Building Compliance in the EU’s Crypto Market: MiCA and DORA as the New Regulatory Backbone

4 August 2025

The EU’s Regulatory Leap in Crypto Compliance

In 2025, the European Union (EU) introduced a major shift in the regulation of crypto-assets and related financial services. Through the coordinated rollout of three key regulations—the Markets in Crypto-Assets Regulation (MiCA), the Digital Operational Resilience Act (DORA), and the Anti-Money Laundering Regulation (AMLR)—the EU created a harmonised legal framework that governs how crypto-asset service providers (CASPs) conduct trading, manage operational risks, and perform KYC and AML functions.

Each regulation serves a distinct legal purpose, but collectively they form an integrated compliance environment aimed at enhancing market integrity, digital resilience, and financial transparency across the EU’s growing crypto sector.

We recently hosted a webinar bringing together professionals from the legal, fintech, and crypto sectors for a focused discussion on how MiCA, DORA, and AMLR are reshaping the EU’s regulatory framework for digital assets. We explored Bulgaria’s new Crypto Asset Markets Act, licensing and governance rules for CASPs, cross-border legal implications, and how these regulations operate in tandem.

MiCA: Regulating Crypto Trading and Market Conduct in the EU

The Markets in Crypto-Assets Regulation (MiCA) is the EU’s first unified framework specifically regulating crypto-asset trading and service providers. It defines which activities are permitted for CASPs, outlines licensing requirements, and introduces strict obligations for market conduct.

In 2025, the European Securities and Markets Authority (ESMA) issued its final guidelines under MiCA, targeting market abuse within the crypto space. These include crypto-specific practices such as wash trading, spoofing on centralised and decentralised platforms, miner extractable value (MEV) manipulation, and pump-and-dump schemes coordinated via social media.

CASPs are now required to operate real-time market surveillance systems, maintain internal investigation protocols, and report suspicious activity. Importantly, the obligation to report is based on reasonable suspicion, not definitive proof, requiring a traceable internal compliance process.

DORA: Securing CASP Infrastructure and Digital Resilience

The Digital Operational Resilience Act (DORA) extends ICT risk and cybersecurity obligations to CASPs, bringing them in line with traditional financial institutions in the EU.

DORA requires CASPs to: implement ICT risk management, including real-time system monitoring, encryption, and access controls; report ICT-related incidents within strict timeframes (as fast as four hours in critical cases); conduct regular penetration testing of critical systems; manage third-party risk through detailed vendor contracts, audit rights, and exit strategies; align with harmonised supervisory standards across EU member states.

By treating CASPs as critical financial entities, DORA ensures that crypto trading and service platforms meet high standards of digital operational resilience, safeguarding customer assets and data.

Interconnected Compliance Between MiCA and DORA

One of the most significant changes introduced by the EU’s new crypto regulatory framework is the interdependence of legal obligations across MiCA and DORA. Consider the following practical scenario:

A cybersecurity incident, such as the compromise of a customer onboarding platform or KYC provider, would fall under DORA’s ICT-related incident reporting rules, which require notification to regulators within specific timeframes. But the same incident may also mean that personal or financial data collected during KYC processes has been compromised, requiring revalidation of customer identities under AMLR, and potentially a review of recent trading activity to determine if compromised accounts were used to conduct market manipulation, which would bring MiCA into scope.

This example shows how a single event can cascade across multiple regulations, requiring CASPs to maintain integrated surveillance and incident response systems that comply simultaneously with MiCA and DORA.

Supervisory Convergence: Coordinated Oversight Across the EU

Supervisory authorities within the EU are aligning their enforcement strategies. ESMA has integrated DORA-compliant inspection protocols into its MiCA enforcement activities. Meanwhile, the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and the forthcoming Anti-Money Laundering Authority (AMLA) are collaborating on technical standards, risk assessments, and sector-wide supervision.

National competent authorities are now conducting joint audits, sharing intelligence, and issuing unified guidance to reduce fragmentation across the EU.

Conclusion

To remain compliant and competitive in the EU market, CASPs must: conduct full compliance gap analyses across MiCA and DORA; integrate surveillance and ICT controls into a unified workflow; update governance documents and internal policies to reflect the new regulatory structure; prepare for penetration testing that evaluates both technical resilience and market conduct compliance; revise third-party contracts to include clauses on audit rights, business continuity, and regulatory access.

MiCA and DORA are not independent silos. Together, they represent the foundation of a sustainable, secure, and transparent crypto environment in the EU.

For more information, please contact us at AML@newbalkanslawoffice.com

© New Balkans Law Office 2025

The Bulgarian and dual-qualified lawyers of New Balkans Law Office are regulated by the respective Bar of their registration. New Balkans Law Office is a brand name of Legal Services EOOD, a company registered under Bulgarian law. Reg’d No. 202331677. Further details are available here.