This January, the EU’s Digital Operational Resilience Act (DORA) will come into force, along with a number of other EU crypto regulations, and it is poised to usher in a new era for technology providers – in both the traditional and digital asset markets.
Fireblocks is ready for this transition, and we’ve been helping our clients prepare for the new digital asset regulations in recent months as the deadlines approach. But what will the rules mean for the industry, and what are the key requirements that regulators in the EU want to see?
What is DORA and why is it happening?
DORA is a new set of EU regulations that officially come into force on January 17th 2025. DORA looks to introduce significantly higher standards for managing information and communication technology (ICT) as regulators aim to strengthen operational resilience at companies that are part of the global financial market infrastructure.
DORA has significant implications for firms operating throughout the digital asset ecosystem, whether they are licensed crypto-asset service providers (like custodians) or traditional regulated financial institutions. Digital operational resilience and protection against cyberattacks, along with the attendant reputational risks, have always been important for these companies. DORA now provides a more expansive set of regulations aimed at ensuring enhanced protections for the European financial system, harmonized across the twenty-seven member states. As firms are heavily reliant on communications technology, including technology supplied by third-party partners, DORA aims to ensure that companies are prepared for outages and cyberattacks that result from the vulnerabilities in these systems. Regulators are right to be raising the bar.
What will DORA require?
DORA will require companies to consider their internal digital security and resilience preparedness, as well as that of their third-party service providers¹. The rules aim to strengthen the operational resilience of EU financial institutions by achieving two core objectives:
- making sure that firms are equipped to handle outages and disruptions affecting their ICT infrastructure, and
- minimizing the risk that third-party supplier glitches or cyberattacks impact the European financial system.
Preparations for DORA have been moving full steam ahead in the traditional financial services sector, where market participants are already expecting compliance with the new rules. Fireblocks has helped both digital and traditional institutions efficiently prepare for DORA by having our own systems and registrations approved early, allowing clients to be secure in the knowledge that they are working with a DORA-compliant infrastructure.
Who will be impacted by DORA?
Regulated financial institutions, including crypto-asset service providers (CASPs) licensed under the Markets in Crypto-Assets Regulations (MiCA), will be heavily impacted by the new rules. They will have to make sure that they have detailed response plans for incidents such as cyberattacks and hacks, and they will have to conduct regular stress testing exercises and install monitoring systems to prove they can withstand and recover from such events. By focusing on third-party relationships, regulators are also making sure to minimize negative ripple effects from a single service provider to the overall industry and the systemically important players within it.
How will DORA affect the digital asset industry?
Before 2024, many EU companies in the digital asset space operated without licenses, facing minimal regulatory and compliance challenges. In July 2024, MiCA came into force and the EU digital asset markets entered a new era. With DORA following a few short months later in January 2025, this new regulatory environment could prove challenging for smaller players in the space. It is possible, even likely, that there will be a wave of consolidation in the European market as regulatory burdens increase.
Regardless, clear rules are certainly a benefit for the industry on the whole. The EU’s approach of establishing boundaries, high standards, and a well-defined regulatory framework is a sign of the industry’s maturation. Even if more regulation translates into higher costs overall, better investor protection and the weeding out of sub-standard providers are worthy objectives for the digital asset industry.
In the short term, DORA may present a hurdle that some firms will struggle to overcome. In the long run, the rules will be a boon for the digital asset industry. DORA lays the foundation of higher standards and stronger operational resilience – which will help to fuel the growth of the entire ecosystem.
¹Indeed, some infrastructure and technology companies will be labeled as critical third-party providers (CTPP) if their size and scope are such that they play a key role in maintaining the health of the ecosystem. This criticality classification will likely happen sometime in late 2026.