MiCAR Enforcement Act (MiCA-VVG)

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. Federal Act implementing Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA-VVG; MiCA-Verordnung￾Vollzugsgesetz) MiCAR Enforcement Act (MiCA-VVG) Original Version: published in Federal Law Gazette I 111/2024 Amendments (in Federal Law Gazette I unless stated otherwise): 5/2026 Note about this translation: this consolidated version reflects all amendments up to and including the one published in the Federal Act published in Federal Law Gazette I 5/2026. Date: 14.04.2026

MiCAR Enforcement Act (MiCA-VVG) 2 / 28 SECTION 1: AUTHORITIES Competent Authority Article 1. (1) The Austrian Financial Market Authority (FMA; Finanzmarktaufsichtsbehörde) is the competent authority for Austria pursuant to Article 93(1) of Regulation (EU) 2023/1114 on markets in crypto-assets and amending Regulations (EU) 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, OJ L 150, 09.06.2023, p. 40, in the version amended by Regulation (EU) 2023/2869, OJ L 2023/2869, 20.12.2023. Irrespective of the tasks assigned to it in other Federal Acts, the FMA shall exercise the tasks and powers conferred upon competent authorities pursuant to Article 93(1) of Regulation (EU) 2023/1114 and shall monitor compliance with the provisions set out in this Federal Act and in Regulation (EU) 2023/1114 as well as any delegated legal acts and implementing acts enacted based on that Regulation. (2) The FMA shall take into account European convergence in respect of supervisory tools and supervisory procedures in the enforcement of this Federal Act, Regulation (EU) 2023/1114, as well as any delegated and implementing acts enacted based on that Regulation. For this purpose, the FMA shall apply the Guidelines, Recommendations and other measures decided by the European Banking Authority (EBA) or the European Securities and Markets Authority (ESMA) (Regulation (EU) No. 1095/2010) within the scope of application of Regulation (EU) 2023/1114. The FMA may deviate from the guidelines and recommendations, provided that justified grounds exist to do so in particular where they conflict provisions set out under national law. (3) The FMA is the ESAP collection body for information pursuant to Article 88 (1) of Regulation (EU) 2023/1114 as defined in Article 2 point 2 of Regulation (EU) 2023/2859 pursuant to Article 110a (3) of Regulation (EU) 2023/1114 and shall make this information accessible in the ESAP. (4) The FMA is the collection body as defined in Article 2 point 2 of Regulation (EU) 2023/2859 pursuant to Article 3 (2) of Regulation (EU) 2023/2859 for the collection of information on a voluntary basis listed in Regulation (EU) 2023/1114. (5) The FMA may determine, by means of a Regulation, a specific format, additional meta data to be included and the submission modalities for the submission of data pursuant to paras. 3 and 4, if this appears expedient taking into consideration rules under European Union law. (6) The FMA shall be empowered as the controller under data protection law pursuant to Article 4 point 7 of Regulation (EU) 2016/679 in conjunction with the tasks pursuant to paras. 3 and 4 for processing personal data as defined in Regulation (EU) 2016/679. Cooperation in ongoing supervision Article 2. (1) The FMA may allow inspections, expert opinions or analyses to be conducted by experts in the performance of its duties and powers pursuant to Regulation (EU) 2023/1114 or this Federal Act.

MiCAR Enforcement Act (MiCA-VVG) 3 / 28 (2) The FMA and the Oesterreichische Nationalbank shall cooperate closely regarding the duties and powers conferred upon the FMA pursuant to Regulation (EU) 2023/1114 or this Federal Act in relation to the supervision of issuers of asset-referenced tokens (ARTs) and issuers of e-money tokens (EMTs) that are credit institutions pursuant to Article 1 para. 1 of the Banking Act (BWG: Bankwesengesetz), published in Federal Law Gazette no. 532/1993, or electronic money institutions pursuant to Article 1 para. 2 no. 2 of the E-Money Act 2010 (E-Geldgesetz 2010), Federal Law Gazette I No. 107/2010. The regulations contained in Article 3 paras. 8 and 9, Article 70 para. 1 nos. 3 and 4 as well as paras. 1a to 1e, Article 70a para. 2, Article 71 and Article 79 paras. 1 to 4a and paras. 5 to 8 BWG shall apply accordingly. (3) Where there is a close cooperation between the FMA and the Oesterreichische Nationalbank with regard to the duties and powers conferred upon the FMA pursuant to Regulation (EU) 2023/1114 or this Federal Act in conjunction with the supervision of issuers of asset-referenced tokens that are not credit institutions pursuant to Article 1 para. 1 BWG or e-money institutions pursuant to Article 1 para. 2 no. 2 of the Electronic Money Act (E-Geldgesetz 2010), then the regulations set out in Article 70 para. 1 no. 3 first and fourth sentence and no. 4 as well as paras. 1a and 1d, Article 71 and Article 79 paras. 1 to 4a and paras. 5 to 8 BWG shall apply accordingly to this cooperation. (4) The tasks, rights and obligations of the Oesterreichische Nationalbank with regard to the supervision of payment institutions in accordance with Article 44a of the National Bank Act (NBG; Nationalbankgesetz 1984) published in Federal Law Gazette no. 50/1984 shall remain unaffected by the provisions of this Federal Act. (5) The FMA and the Oesterreichische Nationalbank shall perform the duties, powers and obligations conferred on them by this Federal Act and Regulation (EU) 2023/1114 only to the extent that exercising them is not reserved to the European Central Bank under the provisions of Regulation (EU) no. 1024/2013 on conferring specific tasks on the European Central Bank relating to the prudential supervision of credit institutions, OJ L 287, 29.10.2013, p. 63, in the version of the corrigendum in OJ L 218, 19.08.2015, p. 82. SECTION 2: SUPERVISION AND PROCEDURAL PROVISIONS General supervisory powers Article 3. (1) The FMA shall be authorised at all times in relation to the monitoring of the observance of the regulations contained in this Federal Act, in Titles Two to Six of Regulation (EU) 2023/1114 as well as any delegated acts and implementing acts issued based on that Regulation irrespective of the powers conferred upon it in other Federal Acts:

1. to require any person to provide information and documents which the FMA considers could be relevant for the performance of its duties:

MiCAR Enforcement Act (MiCA-VVG) 4 / 28 a. to inspect the books, documents, and data carriers of the legal entities listed in Article 3(1) (35) points a or b of Regulation (EU) 2023/1114, and to receive copies thereof, b. to request information from a legal entity listed in Article 3(1) (35) points a or b of Regulation (EU) 2023/1114 and its bodies, and to summon and question persons, c. to request existing recordings of telephone calls and data submissions from a legal entity listed in Article 3 (1) (35) points a or b of Regulation (EU) 2023/1114, and d. to collect information from the auditors of a legal entity listed in Article 3(1) (35) points a or b of Regulation (EU) 2023/1114, 2. to suspend, or to require a crypto-asset service provider to suspend, the provision of crypto￾asset services for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that Regulation (EU) 2023/1114 or this Federal Act has been breached, 3. to partially or totally prohibit the provision of crypto-asset services, if Regulation (EU) 2023/1114 or this Federal Act have been breached, 4. to disclose, or to require a crypto-asset service provider to disclose, all material information which might affect the provision of the crypto-asset services concerned, in order to ensure the protection of the interests of clients, in particular retail holders, or the smooth operation of the market, 5. to make public the fact that a crypto-asset service provider fails to fulfil its obligations, 6. to suspend, or to require a crypto-asset service provider to suspend, the provision of crypto￾asset services where the FMA considers that the crypto-asset service provider’s situation is such that the provision of the crypto-asset service would be detrimental to the interests of clients, in particular retail holders, 7. to require the transfer of existing contracts to another crypto-asset service provider in cases where a crypto-asset service provider’s authorisation is withdrawn pursuant to Article 64 of Regulation (EU) 2023/1114, subject to the agreement of the clients and the crypto-asset service provider to which the contracts are to be transferred, 8. where there is a reason to assume that a person is providing crypto-asset services without authorisation, to order the immediate cessation of the activity without prior warning or imposition of a deadline, 9. to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset￾referenced tokens or e-money tokens to amend their crypto-asset white paper or further amend their modified crypto-asset white paper, where the crypto-asset white paper or the modified crypto-asset white paper does not contain the information pursuant to Articles 6, 19 or 51 of Regulation (EU) 2023/1114, 10. to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset￾referenced tokens or e-money tokens, to amend their marketing communications, where the

