
The DORA Regulation: legal implications for ICT risk management in the financial sector


Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act), has been fully applicable since 17 January 2025 and marks a milestone in the regulation of digital operational resilience within the European financial sector. Its purpose is to strengthen the ability of entities to prevent, withstand, respond to, and recover from incidents related to information and communication technologies.

To understand the real reach of the Regulation and the obligations it imposes, three questions need to be answered: which entities fall within its scope, what an entity must have in place to withstand a supervisory audit, and what the legal consequences of non-compliance are.

Who must comply?

The scope of application is set out in Article 2, which lists more than twenty categories of financial entities subject to European supervision. These include credit institutions, investment firms, payment institutions and electronic money institutions, insurance and reinsurance undertakings, fund managers (UCITS management companies and alternative investment fund managers), and market infrastructures such as trading venues and central counterparties. Crypto-asset service providers and data reporting service providers are also covered. This breadth makes DORA one of the most transversal regulatory frameworks in European financial law.

Although the Regulation also reaches ICT third-party service providers, primary responsibility for compliance rests with the financial entities, which must manage and supervise the risks arising from those third parties. Articles 28 to 30 require financial entities to manage ICT third-party risk as an integral part of their ICT risk management framework. In practice this means maintaining a register of information covering all contractual arrangements for ICT services, distinguishing those that support critical or important functions, and ensuring that contracts contain the minimum clauses required by Article 30, including security requirements, audit and access rights, the locations where data is processed and stored, and conditions on subcontracting. Where a provider is designated as a critical ICT third-party service provider, it falls under the Oversight Framework in Chapter V, Section II, with one of the European Supervisory Authorities (EBA, ESMA or EIOPA) acting as Lead Overseer. That oversight does not relieve the financial entity of its own contractual and supervisory duties towards the provider.

In Spain, this oversight is aligned with guidelines and criteria issued by the Bank of Spain, the CNMV, and the DGSFP, which have strengthened monitoring of ICT operational risk and the proper management of dependencies on technology providers.

Preparing your entity for an audit

Preparing a financial entity for a DORA audit requires a robust, coherent and traceable ICT risk management framework. Articles 5 to 14 set out its minimum content: governance and management-body accountability, identification of ICT-supported business functions and assets, ongoing risk assessment, protection and detection controls, response and recovery, backup and restoration policies, and a process for learning from incidents. The framework must be documented so that each control can be traced to the risk it addresses. Separately, Articles 24 to 27 require a digital operational resilience testing programme, which for entities identified by their competent authority includes threat-led penetration testing (TLPT) under Article 26 at least every three years.

This is complemented by the obligation to manage, classify and report major ICT-related incidents under Articles 17 to 23. Where an incident also involves personal data, the DORA report to the financial supervisor and the GDPR notification to the data protection authority must be consistent, even though the two regimes run on different clocks and go to different recipients. Under Article 33 GDPR the Spanish Data Protection Authority (AEPD) has reiterated that a personal data breach must be notified within 72 hours of the controller becoming aware of it, whereas DORA's reporting timelines (initial notification, intermediate report and final report under Article 19 and its implementing rules) are triggered by the classification of the incident as major, with the initial notification due no later than 24 hours after awareness. Internal procedures therefore need to coordinate incident classification, the two reporting tracks and the evidence that supports both.

Non-compliance with DORA

From a legal standpoint, the consequences of non-compliance are particularly significant. Article 50 of the Regulation requires Member States to establish “effective, proportionate and dissuasive” sanctions. In Spain, this translates into the application of the sector-specific sanctioning regimes of the Bank of Spain, the CNMV, and the DGSFP, which may impose substantial fines, restrictions on activity, public warnings or even sanctions directly targeting members of the management body when serious breaches of their obligations are demonstrated.

If the incident also involves a personal data breach, sanctions under DORA may be combined with those established under the GDPR and the Spanish Data Protection Act (LOPDGDD), considerably increasing the financial and reputational risk.

In summary, compliance with the DORA Regulation requires deep organisational transformation, proactive governance, and documentation aligned with European standards. Entities that approach this process strategically will not only avoid sanctions but also gain a competitive advantage in an increasingly demanding digital environment.
