DORA vs MiCA: How the Two Overlap for Crypto Firms
MiCA (Regulation (EU) 2023/1114) governs the authorisation and conduct of crypto-asset markets; DORA governs the digital operational resilience of the ICT systems those same firms rely on. A MiCA-authorised crypto-asset service provider is a financial entity under DORA, so the two apply together, they address different risks, not competing ones.
Two regulations, one firm
MiCA and DORA are both part of the EU's digital-finance package. MiCA decides whether and howa firm may offer crypto-asset services; DORA decides how resilient that firm's technology must be. For a crypto-asset service provider, both bite at once.
Side-by-side
| Aspect | MiCA | DORA |
|---|---|---|
| Primary focus | Crypto-asset market authorisation & conduct | ICT operational resilience |
| Applies to | CASPs, token issuers | CASPs plus ~20 other financial-entity types |
| Core obligations | Authorisation, disclosures, market-abuse rules, safeguarding | ICT risk framework, incident reporting, testing, third-party risk |
| Applies since | 30 December 2024 (CASP provisions) | 17 January 2025 |
Where they overlap in practice
Both regimes care about safeguarding client assets, business continuity, and outsourcing. A CASP can reuse much of its MiCA governance and risk-management work when building its DORA ICT risk-management framework and third-party register, but DORA adds specific ICT testing, incident-classification, and contractual requirements that MiCA does not cover.
Frequently asked questions
Do crypto firms have to comply with both MiCA and DORA?
Yes. A MiCA-authorised crypto-asset service provider is a financial entity under DORA Article 2, so it must meet DORA's ICT resilience rules in addition to MiCA's authorisation and conduct requirements.
What is the difference between MiCA and DORA?
MiCA regulates the crypto-asset market itself, authorisation, disclosures, market abuse, and conduct. DORA regulates the digital operational resilience of the ICT systems those firms run. They address different risks for the same entities.
Which applied first, MiCA or DORA?
Both are part of the EU digital-finance package. MiCA's provisions for CASPs applied from 30 December 2024, and DORA applied from 17 January 2025, so most CASPs face both within weeks of each other.