MiCAR Enforcement Act (MiCA-VVG) 5 / 28 marketing communications do not comply with the requirements set out in Articles 7, 29 or 53 of Regulation (EU) 2023/1114, 11. to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset￾referenced tokens or e-money tokens, to include additional information in their crypto-asset white papers, where necessary for financial stability or the protection of the interests of the holders of crypto-assets, in particular retail holders, 12. to suspend an offer to the public or an admission to trading of crypto-assets for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that Regulation (EU) 2023/1114 has been breached, 13. to prohibit partially or totally an offer to the public or an admission to trading of crypto-assets, if Regulation (EU) 2023/1114 or this Federal Act was breached, or where there are reasonable ground to suspect that Regulation (EU) 2023/1114 or this Federal Act will be breached, 14. to suspend, or require a crypto-asset service provider operating a trading platform for crypto￾assets to suspend, trading of the crypto-assets for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that Regulation (EU) 2023/1114 or this Federal Act has been breached, 15. to prohibit trading of crypto-assets on a trading platform for crypto-assets partially or totally where they find that Regulation (EU) 2023/1114 or this Federal Act has been breached, or where there are reasonable grounds for suspecting that the Regulation will be breached, 16. to suspend or prohibit marketing communications, where there are reasonable grounds for suspecting that Regulation (EU) 2023/1114 or this Federal Act has been breached, 17. to require offerors, persons seeking admission to trading of crypto-assets, issuers of asset￾referenced tokens or e-money tokens or relevant crypto-asset service providers to cease or suspend marketing communications for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that Regulation (EU) 2023/1114 or this Federal Act has been breached, 18. to make public the fact that an offeror, a person seeking admission to trading of a crypto-asset or an issuer of an asset-referenced token or e-money token, fails to fulfil their obligations pursuant to Regulation (EU) 2023/1114 or this Federal Act, 19. to disclose, or to require the offeror, the person seeking admission to trading of a crypto-asset or the issuer of the asset-referenced token or e-money token, to disclose all material information which may have an effect on the assessment of the crypto-asset offered to the public or admitted to trading in order to ensure the protection of the interests of holders of crypto-assets, in particular retail holders, or the smooth operation of the market, 20. to suspend partially or totally, or require the relevant crypto-asset service provider operating the trading platform for crypto-assets to suspend, the crypto-assets from trading where the FMA considers that the situation of the offeror, the person seeking admission to trading of a crypto-asset or the issuer of an asset-referenced token or an e-money token is such that

MiCAR Enforcement Act (MiCA-VVG) 6 / 28 trading would be detrimental to the interests of the holders of crypto-assets, in particular retail holders, 21. where there is a reason to assume that a person is issuing asset-referenced tokens or e-money tokens without authorisation or a person is offering or seeking admission to trading of crypto￾assets other than asset-referenced tokens or e-money tokens without a crypto-asset white paper notified pursuant to Article 8 of Regulation (EU) 2023/1114, to order the immediate cessation of the activity without prior warning or imposition of a deadline, 22. to take any type of measure to ensure that an offeror or a person seeking admission to trading of crypto-assets, an issuer of an asset-referenced token or an e-money token or a crypto-asset service provider comply with Regulation (EU) 2023/1114 including to require the cessation of any practice or conduct that the FMA consider contrary to that Regulation, 23. to carry out on-site inspections or investigations at sites other than the private residences of natural persons, and for that purpose to enter premises in order to access documents and other data in any form; Articles 119 to 122 of the Code on Criminal Procedure 1975 (StPO; Strafprozeßordnung 1975), published in Federal Law Gazette no. 631/1975, and the principle of legality and proportionality pursuant to Article 5 StPO shall apply accordingly; where the affected party opposes the FMA’s intended measure, then where necessary the Federal Administrative Court (BVwG; Bundesverwaltungsgericht) must decide on the FMA’s request by means of a decision. The FMA shall be required to justify its request for an inspection and the submit it to the Federal Administrative Court along with the relevant files, 24. Inspections and investigations, including the conducting of on-site inspections, are to be conducted by its own inspectors or to be outsourced to external auditors, external auditing companies or other experts, 25. to require the removal of a natural person from the management body of an issuer of an asset￾referenced token or of a crypto-asset service provider, 26. to request any person to take steps to reduce the size of its position or exposure to crypto￾assets, 27. where no other effective means are available to bring about the cessation of the breach of Regulation (EU) 2023/1114, and in order to avoid the risk of serious harm to the interests of clients or holders of crypto-assets to take all necessary measures, including by requesting a third party or a public authority to implement such measures, to: a. remove content or restrict access to an online interface or to order the explicit display of a warning to clients and holders of crypto-assets when they access an online interface, b. order a hosting service provider to remove, disable or restrict access to an online interface, or c. order domain registries or registrars to delete a fully qualified domain name and allow the competent authority concerned to register it, and

MiCAR Enforcement Act (MiCA-VVG) 7 / 28 28. to require an issuer of an asset-referenced token or e-money token, pursuant to Article 23(4), 24(3) or 58(3) of Regulation (EU) 2023/1114, to introduce a minimum denomination amount or to limit the amount issued. (2) Irrespective of Article 2 paras. 1 to 3 regarding inspections by the Oesterreichische Nationalbank, for an inspection pursuant to para. 1 nos. 3 to 5, the bodies engaged shall be issued a written inspection engagement and they shall verify their identity and present the inspection engagement, without being requested to do so, prior to commencing the inspection. Otherwise, Article 71 paras. 1 to 6 BWG shall apply accordingly. Supervisory powers for averting a threat to the fulfilling of obligations Article 4. (1) To avert a threat for the fulfilment of the obligations of a legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 in accordance with this Federal Act, Titles Two to Six of Regulation (EU) 2023/1114 or any delegated legal acts and implementing acts, the FMA may, irrespective of the powers conferred upon it in Article 3 para. 1 and other Federal Acts, the FMA may order temporary measures by way of an administrative decision, that cease to apply at latest 18 months after taking effect. In particular, the FMA may issue administrative decisions which:

1. prohibit the withdrawal of capital and earnings as well as distributions of capital and earnings either partially or totally,
2. completely or partly prohibit directors of a legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 from managing the company, while simultaneously notifying the body responsible for appointing the directors; the responsible body must re-appoint the corresponding number of directors within one month; in order to be legally effective, such appointments require the consent of the FMA, which is to be refused, if the newly appointed directors do not appear suitable for the purpose of averting the aforementioned threat,
3. appoint an expert supervisor (government commissioner), who belongs to the legal or auditing profession; the supervisor, who shall be afforded full rights pursuant to Article 3 para. 1, shall a. prohibit the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 from conducting all business that is suited to exacerbate the aforementioned threat, and b. in the event the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 has been partially or fully prohibited from continuing transactions, to allow individual transactions that will not exacerbate the aforementioned threat,
4. completely or partly prohibit the continuation of business operations. (2) The FMA may at the government commissioner’s request appoint a deputy, where and for as long as is necessary for important reasons, especially due to the temporary incapacitation of the government commissioner. The same provisions shall apply to the appointment of any deputy as

MiCAR Enforcement Act (MiCA-VVG) 8 / 28 well as their rights and duties as for the government commissioner. With the approval of the FMA, the government commissioner may use suitably qualified persons to perform their duties, where doing so is necessary considering the scope and difficulty of the duties. The FMA’s approval must name these persons by name and must also be legally delivered to the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114. Such persons shall act on instructions from and on behalf of the government commissioner or their deputy. (3) The FMA shall obtain recommendations about suitable government commissioners from the Austrian Bar (Österreichischer Rechtsanwaltskammertag) and the Chamber of Professional Accountants and Tax Advisors (Kammer der Wirtschaftstreuhänder). If a government commissioner needs to be appointed pursuant to para. 1 no. 3 or a deputy pursuant to para. 2, and where it is not possible to make such an appointment based on such notifications, then the FMA shall notify the competent bar association or Chamber of Professional Accountants and Tax Advisors for the registered office or head office of the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114, for them to name a suitably qualified lawyer or auditor as government commissioner. In cases of imminent danger, the FMA may appoint:

