The European Union's Digital Operational Resilience Act (DORA) is set to impact cryptocurrency businesses as it takes effect on January 17. This legislation broadens the scope of the Markets in Crypto-Assets Regulation (MiCA) and mandates enhanced cybersecurity and risk management practices for firms operating in the region.
With DORA now in force, virtual asset service providers (VASPs) in the EU must adopt rigorous cybersecurity measures. Financial entities are required to maintain a detailed register of their contractual agreements with third-party IT service providers to ensure robust infrastructure and effective risk management.
The introduction of DORA aims to bolster resilience against disruptions, such as cyberattacks and IT failures, ultimately enhancing investor protection and market integrity.
Significant Impact on MiCA-Licensed Firms
According to Matt Sullivan, deputy general counsel and head of Ireland at MoonPay, a crypto infrastructure company, DORA will notably affect firms licensed under MiCA. He stated, “All crypto asset service providers licensed under MiCA are subject to the DORA requirements.” MoonPay, which obtained its MiCA license from the Dutch Authority for the Financial Markets on December 30, 2024, is actively working to ensure compliance with DORA. Sullivan mentioned that the company has mobilized teams to review and update vendor relationships and compile a register aligned with DORA requirements.
Mark Jennings, head of Europe at Gemini crypto exchange, emphasized that DORA is crucial for enhancing the operational resilience of the financial sector against ICT-related risks. “In preparation for DORA, we have implemented a Digital Operational Resilience Strategy and an ICT risk management framework, ensuring clear governance structures and adopting best practices for service continuity and security,” he noted.
DORA's Reach to Third-Party Providers
Cathy Yoon, general counsel at the Wormhole Foundation, pointed out that DORA's scope affects not only VASPs but also crypto asset issuers, such as Circle, the issuer of USD Coin (USDC). She argued that many crypto asset service providers have already implemented stringent cybersecurity measures, often surpassing those of traditional financial institutions.
However, Yoon cautioned that smaller service providers, particularly startups with limited resources, may struggle to meet DORA's requirements. This could lead to a consolidation of service providers to ensure they can offer the highest security standards necessary for compliance.
Chris Denbigh-White, head of security at Elwood Technologies, stated that DORA necessitates a focus on cybersecurity, third-party risk management, and incident response protocols. He mentioned that companies are increasingly prioritizing operational resilience and believes that DORA will ultimately benefit investor protection and market stability.
In summary, DORA represents a significant step in enhancing cybersecurity measures within the EU's crypto landscape, promoting resilience and integrity in the sector.