AML, DORA & Regulatory Compliance – VoltLegal AML & DORA Compliance EU | Crypto Fintech | VoltLegal

AML, DORA & Regulatory Compliance

AML and DORA compliance for crypto and fintech businesses in the EU is no longer a documentation exercise. Regulators are conducting substantive reviews — examining whether policies are operationally implemented, whether monitoring systems produce meaningful alerts, and whether the management body understands the firm’s risk exposure. A compliance programme that exists on paper but does not function in practice is an aggravating factor in an enforcement action, not a mitigating one.

At VoltLegal, we build compliance programmes for crypto exchanges, CASPs, payment institutions, and fintech companies that work operationally — not just documents that satisfy a licensing checklist and then sit unused.

AML/CFT compliance under MiCA and AMLD6

CASPs authorised under MiCA are designated obliged entities under the EU’s anti-money laundering framework. This means full AML/CFT obligations apply — not a simplified regime. The applicable framework combines MiCA’s CASP-specific requirements with the broader obligations under the Anti-Money Laundering Directives and, from 2026, direct supervision by the Anti-Money Laundering Authority (AMLA) for the largest cross-border firms.

AMLA launched in 2026 and will directly supervise the highest-risk cross-border CASPs and financial institutions at EU level. For firms that fall under AMLA’s direct supervision perimeter, the supervisory relationship shifts from the home NCA to the EU-level authority — a fundamental change in how compliance is reviewed and enforced.

Core AML/CFT requirements for CASPs under MiCA:

  • Customer due diligence (CDD) — identity verification, beneficial ownership identification, and business purpose assessment for all clients. Enhanced due diligence for higher-risk clients, politically exposed persons, and cross-border relationships
  • Transaction monitoring — real-time and retrospective monitoring for suspicious activity patterns. Blockchain analytics integration for crypto-specific risk indicators. Alert triage and investigation workflows that produce documented decisions
  • Travel Rule (TFR) — Regulation (EU) 2023/1113 requires originator and beneficiary information to accompany all qualifying crypto-asset transfers. Implementation requires technical integration with counterparty CASPs and a defined policy for unhosted wallet interactions
  • Suspicious transaction reporting — STR submission to the national FIU with documented investigation trails. AMLA’s June 2025 update highlighted persistent gaps in VASP Travel Rule compliance and STR quality as enforcement priorities
  • Sanctions screening — real-time screening against EU restrictive measures, OFAC, and other applicable sanctions lists. Blockchain address screening for sanctioned wallets and entities
  • MLRO function — a qualified Money Laundering Reporting Officer with direct access to the management body, sufficient authority to escalate concerns, and documented oversight of the AML programme

The distinction that matters for regulators: policies answer what you intend to do. Operating procedures answer how your team actually does it. A regulator examining your AML programme will test both — and the gap between the two is where most firms fail supervisory review.

DORA compliance for financial entities

DORA has applied to all regulated financial entities in the EU since January 17, 2025. It applies to CASPs under MiCA, payment institutions, electronic money institutions, investment firms, and their critical ICT third-party service providers. The regulation is not aspirational — supervisors are conducting reviews and expect documented, tested, operational frameworks.

ICT risk management framework — documented identification, classification, and treatment of ICT risks. Business impact assessments for critical systems. Recovery time and recovery point objectives that are tested, not assumed.

ICT incident classification and reporting — clear criteria for classifying incidents as “major” under DORA’s regulatory definition. Major incidents must be reported to the competent authority promptly, with root cause analysis and remediation timelines. The reporting window is tighter than most firms expect — firms that have not built detection and escalation procedures before an incident will not meet reporting obligations.

Digital operational resilience testing — annual testing requirements for all entities, with advanced Threat-Led Penetration Testing (TLPT) required for significant financial institutions. Testing must be documented, results must be reviewed by the management body, and remediation must be tracked.

Third-party ICT provider management — one of the most underestimated requirements. DORA requires documented registers of ICT outsourcing arrangements, DORA-aligned contractual clauses with critical providers, and enhanced due diligence for unregulated vendors. Accountability for compliance remains with the financial entity — outsourcing to a cloud provider or compliance technology vendor does not transfer regulatory responsibility.

A common error: firms assume that international frameworks like ISO 27001 or SOC 2 satisfy DORA. They provide a useful foundation but do not cover DORA’s specific requirements — particularly mandatory incident reporting timelines, regulatory notification procedures, and the contractual obligations toward ICT providers. A gap analysis between your existing framework and DORA is the starting point.

Travel Rule — practical implementation

The Travel Rule under Regulation (EU) 2023/1113 has no transitional period. It requires CASPs to collect, verify, and transmit originator and beneficiary information for all qualifying crypto-asset transfers at the time of transfer.

Implementation requires four components that most firms underestimate in their initial compliance planning:

Technical integration — connection to a Travel Rule protocol (TRISA, OpenVASP, or a commercial solution) to exchange data with counterparty CASPs. Not all counterparty CASPs are reachable — a policy for unhosted wallet transfers and non-responsive counterparties is required.

Unhosted wallet policy — transfers to and from unhosted (self-custodied) wallets trigger additional requirements. The appropriate level of due diligence for unhosted wallet interactions depends on the risk profile of the transfer and the client. Regulators have been explicit that blanket blocking of unhosted wallet transfers is not compliant — a risk-based approach is required.

Data quality and retention — Travel Rule data must be accurate, complete, and retained for the required period. Inaccurate beneficiary data is a compliance failure regardless of whether the transfer itself was suspicious.

Sanctions integration — Travel Rule data flows must be integrated with sanctions screening. A transfer that passes Travel Rule data checks but is not screened against sanctions lists is a separate compliance gap.
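The three controls above (complete Travel Rule data, sanctions screening on the same data flow, and a risk-based rather than blanket rule for unhosted wallets) can be combined into one pre-release check. The following is an added illustration, not VoltLegal’s or any protocol’s code; the required field names, the `beneficiary_casp` marker and the sanctioned address are constructed assumptions.

```python
# Added example (not from the original page): a pre-release check that runs
# TFR completeness and sanctions screening together, so one gap never hides
# the other, and routes unhosted-wallet transfers to review instead of blocking.
from dataclasses import dataclass, field

# Assumed minimum TFR fields for this example (not the regulation's exact list).
REQUIRED_ORIGINATOR = ("name", "account", "address_or_id")
REQUIRED_BENEFICIARY = ("name", "account")

# Constructed sanctions list: wallet addresses treated as sanctioned here.
SANCTIONED_ADDRESSES = {"0xdeadbeef0000000000000000000000000000c0de"}


@dataclass
class CheckResult:
    status: str                      # "release", "review" or "block"
    findings: list = field(default_factory=list)


def _missing(record: dict, required: tuple) -> list:
    """Return required keys that are absent or blank in `record`."""
    return [k for k in required if not str(record.get(k, "")).strip()]


def check_transfer(transfer: dict) -> CheckResult:
    """Decide whether a crypto-asset transfer may be released.

    Completeness and sanctions checks both always run and both block;
    a missing counterparty CASP (unhosted wallet) only triggers review.
    """
    findings = []
    parties = (("originator", REQUIRED_ORIGINATOR), ("beneficiary", REQUIRED_BENEFICIARY))
    for party, required in parties:
        gaps = _missing(transfer.get(party, {}), required)
        if gaps:
            findings.append(f"tfr_incomplete:{party}:{','.join(gaps)}")
    for party, _ in parties:
        acct = str(transfer.get(party, {}).get("account", "")).lower()
        if acct in SANCTIONED_ADDRESSES:
            findings.append(f"sanctions_hit:{party}:{acct}")
    if findings:
        return CheckResult("block", findings)
    # No counterparty CASP to exchange TFR data with: self-custodied wallet.
    # Route to risk-based due diligence rather than an automatic refusal.
    if not transfer.get("beneficiary_casp"):
        return CheckResult("review", ["unhosted_beneficiary:risk_based_review"])
    return CheckResult("release", [])
```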

CARF and DAC8 — tax reporting obligations

From January 2026, EU member states are implementing DAC8 — the EU’s transposition of the OECD’s Crypto-Asset Reporting Framework (CARF). CASPs and other reporting crypto-asset service providers must collect, verify, and report detailed user transaction data to their home tax authority, which exchanges it automatically with other EU member states.

Reporting obligations cover crypto-to-fiat trades, crypto-to-crypto swaps, transfers to unhosted wallets above thresholds, and NFT transfers in certain circumstances. The first reporting period for most jurisdictions is the 2026 calendar year, with reports due in 2027.

Firms that have not implemented CARF/DAC8 data collection workflows by the start of the reporting period will face a retroactive data problem that is operationally difficult to resolve.

Our AML and DORA compliance mandate covers:

  • AML/CFT programme design — policies, operating procedures, risk appetite statements, and governance frameworks that function operationally
  • MLRO support — qualification assessment, role definition, and ongoing advisory support for the MLRO function
  • Travel Rule implementation — protocol selection, unhosted wallet policy, counterparty management framework
  • DORA gap analysis — mapping your existing ICT framework against DORA requirements and identifying remediation priorities
  • DORA documentation — ICT risk management framework, incident classification procedures, third-party ICT provider register and contractual review
  • Sanctions programme — screening policy, blockchain address screening integration, escalation procedures
  • CARF/DAC8 readiness — data collection requirements, reporting workflow design, jurisdictional scope analysis
  • Regulatory examination preparation — mock regulatory reviews, gap analysis against NCA examination frameworks, management body briefings
  • Ongoing compliance retainers — regulatory monitoring, policy updates, NCA correspondence management

AML and DORA compliance in the EU – talk to us

If you are building a compliance programme from scratch, preparing for a regulatory examination, or reviewing your existing framework against current NCA expectations, we start with a structured gap analysis before any programme work begins.

Book a 30-minute consultation to discuss your compliance requirements and where your current programme may have gaps against MiCA, DORA, and AMLD6 expectations.
