Skip to main content
DORAMiCA

DORA vs MiCA: 2026 Compliance Guide for EU Fintechs and CASPs

By Andrey GubarevCISM, CDPSE, SABSA20+ years in cybersecurity and complianceLinkedIn ↗

DORA vs MiCA for EU fintechs and CASPs in 2026: scope, authorisation, ICT risk, incident reporting, TLPT and operational resilience obligations explained today.

In this article
  1. DORA vs MiCA: the short answer
  2. DORA vs MiCA at a glance
  3. Which regime owns which question?
  4. DORA in scope: what changed in 2025-2026
  5. MiCA in scope: dates that matter through 2026
  6. MiCA Article 143 transitional measures and the 1 July 2026 cliff
  7. Who is in scope?
  8. DORA financial entities relevant to crypto and fintech
  9. MiCA-authorised or MiCA-relevant entities
  10. Scope map for common CASP models
  11. What CASPs must do in 2026
  12. Incident reporting and operational resilience
  13. One incident workflow, two regulatory paths
  14. MiCA authorisation and transitional period
  15. Side-by-side: what a CASP actually files under each regime
  16. DORA and MiCA evidence index
  17. Common pitfalls
  18. 30-day CASP readiness plan
  19. FAQ
  20. Does MiCA replace DORA for crypto firms?
  21. Does DORA apply before MiCA authorisation?
  22. Are all CASPs required to perform threat-led penetration testing?
  23. What if our CASP application is still pending on 1 July 2026?
  24. Do we need separate DORA and MiCA evidence sets?
  25. How does MiCA interact with PSD2/EMD for EMTs?
  26. Which jurisdictions matter most for CASP planning?
  27. Related NCA guides
  28. Related reading
  29. Primary sources
  30. Bottom line

Last reviewed: 30 April 2026

DORA vs MiCA: the short answer

DORA and MiCA are two distinct EU regulations that increasingly intersect for crypto-asset firms operating in the Union:

  • DORARegulation (EU) 2022/2554 — governs digital operational resilience for financial entities: ICT risk management, incident reporting, resilience testing and ICT third-party risk.
  • MiCARegulation (EU) 2023/1114 — governs issuance of crypto-assets and the provision of crypto-asset services in the EU: authorisation, conduct, market abuse, consumer protection and prudential requirements.

For MiCA-authorised CASPs and issuers of asset-referenced tokens (ARTs), both frameworks apply. MiCA defines the licence, services and conduct perimeter. DORA defines the digital operational resilience operating model for the same financial entity.

The practical rule for 2026: do not build a MiCA programme first and a DORA programme later. Build one governance and evidence base with two regulatory views.

DORA vs MiCA at a glance

TopicDORAMiCACASP impact
Subject matterDigital operational resilience for financial entitiesMarkets in crypto-assets: issuance, services, conduct and authorisationBoth regimes apply once the CASP is authorised under MiCA
Status in 2026Applies since 17 January 2025Titles III-IV apply since 30 June 2024; main regime applies since 30 December 2024Authorisation, conduct and resilience evidence are live issues
AuthorisationNo DORA licence; DORA attaches to entities already in scopeMandatory MiCA authorisation by national competent authorityMiCA authorisation creates the CASP operating perimeter
Scope of entitiesFinancial entities listed in Article 2, including authorised CASPs and ART issuersCASPs, ART issuers, EMT issuers, offerors and persons seeking admission to tradingCASPs sit in both frameworks
ICT riskCore requirement: governance, framework, controls, testing, incidents, third partiesICT resilience is not the main MiCA frameworkBuild ICT resilience to DORA and use it as MiCA evidence where relevant
Incident reportingMajor ICT-related incidents and voluntary significant cyber-threat notificationMiCA-specific notifications and conduct / market integrity eventsOne incident workflow with DORA and MiCA decision points
Resilience testingRisk-based testing programme; TLPT for entities identified by competent authoritiesNo equivalent TLPT regimeDORA drives resilience test evidence
Third-party ICT riskRegister of Information, lifecycle oversight and contract provisionsMiCA application and governance evidence may include outsourcing / operational arrangementsOne supplier model, mapped to both views
Supervisory routeFinancial competent authority / ESA technical standardsNational competent authority under MiCA, ESMA coordination in defined areasAuthority mapping matters by Member State
Best evidence modelICT risk, incident, testing, BCDR, supplier and board evidenceAuthorisation, governance, conduct, prudential and disclosure evidenceOne evidence index with DORA and MiCA columns

Which regime owns which question?

