
DORA: Compliance and risk management for cryptoasset service providers

The DORA Regulation aims to strengthen the operational resilience and cybersecurity of the financial sector, including cryptoasset service providers.
Cryptoasset service providers operating in the European Union or offering their services to European customers are obliged to comply with the provisions of the DORA Regulation. Failure to comply with these provisions can lead to significant penalties. Below, we set out the most relevant obligations.

ICT risk management

Cryptoasset providers should establish a robust and effective ICT risk management framework. This framework should provide for the identification, analysis and assessment of all potential risks associated with the information and communication technologies used in the provision of their services.

It is essential to implement measures to mitigate these risks. In particular, providers must implement robust authentication and authorization mechanisms so that access to systems and data is restricted to authorized personnel. They must also run periodic processes to identify, evaluate and correct vulnerabilities in the systems and software they use. Appropriate technical and organizational measures should also be taken to protect customer data, including encryption, access control and secure data disposal. Finally, they will need to develop and implement disaster recovery plans to restore services in the event of interruptions or failures.

Notification of incidents

Cryptoasset providers are obliged to notify the competent authorities of any serious incident that may affect the provision of their services or represent a significant risk to the security of their systems or data.

The notification must be made immediately and must include all relevant information about the incident, such as its nature, the date and time it occurred, the impact on services and the measures being taken to mitigate the risk. In practice, this means describing the type of incident that has occurred, when it occurred, the services affected and the scope of the impact, the measures taken to contain the incident, mitigate its effects and restore the affected services, as well as the contact details of the person or team responsible for managing the incident.

The notification of serious incidents must be made as soon as possible, and in any case within 72 hours from the moment the incident becomes known.

The Regulation does not provide an exhaustive definition of what is considered a serious incident. However, it provides some examples that can serve as a reference, such as cyber incidents (ransomware attacks, denial of service (DDoS), unauthorized intrusions, data leaks, etc.); hardware or software failures (failures in critical systems, loss of data, data corruption, etc.); natural disasters (earthquakes, floods, fires, etc.); power outages (prolonged power outages, power grid failures, etc.); and human error (operational errors that may have a significant impact on security or service delivery).

Operational resilience testing

Cryptoasset providers should conduct periodic operational resilience testing to assess their ability to withstand and recover from disruptions or failures in their information and communications systems.

Operational resilience testing is a set of drills or exercises designed to assess an organization’s ability to respond to different risk scenarios, such as cyber attacks, hardware or software failures, natural disasters or power outages.

These tests make it possible to identify vulnerabilities in the organization’s systems and processes, as well as to evaluate the effectiveness of contingency and disaster recovery plans.

Supervision and control

The competent authorities have the power to supervise and monitor cryptoasset providers’ compliance with the DORA Regulation. Among other powers, they may request from cryptoasset providers any information they deem necessary to verify compliance, conduct inspections at the providers’ premises for the same purpose, and require providers to take corrective measures if they detect non-compliance.

If non-compliance is detected, the authorities may impose sanctions, such as fines or even suspension of the activity.

Additional obligations for cryptoasset custody service providers

The DORA Regulation establishes specific additional obligations for cryptoasset custody service providers.

These obligations include, among others, the segregation of customers’ cryptoassets from the provider’s own funds, the implementation of strict controls over the management of cryptographic keys and the performance of periodic audits by independent auditors.

How can ILP Abogados help you comply with the DORA Regulation?

At ILP Abogados, we have a team of cryptocurrency lawyers who can help you comply with the obligations of the DORA Regulation.

It is important to keep in mind that cryptoasset law is not a commodity. Hiring a lawyer based on price can be a costly mistake. It is essential to choose a lawyer who has experience in the sector and who can offer you a personalized and quality service.

At ILP Abogados, we are committed to providing our clients with the highest quality legal services. We have a team of lawyers specialized in crypto-assets who have extensive experience in the sector. We offer you personalized advice tailored to your specific needs.

Conclusion

The DORA Regulation is an important regulation that has a significant impact on cryptoasset service providers. It is important that you comply with the obligations of this regulation to avoid penalties and protect your business. At ILP Abogados, we can help you comply with the Regulation.

If you liked this article, you may also find it interesting to read the following one:

DORA: The new regulatory regime for crypto-asset markets
