Legal-Updates
Legal-Updates

Regulatory Update in Austria: Q1 2026

Austria';s regulatory landscape has shifted considerably in recent months, with new obligations taking effect across corporate governance, employment, taxation, and financial compliance. For international businesses operating in or expanding into Austria, staying current with austria regulatory 2026 developments is not optional - it is a prerequisite for avoiding penalties and maintaining good standing. This guide summarises the most material changes from the first quarter, explains their practical implications, and highlights the steps businesses should take now.

Corporate governance and company law: recent amendments affecting Austrian entities

Austria';s company law framework, anchored in the Unternehmensgesetzbuch (UGB) and the GmbH-Gesetz, has seen targeted amendments that affect both domestic and foreign-owned entities. The most significant change concerns beneficial ownership reporting under the Wirtschaftliche Eigentümer Registergesetz (WiEReG). Authorities have tightened the verification cycle, requiring entities to re-confirm or update their beneficial ownership entries more frequently than before. Companies that fail to submit timely confirmations now face escalating administrative fines, with the first notice typically issued within weeks of a missed deadline.

A non-obvious requirement that catches many foreign founders is the obligation to update the WiEReG register not only when ownership changes but also when the personal data of a beneficial owner - such as a passport number or address - is updated. In practice, this means that even a routine address change at the shareholder level can trigger a mandatory filing. Many underestimate how quickly the Finanzpolizei cross-references commercial register data against WiEReG entries, making discrepancies visible almost immediately.

The Firmenbuch, Austria';s commercial register maintained by the competent district courts, has also introduced a streamlined electronic submission pathway for certain amendments. While this reduces processing time for straightforward changes - typically from several weeks to around five to ten business days - it places greater responsibility on the submitting notary or lawyer to ensure that documents meet the new digital formatting standards. Errors that previously resulted in a request for correction now trigger automatic rejection, requiring a full resubmission.

For GmbH entities specifically, the minimum share capital rules remain unchanged, but the documentation requirements for capital contributions made in kind have been clarified. An independent auditor';s valuation report is now explicitly required for non-cash contributions above a defined threshold, and the report must be filed with the Firmenbuch simultaneously with the formation documents. A common mistake is commissioning the valuation after the notarial deed is signed, which delays registration by several weeks.

Employment law developments: new obligations for Austrian employers

Austria';s employment law has always been layered, combining the Angestelltengesetz, the Arbeitsverfassungsgesetz, and numerous collective agreements (Kollektivverträge). Recent changes have added further obligations, particularly around pay transparency and flexible working arrangements.

The EU Pay Transparency Directive has been transposed into Austrian law, introducing new requirements for employers with more than a defined number of employees. Employers must now provide salary range information in job postings and respond to employee requests for comparative pay data within a specified timeframe. The Gleichbehandlungskommission, Austria';s equal treatment commission, has been given expanded investigative powers to audit compliance. Businesses that have not yet reviewed their internal pay structures and documentation practices should treat this as an urgent priority.

Flexible working arrangements have also been addressed. Recent amendments to the Arbeitszeitgesetz clarify the conditions under which employees may request a shift to a four-day working week or a compressed schedule. Employers are not automatically obliged to grant such requests, but they must respond in writing within a defined period and provide reasons if they refuse. Failure to respond is treated as a constructive refusal, which carries its own legal consequences. In practice, founders should consider updating their standard employment contract templates and internal HR procedures to reflect these new response obligations.

A further development concerns the posting of workers. Austria has strengthened its enforcement of the EU Posted Workers Directive through amendments to the Lohn- und Sozialdumping-Bekämpfungsgesetz (LSD-BG). Foreign companies sending employees to work in Austria, even for short assignments, must now register the posting through the online portal of the Zentrales Koordinationsbüro (ZKO) before work begins - not on the first day of work. Penalties for late registration have increased, and inspections by the Finanzpolizei have become more frequent in sectors such as construction, logistics, and IT services.

Tax and fiscal compliance: key changes for businesses in Austria

Austria';s tax framework has seen several adjustments that affect corporate income tax, VAT, and transfer pricing. The Körperschaftsteuergesetz (KStG) remains the primary statute governing corporate taxation, but recent amendments have introduced new rules on interest deductibility and hybrid mismatches, aligned with the OECD';s BEPS framework.