This is the fastest way to avoid duplication.

QuestionPrimary regimePractical answer
Can the firm provide crypto-asset services in the EU?MiCAConfirm authorisation, transitional status and service perimeter
Can the firm withstand ICT disruption?DORAMaintain ICT risk, BCDR, testing and third-party evidence
Is the CASP's governance adequate?MiCA + DORAMiCA for authorisation / conduct governance; DORA for ICT risk oversight
How are ICT incidents classified and reported?DORAUse DORA classification, notification and evidence workflow
How are conduct, market abuse or customer-impact events handled?MiCARoute through MiCA-specific governance and authority channels
Are critical ICT suppliers controlled?DORAMaintain Register of Information, criticality, contracts and exit evidence
Are customer disclosures and crypto-asset services compliant?MiCAMaintain MiCA service, disclosure, complaints and conduct evidence
Does the board understand operational resilience?DORA + MiCAUse one board pack with separate ICT resilience and MiCA conduct views

For a CASP, DORA is not a side annex. It is the operational resilience layer under the licensed business.

DORA in scope: what changed in 2025-2026

DORA has applied since 17 January 2025. The deadline question is closed. In 2026 supervisors, partner banks and counterparties examine operating evidence:

  • ICT risk management framework approved by the management body and reviewed on a defined cadence;
  • ICT-related incident management aligned with the EU technical standards on classification and reporting;
  • digital operational resilience testing programme;
  • threat-led penetration testing (TLPT) where the entity is identified by competent authorities under Article 26;
  • ICT third-party risk lifecycle, Register of Information and contractual provisions for ICT services supporting critical or important functions.

For CASPs and ART issuers, being a "financial entity" under DORA Article 2 means the framework applies. What each entity implements should be calibrated by proportionality to size, risk profile, nature, scale and complexity.

MiCA in scope: dates that matter through 2026

MiCA — Regulation (EU) 2023/1114 — entered into force in 2023 with staggered application dates set out in MiCA Article 149:

  • 30 June 2024 — Titles III and IV apply: rules for issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs).
  • 30 December 2024 — the main MiCA regime applies, including Title V on the authorisation and operating conditions for crypto-asset service providers (CASPs).

MiCA Article 143 transitional measures and the 1 July 2026 cliff

MiCA Article 143 allows an entity providing crypto-asset services in a Member State before 30 December 2024 to continue under existing national rules until 1 July 2026.

The permission ends earlier if MiCA authorisation is granted or refused. Member States could also shorten this by national option.

On 17 April 2026, ESMA issued a public statement on the end of the MiCA transitional periods. The safe operating message is:

  • after 1 July 2026, an entity providing crypto-asset services to clients in the EU without MiCA authorisation should expect enforcement risk and must not assume continued grandfathering;
  • Member State transitional options and national supervisory practice still matter;
  • a pending application should not be treated as a substitute for authorisation after the transitional period ends.

For CASPs that have applied for authorisation but have not received a decision, the practical exposure window is narrow. The compliance plan should include both the MiCA authorisation file and the DORA evidence base.

Who is in scope?

DORA financial entities relevant to crypto and fintech

  • Crypto-asset service providers authorised under MiCA
  • Issuers of asset-referenced tokens under MiCA
  • Credit institutions, payment institutions and electronic money institutions
  • Investment firms, central counterparties and trading venues
  • ICT third-party service providers under the separate DORA oversight framework where designated

MiCA-authorised or MiCA-relevant entities

  • CASPs providing services such as custody, exchange, execution, placing, reception and transmission, advice, portfolio management or transfer services
  • Issuers of asset-referenced tokens (ARTs)
  • Issuers of e-money tokens (EMTs)
  • Offerors and persons seeking admission to trading of crypto-assets other than ARTs and EMTs

A MiCA-authorised CASP or ART issuer is therefore in DORA scope as a financial entity. An EMT issuer may also sit across MiCA, e-money / payment services law and DORA depending on the entity and activity.

