Originally published March 23, 2026 · Revised April 24, 2026

MiCA & DORA: Where We Actually Stand

The EU did not shift into a new regulatory regime in July 2026. DORA has been applicable since 17 January 2025. MiCA has been fully applicable since 30 December 2024. What remains are specific transitional provisions — and the operational question of whether regulated institutions can actually produce the evidence that already-applicable rules demand.

Two Regulations, Different Timelines, One Shared Demand

MiCA and DORA cover different subject matter but share one characteristic: both require evidence, not merely documentation. A compliance binder will not satisfy a BaFin auditor. What will satisfy them is timestamped, signed, independently verifiable data that proves an assessment was correct at the time it was made.

MiCA

Markets in Crypto-Assets

Governs stablecoins (EMT/ART), crypto-asset service providers (CASPs), and token issuers. Title III (ARTs) and Title IV (EMTs) have been applicable since 30 June 2024. Titles I, II, V–VII have been fully applicable since 30 December 2024. CASP authorizations follow the national transitional regime under Art. 143, ending 1 July 2026 unless Member States extended.

DORA

Digital Operational Resilience

Applies to virtually every EU financial entity: banks, insurers, investment firms, payment institutions, crypto-asset service providers, trading venues. ICT risk management, incident classification and reporting, third-party risk, and digital operational resilience testing became enforceable on 17 January 2025.

Actual Regulatory Timeline

30 June 2024

MiCA Titles III & IV applicable

Asset-referenced tokens (ARTs) and e-money tokens (EMTs) subject to MiCA obligations; issuance without authorization restricted.

30 December 2024

MiCA fully applicable

Remaining titles, including Title V (CASP authorization regime), enter application. National transitional regime under Art. 143 begins.

17 January 2025

DORA applicable EU-wide

ICT risk management, incident reporting, resilience testing, Register of Information and third-party-risk obligations become directly enforceable. National competent authorities (e.g. BaFin) begin supervisory engagement.

30 March 2026

BaFin Register of Information submission

First submission deadline for the DORA Art. 28 Register of Information under national reporting schedules.

1 July 2026

End of MiCA Art. 143 CASP transitional period

Crypto-asset service providers operating under national pre-MiCA regimes must hold a MiCA authorization (subject to any extensions granted under Art. 143(3)). This is not a new DORA deadline.

10 July 2027

AMLR most provisions apply

The EU single AML rulebook, including harmonized CDD and transparency rules for digital assets.

Stablecoin MiCA Status — As of Late April 2026

FeedOracle continuously monitors stablecoin authorization status, reserve quality, peg behaviour, and custody arrangements. Verdicts are produced per-token against MiCA Titles III/IV and rendered as a traffic-light decision (PASS / WARN / BLOCK). The top five stablecoins by market capitalization illustrate the current picture:

USDC & EURC

PASS. Circle holds an EMI-level authorization recognised in France. ESMA register entries present. Reserve composition disclosed.

USDT

BLOCK. Tether has no EU authorization. Major EU venues have delisted. The peg itself is stable — authorization is binary.

RLUSD

WARN. Ripple authorization is pending via Standard Custody. Reserve attestations published, but not yet recognised under MiCA.

DAI

WARN. No issuer entity fits the MiCA issuer definition. Decentralized governance creates an open regulatory question.

The full assessment across 100+ tokens, with ES256K-signed evidence and on-chain anchoring, is available in the live Ampel Dashboard.

DORA: What Regulated Entities Must Actually Prove

DORA is not a checklist. It is structured around obligations that each require auditable evidence:

1ICT risk management (Art. 5–16) — documented risk framework, regular assessments, management-body-level reporting. Not a binder — a living system.
2Incident classification & reporting (Art. 17–23) — major ICT incidents reportable under the ITS 2024/1772/1773 schedule: initial notification without undue delay (4h target), intermediate report within 72h, final report within one month.
3Digital operational resilience testing (Art. 24–27) — annual basic testing for all in-scope entities. Threat-led penetration testing (TLPT) at least every three years for entities designated as significant.
4Third-party risk management (Art. 28–44) — contractual provisions under Art. 30 (eight standard plus seven CIF clauses), Register of Information submission under the ITS, concentration-risk assessment for critical third-party providers.

The Evidence Problem

Most organizations still approach compliance through PDFs and spreadsheets. An analyst downloads data from a public website, pastes it into a file, and archives the result. Months later an auditor asks: "Can you prove this data was correct at the moment you made your decision?"

In most setups, the honest answer is no. The upstream source updated. The PDF was overwritten. The spreadsheet carries no audit trail. There is no timestamp, no signature, no way to independently re-verify.

This is the operational gap FeedOracle is designed to close.

How FeedOracle Produces Verifiable Evidence

Every response from the FeedOracle platform carries four layers of evidence:

1. ECDSA signature (ES256K) — cryptographic proof of authenticity
2. SHA-256 content hash — tamper detection for each data point
3. ISO 8601 timestamp — exact moment of data retrieval
4. On-chain anchor — XRPL and Polygon transaction references for permanent record

verify: /.well-known/jwks.json → public keys for independent verification
docs: docs.html · Trust Policy · metrics

What Regulated Institutions Can Do Now

✓Run a MiCA pre-flight — identify which stablecoins your operations touch; confirm authorization status against the ESMA register with signed evidence. Live dashboard →
✓Assess DORA evidence readiness — FeedOracle evaluates the DORA articles your entity is subject to with traffic-light status, identified gaps, and owner-assigned remediation.
✓Start producing signed evidence today — every FeedOracle API call produces a signed, timestamped, verifiable artefact. Begin building the audit trail now, not the week before supervisory engagement.
✓Connect via MCP — 44 MCP servers · 590+ evidence tools · direct integration with Claude, Cursor and any MCP-compatible client. MCP integration →

Start With 500 Free Units

Live Dashboard Console

Disclaimer: FeedOracle provides verifiable compliance evidence infrastructure. This article does not constitute legal advice, investment advice, audit certification or regulatory approval. Regulatory interpretation for your specific entity and jurisdiction remains with qualified legal, compliance and audit professionals. Dates and article references reflect the Official Journal of the European Union as of the revision date above.