1. a lawyer, or
2. an external auditor as a temporary government commissioner. This appointment will cease to be effective upon appointment of a lawyer or an external auditor in accordance with the first sentence or pursuant to para. 1 no. 3. (4) The government commissioner is to be remunerated by the FMA with a fee (function fee) which is commensurate to the work involved in supervision and the expenses incurred for this purpose. The government commissioner is entitled to submit invoices for each previous quarter and after the termination of his/her activities. The FMA shall pay such remuneration without delay after reviewing the invoice. Supervisory powers in the event of breaches of obligations Article 5. (1) If a legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 breaches provisions of this Federal Act, Titles Two to Six of Regulation (EU) 2023/1114 or any delegated legal acts and implementing acts issued based on that Regulation, the FMA may, irrespective of the powers conferred upon it in Article 3 para. 1 and other Federal Acts
3. instruct the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114, under threat of a coercive penalty, to restore legal compliance within a time frame commensurate to the circumstances, and
4. in the case of repeated or continued breaches partially or totally prohibit the directors of the legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114 from managing it.

MiCAR Enforcement Act (MiCA-VVG) 9 / 28 A prohibition pursuant to no. 2 shall not be permissible, where it would be inappropriate based on the nature and severity of the breach and where it may be reasonably expected that the restoration of legal compliance may be expected by repeating the procedure pursuant to no. 1; in that case, the initial coercive penalty imposed must be enforced and the instruction repeated with the threat of a larger coercive penalty. Submission of administrative decisions prohibiting the conducting of business (Untersagungsbescheide) to the Commercial Register Court (Firmenbuchgericht) Article 6. Administrative decisions in which directors are prohibited from managing a legal entity listed in Article 3 (1) (35) point a or b of Regulation (EU) 2023/1114, as well as any repealing of such a measure, are to be submitted by the FMA to the Commercial Register Court (Firmenbuchgericht) for entry in the Commercial Register (Firmenbuch). Specific supervisory powers in relation to market abuse Article 7. (1) The FMA shall be authorised at all times, within the scope of its monitoring of compliance with the regulations contained in Title VI of Regulation (EU) 2023/1114 (prevention and prohibition of market abuse involving crypto-assets) and any delegated legal acts and implementing acts issued based on this Title of the Regulation in addition to Articles 2 to 5 of this Federal Act, and irrespective of the powers conferred upon it in other Federal Acts,

1. to access any document and data in any form, and to receive or take a copy thereof,
2. to require or demand information from any person, including those who are successively involved in the transmission of orders or conduct of the operations concerned, as well as their principals, and if necessary, to summon and question any such person with a view to obtain information,
3. to carry out on-site inspections or investigations at sites other than the private residences of natural persons, in particular searches (Article 117 no. 2 and no. 3 lit. a of the Code on Criminal Procedure (StPO; Strafprozessordnung)) and to receive access to premises for that purpose, in order to inspect documents and data of any form, where reasonable grounds exist that documents or data that relate to the subject matter of the inspection or investigation, that may be relevant for proving insider trading, market manipulation or breaches against the obligations for the disclosure of inside information,
4. to refer matters further for criminal prosecution,
5. to request existing data traffic records held by a telecommunications operator, where there is a reasonable suspicion of a breach and where such records may be relevant to the investigation of a breach of Articles 88 to 91 of Regulation (EU) 2023/1114,
6. to apply to freeze or confiscate assets, or both, where doing so appears necessary for averting collapse, with the FMA being required to estimate the amount of the profit gained or loss

MiCAR Enforcement Act (MiCA-VVG) 10 / 28 avoided, where identifying or calculating this amount is not possible or would be unduly burdensome to do so, 7. to impose a temporary prohibition on the exercise of professional activity, 8. to take all necessary measures to ensure that the public is correctly informed, including by correcting false or misleading disclosed information, including by requiring an offeror, person seeking admission to trading or issuer or other person who has published or disseminated false or misleading information to publish a corrective statement. (2) Articles 5 and 119 to 122 StPO shall apply to inspections and investigations pursuant to para. 1 no. 3 subject to the proviso that the procedural provisions pursuant to Article 153 paras. 2, 4 to 7 and 9 of the Stock Exchange Act 2018 (BörseG 2018; Börsegesetz 2018) published in Federal Law Gazette I no. 107/2017 shall apply in relation to searches pursuant to Article 117 no. 2 lit. b StPO, although the Federal Administrative Court (Bundesverwaltungsgericht) shall apply instead of the Vienna Regional Criminal Court(Landesgericht für Strafsachen Wien), a reference to Article 13 para. 1 or 2 or Article 14 para. 1 no. 2 shall apply instead of a reference to Article 154 or Article 155 para. 1 no. 2 BörseG 2018, and a reference to Article 7 para. 1 no. 1 shall apply instead of a reference to Article 153 para. 1 no. 1 BörseG 2018. (3) The granting of information about data relating to communications pursuant to Article 134 no. 2 StPO shall be permissible if requested by the FMA, where there is a justified suspicion of an infringement against Article 13 (except in the cases of breaches against Article 90 (1) or (2) of Regulation (EU) 2023/1114) or Article 14 para. 1 no. 2, and if it is to be expected that doing so may facilitate the clarification of the infringement, and where based on certain facts it is able to be assumed that data relating to the guilty party may be identified. The procedural provisions pursuant to Article 153 paras. 4 to 6 and 8 BörseG 2018 shall apply, although the Federal Administrative Court (Bundesverwaltungsgericht) shall apply instead of the Vienna Regional Criminal Court (Landesgericht für Strafsachen Wien), a reference to Article 13 para. 1 or 2 or Article 14 para. 1 no. 2 shall apply instead of a Reference to Articles 154, 155 para. 1 no. 2, 163 and 164 BörseG 2018. For the purpose of this paragraph, including the applicable procedural provision, the granting of information about master data pursuant to Article 134 no. 1a StPO and of information about access data pursuant to Article 134 no. 1b StPO shall be treated like the granting of information about data relating to communications pursuant to Article 134 no. 2 StPO. (4) The provisions of this Federal Act shall remain unaffected by the provisions of Section 14 of the Telecommunications Act 2021 (TKG 2021; Telekommunikationsgesetz 2021), published in Federal Law Gazette I No. 190/2021. (5) Article 3 para. 2 shall apply in the case of on-site investigations pursuant to para. 1.

MiCAR Enforcement Act (MiCA-VVG) 11 / 28 Powers in relation to product intervention Article 8. Irrespective of the powers conferred upon it based on provisions under Federal law, the FMA shall be authorised to define measures pursuant to Article 105 (1) of Regulation (EU) 2023/1114 in the public interest by means of a Regulation or an administrative decision. Criteria for assessing knowledge and competence of natural persons when advising about crypto-assets Article 9. The FMA shall publish the necessary criteria for the assessment of the knowledge and competence that natural persons giving advice or information about crypto-assets, or a crypto-asset service on behalf of crypto-asset service providers are required to possess under the first sentence of Article 81 (7) of Regulation (EU) 2023/1114. The FMA may define the criteria by means of a Regulation taking into consideration European practices. Reporting Article 10. (1) Crypto-asset service providers, issuers of asset-referenced tokens and issuers of e￾money tokens shall submit reports about the master data relating to the entity to the FMA without delay following the end of each calendar half-year in accordance with the Regulation pursuant to para. 4. Irrespective of this, issuers of asset-referenced tokens and issuers of e-money tokens shall be required to notify any change in master data without delay. The report regarding employee headcount must only be reported at the end of each year, to be received by 31 January of the following year at the latest. (2) Crypto-asset service providers, issuers of asset-referenced tokens and issuers of e-money tokens shall submit reports about other data relating to the entity to the FMA without delay following the end of each calendar quarter in accordance with the Regulation pursuant to para. 4. (3) In the event of a deferral of publication of insider information pursuant to Article 88 (2) of Regulation (EU) No 2023/1114 issuers, providers or persons seeking admission to trading, shall contact the FMA directly following the disclosure of the insider information about the deferral, and to explain to the FMA in writing the extent to which the conditions for a deferral pursuant to Article 88 (2) of Regulation (EU) No 2023/1114 were met. (4) The FMA:

