MiCA Survival Guide · Section 3
The Core Challenge: The DORA & IT Gauntlet
The technical barrier that stops most applicants
Key IT & DORA requirements you must meet
ICT Risk Management Framework (Articles 5-16)
What you must submit
- Digital Operational Resilience Strategy: how the ICT risk management framework supports business objectives, the risk tolerance levels set for ICT risk, clear information security objectives with measurable KPIs, and a documented ICT reference architecture.
- ICT Asset Inventory & Classification: a complete inventory of all ICT-supported business functions, classification and documentation of all information assets, mapping of configurations and interdependencies between assets, and identification of every third-party ICT dependency.
- Protection & Prevention Measures: information security policies covering availability, authenticity, integrity and confidentiality; network and infrastructure management with the ability to isolate affected components automatically; strong authentication (MFA) for access to ICT systems; and documented, tested ICT change management processes.
Third-Party ICT Risk Management (Articles 28-30)
Financial entities remain fully responsible for DORA compliance regardless of what they outsource. Contracts with ICT third-party providers must grant the entity and its competent authorities full access, inspection and audit rights over the provider's data and business premises.
Pre-contractual due diligence required
- Whether arrangement covers critical or important functions
- Impact on operational resilience and continuity
- Supervisory authority access possibilities
- Conflicts of interest assessment
- ICT concentration risk evaluation
- Use of up-to-date security standards
ICT Incident Reporting (Articles 19-20)
Three-stage reporting system
1. Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours from becoming aware of it. Must contain: basic facts, incident type, affected services, estimated impact, and initial mitigation.
2. Intermediate report: within 72 hours of the initial notification, even if nothing has changed. Must include: root cause analysis (if available), full impact scope, and ongoing recovery measures.
3. Final report: within 1 month of the latest intermediate report. Complete post-incident review, final root causes, resolution details, impact assessment, and remediation plans.
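The three deadlines above run on two different clocks: the initial notification is due 4 hours after classification but is capped at 24 hours after awareness, so a slow classification does not buy extra time, and each later deadline is anchored on when the previous report was actually sent. The following Python helper, an added example that is not part of this guide or of any regulatory text, computes all three deadlines for an incident timeline and flags when the 24-hour cap is the binding constraint. It assumes timezone-aware UTC timestamps and reads "one month" as the same calendar day of the following month, clamped to that month's last day; that calendar reading is an assumption, not rule text.

```python
"""Deadline calculator for the three-stage major-incident reporting timeline.
Added example, not from the guide or from any regulator.
Assumptions: timestamps are timezone-aware UTC; "one month" is the same
calendar day of the following month, clamped to that month's last day."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC datetime, e.g. utc(2025, 1, 31, 22)."""
    return datetime(*parts, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Same day-of-month one month later, clamped (31 Jan -> 28/29 Feb)."""
    carry, month0 = divmod(ts.month, 12)   # month 12 -> carry 1, month0 0
    year, month = ts.year + carry, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime           # latest time to send the initial notification
    intermediate: datetime      # latest time to send the intermediate report
    final: datetime             # latest time to send the final report
    capped_by_awareness: bool   # True when the 24h-from-awareness cap is binding


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_sent_at: Optional[datetime] = None,
                        intermediate_sent_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Compute the three deadlines.

    Initial notification: 4h from classification, but never more than 24h from
    awareness.  Intermediate: 72h from when the initial notification was sent.
    Final: one month from when the intermediate report was sent.  If a report
    has not been sent yet, the next deadline is planned against its deadline."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before it is known")
    from_classification = classified_at + timedelta(hours=4)
    from_awareness = aware_at + timedelta(hours=24)
    initial = min(from_classification, from_awareness)
    capped = from_awareness < from_classification

    initial_anchor = initial_sent_at if initial_sent_at is not None else initial
    intermediate = initial_anchor + timedelta(hours=72)

    intermediate_anchor = (intermediate_sent_at if intermediate_sent_at is not None
                           else intermediate)
    final = add_one_month(intermediate_anchor)
    return ReportingDeadlines(initial, intermediate, final, capped)


if __name__ == "__main__":
    # Constructed scenario: aware at midnight on 31 Jan, classified 22 hours later,
    # so the 24h-from-awareness cap (not the 4h-from-classification clock) binds.
    d = reporting_deadlines(utc(2025, 1, 31, 0), utc(2025, 1, 31, 22))
    print("initial      ", d.initial.isoformat(), "(capped by awareness)" if d.capped_by_awareness else "")
    print("intermediate ", d.intermediate.isoformat())
    print("final        ", d.final.isoformat())
```

Feed the function the actual send times as the incident progresses; planning the intermediate report off the initial deadline rather than the real send time would overstate the time available whenever the initial notification went out early.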
What constitutes a "major" ICT incident
Classification is criteria-based rather than a fixed list: DORA Article 18 weighs the number of clients and financial counterparts affected, duration and service downtime, geographical spread, data losses, the criticality of the services affected, and economic impact. Typical triggers for a crypto-asset service provider include:
- Malicious unauthorised access to network and information systems
- Significant service disruption (>X hours for critical functions)
- Data breach affecting customer PII
- Loss or attempted theft of crypto-assets
- Successful cyber attack
Digital Resilience Testing (Articles 24-27)
Comprehensive testing program required (Article 25), with all ICT systems supporting critical or important functions tested at least once a year (Article 24)
- Vulnerability assessments and scans
- Open source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Questionnaires and scanning software solutions
- Source code reviews (where feasible)
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing
- Penetration testing
Entities designated by their competent authority must additionally carry out threat-led penetration testing (TLPT) against live production systems at least every three years (Article 26).
Custody & Asset Segregation Requirements
MiCA custody obligations (Article 75)
- Legal and operational segregation: client crypto-assets are held on distributed-ledger addresses separate from those holding the provider's own assets, and are clearly identifiable as client holdings on the ledger.
- Custody policies: comprehensive internal rules and procedures that minimise the risk of loss of client assets or access to them, with a summary made available to clients in electronic format on request.
- Register of positions: records each client's entitlement to crypto-assets; clients receive a statement of position at least once every three months.
- Liability regime: the custodian is liable for the loss of crypto-assets or of the means of access to them caused by an incident attributable to it (not, for example, a failure inherent in the distributed ledger that it does not control), with liability capped at the market value of the assets lost at the time of the loss.
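Two of these obligations can be checked mechanically against data a custodian already has: the register of positions and a snapshot of on-chain balances, with each address tagged as belonging to the client pool or to the house. The Python routine below, an added example that is not from this guide or from any regulator, reconciles the two: per asset, the balance held on client-pool addresses must cover the sum of client entitlements (a shortfall is what the liability regime bites on), while a surplus on client addresses is flagged too, because house funds parked on client addresses break segregation just as much as the reverse. All addresses, client identifiers and amounts below are constructed for illustration.

```python
"""Segregation and register-of-positions reconciliation.
Added example, not from the guide or any regulator.  Inputs assumed: the pool
each ledger address belongs to ('client' or 'house'), a snapshot of on-chain
balances per address, and the register of client entitlements.
All data below is constructed."""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

Addr = Tuple[str, str]   # (asset, address)

# --- constructed sample data ---------------------------------------------------
ADDRESS_POOLS: Dict[Addr, str] = {
    ("BTC", "bc1q-client-01"): "client",
    ("BTC", "bc1q-client-02"): "client",
    ("BTC", "bc1q-house-01"): "house",
    ("ETH", "0xclient-01"): "client",
    ("ETH", "0xhouse-01"): "house",
}
CHAIN_BALANCES: Dict[Addr, Decimal] = {
    ("BTC", "bc1q-client-01"): Decimal("6.5"),
    ("BTC", "bc1q-client-02"): Decimal("3.5"),
    ("BTC", "bc1q-house-01"): Decimal("1.0"),
    ("ETH", "0xclient-01"): Decimal("120"),
    ("ETH", "0xhouse-01"): Decimal("8"),
}
# Register of positions: (client_id, asset) -> entitlement
REGISTER: Dict[Tuple[str, str], Decimal] = {
    ("C-001", "BTC"): Decimal("4.0"),
    ("C-002", "BTC"): Decimal("6.0"),
    ("C-001", "ETH"): Decimal("120"),
}


def adjusted(balances: Dict[Addr, Decimal], asset: str, addr: str, amount: str) -> Dict[Addr, Decimal]:
    """Copy of a balance snapshot with one address balance replaced (scenario helper)."""
    out = dict(balances)
    out[(asset, addr)] = Decimal(amount)
    return out


def reconcile(register: Dict[Tuple[str, str], Decimal],
              address_pools: Dict[Addr, str],
              chain_balances: Dict[Addr, Decimal]) -> List[str]:
    """Return a list of findings; an empty list means the books reconcile.

    Checks: (1) every funded address is assigned to a known pool;
    (2) no client carries a negative entitlement; (3) per asset, the client-pool
    balance covers the sum of client entitlements (shortfall); (4) any surplus on
    client addresses is reported, since it is not attributable to a client."""
    findings: List[str] = []

    for (asset, addr) in chain_balances:
        if (asset, addr) not in address_pools:
            findings.append(f"unclassified funded address {addr} ({asset})")
    for (asset, addr), pool in address_pools.items():
        if pool not in ("client", "house"):
            findings.append(f"unknown pool '{pool}' for {addr} ({asset})")

    entitled: Dict[str, Decimal] = defaultdict(Decimal)
    for (client_id, asset), amount in register.items():
        if amount < 0:
            findings.append(f"negative entitlement for {client_id} in {asset}")
        entitled[asset] += amount

    client_held: Dict[str, Decimal] = defaultdict(Decimal)
    for (asset, addr), balance in chain_balances.items():
        if address_pools.get((asset, addr)) == "client":
            client_held[asset] += balance

    for asset in sorted(set(entitled) | set(client_held)):
        diff = client_held[asset] - entitled[asset]
        if diff < 0:
            findings.append(f"{asset}: shortfall of {-diff} against client entitlements")
        elif diff > 0:
            findings.append(f"{asset}: {diff} on client addresses not attributable to any client")
    return findings


if __name__ == "__main__":
    for line in reconcile(REGISTER, ADDRESS_POOLS, CHAIN_BALANCES) or ["books reconcile"]:
        print(line)
    # Constructed failure: one client address is short by 1.0 BTC.
    for line in reconcile(REGISTER, ADDRESS_POOLS, adjusted(CHAIN_BALANCES, "BTC", "bc1q-client-02", "2.5")):
        print(line)
```

Amounts are handled as Decimal rather than float so that reconciliation differences of one smallest unit are not swallowed by rounding; in practice the balance snapshot and the register should be taken at the same ledger height so that in-flight transfers do not show up as false shortfalls.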
Hot wallet vs. cold wallet best practices
Cold storage (80–90% of holdings)
Cold wallet requirements
- ✓ Offline storage of private keys
- ✓ HSMs certified to FIPS 140-2 Level 3 or higher (or the successor FIPS 140-3 Level 3, which new validations now target)
- ✓ Physical security measures (vaults)
- ✓ Geographic distribution
- ✓ Regular audits and verification
Hot storage (10–20% of holdings)
Hot wallet requirements
- ✓ Multi-factor authentication
- ✓ Real-time monitoring and anomaly detection
- ✓ Transaction velocity limits (per-transaction caps and rolling-window aggregate limits per client)
- ✓ Insurance coverage for holdings
- ✓ Fraud detection system integration
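Velocity limits and anomaly holds are the part of the hot-wallet list that lives in code rather than in a policy document. The Python guard below is an added example, not from this guide or from any wallet vendor, showing how the three controls combine in one decision: a hard per-transaction cap, a rolling-window aggregate cap per client that only counts withdrawals actually released, and a manual-review hold for a destination the client has never used before. The policy numbers, client identifiers and addresses are constructed.

```python
"""Hot-wallet withdrawal guard: per-transaction cap, rolling-window velocity
limit per client, and a review hold for first-seen destinations.
Added example, not from the guide or any vendor; all policy values, client
ids and addresses are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Deque, Dict, Set, Tuple, Union


@dataclass(frozen=True)
class VelocityPolicy:
    per_tx_cap: Decimal      # hard ceiling on a single withdrawal
    rolling_cap: Decimal     # ceiling on the sum of released withdrawals in the window
    window_seconds: int      # length of the rolling window


# Constructed policy: max 10 units per withdrawal, max 25 units per rolling hour.
DEFAULT_POLICY = VelocityPolicy(Decimal("10"), Decimal("25"), 3600)


@dataclass
class HotWalletGuard:
    policy: VelocityPolicy
    # Per-client history of (unix_ts, amount) for withdrawals actually released.
    _history: Dict[str, Deque[Tuple[int, Decimal]]] = field(
        default_factory=lambda: defaultdict(deque))
    # Per-client destinations that passed out-of-band review.
    _known_dests: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def approve_destination(self, client: str, dest: str) -> None:
        """Record the outcome of a manual review: whitelist dest for this client."""
        self._known_dests[client].add(dest)

    def _window_total(self, client: str, now: int) -> Decimal:
        """Evict history older than the window, then sum what remains."""
        hist = self._history[client]
        cutoff = now - self.policy.window_seconds
        while hist and hist[0][0] <= cutoff:
            hist.popleft()
        return sum((amt for _, amt in hist), Decimal(0))

    def evaluate(self, client: str, now: int, amount: Union[str, Decimal], dest: str) -> str:
        """Return 'deny', 'hold' (manual review) or 'allow' for one withdrawal.

        Order matters: a single oversize withdrawal is denied outright; one that
        would breach the rolling cap is denied and can be retried once the window
        moves on; a first-seen destination is held for review rather than released.
        Only released ('allow') withdrawals are added to the window."""
        amt = Decimal(amount)
        if amt <= 0 or amt > self.policy.per_tx_cap:
            return "deny"
        if self._window_total(client, now) + amt > self.policy.rolling_cap:
            return "deny"
        if dest not in self._known_dests[client]:
            return "hold"
        self._history[client].append((now, amt))
        return "allow"


if __name__ == "__main__":
    guard = HotWalletGuard(DEFAULT_POLICY)
    guard.approve_destination("C-001", "bc1q-dest-a")
    for ts, amount, dest in [(0, "8", "bc1q-dest-a"), (10, "9", "bc1q-dest-a"),
                             (20, "9", "bc1q-dest-a"), (20, "1", "bc1q-dest-new"),
                             (3700, "9", "bc1q-dest-a")]:
        print(ts, amount, dest, "->", guard.evaluate("C-001", ts, amount, dest))
```

The window is keyed per client, so one customer's burst cannot exhaust a shared budget; a second, wallet-wide window with its own cap can be layered on top by giving the guard a fixed pseudo-client key. Held withdrawals deliberately stay out of the history until they are re-submitted and released, otherwise a flood of held requests could be used to lock a client out of their own limit.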