The European Union’s Digital Operational Resilience Act (DORA) has officially come into effect as of January 17, expanding cybersecurity requirements for cryptocurrency businesses across the region. The regulation marks a significant step towards enhancing the operational resilience of financial entities, including Virtual Asset Service Providers (VASPs).

Strengthening Cybersecurity in Crypto

DORA aims to bolster the EU’s existing Markets in Crypto-Assets Regulation (MiCA), focusing on protecting investors and ensuring market integrity. Under the new rules, financial entities must maintain a detailed register of their contractual arrangements with third-party IT service providers, ensuring robust infrastructure and effective risk management.

Matt Sullivan, deputy general counsel and head of Ireland at crypto infrastructure firm MoonPay, highlighted the critical impact of DORA on MiCA-licensed crypto firms. “All crypto asset service providers licensed under MiCA are subject to the DORA requirements,” Sullivan stated.

MoonPay, which secured its MiCA licence from the Dutch Authority for the Financial Market in December 2024, has already taken proactive steps to meet DORA’s standards. These include reviewing third-party vendor relationships, creating a DORA-compliant vendor register, and preparing additional documentation for information systems.

Focus on Operational Resilience

The broader aim of DORA is to ensure financial institutions, including crypto firms, can withstand disruptions such as cyberattacks and IT failures. Mark Jennings, head of Europe at Gemini crypto exchange, described DORA as a cornerstone of the EU’s efforts to mitigate ICT-related risks.

“In readiness for DORA, we have implemented a Digital Operational Resilience Strategy, an ICT risk management framework, clear governance structures, and best practices to ensure the continuity, security, and resilience of our services,” Jennings said.

Impact on Third-Party Providers

DORA not only targets VASPs but also extends its scope to third-party service providers, such as IT vendors, used by crypto firms. Cathy Yoon, general counsel at the Wormhole Foundation, noted that many crypto businesses have already implemented advanced cybersecurity measures due to the inherent risks in the sector.

However, smaller third-party service providers may struggle to meet DORA’s stringent requirements. Yoon warned this could lead to consolidation within the service provider landscape, as smaller firms with limited resources may face challenges in achieving compliance.

Ensuring Compliance and Investor Protection

Chris Denbigh-White, head of security at Elwood Technologies, emphasised the importance of cybersecurity, third-party risk management, and incident response protocols under DORA. He noted the regulation’s potential to enhance operational resilience across the industry.

“We are seeing more clients focus on operational resilience, and we believe DORA ultimately will support the protection of investors and the market overall,” Denbigh-White said.

A New Era for Crypto Regulation

The implementation of DORA signals a new era for cryptocurrency regulation in the EU, strengthening investor protections and fostering greater confidence in digital asset markets. While larger firms may be well-prepared, the regulation poses challenges for smaller players, particularly third-party providers, to align with the heightened standards.

As the industry adapts, DORA’s impact will likely reshape operational practices, promoting greater resilience against the risks associated with digital finance.