Public Key Podcast

Why Europe’s DORA Could Change Crypto Landscape: Podcast Ep. 155

Will DORA regulation change the way financial institutions and Crypto-Asset Service Providers (CASPs) use technology providers like Fireblocks? In this episode, Matthias Bauer-Langgartner (Head of Policy Europe, Chainalysis) sits down with Jason Allegrante (Chief Legal & Compliance Officer, Fireblocks) to answer this question and to demystify the EU’s Digital Operational Resilience Act (DORA) and its implications for technology providers, crypto companies and financial institutions.

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 155.

Public Key Episode 155: How Fireblocks is Shaping the Future of Digital Asset Security

The duo navigate the relevant regulatory frameworks and examine how the recent Bybit hack has become a poignant example of the urgent need for operational resilience and stronger cybersecurity practices in the industry.

Jason draws on his public sector and traditional financial legal experience to cover the challenges and opportunities DORA presents and the need for a global standard on material business matters in crypto, with custody technology as the prime example.

Quote of the episode

”DORA basically says that if you’re going to be a third party technology service provider to a financial institution or CASP in the European Union, then there are certain standards that you’re going to have to meet, or else the financial institution or the CASP basically isn’t going to be able to work with you.”
–  Jason Allegrante (Chief Legal & Compliance Officer, Fireblocks)

Minute-by-minute episode breakdown

2 | Jason’s transition from public sector and traditional legal to digital asset frameworks

4 | Fireblocks: Secure and flexible digital asset custody platform

7 | Could the Bybit hack have been avoided using Fireblocks’ technology?

12 | DORA’s Impact on technology providers, CASPs and financial institutions

19 | Challenges and strategies for DORA Compliance in Financial Services

24 | Navigating MiCA and DORA compliance challenges for EU crypto service providers

30 | Will DORA raise standards or stifle innovation?

33 | Challenges of regulating DeFi within traditional financial frameworks

37 | Global regulatory shifts in cybersecurity and digital assets with the USA taking the lead?

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company. 

Transcripts

Matthias 

Hello everyone. My name is Matthias Bauer-Langgartner and I head up European policy at Chainalysis. Today I’m really excited to have a fabulous guest with us. We’ve got Jason here. Jason, so great to have you on the podcast today.

Jason A.

Hey, thanks for having me.

Matthias

Yeah, thank you so much for joining. You know, we talked about recording this podcast on the EU’s Digital Operational Resilience Act, or DORA for short, for quite a while. Now, with the recent Bybit hack, it feels even more topical and timely to talk about this, so I’m really looking forward to going a little bit deeper into this regulatory framework. But first, Jason, you are Chief Legal and Compliance Officer at Fireblocks, obviously a leading platform for storing, transferring and issuing digital assets. You manage a really broad portfolio of legal, regulatory, commercial and also compliance matters. You joined five years ago, but I’m really interested: what did you actually do before that time?

 

Jason A. 

Yeah, so I actually really consider myself a traditional financial services lawyer. So I have a TradFi background. It’s been a really interesting journey for me. I got into financial services right at the start of my career. Listen, there’s no child that raises their hand and says to their parents, “I want to be a financial services lawyer.” It’s something I got into as a function of the financial crisis of ’08–’09. It really underscored for me the importance of financial services in people’s lives. I mean, the whole economy was impacted at the time. So that’s kind of what led me down that path. In 2018 I wanted to make a change. Obviously, I wanted to find a way to leverage the expertise I had developed over time, but I was also looking for kind of a new adventure. I found myself in crypto, and honestly, it was a better decision for someone with my background than I even realized at the time I made it. The reason I say that is that a lot of what we do today is reasoning by analogy to existing financial services law. We’ll probably get into that a bit with DORA and some other stuff today. So much of the conversation is shaped by the fact that we are struggling to figure out a way to understand the innovation in the space. We’re struggling to figure out a way to create legal frameworks that are directly applicable to digital assets and that enable the innovation to thrive and flourish. And so we’re using what we have, which is traditional financial services frameworks. So in my role today, I’m able to be the bridge between the TradFi world and the emerging digital asset economy. And it’s been really great.

 

Matthias 

Yeah. I mean, you were looking for an adventure. I’m pretty sure you found one with crypto. There’s nothing like a dull day in crypto. Indeed, I’ve also seen that you worked at the Federal Reserve in New York before. So we both have, like, a regulatory background.

 

Jason A. 

