MiCA (Markets in Crypto-Assets Regulation) institutes uniform EU market rules for crypto-assets, requires CASPs to run cybersecurity measures aligned with DORA, prove staff competence, and document ICT and human-risk safeguards in their Article 60 notification. Social engineering training helps crypto firms satisfy the human side of those obligations and produce audit evidence.
π‘Β This guide is written for crypto and Web3 CISOs, IT managers, and compliance owners who already understand the regulation and need a clear path to operationalize the human-risk part.
Key takeaways
- MiCA is fully applied since December 30, 2024. The EU-wide transitional period ended on July 1, 2026, after which serving EU clients without authorization breaches EU law.
- MiCA's cybersecurity backbone is DORA. MiCA Article 68 requires CASPs to run cybersecurity measures aligned with the Digital Operational Resilience Act, which mandates staff awareness and training programs under its Article 13.
- People are the weak point crypto attackers target first. Help desks, treasury, and engineers with key access are hit through phishing, vishing, and deepfakes, not smart contract bugs.
- Training produces audit evidence. Simulation logs, completion records, and incident-drill results map directly to Article 60 documentation and DORA reporting expectations.
Learn more about DORA compliance β
What is MiCA?
MiCA is the EU's unified framework for crypto-assets and the firms that issue or service them. It replaces 27 national regimes with one rulebook covering authorization, consumer protection, market integrity, and operational security across all EU member states. It applies to two groups operating in the EU: crypto-asset issuers and crypto-asset service providers (CASPs), including exchanges, custody and wallet providers, trading platforms, transfer services, and advisors. If you target EU residents, MiCA applies regardless of where your entity sits.
What are MiCA's main cybersecurity requirements?
MiCA sets the obligation; DORA sets the detail. Under MiCA Article 68, CASPs must maintain sound governance, business continuity plans, secure ICT systems, and cybersecurity measures aligned with DORA. Article 60 then requires firms to document those measures in their authorization notification.
Here are the core cybersecurity expectations, drawn from MiCA Article 60 notification requirements and DORA:
| Requirement | What regulators expect | Where it sits |
|---|---|---|
| ICT risk management framework | Documented approach to identify, manage, and mitigate ICT risks, including governance | MiCA Art. 60 / DORA Art. 5β15 |
| Critical ICT service mapping | List of critical services, internal vs outsourced, with third-party risk controls | MiCA Art. 60 / DORA Art. 28β30 |
| Security and incident management | Monitoring, response frameworks, and incident reporting mechanisms | MiCA Art. 60 / DORA Art. 17β23 |
| Cybersecurity audit | Independent review: vulnerability assessment, network security, penetration testing | MiCA Art. 60 |
| Smart contract review | Source code analysis of contracts used in crypto-asset services | MiCA Art. 60 |
| Staff knowledge and competence | Personnel must understand crypto-assets, risks, and obligations relevant to their role | MiCA Art. 68 / ESMA guidelines |
| Human and operational measures | For transfer services, ICT and human resource measures addressing operational and cybersecurity risks | MiCA Art. 60 |
Two of these are explicitly about people, not systems: staff knowledge and competence, and the human resource measures required for transfer services. That is where social engineering defense becomes a named compliance input, not a nice-to-have.
Why does the human layer matter so much for crypto firms?
Crypto firms hold irreversible assets and run lean teams, which makes them a primary social engineering target rather than a secondary one. Attackers skip the hardened smart contract and go for the person who can approve a transfer, reset an account, or sign a transaction.
Recent incidents show the pattern: attackers impersonate executives and IT staff over voice and chat, use deepfakes to authorize fund movements, and phish developers to reach key material. We cover the underlying mechanics in our analysis of why crypto firms are primary social engineering targets and the social engineering threats targeting crypto and blockchain teams.
Read our real-world breakdown of a social-engineered token compromise analysis β
How do you build social engineering and awareness training into MiCA compliance?
