely the outcome MiCA was designed to prevent.
For lawyers and compliance professionals advising crypto firms, Austria offers speed and accessibility. For regulators concerned about investor protection and systemic risk, the FMA’s licensing record warrants close monitoring.
