
DORA for Crypto Firms: ICT Risk and Incident Reporting Explained

DORA for crypto firms explained: who it applies to, the five pillars, what CASPs must build, cost and penalties, and how DORA fits alongside MiCA.


MiCA is not the only EU regulation a crypto business must meet. The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to financial entities, including crypto-asset service providers, from 17 January 2025. It governs how you manage technology risk, report incidents and oversee your ICT vendors. This article explains what DORA requires of crypto firms and what you have to build.

For the obligation checklist, see our MiCA compliance checklist; for the implementation, see our MiCA compliance software development page.

What is DORA?

DORA is the EU rulebook for digital operational resilience in financial services. Where MiCA covers conduct and authorisation, DORA covers whether your systems can withstand, respond to and recover from ICT disruptions. The two run in parallel, and a CASP must satisfy both.

Who DORA applies to

DORA applies to a broad set of financial entities, and crypto-asset service providers and issuers of asset-referenced tokens are explicitly in scope. Critical ICT third-party providers to those entities also fall under a dedicated EU oversight framework.

The five pillars of DORA

  • ICT risk management: a governance framework to identify, protect, detect, respond and recover
  • Incident management and reporting: classify ICT incidents and report major ones to the competent authority
  • Digital operational resilience testing: regular testing, with threat-led penetration testing for significant entities
  • ICT third-party risk: a register of information on ICT providers and contractual safeguards
  • Information sharing: voluntary sharing of cyber-threat intelligence

What CASPs must build

  • An ICT-risk management framework with clear ownership and policies
  • Incident classification and reporting workflows for major ICT incidents
  • A maintained register of information for every ICT third-party provider
  • Resilience testing schedules and evidence, including penetration testing
  • Business continuity and recovery plans tied to your MiCA safeguarding obligations

DORA cost and penalties

DORA is a material budget line. In a Deloitte survey, 64% of financial entities expected to spend 2 to 5 million euro on DORA readiness. Breaches carry penalties of up to 2% of annual worldwide turnover, with personal liability for senior managers in serious cases.

How DORA fits with MiCA

Treat DORA and MiCA as one programme, not two. The incident-reporting, third-party register and resilience-testing evidence DORA wants should write to the same immutable audit trail as your MiCA controls, so a regulator sees one coherent system. Build the gap assessment against MiCA, the Transfer of Funds Regulation and DORA together.
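To make the "one immutable audit trail" idea concrete, here is an added example (not code from Pharos Production or from the original article) of a hash-chained, append-only evidence log that the incident-reporting, third-party-register and resilience-testing workflows all write to. The record kinds, field names and sample entries are constructed assumptions; the point it demonstrates is that any edit or deletion of an earlier record breaks the chain and is detected on verification.

```python
import hashlib
import json

# Constructed example: one hash-chained, append-only evidence log shared by the
# DORA workflows. Record kinds and payload fields below are assumptions, not a
# regulatory schema.

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _entry_hash(prev_hash, seq, kind, payload):
    # Canonical JSON (sorted keys, no whitespace) so identical content always
    # produces the same digest regardless of dict ordering.
    body = json.dumps(
        {"prev": prev_hash, "seq": seq, "kind": kind, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class EvidenceLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, kind, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {
            "seq": seq, "kind": kind, "payload": payload, "prev": prev,
            "hash": _entry_hash(prev, seq, kind, payload),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            # A removed or reordered entry shows up as a sequence/prev mismatch;
            # an edited payload shows up as a hash mismatch.
            if e["seq"] != i or e["prev"] != prev:
                return i
            if _entry_hash(prev, i, e["kind"], e["payload"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def by_kind(self, kind):
        return [e for e in self.entries if e["kind"] == kind]


def record_incident(log, incident_id, major, summary):
    # Incident workflow: classification (major or not) is recorded alongside the event
    return log.append("ict_incident",
                      {"id": incident_id, "major": major, "summary": summary})


def record_provider(log, provider, service, contract_ref):
    # Third-party register workflow: one entry per ICT provider relationship
    return log.append("ict_provider",
                      {"provider": provider, "service": service, "contract": contract_ref})


def record_test(log, test_type, scope, result):
    # Resilience-testing workflow: evidence that a test was run and its outcome
    return log.append("resilience_test",
                      {"type": test_type, "scope": scope, "result": result})


def build_demo_log():
    # Constructed sample entries from all three workflows writing to one chain
    log = EvidenceLog()
    record_provider(log, "ExampleCloud", "custody key storage", "CONTRACT-PLACEHOLDER")
    record_incident(log, "INC-0001", True, "custody API unavailable for 3 hours")
    record_test(log, "penetration test", "customer-facing trading API", "passed")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("intact:", demo.verify() == -1)
    demo.entries[1]["payload"]["major"] = False  # simulate after-the-fact tampering
    print("first broken entry:", demo.verify())
```

The chain only detects tampering; it does not prevent it. In practice the latest hash is periodically anchored somewhere the application cannot rewrite (a write-once store, a signed timestamp, or a separate system of record) so that replacing the whole chain is also visible.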

Pharos Production builds MiCA compliance software with DORA ICT-risk and incident-reporting workflows where they apply. See the cost breakdown or request a gap assessment.

FAQ


  • Yes. The Digital Operational Resilience Act applies to financial entities including crypto-asset service providers and issuers of asset-referenced tokens, from 17 January 2025. Critical ICT third-party providers to those firms are also in scope.

  • DORA (Regulation (EU) 2022/2554) applies from 17 January 2025. It runs in parallel with MiCA and the crypto Travel Rule, so a CASP must meet all three.

  • The five pillars are ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing on cyber threats.

  • DORA breaches carry administrative penalties of up to 2% of annual worldwide turnover, with personal liability for senior managers in serious cases. The exact penalty is set by your national competent authority.

  • The cost varies by size. In a Deloitte survey, 64% of financial entities expected to spend 2 to 5 million euro on DORA readiness. Building DORA evidence into the same system as your MiCA controls keeps the cost down.

Dmytro Nasyrov, Founder and CTO at Pharos Production

Focus: Architecture, Web3 products, smart contract security, high-load systems

Experience: 23 years in production delivery
