MiCA Compliance for CASPs: ICT, Operational Resilience and DORA Obligations

MiCA compliance for CASPs in 2026: ICT systems security, authorisation conditions, governance and operational resilience with the DORA overlap fully explained.

Last reviewed: 1 June 2026

This page covers MiCA authorisation requirements for CASPs, with DORA as the operative ICT framework. For a side-by-side comparison of DORA and MiCA obligations across all in-scope entities, see DORA vs MiCA: 2026 Compliance Guide.

Key takeaways

  • MiCA — Regulation (EU) 2023/1114 — Title V provisions for crypto-asset service providers applied from 30 December 2024. Entities providing services under national law before that date may operate until 1 July 2026 under MiCA Article 143 transitional measures (subject to national variation).
  • CASPs authorised under MiCA are explicitly in DORA scope as financial entities under DORA Article 2 — ICT risk, incident reporting, resilience testing and third-party oversight obligations apply from 17 January 2025.
  • MiCA governs authorisation and conduct. DORA governs ICT operational resilience. For an authorised CASP, both apply simultaneously — with DORA as the operative ICT risk framework.
  • Fastest path: confirm CASP authorisation status and competent authority → stand up the DORA ICT risk management framework → align MiCA governance and ICT evidence with DORA deliverables → maintain a single operating model.

Short answer

A crypto-asset service provider in 2026 operates under two EU-level regulations at once.

MiCA — Regulation (EU) 2023/1114 — governs who can provide crypto-asset services in the EU, on what conditions, and with what ongoing obligations on governance, prudential requirements, conduct of business and client protection. Title V provisions for CASPs have applied since 30 December 2024.

DORA — Regulation (EU) 2022/2554 — governs ICT risk management, incident reporting, resilience testing and ICT third-party risk for EU financial entities, including authorised CASPs. DORA has applied since 17 January 2025.

The practical implication is that a CASP needs a MiCA-compliant conduct and governance framework alongside a DORA-compliant ICT operational resilience programme. Evidence from DORA — ICT risk register, incident workflows, Register of Information, resilience test records, board reporting — also supports the MiCA supervisory picture on operational risk. The two frameworks are not duplicative: they address different dimensions. Well-designed programmes share a core evidence layer rather than running two parallel documentation projects.

For a worked engagement case, see the CASP MiCA and DORA readiness case study.

Who is a CASP under MiCA?

Under MiCA, a crypto-asset service provider is any legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis, and that is authorised under MiCA to do so (MiCA Title V, Chapter 1).

MiCA defines ten categories of crypto-asset service:

  1. Custody and administration of crypto-assets on behalf of clients
  2. Operation of a trading platform for crypto-assets
  3. Exchange of crypto-assets for funds
  4. Exchange of crypto-assets for other crypto-assets
  5. Execution of orders for crypto-assets on behalf of clients
  6. Placing of crypto-assets
  7. Reception and transmission of orders for crypto-assets on behalf of clients
  8. Providing advice on crypto-assets
  9. Providing portfolio management on crypto-assets
  10. Providing transfer services for crypto-assets to clients

Entities providing any of these services in the EU generally require CASP authorisation under MiCA. Certain EU-regulated entities — credit institutions, investment firms, electronic money institutions, market operators and EU central securities depositories already authorised under sector-specific law — may provide specified crypto-asset services under a notification procedure rather than a full CASP authorisation. Entity-specific legal analysis is required before assuming an exemption applies.

MiCA authorisation: what CASPs must demonstrate

To obtain and maintain authorisation as a CASP, an entity must meet and continue to meet the conditions set out in MiCA Title V. Core ongoing requirements include:

| Condition area | What MiCA requires |
|---|---|
| Legal form and registered office | Legal person; registered office in an EU Member State; effective management conducted in that Member State |
| Management body | Fit and proper members; sufficient time commitment; diversity of experience; good repute |
| Governance | Clear organisational structure; well-defined lines of responsibility; internal controls; policies and procedures |
| Own funds | Minimum own-funds requirements calibrated to the specific crypto-asset services provided |
| ICT systems | ICT systems and security access protocols appropriate to ensure security, integrity and confidentiality of data |
| Business continuity | Documented business continuity policy maintained and tested |
| Record keeping | Systems for recording transactions, client data and communications |
| Safeguarding | Measures protecting clients' crypto-assets and funds from the CASP's own assets |
| Complaints handling | Accessible complaints procedure and record of complaints handled |

The national competent authority of the Member State where the CASP is registered handles authorisation. Once authorised, the CASP can passport services across the EU under the MiCA notification mechanism.

For jurisdiction-specific NCA contacts, see the DORA National Competent Authorities hub.

MiCA ICT and security requirements for CASPs

MiCA requires CASPs to use ICT systems and security access protocols that are appropriate to ensure the security, integrity and confidentiality of data — in accordance with DORA where applicable.

This cross-reference to DORA in MiCA's ICT requirement is intentional. For CASPs that are DORA financial entities — which all authorised CASPs are, under DORA Article 2 — DORA is the operative ICT risk framework. MiCA does not impose a separate ICT risk management regime on top of DORA. DORA compliance satisfies the MiCA ICT requirement for financial entities within DORA scope.

