EU’s new ‘DORA’ rules come into effect: What does it mean for crypto?

Cryptocurrency businesses in the European Union are subject to new cybersecurity regulations as the Digital Operational Resilience Act (DORA) takes effect on Jan. 17.

DORA impacts cybersecurity and resilience practices by virtual asset service providers (VASP) in the region.

To comply with DORA, financial entities in the EU are required to have a comprehensive register of their contractual arrangements with third-party IT service providers to ensure safe infrastructure and risk management.

The new DORA regulations further expand the EU’s Markets in Crypto-Assets Regulation (MiCA), aiming to improve resilience against disruptions such as cyberattacks and IT failures, ultimately targeting stronger investor protection and market integrity.

DORA has a significant impact on MiCA-licensed firms

Matt Sullivan, deputy general counsel and head of Ireland at the crypto infrastructure firm MoonPay, said that DORA has a significant impact on MiCA-licensed crypto firms.

“All crypto asset service providers licensed under MiCA are subject to the DORA requirements,” Sullivan told Cointelegraph.

MoonPay, which secured its MiCA license from the Dutch Authority for the Financial Market on Dec. 30, 2024, has taken steps to address a significant amount of ongoing work to maintain DORA compliance.

“We have mobilized internal teams to undertake additional tasks to ensure our policies, procedures, and processes continuously comply with DORA’s requirements,” Sullivan said, adding:

“Actions we’ve taken include reviewing and updating third-party vendor relationships, compiling a DORA-compliant register of vendors and preparing additional documentation for our information systems.”

Mark Jennings, head of Europe at Gemini crypto exchange, said DORA is a cornerstone of the EU’s efforts to enhance the operational resilience of the financial sector against ICT-related risks.

“In readiness for DORA, we have implemented a Digital Operational Resilience Strategy, an ICT risk management framework, ensured clear governance structures, and adopted best practices to ensure the continuity, security and resilience of our services,” he added.

DORA targets third-party providers used by VASPs

According to Cathy Yoon, general counsel at the Wormhole Foundation, the scope of DORA will impact not only VASPs like crypto exchanges but also crypto asset issuers like the USD Coin (USDC) stablecoin’s issuer Circle.

“It could be argued that many CASPs [VASPs] have already implemented rigorous cybersecurity measures, often more stringent and more robust than those found in more traditional financial institutions due to the nature of crypto itself,” Yoon said.

Related: Standard Chartered debuts crypto services in Europe with new license

As VASPs may find themselves well-positioned to deal with DORA, the same may not be true for party service providers used by CASPs, she said, adding:

“Taking a proactive approach to security and building out cybersecurity measures in line with DORA may have significant implications for smaller service providers, especially startups with limited capital to comply with DORA.”

Eventually, one possible result of DORA’s application could be a consolidation of those service providers to have the best security practices possible in place and to meet the requirements of institutions that fall under DORA, Yoon said.

Chris Denbigh-White, head of security at Elwood Technologies, said that DORA’s application means ensuring things like cybersecurity, third-party risk management and incident response protocols.

“We can help institutions prepare for the new digital asset regulations such as DORA by providing clients with Energy Management System and Power Management System solutions that were built with operational resilience in mind,” Denbigh-White said.

“We are seeing more clients focus on operational resilience and believe DORA ultimately will support the protection of investors and the market overall,” he added.

Magazine: How crypto laws are changing across the world in 2025