1. shall, with the consent of the Federal Minister of Finance, issue a Regulation defining the reporting dates, layout and content of the reports, as well as the reporting frequencies pursuant to paras. 1 and 2 and in this context observe the following points: a. the reporting contents, frequencies and dates of the implementing technical standards harmonised across the European Union (Regulation (EU) No 2023/1114) including their scope of application,

MiCAR Enforcement Act (MiCA-VVG) 12 / 28 b. the need for meaningful reporting for the purpose of ongoing supervision of crypto￾asset service providers, issuers of asset-referenced tokens and issuers of e-money tokens, c. equivalent reporting data, that is already available to the FMA based on other Federal Acts, and d. the national economic interest in a functioning financial market as well as financial stability, 2. may define the deadlines, specific formats and content of the reports pursuant to para. 3 by means of a Regulation, and in so doing shall observe the following: a. the reporting contents, frequencies and dates of the implementing technical standards harmonised across the European Union (Regulation (EU) No 2023/1114) including their scope of application, b. the need for meaningful reporting for the purpose of ongoing supervision of reporting agents pursuant to Article 88 (3) of Regulation (EU) 2023/1114, and c. the national economic interest in a functioning financial market as well as financial stability, 3. may stipulate in this context: a. a frequency for reporting individual items other than one set forth in para. 1 or para. 2, b. the submission of reports by issuers of asset-referenced tokens or issuers of e-money tokens pursuant to paras. 1 and 2 exclusively to the Oesterreichische Nationalbank, provided that doing so does not interfere with the performance of its duties in accordance with this Act or other Federal Acts, c. with regard to reporting pursuant to para. 2 to define the value from which issuers of asset-referenced tokens are required to observe the reporting obligations pursuant to Article 22 (2) of Regulation (EU) 2023/1114, 4. may in so doing stipulate that other data in relation to the undertaking pursuant to para. 2 are to be provided: a. information on the balance sheet, off-balance sheet items, on the income statement and compulsory disclosures in the notes, b. in the case of reporting by issuers of asset-referenced tokens, information that permits an assessment and monitoring of Article 35 as well as Article 43 (4) of Regulation (EU) 2023/1114 and the delegated act issued in accordance with Article 43 (11) of Regulation (EU) 2023/1114, and in the case of reporting by issuers of e￾Money tokens, information that permits an assessment and monitoring of Article 11 of the E-Money Act 2010 as well as Article 56 in conjunction with Article 43 (4) of Regulation (EU) 2023/1114 and the delegated act issued in accordance with Article 43 (11) of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 13 / 28 c. in the case of reporting by issuers of e-money tokens denominated in a currency that is the official currency of a Member State, information that permit the assessment and monitoring of Article 22 para. 1 to 2 and Article 56 of Regulation (EU) 2023/1114, d. in the case of reporting by issuers of significant e-money tokens or significant asset￾referenced tokens, information that permit an evaluation and monitoring of Articles 117 and 119 of Regulation (EU) 2023/1114, and e. in the case of reporting by crypto-asset service providers, information regarding crypto￾asset services, activities, orders and transactions, that permit the FMA to perform its supervisory tasks and to take enforcement measures. (5) In the event of reporting content being defined pursuant to para. 4 no. 3 lit. b, the Oesterreichische Nationalbank shall deliver an expert opinion about the relevant reporting and FMA Regulations issued for this purpose. (6) Following consultation of the Oesterreichische Nationalbank, the FMA may stipulate by means of a Regulation that the submissions pursuant to para. 3 as well as Article 4 (3) third subparagraph, Article 8 (1) and (2), Article 12 (2), Article 16 (2) second subparagraph, Article 17 (1) points a and b, Article 18 (1), Article 23 (4), Article 24 (1) second subparagraph, Article 25 (1), and (2) second subparagraph, Article 29 (5), Article 33, Article 34 (2) and (7), Article 36 (10), Article 41 (1) and (2), Article 44 (1), Article 46 (2), Article 47 (3), Article 48 (1), (6) and (7), Article 51 (12), Article 53 (5), Article 55 second subparagraph, Article 55 third subparagraph, Article 57 (1), Article 60 (1) to (6), Article 62, Article 65 (1), Article 69, Article 83 (1) and (2) and Article 85 (2) of Regulation (EU) 2023/1114 are to be made by purely electronic means or in a standardised format by means of electronic submission, and are required to correspond to certain specific formats, technical minimum requirements and procedures for transmission. (7) In the case of the Regulation pursuant to para. 6, the FMA shall be guided by the principles of economy and expediency, ensuring that the data remains electronically available to the FMA and the OeNB at all times and supervisory interests are not compromised. The FMA shall take appropriate arrangements to allow individuals subject to reporting requirements or, where applicable, individuals they have charged with submitting the reports on their behalf, to verify over an appropriate period of time whether the reporting data submitted by them or by the person charged with submitting the reports is correct and complete. (8) The definition by means of a Regulation pursuant to para. 6, under which the reporting mentioned therein is to be made exclusively in electronic form or in a standardised form by means of electronic transmission that is required to correspond to specific formats, technical minimum requirements and procedures for transmission, shall only be permissible where such forms of reporting, formats, technical minimum requirements and procedures for transmission are in line with the applicable rules in Regulation (EU) 2023/1114 that apply for the respective reporting and the rules contained in the associated regulatory and implementing technical standards. (9) reporting pursuant to para. 4, Article 22 (1) and (2), Article 43 (4), the delegated act issued in accordance with Article 43 (11), and Article 56 (3) of Regulation (EU) 2023/1114 is to be submitted to

MiCAR Enforcement Act (MiCA-VVG) 14 / 28 the OeNB, where it relates to issuers of asset-referenced tokens or issuers of e-money tokens. The OeNB shall ensure that the FMA has access by automated means at all times to the following data: (10) The Oesterreichische Nationalbank shall perform the standardised onward transmission stipulated under union law of reporting pursuant to para. 4, Article 22 (1) and (2), Article 43 (4), as well as the delegated act issued in accordance with Article 43 (11), and Article 56 (3) of Regulation (EU) 2023/1114 where it relates to issuers of asset-referenced tokens or issuers of e￾money tokens. SECTION 3: MEASURES UNDER ADMINISTRATIVE LAW Administrative penal provisions Article 11. Any person who

