Cryptocurrency companies operating in European Union member states will be required to strengthen their cybersecurity and risk management as the economic bloc implements new regulations.
EU authorities recently announced that the Digital Operational Resilience Act (DORA), a comprehensive and harmonized regional regulatory framework that will govern the digital operational resilience of financial institutions and crypto companies in member countries, came into force on January 17.
The new regulations
EU authorities view the DORA policy as a crucial step to strengthen the digital operational resilience framework of financial institutions operating in countries that are part of the regional bloc, saying the new regulation aims to address inconsistencies and gaps in managing cyber risks within the EU.
The DORA Regulation does not only apply to financial institutions and banks as it also covers crypto-asset service providers, insurance companies, investment firms and management companies.
Cryptocurrency businesses in the European Union are subject to new cybersecurity regulations as DORA takes effect on January 17.
How will this impact VASP?
Analysts believe that the cybersecurity and resilience practices of virtual asset service providers (VASPs) in the European bloc will be greatly affected by the imposition of DORA.
Legal Intelligence JD Supra said one of the provisions of the new EU rule is to develop and review third-party ICT risk management strategies, such as the inclusion of mandatory provisions in contracts with ICT service providers and “an information register documenting all existing contractual agreements”.
This DORA provision would affect VASPs in the region as EU financial entities will be obliged to maintain a full record of their contractual arrangements with third-party IT service providers.
An official at cryptocurrency exchange Gemini believes DORA is critical to improving the financial sector’s operational resilience to ICT-related risks.
“In preparation for DORA, we implemented a digital operational resilience strategy, an ICT risk management framework, ensured clear governance structures and adopted best practices to ensure the continuity, security and resilience of our services,” explained Mark Jennings, Head of Europe at Gemini.
Extension of the MiCA rule
Crypto analysts said the new European regulations are expected to expand the Regulation of Markets in Crypto Assets (MiCA), saying DORA’s aim is to improve the resilience of crypto companies against disruptions and cyberattacks, by protecting investors and strengthening market integrity.
An executive at crypto infrastructure company MoonPay said the new regulations would have a significant impact on MiCA-licensed crypto companies.
“All crypto asset service providers licensed under MiCA are subject to DORA requirements,” said Matt Sullivan, MoonPay Deputy General Counsel and Head of Ireland.
Sullivan revealed that his crypto infrastructure company is already taking steps to become a DORA-compliant entity. MoonPay only obtained its MiCA license from the Dutch Financial Market Authority on December 30, 2024.
A challenge for small service providers
Wormhole Foundation General Counsel Cathy Yoon said VASPs can handle DORA’s provisions and are more likely to have implemented strict cybersecurity measures to maintain compliance with the new regulations.
However, Yoon is concerned that startups and small service providers will struggle to achieve DORA compliance.
“Taking a proactive approach to security and developing DORA-compliant cybersecurity measures can have significant implications for smaller service providers, especially startups with limited capital to comply with DORA,” said Yoon.