Cracking MiCA’s Article 60: ICT and Cybersecurity Compliance with Confidence

Understanding Article 60 of MiCA

The Markets in Crypto-Assets (MiCA) Regulation lets certain financial entities already authorised under other EU financial services legislation (for example credit institutions and investment firms) provide crypto-asset services without a separate CASP authorisation, provided they notify their national competent authority beforehand. Under Article 60, that notification must include, among other items, technical documentation of the entity's ICT systems and security arrangements together with a non-technical description of them. Because crypto-asset service providers are financial entities under DORA (the Digital Operational Resilience Act), the ICT parts of the notification should be consistent with DORA's ICT risk management, incident reporting and third-party risk requirements.

At Konkrit Solutions, we assist financial entities in preparing and submitting the documentation needed to meet MiCA's technical and cybersecurity requirements. Below, we outline the ICT-related elements of an Article 60 notification and how we support firms in producing them.

Key ICT Requirements Under Article 60 of MiCA

1. Technical Documentation

Entities must provide technical documentation covering their ICT systems, security arrangements and, where applicable, the Distributed Ledger Technology (DLT) infrastructure they rely on. This includes:

  • ICT Risk Management Framework
    • A structured approach to identifying, assessing, managing and monitoring ICT risks.
    • A description of the ICT systems in scope, the security controls applied to them, and the governance structure that owns them.
    • Policies and controls protecting the confidentiality, integrity and availability of data.
  • Identification of Critical ICT Services
    • An inventory of the ICT services supporting critical or important functions.
    • For each service, whether it is operated internally or provided by a third party.
    • Contractual and oversight arrangements for outsourced services, in line with DORA's ICT third-party risk management requirements.
  • Security and Incident Management
    • A description of security policies, security monitoring and the incident response process.
    • Procedures for classifying and reporting ICT-related incidents to the competent authority, in accordance with DORA's major-incident reporting obligations and MiCA.

2. Cybersecurity Audit (Third-Party Assessment)

Entities are required to have an independent cybersecurity audit performed, covering:

  • Organizational & Physical Security
    • Assessment of internal cybersecurity measures.
    • Review of physical security controls protecting IT infrastructure.
  • Vulnerability and Network Security Assessments
    • Evaluation of ICT systems against known vulnerabilities and current threats, including patch status of exposed components.
    • Review of network segmentation, filtering rules and remote-access configurations.
  • Configuration Reviews
    • Assessment of ICT asset configurations supporting critical or important functions, ensuring alignment with security best practices.
    • Evaluation of system hardening measures, firewall configurations, and endpoint security settings to reduce attack surfaces.
  • Penetration Testing
    • Black Box Testing: the tester has no prior knowledge of or credentials for the system, simulating an external attacker.
    • Grey Box Testing: the tester is given partial knowledge, typically low-privileged credentials, to assess what an authenticated user or insider could reach, including privilege escalation paths.
    • White Box Testing: the tester has full access to architecture, configuration and source code, allowing the most thorough review of the design and implementation.
  • Smart Contract Cybersecurity Review
    • Source code analysis of any smart contracts relied on by the crypto-asset services.

3. ICT Systems Audit Reports

Entities must submit audit reports detailing:

  • The DLT infrastructure (if applicable) and the security arrangements protecting it.
  • Any independent ICT system audits carried out before the notification, with their findings and remediation status.

4. Non-Technical Summary

A summary of the technical documentation and cybersecurity audits written in clear, non-technical language, so that regulatory reviewers without an engineering background can follow what systems are in scope and how they are protected.

5. Transfer Services (if applicable)

For firms offering crypto-asset transfer services, the following must be documented:

  • The ICT and human resource measures that address the operational and cybersecurity risks of transfers.
  • The controls used to prevent and mitigate risks during transfers, such as misdirected or unauthorised transactions.

How Konkrit Solutions Can Help

At Konkrit Solutions, we provide end-to-end support in preparing the required documentation for MiCA compliance, including:

  • Technical Documentation & ICT Risk Frameworks – We draft the policies, procedures, IT architecture descriptions and ICT risk assessments the notification calls for, tailored to your environment.
  • Cybersecurity Audits & Assessments – We conduct independent cybersecurity reviews, including penetration testing, vulnerability assessments, configuration reviews and DLT security audits.
  • Regulatory & Compliance Consulting – Our team checks that the documentation meets MiCA and DORA expectations before submission, so the notification process runs smoothly.
  • Business Impact Analysis (BIA) & Resilience Planning – We help firms identify their critical ICT services and the risks to them, and plan for business continuity as MiCA and DORA require.

Prepare for MiCA Compliance with Konkrit Solutions

Meeting MiCA's Article 60 notification requirements can be complex, but our expertise in ICT risk management and cybersecurity helps ensure your firm is fully prepared.