The Ultimate DORA Compliance Checklist for Crypto Businesses

If you run a crypto business, you really can't ignore DORA, the EU's Digital Operational Resilience Act. DORA sets strict rules to shield your operations from risks like cyberattacks or third-party failures.

A solid DORA compliance checklist helps you catch weak spots, avoid big fines, and maintain your customers' trust. Missing these requirements could mean heavy penalties and a damaged reputation.

This guide lays out the key steps and straightforward actions to help you follow DORA's rules. You'll learn what to review, why it matters, and how to stay ahead of regulators. 

Understanding DORA and its impact on crypto businesses

Image source: Data Dynamics

The Digital Operational Resilience Act (DORA) defines what crypto‑asset service providers and issuers of asset‑referenced tokens must do to protect their information and communication technology (ICT) systems.

It brings in strict standards for risk management, incident reporting, and third‑party oversight to keep financial services stable.

What is the Digital Operational Resilience Act (DORA)?

DORA is a European Union regulation that boosts digital operational resilience in the financial sector. Organizations need to make sure their systems can handle major ICT-related incidents like cyberattacks, software bugs, and outages.

DORA covers various financial entities, including crypto asset service providers (CASPs), banks, payment providers, trading platforms, and crowdfunding platforms. The goal is to eliminate risks that come with digital tech in finance.

Unlike older laws, such as the EU's EBA Guidelines on ICT and Security Risk Management or NIS Directive, DORA consolidates cybersecurity, risk management, third-party checks, and digital testing into a single framework. You get one set of clear rules, replacing fragmented approaches.

The five pillars of DORA regulation

Image source: Adoptech

DORA stands on five main pillars:

1. ICT risk management: Spot, assess, and control risks tied to your tech stack.
2. Incident reporting: Report all major ICT incidents to European Supervisory Authorities (EBA, ESMA and EIOPA).
3. Digital operational resilience testing: Run regular tests to make sure your defenses hold up.
4. Third-party risk management: Keep a close eye on vendors and ICT service providers.
5. Information sharing: Share info about digital threats within the industry.

Each pillar helps you focus on the most critical parts of your ICT setup and keeps you ready for digital threats.

Why DORA matters for crypto asset service providers (CASPs)

DORA matters for CASPs—think exchanges, wallet providers, and token issuers—because it directly applies to any business handling crypto assets. If you’re in this group, you need to meet all DORA requirements to keep your ICT safe and reliable.

Tech or security failures can disrupt your business and put customers’ funds at risk. DORA compliance makes you responsible for spotting threats early and reacting quickly when something goes wrong, including keeping tabs on third parties like cloud providers who support your business.

Meeting DORA standards shows regulators and customers that your systems are secure and you’re prepared for cyber threats. It can help build trust and reduce operational risks.

Penalties for non-compliance

DORA enforcement began on January 17, 2025. If you’re not compliant, you could face big fines or even restrictions on your business.

According to the Infosecurity Magazine, organizations that fail to comply with regulations could face penalties of 2% of their total global annual revenue or €10 million, whichever is higher.

Third-party organizations may be subject to fines of up to 1% of their average global daily turnover for each day of non-compliance, with this penalty lasting for a maximum of six months.

The DORA also introduces individual accountability for business leaders regarding compliance failures within their companies, with potential fines reaching up to €1 million.

EU authorities have the power to investigate and act against companies that don’t follow the rules. They’ll check your ICT risk management, reporting, and vendor oversight.

Relationship between DORA, MiCA, GDPR, and NIS2

DORA works alongside other major EU rules. The Markets in Crypto-Assets Regulation (MiCA) covers how crypto assets are issued and traded, focusing on transparency and consumer protection. DORA complements MiCA and targets your tech and operational resilience.

GDPR deals with personal data management. DORA is about keeping your systems up and running. Still, some overlaps exist as data breaches must be reported under both regulations.

NIS2 is a broader cybersecurity directive for critical sectors, while DORA is finance-specific. Crypto-asset service providers (CASPs) may fall under NIS2 and DORA, requiring dual compliance.

Knowing how DORA connects with MiCA, GDPR, and NIS2 helps you build a compliance plan that covers ICT security, data privacy, and crypto asset risks.

DORA Compliance Checklist: Key steps and actions

This DORA compliance checklist outlines the key measures organizations must take to meet the regulation’s strict requirements and strengthen their digital operational resilience.

Step 1: Assess your business's scope under DORA

Image source: Metomic

First, figure out if your crypto business falls under DORA. It targets financial entities established in the EU.

However, according to Article 2 of DORA, non‑EU firms may also need to comply if they operate in the EU or provide ICT services to EU financial entities.

