EU/Luxembourg Update on the Regulation on Markets in Crypto-Assets and the Digital Operational Resilience Act
By: Dr. Jan Boeing and Tanner Wonnacott
MiCA Update
The Regulation on Markets in Crypto-assets (MiCA)1 is part of the European Commission’s Digital Finance Package of September 2020, which includes other regulatory initiatives, such as the Pilot Regime for market infrastructures based on distributed ledger technology2 and the Digital Operational Resilience Act (DORA).3
MiCA will apply:
- First, as of 30 June 2024, regarding asset-referenced tokens (ART) and e-money tokens (EMT); and
- Second, as of 30 December 2024, for all other matters, in particular regarding crypto-asset service providers (CASP).
With MiCA, the European Union (EU) is adopting for the first time a harmonized regulatory framework for the crypto-asset market, which applies to both traditional institutions of the financial sector and new players emerging in the crypto ecosystem.4 These entities must meet a set of specific requirements to benefit from a regulated status recognized across the EU in the form of a European passport and need to either (depending on their current regulatory status) notify, or submit an authorization request with, their national financial sector supervisory authority.
The Luxembourg financial sector supervisory authority (CSSF) is preparing itself for the upcoming application of MiCA. As is usually the case, the CSSF intends to apply a proactive approach and already invites entities with specific projects to (i) provide services as a CASP or (ii) issue ART or EMT to contact it now to initiate a preliminary dialogue. Entities already supervised by the CSSF should contact their usual point of contact at the CSSF; entities not yet supervised by the CSSF should contact the CSSF at ipig@cssf.lu.
DORA Update
In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalization and interconnectedness, DORA was established to further strengthen the digital operational resilience in the EU financial sector by introducing a common legal framework. DORA contains comprehensive rules with respect to ICT risk management, ICT incident management, ICT third-party risks, digital operational resilience testing, and voluntary exchange of information/intelligence on cyber threats.
DORA largely covers the EU financial sector with a scope of application extended to the 20 different types of financial entities listed in article 2 of DORA. DORA will be directly applicable to those financial entities in the EU as of 17 January 2025.
The corresponding Directive (EU) 2022/2556, the aim of which is to include in all financial sector directives a cross-reference to DORA, needs to be implemented into national law by each EU member state. Luxembourg has started the implementation process in August 2023.
Footnotes
1 Regulation (EU) No 2023/1114.
2 Regulation (EU) 2022/858; see our blog post of 7 March 2023.
3 Regulation (EU) 2022/2554.
4 MiCA is complementary to the existing EU framework, such as to Directive 2014/65/EU on markets in financial instruments (MiFID II).