The passage of the GENIUS Act marks a turning point: the United States now has a federal framework governing payment stablecoins, and with it, a clear signal that traditional finance is moving onchain in earnest. But if you read the Act closely, you'll notice that it's intentionally light on specifics, which introduces real challenges for stablecoin issuers.

Principles Without Playbooks

The GENIUS Act establishes high-level requirements around reserve management, redemption rights, security, and operational resilience. Rulemaking authority is largely deferred to relevant regulatory agencies: the OCC, the Federal Reserve, the FDIC, the NCUA, and state regulators. Early proposed rules and guidance from those bodies have largely followed the same pattern, offering principles-based frameworks that establish what issuers must achieve without prescribing how to achieve it.

The result is a significant open question: what do "security" and "operational resilience" actually mean for blockchain-based stablecoin infrastructure?

Stablecoin issuers operate across a layered stack (smart contracts, the underlying blockchain protocol, and operational infrastructure) with distinct risk profiles at each level that don't map cleanly onto the control frameworks banking regulators have spent decades refining for traditional financial infrastructure. Principles like "maintain adequate operational resilience" are a starting point, but not a security standard for onchain finance.

The Controls Gap Is the Compliance Gap

The absence of specific blockchain security controls in existing guidance means that issuers have to figure it out themselves, face an uphill battle when applying for a license, or find themselves unprepared when examiners come knocking.

Rather than waiting for a prescriptive rulebook, issuers should confront the harder question: against what standard should we be measuring ourselves?

Bridging that gap requires building a shared understanding of what blockchain-specific security controls look like in practice: identifying risks, applying technical mitigations, establishing governance structures, and developing assessment methodologies that address security rigor across the whole blockchain application stack. That work extends beyond stablecoin issuers to the financial services and technology institutions that are custodying, distributing, or settling against stablecoins, who carry their own third-party and operational risk obligations to supervisors.

The security standard for onchain finance must be built from the ground up, informed by the realities of how blockchain systems operate, where they can fail, and how they can be made resilient.

The Cost of Waiting for Final Rules

Some issuers are tempted to hold off until final rules are published. But security posture doesn't improve overnight, and the parallel to traditional security programs is instructive. Standing up SOC 2 or ISO 27001 compliance for the first time is notoriously painful; the first year is spent building processes, assigning ownership, and generating the documentation trail that auditors expect. It gets easier over time, but only because the institutional muscle memory is there. Blockchain security programs are no different.

Issuers who start now will move through that difficult first phase before licensing windows open. Those who wait will face regulators while still building the foundation. A vulnerability in a smart contract doesn't wait for the OCC to finalize its guidance before it gets exploited. The market and reputational consequences of a security incident are immediate.

A Global Dimension: The EU Is Already There

While the U.S. works through the GENIUS Act implementation timeline, other jurisdictions aren't waiting. The EU's MiCA regulation has established enforceable requirements for asset-referenced tokens and e-money tokens today. DORA (the Digital Operational Resilience Act) imposes operational resilience obligations on financial institutions broadly, including those operating blockchain-based products. The EU's Cyber Resilience Act, expected in force in 2027, will further extend horizontal cybersecurity expectations to products with digital elements.

For stablecoin issuers operating in European markets, or with European institutional counterparties, these are present obligations. MiCA has applied to stablecoin issuers since June 2024 and DORA since January 2025, with supervisory expectations continuing to sharpen.

How OpenZeppelin Assesses Stablecoin Security Risk

OpenZeppelin's approach starts with a structured risk assessment that spans the full stack. We assess the controls implemented to address identified risks, mapping them against our internal framework and against the expected requirements emerging from the GENIUS Act and associated rulemaking, across U.S. and EU regulatory contexts. That gap assessment becomes the basis for prioritized recommendations on how issuers can improve their security posture across their people, processes, and technology, calibrated to the realities of blockchain.

That means evaluating risks at three layers:

  1. The smart contract application layer: What are the access control models? How are upgrades managed? What attack surfaces are introduced by the stablecoin system's logic, and how does it interact with external protocols, oracles, or bridges?
  2. The blockchain protocol layer: How does the underlying chain behave under adversarial conditions? What assumptions does the issuer's system make about finality, ordering, or validator behavior?
  3. The operational layer: How are privileged keys managed and protected? What does incident response look like? How are third-party dependencies tracked and assessed?

The output is a set of artifacts that demonstrates security posture in an auditable way, aligned with expected regulatory requirements and industry best practices. Issuers who undertake this exercise will be better positioned for streamlined licensing compliance when GENIUS opens up for applications. The same methods apply across regulatory frameworks, including MiCA and DORA in the EU and the HKMA's Stablecoins Ordinance regime in Hong Kong.

The Role of Industry in Setting the Standard

The gap in blockchain-specific security controls in current regulations presents an opportunity to help define what rigorous security looks like, to surface the technical controls that mitigate real blockchain risks, and to build those standards into the regulatory fabric before they get filled in by less-informed defaults.

For OpenZeppelin, that means engaging with regulators, bringing technical depth to policy conversations, and working with issuers to implement controls that go beyond the minimum. OpenZeppelin actively participates in global standards bodies including ISO, the Enterprise Ethereum Alliance, and the Blockchain Security Standards Council to help build the foundation a global market needs as it moves onchain.

For stablecoin issuers navigating GENIUS Act compliance, that means a documented risk assessment, mapped controls, and a security posture ready for examiner review, built before the licensing window opens.

FAQs

What is the GENIUS Act and what does it require for stablecoin security?

The GENIUS Act is the first federal U.S. framework governing payment stablecoins. It sets high-level requirements around reserves, redemption, and operational resilience, but defers detailed rulemaking to agencies like the OCC. What blockchain-specific security controls issuers must actually implement remains undefined.


What blockchain security controls should stablecoin issuers implement for GENIUS Act compliance?

Issuers should address risks across three layers: smart contract vulnerabilities (access controls, upgrade mechanisms, logic errors), blockchain protocol-level risks (finality assumptions, chain-specific behaviors), and operational risks (key management, incident response, third-party dependencies).


How can stablecoin issuers prepare for GENIUS Act licensing before final rules are published?

By conducting technical risk assessments now. Issuers who identify gaps, implement controls, and document their security posture ahead of licensing will be better positioned for streamlined compliance. Security infrastructure takes time to build, and starting early creates a meaningful advantage.


Does the EU have stablecoin security requirements in effect today?

Yes. EU issuers are subject to MiCA and DORA, which impose enforceable security and operational resilience requirements now. OpenZeppelin works with EU issuers to assess their posture against both frameworks, making this relevant for any issuer operating in or entering European markets.