DORA for Crypto-Asset Service Providers (CASPs)
Crypto-asset service providers (CASPs)authorised under MiCA, and issuers of asset-referenced tokens, are within DORA's scope under Article 2. As newly regulated entities they must build DORA compliance alongside MiCA authorisation, covering all five pillars. DORA has applied since 17 January 2025.
MiCA and DORA together
MiCA governs authorisation and conduct for crypto-asset services; DORA governs their digital operational resilience. CASPs typically face both at once, often from a lower compliance baseline than incumbent financial entities. See our DORA vs MiCA overlap.
Where CASPs are exposed
- Custody and key-management systems as critical, high-integrity ICT assets.
- Heavy reliance on ICT third parties (cloud, node infrastructure, custody tech).
- Security and resilience testing of production systems.
Getting started
Stand up the ICT risk-management framework, inventory third parties into the register of information, and benchmark with the best DORA auditors for crypto.
Frequently asked questions
Are CASPs really covered by DORA?
Yes. Crypto-asset service providers and asset-referenced-token issuers authorised under MiCA are listed financial entities under DORA Article 2.
Do CASPs have to comply with both MiCA and DORA?
Yes. MiCA covers authorisation and conduct; DORA covers ICT operational resilience. The obligations are complementary.
What is the hardest part of DORA for crypto firms?
Often the third-party register and formalised governance, since many crypto firms rely on numerous ICT providers and start from a lighter compliance base.