MiCA Regulation (EU) 2023/1114 — In force since December 2024
VASP→CASP Transition Deadline: 1 July 2026
Offices in Düsseldorf · Vilnius · Tallinn

DORA Compliance for Crypto Companies — Digital Operational Resilience Act Guide 2025


DORA — the Digital Operational Resilience Act (Regulation (EU) 2022/2554) — has applied to all MiCA-authorized CASPs since January 17, 2025. Every crypto-asset service provider operating in the EU must now implement a comprehensive ICT risk management framework covering five mandatory pillars: risk governance, incident classification and reporting, resilience testing, third-party ICT risk management, and information sharing. NCAs assess DORA compliance as part of CASP authorization and ongoing supervision. Our DORA compliance packages cover gap analysis, framework implementation, incident procedures, third-party registers, and staff training — delivered in 6–12 weeks, priced from €8,000.

What Is DORA and Why Does It Apply to CASPs?

The Digital Operational Resilience Act (DORA — Regulation (EU) 2022/2554) is the EU's framework for managing ICT risk in the financial sector. It entered into application on January 17, 2025, simultaneously with MiCA's full implementation and DORA's own regulatory technical standards. DORA aims to ensure that EU financial entities — including crypto-asset service providers — can withstand, respond to, and recover from ICT-related disruptions and cyber threats.

DORA explicitly includes CASPs authorized under MiCA and issuers of asset-referenced tokens (ARTs) in its scope under Article 2(1)(f). This means every firm seeking or holding a MiCA CASP authorization must implement DORA's five pillars as a mandatory regulatory requirement — not a voluntary best practice. NCAs assess DORA compliance as part of the CASP authorization process and in ongoing supervisory review.

DORA introduces proportionality: smaller, simpler CASPs benefit from simplified requirements under Article 16 (simplified ICT risk management framework for micro and small enterprises). Our gap analysis identifies your applicable tier and tailors the compliance package accordingly.

DORA Is Already Applicable — No Grace Period for CASPs

DORA entered into application on January 17, 2025. There is no transition grace period for CASPs. Any CASP seeking MiCA authorization in 2025 or 2026 must submit a DORA-compliant ICT risk management framework as part of its NCA application. NCAs across the EU have confirmed they are reviewing DORA compliance in CASP authorization assessments. See also: AML/KYC Services and MiCA Compliance Consulting for the complete compliance picture.

The 5 DORA Pillars for MiCA CASPs

DORA organizes ICT risk management obligations into five interconnected pillars. Every CASP must address all five, with the depth of implementation proportionate to the entity's size, risk profile, and complexity.

1. ICT Risk Management Framework (DORA Chapter II, Art. 5–16)
   The foundation of DORA compliance. CASPs must establish, implement, and maintain a sound and documented ICT risk management framework: an ICT risk management strategy; policies and procedures covering identification, protection, detection, response, and recovery; an ICT asset inventory; business continuity and disaster recovery plans; and regular ICT risk assessments. The management body is responsible for approving and overseeing the ICT risk management framework — DORA places explicit board-level accountability for ICT risk.

2. ICT Incident Classification and Reporting (DORA Chapter III, Art. 17–23)
   CASPs must establish procedures to identify, classify, and report major ICT-related incidents. Major incidents must be reported to the NCA in three stages: initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within 1 month of resolution. Classification criteria are defined by ESMA/EBA joint regulatory technical standards. Voluntary reporting of significant cyber threats (not yet incidents) is also encouraged. Internal incident registers must be maintained.

3. Digital Operational Resilience Testing (DORA Chapter IV, Art. 24–27)
   CASPs must conduct regular ICT testing to assess their digital operational resilience: at minimum, vulnerability assessments and basic testing annually for smaller CASPs. Significant CASPs are subject to advanced Threat-Led Penetration Testing (TLPT) at least every 3 years — coordinated with the NCA, using qualified external testers and real-world threat intelligence. TLPT is based on the TIBER-EU framework and tests live production systems. We assist with TLPT scoping, NCA coordination, and remediation of findings.

4. ICT Third-Party Risk Management (DORA Chapter V, Art. 28–44)
   CASPs must manage ICT risk arising from third-party service providers: cloud platforms, data centers, custody technology, and KYC/AML technology providers. Requirements include a third-party ICT risk management policy; a complete register of all ICT third-party contracts; pre-contract due diligence; contractual provisions on security, audit rights, incident notification, data portability, and exit strategies; and annual review of the register. Contracts with cloud providers (AWS, GCP, Azure) and other critical ICT vendors must be updated to include DORA-required provisions.

5. Information Sharing (DORA Chapter VI, Art. 45)
   CASPs may voluntarily participate in arrangements to share cyber threat intelligence and information with other financial entities in the crypto sector. DORA encourages voluntary information sharing to improve collective sector resilience. Participation requires appropriate internal procedures to ensure that shared information is handled confidentially and does not breach AML tipping-off obligations or data protection requirements. We advise on information-sharing participation and the procedural safeguards required.

