The European Union’s new Digital Operational Resilience Act (DORA) went into effect on January 17th, significantly impacting how crypto firms operate within the EU. This comprehensive regulation aims to boost cybersecurity and risk management across the financial sector, including crypto.
What Is DORA and Who Does It Affect?
DORA isn’t just for banks. It applies to a wide range of financial institutions, including:
- Crypto-asset service providers (VASPs)
- Insurance companies
- Investment firms
- Management companies
Essentially, any company dealing with digital finance in the EU needs to comply.
How DORA Impacts Crypto Businesses (VASPs)
DORA forces VASPs to seriously upgrade their cybersecurity practices. These include measures such as:
- Stricter third-party risk management: VASPs must carefully manage their relationships with IT service providers, keeping detailed records of all contracts.
One Gemini executive praised DORA, stating that their company has already implemented a comprehensive strategy to meet the new requirements. This includes establishing clear governance and adopting best practices to ensure service security and continuity.
DORA’s Relationship with MiCA
DORA expands on the existing Markets in Crypto-Assets Regulation (MiCA). While MiCA focuses on market regulation, DORA strengthens the overall resilience of crypto firms against cyberattacks and disruptions, ultimately protecting investors and market integrity. Companies already licensed under MiCA are automatically subject to DORA’s rules. One MoonPay executive confirmed their company is actively working towards DORA compliance, having recently received their MiCA license.
Challenges for Smaller Players
While larger firms might find DORA manageable, smaller VASPs and startups face a significant challenge. The cost of implementing the necessary cybersecurity measures could be substantial, potentially hindering smaller companies’ ability to comply. This is a major concern for many in the industry.