Scope map for common CASP models

Business modelMiCA viewDORA viewMain operating risk
Crypto custody providerCASP service authorisation, safeguarding and conduct controlsICT risk, key management, access control, incident and BCDR evidenceLoss of access, key compromise, supplier outage
Crypto exchange / brokerCASP authorisation, order handling, market integrity and complaintsPlatform resilience, incident classification, supplier and testing evidenceTrading outage, data integrity issue, customer impact
Transfer service providerCASP transfer service and AML / operational controlsAvailability, transaction integrity, incident and supplier evidenceFailed transfers, chain analytics dependency, API outage
ART issuerMiCA Title III issuance, governance and reserve-related obligationsDORA financial entity scope and ICT resilience evidenceReserve process disruption, wallet / platform dependency
EMT issuerMiCA Title IV plus e-money / payment-services alignmentDORA applies where the entity is a financial entityPayment continuity, redemption process, core banking dependency
CASP using group technology companyMiCA authorisation remains with CASPIntra-group technology may be ICT third-party / dependency evidenceInformal service ownership and weak exit assumptions

This table is not a legal scope opinion. It is an operating map for evidence planning.

What CASPs must do in 2026

WorkstreamWhat to doEvidence to keep
MiCA authorisationConfirm authorised, refused, pending or transitional status by Member StateAuthorisation file, NCA correspondence, service perimeter
DORA scopeConfirm CASP / ART issuer status under DORA Article 2Scope note, entity map, licence map
ICT riskMap systems, critical functions, controls and ownersICT risk framework, risk register, control map
IncidentsAdd DORA major ICT-related incident decision pointsIncident workflow, classification log, authority route
TestingRun a risk-based digital operational resilience testing programmeTest plan, tabletop, findings, remediation tracker
TLPTConfirm whether competent authority identification appliesTLPT scope decision or rationale
SuppliersMap ICT third-party arrangements supporting critical or important functionsRegister of Information, contract gap tracker, exit assumptions
Board reportingReport ICT risk and MiCA operating risk in one governance cadenceBoard pack, decision log, risk acceptance
Evidence indexReconcile DORA and MiCA artefactsEvidence index with owner, location, review date

The highest-risk sequencing mistake is to wait for MiCA authorisation before building DORA evidence. A CASP application and a DORA operating model should be prepared in parallel.

Incident reporting and operational resilience

DORA's incident-reporting cadence under Articles 17-19 follows the Joint Technical Standards on major incident reporting:

  • Major ICT-related incidents — once an incident is classified as major:
    • initial notification — within 4 hours after classification, and no later than 24 hours after the entity becomes aware of or detects the incident;
    • intermediate report — within 72 hours of the initial notification;
    • final report — within one month of the latest intermediate report, including root cause and remediation.
  • Significant cyber threats — voluntary notifications. There is no mandatory cyber-threat reporting regime under DORA.

MiCA carries its own conduct, authorisation-condition, market-integrity and customer-impact notification routes. For a CASP, the practical answer is: ICT incidents on the DORA path; MiCA-specific conduct events on the MiCA path; same incident-management process.

One incident workflow, two regulatory paths

EventDORA pathMiCA pathEvidence note
Cloud outage affecting custody platformAssess ICT-related incident and major-incident criteriaAssess customer / service continuity and authorisation-condition impactKeep detection, classification, customer impact and supplier evidence
Key management system compromiseAssess major ICT-related incident and security impactAssess safeguarding, conduct and customer notification implicationsUse one incident log with DORA and MiCA decisions
Trading platform outageAssess ICT service disruption and financial / client impactAssess service obligations, complaints and market integrity impactCapture duration, transactions affected and remediation
Complaint surge after technical failureDORA if caused by ICT disruptionMiCA complaints / conduct route likely relevantLink complaints evidence to incident root cause
Market abuse surveillance failureDORA only if ICT disruption or control failure meets criteriaMiCA / market abuse governance path likely primaryKeep control failure, duration and remediation evidence
Supplier breachAssess third-party ICT incident and critical function impactAssess service, customer and outsourcing implicationsUse supplier contract and notification evidence

This table prevents a common failure: classifying an event only as a technical incident while missing MiCA conduct consequences, or treating a conduct issue as a MiCA-only matter while missing DORA ICT reporting.

