2 July 2025

How the DORA Regulation applies to CASPs

Authors: William O’Rorke and Imane Dahmani

The Digital Operational Resilience Act (DORA) is now fully applicable across the European Union. While all financial entities are concerned, crypto-asset service providers (CASPs) face unique technical and operational risks. This article provides a legal and operational guide to DORA compliance tailored for CASPs operating in the EU.

In February 2025, a single vulnerability was enough to hack ByBit for over $1.4 billion – a record now etched at the top of the leaderboard of rekt.news. Cybersecurity is therefore not an option but the sine qua non condition for the trust of regulators… and investors.

The DORA Regulation provides the normative response to this threat: since January 17, 2025, it mandates all financial actors, including CASPs, to adhere to a harmonized framework of digital operational resilience covering ICT risk governance, incident management, advanced penetration testing, and control of third-party providers. 

Experience shows, however, that superficial compliance almost always fails; DORA requires structured anticipation, embedded today in the same strategic timeline as MiCA, followed by continuous management based on risk indicators and periodic reviews.

An extended scope of application

The regulation concerns almost all regulated financial entities in the European Union, including: 

  • crypto-asset service providers;
  • credit institutions; 
  • investment firms; 
  • management companies;
  • insurance companies; 
  • trading platforms;
  • occupational pension institutions; and
  • rating agencies, etc. 

Third-party cyber service providers are also concerned insofar as they intervene in the critical functions of financial entities. This means that the regulation does not apply solely to the CASPs themselves, but also to all their technological partners.

For example, a custodian provider, a cloud host storing transactional data, or an IT security provider responsible for monitoring network flows will be subject to certain obligations under the regulation. These entities must comply with the contractual, technical, and organizational requirements imposed by regulated entities, failing which they will not be able to engage with CASPs.

However, certain exemptions are provided for the following entities: 

  • alternative investment fund managers;
  • insurance and reinsurance companies;
  • institutions managing pension schemes with fewer than fifteen members; and
  • insurance, reinsurance, and ancillary insurance intermediaries that are microenterprises or small or medium-sized enterprises.

Key obligations under DORA

Entities must adopt a cyber risk governance framework based on several pillars:

  • appointment of a DORA officer (CISO);
  • involvement of the governing body, responsible for approving the resilience strategy and overseeing its implementation (Example: establishment of an ICT steering committee with the CISO, the DPO, the CTO, and/or the legal officer to assess risk indicators such as the number of ongoing critical vulnerabilities or the client SLA compliance rate);
  • identification of critical assets and cyber dependencies;
  • development of a business continuity strategy including IT recovery plans;
  • monitoring and management of incidents, with an obligation to notify major incidents to the authorities (Example: implement a monitoring dashboard with KPIs including “Time to Detect” (TTD) and “Time to Recover” (TTR), made available to the ICT committee);
  • conducting regular resilience tests, including advanced tests every three years for critical entities; and
  • regulation of relationships with cyber service providers, with strict contractual obligations.

Excerpt of essential clauses tracking

| Essential clause | Description | Measures | Frequency |
| --- | --- | --- | --- |
| Security requirements | The provider undertakes to implement cryptographic controls (encryption of data at rest and in transit). | AES-256 encryption for sensitive data; annual penetration tests. | Annual |
| Notification / incident management | Obligation to notify any security breach or cyber incident within a maximum period of 24 hours. | Notification SLA: within 24 hours, plus an action plan within 48 hours; monitoring via dashboard. | Quarterly |
| Right of audit and control | The AMF/ACPR reserves the right to audit the provider’s infrastructures and processes on-site or remotely. | Full access to logs; obligation to provide ISO 27001 reports. | Biannual |
| Business continuity | The provider must have a Business Continuity Plan (BCP) and Recovery Plan (RP) tested annually. | Failover tests and a recovery plan exercise each year; report to the CFO within 30 days. | Annual |

Entities must also maintain an up-to-date incident register, a cyber service provider register, and implement alert indicators.

Sector-specific risks for CASPs

Beyond general cyber requirements, CASPs must consider sector-specific risks related to their activities and the crypto sector:

  • custody of crypto-assets: the management of custodial or non-custodial wallets entails increased risks in the event of compromise of private keys;
  • particularly high risk of hacking or theft: CASPs are prime targets for sophisticated attacks (phishing, ransomware, smart contract attacks), with often significant and irreversible impacts; and
  • complex technical environment: the ecosystem relies on a chain of interdependent actors – liquidity providers, technological custody providers, blockchain infrastructures, oracles, etc. These dependencies create increased vulnerabilities to manage within the DORA framework.

Application of a principle of proportionality 

DORA provides for a specific regime applicable to micro-enterprises, i.e. those which, according to the European definition, employ fewer than 10 persons and generate a turnover or total balance sheet of less than 2 million euros.

Although subject to the principles of the Regulation, these entities benefit from proportionate measures and reduced requirements, particularly in the following areas:

  • documentation of cyber policies; 
  • obligations regarding advanced penetration testing; and
  • detailed reporting requirements.

The objective is to avoid regulatory overload for these structures while ensuring an adequate level of protection and resilience.

Monitoring and sanctions

National authorities are vested with enhanced powers: they may conduct on-site inspections, require documents, order corrective measures, and even impose fines. Each Member State may also introduce criminal sanctions. Documentation of policies and traceability of actions are therefore essential. The AMF expects stakeholders to address the issue at the authorisation application stage and to be able to demonstrate a genuine compliance approach.

 

How to build a DORA compliance roadmap

Here is a concrete roadmap for CASPs wishing to comply with DORA:

Appoint a DORA officer (CISO)

Designate an internal point of contact (for example, a cybersecurity or operational risk manager) responsible for coordinating compliance actions and ensuring the connection with the general management.

Assess your DORA maturity

Conduct an internal audit to:

  • list the cyber systems used and their vulnerabilities;
  • identify critical functions (e.g., payment processing, order management, securities custody); and
  • map dependencies on cyber service providers.

Determine the applicability of the micro-enterprise regime

If this regime applies, it precisely determines which DORA requirements are applicable to the regulated entity.

Establish a cyber risk management framework

Develop a formalized policy incorporating:

  • prevention procedures (access controls, logging, strong authentication);
  • clear governance (roles, responsibilities, change validation); and
  • a business continuity plan (BCP) and disaster recovery plan (DRP) regularly tested.

Structure cyber incident management

  • define a procedure for detection, analysis, classification, and notification of incidents;
  • establish criticality thresholds to trigger notifications to authorities; and
  • implement internal monitoring reports to be periodically submitted to management.
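As an added illustration (not code from the article or from ORWL) of this step and of the incident-KPI dashboard and 24-hour / 48-hour notification clause described earlier, the script below processes a constructed incident register: it classifies each entry against illustrative severity thresholds (assumed values, not the criteria of the DORA technical standards), computes TTD and TTR, and flags major incidents whose notification or action plan missed the contractual deadline, which it assumes runs from detection.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

MAJOR_CLIENTS_AFFECTED = 1000          # constructed threshold, not from the DORA technical standards
MAJOR_DOWNTIME = timedelta(hours=2)    # constructed threshold: unavailability of a critical function
NOTIFY_SLA = timedelta(hours=24)       # notification deadline from the essential-clauses table
ACTION_PLAN_SLA = timedelta(hours=48)  # action plan deadline from the essential-clauses table

@dataclass
class Incident:
    ref: str
    occurred: datetime                  # start of the incident
    detected: datetime                  # moment the entity became aware of it
    recovered: datetime                 # service restored
    clients_affected: int
    notified: datetime | None = None    # notification sent to the authority
    action_plan: datetime | None = None # action plan delivered to the authority

def classify(inc: Incident) -> str:
    """'major' when any constructed threshold is crossed, otherwise 'minor'."""
    downtime = inc.recovered - inc.occurred
    if inc.clients_affected >= MAJOR_CLIENTS_AFFECTED or downtime >= MAJOR_DOWNTIME:
        return "major"
    return "minor"

def sla_breaches(inc: Incident) -> list[str]:
    """Deadlines run from detection (assumption); minor incidents are not notified."""
    if classify(inc) != "major":
        return []
    breaches = []
    if inc.notified is None or inc.notified - inc.detected > NOTIFY_SLA:
        breaches.append("authority notification > 24h")
    if inc.action_plan is None or inc.action_plan - inc.detected > ACTION_PLAN_SLA:
        breaches.append("action plan > 48h")
    return breaches

def dashboard(register: list[Incident]) -> list[dict]:
    # One row per register entry: severity, TTD and TTR in hours, open SLA breaches.
    return [{"ref": i.ref, "severity": classify(i), "breaches": sla_breaches(i),
             "ttd_h": (i.detected - i.occurred).total_seconds() / 3600,
             "ttr_h": (i.recovered - i.detected).total_seconds() / 3600} for i in register]

T = datetime.fromisoformat  # constructed sample incident register follows
REGISTER = [
    Incident("INC-1", T("2025-03-01 10:00"), T("2025-03-01 10:30"), T("2025-03-01 11:00"), 50),
    Incident("INC-2", T("2025-03-02 08:00"), T("2025-03-02 09:00"), T("2025-03-02 12:00"), 200,
             notified=T("2025-03-03 08:00"), action_plan=T("2025-03-04 10:00")),
    Incident("INC-3", T("2025-03-05 00:00"), T("2025-03-05 00:10"), T("2025-03-05 00:40"), 5000),
]
```

Calling `dashboard(REGISTER)` yields the rows the ICT committee would review: INC-2 is major because of its 4-hour outage and its action plan arrived 49 hours after detection, while INC-3 is major by client impact and was never notified at all.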

Regulate contracts with cyber service providers

Review existing contracts to include:

  • data security, audit, service continuity, and reversibility clauses;
  • dispute management mechanisms and notification in case of incidents; and
  • exit strategies for critical services.

Plan digital resilience tests

  • implement an annual testing program (vulnerabilities, load tests, crisis simulations);
  • schedule a Threat-Led Penetration Test at least every three years; and
  • involve external providers in these tests, with validation of results.

Train and raise awareness among teams

Organize training sessions on cybersecurity and incident management, particularly for:

  • members of the management;
  • IT, compliance, and risk management teams; and
  • professions exposed to operational risks (back-office, customer relations, etc.).
