If you work in risk, compliance, or financial services and you have not yet mapped the regulatory landscape for digital assets, the window for getting ahead is closing fast.

Three regulatory frameworks are reshaping how organisations handle crypto-assets, digital operational resilience, and virtual currency business: the EU’s Markets in Crypto-Assets Regulation (MiCA), the Digital Operational Resilience Act (DORA), and the New York Department of Financial Services (NYDFS) BitLicense.

Each tackles the same fundamental problem from a different angle: how do you protect consumers, maintain financial stability, and prevent illicit activity in a world where value moves on blockchains? This article breaks down each framework, explains what they mean for risk managers, and shows where they overlap and diverge.

MiCA: The EU’s Single Rulebook for Crypto-Assets

The Markets in Crypto-Assets Regulation (EU 2023/1114) is the European Union’s first comprehensive legal framework for crypto-assets not already covered by existing financial services legislation.

It entered into force in June 2023, with stablecoin rules (asset-referenced tokens and e-money tokens) applying from June 2024 and full CASP (Crypto-Asset Service Provider) requirements effective from 30 December 2024.

The headline numbers tell the story: over 40 CASP licences issued as of mid-2025, over €540 million in penalties already levied, and a hard deadline of 1 July 2026 for all grandfathering periods to expire across member states. After that date, no CASP can legally operate in the EU without MiCA authorisation.

What MiCA covers.

MiCA classifies crypto-assets into three categories. Asset-Referenced Tokens (ARTs) maintain value by referencing multiple currencies, commodities, or assets. E-Money Tokens (EMTs) are pegged to a single fiat currency and follow an e-money-style regime.

All Other Crypto-Assets cover utility tokens, meme coins, and everything else not already regulated as a financial instrument.

For each category, MiCA sets rules on white paper disclosure (similar to a securities prospectus), reserve backing and liquidity requirements for stablecoins, governance and organisational standards, market abuse prevention, and consumer protection including withdrawal rights.

Capital requirements.

CASPs face minimum capital thresholds based on activity type: €50,000 for advisory services, €125,000 for custody and exchange operations, and €150,000 for trading platforms. These are minimum floors. Regulators can and do set higher requirements based on risk assessments.

The passporting advantage.

Once authorised in one EU member state, a CASP can “passport” services across all 27 countries without needing separate licences.

This is a significant competitive advantage over fragmented regimes like the US, and it’s why Germany (18 licences), the Netherlands (14), France (6), and Malta (6) have become the primary CASP hubs in 2025.

Penalties.

Non-compliance carries administrative fines whose ceilings MiCA sets as minimums that member states may exceed: at least €5 million or, depending on the provisions breached, from 3% up to 12.5% of annual turnover (whichever is higher), plus licence withdrawal and personal liability for executives, including temporary bans from exercising management functions. These are not theoretical threats. Regulators are actively enforcing.

For risk managers, MiCA demands a structured compliance risk assessment that maps your organisation’s crypto-related activities against each MiCA obligation.

If you are a pension fund or institutional investor with digital asset exposure, your third-party due diligence on custodians and exchanges now needs to verify MiCA authorisation status.

DORA: Digital Operational Resilience for Financial Entities

While MiCA regulates what crypto firms can do, the Digital Operational Resilience Act (EU 2022/2554) regulates how resilient they and all other financial entities must be.

DORA became directly applicable across all EU member states on 17 January 2025, covering approximately 22,000 financial entities including banks, insurers, investment firms, payment institutions, and notably, MiCA-regulated CASPs.

DORA exists because the financial sector’s dependence on technology has outpaced its ability to manage the associated risks. A single ICT failure at a major cloud provider can cascade across markets, and the EU decided that voluntary resilience standards were not enough.

DORA’s five pillars.

The regulation is built on five requirements. First, ICT risk management: entities must maintain a comprehensive framework to identify, monitor, prevent, and mitigate ICT-related risks.

Management bodies must approve and oversee this framework and receive cyber training. This aligns directly with the IT risk management lifecycle that best-practice organisations already follow.

Second, incident management and reporting: entities must detect, classify, and report major ICT incidents to regulators. The initial notification is due within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours, and a final report with root cause analysis within one month.

Third, digital operational resilience testing: regular testing programmes including, for systemically important entities, threat-led penetration testing (TLPT).

Fourth, ICT third-party risk management: comprehensive registers of all ICT service provider arrangements, with mandatory contractual provisions covering SLAs, audit rights, exit strategies, and incident notification. Fifth, information sharing: voluntary sharing of cyber threat intelligence between financial entities.

Critical third-party providers (CTPPs).

In November 2025, the European Supervisory Authorities designated 19 ICT service providers as critical under DORA, including AWS, Microsoft Azure, and Google Cloud. These CTPPs are now subject to direct EU regulatory oversight.

Financial entities that rely on designated CTPPs must ensure their contractual arrangements comply with DORA’s requirements or risk supervisory action.

Penalties.

DORA leaves the design of penalties for financial entities to member states (Article 50), which must provide for effective, proportionate and dissuasive administrative penalties and remedial measures; some national implementing laws express these as a percentage of turnover, so check the regime in each jurisdiction where you are authorised. For designated CTPPs, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months, until the provider complies. Competent authorities can also require financial entities to suspend or terminate contracts with a CTPP that has not addressed the Lead Overseer's recommendations.

For organisations that already run business continuity plans for IT, DORA raises the bar significantly. Your BIA must explicitly cover ICT dependencies and third-party concentration risk. Your testing programme needs documented evidence of resilience.

And your board must demonstrate active oversight of ICT risk, not just sign-off on a policy document. A set of cyber security KRIs mapped to the NIST Cybersecurity Framework functions provides a useful starting point for building the monitoring dashboards that DORA expects.

NYDFS BitLicense: America’s Strictest Crypto Regime

While the EU built MiCA as a unified continental framework, the United States still lacks a single federal crypto law. Into that vacuum stepped the New York State Department of Financial Services (NYDFS), which in 2015 introduced the BitLicense under 23 NYCRR Part 200. It remains the most comprehensive state-level crypto regulatory regime in the US.

Any business conducting virtual currency business activity with New York residents, whether based in New York or operating remotely, must obtain either a BitLicense or a limited purpose trust charter from NYDFS. Activities covered include transmitting, buying, selling, storing, or issuing virtual currency for customers.

Key requirements.

The BitLicense application is notoriously rigorous, running through a 44-page regulatory checklist. Capital requirements are assessed case-by-case based on financial position, transaction volume, total liabilities, and liquidity rather than fixed minimums.

Applicants must demonstrate robust AML/KYC programmes, cybersecurity infrastructure (NYDFS has its own cybersecurity regulation, 23 NYCRR Part 500), business continuity and disaster recovery plans, consumer protection and disclosure standards, comprehensive books and records, and regular independent audits.

Licensees face ongoing supervision through regular NYDFS examinations and must report any fraud, data breach, or hack promptly.

Stablecoin guidance.

In June 2022, following the Terra/UST collapse, NYDFS issued some of the world’s clearest stablecoin requirements. USD-backed stablecoins issued by regulated entities must be fully backed by high-quality liquid assets (US Treasury bills or fully collateralised reverse repos), held with US-chartered banks and segregated from operational funds, audited monthly by independent accountants with public attestations, and redeemable 1:1 in US dollars on demand. In 2025, NYDFS expanded this guidance with tighter redemption timeframes and reporting obligations.

Enforcement track record.

NYDFS does not hesitate to act. Its first enforcement action against a licensed crypto business was a $30 million settlement with Robinhood Crypto in August 2022 for AML and cybersecurity deficiencies.

The regulator has also rejected applications outright (Bittrex in 2019, citing capital concerns and lax AML controls) and expanded its oversight scope in 2022 guidance to cover “virtual currency-related activities”, a broader category than the original “virtual currency business activity.”

For risk professionals conducting qualitative risk assessments for IT infrastructure, BitLicense requirements should inform your control environment design. The NYDFS cybersecurity regulation (Part 500) predates many other financial sector cyber rules and contains prescriptive requirements that overlap with both DORA and ISO 27001.

How These Three Frameworks Compare

At a high level, MiCA, DORA, and BitLicense share common DNA: protect consumers, ensure operational resilience, prevent financial crime, and maintain market integrity. But they differ in scope, approach, and enforcement philosophy.

Regarding scope, MiCA applies to crypto-asset issuers and CASPs across the EU, DORA applies to all financial entities (including CASPs) and their ICT providers across the EU, and BitLicense applies to virtual currency businesses serving New York residents regardless of location.

Regarding licensing, MiCA offers a single passportable licence across 27 countries, BitLicense is state-level with no reciprocity, and DORA does not create a separate licence but adds resilience requirements on top of existing authorisations.

Regarding capital, MiCA sets minimum capital thresholds by activity type, BitLicense assesses capital case-by-case, and DORA does not directly set capital requirements but mandates ICT risk provisioning.

Regarding third-party oversight, DORA is the most prescriptive with its CTPP designation and direct regulatory oversight of ICT providers, MiCA addresses third-party custody and outsourcing, and BitLicense requires sub-custodians to meet equivalent regulatory standards.

Regarding penalties, MiCA requires member states to provide for administrative fines of at least €5 million or a percentage of annual turnover that rises to 12.5% for the most serious breaches, DORA leaves financial-entity penalties to member states while giving the Lead Overseer periodic penalty payments of up to 1% of average daily worldwide turnover against CTPPs, and BitLicense relies on NYDFS enforcement powers including fines, licence revocation, and referral to criminal authorities.

The critical overlap for risk managers is this: if your organisation operates crypto-related services in the EU, you are simultaneously subject to MiCA (for crypto-specific rules) and DORA (for operational resilience).

In New York, BitLicense wraps both sets of concerns into a single regime. Understanding where these frameworks reinforce each other and where they create additional requirements is essential for efficient compliance.

What This Means for Risk Managers

These three regulations collectively signal that digital asset regulation is converging toward traditional financial services standards. If you manage risk at an institution with any crypto exposure, direct or through third parties, here is what to prioritise.

Map your regulatory exposure. Identify which frameworks apply to your organisation based on geography, activity type, and customer base. An EU-based CASP serving US customers faces MiCA, DORA, and potentially BitLicense simultaneously. Your enterprise risk management framework should capture this multi-jurisdictional complexity.

Conduct a gap analysis. Compare your existing controls against each framework’s requirements. Many controls will overlap: AML programmes, cybersecurity policies, incident reporting, and business continuity plans serve multiple regulators.

Identify the highest common denominator and build to that standard rather than maintaining separate compliance tracks. A structured ISO 27001 risk assessment can serve as the backbone for both MiCA governance requirements and DORA’s ICT risk management framework.

Strengthen ICT third-party risk management. DORA’s third-party requirements are the most prescriptive, but all three frameworks demand robust vendor oversight. Maintain a complete register of ICT service providers, assess concentration risk (are you over-reliant on a single cloud provider?), and ensure contractual arrangements include audit rights, incident notification, and exit strategies.

Your cyber security key risk indicators should include metrics on third-party SLA compliance and vendor security ratings.
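The register and the three checks described above (missing contractual provisions, provider concentration, and single-provider dependency for critical functions) are easy to operationalise once the register is structured data. The following is an added example, not code from the original article or from any regulator: a hypothetical ICT third-party register with constructed sample entries, checking only the four contractual provisions the text names and treating any provider holding more than half of the critical arrangements as over-concentrated. The provider names, the `Arrangement` fields and the 50% threshold are assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# The four contractual provisions the text lists for DORA ICT arrangements
# (a real register would also carry the other Article 30 items).
REQUIRED_CLAUSES = frozenset(
    {"sla", "audit_rights", "exit_strategy", "incident_notification"}
)


@dataclass(frozen=True)
class Arrangement:
    provider: str        # ICT third-party service provider (hypothetical names below)
    service: str         # the ICT service supplied
    function: str        # business function the service supports
    critical: bool       # True if it supports a critical or important function
    clauses: frozenset   # provisions actually present in the signed contract


# Constructed sample register; these providers and contracts are invented.
SAMPLE_REGISTER = [
    Arrangement("CloudCo", "compute", "custody", True, REQUIRED_CLAUSES),
    Arrangement("CloudCo", "object-storage", "custody", True,
                frozenset({"sla", "audit_rights", "incident_notification"})),
    Arrangement("CloudCo", "compute", "trading", True, REQUIRED_CLAUSES),
    Arrangement("KeyVault Ltd", "hsm", "custody", True,
                frozenset({"sla", "incident_notification"})),
    Arrangement("MailCo", "email", "back-office", False, frozenset({"sla"})),
]


def missing_clauses(register):
    """Map (provider, service) -> sorted list of required provisions absent from the contract."""
    gaps = {}
    for a in register:
        absent = REQUIRED_CLAUSES - a.clauses
        if absent:
            gaps[(a.provider, a.service)] = sorted(absent)
    return gaps


def provider_concentration(register):
    """Share of critical-function arrangements held by each provider (0..1)."""
    critical = [a for a in register if a.critical]
    if not critical:
        return {}
    counts = Counter(a.provider for a in critical)
    return {p: n / len(critical) for p, n in counts.items()}


def over_concentrated(register, threshold=0.5):
    """Providers whose share of critical arrangements exceeds the threshold."""
    return sorted(p for p, share in provider_concentration(register).items()
                  if share > threshold)


def single_provider_functions(register):
    """Critical business functions whose every arrangement depends on one provider."""
    providers = defaultdict(set)
    for a in register:
        if a.critical:
            providers[a.function].add(a.provider)
    return sorted(f for f, ps in providers.items() if len(ps) == 1)


def kri_report(register, threshold=0.5):
    """Bundle the three checks into one board-ready KRI snapshot."""
    return {
        "contract_gaps": missing_clauses(register),
        "concentration": provider_concentration(register),
        "over_concentrated": over_concentrated(register, threshold),
        "single_provider_functions": single_provider_functions(register),
    }


if __name__ == "__main__":
    for key, value in kri_report(SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```

Run on the sample register, the report flags the HSM contract for lacking audit rights and an exit strategy, shows the cloud provider holding three of the four critical arrangements, and identifies trading as a function with no second provider; those are exactly the items a DORA examiner will ask the board how it is managing.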

Build board-ready reporting. All three frameworks expect active board-level oversight of digital asset risk. DORA explicitly requires management body approval of ICT risk frameworks. MiCA holds executives personally liable for compliance failures. BitLicense demands governance structures that satisfy NYDFS examiners.

Your risk reporting should include regulatory compliance status, incident metrics, third-party risk dashboards, and capital adequacy relative to regulatory requirements. The three lines of defence model provides the governance architecture: 1st line owns day-to-day compliance, 2nd line sets policy and monitors, 3rd line audits and provides assurance.

Test your resilience. DORA mandates resilience testing. MiCA requires continuity arrangements. BitLicense demands disaster recovery plans. Integrate digital asset scenarios into your existing BCP/DR exercise programme.

What happens if your custodian’s HSM fails? If a key exchange goes offline during peak trading? If a critical cloud provider suffers a regional outage? These are not hypothetical scenarios; they are the events these regulations are designed to address.

Your data integrity risk assessment framework should cover the integrity of blockchain transaction records and custodial data alongside traditional data stores.

Looking Ahead: What to Watch in 2026 and Beyond

Several developments will shape this space in the coming months. The MiCA grandfathering deadline of 1 July 2026 will force a wave of licensing decisions, with non-compliant CASPs required to cease operations.

The European Commission’s interim report on MiCA’s application (due mid-2025, with follow-up expected in 2026) will assess whether the framework needs expansion to cover DeFi, lending, and staking.

DORA’s oversight framework for CTPPs will mature, with the first supervisory cycles for designated providers like AWS and Azure generating precedent. In the US, federal crypto legislation is beginning to arrive: the GENIUS Act on payment stablecoins was signed into law in July 2025, and the CLARITY Act on market structure remains pending; together they may create a national framework that either complements or partially preempts state regimes like BitLicense.

And the UK’s FCA is developing its own crypto activity framework, with new rules for trading platforms, intermediaries, and DeFi expected in 2026.

For risk managers, the message is clear: build adaptable compliance architectures that can absorb regulatory change without requiring a full rebuild each time a new rule drops. Anchor your approach in established standards like ISO 27001, the CIS risk assessment method, and the five-step risk management process, and layer jurisdiction-specific requirements on top.

Next Steps: What To Do This Quarter

First, audit your digital asset exposure. This includes direct holdings, custodial relationships, exchange counterparties, and any ICT providers serving crypto-related functions. Second, verify the regulatory status of your crypto counterparties.

Are your EU-based custodians MiCA-authorised? Check ESMA’s interim MiCA register. Are your New York-facing service providers BitLicensed? Check the NYDFS NMLS database. Third, update your ICT risk register to reflect DORA requirements.

If you have not built a comprehensive ICT third-party service provider register, start now, as the first submission deadline to ESAs was 30 April 2025. Fourth, stress-test your incident response.

Can you meet DORA’s reporting timelines? Can you satisfy BitLicense’s prompt breach notification requirements? Fifth, brief your board. These regulations carry personal liability for executives. Make sure your leadership team understands the exposure and has approved the compliance roadmap.