Yeah, and again, the Federal Reserve was an amazing place, and it was an amazing time. As I said, I got into financial services because of the financial crisis. I had been in law school during the financial crisis. I had been studying what was happening at the New York Federal Reserve Bank. You had Tim Geithner, who I believe was the president of the bank at the time, taking extraordinary actions to stabilize the economy. I was able to go and work there immediately after law school. That was an incredible experience, and, as I said, a time of great transformation at the Federal Reserve Bank of New York as well as the Federal Reserve System writ more broadly. And again, what I learned there has been so applicable today. Because, again, we’re a software company, we’re not a regulated business ourselves, but so many of the customers we interface with are. Being able to go into a room with those customers with credibility, with a background that says, I’ve been here, I understand the perspective, and then again act as that bridge between TradFi and digital assets, explaining to the regulator what it is that we’re doing in the digital asset space, how it is or is not similar to concepts that they’re familiar with. And then take those learnings and go back to the customer, or go back to our executive team, and say, hey, this is what we’re hearing from the regulators, and let me put that in terms that we can understand as a software company. That skill has been hugely helpful.

 

Matthias 

Oh yeah, I couldn’t agree more. I mean, I also have a traditional finance background, working at multiple regulators, and also having had a little hand in the MiCA regulation. But today we’ll talk a little bit about DORA. Before we go into DORA and digital operational resilience, I wanted to ask you if you could give us a quick overview of Fireblocks, so who they are and what they do, before we talk about operational resilience.

 

Jason A. 

Sure, absolutely. So, as I said, we primarily view ourselves as a software company, so we’re in the business of developing and licensing a proprietary software platform. It’s an enterprise grade software solution, and our mission with this software platform is to enable every business that wants to be in the digital asset space to do so safely and securely. And listen, there are a lot of product features that enable us to do this. The first and foremost is our wallet and our wallet infrastructure. So, in addition to being a software company, we’re a security first company. The security features around the wallet, around the key management, this is our core value proposition, and always has been. And then what’s really interesting about wallets, about custody, is in fact how different it is from traditional custody. So you think about traditional custody, and honestly, it’s very boring. It’s gold bars sitting in a vault somewhere, sitting at the Federal Reserve Bank of New York in the basement, and all they’re supposed to do is sit there. In the digital asset space, the wallet is something very different. It is, of course, paramount that the digital assets remain safe and secure in the wallet that they’re managed in. However, the wallet is also the jumping off point for every operation you want to conduct in the digital asset space, and that’s why, on top of our wallet and on top of our multi layered security architecture around the wallet, we have things like the Fireblocks Network, which is a way of connecting to and interacting with other players within the ecosystem. That could be exchanges, that could be liquidity providers, that could be on and off ramps, that could be bilateral counterparties.

So the wallet is really the jumping off point for the digital asset experience. Again, it’s not just other destinations, it’s functionality as well. Do I want to be able to interact with a DeFi protocol? Do I want to be able to take my assets and stake them and perhaps participate in yield? Do I want to tokenize? Am I a financial institution sitting on real world assets with a tokenization use case? We have built all of these functions on top of the wallets, and that enables our customers not only to come and store and administer their digital asset holdings, but then to participate in a broader ecosystem of digital asset use cases.

 

Matthias 

Amazing. I mean, obviously custody solutions are vital in the crypto asset space, and as the recent hack with Bybit has shown, prudential safety and soundness of firms, hacks and cybersecurity are really closely interlinked. Crypto is and remains, to some extent, a bearer instrument, so making sure that you actually have security around that and the right functionality is paramount. It’s much easier to hack into a cryptocurrency exchange and siphon off one and a half billion US dollars than to carry the weight of gold worth one and a half billion dollars out of a vault. When I looked at Fireblocks’ technology, the one thing that stood out to me was MPC, multi-party computation. And I was wondering if you also see that as a vital part of the security features you have. Maybe just give a quick overview of what MPC is and what multisig is. I’ve got a follow-up question on that, which is why I think it would be interesting to hear. What do you think?

 

Jason A. 

So, you know, I’m just the lawyer, so I’m going to give you the lawyer’s answer. MPC stands for multi-party computation. It’s similar in some respects to something like multisig, but it’s also very different. It’s a technology that’s been around for a long time. Ours is, again, a proprietary deployment of it, but really what it comes down to is reducing points of failure within the key management process. So what you want to do is take the key material, the access material, if you will, to be able to read and write with the wallet, and distribute that over multiple secure areas. With our solution, the customer is in control. Fireblocks is not able to access the wallet. The key material sufficient to do that is delivered into the hands of the customer. Along with that, there’s a backup and recovery package that also goes into the hands of the customer. This allows them to reconstitute the key should there ever be an operational failure event. And then in business as usual, as I said, the customer has the controlling key, but there are shards of the key that are secured in online, cloud based enclaves, protected again by secure infrastructure. And these portions of the key, which are required to sign any transaction, are governed exclusively, in our deployment, by a logic set. So what that enables a customer to do is customize across multiple kinds of transactions and multiple kinds of operational events. For example, if you want to change the rules governing the keys, you might set that for the highest level of security possible. That would make it really hard, for example, for a hacker to come in, attempt to change the rule without you knowing, and then do something malicious.

