DORA for crypto firms (CASPs): the practical guide
If you're a crypto-asset service provider authorised under MiCA, you're a financial entity under DORA — and DORA has applied in full since 17 January 2025. This is the practical version: who's in scope, the five things you actually have to do, the one deliverable supervisors ask for first, and how DORA sits alongside MiCA. Written for small CASPs, not 200-page law firm memos.
In one line: DORA makes you prove your tech won't fall over — an ICT risk framework, incident reporting, resilience testing, third-party oversight (with a register of information), and threat-sharing. The register is the first concrete thing to get right.
Does DORA apply to you?
Almost certainly, if you do any of the regulated crypto activities under MiCA. DORA treats CASPs as financial entities, so it covers:
- Exchanges and other trading platforms
- Custody and wallet providers
- Brokers and firms executing or placing orders
- Portfolio managers and advisers on crypto-assets
Size brings proportionality: a genuine microenterprise (fewer than 10 staff and annual turnover or balance-sheet total under €2m) is relieved of several of the more demanding requirements, but the core obligations, including the register of information, still apply. Being small reduces the depth expected, not the duty.
The five pillars, in plain English
1. ICT risk management
A documented framework owned by your management body: identify your critical systems and the business functions that depend on them, set controls, and keep it current. This is the backbone the other four hang off.
2. ICT incident management & reporting
Detect, classify and log ICT incidents, and report major ones to your national competent authority on DORA's clock: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within a month after the intermediate report. You need a process, not just goodwill, with clear severity thresholds and someone who knows the reporting route.
3. Digital operational resilience testing
Test your systems for weaknesses on a regular basis: vulnerability assessments and scenario-based tests, at least yearly for the systems supporting critical or important functions (microenterprises excepted), and, for the entities their supervisor designates, threat-led penetration testing at least every three years. Most small CASPs sit at the proportionate end of this.
4. ICT third-party risk management
Know and govern every ICT provider you rely on — cloud, custody tech, data feeds, KYC vendors. This is where the register of information lives: a structured inventory of every ICT contractual arrangement, with criticality, sub-outsourcing and exit terms.
5. Information sharing
You may share cyber-threat intelligence with other financial entities. Voluntary, but encouraged — and a sign of a mature programme.
The register of information — start here
Of everything in DORA, the register of information is the most concrete and the one supervisors collect first. It's a structured record of all your contractual arrangements with ICT third-party providers — over 60 mandatory fields across interlinked tables covering provider identity, contract terms, the functions supported, criticality, data locations and sub-outsourcing chains. It is not a one-off: it has to stay current as providers, contracts and criticality change.
Done in a raw spreadsheet, it's error-prone — national authorities validate submissions against a long list of rules, and small inconsistencies bounce. A guided builder that enforces the structure and the relationships between tables saves the rework.
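A simplified version of the structure and the cross-table checks described above, as an added example that is not code from the original page or from any register builder: three interlinked tables (providers, contracts, functions) joined by internal keys, plus the consistency rules a validator would run before submission. The table and field names, the rule codes and the sample providers, functions and contracts are this example's own assumptions, not the official ITS templates or field codes; the LEI check is the ISO 17442 check-digit rule (ISO 7064 MOD 97-10).

```python
"""Consistency checks for a simplified DORA register of information (illustrative model:
three interlinked tables joined by internal keys; table/field names, rule codes and
sample data are this example's assumptions, not the official ITS templates)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

LEI_SHAPE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")

def _mod97(s: str) -> int:
    # ISO 7064 MOD 97-10: letters A-Z read as 10-35, whole string taken as one integer
    return int("".join(str(int(c, 36)) for c in s)) % 97

def lei_check_digits(prefix18: str) -> str:
    """Check digits that make prefix18 a valid ISO 17442 LEI."""
    return f"{98 - _mod97(prefix18 + '00'):02d}"

def lei_is_valid(lei: str) -> bool:
    """Shape check plus MOD 97-10 remainder 1, the test LEI registries apply."""
    return bool(LEI_SHAPE.match(lei)) and _mod97(lei) == 1

@dataclass
class Provider:
    provider_id: str
    lei: str

@dataclass
class Function:
    function_id: str
    critical: bool  # critical or important function in DORA's sense

@dataclass
class Contract:
    ref: str                 # contractual arrangement reference
    provider_id: str
    function_ids: list[str]  # functions this arrangement supports
    data_locations: list[str] = field(default_factory=list)  # where data is processed/stored
    has_exit_plan: bool = False
    parent_ref: str | None = None  # set when this is a subcontract under another arrangement

def validate(providers, functions, contracts) -> list[tuple[str, str]]:
    """Return (rule, detail) findings; an empty list means the tables are consistent."""
    findings: list[tuple[str, str]] = []
    prov = {p.provider_id: p for p in providers}
    func = {f.function_id: f for f in functions}
    refs = {c.ref: c for c in contracts}
    for p in providers:
        if not lei_is_valid(p.lei):
            findings.append(("BAD_LEI", f"{p.provider_id}: {p.lei}"))
    supported: set[str] = set()
    for c in contracts:
        if c.provider_id not in prov:
            findings.append(("UNKNOWN_PROVIDER", f"{c.ref} -> {c.provider_id}"))
        for fid in c.function_ids:
            if fid in func:
                supported.add(fid)
            else:
                findings.append(("UNKNOWN_FUNCTION", f"{c.ref} -> {fid}"))
        # arrangements supporting a critical function need exit terms and known data locations
        critical = any(func[f].critical for f in c.function_ids if f in func)
        if critical and not c.has_exit_plan:
            findings.append(("NO_EXIT_PLAN", c.ref))
        if critical and not c.data_locations:
            findings.append(("NO_DATA_LOCATION", c.ref))
        # sub-outsourcing chain: every parent must exist and the chain must not loop
        seen, cur = {c.ref}, c
        while cur.parent_ref is not None:
            if cur.parent_ref not in refs:
                findings.append(("UNKNOWN_PARENT", f"{c.ref} -> {cur.parent_ref}"))
                break
            if cur.parent_ref in seen:
                findings.append(("CYCLIC_CHAIN", c.ref))
                break
            seen.add(cur.parent_ref)
            cur = refs[cur.parent_ref]
    for f in functions:
        if f.critical and f.function_id not in supported:
            findings.append(("CRITICAL_UNSUPPORTED", f.function_id))
    return findings

# Constructed sample data (fictitious firms); the LEI prefix is arbitrary.
GOOD_LEI = "5493001KJTIIGC8Y1R" + lei_check_digits("5493001KJTIIGC8Y1R")
BAD_LEI = GOOD_LEI[:-1] + str((int(GOOD_LEI[-1]) + 1) % 10)  # one check digit off by one
PROVIDERS = [Provider("P-CLOUD", GOOD_LEI), Provider("P-KYC", BAD_LEI)]
FUNCTIONS = [Function("F-TRADING", critical=True), Function("F-CUSTODY", critical=True),
             Function("F-SETTLE", critical=True), Function("F-HR", critical=False)]
CONTRACTS = [
    Contract("C-001", "P-CLOUD", ["F-TRADING"], ["DE", "IE"], has_exit_plan=True),
    Contract("C-002", "P-KYC", ["F-ONBOARD"], ["NL"]),           # F-ONBOARD was never declared
    Contract("C-003", "P-CLOUD", ["F-CUSTODY"], ["IE"]),         # critical, but no exit plan
    Contract("C-004", "P-CLOUD", ["F-HR"], parent_ref="C-001"),  # subcontract chained under C-001
]

if __name__ == "__main__":
    for rule, detail in validate(PROVIDERS, FUNCTIONS, CONTRACTS):
        print(f"{rule:22} {detail}")
```

Run against the sample tables it reports four findings: a provider with a bad LEI check digit, a contract pointing at a function that was never declared, a critical-function contract with no exit terms, and a critical function no contract supports. These are exactly the kinds of cross-table inconsistencies that a spreadsheet hides and a submission validator rejects, so running checks like these before filing is the cheap part of staying current.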
DORA and MiCA: two obligations, not one
This trips up a lot of crypto firms. DORA and MiCA are separate and you need both:
| | DORA | MiCA |
|---|---|---|
| Governs | Your operational & ICT resilience | The crypto market & your conduct in it |
| Headline duty | ICT risk framework + register | Market-abuse surveillance (Art 92) + STORs |
| Status | Applies in full since 17 Jan 2025 | Full CASP authorisation by 1 July 2026 (end of the transitional period) |
So a trading CASP needs a working DORA programme and a market-abuse surveillance system under MiCA Article 92. We cover both — see the MiCA Article 92 surveillance guide.
What "good" looks like for a small CASP
- A short, real ICT risk framework your management body has actually signed off — not a 90-page template nobody reads.
- A complete, current register of information that passes validation.
- An incident process with severity thresholds and a known reporting route.
- Proportionate testing evidence — and a calendar so it keeps happening.
- For trading firms: a market-abuse surveillance system that demonstrably runs.
Common questions
Does DORA apply to crypto firms?
Yes. MiCA-authorised CASPs are financial entities under DORA, so its ICT-resilience rules apply: exchanges, custody, brokers, portfolio managers and advisers. DORA has applied in full since 17 January 2025.
What does DORA require of CASPs?
Five pillars: ICT risk management, incident detection and reporting, resilience testing, third-party risk management (including the register of information), and information sharing.
How does DORA relate to MiCA?
They're separate. DORA covers operational and ICT resilience; MiCA covers the crypto market, including Article 92 market-abuse surveillance. A CASP must satisfy both.
General information, not legal advice. Confirm the current requirement against DORA (Regulation (EU) 2022/2554), its technical standards, MiCA (Regulation (EU) 2023/1114) and your national competent authority before you rely on it.