
MiCAR & DORA: What Companies Seeking a MiCAR License in Liechtenstein Must Know from an IT Security Perspective

  • Admin
  • 16 Oct
  • 3 min read

Updated: 17 Oct




Liechtenstein is emerging as one of Europe's most forward-thinking hubs for regulated blockchain and fintech companies. Many digital asset service providers, banks, asset managers, custodians, wallet providers and trading platforms are currently seeking a MiCAR license in order to secure regulatory approval early. Anyone pursuing a MiCAR license must also think about DORA: without demonstrable digital operational resilience, a license will either not be granted or will not be sustainable in the long term.


1. Two EU Regulations, One Goal: Trust in Digital Finance

The Markets in Crypto-Assets Regulation (MiCAR) defines who may issue, trade, or safeguard crypto-assets in the EU and under what conditions. The Digital Operational Resilience Act (DORA) defines how these entities must secure and maintain the resilience of their IT systems.

Both regulations have applied since the turn of 2024/2025: DORA from 17 January 2025, and MiCAR's provisions on crypto-asset service providers from 30 December 2024 (its rules on asset-referenced and e-money tokens already from 30 June 2024). Both apply directly across the EU and, once incorporated into the EEA Agreement, across the EEA, including Liechtenstein.


2. MiCAR Focus: Governance, Transparency, Investor Protection

Applicants for a MiCAR license (e.g. token issuers, custodians, exchanges) must demonstrate:

  • A clear organizational structure with well-defined responsibilities

  • IT-supported internal control systems

  • Documented cybersecurity measures proportional to their risk profile

  • Business continuity and outsourcing risk management

In other words, while MiCAR is primarily a legal and governance framework, IT security readiness is a key prerequisite for licensing.


3. DORA Adds the Technical Backbone

DORA goes beyond traditional cybersecurity. It requires firms to prove their ability to withstand and recover from digital disruptions — from cyberattacks to cloud outages.

Core DORA requirements include:

  1. ICT Risk Management – Identify, assess, and mitigate all technology-related risks, backed by a documented ICT risk management framework that is reviewed at least annually.

  2. Incident Reporting – Mandatory classification of ICT incidents and notification of major ones to the competent authority within tight deadlines (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, followed by intermediate and final reports).

  3. Resilience Testing – Regular penetration tests, scenario simulations, and recovery exercises; entities designated by their authority must additionally undergo threat-led penetration testing (TLPT) at least every three years.

  4. Third-Party Oversight – Contractual audit and access rights, a register of information covering all ICT third-party arrangements, concentration-risk assessment, and exit plans for critical IT and cloud providers.

  5. Governance – Ultimate accountability rests with the management board, which must approve the ICT risk framework and maintain sufficient knowledge of ICT risk.


4. The Liechtenstein Context

The FMA Liechtenstein (Financial Market Authority) is actively integrating both MiCAR and DORA into its supervisory framework. Applicants must be able to demonstrate:

  • How DORA-related security measures are implemented or planned

  • How ICT systems and dependencies are documented

  • How audit trails and test results are maintained and made available to regulators


Change the bank:

  • Basic DORA criteria are already relevant for your MiCAR application.

  • Substance is required: not only process compliance, but also (IT) security compliance.

  • Who will be your CISO, responsible for the technical requirements?


Run the bank:

  • Without DORA-aligned IT governance, no MiCAR application will hold up during or after approval.

  • Retrofitting compliance later is costly, complex, and risky.



5. Five Key IT-Security Priorities for MiCAR Applicants

1. Information Security & Risk Framework

Establish an ISMS (Information Security Management System) aligned with ISO/IEC 27001 or an equivalent standard. It structures policies, controls, risk analysis, and the evidence trail that auditors and the FMA will ask for.

2. Identity & Access Management (IAM)

Access to wallets, trading platforms, and key management systems must be role-based, granted on a least-privilege basis, logged in a tamper-evident audit trail, and periodically reviewed so that dormant accounts and roles that no longer exist in the permission model are caught. Privileged operations such as transaction signing should additionally require an independent second approver (dual control).
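As an added illustration of what "role-based, logged, and periodically reviewed" looks like in code (this is not code from the article or from any product it mentions), the following Python sketch models a small custody platform: a permission matrix per role, dual control for signing, an append-only audit log, and an access review that flags dormant users, users whose role is no longer in the matrix, and actors with repeated denials. User names, roles, timestamps and thresholds are constructed for the example.

```python
"""Role-based access control for a custody platform, with an audit trail and
a periodic access review.

Added illustration; roles, users, timestamps and thresholds are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Permission matrix: each role lists exactly what it may do (least privilege).
# Note that "admin" manages users but deliberately cannot sign transactions.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"wallet:read"}),
    "trader": frozenset({"wallet:read", "order:create"}),
    "custodian": frozenset({"wallet:read", "tx:sign"}),
    "admin": frozenset({"wallet:read", "user:manage"}),
}
# Operations that require an independent second approver (four-eyes principle).
DUAL_CONTROL = frozenset({"tx:sign"})


@dataclass
class User:
    name: str
    role: str
    last_active: datetime


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    target: str
    outcome: str          # "allowed" or "denied"
    detail: str = ""


@dataclass
class AccessControl:
    users: dict[str, User]
    audit_log: list[AuditEvent] = field(default_factory=list)

    def authorize(self, actor: str, action: str, target: str,
                  approver: str | None = None, when: datetime | None = None) -> bool:
        """Decide an access request; every decision, allowed or denied, is logged."""
        when = when or datetime.now(timezone.utc)

        def decide(outcome: str, detail: str = "") -> bool:
            self.audit_log.append(AuditEvent(when, actor, action, target, outcome, detail))
            return outcome == "allowed"

        user = self.users.get(actor)
        if user is None or user.role not in ROLE_PERMISSIONS:
            return decide("denied", "unknown user or role not in permission matrix")
        if action not in ROLE_PERMISSIONS[user.role]:
            return decide("denied", f"role {user.role} lacks {action}")
        if action in DUAL_CONTROL:
            second = self.users.get(approver) if approver else None
            if (second is None or approver == actor
                    or action not in ROLE_PERMISSIONS.get(second.role, ())):
                return decide("denied", "dual control: independent second approver required")
            second.last_active = when
        user.last_active = when
        return decide("allowed", f"approver={approver}" if approver else "")

    def access_review(self, now: datetime, dormant_after: timedelta = timedelta(days=90),
                      denial_threshold: int = 3) -> dict[str, list[str]]:
        """Periodic review: dormant accounts, orphaned roles, repeated denials."""
        dormant = sorted(u.name for u in self.users.values() if now - u.last_active > dormant_after)
        orphaned = sorted(u.name for u in self.users.values() if u.role not in ROLE_PERMISSIONS)
        denials = Counter(e.actor for e in self.audit_log if e.outcome == "denied")
        repeat = sorted(a for a, n in denials.items() if n >= denial_threshold)
        return {"dormant": dormant, "orphaned_role": orphaned, "repeat_denials": repeat}


def demo():
    """Constructed scenario: two custodians, a trader, a dormant viewer and a
    user whose role ("ops") was removed from the matrix but not from the system."""
    t0 = datetime(2025, 10, 1, tzinfo=timezone.utc)
    users = {
        "alice": User("alice", "custodian", t0),
        "bob": User("bob", "custodian", t0),
        "carol": User("carol", "trader", t0),
        "dave": User("dave", "viewer", t0 - timedelta(days=200)),
        "erin": User("erin", "ops", t0),
    }
    ac = AccessControl(users)
    results = [
        ac.authorize("alice", "tx:sign", "hot-wallet-1", when=t0),                    # no approver
        ac.authorize("alice", "tx:sign", "hot-wallet-1", approver="alice", when=t0),  # self-approval
        ac.authorize("alice", "tx:sign", "hot-wallet-1", approver="bob", when=t0),    # allowed
        ac.authorize("carol", "tx:sign", "hot-wallet-1", approver="bob", when=t0),    # trader cannot sign
        ac.authorize("carol", "tx:sign", "hot-wallet-1", approver="bob", when=t0),
        ac.authorize("carol", "tx:sign", "hot-wallet-1", approver="bob", when=t0),
        ac.authorize("erin", "wallet:read", "hot-wallet-1", when=t0),                 # orphaned role
    ]
    findings = ac.access_review(now=t0 + timedelta(days=1))
    return results, findings, ac


if __name__ == "__main__":
    res, f, ctl = demo()
    print(res, f, sep="\n")
    for e in ctl.audit_log:
        print(e.ts.isoformat(), e.actor, e.action, e.outcome, e.detail)
```

The review output is the artefact a regulator will ask for: not just "we have RBAC", but a dated list of what was found and what was done about it. In a real deployment the audit log would be shipped to write-once storage rather than kept in memory.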


3. Business Continuity & Disaster Recovery (BCM/DR)

Comprehensive continuity and recovery plans are essential. DORA requires evidence of testing under realistic conditions.


4. Cloud & Third-Party Governance

Most MiCAR candidates rely on external hosting or cloud environments. Contracts must include DORA-compliant clauses — e.g. audit rights, data-location rules, and exit strategies.


5. Security Monitoring & Incident Reporting

Implement a SIEM solution and an incident-response workflow that ensures timely escalation, classification of incidents against the DORA criteria, and notification of major incidents to the FMA within the DORA deadlines. Retain the underlying logs, because the incident reports must be backed by evidence.
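The following Python sketch is an added illustration of such a workflow, not code from the article or from any SIEM product: it parses a constructed authentication and signing log from a wallet signing host, runs one correlation rule (a burst of failed logins followed by a success from an unrecognised source address), classifies the resulting alert by whether a critical system is involved, and derives the notification timeline. The log format, host names, IP addresses, thresholds and the "critical host" list are assumptions; the deadlines encoded are the DORA major-incident reporting deadlines (initial notification within 4 hours of classification and no later than 24 hours after awareness, intermediate report 72 hours after the initial notification, final report one month after the intermediate one), with "one month" approximated as 30 days.

```python
"""Mini detection pipeline: parse log lines, correlate, classify, derive the
DORA notification timeline.

Added illustration; log format, hosts, addresses and thresholds are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <host> <event> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth_fail|auth_ok|tx_sign) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
CRITICAL_HOSTS = {"signer-01"}            # assumption: hosts holding signing keys
KNOWN_SRC = {"10.0.5.12", "10.0.5.13"}   # assumption: bastion / office egress
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: a brute-force burst on the signer followed by a
# login from an unknown address, a benign typo on the portal, and junk.
SAMPLE_LOG = """\
2025-10-16T08:00:01+00:00 signer-01 auth_fail user=ops.alice src=203.0.113.45
2025-10-16T08:00:09+00:00 signer-01 auth_fail user=ops.alice src=203.0.113.45
2025-10-16T08:00:17+00:00 signer-01 auth_fail user=ops.alice src=203.0.113.45
2025-10-16T08:00:26+00:00 signer-01 auth_fail user=ops.alice src=203.0.113.45
2025-10-16T08:00:34+00:00 signer-01 auth_fail user=ops.alice src=203.0.113.45
2025-10-16T08:00:41+00:00 signer-01 auth_ok user=ops.alice src=203.0.113.45
2025-10-16T08:01:03+00:00 signer-01 tx_sign user=ops.alice src=203.0.113.45
2025-10-16T08:05:00+00:00 portal-02 auth_fail user=carol src=10.0.5.13
2025-10-16T08:05:30+00:00 portal-02 auth_ok user=carol src=10.0.5.13
this line is malformed and must not crash the pipeline
""".splitlines()


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: str


@dataclass
class Alert:
    user: str
    host: str
    src: str
    failures: int
    success_at: datetime
    critical: bool


def parse(lines: list[str]) -> list[Event]:
    """Parse lines, skipping malformed ones; returns events sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["event"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[Alert]:
    """Rule: >= FAIL_THRESHOLD failures for (user, host) inside WINDOW, then a
    successful login from a source not in KNOWN_SRC."""
    recent_fails: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    alerts = []
    for e in events:
        key = (e.user, e.host)
        if e.event == "auth_fail":
            recent_fails[key] = [t for t in recent_fails[key] if e.ts - t <= WINDOW] + [e.ts]
        elif e.event == "auth_ok":
            fails = recent_fails.get(key, [])
            if len(fails) >= FAIL_THRESHOLD and e.src not in KNOWN_SRC:
                alerts.append(Alert(e.user, e.host, e.src, len(fails), e.ts,
                                    e.host in CRITICAL_HOSTS))
            recent_fails[key] = []
    return alerts


def classify(alert: Alert) -> str:
    """Simplified classification: suspected credential compromise on a key-holding
    system is treated as a major incident; elsewhere it is significant."""
    return "major" if alert.critical else "significant"


def reporting_timeline(aware_at: datetime, classified_at: datetime) -> dict[str, datetime]:
    """DORA deadlines: initial within 4h of classification, at most 24h after
    awareness; intermediate 72h after initial; final one month (30 days here)."""
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial_notification": initial, "intermediate_report": intermediate,
            "final_report": final}


def run(lines: list[str] = SAMPLE_LOG) -> list[dict]:
    """End to end: parse, detect, classify; assume classification 30 min after
    the alert fires (a constructed triage time)."""
    report = []
    for a in detect(parse(lines)):
        classified_at = a.success_at + timedelta(minutes=30)
        report.append({
            "user": a.user, "host": a.host, "src": a.src, "failures": a.failures,
            "severity": classify(a),
            "timeline": reporting_timeline(aware_at=a.success_at, classified_at=classified_at),
        })
    return report


if __name__ == "__main__":
    for item in run():
        print(item)
```

The point of the example is the last step: the detection rule is ordinary SIEM fare, but the workflow must also produce a classification decision and a deadline clock that the incident manager can hand to compliance. The 30-day approximation and the fixed 30-minute triage time are simplifications; in practice the final-report deadline is computed on the calendar month and the classification time is whatever the incident record says.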


6. Integrating MiCAR and DORA: Compliance by Design

Firms that build DORA compliance into their MiCAR strategy from the start avoid duplication and delays. Examples:

  • MiCAR requires internal controls → DORA defines how to technically enforce and monitor them.

  • MiCAR demands governance → DORA specifies management’s accountability for ICT resilience.

By aligning both frameworks, companies achieve regulatory stability, operational security, and a lasting competitive advantage.


7. Recommended Roadmap

  1. Initial Gap Analysis: Map MiCAR and DORA requirements against current processes.

  2. Assign Responsibilities: Involve executive management early.

  3. Run a DORA Compliance Check: Measure security maturity and identify gaps.

  4. Prioritize Measures: Quick wins (e.g., updated policies) vs. long-term projects (e.g., ISMS rollout).

  5. Automate Documentation & Reporting: Build audit readiness into daily operations.



Conclusion

MiCAR opens the door to the European digital-asset market. DORA ensures that door stays securely locked against operational risks. For firms in Liechtenstein, achieving MiCAR licensing success means treating DORA as a foundational element, not an afterthought. IT security is the backbone of regulatory credibility.


Our DORA-Compliance-Check helps MiCAR applicants in Liechtenstein strengthen their technical and organizational resilience in line with DORA — pragmatic, audit-ready, and FMA-compliant.




