The EU recently welcomed two regulatory frameworks that will significantly impact the cryptocurrency and digital asset space: the Markets in Crypto-Assets Regulation (MiCA), which came into full effect on December 30, 2024, and the Digital Operational Resilience Act (DORA), which became applicable as of January 17, 2025.
MiCA introduces a new licensing regime for businesses in the EU offering crypto services that span payments, operating a crypto exchange, digital asset wealth advisory, investing or trading on behalf of others, issuing stablecoins and custodial or administration services. In the MiCA regulatory framework, entities operating within this scope are referred to as crypto-asset service providers (CASPs) or crypto-asset issuers.
DORA, on the other hand, is an EU-adopted directive that seeks to address the critical gap in the operational resilience of financial institutions in the EU, especially when it comes to information and communication technology (ICT) risks. The Act “explicitly targets ICT risks, introducing clear rules for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.”
With these two regulatory frameworks now in place, most CASPs in the EU are required to comply with both. The next section of this article provides a checklist of the most important aspects of MiCA and DORA, including some of the solutions that currently exist to help businesses keep up to date with these new regulations.
Security Compliance Requirements
CASPs in the EU looking to comply with MiCA and DORA regulations are required to place a strong emphasis on the issue of security. Both regulatory frameworks have outlined multiple provisions to ensure the security of EU consumers, some of which overlap.
But before going into the details, companies looking for MiCA and DORA security compliance solutions do not have to do the heavy lifting. There are several effective solutions that have already been rolled out to address this gap; a good example of such an innovation is Trugard, a data-driven platform designed to proactively identify smart contract risks.
Trugard’s GraphQL-powered API detection suite features several tools that can assist EU CASPs and other financial entities in seamlessly complying with MiCA and DORA. They include a source code analyzer (Xcalibur) and bytecode analysis and reverse engineering/decompilation solutions, all of which are specifically designed to detect malicious activity before funds are compromised.
That said, let’s dive into some of the major security provisions under MiCA and DORA.
Transparency and Accountability (MiCA)
Companies that are subject to the MiCA regulatory framework have an obligation to be transparent and accountable towards consumers and the respective market regulators. Some of the major provisions under this section include whitepaper disclosure requirements, clarity and accuracy in the marketing and communication of promotional materials, and regular audits for crypto custodial service providers.
Cybersecurity and Operational Resilience (DORA)
As mentioned in the introduction, DORA mainly focuses on enhancing the ICT health of EU-based financial institutions. The Act includes several obligations to achieve this goal: information and communication technology (ICT) risk management, voluntary reporting of major ICT incidents, digital operational resilience testing, measures for the sound management of ICT third-party risk, and intelligence sharing in relation to cyber threats and vulnerabilities.
Governance and Oversight (MiCA and DORA)
Both MiCA and DORA are keen on the governance and oversight of financial entities or CASPs operating in the EU. MiCA has set out key provisions, including the authorization and supervision of CASPs by the relevant National Competent Authorities (NCAs), effective organizational and governance structures and established risk management procedures to identify, assess and reduce operational-related risks.
Similarly, DORA also provides guidance on governance and oversight. This includes rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when they provide services to financial entities, rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities.
Financial Stability and Consumer Protection (MiCA)
MiCA features several provisions for CASPs to be deemed financially sound. One of the requirements is a minimum capital of between 50,000 and 150,000 euros; the amount varies depending on the type of CASP. In addition, this regulation introduces provisions on insider trading and market manipulation.
Alignment with Long-Term Goals/Innovation
Both the MiCA and DORA regulatory frameworks are designed to align with the EU’s long-term goals in the broader financial market space: fostering innovation while ensuring financial stability and consumer protection. The two regulations are expected to achieve these goals by introducing legal certainty, market integrity and harmonization across EU member states, and by supporting technological advancements.
Legal Compliance Requirements
As expected, MiCA and DORA include quite a number of legal obligations for CASPs and financial service providers in the EU. This section will highlight some of these requirements to provide a clearer perspective for affected entities.
Obtain Necessary Licenses and Authorizations (MiCA)
MiCA stipulates licensing requirements for CASPs operating in the EU: they are required to obtain the necessary authorization from the relevant National Competent Authorities (NCAs), depending on the member state where they are registered. For instance, entities based in Germany will be required to seek authorization from BaFin, while those in France will be regulated under the country’s financial markets regulator, the Autorité des Marchés Financiers (AMF).
Submit Required Documentation (MiCA and DORA)
Once CASPs have identified the right NCAs to seek authorization from, the next step is to submit the required documentation. For MiCA, this documentation covers company identification and legal structure, the business plan, internal governance and risk management, operational systems and IT infrastructure, capital requirements and consumer protection.
Meanwhile, DORA’s documentation requirements focus on the ICT risk management framework, incident reporting and recovery plans, outsourcing and third-party risk, cybersecurity and data protection, testing and auditing of systems, and operational resilience reporting.
Whitepaper Publication (MiCA)
MiCA is particularly keen on the publication of a whitepaper, especially for issuers of e-money tokens and asset-referenced tokens. It should provide critical information such as details about the offeror or the person seeking admission to trading, as well as information about the issuer if they differ from the offeror or trading applicant.
The whitepapers should also provide other important information about the project, rights and obligations attached to the asset, underlying technology and potential risks.
“Offerors, persons seeking admission to trading, or operators of trading platforms for crypto-assets other than asset-referenced tokens or e-money tokens shall notify their crypto-asset white paper to the competent authority of their home Member State,” reads part of Article 8 of the MiCA regulation.
Compliance with Operational and Security Requirements
It goes without saying that the legal requirements of both MiCA and DORA encompass operational and security requirements. Entities seeking to obtain licenses from the respective NCAs have to demonstrate that they already comply with the operational and security requirements described in the previous section.
Data Protection and Privacy Compliance
The third and final compliance checklist focuses on data protection. Notably, DORA’s provisions in this area are more comprehensive, given that it focuses on ICT risks, whereas MiCA’s goals lean towards establishing a comprehensive licensing regime for the digital asset industry in the EU.
That said, let’s highlight two of the important obligations for entities when it comes to data protection and privacy compliance.
Personal Data Handling and GDPR Compliance (MiCA)
MiCA requires CASPs to comply with the General Data Protection Regulation (GDPR); this means that they need to obtain explicit consent from users for processing their data, ensure data minimization and guarantee transparency in how personal data is used.
ICT Risk Management and Data Protection (DORA)
As mentioned earlier, DORA mandates that financial entities in the EU must have a robust ICT risk management framework in place. This framework’s scope also covers requirements on data integrity and confidentiality. For example, risk assessments must include the identification of risks related to personal data processing and its protection across all ICT systems, services and third-party providers.
Conclusion
The MiCA and DORA frameworks will play a major role in shaping the regulatory landscape for digital assets in the EU. More importantly, these two regulations will likely set a precedent for the adoption of crypto regulatory frameworks across the world.
The U.S. is already following suit: President Trump recently signed an executive order which is expected to be the first step towards establishing a federal regulatory framework. Section 4 of this order provides for the establishment of the President’s Working Group on Digital Asset Markets, which will be responsible for proposing the framework as well as assessing the feasibility of a national digital asset stockpile.
With the advancements in the EU and U.S., it is only a matter of time before regulators globally implement comprehensive crypto frameworks to support innovation and protect consumers looking to venture into the digital asset industry.
