DORA and Compliance for Multi-Country Blockchain Payment System

Question

I'm a developer working on a blockchain-based payment system that will be used in multiple EU countries. Given the regulatory landscape, how does DORA affect our project, and what specific compliance measures should we be planning for?

Executive Summary

In developing a blockchain-based payment system for use across multiple EU countries, understanding the implications of the Digital Operational Resilience Act (DORA) is essential. The following key points summarize what your project must consider for DORA compliance:

  • DORA’s Regulatory Scope: Your payment system may be categorized as a ‘financial entity’, particularly if it functions as a crypto-asset service provider, necessitating adherence to DORA’s stringent guidelines for digital operational resilience.
  • Resilient Information and Communication Technology (ICT) Framework: There must be robust internal governance to manage ICT risks, requiring continuous monitoring, control, and updating of ICT systems, protocols, and tools.
  • Incident Management Protocols: A comprehensive incident management process is mandatory, including detection, management, and structured reporting of ICT-related incidents, with clear responsibilities even when outsourcing this function.
  • Third-Party Risk Management: Integrating third-party ICT service provider risk management into your overall risk framework, while developing exit strategies for potential provider failures, is crucial.
  • Continuous Testing and Reporting: Regular digital resilience testing and transparent incident reporting to users are essential components of compliance, emphasizing a proactive and accountable approach to operational integrity.

By incorporating these compliance measures into your system’s foundation, your project can align with the EU’s regulatory standards and cultivate durable digital resilience.

Assumptions

  1. Scope of the Payment System: The blockchain-based payment system is assumed to be a complex system with functionalities that may impact the financial sector and potentially fall under the category of financial entities as addressed in DORA.
  2. Targeted Users and Entities: It is assumed that the system will be available to both consumers and financial institutions.
  3. Interconnectedness with Financial Entities: The payment system is assumed to be designed to interact with other financial systems and entities within the EU.
  4. Data Handling: It is presumed that the system will handle financial transactions, which may involve processing personal data and sensitive financial information.
  5. Jurisdictional Presence: We will assume that the developer has or plans to have a legal entity established within the EU, making DORA’s provisions directly applicable to the project.

Legal trace

DORA’s Scope and the Payment System’s Qualification as a Financial Entity

Account information service providers, referred to in Article 33(1) of Directive (EU) 2015/2366, are explicitly included in the scope of this Regulation, taking into account the specific nature of their activities and the risks arising therefrom. … electronic money institutions and payment institutions exempted pursuant to Article 9(1) of Directive 2009/110/EC of the European Parliament and of the Council and Article 32(1) of Directive (EU) 2015/2366 are included in the scope of this Regulation even if they have not been granted authorisation in accordance with Directive 2009/110/EC to issue electronic money, or if they have not been granted authorisation in accordance with Directive (EU) 2015/2366 to provide and execute payment services. Recital 37

The explicit inclusion of account information service providers and the broadened scope to incorporate electronic money institutions and payment institutions, even if exempt under certain directives, underlines DORA’s extensive reach across financial services. This implies that emerging financial technologies providing similar services are likely intended to be covered.

Without prejudice to paragraphs 3 and 4, this Regulation applies to the following entities: […]

  • (f) crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens; […]
  • (u) ICT third-party service providers. Article 2, paragraph 1

Assuming the blockchain-based payment system is recognized as a crypto-asset service provider authorized under the relevant EU regulations concerning crypto-assets, it can be classified under DORA as a ‘financial entity’. Alternatively, if the system provides critical ICT services to financial entities, it could fall within DORA’s scope as an ‘ICT third-party service provider’ under Article 2(1)(u).

ICT Risk Management Framework

Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience. Article 5(1)

For the blockchain-based payment system, there must be internal governance in place to manage ICT risks effectively, suggesting a requirement for active enforcement and review at the organizational control level.

Financial entities shall maintain updated ICT systems, protocols and tools that are: appropriate to the magnitude of operations supporting the conduct of their activities… Article 7(a)

Updating and maintaining ICT systems are critical, implying the need to ensure that systems are reliable and can efficiently handle data processing and stress conditions.

Financial entities shall continuously monitor and control the security and functioning of ICT systems and shall minimise the impact of ICT risk through the deployment of appropriate ICT security tools, policies and procedures. Article 9(1)

There is a demand for an ongoing and proactive stance on the security and control of ICT systems, which includes continuous monitoring as well as the deployment of appropriate tools, policies and procedures to minimize ICT risk.