The interest limitation rule, which caps the deductibility of net borrowing costs at a percentage of EBITDA, has been clarified through administrative guidance issued by the Bundesministerium für Finanzen (BMF). The guidance addresses how the rule applies to intra-group financing arrangements and confirms that certain infrastructure-related financing may qualify for an exemption. Businesses with significant intercompany debt should review their existing structures against this guidance, as the BMF has signalled that transfer pricing audits will focus on this area in the coming months.

On the VAT side, the Umsatzsteuergesetz (UStG) has been amended to address the treatment of digital services and platform economy transactions. Marketplace operators that facilitate sales by third-party sellers are now deemed suppliers for VAT purposes in a wider range of scenarios, shifting the compliance burden from individual sellers to the platform. This change has significant implications for Austrian businesses operating digital marketplaces, as well as for foreign platforms with Austrian customers. The Finanzamt Österreich, the central tax authority, has published updated guidance on how to determine when the deemed supplier rule applies.

Transfer pricing documentation requirements have also been tightened. Austrian entities that are part of a multinational group must maintain a master file and a local file in accordance with the OECD Transfer Pricing Guidelines, and these must be available for submission to the Finanzamt within a defined period after a request is made. A common mistake is treating transfer pricing documentation as a year-end exercise rather than an ongoing process. In practice, founders should consider maintaining contemporaneous documentation throughout the year, particularly for intercompany service agreements and royalty arrangements.

If your business is navigating these tax changes and needs a structured review of its Austrian compliance position, contact info@vlolawfirm.com. We can assist with documents and filings across corporate tax, VAT, and transfer pricing matters.

Financial services and AML compliance: regulatory tightening in Austria

Austria';s financial services sector is regulated primarily by the Finanzmarktaufsicht (FMA), the financial market supervisory authority, and the Oesterreichische Nationalbank (OeNB). Recent quarters have seen a marked increase in supervisory activity, driven in part by updated EU-level requirements under the revised Anti-Money Laundering Directive and the forthcoming EU AML Authority (AMLA) framework.

The Finanzmarktgeldwäschegesetz (FM-GwG) has been amended to extend customer due diligence obligations to a broader range of entities, including certain crypto-asset service providers now regulated under the EU';s MiCA Regulation. Austrian businesses that deal in crypto assets must register with the FMA and implement full AML programmes, including customer identification, transaction monitoring, and suspicious activity reporting. The FMA has made clear that it will not grant grace periods for entities that were previously operating in a regulatory grey area.

For traditional financial institutions and payment service providers, the FMA has issued updated supervisory expectations on the governance of AML programmes. Specifically, the FMA expects firms to demonstrate that their compliance function has sufficient resources and independence, and that senior management receives regular, substantive AML reporting. Firms that rely on outsourced compliance functions must ensure that the outsourcing arrangement meets the FMA';s standards for oversight and accountability.

A practical scenario worth noting: a foreign fintech company establishing an Austrian subsidiary to passport services across the EU will now face a more rigorous licensing review than in previous years. The FMA has increased the depth of its fit-and-proper assessments for key function holders and is requesting more detailed business plans and financial projections. Founders should budget for a licensing timeline of at least several months and engage local counsel early in the process.

A second scenario involves an existing Austrian payment institution that has expanded its product range to include crypto-asset services. Such an entity must assess whether its existing FMA authorisation covers the new activities or whether a separate MiCA registration is required. The answer depends on the specific services offered, and a common mistake is assuming that an existing licence automatically extends to new asset classes.

Data protection and digital regulation: new enforcement priorities in Austria

Austria';s data protection framework is governed by the Datenschutzgesetz (DSG) and the EU General Data Protection Regulation (GDPR). The Datenschutzbehörde (DSB), Austria';s data protection authority, has signalled a shift in enforcement priorities for the current period, focusing on three areas: data transfers to third countries, cookie consent mechanisms, and the use of AI-driven profiling tools.

On data transfers, the DSB has been active in reviewing standard contractual clauses (SCCs) and transfer impact assessments following the Schrems II line of case law. Businesses that transfer personal data outside the European Economic Area must maintain up-to-date transfer impact assessments and be prepared to demonstrate that supplementary measures are in place where the legal framework of the destination country does not provide equivalent protection. The DSB has issued informal guidance indicating that it will prioritise complaints involving transfers to jurisdictions with broad government access to data.

Cookie consent has become a renewed enforcement focus following a series of decisions by the DSB and the European Data Protection Board. Austrian websites that use analytics or advertising cookies must obtain freely given, specific, informed, and unambiguous consent before placing non-essential cookies. Pre-ticked boxes and consent obtained through dark patterns are explicitly non-compliant. Businesses should audit their cookie banners and consent management platforms against current standards, as the DSB has shown willingness to impose fines even for first-time violations.

