808bits

DORA Exit Strategies for Digital-Asset Custody: What a Reviewer Actually Wants to See

2026-06-05 · 4 min

DORA (Regulation (EU) 2022/2554, in application since January 2025) requires financial entities to maintain documented exit strategies for ICT third-party providers supporting critical or important functions, and to manage concentration risk on those providers. For most ICT services, firms can lean on familiar patterns: data export, parallel running, a migration plan to an alternative vendor.

Digital-asset custody platforms break those patterns in an interesting way: the thing you need to take out is not data. It’s signing capability over assets on-chain, and whether you can actually take it out depends on cryptographic facts about your setup, not on contract clauses.

Why custody exits are different

When a firm’s wallet infrastructure runs on an MPC custody platform (Fireblocks, Cobo, BitGo, Dfns, Copper and peers), the platform typically holds some key shares and the customer holds a recovery backup. The exit question is therefore not “can we migrate our records” but:

  • Can we reconstruct signing capability from the customer-held backup, independently of the vendor’s systems being available?
  • Does that backup actually cover all current key material, or only what existed when it was created?
  • Once we can sign, can we actually move everything, including assets that are staked, locked, or sitting inside smart-contract positions?

A paper exit plan that doesn’t answer these three questions describes an exit that may not exist.

The good news: independent exit paths mostly exist

The major MPC custody vendors have converged on a customer-held-backup model with open-source offline recovery tooling. This is the structural fact that makes a credible exit plan possible at all: reconstruction does not require the vendor’s cooperation or continued existence. If your vendor doesn’t offer an independent, offline, verifiable recovery path, that absence is itself a concentration-risk finding.

What separates a paragraph from a plan

Most exit-strategy documentation for custody reads like this: “In the event of provider failure, keys will be recovered from the encrypted backup using the provider’s published recovery tooling.” One sentence, technically true, and untested. A reviewer who probes it will ask five questions:

1. When was recoverability last demonstrated?

Not “do you have a backup” but “when did you last prove the backup works.” A verification run dated three years ago, or never, is the most common gap. Credible: verification on a defined schedule, with each run producing dated evidence.

2. What does the backup cover?

Backups are point-in-time; workspaces grow. Credible: a reconciliation of backup contents against current key material, so the coverage gap is a known, monitored number rather than a surprise discovered mid-crisis.

3. Is the verification independent?

Several vendors now market DORA exit-strategy support as a feature, and it’s better than nothing. But a vendor attesting to its own escapability is precisely the kind of evidence a reviewer discounts: the scenario being tested is the one where that vendor is gone. Credible: the verification can be (and has been) executed by your own staff or an independent party, offline, without vendor involvement.

4. What happens after key reconstruction?

Reconstructed keys let you sweep simple balances. They do not unstake bonded positions, exit DeFi collateral, or unlock vesting contracts. Those need protocol-specific runbooks and realistic timelines (unbonding periods are measured in days to weeks). Credible: an asset inventory split into sweepable now versus runbooked with timeline, so the plan states honestly how long a full exit takes and which value is illiquid during it.

5. Has anyone rehearsed it?

DORA’s broader resilience-testing logic applies: an untested plan is a hypothesis. Credible: a periodic exercise, even on a test workspace, executed by the people who would do it for real, with deviations recorded.

A note for Swiss firms

DORA binds EU entities, but the perimeter is wider than it looks from Zug or Zurich: EU group entities, EU clients pushing requirements down the chain, and FINMA’s own operational-resilience expectations all point the same direction. The five questions above are jurisdiction-agnostic; only the letterhead of the reviewer changes.

The test to apply to your own documentation

Read your custody exit strategy and ask: does it contain any evidence, or only intentions? Dates, signed verification results, coverage numbers, drill records, named runbooks, versus “will be recovered using published tooling.”

Intentions describe an exit someone hopes exists. Evidence describes one that does.