Reporting Obligations and Incident Management

Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Article 17(1)

A compliant incident management process must be developed that involves not only detection and management procedures but also a structured notification process.

Financial entities may outsource the reporting obligations under this Article to a third-party service provider. In case of such outsourcing, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements. Article 19(5)

Although outsourcing is an option, there is a need to ensure that any contractual arrangement with third-party service providers encapsulates the accountability standards as defined by DORA.

Relationship with Third-Party Service Providers

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1), and in accordance with the following principles […] Article 28(1)

Risk management of third-party ICT providers must be part of the larger risk management strategies, requiring the identification of any third-party blockchain service providers.

Financial entities shall put in place exit strategies […] to take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part […] Article 28(8)

An exit strategy is essential if there is reliance on third-party ICT services for critical functions, necessitating preparedness to switch providers or internalize services without disrupting operations.

Testing and Resilience Measures

Financial entities, other than microenterprises, shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6. Article 24(1)

An ongoing evaluation process for ICT-related incidents is mandated, underscoring that testing is not a one-time event but a continuous part of risk management practices.

Financial entities shall only use testers for the carrying out of TLPT, that […] possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing. Article 27(1)(b)

The client must be diligent in selecting testers with expertise in blockchain technologies and the particular threats faced by such systems, which underscores the need for specialization in resilience testing.

Transparency and Reporting to Users

This Regulation should require credit institutions, payment institutions, account information service providers and electronic money institutions to report all operational or security payment-related incidents — previously reported under Directive (EU) 2015/2366 — irrespective of the ICT nature of the incident. Recital 54

Entities developing and using blockchain-based payment systems must be aware of the stringent reporting requirements for all payment-related incidents.

The requirements laid down in this Chapter shall also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions. Article 23

The client must align with established communication strategies and reporting protocols, ensuring transparent and compliant incident management procedures.

In summary, the blockchain-based payment system, if classified as a ‘financial entity’ under DORA, would have to adhere to a holistic set of regulatory obligations—ranging from an all-encompassing ICT risk management framework, stringent incident reporting mechanisms, regular testing and resilience assessments, through to transparent communication with users and robust partnerships or exit strategies with third-party service providers. The developer should incorporate these considerations into the system’s foundational structure to ensure compliance and foster digital operational resilience within the EU’s regulatory landscape.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.

Details

In this supplemental response, we examine additional pertinent information that complements our prior analysis on how the Digital Operational Resilience Act (DORA) may affect your blockchain-based payment system in the EU. We provide expanded insights and considerations to aid in your strategic planning and compliance efforts in accordance with DORA and related EU regulations.

Legal trace

Given the irrelevance of the suggested excerpts, as noted in the legal assistant’s assessment, we will not include them in our supplemental answer. Instead, we focus on providing new information to address further considerations for compliance with DORA.

Identifying Additional Guidance from European Supervisory Authorities

We explored sources beyond DORA to identify relevant EU guidelines related to ICT risk management that may impact blockchain-based payment systems.

Reviewing Implementation Dates and Transitional Provisions

Our research did not uncover implementation dates or transitional provisions, outside of those mentioned in DORA, that would require direct reference in this context.

Analysis of Local Implementation Variances within EU Countries

Our review revealed no specific local variances in the implementation of DORA’s requirements by EU member states that would require quoting at this time; however, it remains crucial to monitor local developments as the regulatory landscape evolves.

Best Practices for Engagement with Regulators

Unfortunately, no specific excerpt available to us outlines the best practices for engaging with financial regulators in the EU on new fintech developments, but we advise maintaining strong communication channels with relevant regulatory bodies.

Insights into Upcoming Regulatory Changes

As such legislative processes are dynamic, we have no quotes at this stage to share regarding forthcoming regulatory changes. Staying informed through official EU channels and fintech regulatory updates is advisable.

Additional External Resources for Compliance Strategy Development

No specific excerpts are available that list external resources. Nevertheless, seeking partnerships with compliance consultants, legal experts, and technical advisors who specialize in EU financial regulatory matters can be beneficial.

Since we have established that quoting the excerpts adds no benefit, we have instead sought to expand our guidance in a way that can further your understanding and readiness for navigating the digital operational resilience regulatory framework within the EU. We advise continued diligence in staying abreast of the evolving regulatory context and consulting with specialized experts where necessary to ensure the compliance and success of your blockchain-based payment system.