MiCA authorisation and transitional period

  • Apply early. MiCA authorisation is national-competent-authority-led, and timelines vary by Member State.
  • Treat the application as a control-evidence exercise. Governance, capital, AML/CFT, conflicts of interest, ICT risk, BCDR documentation, complaints handling and outsourcing arrangements can all become part of the review.
  • Plan for parallel DORA scrutiny. As soon as authorisation is granted and the entity is in DORA scope, DORA obligations apply as a financial entity. Do not sequence it as "MiCA first, DORA later."
  • Watch national transitional shortenings. Some Member States use the Article 143 national option to shorten the transitional period below 1 July 2026. Confirm the local cut-off.
  • Do not assume pending status solves the cliff. After the transitional period, providing crypto-asset services without authorisation creates enforcement exposure.

Side-by-side: what a CASP actually files under each regime

The discovery question we hear most often: "as a MiCA-authorised CASP, what does each regulator actually want to see?" The two evidence sets overlap less than the policy text suggests.

ArtefactDORA viewMiCA viewSame evidence?
Authorisation fileNot a DORA artefactCore MiCA application packNo, MiCA-only
ICT risk management frameworkCore DORA framework approved and reviewed under governanceSupports operational-resilience credibility in authorisation / supervisionYes, DORA artefact relied on in MiCA context
ICT risk registerDORA risk ownership, treatment and control evidenceSupports governance and operational risk narrativeShared evidence
Register of InformationDORA Article 28 ICT third-party arrangementsSupports supplier / outsourcing view where relevantShared base, DORA format
Incident classification taxonomyDORA Article 18 and related technical standardsMiCA conduct / customer / market-integrity events use a separate logicOne workflow, different triggers
Major ICT incident notificationDORA reporting pathNot a MiCA filing by defaultSeparate filing
Conduct / complaints eventDORA only if ICT-related and reportableMiCA path likely relevantSeparate filing, shared incident log
TLPT scope decisionDORA Article 26, authority-led identificationNo equivalent MiCA requirementDORA-only
Whitepaper / public disclosuresNot applicableART / EMT / crypto-asset disclosure obligationsMiCA-only
BCDR evidenceDORA Articles 11-12 continuity and recovery evidenceSupports operational continuity narrativeShared evidence
Board / management-body reportingICT risk, incidents, testing, suppliers and remediationMiCA conduct, prudential and service governanceCombine into one pack with two views

The clean operating model: one underlying control set, two regulator views. CASPs that try to maintain a "DORA pack" and a separate "MiCA pack" duplicate work and produce inconsistent narratives.

DORA and MiCA evidence index

Evidence artefactDORA ownerMiCA ownerRefresh trigger
Entity and licence mapCompliance / legalCompliance / legalAuthorisation, service or jurisdiction change
ICT risk frameworkICT risk ownerGovernance owner relies on itAnnual review or material change
ICT risk registerRisk / security / technologyOperational risk inputQuarterly or material risk change
Incident workflowIncident manager / complianceConduct / customer-impact ownerIncident, tabletop or authority-route change
BCDR test reportOperations / technologyGovernance / continuity ownerAnnual test or material service change
Register of InformationSupplier / ICT risk ownerSupplier / outsourcing evidence ownerSupplier, contract or function change
Contract gap trackerLegal / procurement / riskLegal / operationsContract renewal or new critical supplier
Complaints handling evidenceNot DORA unless ICT-relatedMiCA conduct ownerComplaints trend or process change
Board packCEO / COO / risk ownerCEO / compliance / conduct ownerEach management-body review
Remediation trackerControl ownersControl ownersWeekly or monthly until closure

This evidence index is useful because it shows where one artefact can support both regimes and where separate filings remain necessary.

