
Why the EU’s Digital Asset Regime is About Resilience


In the current geopolitical and cyber-risk environment, digital operational resilience has become a priority across financial services. Digital assets in Europe are now being brought firmly into that perimeter. The EU regulatory framework increasingly treats digital assets as part of the core financial system, with regulation focused not only on market activity but also on the infrastructure that supports it. The two key pillars, the Digital Operational Resilience Act (DORA) and the Markets in Crypto-Assets Regulation (MiCAR), are complementary regulations that work together, aiming to create a secure, harmonised and resilient financial ecosystem.

MiCAR provides the regulatory framework, licensing and operational rules for crypto-asset service providers (CASPs) while DORA mandates strict, uniform cybersecurity and ICT risk management requirements for financial entities, including CASPs. In essence, this means that for a digital asset company to operate legally in the EU under MiCAR, it must also be digitally operationally resilient as defined by DORA.

How DORA and MiCAR affect each other

DORA forms an integral part of gaining a MiCAR licence. For a CASP to obtain a licence to operate in the EU (and to continue to meet regulatory requirements once licensed), it must comply with DORA’s strict standards on ICT risk management, incident reporting and testing. Compliance is not a separate, optional step but a required part of the licence application process.

  • Increased operational requirements and scrutiny: DORA imposes detailed requirements on CASPs regarding how they handle IT risks. This means that CASPs must have a fully documented and functioning ICT framework in place for their MiCAR licence to be approved.
  • Enhanced third-party risk management: DORA forces stricter oversight over outsourcing to ICT service providers, including cloud service providers, a common practice among crypto firms. Under MiCAR, CASPs are responsible for the services they offer but DORA ensures they have robust contracts and security standards when using third-party ICT service providers.
  • Harmonised incident reporting: Both regulations require reporting of incidents to authorities but DORA streamlines this process, creating a unified framework for reporting ICT-related incidents that affect a crypto service provider.
  • Board-level accountability: DORA mandates direct involvement from a firm’s management body in overseeing ICT risks. This complements MiCAR’s governance requirements, ensuring leadership takes direct responsibility for the digital safety of the crypto assets they manage.
  • Proportionality for smaller firms: Recognising that not all crypto entities are the same size, DORA allows for a proportional application of rules, which means smaller, less complex firms might not face the same heavy requirements as large, systemic entities, while still needing to comply with the regulations.

In summary, MiCAR tells digital asset firms how to provide crypto-asset services, while DORA tells them how to keep their critical or important functions and the ICT systems supporting them safe while doing so.

Creating the trust substrate upon which innovation can scale

The biggest barrier to digital asset adoption is trust, not technological capability. Fortunately, distributed ledger technology has transparency, traceability, and immutability built into it; operational failures historically occur when private keys to access assets are lost through human error or the actions of malicious actors (hacks, fraud).

For financial services firms, institutional-grade custody incorporating bank-grade or military-grade controls becomes the mechanism through which trust is enshrined. Stronger custody standards therefore benefit the entire digital asset ecosystem, because systemic confidence increases market participation.

Custody is also increasingly the foundation layer for higher-value services such as staking, lending, and the tokenisation of real-world assets, securities or financial instruments. If custody resilience is weak, the entire stack is fragile. That is all the more reason to enshrine digital operational resilience for digital asset custodians and their partners alike.

DORA as a trust multiplier across the supply chain

Digital asset custodians rely heavily on ICT providers since no firm is fully vertically integrated. By introducing standardised contractual clauses, performance monitoring requirements, incident reporting frameworks and testing obligations, DORA levels the playing field, effectively raising the resilience maturity of vendors, not just regulated firms.

From a client perspective, whether the failures are caused by third parties or by the custodians themselves is irrelevant. While custodians can outsource activity, they cannot outsource responsibility. In this environment, clear ownership and accountability are critical to maintaining trust. DORA’s third-party risk management pillar provides a methodology and governance structure for managing complex multi-vendor environments, including intra-group outsourcing and shared service centres. Cross-border digital asset business models make this particularly important. DORA reinforces accountability to clients regardless of vendor involvement. EU regulation is thus exporting resilience standards into the private technology supply chain.

MiCAR also sets clear rules, in Article 75(8), on the liability of CASPs that offer custody and administration services for the loss of any crypto-assets or of the means of access to the crypto-assets. This applies where the loss results from an incident that is attributable to them.

DORA – the exporter?

Ultimately, the EU’s digital asset regime is not about legitimising crypto hype. Instead, it is about embedding the same resilience expectations that underpin traditional finance into the digital asset world.

By hard-wiring trust into digital asset custody and imposing accountability across outsourcing chains, MiCAR and DORA are helping to elevate digital assets into institutional-grade financial infrastructure. A harmonised EU framework provides predictability, enforceability, and cross-border consistency, all of which are prerequisites for institutional adoption. Other jurisdictions, such as the UK, are now looking at this framework to see which elements they wish to emulate as they finalise their crypto regulatory regimes. DORA’s principles may yet travel outside the EU’s borders.
