With the introduction of the Markets in Crypto-Assets Regulation (EU) 2023/1114 (MiCA, also known as MiCAR) in 2023, and the applicability of the Regulation on Digital Operational Resilience for the financial sector (EU) 2022/2554 (DORA) from January 2025, the compliance landscape for cryptoasset service providers (CASPs) is undergoing a major transformation. Cyber security is no longer a 'nice-to-have' but a 'must-have' for a CASP to be able to continue operating. In this article, we share key market insights from our experience in assisting CASPs with becoming DORA-compliant in the context of their MiCA applications.
MiCA and relevance of DORA for CASPs
MiCA forms part of the European Commission's wider digital finance strategy, and creates a new regulatory regime for cryptoassets across the European Union. MiCA defines crypto-assets (spelling reflects use in the legislation) as a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology (DLT) or similar technology.
One of the main objectives of MiCA is establishing licensing and supervisory regimes for CASPs, including strict compliance with governance, risk management, and anti-money laundering (AML) obligations. Without a CASP licence, a person or institution may not offer crypto-asset services within the European Union. Competent authorities at Member State level are primarily responsible for supervising CASPs and enforcing requirements under MiCA.
While MiCA focuses on the operational and regulatory framework for crypto-asset providers, DORA adds a layer of compliance that is essential for ensuring digital operational resilience, by imposing strict requirements on ICT risk management, incident handling, third-party oversight, and digital resilience testing. In the context of MiCA, DORA's relevance for CASPs is not merely a supplementary requirement but an integral part of the licence application process, and since DORA became applicable in January 2025 the licensing burden has grown significantly for CASPs applying for a MiCA licence. Non-compliance with DORA may even lead to CASP director liability under the Dutch Civil Code, given that DORA places specific responsibilities and obligations on the management body, which will usually include the directors of a CASP. Licence applicants must therefore be fully prepared not only for compliance with crypto-specific governance and operations, but also with a mature and documented DORA framework.
MiCA applications in the Netherlands
In the Netherlands, the Dutch Financial Markets Authority (AFM) is the licensing authority for providers of (new) crypto services and is responsible for most of the regular supervision of compliance with the requirements applicable to these crypto services. On its website, the AFM urges CASPs to apply for a licence in a timely manner, as the lead time for a licence application is generally at least five months. In practice, we have observed this taking longer, with the AFM scrutinising applications in detail and often referring to deeply nested subsections of the regulatory technical standards that are meant to standardise DORA implementation.
Before submitting the application and during the application process, there are several steps CASPs can take to ensure they meet DORA requirements and MiCA requirements related to DORA, and to limit the number of follow-up questions by the AFM:
- Ensure the application is complete and all documents have been properly drafted and reviewed before submission, to expedite the process and to keep the follow-up questions from the AFM to a minimum. If the submission is incomplete, the AFM may decide not to review it further.
- In addition to mapping the business functions (and determining which are critical and which are important), make sure your assets and risks have been identified and documented in a register. This can be an Excel sheet or cloud-based tooling, but it is essential for drafting policies and enforcing any ICT risk management framework.
- Completing the DORA documentation always requires a significant commitment in terms of time and other resources, and it makes sense to align the documentation with any plans for a more formal ISMS certification (e.g. ISO 27001). Even if you have no plans to get certified, aligning your framework with industry standards will give comfort to people familiar with them and enhance your chances of approval. That said, note that being ISO 27001 compliant does not automatically equal DORA compliance, and vice versa.
- Clarify the meaning and priority of 'policies' vs 'strategies' vs 'plans' vs 'procedures' vs 'processes'. These terms do not have a uniform definition, but in order to enforce a coherent ICT risk management framework that can be approved by the AFM, organisations need to ensure that the purpose of each type of documentation is made clear. Such distinctions need to be used consistently throughout your submission.
- The documentation needs to form a coherent whole and your ICT risk management framework must align with your generic risk management framework. Where you decide to deviate, this should be made explicit and the rationale explained.
- Be clear on the scope and intended audience of each document. The overall framework should demonstrate control and be assigned to the appropriate level within the organisation in a way that is proportionate to the risk and activities. Each document should also clearly document the sanctions for non-compliance.
- Ensure the information is tailored to the specific activities of a CASP. Identifying standard risks applicable to financial entities in general is not considered sufficient, as we have seen in follow-up questions from the AFM asking to provide information tailored to the activities of a CASP.
- Generic language (such as ‘sufficient,’ ‘timely,’ ‘adequate,’ etc.) should always be qualified and operationalised. It should be clear what these terms mean in the context of the CASP, who determines whether something is sufficient, timely or adequate, and how this is determined.
- If any follow-up question from the AFM is unclear, do not hesitate to ask for clarification during the process. The AFM is generally responsive.
- Within the AFM, the evaluation of the licence application seems to be divided across different subject matter experts. As a result, we have seen instances where the AFM has overlooked certain documents or failed to include them in their initial assessment. Accordingly, it can be helpful to cross-refer explicitly to other documents and summarise the reason for referencing them.
Find out more
Taylor Wessing has assisted numerous CASPs and other financial entities in getting DORA compliant in the Netherlands and in other European jurisdictions. Struggling to draft and implement DORA compliance? Reach out to the experts at Taylor Wessing.