Common pitfalls

PitfallWhy it is riskyBetter approach
Treating DORA as an add-on after MiCA authorisationDORA applies when the entity is in scope as a financial entityBuild DORA evidence alongside MiCA authorisation work
Saying "CASPs must implement every DORA item in the same way"Overstates non-universal items such as TLPTSay DORA applies, calibrated by scope, proportionality and authority identification
Over-applying TLPTTLPT is not universal for every CASPRecord whether authority identification applies
Using a generic "24-hour incident rule"Misses DORA classification and 4-hour triggerUse DORA incident workflow with classification timestamps
Treating significant cyber threats as mandatory reportsDORA significant cyber-threat notification is voluntaryKeep voluntary-notification decision logic
Maintaining two supplier registersCreates inconsistent supplier evidenceMaintain one Register of Information and map MiCA supplier evidence
Assuming national grandfathering will extendArticle 143 has a hard EU backstop subject to national optionsConfirm national position and authorisation status
Ignoring intra-group technologyCASPs often depend on group engineering or infrastructureTreat intra-group ICT services as real dependencies

30-day CASP readiness plan

WeekActionOutput
Week 1Confirm MiCA authorisation / transitional status by Member StateLicence and authority map
Week 1Confirm DORA scope and entity perimeterDORA scope note
Week 2Map critical services, systems and suppliersCritical function and supplier dependency map
Week 2Build incident workflow with DORA and MiCA decision pointsUnified incident classification and notification process
Week 3Review ICT contracts and Register of Information inputsContract gap tracker and RoI update list
Week 3Prepare board pack viewICT risk, MiCA conduct risk, incidents, suppliers, remediation
Week 4Run one tabletop scenarioEvidence of timestamps, decisions, gaps and remediation
Week 4Build evidence indexOwner, location, review date and regulatory view for each artefact

This plan does not replace authorisation legal work. It gives the CASP an operating base that makes MiCA and DORA evidence consistent.

FAQ

Does MiCA replace DORA for crypto firms?

No. They cover different subject matter and apply in parallel. MiCA defines the licence and the conduct rules; DORA defines digital operational resilience obligations on the same entity once it is in scope as a financial entity.

Does DORA apply before MiCA authorisation?

DORA applies to entities in DORA scope. For CASPs, the clearest DORA trigger is MiCA authorisation bringing the entity into the DORA financial-entity perimeter. Transitional, group and provider scenarios may need separate analysis.

Are all CASPs required to perform threat-led penetration testing?

No. Article 26 TLPT applies at least every three years to financial entities identified by competent authorities based on the relevant criteria. CASPs that are not so identified are outside the mandatory TLPT requirement, although they may still perform advanced testing voluntarily.

What if our CASP application is still pending on 1 July 2026?

The safe position is not to treat a pending application as authorisation. MiCA Article 143 and ESMA's 17 April 2026 statement point to a hard transition risk after 1 July 2026, subject to the exact national facts and supervisory position.

Do we need separate DORA and MiCA evidence sets?

No. Build one underlying control set for ICT risk, BCDR, third-party risk, incident management and board reporting, then present it through DORA and MiCA views. Some artefacts remain MiCA-only, such as authorisation and disclosure materials.

How does MiCA interact with PSD2/EMD for EMTs?

E-money token issuers may need to align MiCA Title IV with e-money and payment-services regimes depending on activities. ICT and resilience obligations for a financial entity flow through DORA.

Which jurisdictions matter most for CASP planning?

Start with the Member State of authorisation and any jurisdictions where the entity provides services or relies on transitional arrangements. Cyprus, Malta, Estonia, Lithuania and Ireland often appear in fintech / CASP planning, but the correct route depends on the entity and service model.

Primary sources

Bottom line

DORA and MiCA are not competing frameworks.

MiCA decides whether and how the crypto-asset business is authorised and supervised. DORA decides whether the same financial entity can govern, protect, test and recover its ICT services.

For CASPs in 2026, the strongest operating model is one evidence base with two views: MiCA for authorisation and conduct, DORA for digital operational resilience.

About the author

Andrey Gubarev

Andrey Gubarev is the founder and vCISO of CyAdviso. He has 20+ years in cybersecurity and multi-year CISO experience at EU-licensed fintechs, including EMIs, payment institutions and CASPs. His work focuses on DORA, MiCA, ICT risk governance, outsourcing oversight, incident readiness and board-ready evidence.

Certifications: CISM, CDPSE, SABSA.

LinkedIn profile ↗fromCISO.com ↗