Similarly, you might set it such that the operator is able to do a transaction of, say, $1,000 equivalent in digital assets. But you might then change it and say, okay, we have someone attempting a transaction of over a billion dollars. That’s going to signal a higher level of security and/or alerts, and those keys, which are stored in those secure enclaves, are not going to come down and sign a transaction unless that logic set is satisfied.

 

Matthias 

Right, I understand. So Fireblocks really is a pretty flexible platform for custody and, you know, issuing of digital assets. You’re not providing services yourselves, but you’re a technical infrastructure provider. The question that I had was around multisig and MPC, and the reason being the Bybit hack. For everyone who hasn’t heard about the Bybit hack, a quick rundown; there’s a great blog on the Chainalysis website for further information. On February 21st, Bybit, a really prominent cryptocurrency exchange, experienced a significant security breach and lost nearly $1.5 billion worth of ETH. This incident really is the largest digital heist in the history of cryptocurrency. Fortunately, Bybit is actively collaborating with industry experts, including us at Chainalysis, to track and trace the stolen funds, and also using the newest threat detection systems like Hexagate, the firm which we recently acquired. We were already able to recover $40 million, which is great. Now, when you look at the Bybit hack, what actually happened was, in short, that Bybit employees wanted to perform a routine crypto transfer from the cold wallet into the hot wallet. Bybit operates a multisig process to sign transactions, so it’s essentially a series of signatures that have to be provided before a transaction can be initiated. That’s a pretty common process, but what happened here was that the signing devices themselves were compromised, so the signers saw one transaction on the screen while it was another transaction they eventually signed. So they did sign a different transaction, and the hackers were able to siphon off one and a half billion US dollars, which just shows how cyber incidents can lead to a very rapid and direct loss of customer funds.

And the question that I had, given that multisig processes were involved, was whether MPC technology could have helped, or would have been part of the solution.

 

Jason A. 

Yeah. Let me approach your question from two angles. We look at it in two ways. One is kind of a broad based perspective: what does an incident like this say about the maturity of the industry, and what does it say about the state of custody in general? And then the second question, and we are always asking ourselves this question, going back to FTX, is: could a deployment of the Fireblocks system have prevented this? The reason we want to be able to answer that question is because, you know, what do we need to introduce into our platform to make the answer to that question yes, if it’s not already yes? Pulling back to the broad based perspective on this, we think what happened at Bybit, which is terrible, is also an opportunity for the industry. It’s an opportunity to reflect, to take stock of where we are. From our perspective, this is an opportunity as an industry to come together and coalesce around standards for custody. As I said, custody is not traditionally the most exciting issue in this space. It is absolutely fundamental, and it’s critical that we get it right, not just for each individual service provider like Bybit, although, of course, we never want to see this happen, but for the integrity of the industry as a whole. When I think about the trajectory of this industry and the opportunity before us, we have MiCA coming into force and effect in the European Union. The situation in the United States is rapidly evolving and hopefully improving, at least as far as the outlook for digital asset adoption.

In order for us to realize the promise of this technology and this industry, we have to find a way collectively to ensure that these events do not happen, and do not happen with any frequency or regularity, if they happen at all. Obviously, we’re a custody technology provider, and we think a great place to start that conversation is with and around standards for custody technology. And that kind of leads into the second point, which is, could a different custody technology deployment have prevented this? I think there is evidence that the answer here is yes. One of the most interesting things I heard about Bybit was basically that the system, for the most part, operated as it was designed. Obviously there was a hack here, and we know the UI was compromised and all that. But these are HSM devices basically being used for blind signing transactions in a multisig system. And we just talked about it: there are differences between a multisig and an MPC. So could a destination address have been changed on the Fireblocks system, again, as I said earlier, without somebody becoming aware of that? I don’t think so, if the logic set had been properly calibrated. Could a billion plus dollars have been moved without the properly calibrated logic set having been triggered to prevent that transaction? Again, I think there’s reason to believe it could not. And so it just points to the fact that if we’re thoughtful about this, there is a very good chance a lot of these losses of funds could have been prevented with the proper deployments of different systems. So again, I think there are better options.