Ask yourself these questions

• Do you provide services as a financial institution or have customers in the EU?
• Are your activities similar to traditional finance, like lending, trading, or managing assets?
• Does your platform have legal or management ties to the EU?

Take a good look at your company’s structure. List your activities, check which are regulated, and see if you process or hold client funds.

Getting a handle on this early makes it easier to start the rest of your DORA compliance checklist.

Step 2: Define your specific compliance obligations

Map DORA’s five pillars to your organization’s structure and operations (see Articles 5–49). Align each requirement with your processes, services, and risk profile for effective compliance. It will clarify obligations and help prioritize resources and actions for greater impact.

‍

Image source: MEGA International

DORA focuses on managing risks from third-party ICT providers. List all outside companies that help you with important business tasks, and then see which ones are considered CTPPs based on impact, reliance, and substitutability.

Set up strong due diligence, monitoring practices, and solid contracts to manage these relationships and ensure operational resilience.

Many DORA requirements overlap with existing EU regulations like GDPR and NIS2. Conduct a gap analysis to identify these overlaps, simplify compliance, reduce duplication, and strengthen your regulatory position.

Step 3: Implement ICT risk management framework

Image source: GRC Docs

According to Article 5, you need a strong ICT risk management framework to protect your business, technology, and customer assets.

List all your ICT systems—servers, wallets, trading platforms, cloud services. It helps you find weak spots faster. Tag them as "critical" if their failure would disrupt financial services.

ICT risk shows up in all sorts of ways. Hacks, system failures, data leaks, service‑outage scenarios—you name it. Risk management strategies should include at least annual risk assessments, with quarterly reviews for high-risk entities or after major incidents.

Use strong cybersecurity measures, as required by Article 10. Here are a few basics:

• Keep software up to date
• Use firewalls and encryption
• Require strong, unique passwords
• Add multi-factor authentication (MFA)
• Train your team to spot threats

ICT risk management framework isn't just about blocking attacks. It's about bouncing back quickly if something goes wrong.

With some planning and regular reviews, you can make your crypto business safer and more reliable.

Step 4: Establish incident response and reporting procedures

Image source: Synechron

To stay DORA-compliant, you need a clear, organized incident response plan for managing ICT incidents. It lets you know what to do before, during, and after a problem, as required by Article 17 and Article 18.

Decide if incidents are “major” or “minor” based on their impact. Detecting major ones like security breaches or significant system failures triggers mandatory reporting obligations under DORA.

You must report it to your national competent authority (NCA) or ESMA and EBA for cross-border incidents (Article 20).

Prepare and send:

1. Initial report within 4 hours with key incident details
2. Intermediate (detailed) report within 72 hours with the root cause and mitigation
3. Final report within 1 month after the intermediate report with forensic analysis and prevention measures

Keep open lines of communication with regulators and stakeholders. Use secure channels and send clear updates as the situation unfolds.

Step 5: Conduct digital operational resilience testing

Regular testing helps make sure your crypto business’s systems can handle cyber threats and outages.

Under DORA Articles 25-27, you’re expected to run vulnerability assessments (quarterly), penetration testing (annually), and threat-led penetration testing (TLPT) every three years.

1. Vulnerability assessments scan your systems for known security gaps
2. Penetration testing simulates attacks to see how your systems hold up
3. TLPT uses realistic scenarios to simulate advanced threats and vulnerabilities

A good testing plan usually includes these steps:

• Planning: Decide what to test, who’s doing it, and when
• Execution: Run the tests and write down the results
• Remediation: Fix whatever problems you find

Document all your actions to show compliance and continuous improvement under DORA.

Step 6: Manage third-party ICT risks effectively

Crypto businesses work with outside tech providers all the time. To stay DORA-compliant, you have to manage third-party risk carefully (Articles 28-32).

Start by identifying and classifying your critical ICT third-party providers (CTPPs). These are vendors whose services are vital to your operations.

• Check the provider's reputation and experience
• Review their cybersecurity policies
• Confirm regulatory compliance
• Assess financial stability
• Check incident history

Before signing anything, make sure your contracts spell out obligations and contingency planning. You need to know what happens if a provider fails or can't deliver. Cover data protection, service levels, and exit clauses.

Set up regular reviews and required reports to catch issues early. Schedule yearly or event-driven risk assessments to maintain compliance and operational resilience.

Step 7: Develop a business continuity management plan

Image source: Continuity2

According to Article 12, you need to have a business continuity and disaster recovery plan to prepare for all kinds of disruptions.

• Identify your critical systems and assets
• Set up clear security controls to protect those areas
• Include steps to recover operations after an incident

Your plan should cover restoring services, protecting assets, and notifying users if something goes wrong. Contact lists, checklists, and backup procedures are helpful, too.

