DORA Compliance For Web3 Projects: What You Need To Know
Digital threats are undoubtedly ever-evolving. To address this, the European Union has taken a significant step to fortify its financial sector’s cybersecurity. The Digital Operational Resilience Act (DORA) is set to reshape the landscape of digital security in finance, with far-reaching implications for both traditional institutions and emerging Web3 projects.
As a Web3 security audit firm, Hacken is helping projects navigate this new regulatory environment with DORA Compliance, a new service at Hacken.
What Is DORA?
The Digital Operational Resilience Act (DORA) establishes a unified regulatory framework for digital operational resilience in the financial sector across the European Union. Recognizing the critical role of Information and Communication Technology (ICT) in the functioning of financial services, DORA requires that financial entities, including banks, payment providers, investment firms, and crypto-asset service providers, can withstand, respond to, and recover from ICT-related disruptions. By harmonizing rules across Europe, the most comprehensive regulation of its kind to date eliminates inconsistencies between national regimes and ensures a consistent approach to managing ICT risk.
DORA introduces comprehensive requirements for ICT risk management, incident reporting, and digital operational resilience testing. It also emphasizes oversight of critical third-party ICT providers to address potential systemic risks. With its implementation beginning in January 2025, DORA aims to safeguard financial stability, enhance consumer confidence, and support the smooth functioning of the internal market in an era of increasing digitalization.
For a more in-depth exploration of DORA’s implications and compliance strategies, you might find our webinar insightful.
Why Is DORA Needed?
As financial services increasingly rely on digital infrastructure, the sector faces vulnerabilities that could disrupt operations, jeopardize market integrity, and harm consumers. The legislation aims to address these risks by establishing a harmonized framework for managing cyber risks, ensuring that financial entities are equipped to prevent, respond to, and recover from ICT-related disruptions.
DORA Objectives:
- Harmonize financial system resilience
- Enhance market stability
- Increase consumer confidence
- Fill gaps in existing regulations
DORA Objectives For Crypto
For the crypto and DeFi industry, historically plagued by exploits and fraud, with cumulative losses from hacks reportedly nearing $10 billion, DORA is a transformative step forward. By bringing crypto-asset service providers within its scope, DORA aims to enhance trust and foster long-term stability in an innovative but high-risk sector built on decentralized technology.
ESMA Recommendations
European Securities and Markets Authority (ESMA), alongside the EBA and EIOPA, collectively known as the European Supervisory Authorities (ESAs), plays a key role in DORA’s implementation. In 2019, the ESAs issued advice advocating a unified approach to ICT risks and strengthening digital resilience across the EU.
ESMA’s responsibilities under DORA include drafting the technical standards that flesh out the regulation, acting (together with the other ESAs) as Lead Overseer for critical ICT third-party providers, and promoting consistent supervision across member states. Key ESMA recommendations include:
- External cybersecurity audits on a regular basis for financial entities and critical ICT providers.
- Broader evaluations for management members, including reputational checks on fraud prevention, anti-money laundering compliance, and adherence to financial services law.
Through these measures, ESMA seeks to harmonize resilience standards, reduce systemic ICT vulnerabilities, and bolster trust and stability in the EU financial market.
MiCA Regulations & DORA
The Markets in Crypto-Assets (MiCA) regulation introduces a comprehensive framework for crypto-asset service providers (CASPs), such as centralized exchanges, custodians, and other service providers, requiring them to obtain a CASP license and making custodial providers liable for the loss of client crypto-assets caused by incidents attributable to them. It also regulates the issuance of new crypto-assets through mandatory white paper requirements and imposes stricter oversight on stablecoins, including licensing obligations for their issuers. With its new supervisory architecture, MiCA aims to provide clarity, security, and accountability in the crypto market. For players aiming for MiCA compliance, adhering to DORA is crucial, as DORA establishes the operational resilience and cybersecurity foundation that a licensed CASP is expected to have in place.
Who Is Affected by DORA?
