The European Commission is one step closer to implementing EU rules on crypto‑assets and cybersecurity for the financial sector, with the recent adoption of a number of technical standards in the form of delegated and implementing acts. The acts complete and complement the Regulation on Operational Resilience (DORA) and the Regulation on Markets in crypto‑assets (MiCA), both of which will begin to fully apply soon. The Commission’s overarching objective in the area of digital finance is to enable individuals and businesses to take advantage of the benefits new financial technologies offer, while also managing the risks they can pose.
Status of implementation
The DORA and MiCA frameworks comprised 12 and respectively 35 different legal mandates for the development of delegated acts, regulatory technical standards and implementing technical standards. The European Supervisory Authorities, or ESAs (namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) were tasked with developing and submitting these technical standards to the Commission over the course of 2024. The development of the standards has been carried out in close cooperation with the national competent authorities and relevant stakeholders, following periods of consultations and discussions with the sector organised by the ESAs during 2023 and 2024
Upon their submission, the Commission must scrutinise the legality of these standards and organise their adoption process. Following the adoption by the Commission, the delegated regulations, including the regulatory technical standards (RTS) undergo a three‑month scrutiny period by the European Parliament and Council. Once this is done, they are published in the Official Journal of the European Union.
Overview of standards
DORA
DORA will strengthen the ability of financial firms to withstand cyber‑related disruptions and threats and ensure a swift recovery if incidents do occur. The framework also includes an oversight mechanism of critical third‑party providers of ICT services to financial entities, such as cloud service providers.
The DORA standards further specify how financial entities should manage ICT risk, report incidents, and carry out resilience testing. They also further specify certain oversight related aspects. Most of these standards have been adopted:
The Commission is currently finalising the review of the RTS on threat‑led penetration testing (ESA draft available here) and the RTS on subcontracting (ESA draft available here) with adoption planned for early 2025.
MiCA
MiCA will support innovation by providing for the proportionate regulatory and supervisory treatment of issuers of crypto‑assets and crypto asset service providers, enabling them to scale up their business within the single market. At the same time, MiCA aims to address the risks to investor/consumer protection, market integrity and financial stability that crypto‑assets can pose.
MiCA contains around 35 different mandates for delegated acts, regulatory technical standards and implementing technical standards. The ESAs (namely ESMA and the EBA) delivered these drafts in the course of 2024. The Commission has since been able to adopt many of these draft standards. Some have, following scrutiny by the European Parliament and Council, been published in the Official Journal. Others have been adopted but are still subject to scrutiny. Finally, some are yet to be adopted.
More specifically, the Commission has adopted the delegated acts on the criteria for significance of asset‑referenced tokens and e‑money tokens, the intervention powers of authorities as well as the EBA powers when acting as the supervisor for significant asset‑reference tokens and e‑money tokens since February 2024. In autumn, the Commission also adopted the standards on
- the process for complaints handling
- the procedure for the authorisation of crypto‑asset service providers and the notification by certain financial entities of their intention to provide crypto‑asset services
- the standards relevant to cooperation arrangements of supervisory powers
- standards in relation to the prevention of market abuse
- the operation of supervisory colleges
- the prudential standards on own funds and some of the reporting standards for stablecoins
- the standard for the template of the white papers
- the standards on acquisition of qualifying holdings in issuers of asset‑referenced tokens and crypto‑asset service providers
- the standards on the presentation of sustainability indicators and adverse impacts on climate.
The Commission has requested amendments to the drafts communicated by the ESAs in the case of the standard on conflicts of interest for issuers of stablecoins and crypto‑asset service providers as well as the standard regarding the authorisation process for issuers of asset‑referenced tokens. Once the amendments requested have been implemented, these standards will be adopted too.
Finally, the legal review of the draft standard regarding record‑keeping of crypto‑asset services, activities, orders and transactions as well as the draft standards on liquidity requirements for stablecoins is being finalised, with adoption expected shortly. Finally, the Commission is also starting the review of the recently received draft standard on monitoring, detection and notification of market abuse. Once these last standards are adopted, the framework for crypto‑assets will be complete.
Next steps
MiCA will apply fully from 30 December (provisions related to “stablecoins” apply since 30 June 2024) and DORA from 17 January 2025. The legal obligation to comply with the various provisions of these frameworks starts from these respective dates.
Where the relevant standards have been adopted by the Commission but are still subject to scrutiny review by the Parliament and the Council, the persons subject to the requirements must apply the provisions introduced in MiCA or DORA, taking into consideration the specifications introduced in the relevant delegated and implementing acts adopted by the Commission but not yet published (see overview above).
The Commission emphasises the importance for financial entities to adopt a robust, structured approach in order to meet their obligations in a timely manner and to engage with supervisors. In this regard, a recent statement on DORA application was published by the ESAs on 4 December 2024.
Related links
Back to the Finance news hub