The use of AI tools in HR processes - such as automated CV screening or performance scoring - has attracted specific attention. Under the EU AI Act, which is now progressively entering into force, certain AI applications in employment contexts are classified as high-risk and require conformity assessments, documentation, and human oversight mechanisms. Austrian employers using such tools should assess their obligations under both the AI Act and the GDPR, as the two frameworks interact in important ways.

Practical implications and compliance priorities for international businesses

For international businesses with Austrian operations, the cumulative effect of these changes is a materially higher compliance burden across multiple functions. The key practical priorities can be summarised as follows.

  • Beneficial ownership: verify that WiEReG entries are current and that any changes to shareholder data have been reflected within the required timeframe.
  • Employment: update job posting templates to include salary ranges, review HR procedures for responding to flexible working requests, and ensure that any posted workers are registered with the ZKO before they begin work in Austria.
  • Tax: review intercompany financing arrangements against the updated interest limitation guidance, confirm that transfer pricing documentation is being maintained on an ongoing basis, and assess whether platform economy VAT changes affect your business model.
  • AML and financial services: if your business deals in crypto assets, confirm whether FMA registration is required and implement a full AML programme if it is not already in place.
  • Data protection: audit data transfer mechanisms, cookie consent tools, and any AI-driven HR processes for compliance with current DSB expectations and the AI Act.

In practice, founders should consider conducting a structured compliance gap analysis across these five areas rather than addressing each issue in isolation. Many of the changes interact - for example, AI tools used in HR may simultaneously trigger GDPR, AI Act, and employment law obligations. A coordinated approach reduces duplication and ensures that no obligation falls through the gaps.

We can help structure the setup correctly the first time. If your business needs a comprehensive review of its Austrian regulatory position, contact info@vlolawfirm.com.

Frequently asked questions

What is the most immediate compliance risk for a foreign company with an Austrian subsidiary?

The most immediate risk for most foreign-owned entities is the WiEReG beneficial ownership register. Austrian law requires that beneficial ownership information be kept current at all times, not just at the point of formation. A change in the personal data of a beneficial owner - even something as routine as a new passport number - triggers a mandatory update. The Finanzpolizei cross-references commercial register data against WiEReG entries regularly, and discrepancies can result in fines that escalate quickly. Foreign founders often assume that the register only needs to be updated when ownership changes hands, which is incorrect. Engaging a local lawyer or compliance provider to monitor and maintain the register entry is a cost-effective way to manage this risk.

How long does it take to obtain FMA authorisation for a new financial services business in Austria, and what does it cost?

The FMA licensing process for payment institutions and e-money institutions typically takes several months from the submission of a complete application, though the timeline can extend further if the FMA requests additional information or if the application involves novel business models. The process involves a detailed review of the business plan, financial projections, governance arrangements, and the fit-and-proper status of key function holders. Professional fees for preparing a licensing application - covering legal, compliance, and financial advisory work - generally start from the low tens of thousands of euros and can be significantly higher for complex applications. State fees charged by the FMA are separate and vary by licence type. Businesses should budget conservatively and engage counsel well before they intend to begin operations.

Does the EU AI Act affect Austrian businesses that use AI tools only internally, for example in HR?

Yes, the EU AI Act applies to AI systems used within the EU regardless of whether they are customer-facing or internal. AI systems used in employment contexts - such as automated CV screening, performance evaluation, or workforce monitoring - are classified as high-risk under the AI Act. This means that Austrian employers using such tools must carry out conformity assessments, maintain technical documentation, implement human oversight mechanisms, and register the system in the EU database for high-risk AI systems. These obligations apply to both developers and deployers of AI systems, so an Austrian employer that purchases an off-the-shelf AI HR tool from a third-party vendor still has its own compliance obligations. The interaction with GDPR is also significant, as automated decision-making in employment contexts may require a legal basis and may give employees the right to request human review.

Conclusion

Austria';s regulatory environment has become more demanding across corporate, employment, tax, financial services, and data protection law. Businesses that act early - updating registers, reviewing contracts, and auditing compliance programmes - will be better positioned than those that wait for enforcement action. The changes described in this guide are interconnected, and a coordinated compliance approach is more efficient than addressing each area separately.

VLO Law Firms advises international clients on regulatory compliance and corporate matters in Austria. We can assist with beneficial ownership filings, employment contract updates, tax structure reviews, FMA licensing applications, and data protection audits. To request a consultation, contact: info@vlolawfirm.com