General information only. CryptoRegHub provides summaries for informational purposes and does not constitute legal or compliance advice. Always verify with official sources and consult qualified legal counsel before making compliance decisions.

BrowseEuropean UnionDORA
Verify recommended:14 April 2026·Source →

EU Digital Operational Resilience Act (DORA)

European UnionCrypto Exchanges/CASPsCustody/WalletsGeneral Crypto AssetsExchanges / CEX / DEXCustodians / Wallet ProvidersStablecoin IssuersPayment Service ProvidersFintech / NeobanksESMAEBAStablecoinsBitcoin / PoW assetsEthereum / PoS assetsRegulatory reportingCapital requirementsLicensing / Authorisation
In Force High risk
General information only — not legal advice

CryptoRegHub provides plain-English summaries of crypto regulations for informational purposes only. This does not constitute legal, compliance, or financial advice. Regulations change frequently — always verify information with official sources and consult qualified legal counsel before making any compliance decisions.

DORA (Regulation (EU) 2022/2554) applies to all financial entities regulated under EU financial law, which explicitly includes crypto-asset service providers authorised under MiCA. It entered into application on 17 January 2025, creating a comprehensive ICT (information and communications technology) risk management framework. DORA requires covered entities to have robust ICT risk management frameworks, conduct regular resilience testing (including threat-led penetration testing for significant firms), manage third-party ICT provider risk, and report major ICT incidents to competent authorities. CASPs that were operating under national transitional regimes on 17 January 2025 must still comply with DORA — the MiCA grandfathering period does not exempt firms from DORA obligations.

Who does it apply to?

Applies to all crypto-asset service providers authorised under MiCA. Also applies to credit institutions, payment institutions, investment firms, e-money institutions, and other financial entities. Third-party ICT providers that are critical to the financial sector are subject to oversight by EU supervisory authorities.

Key requirements

Key requirements: (1) ICT risk management framework: policies, procedures and tools to identify, protect against, detect, respond to and recover from ICT risks. (2) ICT incident reporting: major ICT incidents must be reported to the competent authority (initial notification within 4 hours of classification, intermediate report within 72 hours, final report within 1 month). (3) Digital operational resilience testing: basic testing annually; advanced threat-led penetration testing (TLPT) every 3 years for significant entities. (4) ICT third-party risk management: register of all ICT providers; contractual requirements for key third-party providers. (5) Information sharing: firms encouraged to share cyber threat intelligence. (6) Oversight of critical third-party providers by ESMA, EBA and EIOPA.

Obligation types

Regulatory reporting
Ongoing reporting to regulators
Capital requirements
Minimum capital or reserve requirements
Licensing / Authorisation
Requirement to obtain a licence or authorisation before operating

Penalties & fines

Administrative fine — financial entities
Failure to comply with ICT risk management or incident reporting requirements
Max: Up to 2% of total annual worldwide turnover
Applies to: MiCA-authorised CASPs and other financial entities
Administrative fine — critical ICT providers
Non-compliance by critical third-party ICT providers with oversight obligations
Max: Up to EUR 5,000,000 or 1% of average daily worldwide turnover (per day, for up to 6 months)
Applies to: Critical third-party ICT providers

Implementation timeline

Dec 2022
DORA published in EU Official Journal
Jan 2023
DORA entered into force
24-month implementation period began.
Jan 2025DEADLINE
DORA entered into application
All in-scope entities including MiCA-authorised CASPs must now comply. No grace period for crypto firms.

Official sources

Official text — EUR-Lex
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554
ESMA DORA page
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
EBA — Digital Operational Resilience Act (DORA)
https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act

Always refer to official sources to confirm current requirements. CryptoRegHub summaries are for general guidance only.

Frequently asked questions

At a glance
JurisdictionEuropean Union
RegulatorESMA, EBA
Official nameRegulation (EU) 2022/2554 on digital operational resilience for the financial sector
StatusIn Force
Enacted27 Dec 2022
Effective from17 Jan 2025
Last verified14 Apr 2026
Penalty severity
High risk

Large fines, licence revocation, or criminal referral risk

Regulatory bodies
ESMA
European Securities and Markets Authority
Official website →
EBA
European Banking Authority
Official website →
Disclaimer

This summary is for general informational purposes only and does not constitute legal advice. Always verify with official sources and consult qualified legal counsel.