In practice, the DORA ICT risk management framework (DORA Articles 5–16) covers the MiCA ICT requirement:

| DORA delivery | MiCA ICT relevance |
|---|---|
| ICT risk management framework (DORA Article 6) | Governance of ICT security, integrity and confidentiality |
| Asset and dependency inventory | Identifying systems supporting crypto-asset services |
| ICT risk register | Identifying and managing risks affecting client data and service continuity |
| Security controls | Technical and organisational access protocols and safeguards |
| Incident management (DORA Articles 17–23) | Detecting and responding to events affecting data or service availability |
| ICT third-party oversight (DORA Articles 28–44) | Managing cloud, infrastructure and data service providers |

Business continuity. MiCA requires CASPs to maintain and operate a documented business continuity policy. This aligns with DORA's ICT business continuity and disaster recovery requirements under DORA Articles 11 and 12. A DORA-compliant BCDR programme satisfies the MiCA business continuity obligation. For a practical guide, see DORA Business Continuity and Disaster Recovery.

Incident notification. MiCA requires CASPs to notify their competent authority of material operational incidents. DORA creates a tiered, detailed incident classification and reporting regime for major ICT-related incidents — with prescribed timelines for initial notification, intermediate report and final report under DORA Article 19. For CASPs, DORA incident reporting is the operative regime for ICT-related events. For full timelines, see DORA Incident Reporting.

Governance obligations under MiCA

MiCA requires CASPs to maintain a clear and transparent governance structure with well-defined lines of responsibility and accountability. The main obligations:

  • Management body: Members must be of good repute, hold appropriate knowledge, skills and experience, give sufficient time commitment, and collectively reflect diversity of experience.
  • Internal control framework: CASPs must maintain adequate internal controls — including compliance and risk management functions — proportionate to the nature, scale and complexity of their services.
  • Policies and procedures: Written policies covering governance, risk management, conflicts of interest, complaints, safeguarding and ICT must be maintained, reviewed periodically and available to supervisors on request.
  • Regular review: Governance arrangements must be reviewed after any material change in service scope, technology stack or regulatory context.

Board-level ICT risk oversight is required under both DORA (DORA Article 5) and MiCA governance requirements. A single DORA-standard board reporting pack — covering ICT risks, incidents, third-party exposure, remediation status and testing results — satisfies both obligations. For board reporting guidance, see DORA Board Responsibilities for EU Financial Entities.

How DORA applies to CASPs

CASPs authorised under MiCA are explicitly listed as financial entities in DORA Article 2. All five DORA pillars apply from 17 January 2025: ICT risk management (Articles 5–16), incident management (Articles 17–23), resilience testing (Articles 24–27), ICT third-party risk (Articles 28–44) and information sharing (Article 45).

For most CASPs, the practical starting point is the ICT risk management framework, the Register of Information and an incident classification workflow. For a gap analysis approach, see the DORA Gap Analysis hub and DORA Third-Party ICT Risk.

For the full DORA vs MiCA comparison — which regime owns which obligation, side-by-side evidence tables, and the 30-day CASP readiness plan — see DORA vs MiCA: 2026 Compliance Guide.

MiCA and DORA: complementary, not duplicative

The two regulations govern different dimensions of CASP operations:

| Dimension | Governed primarily by |
|---|---|
| Who can provide crypto-asset services | MiCA (authorisation requirement) |
| Conduct of business and client protection | MiCA (conduct obligations) |
| ICT systems, security and operational resilience | DORA (operative ICT risk framework for financial entities) |
| ICT incident reporting to NCA | DORA Articles 17–19 (for ICT-related incidents) |
| Operational resilience testing | DORA Articles 24–27 |
| Safeguarding client assets and funds | MiCA |
| Governance and management body oversight | Both — complementary requirements, one programme |
| Prudential own-funds requirements | MiCA |

A CASP benefits from building one operating model — DORA as the ICT backbone, MiCA as the authorisation and conduct layer — rather than running two parallel documentation programmes. Evidence reuse is the practical objective, not conflation of legal obligations.

For the full DORA vs MiCA comparison, see DORA vs MiCA: 2026 Compliance Guide.

MiCA CASP timeline

| Event | Date |
|---|---|
| MiCA published in the EU Official Journal | 9 June 2023 |
| MiCA entered into force | 29 June 2023 |
| MiCA Title III (asset-referenced tokens) and Title IV (e-money tokens) applied | 30 June 2024 |
| MiCA Title V — CASP provisions applied | 30 December 2024 |
| DORA applied (including for authorised CASPs) | 17 January 2025 |
| MiCA Article 143 transitional period ends | 1 July 2026 |

Article 143 transitional note: An entity that was lawfully providing crypto-asset services in a Member State under national law before 30 December 2024 may continue operating during the Article 143 transitional period, which runs until 1 July 2026 for most jurisdictions. Some Member States use the Article 143 option to shorten this period below 1 July 2026. Entities in a transitional period must apply for MiCA authorisation and confirm the exact national deadline with their competent authority. After the transitional period, operating without MiCA authorisation is not permitted. Do not assume the 1 July 2026 date applies in all Member States without NCA confirmation.