I’m not saying in every case that Fireblocks is that option, but I am saying that there are things that we can pay attention to and that we can make sure our exchanges do, particularly as we move into a regulatory environment where there’s VASP and CASP regulation that touches on exchanges. I think we can move to an end state where we’re being really thoughtful about the kind of custody systems we want in place. Again, we can’t control for everything. We can’t control for human error, and, as I said, deployments that don’t make sense, or all those things, but we can make sure that the systems are in place that at least have the capabilities and the multi layer security architecture that would prevent these incidents in the future.

 

Matthias 

Yeah, I absolutely agree. I mean, if there is a certain degree of criminal intent and capability, it’s really hard for regulatory frameworks to put something in place that works 100%. I think you will never reach that point. The other thought that I had around this hack was really that it shows that relying on just static concepts of cybersecurity, like auditing specific smart contracts, for example, that essentially just reflect a certain point in time when it comes to security, is probably not the way forward anymore. We probably need to be much more proactive in approaching cybersecurity, with real time monitoring and essentially leveraging the transactional transparency that blockchains give us. If someone is interested in diving a little bit deeper into that sort of stuff, have a look at Hexagate, a new acquisition here at Chainalysis that essentially does that: third party monitoring systems signing and validating transactions and smart contracts. I mean, you said it a few times, Jason: standardization, new standards. Let’s talk a little bit about DORA, the Digital Operational Resilience Act. Is that, you know, the first attempt to actually make sure that operational resilience is regarded as something even more crucial, given that ICT providers, information and communication technology providers, are increasingly important to deliver financial services? They’re much more integrated into the way financial services work globally, thinking about cloud, all sorts of analytical companies, you name it. What is DORA, and what is it trying to do?

 

Jason A. 

DORA, from our perspective, is really interesting. It’s really challenging. But again, I would put it in the context of what I just said about the need to maybe find ways to introduce standards and raise the bar. At a high level, DORA is a kind of third party risk management. Concepts of third party risk management have existed for decades. If you’re a financial institution and you’re onboarding a critical vendor, whether that’s your back office ledgering systems or other sorts of vendors and operational components, you’re going to need to consult third party risk management guidance, and you’re going to need to put in place certain safeguards and monitoring, et cetera. DORA takes that concept and extends it to something called ICT providers. For our purposes, we can just call them technology service providers. Again, in different contexts, I would argue that technology service providers have always kind of been caught up in concepts of third party risk management. DORA is a very explicit extension of that into the world of third party technology service providers. And DORA basically says that if you’re going to be a third party technology service provider to a financial institution or CASP in the European Union, then there are certain standards that you’re going to have to meet, or else the financial institution or the CASP basically isn’t going to be able to work with you. So in that sense, it’s not a rule that is directly applicable to third party technology service providers. These are companies like Fireblocks; these are largely unregulated companies. But it basically has an indirect application.

So to the extent you would like, as a company, to continue to compete for the business of financial institutions and CASPs, then you will have to bring your business and your business operations basically up to standard to continue to be competitive for that business in the European Union.

 

Matthias 

Right. So DORA is essentially a European framework to ensure that operational resilience is a serious matter. There are third party, well, technology provider oversight mechanisms in place, and there is proper risk management in place. So I’m just talking about financial institutions. So maybe let’s start again. DORA is not about regulating technology providers. It’s about regulating financially regulated entities. So banks, I mean,

 

Jason A. 

I mean,

 

Matthias 

and CASPs, it

 

Jason A. 

is, and it isn’t.

 

Matthias 

Classic lawyer’s answer.

 

Jason A. 

It is and it isn’t. When you think about it, again, I’m very much in favor of finding ways to raise the standards for providers of custody solutions, for example. But when you think about a company like Fireblocks, we’re a software company. Software is not regulated, has never been regulated, and we’re not, in fact, saying it should be regulated. But when you think about, okay, how would you get to a place where you can have higher standards? Well, financial institutions are regulated, heavily regulated, and they always have been. And now we have coming into place VASP style regulation. That’s called CASP in the European Union, but that’s virtual asset service providers, or service providers in the digital asset space. So these institutions are regulated, and what you can do is say to these institutions, we don’t think you’re fit to do business here, or you’re not up to our standards, unless you have adopted guidelines for operational risk management, including guidelines that apply to your selection of critical vendors. Those are vendors who provide services that support critical functions. I think custody is absolutely one of those. So as a regulator, you say, okay, I don’t have a jurisdictional hook into the software industry; that’s not something we’ve done or are interested in doing, but I do have a jurisdictional hook into the financial institutions, and then into the VASPs and the CASPs. And so what we’ll do is put a regulation into place on these institutions, so these institutions will get in trouble if they don’t comply. But then you recognize that that’s going to have a downstream impact.

