Skip to main content
DORA Auditor

DORA vs MiCA: How the Two Overlap for Crypto Firms

Last updated: 3 authoritative sourcesDORA Auditor Editorial Team

MiCA (Regulation (EU) 2023/1114) governs the authorisation and conduct of crypto-asset markets; DORA governs the digital operational resilience of the ICT systems those same firms rely on. A MiCA-authorised crypto-asset service provider is a financial entity under DORA, so the two apply together, they address different risks, not competing ones.

Two regulations, one firm

MiCA and DORA are both part of the EU's digital-finance package. MiCA decides whether and howa firm may offer crypto-asset services; DORA decides how resilient that firm's technology must be. For a crypto-asset service provider, both bite at once.

Side-by-side

AspectMiCADORA
Primary focusCrypto-asset market authorisation & conductICT operational resilience
Applies toCASPs, token issuersCASPs plus ~20 other financial-entity types
Core obligationsAuthorisation, disclosures, market-abuse rules, safeguardingICT risk framework, incident reporting, testing, third-party risk
Applies since30 December 2024 (CASP provisions)17 January 2025

Where they overlap in practice

Both regimes care about safeguarding client assets, business continuity, and outsourcing. A CASP can reuse much of its MiCA governance and risk-management work when building its DORA ICT risk-management framework and third-party register, but DORA adds specific ICT testing, incident-classification, and contractual requirements that MiCA does not cover.

Frequently asked questions

Do crypto firms have to comply with both MiCA and DORA?
What is the difference between MiCA and DORA?
Which applied first, MiCA or DORA?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. Regulation (EU) 2023/1114 (MiCA), EUR-Lex
  3. ESMA, Markets in Crypto-Assets Regulation (MiCA)