top of page

Adoption of the DORA regulation in Estonia and its importance for MICA license applicants

Government discussing DORA regulation

As you already know from our previous post, according to the draft of MICA domestic regulation (KRÜTS in Estonian), crypto-asset service providers and cryptoasset issuers will be brought under the supervision of the Estonian Financial Supervision Authority-Finantsinspektsioon.

In addition, the draft aims to simplify the raising of capital in the securities market. The proposed regulation also ensures the domestic implementation of three regulations of the European Parliament and the Council (abbreviated as MiCAR, DORA, and TFR). The Government initiated the draft on April 1 of this year.

In the Riigikogu, the leading committee of the bill is the finance committee. The bill passed the first reading on April 9. To pass the bill, it is necessary to pass the second and third reading in the plenary assembly.


In addition to the above, The Government of Estonia has recently given its approval for new cyber security requirements aimed at financial firms based Digital Operational Resilience Act (DORA).


Let’s have a closer look at the DORA bill and elaborate on its connections with MiCA.


The goal of implementing DORA regulation in Estonia in the context of crypto services is to achieve a high level of digital activity of cryptocurrency service providers and asset-based token issuers level, reduce the risk of financial disturbances and instability, and thereby increase the use of cryptocurrency services protection of customers, cryptocurrency owners and investors.

Here are the 4 cornerstones of DORA:

DORA cornerstones


These requirements are intended to enhance their ability to prevent cyber attacks, which can lead to service disruptions, financial losses, and leaks of sensitive information.


DORA centers on digital operational resilience within the financial sector, with the aim of protecting against risks related to information and communication technology (ICT).


This regulation will take effect from January 17, 2025, and will apply generally to all financial market sectors, including most entities in Estonia supervised by the Finantsinspektsioon. Its objective is to enhance the resilience of the European financial market against the threat of cyber attacks, and thus contribute to a high level of protection for investors and consumers within the European Union.


The regulation consolidates, updates, and enhances existing rules that address digital risks in the financial sector. Given the high level of digitalization and connectivity in financial services, the regulation recognizes that ICT incidents and a lack of operational resilience may increasingly affect the financial robustness of financial market participants.


The framework is ambitious, setting qualitative standards for the ICT security of supervised entities and the handling of ICT-related incidents.

It also establishes standards for centrally controlled resilience tests and a European monitoring program for critical ICT service providers. Implementation of this framework will require new structures and communication interfaces between the various stakeholders involved, including supervised entities, and national, and European authorities.


Given the increasing geopolitical risks of cyber threats, the financial sector has become three times more likely to be targeted by cyber attacks than any other sector. This makes it all the more essential to prevent such attacks from occurring. In the event of an attack or disruption, a business needs to have a plan of action in place to ensure that services can be quickly resumed while also safeguarding customer data.


Moreover, companies must have mechanisms in place to immediately detect cyber-attacks and technology-related issues that could result in outages. If an attack is detected, the company must react immediately to prevent damage from increasing. This includes identifying vulnerable points as soon as possible and taking measures to address them. Continuous learning is also part of the management framework, starting with the cyber hygiene of all staff and ending with the company's ability to learn from incidents.


Financial companies must report any serious incidents related to ICT to both the Financial Supervision Authority and the State Information System Board. Customers must also be notified if the incident affects their financial interests.


Companies must regularly test their digital agility to assess their preparedness to handle incidents, identify weaknesses and deficiencies, and address them. Larger and more systemically important financial companies must conduct threat intelligence-based testing every three years.


The regulation applies to the entire financial sector, including banks, insurance companies, payment institutions, and investment companies, with some exceptions. The principles of proportionality have been taken into account, and "milder regulation" applies to some companies. Micro-enterprises that employ less than ten people and whose annual turnover and/or annual balance sheet total does not exceed 2 million euros are currently exempt from the regulation.


Asset-based token issuers and crypto-asset service providers must start implementing the requirements set forth in the DORA regulation from January 17, 2025.


bottom of page