And what you’re going to do is raise the bar for service providers. Again, it’s not to say that they can’t continue to provide services that don’t meet the heightened standards of DORA. They can, they just can’t continue to do it in this segment of regulated businesses. And for those who want to, they’re going to have to find a way to come into compliance. So I say yes and no. The impact of doing something like this is not unknown. It will have the effect of raising the bar for competition in the service provider space to financial institutions. But again, a good thing about it is that the way it’s been done is smart. It doesn’t cross the line into the regulation of industries that have not been traditionally regulated. But to say that it’s not intended to, or doesn’t have the impact of, imposing standards on those service providers, that’s not entirely true.

 

Matthias 

No, that makes a lot of sense. And I think that’s a really important point that you make here, that even service providers who are providing services to EU regulated financial institutions will be indirectly captured by DORA, which is something quite unique about this framework. I mean, you’ve got so many clients in that segment, obviously, and you have been working on preparing yourself for DORA for quite a while now. What are the key principles of DORA? You mentioned ICT risk management; then incident reporting is another one, I think; digital testing; third party risk management you already mentioned as well. Out of those principles, what are the most challenging ones for you in order to prepare and make sure that you are compliant with DORA, in order for your clients to be compliant with DORA? What was the most challenging part for you or for your clients?

 

Jason A. 

Yeah, it’s been a real journey. I mean, DORA just came into effect, I want to say in January of this year, yeah, January 17th. We’ve been dealing with it for six months before that. As you said, we have a number of customers who are directly impacted. We work with financial institutions all over the world, but in particular in the European Union these are pretty sophisticated customers, and because they have great legal teams who are on top of everything that’s going on, they were coming to us six months ago and saying, what are you guys doing to come into DORA compliance? And in fact, we’ve already been through a process with a European regulator, basically under DORA, assessing our fitness. That was a process we went through with a customer. We had folks on site in the European Union, sitting with the customer, sitting with the regulators. And how do you prepare for that process? The first time is a major learning experience. As a manager of the legal team, we sit down, we parse the text of the regulation, and we come up with our best interpretation. But honestly, it’s the jumping off point for a conversation, because our legal interpretation of what it says on the paper might mean something very different to our security team, and it might have implications, cost implications, whatever it is, that are unknown to us lawyers just sitting there parsing text, and it becomes clear to us once we start interfacing with the other functions within the company. The other reason I say it’s a conversation is because the regulator also comes with expectations, as does the customer.

And so as you’re going through that for the first time, everyone is kind of working through together what is going to be sufficient to get Fireblocks and the customer through this examination with the best possible outcome. What I love about this company is that we got through that process, but that was just the beginning of our journey. Coming out of that process, it was, okay, let’s sit down, let’s talk about things we could have done better. What were the lessons learned here? And then how can we work with our customers on an offering or a package or a set of services that makes the platform as likely to be DORA compliant as possible in any particular deployment? So that’s an iterative process. We came out of that first examination and we basically said, okay, let’s get even better than where we started, and let’s work with our customers to make sure that they’re super comfortable, on a going forward basis, that Fireblocks is prepared in every relevant facet to go through this again.

 

Matthias 

How big would you see that gap between pre-DORA and DORA compliance? Is it a massive leap for financial institutions or technology providers like Fireblocks? Because we all know, you know, outsourcing rules have been here for nearly 10 years now, and many other rules. So how much of a change is it really for you guys and for financial institutions?

Jason A.

I think so. Listen, for financial institutions, I think it’s a paradigm shift in the way they think about certain segments of service provider, right? So their challenges are identifying what are our critical functions, who are the ICT providers that are going to come under the highest level of scrutiny, which are the ones that are going to come under second-tier levels? And then, what are we doing as a financial institution to make sure that we’ve diligenced those service providers in a way that gets us comfortable, as the financial institution that’s actually subject to the rule, going in front of our regulator and saying with confidence, I’ve selected this service provider for X, Y and Z reasons, including my conviction that this is going to be a DORA-compliant service provider, right? So I think that’s the challenge for the financial institution. For a company like Fireblocks, and really all service providers, I think the first question is, what’s your starting point? So again, we consider ourselves first and foremost a software company and a cybersecurity company, and so the investment we’re making every year in cybersecurity, both maintaining the place where we’re at but also getting better, is massive. And so for us, coming into this process, the gap between where we were and where we needed to be was arguably not as great as it might be for some other service providers who are starting off in a different place. What is, and what I think will continue to be, challenging about DORA, right, is that some of the requirements are just time consuming, and because they’re time consuming, they’re expensive. And I think finding a way to create a scalable, repeatable DORA process is kind of the interesting business challenge here.
And so I’m thinking about things like, maybe one of the hardest things that we’ve been dealing with, right, is that there are audit rights that have to be given to the customer. There are audit rights, I think, as well, that have to be given to the regulator. And so as a business, again, you’re trying to run a security team, you’re trying to run an office, you know, an operating business. When are the regulators coming on site? Are they coming on site? What do they need access to? Trying to project and control for this, right, is really a big challenge, and that’s the sort of thing that can be really time consuming, really expensive. And, you know, to the extent that we have identified gaps, it was like, okay, how do we build a framework that makes sense for a customer and that makes sense for the regulator around stuff like these access and audit rights.

