DORA implementation for MiCAR application

DORA adds complexity to MiCAR application

As of April 22, 2024, the licensing portal for crypto service providers (CASPS) of the Dutch Authority for the Financial Markets (AFM) is open; an important moment for both the Dutch and the European crypto-asset market. The upcoming licensing requirement does not remain without challenges for the sector. The MiCAR requirements have a significant impact on the organization of current companies, as does the nearly simultaneous entry into force of DORA (Digital Operational Resilience Act), the legislation aimed at achieving digital and operational resilience against cyber risks.

In recent months, CASPs have started preparing their applications for the MiCAR license. These preparations have revealed that the regulations, which are often referred to as 'MiFID light' due to their scope, introduce a wide range of new obligations for service providers that their organizations are not yet equipped to handle. For example, CASPs must adapt their IT infrastructure, set up compliance and risk management processes and hire staff for positions that are currently unfilled and/or non-existent. This demands substantial investments of time, resources and finances to cultivate the essential knowledge and expertise.

The simultaneous application of DORA will pose one of the major challenges for parties preparing their license applications. Specific DORA requirements are requested in the license application under the section 'ICT systems and related security arrangements’. DORA demands that these service providers meet strict standards in digital and operational resilience. This necessitates additional efforts from parties who are applying for their MiCAR license. DORA will also pose a challenge for the AFM. CASPs are the first parties to be assessed for DORA compliance as part of the licensing process. These parties will be the first to learn how high the bar is set regarding the DORA requirements imposed by the regulator. The assessment in our earlier blog post, which described the expectation of a shake-out, seems to be becoming more concrete. With MiCAR and DORA on the horizon, the timelines for license applications from CASPs are challenging due to the short transition period in the Netherlands. The new requirements for CASPs require a lot of time and resources, and an application will only be processed if it is complete. This means that policies and procedures based on both MiCAR and DORA are part of the completeness of the application. However, this challenge also presents an opportunity: the crypto market can develop itself as a mature group of service providers in the financial sector.