CRD VI in Austria: A Sharper Supervisory Architecture – Legislative Draft Published

03 June 2026 – need2know

The implementation of CRD VI in Austria started with a Ministerial Draft. It will not be a mere box-ticking exercise; it alters the DNA of bank governance, executive onboarding, transaction engineering, and capital allocation in Austria.

In our need2know, bpv Huegel Finance & Regulatory partner Ingo Braun outlines five main features of the proposed changes in “CRD VI in Austria: A Sharper Supervisory Architecture – Legislative Draft Published”.

How is your institution preparing for the upcoming ex-ante Fit & Proper checks and the integration of ESG transition plans into your SREP framework?

Share your thoughts or reach out directly to discuss the legal implications for your business.

Ministerial Draft 108/ME XXVIII. GP is not a routine transposition exercise. It recalibrates supervision across the Austrian Banking Act (BWG), the Austrian Financial Market Supervisory Authority Act (FMABG), the Austrian Savings Bank Act (SpG), the Austrian Investment Firms Act (WPFG) and the Austrian Credit Servicers and Credit Purchasers Act (KKG).

  • Fit & Proper Redefined: Suitability becomes an ongoing duty through strict pre-checks and continuous tracking.
  • Risk Scope Expanded: Green and digital assets (ESG/crypto) now face mandatory risk management.
  • Global Gates Closed: A unified framework and stronger enforcement tools eliminate regulatory arbitrage for third-country branches.
  • Transaction Gates Tightened: Pre-notification procedures and standardized reviews to enforce stricter prudential screening.
  • Supervisory Guardrails Sharpened: Macro buffers receive precision tuning alongside strict cooling-off rules to ensure FMA integrity.

Fit & proper: more process, more discipline

Suitability is moving from a one-off check to a continuous governance duty. Institutions must clear appointments in advance, keep monitoring them, and act fast when a mandate no longer fits:

  • Pre-appointment assessment becomes mandatory.
  • Ongoing reassessment is required.
  • Key-function holders are generally subject to internal suitability assessment.
  • Governance must reflect skill depth and diversity.
  • Board oversight must cover risk, ESG and supervision.
  • Larger institutions must file suitability application already upon clear intention to appoint.

Risk Governance – ESG becomes prudential

ESG is moved out of the margins and into the supervisory core. Institutions will need to identify, measure and manage ESG risk across short-, medium- and long-term horizons.

  • ESG becomes part of risk governance.
  • Transition planning must be horizon-based.
  • The FMA may reflect ESG in SREP and stress testing.
  • Larger banks face deeper analytical expectations.
  • Direct and indirect crypto-securities positions require appropriate risk-management strategies.

Third-country branches reset

Austria is introducing a clearer regime for branches of third-country credit institutions, with supervision tied to scale, activity profile and systemic relevance. The aim is straightforward: less arbitrage, more control.

  • Branches are placed into a harmonised framework.
  • Qualified branch status depends on supervision and AML factors.
  • The FMA gains stronger enforcement tools.

The strict core banking service prohibitions of Art. 21c CRD VI are already fully reflected in Austria’s existing license regime, meaning the local framework seamlessly absorbs the new EU baseline.

Transactions face tighter gates

Prudentially relevant transactions will move into a more standardised pre-notification and review process. That includes qualifying holdings, major asset transfers, and mergers or demergers.

  • New standardized pre-notification requirements and explicit powers for FMA to intervene.
  • Prudential soundness remains the key test.
  • Reputation and viability stay central.
  • AML and CTF risks remain in scope.

Macroprudential rules shift

The package also sharpens macroprudential calibration, including the systemic risk buffer and the framework for systemically important institutions. At the same time, it strengthens safeguards around the FMA itself.

  • Systemic risk buffer (SyRB) calibration becomes more precise.
  • Global/Other Systemically Important Institutions (G-SII/O-SII) rules align more closely with CRD VI.
  • Cooling-off and term-limit rules are tightened at the FMA.
  • Enforcement powers are reinforced.

What institutions should do

Banks, branches and groups should test their governance, transaction and compliance processes. Particular attention should be given to board appointments, key-function documentation, branch structures and ESG governance.

  • Review fit and proper procedures.
  • Map new notification workflows.
  • Assess branch and group structures.
  • Close ESG governance gaps.

 

Author:
Ingo Braun

Practice group:
Finance & Regulatory

The summary (as a PDF).

Our use of cookies

We use necessary and functionality cookies to make our site work. We only use analytics cookies to improve our website if you enable them. By using this tool for individual settings of the cookies, we will send a cookie to your device to remember your preferences.

For more detailed information about the cookies we use, see our Cookies Policy.

Necessary Cookies Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect the website functions.

Functionality Cookies

Functionality cookies allow users to customise how a website looks for them: they can remember usernames, language preferences and regions. We use functionality cookies for storing your user preferences and remembering if you have been to the site before so that messages intended for first-time users are not displayed to you. These cookies do not collect information about you that could be used for marketing purposes and do not remember where you have been on the Internet.

You may disable these cookies with the button, but you should be aware that any preferences will be lost and you will have to make them again on your next visit. It is also possible that the website will not work properly or you will lose some functionality.

Analytics cookies (including US providers)

"Web analytics cookies" collect aggregated information about user behaviour to improve our website. We would like to use such cookies from Google Analytics to improve our website by collecting and evaluating information about the use of our website. The provider of Google Analytics is Google LLC, which is based in the USA. The USA is not certified by the European Court of Justice as having an adequate level of data protection. In particular, there is a risk that your data may be accessed by US authorities for control and monitoring purposes and that no effective legal remedies are available against this. By activating the button under "Web analytics cookies (including from US providers)", you agree that we may set these cookies and that you also agree to the transfer of data to the USA. You can revoke your consent at any time via the cookie settings on our website.