Matthias

And given that a massive part of DORA really is around understanding your ICT risk, managing that risk, incident reporting, governance, penetration testing, did you see a difference in preparedness when you compare TradFi firms, for example global banks, to globally operating cryptocurrency exchanges?

Jason A.

Yeah, again, I think so. I mean, this maybe gets us into one of the challenges we’re going to see with the implementation of MiCA, right? So one of the things that’s really interesting is that there has been so much focus and attention on MiCA, which will have a major impact; I’m going to get into that in just a second here. But DORA was basically running on a parallel timeline of implementation with MiCA, and I think it received much less attention and was much less well understood, although I think its impact is also incredibly significant. And so if I could just try to draw out the connection between these two things: with MiCA, you have the European Union introducing this new category of registrant called CASP, crypto asset service provider. This is a version of what at the international level is called VASP, virtual asset service provider. But basically it says, if you’re providing services in the digital asset space, you are probably going to have to come in and register as a CASP, which means operating under a license. It also means a few other things, right? It means new compliance obligations, and it also, interestingly, means that you have to become DORA compliant. So DORA applies to financial institutions and also CASPs. And this goes to your question: I think what’s different about the financial institutions versus the CASPs is that the financial institutions have been under concepts of third party risk management, as I said, for a very long time. And so for the financial institution, this sort of analysis is not necessarily new, right? They have a muscle here, and it has to be flexed in a different way, but they have that muscle that’s developed. For the CASP, you could be a digital asset exchange, you could be a digital asset custodian, whatever business you’re operating.
And for as long as you can remember, as an operator of that business, you’ve been operating basically without any sort of regulatory framework, for however long. Now you’re coming under MiCA, which, as I said, has its own challenges around compliance and other things, but then you’re getting hit with this double whammy of DORA, right? And so now you have to develop this muscle that you never had before, of really robust third party risk management assessment. And if you’re a digital asset company, you probably have some pretty significant and critical third party technology service providers, right? And so for these firms in particular, I think this is a really tough transitional period. You’re dealing with the implementation of MiCA, which has its own requirements, but then you’re also getting hit with DORA, which has these third party risk management requirements, which I think are probably not as well known to CASPs as they are to financial institutions.

Matthias

I totally agree. I mean, CASPs will be busy here in Europe over the next year and probably beyond that. Not only MiCA, which is a massive game changer, from AML/CFT-focused regimes into really holistic prudential conduct rules. So that’s a massive game changer. And DORA, I think, too. You know, listening to you, I really do understand that DORA is not only about cybersecurity. It’s much broader than that. It’s about operational resilience of the entire financial services sector and crypto, and both sides need to be well prepared for that. It seems like it’s even a cultural shift, and alongside MiCA, that’s a pretty tough gig CASPs have at the moment. And then, actually, I think they have to deal with a triple. There’s also the travel rule, which sits alongside MiCA and DORA as well. But I think DORA is also reacting to that, potentially. Looking at fines and potential enforcement, there are extremely high fines, up to 2% of global turnover if you’re non-compliant with DORA. Even, as you said before, CASPs and regulated financial services, if they don’t comply with DORA, there’s even the possibility of withdrawing their license in Europe, and essentially ending their operations here, alongside liability for executives, so something like a senior managers regime here. One thing that I was interested in, because you mentioned the costs of DORA and, you know, obviously there’s loads of cost to compliance: in some instances that also translates, however, into a competitive advantage, because things get safer. When I thought about DORA, I was really wondering, are you sort of worried about DORA or excited about DORA? And the reason why I ask is because DORA is quite prescriptive, and it sets a really high bar in terms of documentation and third party risk management, understanding, managing and mitigating.
Do you think DORA will actually boost cybersecurity developments and even fuel investments into new technologies like AI and these sorts of things, and essentially become a competitive advantage? Or do you think that this prescriptive regime will actually hinder developments in the EU and essentially make it harder for firms to compete with other firms globally? So is DORA going to be a catalyst for innovation in cybersecurity, or do you think it is a massive disadvantage and over-regulation?

