Your RPC endpoint is no longer just infrastructure. Under MiCA and DORA, it is a regulated operational dependency — and most firms are running it through a shared US endpoint with no contract language, no residency guarantees, and no exit plan.
The regulatory frame changed
DORA has applied to EU financial entities since January 2025. MiCA licensing is now the operating reality for crypto-asset service providers across the bloc. Together they do something subtle but important: they reclassify your blockchain node access from "developer tooling" to ICT third-party risk.
If reading chain state or broadcasting transactions supports a critical or important function — settlement, custody operations, proof-of-reserves, on-chain monitoring — DORA expects you to treat the provider like any other critical ICT vendor. That means contractual audit rights, documented exit strategies, concentration-risk assessment, and incident reporting obligations that flow down to the vendor.
Most RPC providers were not built for that conversation. They were built for hackathon developers on freemium tiers.
Why shared endpoints strain DORA
The default industry product is a multi-tenant RPC gateway: thousands of customers on the same fleet, routed through the same load balancers, often across jurisdictions the customer never sees. That model creates specific problems for a regulated firm:
- No performance isolation. A noisy neighbor's NFT mint degrades your settlement reads. DORA's operational-resilience testing expects you to characterize failure modes; you cannot characterize a tenant population you can't see.
- Opaque topology. You often cannot answer "which legal entity, in which country, served this request?" — a question your regulator can and will ask.
- Concentration risk. When several of your critical functions ride one shared provider — and that provider itself rides one cloud region — your register of information has a single point of failure you didn't design.
- Thin contracts. Click-through terms rarely include audit rights, subcontractor transparency, or termination assistance. DORA Article 30 expects all three for critical functions.
None of this means shared endpoints are useless. For prototyping and non-critical analytics they are the right buy — cheap, instant, disposable. We tell clients this directly. The problem is running production settlement logic on them and calling it resilience.
GDPR and the data your node sees
Node traffic is not anonymous. RPC request logs pair IP addresses with wallet addresses and query patterns — a combination that European regulators treat as personal data. If those logs land on servers outside the EU, you have a cross-border transfer to justify.
For a dora blockchain infrastructure review this becomes concrete fast: where do request logs live, how long are they retained, who is the processor, and is there a DPA that survives scrutiny? A MiCA compliant RPC provider should answer in one page. Many cannot answer at all, because their logging pipeline was designed for product analytics, not Article 28.
The clean solution is architectural, not contractual: an Ethereum RPC endpoint in Europe, with logs that never leave EU jurisdiction and retention you set, not inherit.
Bitcoin: the compliance blind spot
The managed-node market is EVM-first. Ethereum, L2s, the usual suspects — well served. Bitcoin is the gap. Firms handling BTC custody, settlement, or monitoring often discover their "enterprise" provider offers Bitcoin as an afterthought: no dedicated option, weaker SLAs, sometimes proxied through a third party they won't name.
That fourth-party opacity is exactly what DORA's subcontracting provisions target. If your BTC flows are a critical function, "we resell someone else's Bitcoin nodes" is not an acceptable answer.
We run both Ethereum and Bitcoin RPC live under Binari Nodes — same latency engineering, same health-aware failover, same observability stack on both chains. Bitcoin is a first-class citizen, not a checkbox.
The vendor due-diligence checklist
Before your next contract renewal, put these to your provider in writing:
- Topology disclosure. Which legal entities and data-center jurisdictions serve our traffic? Any subcontractors?
- Data handling. Where are request logs stored, what do they contain, what is retention, is there a GDPR-grade DPA?
- Isolation. Dedicated nodes or shared fleet? Can you demonstrate performance isolation under load?
- Audit and exit. Do we get audit rights? What does termination assistance look like — can we export state and cut over without downtime?
- Incident obligations. Notification windows, root-cause commitments, and whether their incident process maps to your DORA reporting timelines.
- Non-EVM parity. Same SLA and same architecture for Bitcoin as for Ethereum, or is BTC subcontracted?
A provider that answers all six crisply is rare. A provider that gets defensive on question one has answered all six.
The pattern that passes review
The architecture we deploy for regulated clients is boring on purpose: dedicated, EU-resident nodes per client, containerized from day one, with health-aware failover across at least two EU locations. Observability exports — latency percentiles, sync status, error budgets — feed directly into the client's own DORA evidence pack. p99 latency is the design target, not the average, because settlement systems fail at the tail.
Development and staging run on our managed on-premise infrastructure to keep cloud burn low during the build; CI/CD promotes to the client's AWS, GCP, or Azure at launch, with on-prem production options for firms with hard data-sovereignty requirements. If the cost math matters to you — and it should — we broke down the self-hosted versus managed trade-off in detail.
The honest summary: if node access touches nothing critical, keep your shared endpoint and spend the money elsewhere. If it touches settlement, custody, or anything a regulator would call important, the shared-tier discount is the most expensive line item you have.
Running chain infrastructure inside a MiCA or DORA perimeter? Talk to us — we reply within one business day.