Since Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), began to apply on 17 January 2025, entities operating in the financial sector in Europe have faced a new challenge related to security and digital operational resilience. DORA introduces comprehensive requirements concerning ICT risk management, digital resilience testing, the reporting of major incidents, and the supervision of external providers of technology services. This regulation covers a broad range of financial entities operating in the EU market.
Among the entities covered by the regulation are not only key financial institutions such as banks, investment firms, or insurance undertakings, but also a range of other entities, including, among others, payment service providers, electronic money institutions, trading venues, and crypto-asset service providers (CASPs).
DORA strengthens the framework of responsibility for digital operational resilience in the financial sector, covering not only regulated institutions, but also the relationships with their key ICT service providers. In practice, this means that entities providing external cloud services, infrastructure, software, or transaction systems for financial institutions may become subject to DORA requirements indirectly, through contractual obligations, and in certain cases also directly, as so-called critical ICT service providers.
As a result, the question increasingly arises whether this regulation may also be relevant to the Web3 market. In particular, this concerns blockchain network operators, developers of decentralised protocols, DAO-type structures, and other entities providing infrastructure based on DLT (Distributed Ledger Technology).
In the view of Wojciech Ługowski, attorney-at-law and managing partner at Lawarton, the answer is not clear-cut; however, the importance of this issue is steadily increasing alongside the growing role of blockchain solutions in the financial sector.
The entities covered by the DORA Regulation include, in particular:
- banks and credit institutions,
- investment firms and fund managers,
- payment service providers and electronic money institutions,
- entities operating trading venues for financial instruments,
- crypto-asset service providers (CASPs),
- external ICT service providers whose services are critical to the functioning of financial institutions.
Blockchain as ICT infrastructure – is it even possible?
One of the fundamental features of blockchain technology is its decentralisation, valued by users for its resilience to failures, the absence of a single point of control, and a high level of transparency. For this reason, blockchain is often perceived as “too decentralised” to fall within the scope of regulations such as DORA. In the classical understanding, blockchain infrastructure does not have a single operator, a central authority, or one institution responsible for the functioning of the network.
In practice, however, the operation of many DLT networks is underpinned by specific entities and organisational mechanisms, such as foundations or consortia developing the protocol, selected validating nodes, protocol upgrade mechanisms, or centralised off-chain components, including user interfaces, cross-chain bridges, and integration layers.
If such components are provided or maintained for the needs of financial institutions, such as banks, trading platforms, or issuers of certain types of tokens, they may be classified as ICT services within the meaning of DORA, and the entities providing them may fall within the scope of this regulation.
Importantly, DORA does not address blockchain technology as such, but rather the specific manner in which it is used in a regulated environment. Regulatory responsibility may therefore rest with the entity that provides interfaces, manages custodial wallets, develops the protocol, or maintains the technological infrastructure supporting financial functions.
What does “digital operational resilience” mean in practice?
Within the meaning of DORA, digital operational resilience refers to the ability of financial institutions to ensure the continuity and security of ICT systems, including in situations where they rely on the services of external technology providers.
The Regulation requires entities covered by DORA to have organisational and technical frameworks in place that enable, in particular:
- the identification and management of technological risk,
- effective response to ICT incidents and the reporting of major incidents to the competent supervisory authorities,
- regular testing of system resilience (including penetration testing in specified cases),
- the maintenance and testing of business continuity plans and disaster recovery plans (BCP, DRP),
- the documentation and ongoing monitoring of operational security.
In practice, this means that entities from the Web3 sector that provide ICT services to financial institutions may be required to meet specific security standards, report incidents, and cooperate in resilience testing.
For many Web3 projects, this may entail the need to gradually build compliance structures, clearly assign responsibilities, and develop basic policies and procedures—areas that decentralised protocols have often avoided to date.
Does decentralised = outside regulation?
DORA does not require centralisation – it requires responsibility.
In the case of financial institutions, this responsibility lies with regulated entities, including where they make use of decentralised solutions or the services of external technology providers.
In practice, this means that if a Web3 application, protocol, or infrastructure supports the activities of entities covered by DORA, its creators or operators should take into account the need to adapt their solutions to specific standards of security and business continuity – primarily within contractual relationships with regulated institutions, and in particular cases also within a direct supervisory regime.
If your application, protocol, or infrastructure supports entities covered by DORA, in practice this means adapting to its rules. Some DAOs, foundations, and teams may be forced to formalise their activities (for example, through a legal entity), designate compliance contact persons, and prepare for cooperation with supervisory authorities.
An entity providing ICT services to the financial sector cannot rely solely on “decentralisation” – it must be able to demonstrate that its solutions operate in a secure, transparent, and resilient manner.
What should be done today?
- Check whether your product or service is used by institutions covered by DORA.
- Assess whether your infrastructure supports business continuity or processes operational data.
- Prepare basic security policies, documentation, and a responsibility structure.
If cooperation with regulated entities is planned, it is advisable to prepare in advance for questions concerning DORA compliance. In the realities of the financial market, digital resilience means not only regulatory compliance, but also trust.
Summary
DORA was not designed with the Web3 market in mind; however, it is increasingly affecting its participants.
Projects developing solutions used by the financial sector must take into account that their technologies, regardless of the degree of innovation or decentralisation, will be assessed through the lens of digital operational resilience requirements.
In practice, this means the need to prepare for meeting specific standards of security, business continuity, and responsibility, particularly in relationships with regulated institutions.