
DORA (Digital Operational Resilience Act)

DORA (Regulation EU 2022/2554) is the EU's regulatory framework requiring financial sector entities to manage and mitigate ICT risk, ensure operational resilience against digital disruptions, and impose contractual standards on their technology providers. It became directly applicable across all EU member states, including Spain, from 17 January 2025.


What Is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation, so it applies directly in every member state with no national transposition. It entered into force on 16 January 2023 and has applied since 17 January 2025. DORA is part of the broader EU Digital Finance Package and operates alongside, rather than replacing, other obligations such as GDPR and NIS2.

Its central objective is to ensure that banks, insurers, investment firms, payment institutions, and a wide range of other regulated financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Who Is Covered?

DORA has an exceptionally wide scope within the financial sector, covering:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers (UCITS, AIFMs)
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs) under MiCA
  • Central counterparties and central securities depositories
  • Trade repositories and securitisation repositories
  • ICT third-party service providers designated as critical (CTPPs), which are not financial entities themselves but are brought in scope through a direct EU-level oversight framework

Proportionality applies: microenterprises and certain other small entities benefit from simplified regimes in some areas, most notably the simplified ICT risk management framework of Article 16.

Five Pillars of DORA Compliance

1. ICT Risk Management

Entities must maintain a comprehensive, documented ICT risk management framework covering identification, protection, detection, response, and recovery. This must be reviewed by the management body at least annually and after major ICT incidents.

2. ICT Incident Reporting

A three-tier reporting obligation applies for ICT-related incidents classified as major. The deadlines, as set out in the supporting regulatory technical standards, are:

  • Initial notification: within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of it
  • Intermediate report: within 72 hours of submitting the initial notification
  • Final report: within one month of submitting the intermediate report

Classification as "major" is made against the criteria in Article 18 (clients and counterparties affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact), so the clock only starts once that assessment is complete. Reporting is made to the competent national authority (Banco de España for banks, CNMV for investment firms, DGSFP for insurers in Spain). Voluntary reporting of significant cyber threats is also encouraged.

3. Digital Operational Resilience Testing

Entities must maintain a testing programme for the ICT systems and applications supporting critical or important functions, including:

  • Baseline testing (vulnerability assessments and scans, network security assessments, source code reviews, scenario-based and penetration tests, among others): at least yearly for all systems supporting critical or important functions
  • Threat-Led Penetration Testing (TLPT): at least every three years for entities identified by their competent authority, run on live production systems supporting critical or important functions and coordinated with national authorities using a TIBER-EU-aligned approach

4. Third-Party Risk Management

This is arguably DORA’s most operationally demanding pillar. Entities must:

  • Maintain a register of information covering all contractual arrangements with ICT third-party service providers, distinguishing those that support critical or important functions
  • Conduct pre-contract due diligence on all providers
  • Include the mandatory contractual clauses (covering service levels, audit and access rights, sub-outsourcing, business continuity, data location and processing, and exit strategies) in all ICT service contracts, with reinforced requirements where the service supports a critical or important function
  • Identify critical third-party dependencies, manage concentration risk, and maintain documented exit strategies for critical or important services

The European Supervisory Authorities (EBA, ESMA, EIOPA) designate Critical Third-Party Providers (CTPPs), one of the ESAs is appointed Lead Overseer for each, and the provider is then subject to direct EU-level oversight.

5. Information and Intelligence Sharing

DORA explicitly encourages financial entities to participate in information-sharing arrangements on cyber threats. Participation in ISAC-style bodies (sector information sharing and analysis centres) is promoted.

Interaction with NIS2

Many financial entities are also in scope for NIS2, but for those entities DORA takes precedence (lex specialis) on ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. NIS2 continues to apply to general cybersecurity governance aspects not covered by DORA, so entities in both regimes must map their obligations under each.

Penalties in Spain

The Banco de España, CNMV, and DGSFP act as competent authorities for DORA in Spain, with sanctioning powers aligned with existing sectoral frameworks. DORA itself does not fix fine amounts for financial entities: Article 50 requires member states to lay down administrative penalties and remedial measures that are effective, proportionate and dissuasive, and the level is set nationally. The exception is the oversight of CTPPs, where the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year.

How BMC Can Help

We advise financial entities and their ICT vendors on DORA compliance programmes, contract reviews for mandatory DORA clauses, ICT risk framework design, incident classification and reporting procedures, third-party register construction, and TLPT programme coordination.

Frequently asked questions

When did DORA become applicable in Spain and who enforces it?
DORA (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied directly across all EU member states, including Spain, since 17 January 2025. No national transposition was required. In Spain, enforcement is by the Banco de España for banks, CNMV for investment firms, and DGSFP for insurers, with sanctioning powers aligned with existing sectoral frameworks.
Which Spanish financial entities must comply with DORA?
DORA covers a wide range of financial sector entities: credit institutions, payment and e-money institutions, investment firms, fund managers (UCITS, AIFMs), insurance and reinsurance companies, crypto-asset service providers under MiCA, central counterparties, and critical ICT third-party service providers designated by EU supervisory authorities. Microenterprises benefit from simplified regimes in certain areas.
What are the DORA incident reporting deadlines for Spanish financial entities?
DORA imposes a three-tier reporting obligation for major ICT incidents: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Reporting is made to the competent Spanish authority (Banco de España, CNMV, or DGSFP). Voluntary reporting of significant cyber threats is also encouraged.
How does DORA affect contracts with technology suppliers in Spain?
DORA's third-party risk management pillar requires financial entities to include mandatory contractual clauses in all ICT service contracts, covering service levels, audit rights, sub-outsourcing conditions, business continuity arrangements, data location, and exit strategies. Existing contracts must be reviewed and updated. Entities must also maintain a complete register of all ICT third-party providers.
How does DORA relate to NIS2 for Spanish financial sector companies?
Many Spanish financial entities are in scope for both DORA and NIS2. DORA takes precedence as lex specialis for ICT risk management and incident reporting obligations specific to the financial sector. NIS2 continues to apply to general cybersecurity governance aspects not covered by DORA. Companies must assess obligations under both frameworks.