Fostering FinTech Innovation Through the Creation of Regulatory Cyber Resilience in the DLT & Crypto-Assets Framework

Updated: Mar 17

Simona Ramos

EU Horizon 2020 MSCA

BAnDIT Project: (advanced Blockchain Attacks and Defense Techniques): Grant Agreement


A blockchain is a peer-to-peer distributed ledger that records transactions between two or more parties in a verifiable and permanent way by storing them in a sequence of blocks. The blocks are linked together into a chain which is secured using cryptographic primitives and a randomized lottery mechanism. Each block contains a secure digest (or hash) of the previous block, an unforgeable proof from the lottery, a timestamp, and a list of transactions. One of the main advances that blockchain technology brings is the idea that once a transaction is recorded in a block, it cannot be (easily) altered without also altering all the blocks already recorded after it (Vujicic et al., 2018).
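As an added illustration (not code from the original post), the toy Python chain below models the structure just described: each block carries the previous block's hash, a timestamp, a transaction list and a lottery proof, for which a fixed-prefix hash puzzle is used as a stand-in. It shows that editing one recorded transaction breaks every later block's link, so a forger would have to redo all of them; the field names, difficulty and sample transactions are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

DIFFICULTY = 2  # hex digits of leading zeros the toy lottery demands (constructed value)

@dataclass
class Block:
    index: int
    timestamp: int
    transactions: List[str]
    prev_hash: str
    nonce: int = 0

    def hash(self) -> str:
        # The digest covers every field, so changing any of them changes the block's identity.
        payload = json.dumps([self.index, self.timestamp, self.transactions,
                              self.prev_hash, self.nonce], separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

def mine(block: Block) -> Block:
    # Stand-in for the "randomized lottery": search for a nonce giving the required hash prefix.
    while not block.hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block

def build_chain(tx_batches: List[List[str]]) -> List[Block]:
    chain = [mine(Block(0, 1_600_000_000, ["genesis"], "0" * 64))]
    for i, txs in enumerate(tx_batches, start=1):
        chain.append(mine(Block(i, 1_600_000_000 + 600 * i, txs, chain[-1].hash())))
    return chain

def first_invalid(chain: List[Block]) -> int:
    """Index of the first block that breaks the chain, or -1 if the whole chain verifies."""
    for i, block in enumerate(chain):
        if not block.hash().startswith("0" * DIFFICULTY):
            return i  # lottery proof no longer matches the block's current contents
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return i  # link to the previous block is broken
    return -1

def tamper_demo() -> Tuple[int, int, int]:
    """(result before edit, after editing block 1, after re-mining only block 1)."""
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    before = first_invalid(chain)                 # -1: chain verifies
    chain[1].transactions[0] = "alice->bob:500"   # rewrite an already-recorded transaction
    after_edit = first_invalid(chain)             # block 1's proof (or block 2's link) fails
    mine(chain[1])                                # redo only block 1's lottery proof
    after_remine = first_invalid(chain)           # 2: block 2 still points at the old block 1
    return before, after_edit, after_remine
```

Repairing the chain after the edit would require re-mining blocks 2 and 3 as well, which is what makes already-recorded blocks hard to alter.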

Blockchain technology came to be known with the development of Bitcoin, a cryptocurrency launched in 2009 by Satoshi Nakamoto, the pseudonym of the unknown creator (or creators) of this decentralized cryptocurrency (Nakamoto, 2009). After the creation of Bitcoin, the so-called “crypto market” saw a rapid take-off with the introduction of a vast number of new cryptocurrencies. Today, there are more than 2,000 crypto-assets outstanding (ESMA, 2019). The definition of “crypto asset” varies among countries. Also, crypto assets may have different features and/or functions, hence many regulations have come up with additional sub-categories. In one of the latest EU regulatory proposals on the crypto-asset ecosystem (MiCA), crypto assets are referred to as “digital representations of value or rights which may be transferred and stored electronically, using distributed ledger”.

Nevertheless, in spite of their transparency, decentralization and suitability for further applications, crypto assets are still considered a novelty and are characterized as a risky asset class (Borri, 2019). While the distributed nature of blockchain technology reduces the cyber risks that centralized market infrastructures face (such as a single point of failure), it is still subject to other types of cyber risks (Saad et al., 2019; Apostolaki et al., 2017). On these grounds, many countries worldwide have issued warning notices advising their citizens of the potential dangers of investing in crypto assets. In general, governmental measures span from restrictive and permissive to encouraging, although in reality, given the decentralized nature of this system, it is extremely hard to enforce a severe restrictive measure such as a ban (Ellul et al., 2020).

ESMA (the European Securities and Markets Authority) identified the most significant risks regarding crypto assets as fraud, cyber-attacks, money laundering, and market manipulation. In particular, ESMA emphasized that technology-specific risks are still under-addressed, while certain existing requirements may not be easily applied or may not be entirely relevant in a DLT framework (e.g. GDPR). Recently, the EU Commission and the Council jointly declared their commitment to establish a legal framework that will harness the potential opportunities that crypto assets may offer while at the same time mitigating the associated risks they may pose to European users and businesses.

Most recently, in an effort to determine the legal status of crypto-assets, the EU issued two regulatory proposals as part of the “Digital Finance Package” initiative: one proposal on “Markets in Crypto-Assets”, which if adopted would amend the already existing Directive (EU) 2019/1937, and a proposal for a regulation of the European Parliament and of the Council on a “pilot regime for market infrastructures based on distributed ledger technology”. The main objectives of these proposals are a) to provide legal certainty, b) to support innovation and remove the regulatory obstacles which may be constraining fintech development, c) to protect European users, investors and businesses by enabling trust and confidence in market integrity, and d) to maintain financial stability on European grounds.

The new proposed regulation on DLT market infrastructure (under Article 6) is aimed at introducing new requirements in order to tackle the novel risks pertaining to DLT. In other words, it sets a norm for DLT infrastructure operators to provide market participants, clients, users and investors with clear and honest information on how they carry out their functions and activities when applying DLT, to ensure that the overall IT and cyber arrangements related to the use of DLT are adequate, and to safeguard users’ funds and assets (e.g. DLT transferable securities) where needed.

Also, Article 9 of the same proposed regulation maintains the need for cooperation between the DLT market infrastructure, competent authorities and ESMA. As mentioned, DLT market infrastructures must inform competent authorities and ESMA of any evidence of hacking, fraud or other serious malpractice, and of technical or operational difficulties which may pose risks to investor protection, market integrity or financial stability. As seen in (Ramos et al., 2020), markets react to information regarding cyber-attacks, and timely notification may make a difference in safeguarding users’ funds and restoring network security.

The cyber security requirements introduced are set to be proportionate to the nature, scale and complexity of the DLT market infrastructure. Likewise, in order to ensure integrity and security, the competent authority of a DLT market infrastructure should be allowed to request an audit in order to ensure that the overall IT and cyber arrangements are fit for purpose (paragraph

It is important that the overall cyber arrangements of the two proposed regulations aim to protect user funds from hacking, degradation, illegal access, loss, cyber-attack or theft; however, not much further explanation of the required technical measures is given. The proposed regulation imposes a safekeeping mechanism for client funds in the form of cash or cash equivalents, DLT transferable securities, or the means of access to such DLT transferable securities, including in the form of cryptographic keys, but it recognizes the existence of a regulatory gap regarding reliability and safety requirements: “At the same time, regulatory gaps exist due to legal, technological and operational specificities related to the use of DLT and crypto-assets that qualify as financial instruments. For instance, there are no transparency, reliability and safety requirements imposed on the protocols and smart contracts underpinning crypto-assets that qualify as financial instruments. The underlying technology could also pose some novel forms of cyber risks that are not appropriately addressed by existing rules.”

In other words, although certain jurisdictions have proposed or introduced regulatory frameworks which provide assurances regarding the financial market and operations surrounding cryptocurrencies, there is still a lack of assurances in terms of the core technology and the cyber security measures associated with it (Ellul et al., 2020). It should be noted that high cybersecurity resilience is a precondition for sustainable innovation in an increasingly digitalized financial sector, where protecting users, businesses and investors is a priority. In recent years there has been an exponential increase in the number and severity of cyberattacks related to DLT and crypto-assets, which has left many doubtful regarding the validity and trustworthiness of DLT systems.

While recent regulatory efforts in the European Union have been a step forward, further research is needed in this domain. Besides identifying control points which can be used to apply regulation (e.g. crypto exchanges, wallet providers), a more relevant “use-case” analysis is needed. Certain experts have argued for regulating the technology via the agents who form the de facto governance of public blockchains, e.g., by imposing certain fiduciary duties on core developers and dominant miners (Walch, 2016). Nevertheless, bearing in mind that most public blockchains are built on open source software, certain problems arise from this approach. In other words, treating core developers and dominant miners as fiduciaries could deter them from participating in what may be considered socially beneficial projects, due to a fear of potential liability, and without them contributing code and processing power (under PoW) the system risks disappearing.

Moreover, core developers and dominant miners are usually not compensated highly enough to bear the accountability standard of a fiduciary, and in the alternative case of elevated compensation there could be a significant increase in the cost associated with running and using this technology (Walch, 2016). Also, due to the way the PoW system works, honest but rational miners can have an incentive to eventually join pools, and the colluding group will increase in size until it becomes a majority, thus gaining the ability to perform a majority attack and “double spend” (Eyal and Sirer, 2018).

While cyber-related challenges may be an opportunity for further regulation, a contrasting unregulated perspective rooted in the free-market paradigm could also be considered as an alternative. In other words, treating cyber-related problems as a “diminisher of user trust” could incentivize market players (e.g. crypto exchanges) to improve their cyber resilience and compete better with alternatives. For example, instead of regulating a central point such as a crypto exchange in order to ensure the safety of user funds/assets, an alternative would be to leave the establishment of cyber resilience to the crypto exchanges themselves, which could invest in cyber resilience as a way to strengthen user trust and attract new members. Also, instead of applying a fiduciary duty to dominant miners, an alternative measure could be for public blockchains to improve the incentive design of the system, thus deterring miners from acting dishonestly and improving resilience towards majority and other similar attacks.


This work was funded by H2020 ITN Marie Skłodowska-Curie Action grant n. 814284 “BAnDIT” as part of the EU Horizon 2020 program. The work was partially carried out at LINCS (Laboratory of Information, Networking and Communication Sciences) and Nokia Bell Labs in Paris during the CoViD-19 pandemic. The BAnDIT project (advanced Blockchain Attacks and Defense Techniques) is an Innovation Training Network (ITN) for European Industrial Doctorates (EID) funded under the European Commission’s H2020 Marie Skłodowska-Curie Programme. The project is led by Universitat Pompeu Fabra and the other main participant is Nokia Bell Labs France. More information about the project can be found at:


M. Apostolaki, A. Zohar, and L. Vanbever. Hijacking Bitcoin: Routing attacks on cryptocurrencies. In 2017 IEEE Symposium on Security and Privacy (SP), pages 375–392, 2017.

D. Vujicic, D. Jagodic, and S. Randjic. Blockchain technology, Bitcoin, and Ethereum: A brief overview. In 2018 17th International Symposium INFOTEH-JAHORINA (INFOTEH), pages 1–6, 2018.

S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. White Paper, 2008.

N. Borri. Conditional tail-risk in cryptocurrency markets. Journal of Empirical Finance, 50(C):1–19, 2019.

I. Eyal and E. Gun Sirer. Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM, 61(7):95–102, June 2018. ISSN 0001-0782. doi: 10.1145/3212998. URL

M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and A. Mohaisen. Exploring the attack surface of blockchain: A systematic overview. arXiv, abs/1904.03487, 2019.

J. Ellul, J. Galea, and M. Ganado. Regulating Blockchain, DLT and Smart Contracts: a technology regulator’s perspective. ERA Forum 21, 209–220, 2020.

A. Walch. In Code(rs) We Trust: Software Developers as Fiduciaries in Public Blockchains, 2018.

S. Ramos, F. Pianese, and E. Oliveiras. A Great Disturbance in the Crypto: Understanding Cryptocurrency Returns under Attacks (Working Paper), September 2020.

European Securities and Markets Authority. Advice – Initial Coin Offerings and Crypto-Assets, 2019. URL esma50-157-1391 crypto advice.pdf.

Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology, COM/2020/594 final, October 2020. URL: https://eurlex.

Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets (MiCA), and amending Directive (EU) 2019/1937, COM/2020/593 final, October 2020. URL: https://eurlex.
