DORA: Why Every EU Crypto Firm Must Master Digital Operational Resilience
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — applies to crypto-asset service providers (CASPs) as financial entities within the EU regulatory perimeter. DORA establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities, including comprehensive ICT risk management, incident reporting, resilience testing, and third-party risk management obligations.
For crypto-asset service providers, DORA compliance overlaps with and supplements MiCA’s operational requirements. While MiCA addresses crypto-specific regulatory obligations, DORA provides the cross-sectoral framework for ICT risk management that applies equally to banks, insurance companies, investment firms, and CASPs. The combination creates a demanding but coherent operational resilience framework.
DORA’s Scope for Crypto Firms
Which Crypto Entities Are Covered?
DORA explicitly includes CASPs authorized under MiCA in its scope (Article 2(1)(m)). This means all authorized CASPs must comply with DORA’s full requirements, including:
- ICT risk management framework
- ICT-related incident management, classification, and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information sharing arrangements
Asset-referenced token (ART) and e-money token (EMT) issuers that are authorized as credit institutions or electronic money institutions are also covered by DORA through their primary authorization.
Proportionality
DORA applies a proportionality principle, meaning requirements are scaled based on the entity’s size, risk profile, and complexity. Smaller CASPs may benefit from simplified requirements, but the core obligations still apply. The key proportionality factors are:
- Size and overall risk profile of the entity
- Nature, scale, and complexity of services, activities, and operations
- The entity’s systemic relevance
ICT Risk Management Framework
Core Requirements
CASPs must establish and maintain an ICT risk management framework that includes:
1. Governance and Organization
- The management body bears ultimate responsibility for ICT risk management
- Designation of a function or role responsible for managing ICT risk (may be the CISO or equivalent)
- Adequate budget allocation for ICT security
- ICT risk management strategy approved by the management body
- Regular reporting on ICT risks to the management body
2. ICT Risk Identification
- Identify, classify, and document all ICT-supported business functions, roles, and ICT assets
- Identify all sources of ICT risk, including internal threats, external threats, and vulnerabilities
- Perform risk assessments at least annually and upon major changes to the ICT infrastructure
- Maintain a current inventory of all ICT assets (hardware, software, network components)
3. ICT Protection and Prevention
- Implement policies and controls for logical and physical security
- Network security management including network segmentation and encryption
- Access control policies based on the principle of least privilege
- Strong authentication mechanisms (multi-factor authentication)
- Patch management and vulnerability management programs
- Data protection policies including encryption of data at rest and in transit
- Security monitoring and logging of ICT operations
4. ICT Detection
- Implement mechanisms to detect anomalous activities and ICT-related incidents
- Maintain detection capabilities that enable rapid identification of ICT incidents
- Allocate sufficient resources to monitoring ICT operations
5. ICT Response and Recovery
- ICT business continuity policy and ICT disaster recovery plan
- Backup policies and procedures with regular backup testing
- Recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Communication plans for ICT-related incidents (internal and external)
- Post-incident reviews and lessons learned
6. ICT Learning and Evolution
- Collect and analyze information on vulnerabilities and cyber threats
- Incorporate lessons from ICT-related incidents and resilience testing into the ICT risk management framework
- Staff training and awareness programs on ICT security
Incident Reporting
Classification Framework
DORA requires CASPs to classify ICT-related incidents based on criteria including:
- Number of clients, counterparties, and transactions affected
- Duration of the incident
- Geographic spread
- Data losses and data integrity impacts
- Criticality of the services affected
- Economic impact
Reporting Obligations
Major ICT-related incidents must be reported to the competent authority:
- Initial notification: Without undue delay, and no later than 4 hours after classification as a major incident (or 24 hours after becoming aware of the incident, whichever is earlier)
- Intermediate report: Within 72 hours of the initial notification, providing an update on the incident including initial root cause analysis
- Final report: Within one month of the incident, providing a comprehensive analysis including root cause, impact, remediation actions, and measures to prevent recurrence
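The deadline arithmetic above is easy to get wrong under pressure, so an incident management system should compute it rather than leave it to the on-call engineer. The following is an added example, not code from the original article; it assumes the "one month" for the final report is counted from the time the firm became aware of the incident, and it applies the "whichever is earlier" rule for the initial notification.

```python
from datetime import datetime, timedelta
from typing import Optional
import calendar

# DORA major-incident reporting windows as stated in the article.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def _plus_one_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping the day to the target month's length."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_sent_at: Optional[datetime] = None) -> dict:
    """Return the initial, intermediate and final report deadlines.

    initial_sent_at is when the initial notification actually went out; until it
    is known, the 72-hour intermediate window is counted from the latest time
    the initial notification is permitted to go out.
    """
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    initial_due = min(classified_at + INITIAL_AFTER_CLASSIFICATION,
                      aware_at + INITIAL_AFTER_AWARENESS)
    initial_ref = initial_sent_at if initial_sent_at is not None else initial_due
    return {
        "initial": initial_due,
        "intermediate": initial_ref + INTERMEDIATE_AFTER_INITIAL,
        "final": _plus_one_month(aware_at),  # assumption: month counted from awareness
        "initial_overdue": initial_sent_at is not None and initial_sent_at > initial_due,
    }


def deadlines_iso(aware_iso: str, classified_iso: str,
                  sent_iso: Optional[str] = None) -> dict:
    """Convenience wrapper taking and returning ISO 8601 timestamps."""
    parse = datetime.fromisoformat
    result = reporting_deadlines(parse(aware_iso), parse(classified_iso),
                                 parse(sent_iso) if sent_iso else None)
    return {k: (v.isoformat() if isinstance(v, datetime) else v)
            for k, v in result.items()}
```

Note that when classification happens more than 20 hours after awareness, the 24-hour limit from awareness binds rather than the 4-hour limit from classification.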
Voluntary Reporting
CASPs may voluntarily report significant cyber threats to the competent authority, even if they do not result in a major incident. This voluntary reporting supports systemic risk monitoring and threat intelligence sharing.
Digital Operational Resilience Testing
Basic Testing
All CASPs must conduct, at least annually:
- ICT security testing (vulnerability assessments, network security assessments)
- Gap analyses against relevant standards and frameworks
- Software quality assurance testing
- Performance testing
- Penetration testing
Threat-Led Penetration Testing (TLPT)
CASPs that are systemically important or meet certain thresholds must conduct threat-led penetration testing (TLPT) at least every three years:
- TLPT must be conducted by independent external testers
- Testing scenarios must be based on real threat intelligence
- TLPT must cover critical or important functions of the CASP
- Results must be shared with the competent authority
- Remediation plans must address any identified vulnerabilities
ICT Third-Party Risk Management
Key Requirements
CASPs must manage the risks arising from their reliance on ICT third-party service providers:
Pre-contractual assessment:
- Due diligence on the ICT service provider’s capability, reliability, and security
- Assessment of concentration risk (over-reliance on a single provider)
- Assessment of the provider’s compliance with applicable regulatory requirements
Contractual requirements: DORA specifies minimum contractual provisions for ICT service agreements, including:
- Clear description of the services and service levels
- Data processing locations and notification of changes
- Data protection and confidentiality obligations
- Subcontracting conditions and notification requirements
- Access, audit, and inspection rights for the CASP and competent authority
- Exit strategies and transition provisions
- Cooperation with the competent authority
Ongoing monitoring:
- Regular assessment of the ICT service provider’s performance
- Monitoring of the provider’s security posture
- Maintenance of a register of all ICT service agreements (reported to the competent authority annually)
Critical ICT Service Providers
ICT service providers designated as “critical” by the European Supervisory Authorities (ESMA, EBA, EIOPA) are subject to a direct oversight framework:
- Lead Overseer appointed from among the ESAs
- Power to request information and documentation
- Power to conduct on-site inspections
- Power to issue recommendations and, ultimately, request that financial entities terminate or modify contractual arrangements
This provision is particularly relevant for CASPs that rely on cloud service providers (AWS, Azure, GCP), blockchain infrastructure providers, or specialized crypto custody technology providers.
Interaction with MiCA
DORA supplements MiCA’s operational requirements. Key interactions include:
| Requirement | MiCA Provision | DORA Provision |
|---|---|---|
| ICT governance | CASP governance requirements | ICT risk management framework |
| Cybersecurity | Technology and security standards for CASPs | Comprehensive ICT protection and detection |
| Incident reporting | CASP incident reporting | Detailed incident classification and reporting |
| Business continuity | CASP business continuity requirements | ICT business continuity and disaster recovery |
| Third-party risk | CASP outsourcing requirements | ICT third-party risk management |
| Testing | General operational resilience | Mandatory ICT security testing and TLPT |
Where MiCA and DORA overlap, DORA’s more detailed requirements generally prevail as the lex specialis for ICT risk management.
What This Means for Your Business
For CASPs: DORA compliance is not optional and is not secondary to MiCA compliance. Build your ICT risk management framework concurrently with your MiCA authorization preparation. The management body must actively oversee ICT risk — delegating everything to the IT department is insufficient.
For technology teams: DORA requires documented, tested, and auditable ICT risk management. Invest in security monitoring tools, vulnerability management platforms, and incident management systems. The 4-hour initial notification requirement for major incidents demands 24/7 monitoring capability.
For third-party service providers: If you provide ICT services to EU CASPs, expect increased due diligence requirements, contractual obligations, and potential regulatory oversight. Ensure your services meet DORA’s minimum contractual requirements and prepare for audit and inspection by your CASP clients and their regulators.
For compliance officers: Maintain a comprehensive register of all ICT service agreements and report it annually. Monitor concentration risk — over-reliance on a single provider is a regulatory red flag. Ensure incident response plans are tested regularly and updated based on lessons learned.