DORA: Make It or Break It

Christopher Grilhaut des Fontaines
September 10, 2024
Why the Digital Operational Resilience Act (DORA) is important for custodians and regulated financial institutions in the EU, how to prepare for it, and what areas still need further clarification.

The Digital Operational Resilience Act (DORA) is on the horizon, with its full implementation set for January 17, 2025. This regulation, alongside the Markets in Crypto-Assets (MiCA) Regulation, is poised to reshape how custodians, regulated financial institutions, and crypto service providers (CASPs) in Europe approach operational resilience, particularly concerning their digital infrastructure. For institutions involved in crypto custody or services, understanding and preparing for DORA is critical—not only to ensure compliance but also to protect their operations from increasing cybersecurity risks and regulatory scrutiny.

DORA primarily targets the “cybersecurity resilience” of financial institutions, but the ripple effects extend far beyond internal systems. As noted in a criticality assessment that Dfns commissioned from Avroy Tech, third-party providers, especially those in crypto infrastructure like Dfns, may be classified as “Critical Third-Party Providers (CTPPs)” if they play a significant role in supporting essential business functions. This means companies like Dfns, which offer crypto wallet infrastructure to regulated entities such as banks and CASPs, could be subject to additional oversight, depending on their market share, the degree to which clients rely on them, and the substitutability of their services. In this post, we’ll discuss why DORA is important for custodians and regulated financial institutions, how to prepare for it, and what areas still need further clarification.

We want to give a special thanks to Florian Ernotte, Mathieu Hardy, and Jerome Dickinson from Avroy Tech, a tech legal and regulatory consultancy, for their invaluable help with the criticality assessment based on MiCA and DORA Level 2 requirements. Their expertise was key in guiding us through these complex regulations.

What DORA is and why it matters

Custodians and other financial institutions are no strangers to regulation, but DORA introduces a new dimension: *digital resilience*. Unlike GDPR or PSD2, which focus primarily on privacy or payments, DORA mandates that financial institutions ensure the operational resilience of their ICT (Information and Communication Technology) infrastructure. This includes everything from securing internal systems to managing external ICT service providers.

In short, DORA aims to improve the digital operational resilience of financial institutions in the EU by:

  1. Ensuring institutions can handle disruptions in their ICT systems.
  2. Managing risks from third-party ICT providers, especially critical ones.

For custodians, who often rely on external technology providers for digital asset wallet infrastructure, DORA’s emphasis on third-party risk management is particularly important. The criticality assessment of Dfns highlights that companies providing such services may soon fall under strict regulatory oversight. For example, as a wallet service, Dfns serves large systemic banks and payment service providers that are heavily regulated and critical to the global financial system. If Dfns, or any similar provider, fails to meet DORA's resilience standards, it could trigger significant disruptions across the financial ecosystem, impacting millions of transactions, funds and clients. The same could be said for RPC node providers (e.g. Quicknode, Chainstack), data providers (e.g. Kaiko, Chainlink) and other infrastructure components.

One of the key thresholds for a provider to be designated as a CTPP under DORA is a 10% market share, measured against either the total EU CASP market or the total value of assets handled by the provider. Crossing this threshold subjects providers to more rigorous oversight, including annual audits, governance assessments, and potentially hefty penalties for non-compliance, which could reach “1% of daily worldwide turnover”.

Key terms and concepts to know

Before diving into practical steps, here are some key terms related to DORA and MiCA:

  • ICT Risk: Any risk related to using information and communication technologies, including cybersecurity threats.
  • Critical Third-Party Provider (CTPP): A third-party provider deemed critical to the functioning of financial institutions and subject to regulatory oversight.
  • CASPs: Crypto-Asset Service Providers, as defined by MiCA, which must comply with both MiCA and DORA.
  • Systemic Institutions: Financial institutions identified as critical to the global or local financial system.
  • Substitutability: How easily a service or provider can be replaced without causing significant disruption.

