General information only. CryptoRegHub provides summaries for informational purposes and does not constitute legal or compliance advice. Always verify with official sources and consult qualified legal counsel before making compliance decisions.
CryptoRegHub provides plain-English summaries of crypto regulations for informational purposes only. This does not constitute legal, compliance, or financial advice. Regulations change frequently — always verify information with official sources and consult qualified legal counsel before making any compliance decisions.
DORA (Regulation (EU) 2022/2554) applies to all financial entities regulated under EU financial law, which explicitly includes crypto-asset service providers authorised under MiCA. It entered into application on 17 January 2025, creating a comprehensive ICT (information and communications technology) risk management framework. DORA requires covered entities to have robust ICT risk management frameworks, conduct regular resilience testing (including threat-led penetration testing for significant firms), manage third-party ICT provider risk, and report major ICT incidents to competent authorities. CASPs that were operating under national transitional regimes on 17 January 2025 must still comply with DORA — the MiCA grandfathering period does not exempt firms from DORA obligations.
Applies to all crypto-asset service providers authorised under MiCA. Also applies to credit institutions, payment institutions, investment firms, e-money institutions, and other financial entities. Third-party ICT providers that are critical to the financial sector are subject to oversight by EU supervisory authorities.
Key requirements: (1) ICT risk management framework: policies, procedures and tools to identify, protect against, detect, respond to and recover from ICT risks. (2) ICT incident reporting: major ICT incidents must be reported to the competent authority (initial notification within 4 hours of classification, intermediate report within 72 hours, final report within 1 month). (3) Digital operational resilience testing: basic testing annually; advanced threat-led penetration testing (TLPT) every 3 years for significant entities. (4) ICT third-party risk management: register of all ICT providers; contractual requirements for key third-party providers. (5) Information sharing: firms encouraged to share cyber threat intelligence. (6) Oversight of critical third-party providers by ESMA, EBA and EIOPA.
Always refer to official sources to confirm current requirements. CryptoRegHub summaries are for general guidance only.
Large fines, licence revocation, or criminal referral risk
This summary is for general informational purposes only and does not constitute legal advice. Always verify with official sources and consult qualified legal counsel.