DORA’s scope extends to all financial entities in the EU, including banks, fintech, investment firms, insurance, as well as crypto-asset service providers (CASPs) authorized under MiCA.
| Category | Description |
|---|---|
| Credit institutions | Banks and other financial institutions offering credit services. |
| Payment institutions | Includes those exempted under Directive (EU) 2015/2366 (PSD2). |
| Account information service providers | Providers offering account information services. |
| Electronic money institutions | Includes those exempted under Directive 2009/110/EC. |
| Investment firms | Firms engaged in investment activities. |
| Crypto-asset service providers | Authorized under MiCA, plus issuers of asset-referenced tokens. |
| Central securities depositories | Entities holding securities and operating settlement systems. |
| Central counterparties | Entities that interpose themselves between the counterparties to a trade, guaranteeing its performance. |
| Trading venues | Platforms enabling financial instrument trading. |
| Trade repositories | Entities maintaining records of trade data. |
| Managers of alternative investment funds | Includes hedge funds, private equity, etc. |
| Management companies | Companies overseeing collective investment schemes. |
| Data reporting service providers | Entities such as approved reporting mechanisms and approved publication arrangements that report or publish trade data. |
| Insurance and reinsurance undertakings | Firms providing insurance and reinsurance services. |
| Insurance intermediaries | Includes reinsurance and ancillary insurance intermediaries. |
| Institutions for occupational retirement provision | Pension funds and similar entities. |
| Credit rating agencies | Organizations issuing credit ratings. |
| Administrators of critical benchmarks | Responsible for maintaining financial benchmarks. |
| Crowdfunding service providers | Platforms facilitating crowdfunding projects. |
| Securitization repositories | Entities handling securitization transaction data. |
| ICT third-party service providers | Providers offering ICT services to financial entities; those designated as critical fall under direct oversight. |
Crypto and DeFi Services Potentially In-Scope of DORA
In addition to CASPs, DORA’s scope is likely to affect blockchain-based entities that are increasingly integral to the financial ecosystem:
- Wallet infrastructure services
- Staking-as-a-Service
- Blockchain analytics
- Peer-to-peer trading software
- KYC services
- Cloud services
To operate within the EU’s regulatory framework, crypto and DeFi entities must align with DORA’s stringent operational resilience and cybersecurity standards, ensuring they can mitigate risks and maintain compliance in this rapidly evolving sector.
When Does the Digital Operational Resilience Act Come Into Force?
The DORA regulation entered into force on January 16, 2023, and applies from January 17, 2025. This gives Web3 projects a crucial window to prepare and ensure compliance before the regulation takes full effect.
What Are the Consequences of Not Complying?
Noncompliance with DORA can result in administrative or even criminal penalties determined by the “competent authority” of each EU member state, while critical ICT third-party providers face periodic penalty payments of up to 1% of their average daily worldwide turnover (from the preceding business year) for each day of non-compliance, for up to six months, until compliance is achieved.
For example, if a critical ICT provider with an average daily global turnover of €10,000,000 remains non-compliant for 180 days, they could face a daily fine of €100,000, resulting in a total penalty of €18,000,000.
When deciding the penalty amount, the lead overseer will consider:
- The gravity of the non-compliance and how long it lasted.
- Whether the non-compliance was intentional or accidental.
- How cooperative the ICT provider was during the process.
Besides financial penalties, failing to comply with DORA can be costly due to operational disruptions and reputation damage.
DORA Requirements
ICT Risk Management Framework
Developing an ICT Risk Management Framework is a fundamental requirement under DORA. Companies need to perform a detailed gap analysis to assess their current ICT risk landscape and identify vulnerabilities. This framework must integrate into broader operational strategies, ensuring consistent risk management and mitigation. For example, a financial institution might deploy Hacken Extractor, an on-chain monitoring tool, for real-time detection of potential threats and adopt automated protection measures to prevent incidents.
Cybersecurity Measures
Organizations must establish robust cybersecurity measures to safeguard their infrastructure. This includes regular penetration testing to uncover vulnerabilities, continuous monitoring for real-time threat detection, and implementing incident response plans to quickly mitigate attacks. For instance, deploying security audits and automated protection tools can enhance both prevention and response capabilities.
