Lov&Data

2/2025: Articles
20/06/2025

Digital Operational Resilience: A Guide for crypto-asset service providers under DORA and MiCA

By Victoria Jakobsen, law graduate from UiT, currently working as an Advisor in KPMG's Cyber & Privacy department in Brussels.

Illustration: Colourbox.com

1. Introduction

1.1. The regulatory landscape

The increasing adoption and popularity of cryptocurrencies highlight the need for robust security measures and resilience. This is not merely an individual concern but is becoming a matter of preserving trust and preventing systemic risks in the financial market as a whole.(1) As the technology in this field advances, it is increasingly important to have legislative measures that effectively capture the unique threat landscape for crypto-asset service providers, such as private key theft and smart contract vulnerabilities.

The European Union has recognized the need for stringent security measures in the financial sector through the implementation of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (DORA). While DORA sets forth the most detailed legal framework for cybersecurity in the Union, it is not the only framework that applies to crypto-asset service providers (CASPs).

The implementation of Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) highlights the critical role of DORA in ensuring digital operational resilience for CASPs, see article 68 (7). MiCA covers all crypto-assets that are not already regulated by existing EU financial services regulation, such as e-money tokens, asset-referenced tokens, utility tokens and unbacked crypto-assets that do not qualify as financial instruments under MiFID II.

Note that because the scopes of application of DORA and MiCA differ, it is important to carry out a case-by-case assessment of the rules and regulations applicable to the entity in question.

1.2. Aspects of difference between traditional financial entities and CASPs

CASPs enjoy several advantages that enable them to address both operational resilience and compliance in ways that traditional financial entities may struggle to replicate. A key advantage is their low technical debt. Most CASPs operate on modern, cloud-based infrastructure paired with blockchain technology. Generally speaking, this results in lower technical debt than the legacy systems that dominate traditional financial entities.

For example, the decentralized nature of many crypto architectures enables scalable and flexible solutions, such as decentralized identity management or automated risk monitoring tools. These solutions can improve resilience by enhancing security and ensuring that compliance requirements are met more efficiently.

Another distinct advantage for CASPs is their ability to leverage automation and new technologies. Automating tasks like monitoring, reporting, and auditing can help reduce human error and increase the overall efficiency of compliance. This flexibility makes it easier for them to integrate tools like machine learning for anomaly detection, AI-based fraud prevention, and blockchain analytics. Additionally, tools that automatically audit smart contracts for vulnerabilities help prevent security flaws before the contracts are deployed.

On the other hand, the need for transparency is greater because CASPs cannot draw on the general trust that traditional financial entities have built up over many years. Incidents could therefore cause greater reputational damage to CASPs. Furthermore, decentralisation and innovation can also imply greater reliance on third parties and less capacity for reintegrating ICT services back into the CASP's internal environment. This means that while vendor security and third-party risk management are also a priority for traditional financial entities, they should be among the top priorities for CASPs that rely heavily on outsourced ICT services.

2. Requirements under DORA

2.1. Introduction to DORA

MiCA article 68 (7) and (8) underscore the importance of a comprehensive risk management framework to safeguard ICT systems, focusing on reliance on third-party service providers, availability, authenticity, integrity and confidentiality. Nevertheless, MiCA must also be read in conjunction with DORA, which provides a detailed description of such risk management frameworks.

DORA consists of four chapters of material requirements for the cybersecurity of financial entities. Chapter II gives an in-depth legal framework for ICT risk management frameworks, building on the principles of identification, protection, detection, response and recovery.(2) Chapter III gives detailed requirements on ICT-related incident management, classification and reporting. Chapter IV focuses on digital operational resilience testing and Chapter V covers ICT third-party risk. All of these are important for a holistic and comprehensive outlook on digital operational resilience for CASPs. However, as previously mentioned, the unique nature of CASPs may result in different focuses and different priorities than for the more traditional financial entities.

2.2 ICT risk management framework and proportionality

DORA mandates that financial entities develop and document comprehensive ICT security policies, procedures, protocols, and tools to protect information assets and ICT assets, see article 6 (1). Paragraph 2 of article 6 further elaborates that the ICT risk management framework needs content that is “necessary to duly and adequately protect all information asset and ICT assets…”. The wording clearly nods to the principle of proportionality highlighted in DORA art. 4.

The specific material content of the ICT risk management framework is further elaborated in DORA itself as well as in several Commission Delegated Regulations, also called regulatory technical standards (RTS), adopted under the regulation.(3)

RTS 2024/1774 on the ICT risk management framework acknowledges that the financial entities subject to DORA encompass a diverse array of sizes, structures, internal organisations, and levels of complexity, as highlighted in Recital 1.

