DORA vs MiCA: 2026 Compliance Guide for EU Fintechs and CASPs
DORA vs MiCA explained for EU fintechs and CASPs in 2026: scope, deadlines, authorisation, ICT risk, incident reporting, TLPT, and operational resilience obligations.
Last reviewed: 27 April 2026
DORA vs MiCA: the short answer
DORA and MiCA are two distinct EU regulations that increasingly intersect for crypto-asset firms operating in the Union:
- DORA — Regulation (EU) 2022/2554 — governs digital operational resilience for financial entities. ICT risk management, incident reporting, resilience testing, and oversight of critical ICT third parties. Applied since 17 January 2025.
- MiCA — Regulation (EU) 2023/1114 — governs issuance of crypto-assets and the provision of crypto-asset services in the EU. Authorisation, conduct, market abuse, consumer protection, and prudential requirements.
For MiCA-authorised CASPs and issuers of asset-referenced tokens (ARTs), both frameworks apply: MiCA defines the licence and the conduct rules; DORA defines the operational resilience obligations on the same entity. Obligations are scaled by entity size, nature and complexity (proportionality), so what each CASP must implement varies — but the framework applies.
DORA vs MiCA at a glance
| Topic | DORA | MiCA | CASP impact |
|---|---|---|---|
| Subject matter | Digital operational resilience for financial entities | Markets in crypto-assets — issuance and services | Both regimes apply once authorised under MiCA |
| Status in April 2026 | Applies since 17 January 2025 | Main regime applies since 30 December 2024 (Titles III–IV for ARTs/EMTs since 30 June 2024) | Authorisation must be in place; transitional grandfathering ends 1 July 2026 |
| Authorisation | No DORA licence — applies to entities already in scope | Mandatory MiCA authorisation by national competent authority | Authorisation is the prerequisite for all MiCA conduct rules |
| Scope of entities | Financial entities listed in Article 2 — incl. MiCA-authorised CASPs and issuers of ARTs | CASPs, issuers of ARTs, issuers of EMTs, offerors of crypto-assets | CASPs sit in both — DORA via "financial entity" definition, MiCA via licence |
| ICT risk | Article 5–15: framework, governance, asset register, controls | Limited ICT-specific provisions — defers to DORA for resilience | Build to DORA, attest to MiCA where overlap |
| Incident reporting | Major ICT incident: initial within 4 h of classification (≤24 h from detection); intermediate 72 h; final 1 month | Operational/conduct incidents reported to NCA per MiCA chapters | Treat ICT incidents under DORA; conduct incidents under MiCA |
| Resilience testing | Article 25 annual programme; Article 26 TLPT every 3 years for entities identified by competent authorities | No equivalent | DORA programme drives the testing artefact set |
| Third-party risk | Articles 28–30: register of information, contractual provisions, oversight of critical ICT third parties | MiCA conduct rules on outsourcing | Maintain a single register satisfying both |
| Penalties / enforcement | NCA-led; possible administrative penalties | NCA-led; administrative penalties + supervisory measures; ESMA coordination | Dual exposure — same conduct breach can trigger both |
DORA in scope: what changed in 2025–2026
DORA has applied since 17 January 2025. The deadline question is closed. In 2026 supervisors and partner banks examine operating evidence:
- ICT risk management framework approved by the management body and reviewed at least annually (Article 6).
- ICT-related incident management aligned with the Joint Technical Standards on classification and reporting.
- Annual digital operational resilience testing (Article 25), with threat-led penetration testing (TLPT) at least every three years for financial entities identified by competent authorities under Article 26 — TLPT is not universal.
- ICT third-party risk register and Article 30 contractual provisions for arrangements supporting critical or important functions.
For CASPs and ART issuers, being a "financial entity" under DORA Article 2 means the framework applies; what each entity implements is calibrated by proportionality to its size, nature, scale and complexity, and to the criticality of its services.
MiCA in scope: dates that matter through 2026
MiCA — Regulation (EU) 2023/1114 — entered into force in 2023 with staggered application dates set out in MiCA Article 149:
- 30 June 2024 — Titles III and IV apply: rules for issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs).
- 30 December 2024 — Main MiCA regime applies in full, including Title V on the authorisation and operating conditions for crypto-asset service providers (CASPs).
MiCA Article 143 transitional measures and the 1 July 2026 cliff
MiCA Article 143 allows an entity providing crypto-asset services in a Member State before 30 December 2024 to continue under existing national rules until 1 July 2026, or until MiCA authorisation is granted or refused — whichever is sooner. Member States could shorten this by national option.
On 17 April 2026, ESMA issued a public statement on the end of the MiCA transitional periods. The key supervisory message:
- After 1 July 2026, any entity providing crypto-asset services to clients in the EU without a MiCA authorisation is in breach of MiCA and must cease the relevant activities.
- National competent authorities are expected to take enforcement action against entities continuing without authorisation.
For CASPs that have applied for authorisation but have not received a decision, the entity remains in scope of national transitional rules — but the practical exposure window narrows fast.
Who is in scope?
DORA financial entities (non-exhaustive)
- Credit institutions, payment institutions, electronic money institutions
- Investment firms, central counterparties, trading venues
- Crypto-asset service providers authorised under MiCA
- Issuers of asset-referenced tokens under MiCA
- ICT third-party service providers — separate Lead Overseer regime
MiCA-authorised entities
- CASPs providing services such as custody, exchange, transmission, advice
- Issuers of asset-referenced tokens (ARTs)
- Issuers of e-money tokens (EMTs) — additional alignment with PSD/EMD
- Offerors and persons seeking admission to trading of crypto-assets other than ARTs and EMTs
A MiCA-authorised CASP or ART issuer is therefore in DORA scope as a financial entity.
What CASPs must do in 2026
- Confirm MiCA authorisation status. If still relying on the Article 143 transitional regime, plan for the 1 July 2026 cut-off and the ESMA-flagged enforcement environment.
- Map the entity into the DORA framework. ICT risk policies, asset register, incident classification taxonomy, third-party register, testing programme, board reporting.
- Calibrate to proportionality. Apply DORA proportionally to size, nature, scale and complexity. Document the proportionality rationale in the ICT risk management framework.
- Run the testing programme. Annual scenario-based testing under Article 25. Confirm whether the entity falls within Article 26 TLPT scope based on competent-authority criteria.
- Tighten ICT third-party arrangements. Article 30 contractual provisions for arrangements supporting critical or important functions, including cloud, key management, market data, custody infrastructure.
- Operate incident management. Wire the DORA cadence into ticketing and notification: classification → initial notification within 4 h after classification (≤24 h from detection) → intermediate at 72 h → final at 1 month.
- Reconcile DORA evidence and MiCA conduct evidence in a single audit-ready evidence pack — same underlying controls, two regulatory views.
Incident reporting and operational resilience
DORA's incident-reporting cadence under Articles 17–19 follows the Joint Technical Standards on major incident reporting:
- Major ICT-related incidents — once an incident is classified as major:
  - Initial notification — within 4 hours after classification, and no later than 24 hours after the entity becomes aware of or detects the incident.
  - Intermediate report — within 72 hours of the initial notification.
  - Final report — within one month of the initial notification, including root cause and remediation.
- Significant cyber threats — voluntary notifications. There is no mandatory cyber-threat reporting regime under DORA.
MiCA carries its own conduct-and-prudential reporting paths (e.g. notifications related to authorisation conditions, governance changes, complaints handling). For a CASP, the practical answer is: ICT incidents on the DORA path; MiCA-specific conduct events on the MiCA path; same incident-management process.
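One way to wire the cadence above into ticketing is a small deadline calculator. This is an added example, not code from any regulator or from this guide's author. The names `dora_deadlines`, `ReportingClock` and `overdue` are hypothetical, and reading "one month" as the same day next month, clamped to month end, is an assumption to confirm against the Joint Technical Standards.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(ts: datetime) -> datetime:
    # Assumption: "one month" = same day next month, clamped to month end.
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingClock:
    initial_due: datetime
    intermediate_due: Optional[datetime] = None  # known once the initial is sent
    final_due: Optional[datetime] = None


def dora_deadlines(detected: datetime, classified_major: datetime,
                   initial_sent: Optional[datetime] = None) -> ReportingClock:
    for ts in (detected, classified_major, initial_sent):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("use timezone-aware timestamps")
    if classified_major < detected:
        raise ValueError("classification cannot precede detection")
    # Two limits on the initial notification; the earlier one binds.
    initial_due = min(classified_major + timedelta(hours=4),
                      detected + timedelta(hours=24))
    if initial_sent is None:
        return ReportingClock(initial_due)
    # As stated above, both later reports run from the initial notification.
    return ReportingClock(initial_due, initial_sent + timedelta(hours=72),
                          add_one_month(initial_sent))


def overdue(clock: ReportingClock, now: datetime, sent: set[str]) -> list[str]:
    """Reports whose deadline has passed and that are not recorded in `sent`."""
    due = {"initial": clock.initial_due, "intermediate": clock.intermediate_due,
           "final": clock.final_due}
    return [n for n, ts in due.items() if ts is not None and n not in sent and now > ts]


if __name__ == "__main__":
    # Constructed sample incident: classified 22 h after detection.
    detected = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)
    print(dora_deadlines(detected, detected + timedelta(hours=22)).initial_due)
```

When classification comes late, the 24-hour limit from detection expires before the 4-hour limit from classification, which is the case a generic "24-hour rule" or a bare "4-hour rule" gets wrong.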
MiCA authorisation and transitional period
- Apply early. MiCA authorisation is national-competent-authority-led, and timelines vary by Member State. Apply well before the 1 July 2026 cliff.
- Treat the application as a control-evidence exercise. Governance, capital, AML/CFT, conflicts-of-interest policies, ICT risk and BCDR documentation, complaints handling, and outsourcing arrangements are all reviewed.
- Plan for parallel DORA scrutiny. As soon as authorisation is granted, DORA applies in full as a financial entity. Don't sequence it as "MiCA first, DORA later" — the framework should already be in place.
- Watch national transitional shortenings. Some Member States use the Article 143 national option to shorten the transitional period below 1 July 2026 — confirm the local cut-off.
Common pitfalls
- Treating DORA as an add-on after MiCA authorisation. DORA applies the moment the entity is in scope as a financial entity. Build the framework alongside the licence application.
- Saying "CASPs must comply with all DORA requirements". The right framing: DORA applies, calibrated by proportionality. Document the proportionality reasoning.
- Over-applying TLPT. Threat-led penetration testing under Article 26 applies at least every three years to financial entities identified by competent authorities — not to every CASP and not to every "critical entity".
- Wrong incident-reporting cadence. Using a generic "24-hour rule" without the "after classification as major" qualifier; missing the 4-hour trigger; treating significant cyber threats as mandatory.
- Two registers. Maintaining a separate "MiCA outsourcing list" and "DORA register of information" — wasteful. Build one, view two.
- Assuming national grandfathering will extend. ESMA's 17 April 2026 statement was explicit: after 1 July 2026, no MiCA authorisation = no service to EU clients.
FAQ
Does MiCA replace DORA for crypto firms?
No. They cover different subject matter and apply in parallel. MiCA defines the licence and the conduct rules; DORA defines the digital operational resilience obligations on the same entity once it is in scope as a financial entity.
Are all CASPs required to perform threat-led penetration testing?
No. Article 26 TLPT applies at least every three years to financial entities identified by competent authorities based on criteria set out in the related Joint RTS. CASPs that are not so identified are out of scope of the mandatory TLPT requirement, although the entity may choose to test on a voluntary basis.
What if our CASP application is still pending on 1 July 2026?
Per ESMA's 17 April 2026 statement, after 1 July 2026 any entity providing crypto-asset services to EU clients without a MiCA authorisation is in breach of MiCA and must cease the activity. Pending applications do not extend the cliff.
Do we need separate DORA and MiCA evidence sets?
No. Build one underlying control set — ICT risk management, BCDR, third-party register, incident management — and present it through the lens that each regulator uses. Most artefacts are shared.
How does MiCA interact with PSD2/EMD for EMTs?
E-money token issuers must align with both MiCA Title IV and the e-money / payment-services regimes (PSD/EMD), depending on activities. ICT and resilience obligations for the same entity flow through DORA.
Primary sources
- Regulation (EU) 2022/2554 — DORA, EUR-Lex
- European Banking Authority — Digital Operational Resilience Act (DORA)
- EBA — Joint Technical Standards on major incident reporting
- ESMA — Markets in Crypto-Assets Regulation (MiCA)
- MiCA Article 149 — Entry into force and application
- MiCA Article 143 — Transitional measures
- ESMA — Statement on the end of MiCA transitional periods (17 April 2026)