💥 The Hidden Threat No One Talks About in Web3: Dependencies

Most teams in Web3 focus all their security efforts on smart contracts: audits, fuzzing, formal verification… But here’s the uncomfortable truth: attackers have moved on. They’re no longer just targeting your contracts. They’re targeting your toolchain: the npm packages, libraries, and dependencies that your dApp quietly relies on every single day.

🧨 A single compromised dependency can:
- Inject malicious code into your build or deployment pipeline
- Exfiltrate private keys or API secrets
- Modify your front-end logic to drain user wallets
- Go unnoticed for months, even in open-source repositories

Even if your contracts are audited and verified, your app might still be at risk before it’s even deployed.

🔐 How we can protect our Web3 stack:
- Pin dependencies and lock versions (package-lock.json, yarn.lock)
- Avoid abandoned or unmaintained libraries
- Use private or verified registries
- Monitor your build process and GitHub repos for suspicious changes
- Include CI/CD and dependency reviews in every audit process
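As an added example (not code from the post above), here is a small Python audit of a package-lock.json that flags any entry not pinned to an exact, integrity-checked artifact served over https from an approved registry, which is the checkable form of "pin dependencies" and "use private or verified registries". The allow-list host, package names, hashes and lockfile content are constructed placeholders.

```python
import json
import sys
from urllib.parse import urlparse

# Allow-list of registry hosts a dependency may be fetched from (assumption:
# replace with your organisation's private or verified registry hosts).
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

def audit_lockfile(lock, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return (package_path, problem) pairs for lockfile entries that are not fully pinned.
    Handles lockfileVersion 2/3 ("packages" map). A pinned entry has an exact version, a
    'resolved' https URL on an allowed registry, and an 'integrity' hash, so `npm ci`
    cannot silently fetch a different artifact next time."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):  # root project entry or workspace symlink
            continue
        if "version" not in meta:
            findings.append((path, "missing version"))
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((path, "missing resolved URL (not pinned to an artifact)"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https":
                findings.append((path, f"non-https source: {resolved}"))
            elif (url.hostname or "") not in allowed_hosts:
                findings.append((path, f"resolved from unapproved host: {url.hostname}"))
        if not meta.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings

# Constructed sample lockfile (package names, mirror host and hashes are made up):
# one clean entry, one from an unapproved mirror, one with no resolved URL/integrity.
SAMPLE_LOCK = {
    "name": "example-dapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "1.0.0"},
        "node_modules/example-web3-lib": {"version": "6.13.0", "integrity": "sha512-PLACEHOLDER",
            "resolved": "https://registry.npmjs.org/example-web3-lib/-/example-web3-lib-6.13.0.tgz"},
        "node_modules/example-wallet-lib": {"version": "0.0.3", "integrity": "sha512-PLACEHOLDER",
            "resolved": "https://mirror.example.invalid/example-wallet-lib-0.0.3.tgz"},
        "node_modules/example-unpinned": {"version": "2.1.0"},
    },
}

if __name__ == "__main__":  # pass a real package-lock.json path to audit it instead
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, problem in audit_lockfile(lock):
        print(f"{path}: {problem}")
```

Run it in CI against the committed lockfile and fail the build on any finding, so a dependency that drifts to an unapproved source or loses its integrity hash is caught before deployment.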
Digital Trust Frameworks
-
🇪🇺 What Does #DORA Mean for the #EU Fintech Landscape?

📍 What is the Digital Operational Resilience Act (DORA)?
Cyberattacks on EU financial infrastructure more than doubled in 2023, and with the growth of AI, predictions point to a steady increase in cyberattacks in 2024. The thought of AI-powered cyberattacks is scary, and rightfully so. Cybersecurity is more important than ever, and digital resilience must be a top priority for European financial institutions. The Digital Operational Resilience Act (DORA) entered into force on 16 January 2023 and will apply from 17 January 2025. DORA aims to ensure that financial institutions such as banks, investment firms, and trading platforms, among others, have a much more resilient and secure ICT infrastructure against potential cyber threats. DORA also aims to prevent cases like the recent global IT outage.

📍 What does DORA cover?
First and foremost, the priority of the Digital Operational Resilience Act is ensuring financial institutions’ ICT departments are resilient to these threats by focusing on several crucial areas, such as:
- ICT risk management: Institutions must account for their ICT department organisation, risk-management framework, protocols, and applications, among others.
- IT third-party risk management: Financial institutions must monitor third-party risk and conduct analysis throughout the contract duration.
- IT incident reporting: If an incident occurs, institutions must monitor, log, classify, and report the incident to the designated party.
- Testing operational resiliency: Institutions must create testing programmes and constantly monitor their IT security resilience to establish a risk baseline.
- Information exchanges: DORA encourages financial institutions to share information and intelligence on cyber threats by notifying the authorities.

📍 How will DORA impact the EU #fintech landscape?
There are events most organisations don't plan for, from internet or electricity shortages to the very cyberattacks DORA wants to prevent. Creating a sturdy ICT security practice takes time and effort, but it also creates business resiliency and stability, which are very important but sometimes easily dismissed. New regulations always lead to challenges, like the MiCA Act, for example, which made crypto platforms just as compliant as any other financial platform. DORA will force management to take a much more proactive stance and constantly stress-test their IT operational resiliency. Likewise, fintech managers must ensure suppliers and business partners take their IT security seriously through their third-party risk management.

Source: Louis Thompsett & FinTech Magazine
Learn more: https://lnkd.in/dWBwD4Cy
-
The ESAs DORA guide explains the framework's objectives, principles, structure, activities, processes, and expected outcomes. It covers CTPP designation based on criticality, risk assessment, and detailed oversight activities including ongoing monitoring, requests for information, general investigations, and inspections. The document also outlines the issuance of non-binding recommendations for identified deficiencies and subsequent follow-up procedures to ensure compliance, ultimately aiming to enhance digital operational resilience and financial system stability across the EU. https://lnkd.in/d4KNQpV7
-
🚨 #DORA #Compliance & Third-Party Risk: Are You Ready? 🚨

Financial institutions are facing a new era of operational resilience with the Digital Operational Resilience Act (DORA) in effect since January. One of the biggest challenges? Managing third-party vendors in a way that aligns with these stringent requirements.

🔍 Why does this matter? DORA makes it clear: your vendors are an extension of your operational risk, and their failures can become yours. That means financial organizations must step up their Third-Party Risk Management (TPRM) game to ensure compliance.

Here’s how to get ahead of the curve:
1️⃣ Centralize Vendor Risk Management – Map out all third-party relationships and continuously monitor their risk profiles.
2️⃣ Go Beyond Initial Due Diligence – Ongoing risk assessments are key. DORA mandates that vendors’ resilience capabilities be regularly tested and reviewed.
3️⃣ Establish Incident Reporting Protocols – Ensure third parties have clear procedures for reporting cyber incidents in real time to minimize damage.
4️⃣ Include DORA-Specific Clauses in Contracts – Ensure outsourcing agreements reflect the regulatory obligations placed on your organization.
5️⃣ Stress Test Your Vendors – Don’t just take their word for it: run simulations to assess their operational resilience in real-world scenarios.

🚀 Proactive compliance is the best compliance. Now is the time to strengthen your vendor risk management framework and ensure resilience across your entire digital supply chain.
-
If you use web3 or crypto libraries in your project, please be aware that many of the Solana and WalletConnect packages on NPM today are malicious. Take, for example, solanacore and walletcore-gen, published today, and another package, Solana-login, published a couple of weeks ago. These packages employ multiple attack techniques, including dropping an infostealer on any system that installs the package and exfiltrating sensitive data to an attacker-controlled domain. If your project has web3/crypto dependencies, please ensure they are legit! This is no joke. I've submitted solanacore and walletcore-gen to the OSV malicious packages list and asked NPM to pull the packages, but it tends to take several weeks before NPM removes them. In the meantime, people are still downloading these packages and potentially being compromised. #softwaresupplychain #dependencies Solana Foundation WalletConnect Foundation npm, Inc.
-
Last week, the Cayman Islands Monetary Authority published a revealing review of 11 registered VASPs. Their findings?
- 36% lacked succession planning
- 45% had no internal audit plans
- 82% had no formally approved cybersecurity responsibilities
- 80% hadn’t audited their custody frameworks

Now imagine you’re a crypto investor or institution looking to work with a VASP. Wouldn’t you want assurance these risks are being managed?

Enter MiCA. The EU’s Markets in Crypto-Assets (MiCA) regulation is shaping up to do what Cayman and others are only now catching up to:
✅ Enforce rigorous governance
✅ Mandate clear custody procedures
✅ Require robust internal controls
✅ Impose real cybersecurity oversight
✅ Align with FATF, EBA, and global AML standards

That’s why MiCA-licensed CASPs (Crypto Asset Service Providers) won’t just be compliant. They’ll be attractive. To banks. To fintechs. To institutional clients from the US to the Middle East to Asia. At the same time, MiCA keeps small and new players out of the industry, hindering innovation.

MiCA could become the seal of credibility in a fractured regulatory landscape. And that creates a real strategic edge for the EU-based providers able to meet the standards. In a world where trust is currency, EU CASPs might just be about to cash in.

Do you think MiCA will set the new global bar?

#MiCA #CryptoCompliance #VASPs #EURegulation #Custody #AML #Cybersecurity #CIMA #CASPs #RegulatoryStandards #CryptoEurope #MiCAready
-
MiCA, DORA, and AMLA: What It Means for Crypto Service Providers

The EU is ramping up its regulatory game, and the crypto space is feeling the heat. Between MiCA, DORA, and the newly emerging AMLA, compliance is no longer just a checkbox; it’s a significant investment in time, money, and resources.

Key Updates You Need to Know:
• MiCA: The Markets in Crypto Assets Regulation came into force on December 30, 2024, laying out strict rules for licensing, investor protection, and governance for CASPs.
• DORA: The Digital Operational Resilience Act followed on January 17, 2025, requiring robust cybersecurity and ICT frameworks.
• AMLA: The Anti-Money Laundering Authority is taking shape with Bruna Szego recently appointed as chair. The Executive Board will follow by Easter, with key decisions on geographical representation in the works.

The Bigger Picture
For crypto asset service providers, this trifecta of regulations means:
• Rising operational costs: From ICT investments to AML monitoring systems, there’s no shortcut to compliance.
• Increased scrutiny: MiCA and AMLA are designed to close loopholes and enhance transparency, raising the bar for market participants.
• Strategic planning: Aligning with these frameworks requires a proactive approach to governance, risk, and technology.

Why This Matters
This is about more than staying compliant; it’s about building trust in the crypto ecosystem. With MiCA and DORA already here, and AMLA gearing up for enforcement, organisations must act now to avoid being left behind. The European Anti-Financial Crime Summit 2025 on May 7 in Dublin will be a key event to unpack all of this and more. With leaders from regulators, fintech, banking, and law enforcement, there will be no shortage of insights on how the crypto space can navigate these regulatory waves.

What’s your take on MiCA, DORA, and AMLA? Progressive or Decel for Crypto Innovators?

#crypto #regulation #mica #dora #amla #compliance #antimoneylaundering #financialcrime #cryptoservices
-
30th December: Cryptocurrencies enter a comprehensive regulatory framework in the EU under MiCA (Markets in Crypto-Assets)!

MiCA is a monumental step forward in bringing clarity and trust to the crypto space in Europe. By establishing a unified framework across the EU, it tackles long-standing issues like regulatory inconsistencies, investor protection, and financial stability. Under this framework, crypto-asset service providers (CASPs) will need to adhere to stringent licensing requirements, ensure robust market abuse prevention measures, and comply with transparency rules that prioritize investor safety. The inclusion of stress testing, liquidity management, and own funds requirements by the European Banking Authority (EBA) underscores the depth of this regulation in aligning crypto with traditional financial standards.

This is a much-needed shift from this era of crypto to a more structured, secure, and innovation-friendly environment. As someone from the crypto industry, I see this as a pivotal moment—not just for Europe, but as a template for global crypto regulations. The adoption of MiCA demonstrates the importance of balancing innovation with safeguards, ensuring that technology serves the greater good without compromising financial integrity.

In India, where crypto adoption is rising, we can learn from MiCA’s approach. A well-defined regulatory framework can foster innovation, attract global investors, and protect citizens from risks like fraud and instability. It's time we initiate similar conversations to unlock crypto’s full potential while addressing its challenges responsibly.
-
Today marks a significant milestone in the financial sector: the EU Digital Operational Resilience Act (DORA) officially takes effect. Like many others around the Nordics and indeed the entire EU, we at Danske Bank have been working hard to prepare for this moment. So, what makes DORA different, and how does the world of operational resilience change starting today?

1. Operational Resilience Becomes a Regulatory Imperative
DORA isn’t just a framework; it’s a paradigm shift. It moves operational resilience from a best practice to a legal requirement across the EU. Financial entities are now mandated to not only manage risks within their organization but to also ensure the resilience of their third-party providers, especially critical ICT service providers.

2. A Focus on Testing, Not Just Compliance
Under DORA, resilience isn’t about ticking boxes. It’s about stress-testing your systems against real-world threats—cyberattacks, operational disruptions, or systemic failures—and demonstrating your capacity to maintain critical services in extreme conditions.

3. Bridging Cybersecurity and Risk Management
Traditionally, cybersecurity and operational risk management have been siloed. DORA integrates them, creating a cohesive approach to managing risks that span technology, processes, and third-party dependencies. Again, while some have done this previously, it’s no longer optional.

4. Transparency and Accountability
With mandatory reporting of major ICT incidents and the requirement to maintain a robust incident response framework, DORA increases accountability across the board. It demands that organizations not only respond to threats effectively but also report transparently to regulators and stakeholders, who have themselves been working hard to prepare for this.

What Changes Today?
For many of us in the financial sector, DORA isn’t a starting line—it’s a checkpoint. If your organization has been preparing effectively, today should feel like a natural extension of your resilience strategy. However, DORA brings clarity and consistency across the EU. Starting today, regulators will expect more than words; they’ll want evidence that your organization can adapt, recover, and thrive in the face of adversity.

Why Does This Matter?
Operational resilience isn’t just about compliance—it’s about trust. In a world where financial services are increasingly interconnected, disruptions don’t just hurt individual organizations; they ripple across the ecosystem. By enforcing resilience at all levels, DORA raises the bar for the entire industry. As we step into this new regulatory landscape, the question isn’t whether you’re compliant—it’s whether you’re resilient enough to lead the way.

What are your thoughts on today? I’ll be surprised if any of you post that you’re glad the work is done; for myself, I feel like this is the latest step in what promises to continue to be a high-focus area!
-
In the latest episode of The New Money Podcast, I sat down with Dr. Ulli Spankowski, Founder of BISON App and Chief Digital Officer at Boerse Stuttgart Group. Ulli didn’t just build a crypto app. He built a regulated platform that now drives 25% of revenue at a 160-year-old stock exchange. This is a masterclass in how crypto goes institutional. Here are my 3 key takeaways👇

1. Europe’s crypto edge is regulatory clarity
“Once there is a license, there is a legit business.” That’s how Ulli described the impact of MiCAR. MiCAR gave institutions the framework they needed to move. Regulation didn’t just reduce risk - it created legitimacy. If you’re building in crypto:
– Treat compliance as distribution. It builds trust at scale.
– Regulation doesn’t slow you down - lack of it does.
– A license is a wedge. Institutions won’t move without one.
Regulatory clarity isn’t just a box to check - it’s how you unlock the market.

2. Forget tokenomics. The real moat is brand reputation.
Bison’s target customers aren’t 22-year-old degen traders. They’re 35–65, investing 5–7 figures - and expecting Swiss-level safety. Ulli knew from day one:
– Trust beats features
– Location, licensing, and brand matter
– No one wires money to an app they don’t believe will still exist in 5 years
Reputation isn’t earned in a bull market - it’s built to survive the bear.

3. TradFi x Web3 is becoming the new default.
Ulli didn’t build Bison alone. He partnered with Börse Stuttgart to gain what most crypto companies lack:
– Institutional-grade trust
– Instant distribution
– Regulatory credibility
That wasn’t a workaround. It was the strategy. Today, we’re seeing it everywhere:
– Robinhood acquires Bitstamp
– Visa integrates with Circle
– Mastercard partners with Kraken
TradFi and web3 aren’t colliding. They’re consolidating.

Thanks Dr. Ulli Spankowski for the great convo! Also thanks to Stefanie Möllner, Simone Barilla, and Sebastian Kraft for making this happen! Listen to the full episode. Link in the comments.