1. in contravention of Article 4 of Regulation (EU) 2023/1114 makes an offer to the public of crypto-assets other than asset-referenced tokens or e-money tokens or seeks the admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens in contravention of Article 5 Regulation (EU) 2023/1114,
2. in contravention of Article 16 of Regulation (EU) 2023/1114 offers asset-referenced tokens to the public or seeks the admission to trading of asset-referenced tokens, or in contravention of Article 48 of Regulation (EU) 2023/1114 offers e-money tokens to the public or seeks the admission to trading of e-money tokens, or
3. in contravention of Article 59 of Regulation (EU) 2023/1114 offers crypto-asset services, commits an administrative offence and shall be fined up to EUR 700 000 by the FMA or up to double the amount of the gain arising from the breach or any loss avoided from the breach, where this amount is able to be determined. Other administrative penal provisions Article 12. (1) Any person who
4. breaches one of the requirements regarding the content and form of the crypto-asset white paper pursuant to Article 6 of Regulation (EU) 2023/1114 or the associated obligations contained in Implementing Technical Standards issued based on Article 6(11) of Regulation (EU) 2023/1114 or Regulatory Technical Standards issued based on Article 6(12) of Regulation (EU) 2023/1114,
5. breaches one of the requirements regarding the marketing communications relating to an offer to the public of a crypto-asset other than an asset-referenced token or an e-money token, or to the admission to trading of such a crypto-asset pursuant to Article 7 of Regulation (EU) 2023/1114,
6. breaches the obligations relating to the submission of the crypto-asset white paper and of the marketing communications pursuant to Article 8 of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 15 / 28 4. breaches the obligations relating to the publication and availability of the crypto-asset white paper and of the marketing communications pursuant to Article 9 of Regulation (EU) 2023/1114, 5. breaches the objections in relation to the publication of the result of the offer to the public pursuant to Article 10 (1) of Regulation (EU) 2023/1114, 6. breaches the objections in relation to the publication of the result of the number of units of the crypto-assets in circulation pursuant to Article 10 (2) of Regulation (EU) 2023/1114, 7. breaches the safeguards pursuant to Article 10 (3) of Regulation (EU) 2023/1114, 8. breaches the requirements in relation to the modification of published crypto-asset white papers and of published marketing communications pursuant to Article 12 of Regulation (EU) 2023/1114, 9. breaches the obligations in relation to the right of withdrawal of retail holders pursuant to Article 13 of Regulation (EU) 2023/1114, 10. breaches the obligations of offerors of crypto-assets other than asset-referenced tokens or e￾money tokens pursuant to Article 14 of Regulation (EU) 2023/1114, or 11. breaches the obligations of persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens pursuant to Article 14 of Regulation (EU) 2023/1114, commits an administrative offence and shall be fined up to EUR 700 000 by the FMA or up to double the amount of the gain arising from the breach or any loss avoided from the breach, where this amount is able to be determined. (2) Any person who

1. breaches one of the requirements for credit institutions regarding the offer to the public of asset-referenced tokens or their admission to trading pursuant to Article 17 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 17 (8) of Regulation (EU) 2023/1114.
2. breaches one of the requirements regarding the content and form of the crypto-asset white paper for asset-referenced tokens pursuant to Article 19 of Regulation (EU) 2023/1114 or the associated obligations contained in Implementing Technical Standards issued based on Article 19 (10) of Regulation (EU) 2023/1114 or Regulatory Technical Standards issued based on Article 19 (11) of Regulation (EU) 2023/1114,
3. breaches the obligations regarding reporting on asset-referenced tokens pursuant to Article 22 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 22 (6) of Regulation (EU) 2023/1114 or Implementing Technical Standards issued based on Article 22 (7) of Regulation (EU) 2023/1114,
4. breaches one of the obligations regarding restrictions on the issuance of asset-referenced tokens used widely as a means of exchange pursuant to Article 23 of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 16 / 28 5. breaches the requirements in relation to the modification of published crypto-asset white papers for asset-referenced tokens pursuant to Article 25 of Regulation (EU) 2023/1114, 6. breaches the obligation to act honestly, fairly and professionally in the best interest of the holders of asset-referenced tokens pursuant to Article 27 of Regulation (EU) 2023/1114, 7. breaches the obligations relating to the publication and continuing availability of the crypto￾asset white paper pursuant to Article 28 of Regulation (EU) 2023/1114, 8. breaches one of the requirements regarding marketing communications relating to an offer to the public of an asset-referenced token, or to the admission to trading of an asset￾referenced token pursuant to Article 29 of Regulation (EU) 2023/1114, 9. breaches one of the obligations regarding complaints-handling procedures for holders of asset-referenced tokens pursuant to Article 31 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 31 (5) of Regulation (EU) 2023/1114. 10. breaches one of the obligations regarding the identification, prevention, management and disclosure of conflicts of interest pursuant to Article 32 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 32 (5) of Regulation (EU) 2023/1114. 11. breaches the obligations relating to the notification of changes to the management body and provision of information pursuant to Article 33 of Regulation (EU) 2023/1114, 12. breaches the governance arrangements pursuant to Article 34 of Regulation (EU) 2023/1114, 13. breaches the requirements regarding own funds pursuant to Article 35 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 35 (6) of Regulation (EU) 2023/1114. 14. breaches the requirements regarding the holding of a reserve of assets, its composition or management pursuant to Article 36 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 36 (4) of Regulation (EU) 2023/1114. 15. breaches one of the obligations in relation to the custody of reserve assets pursuant to Article 37 of Regulation (EU) 2023/1114, 16. breaches the requirements regarding the investment of the reserve of assets pursuant to Article 38 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 38 (5) of Regulation (EU) 2023/1114. 17. breaches one of the obligations in relation to the rights of redemption of holders of asset￾referenced tokens pursuant to Article 39 of Regulation (EU) 2023/1114, 18. breaches the prohibition of granting interest in relation to asset-referenced tokens pursuant to Article 40 (1) of Regulation (EU) 2023/1114, 19. breaches the prohibition of granting interest when providing crypto-asset services related to asset-referenced tokens. pursuant to Article 40 (2) of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 17 / 28 20. breaches the obligations regarding the acquisition and disposal of holdings in issuers of asset￾referenced tokens pursuant to Article 41 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 42 (4) of Regulation (EU) 2023/1114. 21. breaches one of the requirements in relation to the recovery plan pursuant to Article 46 of Regulation (EU) 2023/1114, 22. breaches one of the requirements in relation to the redemption plan pursuant to Article 47 of Regulation (EU) 2023/1114, 23. breaches one of the requirements in relation to the issuance and redeemability of e-money tokens pursuant to Article 49 of Regulation (EU) 2023/1114, 24. breaches the prohibition of granting interest in relation to e-money tokens pursuant to Article 50 (1) of Regulation (EU) 2023/1114, 25. breaches the prohibition of granting interest when providing crypto-asset services related to e-money tokens pursuant to Article 50 (2) of Regulation (EU) 2023/1114, 26. breaches one of the requirements regarding the content and form of the crypto-asset white paper for e-money tokens pursuant to Article 51 of Regulation (EU) 2023/1114 or the associated obligations contained in Implementing Technical Standards issued based on Article 51 (10) of Regulation (EU) 2023/1114 or Regulatory Technical Standards issued based on Article 51 (15) of Regulation (EU) 2023/1114, 27. breaches one of the requirements regarding marketing communications relating to an offer to the public of an e-money token, or to the admission to trading of an e-money token pursuant to Article 53 of Regulation (EU) 2023/1114, 28. breaches one of the requirements in relation to the investment of funds received in exchange for e-money tokens issuance and redeemability of e-money tokens pursuant to Article 54 of Regulation (EU) 2023/1114, or 29. breaches one of the requirements in relation to the recovery and redemption plan pursuant to Article 55 of Regulation (EU) 2023/1114, commits an administrative offence and shall be fined up to EUR 700 000 by the FMA or up to double the amount of the gain arising from the breach or any loss avoided from the breach, where this amount is able to be determined. (3) Any person who

1. breaches one of the requirements for certain financial entities in relation to the provision of crypto-asset services pursuant to Article 60 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 60 (13) of Regulation (EU) 2023/1114 or Implementing Technical Standards issued based on Article 60 (14) of Regulation (EU) 2023/1114,
2. breaches the obligation for establishing, implementing and maintaining procedures pursuant to Article 64 (8) of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 18 / 28 3. breaches one of the obligations in relation to the cross-border provision of crypto-asset services pursuant to Article 65 of Regulation (EU) 2023/1114, 4. breaches the obligations to act honestly, fairly and professionally in the best interests of clients pursuant to Article 66 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 66 (6) of Regulation (EU) 2023/1114, 5. breaches the prudential safeguards pursuant to Article 67 of Regulation (EU) 2023/1114, 6. breaches the governance arrangements pursuant to Article 68 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 68 (10) of Regulation (EU) 2023/1114. 7. breaches the obligations relating to the notification of changes to the management body and provision of information pursuant to Article 69 of Regulation (EU) 2023/1114, 8. breaches one of the obligations in relation to the safekeeping of clients’ crypto-assets and funds pursuant to Article 70 of Regulation (EU) 2023/1114, 9. breaches one of the obligations regarding complaints-handling procedures for clients pursuant to Article 71 (1) to (4) of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 71 (5) of Regulation (EU) 2023/1114. 10. breaches one of the obligations regarding the identification, prevention, management and disclosure of conflicts of interest pursuant to Article 72 (2) to (4) of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 72 (5) of Regulation (EU) 2023/1114. 11. breaches the obligations in relation to the outsourcing of services or activities to third parties pursuant to Article 73 of Regulation (EU) 2023/1114, 12. breaches the obligations in relation to the orderly wind-down of crypto-asset service providers pursuant to Article 74 of Regulation (EU) 2023/1114, 13. breaches the obligations in relation to the providing custody and administration of crypto￾assets on behalf of clients pursuant to Article 75 of Regulation (EU) 2023/1114, 14. breaches the obligations regarding the operation of a trading platform for crypto-assets pursuant to Article 76 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 76 (16) of Regulation (EU) 2023/1114. 15. breaches the requirements in relation to the exchange of crypto-assets for funds or other crypto-assets pursuant to Article 77 of Regulation (EU) 2023/1114, 16. breaches the obligations in relation to the execution of orders for crypto-assets on behalf of clients pursuant to Article 78 of Regulation (EU) 2023/1114, 17. breaches the obligations in relation to the placing of crypto-assets pursuant to Article 79 of Regulation (EU) 2023/1114, 18. breaches the obligations in relation to the reception and transmission of orders for crypto￾assets on behalf of clients pursuant to Article 80 of Regulation (EU) 2023/1114,

