EU Digital Operational Resilience Act (DORA)
EU regulation applying from Jan. 17, 2025 that harmonizes ICT risk, incident reporting, resilience testing, ICT third-party risk and critical-provider oversight for financial entities, including MiCA CASPs and ART issuers.
At a glance
Overview
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, commonly known as DORA, is the European Union’s in-force operational-resilience framework for financial entities and certain ICT third-party service providers. The regulation entered into force on Jan. 16, 2023 and has applied from Jan. 17, 2025. For crypto markets, DORA is most relevant because its scope includes crypto-asset service providers authorized under MiCA and issuers of asset-referenced tokens.
DORA Scope and Crypto-Asset Coverage
DORA is not a crypto-only law. It is a horizontal financial-sector resilience regulation covering banks, insurers, investment firms, payment institutions, market infrastructures, fund managers, crypto-asset service providers, asset-referenced token issuers, and other financial entities. Official supervisory materials describe DORA as a common legal framework for ICT risk across the EU financial sector, replacing a fragmented set of operational-risk expectations with harmonized digital-resilience rules.
The crypto connection runs through MiCA authorization. A crypto-asset service provider or issuer of asset-referenced tokens that falls within DORA must treat ICT resilience as a regulated financial-services obligation, not merely an internal technology matter. This includes governance, testing, incident reporting, ICT outsourcing controls, registers of ICT third-party arrangements, and cybersecurity-related information-sharing mechanisms.
Core DORA Requirements for Financial Entities
DORA is commonly organized around five operational pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and voluntary information-sharing on cyber threats. EIOPA and ESMA also identify an EU-level oversight framework for ICT third-party providers designated as critical for the financial sector.
The ICT risk-management pillar requires financial entities to maintain governance, controls, procedures, technical tools, continuity arrangements, and oversight structures designed to preserve resilient operations. The management body remains accountable for ICT risk governance, and Level 2 technical standards add detail on ICT asset management, encryption, network security, change management, access control, detection, response, and business continuity.
Incidents, Testing, and Third-Party ICT Risk
DORA harmonizes how financial entities classify, manage, and report major ICT-related incidents and significant cyber threats. Implementing and delegated acts adopted under DORA specify incident-classification criteria, report content, time limits, standard forms, templates, and procedures. The framework is designed to help competent authorities coordinate faster where incidents affect cross-border or interconnected financial services.
Resilience testing is another core part of the regime. Financial entities must maintain testing programs that can include vulnerability assessments, scenario-based testing, source-code reviews, network-security reviews, and, for selected entities, threat-led penetration testing. DORA also requires a more formal approach to ICT third-party risk, including contract controls, registers of information, subcontracting assessments, and monitoring of services supporting critical or important functions.
Critical ICT Third-Party Provider Oversight
DORA created a direct EU oversight layer for ICT third-party service providers designated as critical. On Nov. 18, 2025, the European Supervisory Authorities published the first list of designated critical ICT third-party providers, including cloud, infrastructure, data, and technology firms used across the EU financial system. The ESAs said the objective is to promote sound ICT risk management by critical providers and assess whether they have appropriate governance and resilience frameworks.
Status and Jurisdictional Impact
As of June 5, 2026, DORA is in force and applicable across the European Union. The ESAs published the first annual overview of major ICT-related incidents under DORA on June 3, 2026, showing that the framework has moved from implementation into supervisory reporting and oversight. This profile should be read together with MiCA, national competent-authority implementation, EU Level 2 standards, and related cybersecurity frameworks such as NIS2 where applicable.
Key provisions
Financial entity scope
Applies to a broad set of EU financial entities, including MiCA-authorized crypto-asset service providers and asset-referenced token issuers.
ICT risk management framework
Requires governance, controls, policies, procedures and technical tools to identify, protect against, detect, respond to, recover from and learn from ICT risk.
Major ICT incident reporting
Harmonizes classification, management and reporting of major ICT-related incidents and significant cyber threats to competent authorities.
Digital resilience testing
Requires testing programs and, for selected entities, advanced threat-led penetration testing to assess operational resilience.
ICT third-party risk
Requires controls for ICT service-provider arrangements, including policies, registers of information, contractual terms and subcontracting assessments.
Critical ICT provider oversight
Creates ESA-led oversight for ICT third-party service providers designated as critical for the EU financial sector.
Cyber-threat information sharing
Allows financial entities to exchange cyber-threat information and intelligence through voluntary information-sharing arrangements.
Proportionality
Applies requirements with proportionality, including simplified ICT risk-management treatment for certain smaller or less interconnected entities.
Timeline
Regulation signed
European Parliament and Council adopted Regulation (EU) 2022/2554 on digital operational resilience.
Published in Official Journal
DORA was published in the Official Journal as Regulation (EU) 2022/2554.
Entered into force
ESMA states that DORA entered into force on Jan. 16, 2023.
First Level 2 acts published
Initial DORA delegated regulations on ICT risk, incident classification and third-party policy were published.
DORA applies
DORA became applicable to in-scope EU financial entities.
Critical ICT providers designated
The ESAs published the first list of designated critical ICT third-party providers under DORA.
First major-incident report
The ESAs published the first annual overview of major ICT-related incidents under DORA.
Who it affects
Actors
Council of the European Union, European Banking Authority, European Commission, European Insurance and Occupational Pensions Authority, European Parliament, European Securities and Markets Authority, National competent authorities
Asset classes
Asset-referenced tokens, Crypto assets, Digital assets
Editorial note
This profile covers DORA as an EU financial-sector operational-resilience framework. It is not a crypto-only law and should be read with MiCA, Level 2 standards, national competent-authority guidance and related cybersecurity regimes.