Finding DORA: What it Means For “Critical” Tech Businesses Supporting EU Crypto Exchanges
This week we explore the EU Digital Operational Resilience Act’s (DORA) significant implications for unregulated tech service providers offering 'critical' services to EU crypto exchanges (CASPs).
Key Highlights:
DORA’s Scope: Focuses on the cybersecurity resilience of all EU regulated financial entities, including CASPs.
Tech Providers' Role: DORA extends to important and “critical” third-party ICT providers (CTPPs) serving CASPs.
Potentially In-Scope Services: Likely to encompass wallet infrastructures, blockchain analytics, staking-as-a-service, Travel Rule providers, peer-to-peer trading software, cloud, and KYC services in the crypto context.
CASPs’ Role in Assessing Criticality: DORA mandates CASPs to manage ICT-related risks and categorize their third-party tech providers as important or critical, ensuring alternative solutions are available.
Criteria for Criticality: Still being refined by EU regulators, but generally, the fewer alternatives and the higher the cost and complexity of migrating to other solutions, the more likely a service will be deemed critical.
Implications for Critical Tech Services: CTPPs must adhere to DORA by establishing internal governance and control frameworks, fulfilling reporting requirements, and undergoing oversight by the EBA or ESMA, including mandatory contractual provisions with CASP clients (e.g., access rights, exit strategies).
Non-Compliance Penalties: CTPPs risk fines up to EUR 5 million for non-compliance.
Final Thoughts:
Many crypto tech providers are still unaware of or unprepared for DORA, which becomes applicable from Jan 2025. With significant challenges and compliance costs to face throughout 2024, proactive steps are crucial now to grasp the new requirements. However, CTPPs that adeptly navigate this process could secure a competitive edge in the rapidly evolving EU crypto market!