DORA Act 2025: What Blockchain, Crypto and Fintech Companies Must Know Now (EU, UK & Global Impact)

DORA Act for Blockchain, Crypto and Fintech

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU’s binding framework to ensure financial institutions and their critical technology providers can withstand, respond to and recover from severe ICT disruptions. It applies to 21 categories of financial entities – including banks, insurers, payment firms, and crypto-asset service providers (CASPs) under MiCA. DORA entered into force on 16 January 2023 and became fully enforceable on 17 January 2025. From that date, supervised entities must demonstrate compliance across five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and information-sharing. Non-compliance can trigger fines of up to 2 % of global annual turnover.

2026 is a transition year: supervisory authorities will shift from manual to automated incident reporting, and the European Commission is required under Article 58 to review and potentially strengthen the regulation by 17 January 2026. Companies that missed the January 2025 deadline are strongly advised to launch immediate gap assessments, third-party audits, and phased remediation programmes – prioritising ICT risk management frameworks and resilience testing – to limit exposure to penalties and supervisory interventions.

For blockchain, crypto and fintech innovators, DORA is not merely regulatory overhead: it represents a strategic recalibration of operational resilience, applying rigorous, McKinsey-level risk disciplines to the inherent volatility of distributed-ledger and digital-asset ecosystems so that innovation is protected rather than suppressed.

DORA Rules for Blockchain Companies That Work with Fintech or Crypto Partners (Third-Party & CTPP Risks)

Blockchain providers delivering infrastructure or services to regulated financial entities fall into scope as ICT third-party providers (ICT TPPs). Even if the blockchain firm itself is not a financial entity, contracts with EU banks, fintechs or CASPs trigger downstream obligations. Clients must register these relationships, perform risk-based due diligence, and impose contractual clauses covering audit rights, exit strategies, subcontracting limits, and incident reporting. If the service is deemed critical and the provider reaches concentration thresholds, it can be designated a Critical Third-Party Provider (CTPP) by the European Supervisory Authorities (ESAs), leading to direct oversight, on-site inspections and potential remedial measures. Early alignment with DORA standards is now a commercial necessity for retaining and winning EU financial clients.

Do Non-Financial, Non-Crypto Blockchain Companies Need to Comply with DORA in 2025?

Pure-play blockchain companies with no exposure to regulated financial entities or their critical functions remain outside DORA’s direct scope. Examples include NFT platforms for digital art, tokenised real-world assets for non-financial use cases, or enterprise permissioned networks used solely in supply chains. As long as no service supports a financial entity’s critical or important functions, no compliance obligations apply. However, many large financial institutions are extending DORA-style questionnaires to all suppliers to reduce shadow risk, creating a de facto market expectation even for non-regulated use cases.

DORA Compliance for Crypto Companies in the EU: CASPs, MiCA and New Resilience Requirements

EU-based crypto-asset service providers authorised under MiCA are in full scope as financial entities. DORA adds operational resilience obligations on top of MiCA’s conduct rules: board-level ICT risk frameworks, mandatory reporting of major incidents within 4 hours (initial) and 72 hours (detailed), annual penetration testing, threat-led resilience testing at least every three years, and robust third-party risk management. Smaller CASPs face the highest relative burden; industry estimates place full compliance costs between €500,000 and €2 million for mid-sized operators. Compliance is now a prerequisite for maintaining MiCA authorisation and accessing EU institutional capital.

DORA Impact on Crypto Companies Outside the EU (UK, US, Singapore, Switzerland)

Non-EU crypto firms are not directly supervised under DORA, but contractual and market-access pressures create strong indirect effects. Any EU-regulated client must assess the resilience of non-EU providers and include DORA-aligned clauses in service agreements (uptime guarantees, data localisation, breach notification within 24–48 hours). Failure to meet these standards risks exclusion from EU counterparty networks and liquidity pools. UK firms face a parallel but non-identical regime under the Bank of England/FCA critical third-party framework, requiring dual compliance playbooks for many operators.

How the DORA Act Affects Fintech Institutions in Europe in 2025 and Beyond

Fintechs – whether payment providers, lending platforms, robo-advisors or neobanks – are treated the same as traditional banks under DORA’s proportionality principle. They must implement a full ICT risk management framework with board oversight, maintain a register of all ICT contractual arrangements, conduct regular resilience testing, and manage concentration risk with third-party providers. Initial implementation costs typically range from 5–10 % of annual IT spend, but the regulation creates a level playing field and accelerates institutional partnerships for compliant players.

DORA 2025 Summary: Key Takeaways for Blockchain, Crypto and Fintech Leaders

  • 17 January 2025 was the hard deadline – compliance is now mandatory.
  • 2026 will see intensified supervisory convergence, automated reporting, and the first wave of enforcement actions.
  • Direct scope: all EU financial entities + their critical ICT providers.
  • Indirect scope reaches global blockchain and crypto firms serving EU clients.
  • Proactive resilience is no longer optional; it is the new competitive baseline for accessing Europe’s financial ecosystem.

Companies that treat DORA as a strategic investment rather than a compliance exercise will gain preferred-partner status, lower funding costs, and a measurable resilience edge in an increasingly hostile cyber environment.
