DORA – What is in store for the crypto industry?

Specialist lawyer Lutz Auffenberg and his law firm Fin Law have specialized in the field of fintech and innovative technologies. In particular, blockchain technology and its regulation are at the center of his work. In his guest article he addresses the question of what the crypto industry will face with the Digital Operational Resilience Act (DORA).

This article first appeared on the Fin Law Blog.

A key component of the European Union’s cybersecurity strategy is the passing of the Digital Operational Resilience Act (DORA). DORA aims to improve IT security in companies within the Union. The EU Commission presented a draft for the regulatory project as early as September 2020, which has meanwhile also been adopted by the Council of the EU. In the coming months, the Council and the European Parliament will therefore negotiate the final version of the draft DORA regulation with the EU Commission in trilogue negotiations. As an EU regulation, DORA will be directly and immediately applicable to the affected market participants. These are primarily financial firms such as banks and insurance companies, investment firms, and payment institutions. According to the current proposal, however, DORA should also apply to providers of crypto services and to issuers of crypto assets and certain other tokens. The crypto industry will therefore have to adapt to further regulation of its business models. DORA is expected to come into force in 2024.

DORA is intended to improve the resilience of financial companies against external attacks on their IT and against other IT risks. The steadily increasing digitization of services in the financial sector and the absolute need for constantly functioning IT in financial companies justify the introduction of uniform minimum standards in IT security for the entire European Union. In future, DORA will require affected companies to regularly participate in IT stress tests, and it will define specific minimum requirements for dealing with IT risks and IT incidents as well as uniform rules for the design of the company’s internal risk management. Financial companies often outsource IT systems and thus also IT security management to third-party providers. These, too, should therefore have to implement DORA’s specifications in the future.

IT security aspects are essential in the field of crypto services. The loss or accidental disclosure of, for example, private keys to customers' crypto values usually means the maximum business risk for companies in the crypto industry. For this reason, crypto service providers and token issuers should also be included in the scope of DORA. Which specific companies will be included will emerge from the Markets in Crypto Assets Regulation (MiCAR) of the European Union, which is also only a draft so far. There, crypto service providers are to be defined as providers of custody services in relation to crypto values for third parties, crypto trading platforms, other crypto exchange services, and advisory or brokerage services in relation to crypto values. The issuers of crypto tokens should also have to adhere to the requirements of DORA, provided that their tokens are in any way linked to financial rights for token holders. As a result, the vast majority of the crypto industry will have to deal with the new requirements. The industry is burdened with further administrative obligations. However, DORA will certainly contribute to a further and welcome professionalization of European crypto companies.