Jason A.

Listen, regulation always changes the competitive landscape, right? And it creates opportunities for some and for others. So I think the challenging thing about DORA, and I’ve already talked about it, is that it is a high bar to meet. And as I said, even for a company like Fireblocks, where we’re constantly investing in our cybersecurity, there were things that we felt for DORA compliance purposes could be done better. And we invest in those things. But when you set a really high bar, I mean, you do make it challenging for some to raise their game to the level of being able to meet that standard. And so, again, I’ve been talking about the impact of DORA, and I’ve been saying that service providers will continue to be able to provide services, but to the extent they want to be competitive in the market for financial institution customers, you’re going to have to make the capital expenditures to be competitive in that market. And the reality is, when you introduce a rule like this, not everyone is going to do it. And hopefully for good reasons, right? Like they have a different angle on the market. But anyway, the expense of compliance is kind of the downside of DORA, and it will have competitive impact. I am still, though, of two minds about DORA, and the other side is really positive and hopeful, actually. So I see in DORA a great opportunity. We kind of started at the top talking about Bybit, and we talked about the idea of standards that could be at the national level or at the multinational level, basically for custody solutions, for the infrastructure layer of this digital asset space.
And I think as a legal construct, the DORA model is actually a really good one. And I think reasonable minds can disagree about the content of DORA and whether that’s the right approach; you talked about some of the more punitive stuff, the senior managers regime type stuff. So we could disagree about the content there. But I think in terms of the way that this reaches and attaches to the service provider community, it is, in some ways, very elegant, right? Again, it doesn’t cross that red line of going into the regulation of software. Software providers can continue to provide software. It’s just that if you want to service this segment of the market in particular, you’re going to have to reach a higher standard. And I think that’s a good way of creating a set of service providers and a set of services that are gold or platinum plated. And so again, just from a legal construct perspective, I look at DORA as kind of a model, and it’s something I think about all the time as I go out and talk to regulators now. When I talk about things like custody standards, I do have in the back of my head something like DORA. And maybe the content of what I’d like to see has a different emphasis, but I think as a way of reaching the service provider community and raising the bar for regulated institutions, which are obviously providing really important services to the market, I think DORA could actually be a good starting place.

Matthias

Oh, interesting. Yeah. No, definitely. Let’s see how, you know, the proof is in the pudding. So let’s see how it is implemented and how the industry can actually cope, and we’ll see the impact of DORA hopefully soon-ish. You said regulation of software, and you’re happy that DORA is not doing that, and obviously MiCA is not covering any true DeFi, truly decentralized services. I was just wondering about DeFi in the DORA context. Given an increase in decentralized networks, permissionless networks, DeFi services, DeFi products, how do you think firms will be able to be compliant with DORA and all the documentation, reporting and auditing rights that are attached to those, while at the same time maintaining the decentralization of services, or of services they interact with in the DeFi space, for example? Do you think that that is still possible?

Jason A.

I mean, listen, there’s a reason the European Union delayed rulemaking on DeFi, and that’s because it’s not easily solvable, and unfortunately I don’t think we’re going to solve it here today in a few minutes. But I think this is one of the most interesting legal questions in the space. So I started off by saying that I’m a financial services lawyer, and my background is TradFi, and that I spend a lot of my time analogizing between the frameworks that apply in traditional finance and what’s going on in the digital asset space. The biggest challenge that we face from a legal perspective is the fact that our traditional frameworks in financial services are intermediary based. Which is to say, and DORA is a great example of this, that the regulation falls on some sort of intermediary, whether that’s a financial institution or someone else. What DeFi and what smart contracts do is they make a direct challenge to our basic legal conception about how to regulate things. They take out that intermediary. There’s nothing there but the contract after it’s been coded and released, right? There’s nothing there but the contract itself. And the contract itself can’t be held responsible, or so we say. And so DeFi has always posed a challenge. And I think the resolution of that question, and again, I don’t have the answer here today, but I think the resolution of that question, who’s responsible, if anyone is responsible, I think that’s one question. And then I think the second question, forgetting the concept of liability or responsibility, is, how do we make sure that these smart contracts are safe? How do we make sure that they operate in the ways that are intended? I think this gets to questions of operational resilience.
And honestly, I think if we can even solve the second question first, yeah, then I think that gets us a good deal of the way there. Hopefully we don’t have to find a responsible person, because nothing has