DORA Compliance Services for CASPs

Our DORA compliance package is purpose-built for MiCA CASPs — delivered as a complete, fixed-price engagement covering all five DORA pillars:

  • DORA Gap Analysis: Assessment of your current ICT risk management maturity against DORA's five pillars. Identifies every gap, the applicable DORA tier (standard vs. simplified), and a prioritized remediation roadmap. Delivered in 2–3 weeks.
  • ICT Risk Management Framework: Complete policy and procedure set: ICT risk strategy, ICT asset inventory, risk assessment methodology, BCP/DR plans, access control, patch management, and board-level ICT risk reporting template.
  • Incident Response Procedures: ICT incident classification matrix, major incident determination criteria, NCA reporting templates (initial / intermediate / final), internal escalation procedures, and incident register template.
  • Third-Party ICT Register: Complete ICT vendor catalogue with criticality assessment, contract gap analysis against DORA Article 30 requirements, and a template for DORA-compliant contract provisions for cloud and technology vendors.
  • DORA Compliance Manual: Consolidated DORA compliance manual covering all five pillars, tailored to your CASP's service types, technology stack, and team structure. Suitable for NCA submission as part of CASP authorization documentation.
  • Management Body and Staff Training: DORA awareness training for the management body (board-level ICT risk accountability under Art. 5) and operational training for IT, compliance, and operations teams on incident reporting, third-party risk management, and resilience testing obligations.

DORA Compliance for CASPs — FAQ

Does DORA apply to crypto-asset service providers?
Yes. DORA Regulation (EU) 2022/2554, Article 2(1)(f) explicitly lists CASPs authorized under MiCA and issuers of asset-referenced tokens as financial entities in scope. DORA has applied since January 17, 2025. Every MiCA-authorized CASP must implement the full ICT risk management framework, incident reporting, resilience testing, and third-party risk management obligations — there is no opt-out or grace period.

What is the ICT incident reporting timeline under DORA?
DORA Article 19 requires three-stage incident reporting to your NCA for major ICT incidents: (1) initial notification within 4 hours of classifying an incident as major; (2) intermediate report within 72 hours with updated impact assessment and status; (3) final report within 1 month after resolution with root cause analysis. Classification of incidents as "major" is based on ESMA/EBA joint RTS criteria. Internal incident registers must be maintained regardless of reporting threshold.

What is TLPT (Threat-Led Penetration Testing)?
TLPT is an advanced cybersecurity testing methodology under DORA Article 26, required for significant CASPs at least every 3 years. Unlike standard penetration testing, TLPT uses real-world threat intelligence to simulate sophisticated attacks against live production systems, testing people, processes, and technology simultaneously. TLPT is coordinated with the NCA and conducted by qualified external testers. DORA's TLPT framework aligns with the TIBER-EU framework. We assist with TLPT scoping, NCA coordination, tester selection, and remediation of findings.

How does DORA affect CASPs' relationships with cloud providers?
DORA Chapter V requires CASPs to assess, register, and manage ICT third-party risk. All contracts with cloud providers (AWS, Google Cloud, Azure) and other critical ICT vendors must include DORA-mandated contractual provisions: security standards, audit rights, incident notification obligations, data portability, and exit strategy. CASPs must also maintain a complete third-party ICT register and assess the criticality of each vendor. Contracts not updated to include DORA provisions create regulatory non-compliance risk.

What is the DORA third-party risk management requirement?
DORA requires CASPs to implement a comprehensive ICT third-party risk management framework: a board-approved policy; a complete register of all ICT third-party contractual arrangements; pre-contract due diligence; contracts meeting Art. 30 requirements (security, audit rights, incident notification, exit plans, data portability); annual register review; and exit plans for critical ICT providers. For providers designated as "critical ICT third-party providers" by ESMA, EU-level oversight rules additionally apply.

How do I prepare my CASP for DORA compliance?
DORA preparation involves five steps: (1) DORA gap analysis: assess current ICT risk management maturity; (2) ICT risk management framework: policies, procedures, governance, risk register; (3) incident procedures: classification criteria, NCA reporting templates, internal escalation; (4) third-party register: catalogue vendors, assess criticality, update contracts; (5) training: management body ICT risk accountability, staff operational procedures. Our full DORA compliance package covers all five steps at €8,000–€30,000, delivered in 6–12 weeks.

Complete Compliance Coverage — DORA + MiCA + AML

DORA is one layer of the mandatory compliance framework for MiCA CASPs. Our team covers all regulatory requirements across the full compliance spectrum:

  • AML/KYC Services — Complete AML policy, CDD/EDD procedures, FATF Travel Rule implementation, and MLRO support. Required for every CASP authorization alongside DORA.
  • MiCA Compliance Consulting — Pre-authorization gap analysis, full CASP authorization support, NCA liaison, and post-authorization ongoing compliance monitoring including capital adequacy, reporting, and governance.
  • Legal Opinions — Token classification, CASP status determination, white paper review, and regulatory conflict opinions for crypto businesses.
  • MiCA CASP License Overview — Complete guide to MiCA requirements, jurisdiction selection, and EU passporting across all 27 EU member states.

Our compliance team has supported 140+ crypto businesses through EU authorization since 2019. We monitor ESMA and EBA joint RTS updates for DORA as they develop. Contact us for a free DORA gap assessment.

Elena Fischer — Digital Resilience & DORA Compliance Specialist · Vilnius

Digital resilience and DORA compliance specialist with deep expertise in ICT risk management frameworks for EU financial entities, including MiCA CASPs, payment institutions, and electronic money institutions. Elena has led DORA implementation projects across Lithuania, Estonia, Germany, and Poland, working with crypto exchanges, custodians, and token issuers to build DORA-compliant ICT governance frameworks from the ground up. She monitors ESMA and EBA joint RTS development for DORA and advises clients on TLPT scoping and NCA coordination. She holds certifications in information security management and previously worked at a Vilnius fintech regulatory consultancy specializing in ICT risk management for financial services firms.

At a glance: DORA in force since Jan 2025 · 5 DORA pillars · compliance package €8K–€30K · applicable to all EU CASPs

Get Your DORA Compliance Package

Our DORA specialists will assess your current ICT risk management maturity and deliver a complete, NCA-ready DORA compliance framework. Free 30-minute gap assessment, response within 1 business day.