What you should expect from DORA

As finance becomes increasingly digital, operational resilience and cybersecurity are now critical concerns for institutions interacting with the broader financial ecosystem. DORA introduces a comprehensive framework that not only governs how institutions protect their own systems but also how they manage and monitor third-party service providers. This is particularly important as modern financial operations become more complex and vulnerable, with constant threats from cyberattacks and system disruptions. By focusing on ICT risk management, third-party dependencies, and systemic importance, DORA places new responsibilities on custodians to ensure their operations, and those of their service providers, are resilient and compliant. By preparing early, custodians can strengthen their operations, avoid penalties, and enhance their ability to navigate the growing risks of the digital financial landscape.

Addressing ubiquitous cybersecurity threats

In the digital age, cybersecurity is a top concern for custodians who are responsible for safeguarding clients' assets. A single breach or outage could have devastating effects—not only financially, but also reputationally. Custodians have historically managed risks related to financial assets, but now they must address the evolving threats tied to their digital infrastructure. According to DORA, all regulated financial institutions will be required to maintain robust ICT risk management frameworks that address vulnerabilities, including those related to cybersecurity incidents, human errors, or technological failures.

For custodians, this means a shift from focusing solely on protecting assets like securities or cryptocurrencies, to implementing comprehensive cyber defense mechanisms that can quickly detect, mitigate, and recover from potential disruptions. DORA’s requirements for incident response plans (IRP), regular stress testing, and continuous monitoring are designed to ensure that institutions can withstand and rapidly recover from attacks or disruptions.

For example, custodians dealing with crypto assets are particularly vulnerable to phishing attacks, wallet breaches, and other forms of cybercrime, given the anonymity and irreversibility of crypto transactions. Under DORA, institutions are required to adopt preventative measures and continuously monitor for suspicious activities, enabling them to address security risks proactively rather than reactively.

The lurking danger of third-party risk

One of the most significant challenges DORA addresses is third-party risk management. Custodians and financial institutions often depend on external providers for critical ICT services—whether it’s cloud computing, payment processing, or, in the case of crypto custodians, wallet services. These dependencies create a vulnerability, as any failure or breach in the third-party service provider's system could disrupt the institution’s ability to operate securely.

DORA places the onus on financial institutions to identify, assess, and manage the risks posed by these third-party providers. This goes beyond traditional vendor management. Institutions must determine which third-party providers are "critical" and report them to regulators. This includes providers that manage critical or important business functions—functions without which the institution would not be able to fulfill its regulatory obligations or continue operations.

The criticality assessment of Dfns conducted by Avroy Tech serves as a prime example of how custodians must now evaluate the dependencies they have on external providers. As a provider of crypto wallet infrastructure to several major financial institutions, Dfns could be classified as a “Critical Third-Party Provider” under DORA. For custodians relying on such critical service providers, the failure to properly manage these relationships could lead to severe consequences. Disruptions in critical infrastructure—such as the loss of access to wallets or transaction processing services—could prevent custodians from accessing or securing client assets, leading to financial losses or breaches of regulatory obligations.

Systemic importance and market impact

Custodians often play a systemic role in the financial ecosystem, meaning that their smooth functioning is critical to the stability of broader financial markets. Custodians hold and manage the assets of institutional investors, hedge funds, and other financial entities, facilitating the flow of capital and ensuring that transactions are settled securely. For this reason, the operational failure of a custodian could have far-reaching consequences, triggering disruptions across multiple institutions and markets.

Under DORA, this systemic importance is recognized and addressed. Systemically important institutions, such as “global systemically important institutions (G-SIIs)” or “other systemically important institutions (O-SIIs)”, must take extra care to ensure the resilience of their ICT systems. The criticality assessment of Dfns highlights the reliance of major systemic banks on its services. For example, if a provider like Dfns were to face significant downtime or a cybersecurity breach, it could impact not only its direct customers but also the wider financial network that relies on these services.

One of DORA’s requirements is for custodians to ensure that they have redundancy plans in place for such critical services. This means identifying alternative service providers or ensuring that systems are designed to be resilient to disruptions. However, the reality is that for many financial institutions, especially those operating in the digital asset space, the number of truly substitutable service providers is limited. For example, there are only a handful of providers with the technical capabilities and trust required to handle highly sensitive operations like crypto custody (e.g. Dfns, Fireblocks, BitGo, Taurus).

