EU updates MiCA and digital operational resilience

MiCA update

Cryptocurrency Markets Regulation (MiCA)¹ is part of the European Commission’s September 2020 Digital Finance Package, which includes other regulatory initiatives such as a pilot scheme for market infrastructures based on distributed ledger technology² and the Digital Operational Resilience Act (DORA).³

MiCA will apply:

• Firstly, from June 30, 2024, for asset tokens (ART) and e-money tokens (EMT); AND
• Secondly, from December 30, 2024, in all other matters, in particular regarding Crypto Asset Service Providers (CASPs).

With MiCA, the European Union (EU) is, for the first time, adopting a harmonized regulatory framework for the cryptocurrency market that applies to both traditional financial sector institutions and new players emerging in the cryptocurrency ecosystem.⁴ These entities must meet a number of specific requirements to benefit from a regulated status recognized across the EU in the form of a European passport, and must (depending on their current legal status) notify their national financial authorities or apply for authorization from their sectoral supervisory authority.

Luxembourg’s Financial Sector Supervisory Authority (CSSF) is preparing for the upcoming application of MiCA. As usual, the CSSF intends to take a proactive approach and is already inviting entities implementing specific projects to (i) provide services as a CASP or (ii) issue an ART or EMT to contact it now to start an initial dialogue. Entities already supervised by the CSSF should contact their usual CSSF contact point; entities not yet supervised by the CSSF should contact the CSSF at [email protected].

DORA update

In light of the growing risks associated with information and communication technologies (ICT) and the increase in digitalization and interconnectedness, DORA was created to further strengthen digital operational resilience in the EU financial sector by introducing a common legal framework. DORA contains comprehensive policies on ICT risk management, ICT incident management, ICT third party risks, digital operational resilience testing and voluntary exchange of information/intelligence on cyber threats.

DORA largely covers the EU financial sector and its scope has been extended to 20 different types of financial entities listed in Art. 2 DORA. DORA will apply directly to these financial entities in the EU from January 17, 2025.

The relevant Directive (EU) 2022/2556, which aims to include a reference to DORA in all financial sector directives, must be implemented into national law by each EU Member State. Luxembourg started the implementation process in August 2023.

Footnotes

¹ Regulation (EU) No 2023/1114.
² Regulation (EU) 2022/858; see our blog post from March 7, 2023.
³ Regulation (EU) 2022/2554.
⁴ MiCA complements existing EU frameworks such as Directive 2014/65/EU on markets in financial instruments (MiFID II).