Keep your plan simple and clear. Your team should be able to follow it in any emergency. Update it when you add new systems or assets—don’t let it get stale.

Step 8: Define governance, roles, and responsibilities

Image source: Freepik

Clear governance is key for DORA compliance. Everyone should know what they’re responsible for regarding risk and data protection. Senior management (typically the Board of Directors) needs to get involved, assume full responsibility, and actively oversee security policies and decisions (Article 5).

Here are some of the main roles your company should define:

• Chief Information Security Officer (CISO): Handles cybersecurity, risk detection, and response
• Data Protection Officer (DPO): Makes sure your business follows data privacy laws
• Compliance Officer: Checks and independently reviews if your company meets all regulatory requirements

Assigning these responsibilities avoids confusion and makes DORA reporting way easier.

You’ll also want clear internal policies and procedures so staff know what to do in common situations. Document these steps and update them when new risks come up.

Regular training keeps your team sharp and ready for changes. Hold basic sessions on security posture and DORA guidelines. That way, staff know their roles and how to spot and report risks quickly.

Step 9: Organize documentation and record-keeping

According to Articles 5, 17, 24, 28, and related sections, keeping your DORA compliance docs in order is critical for meeting regulatory standards. Make sure every step of your compliance process is documented.

Your compliance team should collect and store:

• Risk assessments to show risk management efforts
• Incident reports to track past incidents
• Training logs to record staff awareness
• Vendor reviews to monitor third-party compliance

These records show proof of your DORA compliance during audits.

Authorities might request these docs at any time. Organize them in a secure document management system to find what you need quickly.

Set up access controls. Only let authorized compliance team members view or edit these files. That’ll protect sensitive data and cut down on mistakes.

Evaluate and update your documents on a regular schedule. Outdated paperwork can cause issues during audits or regulatory checks.

Step 10: Schedule regular audits and assurance activities

Image source: Freepik

If you want to stay DORA-compliant, follow Articles 5–14,  28–30 and 24–27, and schedule regular audits and assurance activities. These reviews help make sure your processes match regulatory standards and show that your crypto business is operating safely.

Internal audits should happen at least once a year. Check IT controls, monitoring processes, and how you handle vulnerabilities.

Some common internal audit methods are:

• Staff interviews
• Spot checks of documentation
• Testing backup and recovery plans
• Reviewing logs and monitoring reports

External audits and regulatory exams can happen yearly or when authorities ask. Keep your documents and evidence organized so you’re ready. Tools for continuous monitoring—like automated compliance checkers and security dashboards—can warn you if something needs attention.

If you find something wrong during an audit, act fast. Make a list of findings, assign owners, and set deadlines for fixes. It proves to regulators that you’re serious about continuous improvement and ready to demonstrate DORA compliance if anyone asks.

Step 11: Implement your DORA compliance technology stack

Picking your technology stack really matters for DORA compliance. You want tools that handle security, reporting, and documentation without any difficulties.

• Pick platforms with solid cybersecurity features
• Check that tools meet EU regulatory standards
• Find solutions that work together

Follow Articles 5–16 and start by jotting down the main areas where your crypto business needs support. Here are some typical tech needs for DORA:

• Security: Firewalls, encryption, access control
• Monitoring: SIEM platforms, alerting software
• Automation: Workflow tools, automated scripts
• Documentation: Record management platforms
• Reporting: Dashboard and analytics software

Integration matters. If your tools connect easily, tracking incidents and sharing reports with regulators becomes less painful.

Don’t just take the vendor’s word for it. Look up reviews from other crypto businesses.

Think about your company’s size and needs. A small startup probably doesn’t need the same stack as a big exchange. Lots of tools have free trials, so try before you buy.

Step 12: Cooperate with regulators and supervisors 

Working with regulators is a core part of DORA compliance. You’ll need to connect with national and European Supervisory Authorities, such as EBA, ESMA, and EIOPA, to share info, submit reports, and sort out any issues (Article 32).

Report important events regularly:

• System security incidents
• Critical disruptions
• Key financial risks

The EU uses this info to spot and respond to risks that could affect the financial system.

Stay ready for questions. Regulators might ask for extra details or clarification about anything odd. Set up a plan for handling these requests.

Keep your records tidy. Appoint someone on your team to handle communication with regulators. It’ll make responses quicker and show you’re serious about compliance.

Supervisory examinations can happen without much warning. Make sure your documentation, systems, and response teams are always ready.

Staying prepared shows you’re committed to DORA compliance and helps keep your business out of trouble.

