
DORA Compliance Requirements Hit Crypto Firms in 2026


MiCA licensees must comply with DORA's ICT framework. Most crypto firms are unprepared for the operational demands.

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied since 17 January 2025, establishing a single framework for ICT risk management across EU financial services. Crypto-asset service providers (CASPs) authorized under MiCA are financial entities within DORA's scope, which adds a layer of compliance obligations that many firms have yet to address.

What DORA requires

The DORA regulation mandates several operational capabilities:

ICT risk management framework: Documented policies and procedures for identifying, protecting against, detecting, responding to, and recovering from ICT-related risks. This isn't just having a security policy. It's demonstrating a comprehensive, board-approved framework with regular testing.

Incident classification and reporting: Major ICT-related incidents must be reported to the competent authority within fixed timeframes. The initial notification is due within 4 hours of classifying the incident as major, and no later than 24 hours after the firm became aware of it; the intermediate report within 72 hours of the initial notification; the final report within one month of the intermediate report. The classification criteria (clients and transactions affected, duration, geographic spread, data losses, criticality of services, economic impact) are prescribed and non-negotiable.

Digital operational resilience testing: A regular testing programme for ICT systems covering vulnerability assessments and scans, source code reviews, scenario-based and penetration testing, and, for entities their competent authority identifies as sufficiently significant, threat-led penetration testing (TLPT) at least every three years.

Third-party risk management: Oversight of ICT service providers including cloud providers, SaaS vendors, and infrastructure partners. Contracts must contain specific provisions, exit strategies must be documented, concentration risk must be assessed.

Why crypto firms struggle

Traditional financial institutions have had years to build ICT risk frameworks. Banks, insurers, and investment firms faced escalating requirements long before DORA. They have compliance teams, documented procedures, and testing programs in place.

Most crypto firms don't. They've operated in a regulatory gray zone where security was important but formalized ICT governance was optional. DORA changes that.

The practical gaps are significant:

  • Documentation: Many firms lack written ICT policies at the level DORA requires
  • Testing: Penetration testing happens, but threat-led testing under DORA's TLPT regime, which follows the TIBER-EU framework and involves the competent authority, is different
  • Third-party oversight: Cloud provider contracts rarely contain DORA-required provisions
  • Incident response: Most firms can detect and respond to incidents, but not within DORA's reporting timeframes

What compliance looks like

A DORA-compliant crypto firm needs:

Board-level accountability: DORA places ultimate responsibility for ICT risk on the management body. Senior management must approve ICT risk policies, receive regular reports, and maintain sufficient knowledge of ICT risk. Someone at director level must own operational resilience.

ICT risk management function: Either dedicated staff or clearly assigned responsibilities for ICT risk assessment, monitoring, and reporting.

Business continuity and recovery plans: Documented, tested, and updated plans for maintaining operations during and after ICT disruptions.

Third-party register: A maintained register of information on all contractual arrangements with ICT third-party service providers, with risk assessments for each, submitted to the competent authority at least annually and on request, and kept current as arrangements change.

Incident management process: Clear procedures for classifying incidents, escalating appropriately, and reporting to regulators within required timeframes.

The enforcement picture

The European Supervisory Authorities (EBA, ESMA, EIOPA) jointly oversee DORA implementation and directly oversee critical ICT third-party providers. For MiCA-authorized CASPs, the national competent authority that granted the MiCA authorization assesses DORA compliance as part of ongoing supervision, with ESMA coordinating supervisory convergence across member states.

The first year of DORA enforcement focuses on foundational requirements: ICT risk frameworks, incident reporting capability, third-party registers. Threat-led penetration testing requirements phase in based on entity significance.

Firms that obtained MiCA authorization without addressing DORA should expect supervisory questions. The regulations are linked, and regulators know which firms treated DORA as an afterthought.

The ESMA digital finance guidance includes DORA implementation resources for crypto firms.