Matthias

gone wrong. Yeah, exactly. That would be ideal. And that was roughly what I was trying to hint at at the beginning, that I think when it comes to smart contracts and DeFi, our current regulatory thinking doesn’t really bite here, and I think we still need to figure out what we actually want to do in the DeFi space. It’s way too early to rush into a specific type of concept, I think, but the one thing that we can do now is actually ensure that our security standards are higher and really think more about proactive cybersecurity threat detection and mitigation strategies in that space. And that’s why I think we should think more about real-time monitoring, rather than just auditing, as we traditionally have. Jason, you’ve got a global role, so you see it all. Do you think that the EU has landed another blockbuster with DORA, and there’s going to be many, many countries following DORA’s example? Or do you think that DORA, in the way it is designed, is very prescriptive? I mean, I’m pretty sure you know that at the beginning of DORA, when the negotiations started way back in 2020, it was even considered to have contractual templates for a variety of services. So it’s extremely prescriptive. Do you think that concept would actually be adopted in different jurisdictions? Where do you see the regulatory landscape evolving to on a global level?

Jason A.

I think we’re entering a very interesting period, and I’m really excited to see what happens. So just to answer your question about DORA, I do think there’s something there. I think there’s a sort of model there for service provider regulation. As I said earlier, I don’t actually think, conceptually, it’s very new. I think concepts of third party risk management have been around for a long time. I do think concepts of third party risk management are useful, and DORA as the latest example is great in that respect, but where I think broadly we’re going is potentially very different from the place we’ve been over the last couple of years. So the story as I tell it starts back in the financial crisis of ’08-’09, where I started my career. When we came out of that financial crisis, from a regulatory perspective, we basically had global consensus at a principled level, coming out of the G20 and coming out of the G7, about, you know, these are the things we’re going to regulate in the derivatives market, and to reform financial services. And each country took those principled recommendations away, and they created legislation, right? In the European Union that got you MiFID I and II; in the United States it got Dodd-Frank; and similar stuff all across the world. So my point, though, is that we basically had global consensus, principled agreement, and then we had legislation following in lockstep thereafter. What we’ve seen over the last couple of years, and I actually think the digital asset space is a great way to look at this, is the geopolitical landscape fracture, and this has been reflected in the way that we’ve moved forward with the regulation of digital assets. So we have had no global consensus. We have had multiple crises in the space, major loss events, from Mt. Gox to FTX to Bybit.
We’ve never had a coming together of nations, and we’ve never had principled agreement on what to do about it. What we’ve had instead are individual actors moving forward. There are shared concepts, like VASP regulation, but basically it’s been individual states moving forward. When I think about some examples of that, I think about places like Singapore. I think about places like the UAE, where they have very active regulators. I think, of course, first and foremost about what’s been going on in the European Union. What I think is about to potentially happen is we’re going to see the paradigm shift again. And this is completely contingent on what happens in the United States. But if the United States makes good on its promise to attempt to become the crypto capital of the world, I think we have a new point of polarity in this kind of geopolitical mixture I’ve been describing, and we might have a new center of gravity in a way that we haven’t seen before. And so there is a potential outcome here where the United States really enters into the space with regulatory frameworks, with, you know, economic wind in its sails, and issues rules which may or may not have anything to do with what the European Union has done, frankly. Because we see an administration that at least has vocalized a willingness to completely go its own way. And if that happens, that could be a really powerful new model for the world to follow. And I think within a certain sphere of Western influence, we could see a lot of other countries following the United States’ lead. I’ve spoken to many regulators who have basically said, we want to see what the United States does. And so I think that’s kind of a new thing we could see. Yeah,

Matthias

it certainly remains exciting to be in that space. And I’m really curious about how it’s going to turn out. Because obviously, internationally, harmonized, or at least compatible, regimes would be the way forward on digital assets, including on operational resilience, because otherwise, especially globally operating companies will find it extremely difficult to be compliant with competing frameworks. More generally speaking, yeah, I think we are pretty much running out of time. Jason, thank you so much for your insight today. It was great to talk to you about DORA, and I think I’ve understood that DORA is not just another compliance rule, but it’s actually a mindset shift pushing financial institutions, and indirectly also technical providers, to proactively approach cybersecurity and operational resilience, so you better all be prepared. Where can people find more about you or Fireblocks?

Jason A.

Yes, sure. Folks can find me on LinkedIn. Obviously they can find the [email protected] and, yeah, we’d love for folks to reach out

Matthias

Thank you so much for being here with us today, and I’m really looking forward to speaking again soon. Thank you. Thank you. Applause.