Evidence: what a CASP needs to maintain

An authorised CASP in 2026 must be able to demonstrate compliance across both regimes. The evidence landscape by area:

| Area | MiCA evidence | DORA evidence | Reuse possible? |
|---|---|---|---|
| Governance | Governance framework, management body records, policies | ICT risk management framework, board minutes on ICT risk | Partly — one governance record, dual framing |
| ICT risk | ICT risk narrative in authorisation materials | Live ICT risk register, control owner matrix, remediation tracker | No — DORA requires operating evidence, not a static narrative |
| Incidents | Operational incident handling policy; NCA notification records | Incident log, classification rationale, submitted DORA reports | Partly — one incident intake, separate notification tracks |
| Outsourcing | Service provider dependency description | Register of Information, Article 30 contract gap tracker | No — DORA requires a full structured register |
| Resilience | Business continuity policy | Test programme, DR test records, remediation tracker | No — DORA requires tested, documented resilience with findings |
| Board reporting | Management body operational risk overview | ICT risk report, decision log, remediation status | Partly — one board pack, dual framing |

The practical approach is a shared evidence index — one document owner per area, with annotations showing which obligation each artefact supports. This avoids duplicate maintenance and makes regulatory reviews and partner due diligence faster. For a template, see DORA Evidence Index Template.

FAQ

Who qualifies as a CASP under MiCA?

A crypto-asset service provider is any legal person providing one or more of MiCA's ten defined crypto-asset services on a professional basis in the EU, and authorised to do so under MiCA. Services include custody, trading platform operation, exchange of crypto-assets for funds or for other crypto-assets, order execution, placing, reception and transmission of orders, advice, portfolio management and transfer services. Certain EU-regulated entities (credit institutions, investment firms, EMIs, market operators) may provide specified services under a notification procedure rather than a full CASP authorisation.

When did MiCA CASP provisions apply?

MiCA Title V provisions for crypto-asset service providers applied from 30 December 2024. Entities lawfully providing crypto-asset services under national law before that date may continue during the Article 143 transitional period, which runs until 1 July 2026 in most Member States. Some Member States shorten this period. Confirm the exact deadline with the relevant national competent authority. After the transitional period, operating without MiCA authorisation is not permitted.

Does DORA apply to CASPs?

Yes. CASPs authorised under MiCA are explicitly listed as financial entities in DORA Article 2. DORA has applied since 17 January 2025. All five DORA pillars — ICT risk management (Articles 5–16), incident management (Articles 17–23), resilience testing (Articles 24–27), ICT third-party risk (Articles 28–44) and information sharing (Article 45) — apply to CASPs in the same way they apply to payment institutions, EMIs and other financial entities.

What is the relationship between MiCA and DORA for ICT compliance?

MiCA requires CASPs to maintain ICT systems and security access protocols appropriate to ensure security, integrity and confidentiality of data — explicitly in accordance with DORA where DORA applies. For authorised CASPs, DORA is the primary ICT risk framework. A DORA-compliant ICT programme satisfies the MiCA ICT systems requirement. The two regulations are complementary, not duplicative: MiCA governs authorisation and conduct, DORA governs ICT operational resilience.

What ICT evidence does a CASP need for MiCA authorisation?

For MiCA authorisation, a CASP must demonstrate appropriate ICT systems and security protocols, a business continuity policy and adequate governance arrangements. In practice, this requires an ICT risk narrative, governance documentation and a description of ICT controls in the authorisation application package. For ongoing supervision, live DORA evidence — ICT risk register, incident records, Register of Information, test results, board reporting — provides the operational substantiation that supervisors and partner banks look for.

What is the MiCA Article 143 transitional period?

MiCA Article 143 allows entities that were lawfully providing crypto-asset services in a Member State under national law on 30 December 2024 to continue operating while applying for MiCA authorisation. The transitional period ends on 1 July 2026 at the EU level. Some Member States use the Article 143 national option to shorten this period below 1 July 2026. Entities in a transitional period should confirm their exact deadline with their competent authority, as the safe assumption is the national cut-off date rather than the EU backstop.

Does every CASP need threat-led penetration testing (TLPT)?

No. TLPT under DORA Article 26 applies only to financial entities identified by competent authorities based on specific criteria — systemic importance, size, ICT risk profile and service criticality. CASPs not identified for TLPT still need a proportionate digital resilience testing programme (backups, DR tests, incident exercises, vulnerability assessments) under DORA Article 24, but TLPT is not a universal CASP obligation.

Where should a CASP confirm its competent authority and authorisation requirements?

The national competent authority for the Member State where the CASP is — or will be — registered handles MiCA authorisation. ESMA maintains a public register of authorised CASPs. For jurisdiction-specific NCA contacts and guidance on DORA reporting channels, see the DORA National Competent Authorities hub.