Brussels 2.0

The Brussels 2.0 DARTE session took place on March 14th, 2025, at the Breydel Building of the European Commission in Brussels. Organized with the support of the European Commission, DLT Finance, and Project Catalyst, this roundtable continued the series' mission of fostering legal clarity within MiCAR and related regulatory frameworks. This session focused on the harmonisation of the Digital Operational Resilience Act (DORA) and the EBA Outsourcing Guidelines, the application of the proportionality principle, and the integration of Decentralised Finance (DeFi) within existing EU regulations.

The session opened with a keynote by Joachim Schwerin, Principal Economist at the European Commission – DG GROW. Rabia Karaarslan Turkut from DLT Finance then led the first discussion on overlapping outsourcing requirements, emphasizing the need for streamlined compliance across MiCAR, DORA, and the EBA guidelines. Miguel Vaz from Hauck Aufhäuser Digital Custody followed with a presentation on the proportionality principle and its implications for smaller institutions. Finally, Anne-Grace Kleczewski from MME closed the session with a deep dive into the complexities of DeFi integration by regulated entities, underlining the importance of clear definitions and regulatory taxonomy.

Download the Report

9b31d025-f5fd-42a3-9268-bd9acb0c1943 3.jpg

Harmonisation of DORA and EBA Outsourcing Guidelines

This session focused on the overlapping requirements under DORA, MiCAR, and the 2019 EBA Outsourcing Guidelines, which collectively create operational and compliance burdens for CASPs. Participants discussed the lack of harmonisation between these frameworks—particularly regarding outsourcing registers, subcontracting chains, and critical versus non-critical function definitions. The discussion highlighted that outdated guidelines and redundant obligations undermine regulatory efficiency and legal certainty.

Proportionality Principle under DORA and MiCAR

This session examined the disproportionate compliance burdens smaller CASPs face under DORA’s operational resilience requirements. The conversation addressed challenges around intragroup outsourcing, duplicate auditing requirements, and the overall cost of ICT provider compliance. Participants underscored the risk that such burdens may lead to market concentration and inhibit innovation across the sector.

Call to Actions

Regulators and industry should collaborate to align outsourcing obligations across DORA, MiCAR, and the upcoming EBA Guidelines on Third-Party Risk Management.
National Competent Authorities (NCAs) should be encouraged to adopt unified reporting mechanisms, such as BaFin’s "Notification of Outsourcing" model.
EBA should explicitly waive the outdated 2019 Outsourcing Guidelines and expedite the release of updated guidelines tailored to MiCA-licensed entities.

Call to Actions

NCAs should formally apply the proportionality principle to reduce the regulatory burden on smaller CASPs and startups.
Industry associations should propose frameworks for recognizing intragroup risk management procedures as sufficient for compliance.
Regulators should support the adoption of pooled and standardized audit models to eliminate redundant ICT provider audits across jurisdictions.

DeFi Integration by CASPs under DORA

This session explored the regulatory uncertainty surrounding the integration of DeFi protocols by centralized actors. Participants emphasized that DeFi cannot easily be classified as an ICT service provider under DORA due to its decentralized and non-custodial nature. The absence of definitions, decentralization criteria, and taxonomy makes compliance for DeFi-integrated CASPs complex and unclear.

Call to Action

Industry experts should develop and promote clear definitions and decentralization metrics to facilitate regulatory understanding of DeFi.
Regulatory guidance should distinguish between DeFi integrations that support core, ancillary, or unregulated services.
The European Commission and ESAs should clarify whether and how DeFi protocols fall under DORA’s scope, ensuring legal certainty without compromising decentralization.