MiCAR Enforcement Act (MiCA-VVG) 19 / 28 19. breaches the obligations in relation to providing advice on crypto-assets and providing portfolio management of crypto-assets pursuant to Article 81 of Regulation (EU) 2023/1114, 20. breaches the obligation in relation to providing transfer services for crypto-assets on behalf of clients pursuant to Article 82 (1) of Regulation (EU) 2023/1114, or 21. breaches the obligations regarding the acquisition and disposal of holdings in issuers of crypto-asset service providers pursuant to Article 83 of Regulation (EU) 2023/1114 or the associated obligations contained in Regulatory Technical Standards issued based on Article 84 (4) of Regulation (EU) 2023/1114 commits an administrative offence and shall be fined up to EUR 700 000 by the FMA or up to double the amount of the gain arising from the breach or any loss avoided from the breach, where this amount is able to be determined. (4) Any person who breaches one of the reporting obligations pursuant to Article 10 paras. 1 or 2 or Regulations issued pursuant to Article 10 para. 4 nos. 1, 3 or 4 or pursuant to Article 10 paras. 6 or 9, commits an administrative offence and shall be fined up to EUR 60 000 by the FMA. Administrative penal provisions against market abuse Article 13. (1) Any person who

1. breaches Article 89 (2) of Regulation (EU) 2023/1114, by engaging in insider dealing pursuant to Article 89 (1) or (4) of Regulation (EU) 2023/1114, or
2. breaches Article 89 (2) of Regulation (EU) 2023/1114, by using inside information pursuant to Article 87 or Regulation (EU) 2023/1114, either directly or indirectly, for own account or on the account of others, for purchasing or disposal of such crypto-assets, or
3. breaches Article 89 (2) in conjunction with Article 89 (3) point a of Regulation (EU) 2023/1114, by recommending or inducing based on inside information about crypto-assets for third parties to purchase or dispose of them, or
4. breaches Article 89 (2) in conjunction with Article 89 (3) point b of Regulation (EU) 2023/1114, by recommending or inducing based on inside information about crypto-assets for third parties to cancel or amend an order relating to these crypto-assets, or
5. breaches Article 90 (1) or (2) of Regulation (EU) 2023/1114, by unlawfully disclosing inside information, or
6. breaches Article 91 (1) of Regulation (EU) 2023/1114 by means of market manipulation, by engaging in activities pursuant to Article 91 (2) or (3) of Regulation (EU) 2023/1114 commits an administrative offence and shall be fined up to EUR 5 million by the FMA or up to triple the amount of the gain arising from the breach or any loss avoided from the breach, where this amount is able to be determined. (2) In the case of the actions being conducted in para. 1 no. 1 or 6 being conducted deliberately, the attempt to do so is punishable.

MiCAR Enforcement Act (MiCA-VVG) 20 / 28 (3) Paras. 1 and 2 shall apply for persons pursuant to Article 89 (5) of Regulation (EU) 2023/1114. Where the person that has access to inside information pursuant to Article 89 (6) in conjunction with Article 89 (1) of Regulation (EU) 2023/1114 is a legal person, then paras. 1 and 2 shall also apply for the natural persons who were involved or influenced the decision to conduct the purchase or disposal, or to cancel or amend an order for the account of relevant legal person. Other administrative penal provisions against market abuse Article 14. (1) Any person who

1. fails to observe the organisational requirements or reporting obligations regarding the prevention and detection of market abuse pursuant to Article 92 (1) to (4) of Regulation (EU) 2023/1114, or breaches the associated obligations contained in Regulatory Technical Standards issued based on Article 92 (2) of Regulation (EU) 2023/1114, or
2. fails to observe the obligations regarding the publication of insider information pursuant to Article 88 (1) or (2) of Regulation (EU) 2023/1114 or Article 88 (3) of Regulation (EU) 2023/1114 in conjunction with Article 10 para. 3 and a Regulation issued pursuant to Article 10 para. 4 no. 2, or breaches the association obligations contained in Implementing Technical Standards issued pursuant to Article 88 (4) of Regulation (EU) 2023/1114,
3. breaches Article 110a (1) of Regulation (EU) 2023/1114, by failing to submit the information pursuant to Article 88 (1) of Regulation (EU) 2023/1114 or by failing to submit it in the prescribed manner at the same time as disclosing this information to the FMA, or
4. breaches Article 110a (2) of Regulation (EU) 2023/1114, by failing to obtain a legal entity identifier (LEI), commits an administrative offence and shall be fined up to triple the amount of the gain arising from the breach including any loss avoided from the breach, by the FMA, with regard to nos. 3 and 4 shall be fined up to EUR 60 000, and with regard to nos. 1 and 2 where the amount is able to be determined, or fined up to EUR 5 million with regard to no. 1, or fined up to EUR 1 million with regard to no. 2. (2) Any person who refuses to cooperate with the FMA with regard to an investigation, inspection or request in relation to the FMA’s powers pursuant to Article 7 para. 1 nos. 1 to 8, commits an administrative offence and shall be fined up to triple the amount of the gain arising from the breach including any loss avoided from the breach by the FMA, where the amount is able to be determined, or fined up to EUR 1 million. Penal provisions relating to legal persons Article 15. (1) The FMA may impose fines on legal persons if persons who either acted individually or as part of a body of a legal person and who have a managerial role within the legal person based on:
5. a power of representation of the legal person, or

MiCAR Enforcement Act (MiCA-VVG) 21 / 28 2. an authority to take decisions on behalf of the legal person, or 3. an authority to exercise control within the legal person have breached one of the obligations listed in Article 11, Article 12 Article 13 para. 1 or 2, or Article 14. (2) Legal persons may also be held responsible for one of the breaches of the obligations listed in Article 11, Article 12 Article 13 para. 1 or 2, or Article 14, where such a breach by a person acting on behalf of the legal person occurred due to a lack of supervision or control by a person acting for the legal person named in para. 1. (3) The fine pursuant to para. 1 or para. 2 shall be:

1. up to EUR 2.5 million for the breaches listed in Article 14 para. 1 no. 2, or
2. up to EUR 5 million for the breaches listed in Article 11 and Article 12, or
3. up to EUR 15 million for the breaches listed in Article 13 para. 1 or 2 and Article 14 para. 1 no. 1, or
4. up to 4 percent of annual turnover for the breaches listed in Article 14 para. 1 no. 2, or
5. up to 3 percent of annual turnover for the breaches listed in Article 11 no. 1 and Article 12 para. 1, or
6. up to 5 percent of annual turnover for the breaches listed in Article 11 no. 3 and Article 12 para. 3, or
7. up to 12.5 percent of annual turnover for the breaches listed in Article 11 no. 2 and Article 12 para. 2, or
8. up to 15 percent of annual turnover for the breaches listed in Article 13 paras. 1 or 2 and Article 14 para. 1 no. 1, or
9. up to double the respective amount for the breaches listed in Article 11 and Article 12, and up to triple the respective amount for the breaches listed in Article 13 para. 1 or 2 and Article 14 of the gain arising from the breach including any avoided loss, where the amount is able to be determined. The total annual turnover pursuant to no. 8 shall be determined based on the most recently adopted annual financial statement. Where the legal person is a parent undertaking or a subsidiary of a parent undertaking, which is required to draw up a consolidated financial statement in accordance with Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Directives 78/660/EEC and 83/349/EEC, OJ L 182, 29.06.2013, p. 19, last amended by Delegated Directive (EU) 2023/2775, OJ L 2023/2775, 21.12.2023, then the authoritative total annual turnover is the total annual turnover of the relevant type of income according to the relevant accounting provisions, that was stated in the last available consolidated accounts adopted by the competent body of the ultimate parent undertaking. Where the FMA is unable to determine or calculate the bases for the total turnover, then it shall estimate them. In so doing, all relevant circumstances shall be taken into account that are relevant for the estimate.

