Blog

The German government has broken up. But what does this mean for the long-delayed adoption of the accompanying legislation for the MiCAR transition and which legal framework will the German crypto industry operate within as of 30 December 2024?

DORA places new demands on the digital resilience of financial companies, while the distinction between financial and ICT services raises questions in detail. Clear principles for interpreting the regulations are urgently needed to create legal certainty for the industry.

Crypto service providers from non-European countries such as the USA, Switzerland and the UK are also interested in doing business on the old continent under MiCAR. However, ESMA is making it more difficult for such companies to enter the market with its recommendations to the relevant national supervisory authorities.

With the Cyber Resilience Act (CRA), the EU has created a framework for cyber security in digital products that will apply from 2027. Software, smartphones and household appliances are all affected. Manufacturers, importers and retailers must take extensive measures to ensure compliance with the requirements and avoid sanctions.

The DORA significantly restricts the contractual freedom of financial companies and ICT third-party service providers by imposing a number of mandatory requirements on the drafting of contracts. This could put medium-sized financial companies in particular in a stronger negotiating position, while even large ICT providers will be obliged to implement the new requirements.

DORA obliges financial institutions to manage the ICT third-party risk through appropriate contract design. To this end, DORA specifies minimum content that is intended to strengthen the position of the financial institution and increase security. But what consequences does this have for future and existing contracts?

In a few months, all MiCAR provisions will be legally effective. This also includes the new rules on the prevention and prohibition of market abuse and insider trading. But which market participants must comply with the new strict obligations?

The drafting of contracts for software products in accordance with German law is often complex, which leads many providers to use sample contracts from the Internet or translated contracts from other jurisdictions. However, this approach harbors risks, as such contracts are often largely ineffective under German law or contain provisions that can lead to undesirable results in the event of a dispute.

DORA requires the financial companies affected to carry out regular tests of their digital operational resilience. But what do these tests actually involve and do all financial firms have to carry out the same tests?

BaFin already supervises a large number of financial companies and imposes a number of requirements on the IT used. DORA is now about to come into force. In future, the use of information and communication technology (ICT) will be governed by the requirements of DORA. But to what extent does DORA differ in its requirements from those already demanded by BaFin?

Asset investments under the German Asset Investment Act are not considered financial instruments under MiFID2 because they are based on national regulation. Can they therefore be subject to both German regulation as an asset investment and MiCAR regulation and what are the implications of this?

DORA imposes a number of new obligations on financial companies. This can be particularly burdensome for small companies. But who actually falls within the scope of the regulation and are the rules the same for everyone affected?