Treat awareness training as the control that satisfies the human-risk requirements of MiCA Article 68 and DORA Article 13, and that generates the evidence regulators ask for under Article 60. The six steps below turn the obligation into a repeatable program.
Step 1: Map your human attack surface
Identify the roles an attacker would target to move funds, reset access, or reach key material. In crypto firms this is almost always the same short list, and each role needs a different training and simulation track.
| Role | Primary social engineering risk | Priority |
|---|---|---|
| IT help desk / support | Account reset and MFA bypass via impersonation | π΄ |
| Treasury / finance ops | Fraudulent transfer approval, deepfake CEO | π΄ |
| Engineers with key access | Phishing for credentials and seed material | π΄ |
| Executives | Whaling, voice cloning, fake board pressure | π΄ |
| Customer-facing staff | Pretexting to extract user or account data | π‘ |
| Contractors / vendors | Third-party access abuse | π‘ |
Step 2: Run a baseline simulation across channels
Measure real exposure before training. Run controlled phishing simulations, SMS-based smishing tests, and AI-powered vishing simulations that mirror the executive-impersonation and help-desk attacks crypto teams actually face. The baseline failure rate becomes your starting metric and your first piece of audit evidence.
Step 3: Assign role-based training
Generic annual training does not satisfy the competence expectation. Tailor content to each high-risk role so help desk staff learn callback verification, treasury learns out-of-band confirmation for transfers, and engineers learn to spot credential-harvesting pages. Our 2026 social engineering checklist for crypto CISOs breaks the role-by-role controls down further.
Step 4: Drill incident reporting against the clock
DORA expects employees to identify, escalate, and report ICT incidents quickly. Run drills that test whether staff recognize a suspected attack and report it through the right channel within your defined window. This connects awareness directly to your incident management obligations under MiCA Article 60 and DORA Articles 17 to 23.
Step 5: Document everything for the notification and audits
Every simulation, completion record, and drill result is evidence. Maintain audit-ready logs that show your training program exists, reaches the right roles, and improves over time. This feeds the non-technical summary and human-resource measures expected in the Article 60 notification.
Step 6: Measure, report, and repeat
Track failure rates, reporting rates, and time-to-report by role and over time. Run simulations on a recurring cadence rather than once a year, and report trends to your management body, which holds accountability for the ICT risk framework under DORA governance rules.
How does MiCA awareness training compare to a generic annual course?
| Element | Generic annual training | MiCA-aligned program |
|---|---|---|
| Targeting | One course for all staff | Role-based for help desk, treasury, devs, execs |
| Threats covered | Email phishing only | Phishing, smishing, vishing, deepfakes |
| Evidence | Completion certificate | Simulation logs, reporting metrics, drill records |
| Cadence | Once per year | Recurring, with trend reporting |
| Regulatory fit | Weak | Maps to MiCA Art. 60/68 and DORA Art. 13 |
If you are also scoping the wider operational resilience obligations, our DORA compliance guide covers the ICT framework that MiCA leans on.
Frequently asked questions
Not by name. MiCA Article 68 requires cybersecurity measures aligned with DORA and staff competence, and DORA Article 13 requires awareness and training programs. Together they make awareness training a practical requirement for CASPs.
The roles that can move funds or reset access: IT help desk, treasury and finance operations, engineers with key access, and executives. These are the most common social engineering entry points.
The EU-wide transitional period ends July 1, 2026. After that, providing crypto-asset services to EU clients without MiCA authorization breaches EU law.
Simulation results, completion records, and incident-reporting drills create audit-ready evidence that maps to Article 60 documentation and DORA's incident and governance expectations.
Corporate fines reach β¬5,000,000 or up to 12.5% of annual turnover. Individual executives face fines up to β¬700,000 and possible industry bans. Over β¬540 million in fines were issued by November 2025.
Build MiCA-ready human risk defense
See how Arsen helps crypto and Web3 firms simulate the phishing, vishing, and deepfake attacks their teams face, train high-risk roles, and produce the audit evidence MiCA and DORA expect.