MiCAR Enforcement Act (MiCA-VVG) 22 / 28 Other measures under administrative procedural law Article 16. Irrespective of other powers conferred upon it in accordance with this Federal Act or other administrative regulations, the FMA may also impose the following measures under administrative law:

1. in the case of one of the administrative offences listed in Article 11, Article 12, Article 13 paras. 1 or 2 or Article 14 para. 1 the publication of the responsible natural or legal person and the type of the breach,
2. in the case of one of the administrative offences listed in Article 11, Article 12, Article 13 paras. 1 or 2 or Article 14 para. 1, to order the responsible natural or legal person to cease the conduct that gives rise to the breach and to desist from a repeat of it,
3. with regard to the administrative offences listed in Article 11 no. 3, Article 12 para. 3, Article 13 paras. 1 or 2 or Article 14 para. 1 a temporary prohibition that prevents the members of the crypto-asset service provider’s management body responsible for the breach, or other natural persons responsible for the breach from performing managerial duties at a crypto-asset service provider,
4. in the event of a repeated offence of the administrative offences listed in Article 13 paras. 1 or 2 or Article 14 para. 1 no. 1, a prohibition for at least 10 years for any member of the management body of a crypto-asset service provider, or any other natural persons held responsible for the breach, from exercising management functions in a crypto-asset service provider,
5. with regard to the administrative offences listed in Article 13 paras. 1 or 2 or Article 14 para. 1 a temporary prohibition of any member of the management body of a crypto-asset service provider or any other natural person who is held responsible for the breach, from dealing on own account,
6. with regard to the administrative offences listed in Article 13 paras. 1 or 2 or Article 14 para. 1 the disgorgement of the gains arising from the breach or avoided losses, where the amount is able to be determined,
7. with regard to the administrative offences listed in Article 13 paras. 1 or 2 or Article 14 para. 1 the withdrawal or suspension of the authorisation of a crypto-asset service provider. Exercising of supervisory and sanctioning powers Article 17. (1) When determining the manner and amount of the administrative penalties and other actions under administrative procedural law, the FMA shall take all relevant circumstances into consideration, including as applicable:
8. the severity and duration of the breach,
9. whether the breach has been committed intentionally or negligently,
10. the degree of responsibility of the natural or legal person responsible for the breach,

MiCAR Enforcement Act (MiCA-VVG) 23 / 28 4. the financial strength of the natural or legal person responsible for the breach as may particularly be deduced, for example, from the annual income and net assets of the responsible natural person, from the total turnover of the responsible legal person, 5. the amount of gains realised or losses avoided by the breach by the natural or legal person responsible for the breach, provided that these amounts are able be determined, 6. the losses sustained by third parties as result of the breach, provided that these amounts can be determined, 7. the level of cooperation of the natural or legal person responsible for the breach with the competent authority, without prejudice to the requirement to ensure the disgorgement of gains (profits gained or losses avoided) by that person, 8. previous breaches against Regulation (EU) 2023/1114 or this Federal Act by the natural or legal person responsible for the breach, 9. measures taken by the person responsible for the breach to prevent a repeat occurrence of the breach, 10. the impact of the breach on the interests of holders of crypto-assets and clients of crypto-asset service providers, in particular retail holders. (2) In performing its duties and powers for imposing sanctions under administrative procedural law or other measures under administrative procedural law pursuant to Articles 10 to 15 and Article 17, the FMA shall cooperate closely with the competent authorities of other Member States to ensure that the sanctions imposed under administrative procedural law and other measures under administrative procedural law are appropriate and guarantee compliance with Regulation (EU) 2023/1114 and this Federal Act. The FMA shall coordinate their actions with those of the competent authorities of other Member States in order to avoid duplication and overlaps when exercising their supervisory and investigative powers and when imposing administrative sanctions and other administrative measures in cross-border cases. Publication of measures and sanctions Article 18. (1) A decision imposing a sanction under administrative procedural law or another measure under administrative procedural law for a breach against Regulation (EU) 2023/1114 or this Federal Act shall be published by the FMA on its official Internet presence without delay, once the natural or legal person subject to that decision has been informed of that decision. The disclosure shall be required to at least contain information about the type and character of the breach as well as the identity of the responsible natural or legal persons. This obligation shall not apply to decisions that lead to the imposing of measures that ore of an investigatory nature.(2) If the FMA, following a case-by-case assessment of the proportionality of the relevant information, considers that announcing the identity of the legal persons or the identity or the personal data of the natural persons would be disproportionate, or if such an announcement would jeopardise financial market stability or an on-going investigation, the FMA may either

MiCAR Enforcement Act (MiCA-VVG) 24 / 28

1. only publish the decision to impose a sanction or another measure, once the reasons for not publishing it cease to exist; or
2. only publish the decision to impose a sanction or another measure on an anonymised basis in a manner in accordance with national law, where such an anonymised announcement ensures an effective protection of the personal data concerned; or
3. refrain from publishing the decision imposing a sanction or another measure, if it believes the options pursuant to no. 1 or 2 to be sufficient to ensure that: a. the stability of the financial markets is not endangered, or b. proportionality is preserved by publishing such decisions with regard to measures which are deemed to be of a minor nature. Where a decision is taken to anonymously publish a sanction or another measure, the announcement of the relevant data may be postponed for a reasonable period of time, in the case that it is expected that the reasons for anonymised publication will cease to exist during that period. (3) The person affected by this publication may make an application to the FMA to review the lawfulness of the disclosure pursuant to para. 1 in a procedure that shall result in an administrative decision. In this case, the FMA shall announce the initiation of such proceedings in the same way as the original publication. If, during this review, it is found that the publication was unlawful, the FMA shall correct the publication or, at the request of the person subject to this publication, either revoke it or remove it from its website. (4) In the event the decision underlying the publication pursuant to para. 1 is appealed against, then this as well as the outcome of this procedure shall be published in the same manner as the original publication. In the event suspensory effect is granted for such an appeal in a procedure in a court of law, then the FMA shall also make this known. If the appeal is granted, then the FMA shall correct the publication pursuant to para. 1 or shall at the request of the person subject to this publication, either revoke it or remove it from its official website. (5) The FMA shall ensure that every announcement as well as any amendment shall be accessible on its Internet presence from the point of time of its publication for a period of five years. Publication of the personal data shall however only be maintained for as long as none of the criteria for an anonymised publication are fulfilled. SECTION 4: OTHER SUPERVISORY AND PROCEDURAL PROVISIONS Reporting to ESMA and EBA Article 19. (1) The FMA shall submit annual aggregated information to ESMA and EBA about all sanctions under administrative procedural law and other administrative measures pursuant to Articles 11 to 16 and Article 18 para. 1.

