DORA – New EU cybersecurity law for Crypto
Published on 31st Jan 2024
Crypto-assets are digital in their nature, but in many ways resemble traditional assets. In line with the EU's Regulation on Markets in Crypto-assets ("MiCAR"), crypto-assets are a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology (DLT).
As the economic value of crypto-assets is stored directly "on-chain", embedded within the DLT tokens, the security of the distributed ledger technology and related digital services gains critical importance. This does not go unnoticed by the regulators.
In this piece we will take a look at the newest EU regulation on cybersecurity in the financial sector – the Digital Operational Resilience Act ("DORA") – and its impact on the crypto-assets market.
Cybersecurity in crypto – key issues
Crypto-assets are often compared to cash. The value of these two asset classes is based on completely different mechanisms, that's a fact. However, when considering security, it becomes apparent that many risks are similar. In both cases money laundering and financing of terrorism are the key issues. Both cash and crypto-assets can be directly held (controlled) by the holder. It is one of their main features, but usually it is neither convenient nor safe to keep substantial amounts of those assets under self-control. If one collects lots of cash, it is easier to safe-keep and liquidate it using an intermediary, such as a bank. The same applies to crypto. A user who often transacts in crypto needs a more functional solution than a cold wallet. That's where custody services (hot wallets) come into play, and key risks along with them.
If a service provider holds someone else's assets, there is always a risk that it may lose them. The more assets are kept by the custodian, the bigger the risk for the financial sector is. Thus, custody wallets became one of the regulated crypto-asset services that can be provided only by licensed entities.
Together with risks of a financial nature, crypto-assets introduce novel challenges. As crypto-assets are data registered in a distributed ledger (e.g., a blockchain), their security depends directly on the security of the underlying DLT infrastructure. DLTs are in most cases open-source software, supported by a community of users and developers. Usually there is no entity that has any legal obligations related to the functioning of the ledger. Severe malfunctions or vulnerabilities of DLTs, if exploited, may lead to irreversible loss of funds. As opposed to the traditional financial system, it can be difficult to find someone liable for such an event. Additionally, self-control of the assets makes the user more vulnerable to phishing and to loss of funds due to the user's own negligence (e.g., deleting the private keys).
EU Regulations on crypto-assets
The aforementioned MiCAR is the fundamental regulatory framework for the crypto-market in the European Union. MiCAR lays down uniform requirements for:
- the offer to the public and admission to trading on a trading platform of:
  - asset-referenced tokens (ARTs),
  - e-money tokens (EMTs),
  - crypto-assets other than ARTs and EMTs;
- crypto-asset service providers (CASPs).
What is DORA?
In parallel to MiCAR, principles for crypto cybersecurity were introduced in the Digital Operational Resilience Act (DORA). This regulation sets out a new EU framework for managing ICT risks in the financial sector. The new rules impose a number of obligations on all financial institutions and their critical third-party ICT service providers.
DORA aims to consolidate and update ICT risk management requirements, which are currently set out separately in various legal acts. It sets up a comprehensive framework in areas such as:
- ICT risk management,
- ICT incident management,
- operational resilience testing,
- management of third-party ICT service providers.
Who is subject to DORA?
DORA introduces a number of requirements for almost all financial institutions. It applies to "traditional" financial entities such as credit institutions, payment institutions, investment firms, insurance companies, insurance intermediaries and many others.
As mentioned earlier, because of the recent regulations, the crypto-assets market is already considered a part of the financial sector. As a result, some crypto-businesses are treated like financial institutions. DORA is a good example, as it will apply to the following crypto-businesses:
- crypto-asset service providers (CASPs),
- issuers of asset-referenced tokens.
In respect of CASPs, DORA will be obligatory for, among others, the following crypto-businesses: custodial wallets, exchanges and other trading platforms, placing of crypto-assets, providing advice on crypto-assets, and crypto-asset portfolio management. In principle, activities that pose risks to someone's crypto-assets will typically fall under this category.
Issuers of asset-referenced tokens will also need to comply with DORA. An asset-referenced token is a type of crypto-asset that purports to maintain a stable value by referencing another value, a right or a combination of these, including one or more official currencies. This definition covers a wide range of stablecoins whose value refers to, e.g., gold, real estate, financial instruments or other crypto-assets. Issuer means a natural or legal person, or other undertaking, who issues crypto-assets. Issuance refers to the first sale of a crypto-asset by an issuer.
DORA will also apply to those crypto-businesses that are already part of "traditional finance", namely: credit institutions, investment firms and other financial institutions. Under MiCA that will refer especially to the issuers of e-money tokens.
Obligations under DORA
CASPs and ART issuers need to consider that DORA is a comprehensive regulation. As financial institutions, they are required to establish an ICT risk management framework. They must identify, classify, and document ICT-related business functions, as well as manage ICT incidents. They should prepare information security policies, incident detection mechanisms, ICT business continuity plans, backup strategies, and ICT incident communication plans. Additionally, these entities are required to provide mandatory cybersecurity training for their staff.
The regulation mandates regular testing of critical ICT systems and applications, covering various aspects, such as open-source analysis, network security assessments, scenario testing, and penetration testing.
DORA also requires financial institutions to manage their relations with third-party ICT service providers. It is necessary to assess the provider, develop and implement an exit strategy, and have in place a written contract that meets the regulatory requirements. "ICT services" is a broad term, which covers most of the services that relate to IT, e.g., software maintenance and cloud computing. As a result, legal requirements will apply not only to IT outsourcing contracts (as used to be the case) but also to many other ICT-related agreements.
Administrative penalties and personal liability
Based on both MiCA and DORA, supervisory authorities will have numerous supervisory and investigative powers, including, e.g., the right to require any relevant data and information, perform inspections and mandate instructions.
Establishment of proper administrative penalties and remedies has been delegated to the discretion of the EU Member States. The DORA Regulation provides only minimum requirements in this regard. The supervisory authorities will publish information on any decision imposing administrative penalties. Controversially, they will also publish information on the identity of the person responsible. Supervisory authorities will be able to refrain from publishing information on the identity only in justified situations.
How to deal with DORA?
Being ready for DORA requires serious involvement from senior management, including the appointment of a person responsible for ICT risk management. It is crucial to understand the impact of DORA on your organisation. Train your management and team. Assess how the new requirements affect your offering and business network. Be ready for questions from the supervisory authority – audit your organisation and prepare materials on your compliance with DORA. Verify and – if necessary – renegotiate your contracts with third-party ICT service providers. Set up DORA compliance processes and organisation to manage ICT risks and follow the requirements.
The timeline can be challenging, as DORA shall apply from 17 January 2025 and MiCA shall apply from 30 December 2024, with the exception of Title III (Asset-Referenced Tokens), which includes the provisions for issuers and shall apply from 30 June 2024. The time to act is now.