DORA for crypto-asset service providers.
MiCA-licensed CASPs fall under DORA's full operational resilience framework. Matproof brings the same controls that satisfy traditional financial institutions to crypto-asset businesses — with MiCA-specific extensions.
Why this matters now
MiCA took effect end of 2024 for stablecoin issuers, mid-2025 for CASPs. DORA applies in parallel from January 17, 2025. Many crypto-native businesses are meeting banking-grade operational resilience expectations for the first time.
- Crypto-native businesses often have different operational maturity than traditional finance
- Hot wallet / cold wallet security is DORA-scope
- Smart-contract risk management straddles DORA (operational) and MiCA (market integrity)
- Third-party custody, node providers, and bridges create ICT supply-chain complexity
How Matproof covers DORA for Crypto-Asset Service Providers
ICT risk framework for crypto-native stack
Extends DORA Art. 5-15 controls to cover node infrastructure, wallet management systems, smart-contract operations, and on-chain monitoring alongside traditional ICT systems.
TLPT scoping for crypto businesses
DORA Art. 26-27 TLPT requires threat-led testing. For CASPs, this includes wallet infrastructure and exchange logic, not just corporate IT.
MiCA + DORA dual mapping
MiCA operational-resilience requirements (Art. 14 for stablecoin issuers, Art. 58 for CASPs) overlap DORA. Matproof maps both — one evidence pipeline.
Incident classification for crypto
DORA's significance thresholds need crypto-specific interpretation: wallet compromise, chain reorganization impact, oracle failures, bridge hacks.
In scope
- MiCA-licensed Crypto-Asset Service Providers (CASPs)
- Stablecoin issuers (EMTs, ARTs)
- Crypto exchanges, brokers, custodians
- Portfolio managers and crypto investment advisers
- Crypto-native payment services integrating with traditional banking
Frequently asked questions
How does DORA interact with MiCA?+
MiCA is the crypto-specific market-conduct and licensing regulation. DORA is the cross-sector operational resilience regulation. Both apply to CASPs in parallel — MiCA governs product, licensing, market integrity; DORA governs ICT risk management, incident handling, third-party risk. Many operational controls satisfy both. Matproof cross-maps the control sets.
Is TLPT required for crypto businesses?+
TLPT under DORA Art. 26-27 applies to significant financial entities — defined by size, interconnectedness, and systemic importance. Most large CASPs and all authorized stablecoin issuers fall into scope. Smaller CASPs do standard penetration testing under Art. 24-25. Matproof helps determine which tier applies based on your specific profile.
How does smart-contract risk fit DORA's ICT risk framework?+
Smart contracts are ICT assets under DORA — they process information and impact financial operations. DORA Art. 9 requires robust ICT security measures; for smart contracts this means code audits, formal verification where proportionate, bug bounty programs, upgrade-path controls, and operational incident procedures. Matproof's control library includes smart-contract-specific controls mapped to DORA articles.
Ready to start with DORA?
30-minute demo tailored to Crypto-Asset Service Providers. We show you exactly how Matproof covers DORA for your sector.