Legal Industry Insight

Financial Sector Compliance: Key Regulatory Challenges 2025-2026

Overview of the main compliance challenges for financial entities in 2025-2026: DORA, NIS2, 6th AML Directive, MiCA for crypto, ESG reporting and PSD3. Practical implications.


In 2025-2026, Spain's financial sector faces its densest regulatory period in two decades. The combination of DORA, NIS2, the new European AML architecture, MiCA for crypto-assets, ESG requirements under CSRD and the incoming PSD3 creates a compliance landscape unprecedented in both complexity and scope. This guide analyses the main challenges and their practical implications for credit institutions, investment firms, fund managers, payment service providers, insurers and crypto-asset businesses.

DORA: The Digital Operational Resilience Revolution

DORA (Digital Operational Resilience Act, Regulation EU 2022/2554) entered full application on 17 January 2025. Its objective is to ensure that the European financial sector can withstand, respond to and recover from any serious ICT-related operational disruption.

The scope is exceptionally broad: credit institutions, investment firms, fund managers, insurers, trading venues, central counterparties, MiCA crypto-asset service providers, electronic money institutions and payment service providers. Critical third-party ICT providers are subject to direct supervision by the European Supervisory Authorities (ESAs).

DORA’s five pillars require: an ICT risk governance framework with explicit board accountability; a system for classifying and notifying major ICT incidents (4-hour initial notification, 72-hour intermediate report, one-month final report); periodic resilience testing including advanced threat-led penetration testing (TLPT) every three years; rigorous third-party ICT provider risk management with mandatory contractual provisions; and cyber threat intelligence sharing between entities.

NIS2 and Its Interaction with DORA

NIS2, transposed in Spain, establishes security requirements for essential and important entities in critical sectors. For financial entities, DORA acts as lex specialis and supersedes NIS2 for network and information security purposes. However, entities must verify case by case that their DORA coverage is complete, as gaps may exist depending on activity type and competent supervisory authority.

NIS2 sanctions for essential entities reach up to 10 million euros or 2% of global turnover, while DORA provides for fines of up to 1% of average daily turnover per day of non-compliance — creating substantial financial exposure for extended non-compliance.

The New European AML Architecture: 6th Directive and AMLA

The anti-money laundering framework is undergoing its most profound reform since 2015. The legislative package adopted in May 2024 — Directive 2024/1640 (6th AML Directive), Regulation 2024/1624 (AML Regulation) and Regulation 2024/1620 (AMLA) — creates a new EU Anti-Money Laundering Authority (AMLA) based in Frankfurt with direct supervisory powers over the highest-risk financial entities across the EU.

Practical implications for financial entities include: updating customer due diligence policies with the new 15% beneficial ownership threshold; extending the obligated entity perimeter to MiCA CASPs; harmonised minimum staff training requirements; new harmonised EU-wide minimum sanction thresholds; and preparation for potential direct AMLA supervision for high-risk profile entities.

MiCA: The New Crypto-Asset Regulatory Framework

MiCA has applied in full across the EU since December 2024, imposing for the first time a harmonised regulatory framework on crypto-asset markets. CASPs operating in Spain must obtain CNMV authorisation or demonstrate an EU passport from another member state.

Key requirements — minimum capital of 50,000 to 150,000 euros depending on service type, client asset segregation, white paper obligations and AML designation as newly obligated entities — constitute significant burdens for the sector. Firms operating in the previous regulatory vacuum must have adapted their business models or face activity cessation.

ESG Reporting: Sustainability as Regulatory Obligation

The CSRD progressively expands the universe of entities required to report sustainability information under ESRS standards. Financial entities with more than 250 employees are subject from financial year 2025 onwards.

For the financial sector, ESG obligations have a dual dimension: as entities reporting their own sustainability performance under ESRS, and as capital allocators channelling investment toward activities classified under the European Taxonomy. The SFDR Regulation adds product-level sustainability disclosure obligations for asset managers.

Greenwashing risk — misrepresentation of a financial product’s sustainability features — is increasingly subject to supervisory scrutiny by ESMA and national competent authorities.

PSD3 and the Future of Payments

PSD3 and the new Payment Services Regulation (PSR) are in the EU legislative process with transposition targeted for 2027. Key changes include reinforced strong customer authentication, shared fraud liability rules, direct payment system access for non-banks and a more powerful open banking framework. PSD2-authorised payment institutions should begin gap analysis now to plan adaptations in advance.

Compliance Function Roadmap for 2025-2026

An efficient response to this regulatory agenda requires a compliance function capable of managing multiple frameworks simultaneously. Priorities include: completing DORA implementation; revising AML policies for the new 2024/1624 Regulation; obtaining MiCA authorisation if applicable; preparing the first CSRD report; and monitoring PSD3/PSR progress for early planning.

Integrating all compliance frameworks into a unified risk management function — rather than separate regulatory silos — through a regulatory map, a cross-functional compliance committee, differentiated training by exposure level and proactive supervisory relationships is the key to efficiency and responsiveness in an environment of accelerating regulatory change.
