'They Don't Know What Is Coming': DORA To Hit Crypto Firms Hard

March 12, 2024

The EU’s Digital Operational Resilience Act (DORA) is front of mind for financial entities and regulators alike, and set to be challenging for crypto-asset service providers (CASPs) in particular. 

January 17, 2025 is a day that should be marked in every financial institution’s calendar — it is the day DORA will go live and firms will be expected to be in full compliance. 

“There is not that long left to comply and the implementation window is getting smaller very quickly,” said Simon Treacy, senior associate at Linklaters.

DORA is a wide-reaching piece of regulation, with implications across the market. No firm in the EU’s financial services ecosystem escapes its grip, from investment firms to insurers, payments institutions and crypto-asset service providers.

Furthermore, fines for non-compliant financial institutions could amount to 1 percent of their average daily worldwide turnover in the preceding fiscal year. 

This fine can also be levied every day until the financial entity is found to have achieved compliance.

"There is a lot of work going on in the financial services industry as a whole to prepare for DORA, and crypto firms that want to be MiCA-authorised are beginning to pay attention,” said Treacy. 

Johannes Wirtz, a partner at Bird & Bird, agreed, pointing out that, with the Markets in Crypto-Assets regulation (MiCA) and DORA, one will come with the other.

“This will give them quite a lot of work at the same time, whereas those who are licensed under something like a banking or payment licence have a smaller step,” he said. “Being required to deal with MiCA, DORA and also AML requirements with TFR is a big package."

"Looking at some markets, crypto firms are not aware that this is coming,” he warned. “With MiCA at the same time, this will be a lot of work.”

Treacy went on to tell Vixio that no one can expect special treatment in their compliance with the regulation.

“It is very descriptive in some areas, with lots of detailed rules around how you build resilience,” he said. “Firms will need to show they are resilient to ICT-related incidents such as failed IT upgrades, cyberattacks, and data breaches, for example."

It is possible that the sector's relative lack of maturity in regard to regulation is what makes DORA much more challenging for the crypto-asset sector. 

"DORA is a big underestimated concern. 70 or 80 percent of crypto-asset service providers could be wiped out by the need to comply with both MiCA and DORA,” said Jerome Dickinson, founder of avroytech, a crypto consultancy. 

Dickinson even warned that only the strongest exchanges are likely to survive. “With MiCA and DORA bringing up standards, the barriers to entry are only getting higher for the market, which should in turn lead to some concentration.”

"Crypto firms are starting on this regulation a lot further back than other entities,” he pointed out. 

"Many unregulated but critical third party tech providers that crypto exchanges rely on to operate are still unaware or unprepared for DORA, which becomes applicable from January 2025,” Dickinson warned. 

According to the lawyer, these include crypto wallet infrastructure providers and/or blockchain analytics firms.

“Facing significant challenges and compliance costs throughout 2024, firms need to take proactive steps to grasp the new requirements.

“There are potential benefits though, as this could eventually provide them a competitive edge,” he said. 

Some firms could fall out of scope

There is also some respite for different segments of the crypto sector, as indicated by Anja Blaj, policy expert at the European Crypto Initiative. 

“We strongly believe that a vast majority of CASPs, e-money tokens or asset-reference tokens (ART) issuers should fall outside the scope of DORA’s mandatory threat-led penetration test processes, and several other requirements, as they are not reaching the levels of maturity from the ICT perspective which would require them to follow the same suit as other financial entities,” she said. 

Blaj added that it is important to emphasise that the reference to MiCA establishes a strong premise under which the definition of a CASP is not subject to change. 

This means that CASPs or ART issuers that are not authorised under MiCA, and other entities or actors that do not identify as CASPs, including non-custodial wallet providers, software developers, validators, delegators, miners, block explorers, providers of APIs or decentralised protocols and applications, shall not only fall outside the scope of MiCA but are also outside the scope of DORA.

“With that being said, noting that this has not yet been fully clarified, stakeholders within the crypto industry should first consider whether they can be perceived as a CASP, EMT, or ART issuer or an ICT service provider and whether DORA provisions may apply to their businesses,” said Blaj. 

“If the answer is yes, they should further adapt to the requirements. When seeking further guidance on compliance, they should pay extra attention to the requirements regarding subcontracting, especially if or when subcontracting entities outside the EU market, and requirements regarding penetration testing." 

Country-by-country readiness

Wirtz said that, as it stands, there are countries that are perhaps more prepared for DORA than others, and crypto-asset firms authorised in these countries will have had to already follow local compliance requirements. 

"I think that DORA will be tough for most of the financial sector, but will also depend on what member states have done already.”

For example, in Germany, a lot of digital resilience and risk management requirements are already applied to crypto firms. 

“If you take a look at AMLD5 rules, member states could implement licence or registration requirements,” said Wirtz. “If there is a licence requirement, crypto-asset service providers have more or less the same rules as other institutions.”

However, in other EU countries there is a lot more work to be done for these types of firms to come up to scratch.

“Some regulators have really taken a close look and set out clear requirements,” said Wirtz. 

“However, other jurisdictions with just a registration requirement have done more tick-box procedures. This could mean that crypto firms won't be prepared and have policies and procedures in place."

Meanwhile, Antonio Lanotte, Italian ambassador for the Global Blockchain Business Council, said that the countries that operate a shorter transition period for MiCA will be the ones to watch for how crypto companies find complying with DORA.

“Member states such as Lithuania and most likely Austria will probably shorten the grand-fathering clause following the letter from ESMA of last October,” he said. 

The grand-fathering period refers to the optional transitional measure under MiCA that grants member states the ability to allow entities already providing crypto-asset services in their jurisdiction to continue providing those services from December 30, 2024 until as late as July 1, 2026, depending on the duration chosen.

“The cases of Lithuania and Austria will probably be a good test for the remaining European countries,” he said.