Article 2 of RTS 2024/1774 contains a detailed list of what the entity's ICT risk management framework needs to achieve. The goals span from ensuring the security of networks in litra a to guaranteeing business continuity in litra d. By phrasing the goals of the ICT risk management framework in this way, the regulator to some extent leaves the entities discretion in determining how best to achieve them. Especially for CASPs operating at the boundaries of the traditional financial sector, this discretion is important for tailoring an ICT risk management framework to their needs.

We can see the same nod to proportionality when RTS 2024/1774 uses known information security principles such as “risk tolerance levels” and “residual risk”. The RTS balances the need for visibility on these topics but does not specify a minimum tolerance level for the entities, see article 3. Still, RTS 2024/1774 contains several requirements regarding the responsibility for and organisation of the ICT risk management framework, see article 2 (2).(4)

RTS 2024/1774 goes into detail when discussing specific policies and procedures for asset management in articles 4 and 5. The balance of proportionality is pushed further by even elaborating on specific controls regarding encryption and cryptographic controls. While both asset management and encryption are key aspects of ensuring availability and confidentiality, and it is understandable why the regulator chooses to emphasise these topics, it also affects the CASPs' ability to determine and tailor the content of their own ICT risk management framework.

2.3 Connection with MiCA

On February 15 of 2025, RTS 2025/299 was introduced as a supplement to MiCA. Appropriately, it references Articles 11 and 12 of DORA in its opening paragraph. The RTS 2025/299 introduces further obligations specifically aimed at ensuring the continuity and consistency in the delivery of crypto-asset services. While business continuity is emphasized in several clauses of DORA, including articles 11, 24, and 25, RTS 2025/299 provides additional, detailed specifications tailored specifically for CASPs.

RTS 2025/299 emphasizes the differences between traditional financial entities and entities operating in crypto-assets, such as CASPs. Focusing again on business continuity and proportionality, the goal of the RTS is clearly to ensure operational resilience in the services that CASPs provide. Not only does the RTS emphasize business continuity plans for CASPs, it also underscores the need for information distribution to clients and customers in the event of business disruptions involving permissionless distributed ledgers, see article 4 (2) and (3).

Additionally, there is a focus on continuous improvement, and CASPs must also perform periodic testing of their business continuity plans, see article 5 of RTS 2025/299. For CASPs, scenario-based crypto-specific tests are perhaps even more important. Threats such as smart contract exploits, private key theft, and blockchain consensus attacks can all impact business continuity for CASPs in various ways. RTS 2025/299 also contains the requirement to document testing activity in writing and submit it to the management body, see article 5 (3). This also makes the documentation subject to review by supervisory authorities during audits.

3. Summary

While most financial entities encounter challenges in complying with DORA, crypto-asset service providers face these challenges somewhat differently given their nature. Their challenges include DORA's integration with distributed ledger technologies, as well as the scalability and proportionality of the regulation.

DORA mandates the development of comprehensive ICT security policies and procedures, emphasizing principles like identification, protection, detection, response, and recovery. The regulation also highlights the importance of proportionality, allowing CASPs to tailor their ICT risk management frameworks to their specific needs. RTS 2024/1774 and RTS 2025/299 provide detailed requirements and additional specifications for CASPs, focusing on business continuity, periodic testing, and continuous improvement.

While it is noteworthy that RTS 2025/299 focuses on business continuity in the face of permissionless distributed ledgers, it is important to emphasize that succeeding at business continuity requires a holistic approach to ICT risk management as a whole. This ensures that the overall ICT risk management framework can leverage the unique benefits and address the unique risks that CASPs face.

Works Cited

  1. Binance. (2022, 05 27). FAQ: An Overview of the Binance Card. Retrieved from Binance.com: https://www.binance.com/en/support/faq/detail/7258c9d01cd04e58b4269ae5a86acb6d

  2. Pascoe, C. (2024). The NIST Cybersecurity Framework (CSF) 2.0, NIST Cybersecurity White Papers (CSWP). Gaithersburg, MD: National Institute of Standards and Technology. doi: https://doi.org/10.6028/NIST.CSWP.29

Notes

  1. As an example, Binance tried offering the Binance debit card, allowing European residents to convert and spend cryptocurrencies in online and physical stores. For various reasons the service closed in the EEA in 2023 (Binance, 2022).
  2. Building upon recognized frameworks such as NIST (Pascoe, 2024).
  3. See especially Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework (RTS 2024/1774).
  4. For example, specific requirements regarding the overarching strategy, formal approvals by management bodies, as well as the responsibilities of staff and the consequences for them.