Step 13: Facilitate information sharing and industry collaboration

Sharing threat intelligence helps you spot risks faster and react better. DORA encourages crypto firms to exchange real-time information about cyber threats (Article 45).

You connect with others facing the same issues when joining industry associations. These groups send alerts, share updates, and offer places to discuss challenges. You also get to help set standards for the whole sector.

Getting involved in advocacy groups means you’ll hear about the latest compliance tools and resources. It’s a good way to keep up with legal changes and see how others handle them.

Collaborative tools—like shared dashboards or secure messaging—make teamwork smoother when something goes wrong. They boost your resilience and help you respond faster.

Just make sure any info you share follows your privacy standards.

Step 14: Address common DORA compliance challenges

Crypto firms often operate in several countries, handling diverse local laws. Don’t forget to check out local rules, especially around stablecoin regulations.

Adapting to DORA means tweaking your processes but still keeping up with innovation. Keep improving your tech, but always double-check that it fits the latest EU crypto-asset laws.

Team training is significant, especially if you’re short on resources. Stick to basics like regular password changes and fast incident reporting.

New requirements show up all the time. Track them closely so your compliance steps don’t fall behind. Having a simple checklist helps your team react quickly and keeps audits from turning into chaos.

Step 15: Future-proof your DORA compliance program

Keeping up with new rules is just part of the job. Subscribe to industry newsletters and join DORA-focused forums to catch updates and spot new risks before they become problematic.

Build a compliance framework that can adapt as things change. Use tools and processes that let you update your policies without issues. Cloud-based documentation or a flexible risk management platform can make updates way easier.

What makes a compliance program scalable?

• Modular policies: Update only what you need when you need
• Automated tracking: Spot issues before they grow
• Audit trails: Keep a clear record of compliance changes

Keep improving—don’t just set it and forget it. Hold regular review meetings to see what’s working and what’s not. Ask your team for feedback. You might be surprised where the gaps are hiding.

Set up simple feedback loops, like monthly surveys or even an old-school suggestion box. Use what you hear to tweak your compliance approach.

That way, your DORA program can handle whatever comes next.

Partner with Legal Nodes for complete DORA compliance support

‍Legal Nodes brings a fresh approach to DORA compliance for crypto businesses, whether you're just starting or have an established firm. Our mission is to simplify compliance and corporate structuring so you can focus on innovation and growth.

Our team can help you choose the best jurisdiction that supports crypto innovation, providing coverage in 20+ countries through a wide partner network. Our centralized platform and global reach eliminate the complexity of managing multiple service providers and legal teams.

Legal Nodes collaborates with boutique law firms and independent legal, tax, and privacy experts worldwide. Many of our professionals have worked at top firms, so you always get solid guidance.

We understand that each business is unique, so we provide a customized compliance roadmap that matches your specific operational needs and risk profile and helps you achieve full DORA compliance.​ Our team will update you on every new DORA rule and regulatory change.

You'll also get a dedicated Virtual Legal Officer to work with you on compliance checks, licenses, marketing compliance, and ongoing legal advice.

Stay confident as rules change. Legal Nodes will help you understand new laws, adapt your processes, and keep your policies up to DORA's standards.

Ready to make compliance easier for your crypto business?

Get started with Legal Nodes today.

FAQs about DORA compliance checklist

What are the requirements for DORA compliance?

You need strong risk management and solid incident response plans. Regular testing matters, too.

Make sure your third-party vendors stay secure. Train your team and keep good records—you can't skip those steps.

What are the five pillars of DORA regulation?

The key pillars are ICT risk management and incident reporting. Digital operational resilience testing, third-party risk management, and information sharing round out the list. Each one covers a different side of your security setup.

How to prove DORA compliance?

Write up your policies and save logs that show your controls work. Keep reports handy to show you're finishing the required checks.

Sometimes, authorities will ask for your audit records. Be ready for reviews or inspections, just in case.

What are the key points of DORA regulation?

You've got to protect data and respond fast to incidents. Test your ICT systems and keep tabs on outside partners.

Sharing important updates with other organizations is part of the deal, too. It's all about keeping your operations safe.

How to get DORA compliant?

Start by reviewing your current processes and spot any gaps. Update your risk management, incident response, and vendor management.

Regular training and testing matter more than you might think. Don't let those slip through the cracks.

What are the penalties for noncompliance with DORA?

If you ignore DORA, you could face fines, be ordered to stop business, or deal with legal action. Penalties depend on your business size and what went wrong.

How to get ready for DORA?

Make a checklist of all your tasks. Set deadlines, get your team involved, and use tools to track where you stand.

Who does DORA apply to?

DORA covers financial firms—think banks, investment funds, and crypto businesses. If you provide critical ICT services to them, you're included, too.

‍