In a significant move towards fortifying the cybersecurity framework of the financial sector, the European Union authorities have brought into force a comprehensive and harmonized regional regulatory framework known as the Digital Operational Resilience Act (DORA). The act came into effect on January 17 and is designed to enhance the digital operational resilience of crypto firms and financial institutions operating within the member states of the European Union.
Understanding the Digital Operational Resilience Act (DORA)
European authorities view DORA as a vital instrument to uplift the digital operational resilience of financial institutions and fill in the existing gaps and inconsistencies in managing cyber risks within the EU. The regulation is not limited to banks and financial institutions. It also covers a wide spectrum of entities, including cryptocurrency service providers, insurance companies, investment firms, and management companies. In essence, DORA brings new cybersecurity regulations for cryptocurrency businesses operating in the European Union.
Implications for Virtual Asset Service Providers (VASP)
The imposition of DORA is anticipated to play a significant role in revolutionizing the cybersecurity and resilience practices of VASPs within the European Union. According to legal intelligence firm JD Supra, a prominent provision in the new EU rule revolves around developing and reviewing ICT third-party risk management strategies. This includes having mandatory provisions in contracts with ICT service providers and maintaining a registry of all existing contractual arrangements. This rule is bound to impact VASPs since all financial entities within the EU will now be required to maintain a comprehensive registry of their contractual arrangements with third-party IT service providers.
Insights from Crypto Firm Gemini
Mark Jennings, Head of Europe at crypto exchange Gemini, stressed the importance of DORA in enhancing the financial sector’s resilience against ICT-related risks. “In preparation for DORA, we have executed a Digital Operational Resilience Strategy, adopted a robust ICT risk management framework, ensured clear governance structures, and embraced best practices to anchor the continuity, security, and resilience of our services,” Jennings said.
Extension of the Markets in Crypto-Assets Regulation (MiCA)
Crypto experts opine that the DORA regulation is poised to expand upon the regulations provided under MiCA. The primary purpose of DORA is to strengthen the resilience of crypto firms against disruptions and cyberattacks, which is expected to improve investor protection and market integrity. As per Matt Sullivan, Deputy General Counsel and Head of Ireland at MoonPay, “All crypto-asset service providers licensed under MiCA are subject to the DORA requirements.” He added that MoonPay has already initiated steps to comply with DORA.
Implications for Small Service Providers
There’s been speculation, however, that startups and smaller service providers might struggle to adhere to the regulations under DORA. Wormhole Foundation’s General Counsel, Cathy Yoon, emphasized that such entities may find the process of compliance burdensome, especially given their limited capital.
Frequently Asked Questions
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is a comprehensive regulatory framework imposed by the European Union to enhance cybersecurity and risk management among financial institutions and crypto firms operating within its member states.
How will DORA impact VASPs?
DORA will significantly impact Virtual Asset Service Providers (VASPs) as it necessitates the development and review of ICT third-party risk management strategies. This includes having mandatory contract provisions with ICT service providers and maintaining a comprehensive registry of all contractual arrangements.
Who falls under the purview of DORA?
DORA applies not only to financial institutions and banks but also to crypto-asset service providers, insurance companies, investment firms, and management companies within the European Union.