Custodians must also navigate “substitutability risks”, as DORA requires them to assess whether their critical providers can be replaced easily. This adds complexity to the process, as simply having an alternative is not enough—the alternative must be viable and capable of providing the same level of security, scalability, and regulatory compliance.

Compliance and potential penalties

The compliance burden under DORA is not trivial. For custodians and other financial institutions, failure to comply with DORA could result in hefty penalties. DORA allows for fines of up to 1% of daily worldwide turnover for severe non-compliance. This makes the cost of not adhering to the regulation extremely high, both in terms of financial penalties and potential reputational damage.

For example, if a custodian relies on a third-party provider like Dfns, which has been designated as a CTPP, and that provider fails to comply with DORA’s resilience requirements, both the provider and the institution could face significant consequences. Custodians must ensure that their contracts with third-party providers include clauses that address regulatory compliance, audit rights, and incident reporting. This ensures that both parties are aligned in their compliance efforts and that the institution is not caught off guard by regulatory actions taken against their service provider.

Moreover, institutions are required to implement ICT risk management frameworks that not only cover their own operations but also extend to their third-party providers. This includes regular stress testing, incident response plans, and ongoing monitoring of their service providers’ resilience. The criticality assessment of Dfns emphasizes the importance of having robust contingency plans in place to deal with service interruptions or failures, which is a critical aspect of DORA compliance.

Embedding resilience into organizations

While DORA outlines clear technical and governance requirements, training and awareness are equally critical to building operational resilience. No matter how advanced an institution's technology is, its effectiveness can be severely compromised if staff are not properly trained to respond to incidents, manage risks, and adhere to regulatory protocols.

Under DORA, it is not enough for institutions to focus on their IT teams; operational resilience must be embedded across the entire organization. This requires ongoing training programs that raise awareness among all employees—from C-suite executives to frontline staff—about the importance of cybersecurity, operational risks, and incident response. For custodians, this means training not only the teams responsible for managing digital infrastructure but also those in customer-facing roles who may be the first to detect or respond to a security incident. For example, a phishing attack targeting a customer service representative could lead to compromised client assets if the representative isn’t aware of the procedures to escalate the issue and mitigate risks. Ongoing training on evolving threats, new regulatory requirements, and changes to internal systems is vital.

Additionally, conducting incident response simulations and stress tests helps ensure that staff are not only aware of risks but also know how to act when faced with a real crisis. Institutions should also encourage a culture of reporting and transparency. Under DORA, incident reporting is mandatory, and failure to report incidents in a timely and accurate manner can result in penalties. By fostering an environment where employees feel comfortable reporting suspicious activity, institutions can improve their incident detection and response times.

How to achieve DORA readiness

First and foremost, custodians should conduct a gap analysis of their current ICT infrastructure. This involves evaluating the resilience of their internal systems and the extent to which they depend on third-party providers like Dfns for critical functions. DORA mandates that all financial institutions have robust ICT risk management policies in place, covering everything from cybersecurity protocols to incident response plans.

For instance, the criticality assessment emphasizes the importance of having contingency plans for the discontinuation of services from a CTPP. What happens if a critical service provider goes down or is compromised? According to DORA, financial institutions must ensure that alternative providers are available, or at the very least, have a clear and tested disaster recovery plan. However, this raises a challenge in markets like crypto, where there are limited providers of highly specialized infrastructure, such as secure multi-party computation (MPC) wallets.

The assessment also points to the need for updating contractual agreements with third-party providers. Under DORA, contracts must include provisions for regulatory audit rights, incident reporting, and detailed service level agreements (SLAs). These contracts should be airtight, not only to meet regulatory requirements but to protect financial institutions from potential risks posed by third-party failures.

One area of ambiguity in DORA, which the criticality assessment notes, is the definition of “critical” and “important” functions. While the regulation outlines broad criteria, there is still some uncertainty around the precise thresholds that will trigger a CTPP designation. For example, while Dfns serves several large systemic institutions, it remains unclear how regulators will interpret its overall market impact in comparison to competitors. This lack of clarity underscores the importance of “proactive compliance”. Custodians cannot afford to wait for final regulatory guidelines. Instead, they should begin aligning their internal processes with DORA’s principles now, ensuring they are prepared to manage third-party risks effectively.

