One essential component of the cybersecurity strategy of the European Union is the adoption of the Digital Operational Resilience Act (DORA). DORA is intended to improve the IT security of businesses in the European Union. The EU Commission submitted a draft proposal for the regulation back in September 2020, which has since been accepted by the EU Council. The EU Commission, the Council and the European Parliament will therefore negotiate the final form of the DORA regulation in their trilogue negotiations over the next couple of months. As an EU regulation, DORA will be directly applicable to all affected market participants. Those are primarily financial companies such as banks and insurance companies, investment firms and payment institutions. According to the current draft proposal, however, DORA will also be applicable to providers of crypto services and to issuers of crypto assets and specific other tokens with asset-like properties. The crypto industry will have to adapt its business models to the new regulation. DORA is expected to go into effect in 2024.

Which Obligations Will DORA Impose on Businesses?

DORA is intended to improve the resilience of financial businesses against external attacks on their IT and against other IT-related risks. The ever-increasing digitalization within the financial industry and the resulting need for continuously functioning IT at financial businesses justify the implementation of uniform minimum standards for the IT security of financial businesses across the entire European Union. DORA intends to obligate affected businesses to regularly participate in IT stress tests, and it will stipulate specific minimum requirements for the handling of IT-related risks and IT incidents as well as uniform rules for the design of the internal risk management of the affected businesses. Financial businesses often outsource their IT systems, and therefore also their IT security management, to third-party service providers. These service providers will also have to implement the requirements stipulated by DORA.

How Will DORA Affect Crypto Businesses?

IT security aspects are essential to the crypto service industry. For businesses from the crypto industry, the loss or accidental disclosure of the private keys to clients' crypto assets regularly means that the maximal business-related risk has materialized. Therefore, DORA is intended to be applicable to crypto service providers and token issuers alike. Which businesses and issuers will actually fall under the scope of DORA will be determined by the Markets in Crypto Assets Regulation (MiCAR) of the European Union, which is currently also in its draft state. This regulation will define crypto service providers as, e.g., providers of custody services for third parties regarding crypto assets, operators of crypto exchanges, operators of other crypto exchange services and providers of advisory or brokerage services related to crypto assets. Issuers of crypto tokens are also intended to be subject to the stipulations of DORA if their tokens are in any way connected to assets or rights for the token holder. As a result, the vast majority of the crypto industry will have to adhere to the new stipulations. The industry will therefore have to comply with a lot more administrative obligations, but DORA will surely also lead to a further and welcome professionalization of European crypto businesses.

Attorney Lutz Auffenberg, LL.M. (London)