Cryptocurrency firms operating in member states of the European Union will be required to beef up their cybersecurity and risk management as the economic bloc implements a new regulation. EU authorities recently announced that the Digital Operational Resilience Act (DORA) took effect on January 17, a comprehensive and harmonized regional regulatory framework that will govern the digital operational resilience of financial institutions and crypto firms in member nations. The New Regulation EU authorities consider the DORA policy as a crucial step to enhance the digital operational resilience framework of financial institutions operating in the countries that are part of the regional bloc, saying that the new regulation aims to address the inconsistencies and gaps in the cyber risk management within the bloc. The DORA regulation does not only apply to financial institutions and banks because it also covers crypto-asset service providers, insurance companies, investment firms, and management companies. Cryptocurrency businesses in the European Union are subject to new cybersecurity regulations as DORA takes effect on January 17. How Will It Impact VASP? Analysts see that the cybersecurity and resilience practices of virtual asset service providers (VASP) in the European bloc will be greatly affected by the imposition of DORA. Legal intelligence JD Supra stated that one of the provisions under the new EU rule is developing and reviewing ICT third-party risk management strategies such as having mandatory provisions in contracts with ICT service providers and “a registry of information documenting all existing contractual arrangements.” This DORA provision would affect VASPs in the region because financial entities in the EU will be compelled to have a comprehensive register of their contractual arrangements with third-party IT service providers. An official of the crypto exchange Gemini believes that DORA is essential to improve the financial sector’s operational resilience against ICT-related risks. “In readiness for DORA, we have implemented a Digital Operational Resilience Strategy, an ICT risk management framework, ensured clear governance structures, and adopted best practices to ensure the continuity, security and resilience of our services,” Gemini head of Europe Mark Jennings explained. Expanding MiCA Rule Crypto analysts said that the new EU regulation is seen to expand the Markets in Crypto-Assets Regulation (MiCA), saying that the goal of DORA is to enhance the resiliency of crypto firms against disruptions and cyberattacks, protecting investors and boosting market integrity. An executive of the crypto infrastructure firm MoonPay said that the new regulation would have a considerable impact on MiCA-licensed crypto companies. “All crypto asset service providers licensed under MiCA are subject to the DORA requirements,” MoonPay’s deputy general counsel and head of Ireland Matt Sullivan said. Sullivan revealed that their crypto infrastructure firm is already taking steps to become a DORA complaint entity. MoonPay got its MiCA license from the Dutch Authority for the Financial Market only last December 30, 2024. A Challenge To Small Service Providers Wormhole Foundation general counsel Cathy Yoon said that VASPs can deal with the provisions of DORA and have more likely implemented strict cybersecurity measures to maintain their compliance with the new regulation. However, Yoon worried that startups and smaller service providers might find it difficult to get their DORA compliance. “Taking a proactive approach to security and building out cybersecurity measures in line with DORA may have significant implications for smaller service providers, especially startups with limited capital to comply with DORA,” Yoon said. Featured image from Dataddo Blog, chart from TradingView
