New Rules Expand MiCA’s Scope and Strengthen Cybersecurity Measures
The European Union’s Digital Operational Resilience Act (DORA) officially came into effect on 17 January, bringing significant changes to how cryptocurrency businesses manage cybersecurity and operational risks. These regulations extend the framework established by the Markets in Crypto-Assets Regulation (MiCA), aiming to bolster resilience against cyberattacks, IT disruptions, and other operational challenges.
Under DORA, financial entities, including virtual asset service providers (VASPs), must maintain a comprehensive register of their contractual relationships with third-party IT service providers. This measure is designed to ensure robust risk management and secure infrastructure, ultimately safeguarding investors and promoting market integrity.
Implications for MiCA-Licensed Crypto Firms
The new rules have profound implications for crypto firms licensed under MiCA. Matt Sullivan, deputy general counsel and head of Ireland at MoonPay, highlighted the act’s significance, stating, “All crypto asset service providers licensed under MiCA are subject to the DORA requirements.”
MoonPay, which secured its MiCA licence from the Dutch Authority for the Financial Market in late 2024, has been actively working to comply with DORA. “We’ve mobilised internal teams to ensure our policies, procedures, and processes align with DORA’s standards,” Sullivan noted. The firm has updated third-party vendor relationships, compiled a DORA-compliant vendor register, and prepared additional documentation for information systems.
Similarly, Mark Jennings, head of Europe at Gemini crypto exchange, described DORA as a cornerstone of the EU’s approach to enhancing the financial sector’s operational resilience. “We’ve implemented a Digital Operational Resilience Strategy, an ICT risk management framework, clear governance structures, and best practices to ensure the continuity, security, and resilience of our services,” Jennings said.
Impact on Third-Party Providers and Startups
DORA’s scope extends beyond VASPs, affecting crypto asset issuers such as Circle, the issuer of the USD Coin (USDC) stablecoin. Cathy Yoon, general counsel at the Wormhole Foundation, observed that many VASPs already employ rigorous cybersecurity measures, often surpassing those of traditional financial institutions. However, smaller third-party service providers may struggle to meet DORA’s requirements.
“Startups with limited resources could face challenges in building cybersecurity measures to align with DORA,” Yoon said. This could lead to a consolidation of service providers, favouring those with robust security practices that meet institutional needs.
Focus on Resilience and Risk Management
Chris Denbigh-White, head of security at Elwood Technologies, emphasised the importance of DORA in ensuring comprehensive risk management. “DORA’s application entails robust cybersecurity, third-party risk management, and incident response protocols,” he said.
Elwood Technologies has developed operational resilience solutions to help institutions navigate the new digital asset regulations. “We are seeing increased client focus on resilience, and DORA will ultimately support investor protection and overall market stability,” Denbigh-White added.
A New Era for EU Crypto Regulation
As DORA becomes a regulatory reality, it underscores the EU’s commitment to creating a secure and resilient financial ecosystem. By enforcing stringent cybersecurity measures, enhancing risk management, and expanding the MiCA framework, the act aims to protect investors and maintain market integrity in the fast-evolving cryptocurrency landscape.