Incident Classification and Reporting
DORA requires entities to establish clear protocols for detecting, classifying, and reporting ICT-related incidents. Structured reporting processes are essential for compliance, ensuring accurate and timely submissions to regulators. Companies might use root cause analysis tools to investigate incidents and streamline their reporting systems to meet regulatory deadlines.
Cyber Resilience Testing
Entities must conduct regular cyber resilience testing, including Threat-Led Penetration Testing (TLPT) that simulates real-world attack scenarios. These tests assess the organization’s resilience to advanced threats and highlight areas requiring improvement. Basic penetration testing addresses common vulnerabilities across the estate, while TLPT focuses on high-risk attack vectors against the critical functions and live production systems that support them. Note that TLPT is mandatory only for financial entities designated by their competent authority, and those entities must carry it out at least every three years.
Third-Party Risk Management
Under DORA, managing risks associated with third-party service providers is critical. Companies must monitor and assess their vendors’ compliance with ICT security standards. For instance, where a provider supports a critical function, the entity’s TLPT should cover that provider’s systems so that their security posture is verified against regulatory expectations, not merely asserted. Additionally, contracts with third parties should mandate regular audits and establish clear incident reporting procedures.
Benefits of DORA for Web3 Projects
Complying with DORA may seem daunting, but it offers several benefits, especially for Web3 projects that have suffered losses, thefts, and devastation from cyber incidents. Some of the benefits are:
- Enhanced security posture
- Improved operational resilience
- Increased trust from users and partners
- Better preparedness for cyber threats
- Alignment with global best practices in cybersecurity
- Avoidance of penalties
DORA Preparation Roadmap
From January 2025, entities must comply with requirements for risk management, incident reporting, and third-party oversight. Crypto businesses like exchanges and DeFi projects must adopt resilience measures, conduct cyber resilience testing, and implement incident reporting protocols.
Preparation involves a gap analysis to identify vulnerabilities, updating the ICT risk management framework, managing third-party risks, and implementing advanced testing such as Threat-Led Penetration Testing (TLPT).
How Hacken Can Help Your DORA Compliance
Hacken is the go-to provider for DORA compliance, leveraging its position as a top auditor in Europe and its ongoing cooperation with the European Commission’s EBSI. With 1500+ clients in Web3 and fintech, Hacken delivers tailored compliance strategies, implements ICT risk management frameworks, and conducts advanced digital resilience testing like TLPT. Clients benefit from detailed assessments that address compliance gaps, monitoring of third-party risks, and continuous support, culminating in the Hacken DORA Compliance Certificate upon completion.
Our package for DORA Compliance includes:
- DORA Readiness Assessment & Gap Assessment: We help clients clearly understand compliance gaps and non-conformities. Unlike competitors who only provide recommendations, Hacken delivers a detailed Remediation Strategy with tailored, step-by-step solutions to address the gaps.
- ICT Risk Management Frameworks: We develop and implement a compliant risk management strategy tailored to your Web3 project.
- Cybersecurity Solutions: From penetration testing to incident response, we ensure your project remains secure and resilient.
- Incident Reporting Tools: Hacken provides tools to help you identify, classify, and report incidents in accordance with DORA requirements.
- Threat-Led Penetration Testing (TLPT): Our TLPT services ensure your project is prepared to face advanced cyber threats.
- Third-Party Risk Management: We help you monitor and manage third-party risks to ensure compliance throughout your ecosystem.
Our team of experts understands the unique challenges faced by Web3 projects and can provide guidance on all aspects of DORA compliance.
Don’t let DORA compliance become a stumbling block for your Web3 project. With Hacken’s DORA Compliance Service, you can stay ahead of the regulatory curve and enhance your project’s security posture.
Contact us today to ensure your project is ready for the future of digital operational resilience in the EU financial sector!
FAQ
The periodic penalty payment can be up to 1% of the critical ICT third-party provider’s average daily worldwide turnover in the preceding business year, applied for each day of non-compliance from the date specified in the penalty decision.
Compliance requires assessing ICT risks, implementing tailored strategies, conducting resilience testing like TLPT, and ensuring oversight of third-party providers—services Hacken specializes in delivering.
DORA is directly tied to cybersecurity, requiring risk management frameworks, incident reporting, and penetration testing to ensure digital operational resilience.