MiCAR Enforcement Act (MiCA-VVG) 25 / 28 (2) When publishing sanctions under administrative procedural law and other measures under administrative procedural law the FMA shall notify these to ESMA at the same time. (3) The FMA shall also notify ESMA and EBA about all sanctions under administrative procedural law or other measures under administrative procedural law pursuant to Article 18 para. 1, that were imposed, but which were not published pursuant to Article 18 para. 2 no. 3, including any appeals lodged in this regard, as well as the outcomes of the appeal procedures. Right of appeal Article 20. The FMA’s decisions in the enforcement of Regulation (EU) 2023/1114 and this Federal Act are to be justified in accordance with legal acts under administrative procedural law. The right of appeal to the Federal Administrative Court (BVwG; Bundesverwaltungsgericht) exists against these decisions. In the event the FMA fails to reach a decision within six months of receipt of a submission that contains all the required information, then the legal remedy for an appeal on the grounds of delay shall exist. Special procedural provision Article 21. Fines imposed by the FMA pursuant to this federal act shall flow to the Federal Government. Costs Article 22. (1) The FMA’s costs arising from its activity as the competent authority pursuant to Article 93 (1) of Regulation (EU) 2023/1114 are allocated as costs of the Securities Supervision accounting group (Article 19 para. 1 no. 3 and para. 4 of the Financial Market Authority Act (FMABG; Finanzmarktaufsichtsbehördengesetz), published in Federal Law Gazette I no. 97/2001) and shall be refunded in accordance with paras. 2 to 4. (2) Issuers of asset-referenced tokens, issuers of e-money tokens and crypto-asset service providers shall be liable to pay costs. (3) The FMA shall form a common sub-accounting group for the purpose of reimbursing the costs for issuers of asset-referenced tokens, issuers of e-money tokens and crypto-asset service providers to be supervised by the FMA. (4) The amounts to be allocated to the parties liable to pay costs pursuant to para. 2 shall be prescribed by the FMA by means of an administrative decision; it shall be permitted to determine fixed amounts. The FMA shall determine more detailed rules regarding the breakdown of such costs, and their prescription by means of a Regulation. In particular, the following shall be defined:

1. the assessment base for the individual types of fees prescribed,
2. deadlines for payment notifications and time frame for payments by the parties liable to pay.

MiCAR Enforcement Act (MiCA-VVG) 26 / 28 When issuing Regulations containing rules pursuant to no. 1 the total assets shall be considered taking into account the supervised activities. Entities liable to pay costs shall provide the FMA with all required information regarding the bases for cost assessment. (5) The Oesterreichische Nationalbank shall

1. draw up a statement about the costs arising from the duties and activities in accordance with this Federal Act and allow this statement to be reviewed by the auditor pursuant to Article 37 NBG,
2. convey the audited statement to the Federal Minister of Finance and the FMA by 30 April of the respective following financial year,
3. publish the audited statement following submission pursuant to no. 2 on its website,
4. notify the Federal Minister of Finance and the FMA by 30 September every year of about the estimated costs arising from its duties and activities in accordance with this Federal Act, as well as the estimated annual average number of employees employed in performing duties and activities in accordance with this Federal Act, and
5. inform the Federal Minister of Finance and the FMA once a year about the annual average number of employees occupied with the tasks and activities in accordance with this Federal Act; such information may also be provided by means of a publication. SECTION 5: TRANSITIONAL AND FINAL PROVISIONS Transitional provisions Article 23. (1) Crypto-asset service providers, that have provided their services in accordance with the applicable law as registered virtual asset service providers pursuant to Article 2 no. 22 of the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz), published in Federal Law Gazette I No. 118/2016, prior to 30 December 2024 shall be allowed to continue to do so until 31 December 2025 or until the time at which they are granted or refused an authorisation in accordance with Article 63 of Regulation (EU) 2023/1114, depending upon which occurs first. (2) For the 2026 and 2027 financial years, costs which are allocatable to the Sub-Accounting Group formed pursuant to Article 22 para. 3 of EUR 1 800 000 per annum shall be covered from the reserve formed pursuant to Article 20 para. 1 FMABG, as well as of a further EUR 700 000 per annum shall be covered from the reserve formed pursuant to Article 23a para. 8 FMABG. The annual total amount shall be deducted from the total costs of the Sub-Accounting Group formed pursuant to Article 22 para. 3, before the remaining amount of the difference is assigned to the parties liable to pay pursuant to Article 22 para. 2. (3) The reserves formed pursuant to Article 20 para. 1 and Article 23a para. 8 FMABG shall be replenished by the amounts withdrawn pursuant to para. 2, on a straight-line basis across the financial years 2028 to 2031. By way of derogation from Article 19 para. 2 third sentence FMABG these retransfers to the reserves shall count towards the costs that are assigned to the Sub-Accounting

MiCAR Enforcement Act (MiCA-VVG) 27 / 28 Group formed pursuant to Article 22 para. 3, and shall not count towards the limit of the allocation to the reserves pursuant to Article 20 Abs. 2 FMABG. By way of derogation from Article 19 para. 5 FMABG, the share of the costs for replenishing the reserve allocated to every individual entity liable to pay costs in the aforementioned Sub-Accounting Group for the 2028 to 2031 financial years shall be prescribed by means of a payment notice at the same time as the allocation of actual costs for the 2028 financial year, and upon which basis the entities liable to pay costs shall be required to contribute the prescribed total amount in four equal instalments to be paid by 15 January each year from 2030 to 2033. The contributions made towards costs shall be used exclusively for the purpose of retransfers to the reserves. Gender-neutral use of language Article 24. The designations for natural persons in this Federal Act shall apply to persons of all genders. Enforcement Article 25. The Federal Minister of Finance shall be responsible for enforcing this Federal Act. References Article 26. (1) Where references to other federal acts are made in this Federal Act, those acts are to be applied in their respective current versions. (2) Where reference is made in this Federal Act to Regulation (EU) 2023/1114, then, unless otherwise specified, Regulation (EU) 2023/1114 on markets in crypto-assets, and amending Regulations (EU) 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, OJ L 150, 09.06.2023, p. 40, in the version amended by Regulation (EU) 2023/2869, OJ L 2023/2869, 20.12.2023, shall apply. (3) Where reference is made in this Federal Act to Regulation (EU) No 2023/2859, then, unless otherwise specified, Regulation (EU) No. 2023/2859 establishing a European single access point providing centralised access to publicly available information of relevance to financial services, capital markets and sustainability, OJ L 2023/2859, 20.12.2023, in the version of the Directive (EU) 2024/1760, OJ L 2024/1760, 05.07.2024, shall apply. (4) Where reference is made in this Federal Act to Regulation (EU) No 2023/2869, unless otherwise specified, Regulation (EU) No 2023/2869 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions, OJ L 2023/2869, 20.12.2023, shall apply. (5) Where reference is made in this Federal Act to Regulation (EU) 2016/679, then, unless specified otherwise, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive

MiCAR Enforcement Act (MiCA-VVG) 28 / 28 95/46/EC (General Data Protection Regulation), OJ L 119, 04.05.2016. p. 1, as amended by the corrigendum in OJ L 74, 04.03.2021, p. 35, shall apply. Transposition Note Article 27. (1) This Federal Act serves to implement Regulation (EU) 2023/1114 on markets in crypto￾assets and amending Regulations (EU) 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, OJ L 150, 09.06.2023, p. 40, most recently corrected by OJ L, 2024/90275, 02.05.2024. (2) The Federal Act published in Federal Law Gazette I No. 5/2026 serves the effective enforcement of Regulation (EU) 2023/2859 as well as Regulation (EU) 2023/2869. Entry into Force Article 28. (1) This Federal Act shall enter into force on the following day after publication. (2) Article 1 paras. 3 to 6, Article 14 para. 1 nos. 2 to 4, the final part of Article 14 para. 1 and Article 26 paras. 3 to 5 and Article 27 in the version of the Federal Act published in Federal Law Gazette I No. 5/2026 shall enter into force on the following day after publication. Article 1 paras. 3 to 6, Article 14 para. 1 nos. 3 and 4 as well as the final part of Article 14 para. 1 in the version of the Federal Act amended in Federal Law Gazette I No. 5/2026 shall apply from 10 January 2030. The FMA shall inform ESMA by 9 January 2030 that it is the ESAP collection body pursuant to Article 110a (3) of Directive (EU) 2023/1114 and that it is the collection body pursuant Article 3 (2) of Regulation (EU) 2023/2859 for the collection of information on a voluntary basis listed in Regulation (EU) 2023/1114.