Unclear areas to watch out for

DORA, while comprehensive, still contains some areas that are unclear or still under development. These grey areas can pose challenges for custodians and CASPs, but they also offer opportunities to navigate the landscape smartly and avoid common pitfalls.

Unclear thresholds for CTPP designation

While DORA provides general criteria for determining whether a third-party provider is critical, some aspects are still ambiguous. For example, while the 10% market share or total value of assets thresholds seem clear on paper, the actual application of these rules can vary depending on how data is reported by financial entities to regulators. As noted in the Dfns assessment, precise market share figures are hard to gauge, and providers often rely on rough estimates. Custodians should closely monitor regulatory developments and ensure they have a thorough understanding of how these thresholds will be applied.

ℹ️ Tip: Conduct regular assessments of your third-party providers and stay in close contact with them regarding their market share and criticality. This will help you anticipate any potential designation as a CTPP and prepare for any compliance measures early on.

Navigating incident reporting requirements

DORA places heavy emphasis on incident reporting, but there is still some uncertainty around what constitutes a "major" incident and the specific timelines for reporting. While the regulation mandates timely reporting, financial institutions are left to determine the severity of incidents on a case-by-case basis.

ℹ️ Tip: Establish internal thresholds for incident severity and develop a clear process for reporting both internally and to regulators. Automating parts of this process can help reduce the burden and ensure consistent reporting.

Substitutability of critical providers

DORA requires financial institutions to assess the substitutability of their critical third-party providers. However, in sectors like crypto, the number of providers with the necessary technical expertise and infrastructure may be limited. The criticality assessment of Dfns highlights that although there are competitors, switching providers can be technically complex and costly, especially for smaller institutions.

ℹ️ Tip: Have a contingency plan that includes alternate providers where possible, but also work on improving contractual terms with your current provider to ensure data portability and exit strategies are in place. This will allow for a smoother transition in case of service disruptions.

Lack of guidance on overlapping compliance with MiCA

One of the trickiest aspects of DORA compliance is navigating its overlap with MiCA. Both regulations impose ICT risk management obligations, but the exact relationship between the two is not always clear. MiCA primarily governs the market conduct of crypto asset providers, while DORA focuses on operational resilience, leaving room for interpretation in certain areas like incident reporting and governance requirements.

ℹ️ Tip: Treat MiCA and DORA compliance as interconnected frameworks. Align your compliance efforts to meet the requirements of both, focusing on areas such as ICT risk management, incident reporting, and contractual provisions with service providers. Regular legal and compliance reviews will help you stay ahead of any conflicting or overlapping obligations.

Preparing for 2025 and beyond

As DORA’s 2025 deadline approaches, custodians and CASPs must be vigilant. While the regulation is designed to foster greater digital resilience, the burden of compliance will fall on financial institutions and their service providers. While some providers may not yet meet all the criteria to be designated as a CTPP, shifts in the market or client base could change that overnight. For custodians relying on such providers, the key to navigating this evolving regulatory landscape lies in staying informed, conducting regular risk assessments, and maintaining a flexible compliance strategy.

Furthermore, financial institutions should closely monitor DORA’s implementation progress. The criticality assessment mentions that many of DORA’s rules are still under development, and regulators may adopt stricter interpretations over time. Early compliance, therefore, is not just about avoiding penalties—it’s about ensuring that institutions can continue operating smoothly in an increasingly regulated environment.

As regulations like DORA and MiCA converge, the future of financial and crypto services will hinge on operational resilience. Custodians and financial institutions that take early action—by strengthening their internal ICT frameworks, securing robust contracts with third-party providers, and staying ahead of regulatory changes—will be best positioned to thrive in this new landscape.

In conclusion, while DORA presents significant challenges, it also offers an opportunity for custodians to bolster their digital defenses and emerge as leaders in operational resilience. The financial world is increasingly digital, and those who adapt to the new rules quickly will find themselves ahead of the competition, armed with the robust infrastructure needed to withstand whatever comes next.