The Spanish National Markets and Securities Commission (Comisión Nacional del Mercado de Valores, or CNMV) has released a document compiling answers to some of the most frequently asked questions concerning the Digital Operational Resilience Act (DORA or the Act). Key elements of the document –which considers best practices, cybersecurity standards, Delegated Regulations 2024/1772 [1] and 2025/301 [2], and Implementing Regulation 2025/302 [3] (which develop the regulatory and implementing technical standards)– are summarised below.
1. Scope and proportionality
The CNMV notes that there is no national register of DORA subjects, and that financial entities are responsible for assessing, on a proactive basis, whether and how DORA applies to their activities. However, the authority clarifies that DORA applies to various CNMV-supervised financial entities, including investment firms, crypto-asset service providers, market infrastructures, management companies, alternative investment fund managers, and data reporting and crowdfunding service providers.
Similarly, the CNMV clarifies that alternative investment fund managers with portfolios below specified asset thresholds –100 million and 500 million euros for leveraged and non-leveraged portfolios respectively– as well as National Investment Advisory Firms (in Spanish, EAFN) are excluded from DORA's scope. The latter –entities authorised by the CNMV to operate exclusively within Spain, providing investment advice and ancillary services only– are excluded because they are not listed in article 2(1) DORA, nor do they constitute investment firms as defined in article 4(1)(1) of MiFID II (Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments).
The obligations applicable to entities within DORA's scope are moderated by the principle of proportionality (article 4 DORA), taking into account factors such as the entity's size, risk profile and operational and organisational scale, as well as the nature, scope and complexity of its activities. Accordingly, the entities referred to in article 16 DORA, including microenterprises –those with fewer than 10 employees and an annual turnover below 2 million euros– and non-interconnected entities, are subject to a simplified Information and Communication Technology (ICT) risk management framework, while more critical entities are subject to additional obligations such as conducting Threat-Led Penetration Testing (TLPT) or having continuity plans in place.
2. ICT risk management
The CNMV explains that ICT risk management under DORA must be based on a structured and documented risk assessment, covering the inventory and classification of ICT assets, threat and vulnerability analysis, impact and probability assessment, and the definition of mitigation measures and action plans.
To support this process, financial entities should rely on quantitative and qualitative indicators, such as:
- system availability,
- the number and severity of ICT incidents,
- mean time to repair,
- coverage of critical assets by controls, and
- detected security alerts or anomalies.
These risk management frameworks must be reviewed at least annually –or periodically in the case of simplified regimes– and particularly after significant incidents, material business or technological changes, regulatory updates, internal evaluations or audits, or upon request by the competent authority.
The CNMV further highlights the need to identify and maintain an up-to-date list of critical and important functions, as this is essential for prioritising resources and risk management efforts on the areas that could compromise essential operations. In this context, financial entities are expected to maintain –and review regularly– a structured ICT asset inventory and to conduct business impact assessments (BIA) analysing their exposure to severe disruptions. Similarly, financial entities must establish well-documented continuity plans based on the BIA, ensuring that those plans clearly define the corresponding roles, triggering conditions and measures to be adopted, provide for contingency planning, and are assigned sufficient resources.
Regarding safeguards, the CNMV notes that financial entities should implement proactive controls proportionate to the criticality of their ICT activities, rather than relying solely on reactive measures. These include, among others:
- segregation of ICT responsibilities,
- least‑privilege access controls,
- reinforced authentication,
- encryption,
- backups,
- vulnerability assessments, and
- third-party ICT risk management.
Entities should also deploy mechanisms for the early detection of anomalous ICT activity, integrated into the ICT risk management framework, such as:
- continuous monitoring,
- log analysis,
- automated alerts, and
- key risk indicators.
Finally, the CNMV stresses that ICT risk management must be embedded in the overall governance and strategy of the financial entity, holding the Board of Directors –who are likewise expected to have sufficient knowledge and experience in ICT risks and digital operational resilience– responsible for ensuring its effective implementation.
In this regard, the CNMV also clarifies that compliance with standards such as ISO 27001 does not necessarily ensure compliance with DORA, and that entities must conduct their own gap analysis to assess alignment with the Act's requirements.
3. Management, classification and notification of ICT-related incidents
The CNMV clarifies that ICT‑related incidents –which include technical events and cybersecurity incidents– are unforeseen events that disrupt or degrade the normal functioning of ICT systems, compromising information security or the operational capacity of the financial entity. Effective incident management requires, amongst other measures:
- timely detection and documentation of incidents or anomalies;
- classification and severity assessments;
- clear allocation of roles;
- establishment of containment and recovery measures;
- root-cause analyses; and
- coordination with affected third‑party service providers.
An ICT-related incident is deemed to affect critical services where it impacts ICT systems supporting critical or important functions or services subject to prior authorisation or supervision, or where it involves effective, unauthorised and malicious access to the entity's systems or networks (article 6 of Delegated Regulation (EU) 2024/1772, the Delegated Regulation).
Incidents qualify as major ICT-related incidents where at least two of the materiality thresholds set out in article 9 of the Delegated Regulation –concerning the number of affected clients or transactions, reputational impact, duration, geographical spread, data loss, or economic loss (including personnel costs) suffered by the entity– are met.
In addition, recurring incidents that do not individually meet the thresholds may be considered major under article 8 of the Delegated Regulation where they recur multiple times within six months, stem from the same root cause and collectively exceed the materiality criteria. Certain events, such as DDoS attacks or phishing campaigns, are not automatically considered major, but may be classified as such depending on their impact on critical functions or on the scale and origin of the incident.
Where an incident is classified as major, financial entities must comply with the notification regime set out in article 19 DORA, including the submission of an initial notification, followed by an intermediate report within 72 hours, even where no material updates are available. Additional intermediate reports are required if normal operations have not been restored within the initial 72 hours, and a final report must be submitted within one month of the last intermediate notification.
Major incidents must also be communicated without undue delay to affected clients where their financial interests are impacted, and should be escalated internally to the Board of Directors and relevant senior management. If the entity later reclassifies an incident previously reported as major, it must notify the competent authority using the template in Annex II of Implementing Regulation (EU) 2025/302. All ICT incident notifications must be submitted at the level of each legal entity subject to DORA, which remains responsible for compliance –and subject to potential corrective measures or administrative sanctions under articles 50 and 51 DORA– even where reporting is outsourced to third parties.
Finally, the CNMV highlights a number of best practices in this regard, including:
- the establishment of clear internal incident-management procedures aligned with regulatory timelines and templates;
- the use of monitoring and early‑detection tools;
- regular incident simulations and testing;
- the promotion of an internal reporting culture;
- systematic incorporation of lessons learned;
- coordination with critical ICT third‑party providers; and
- timely communication with the competent authorities.
4. Digital operational resilience tests
The CNMV explains that under article 24 DORA, financial entities are required to establish, maintain and periodically review a digital operational resilience testing programme, applied at least annually to all ICT systems and applications supporting critical and important functions. Such programmes may include the following tests, all of which must be carried out by independent parties (whether internal or external):
- vulnerability assessments,
- open‑source software and source‑code analysis,
- network and physical security tests,
- scenario-based testing,
- penetration testing, and
- tests of business continuity plans and ICT system development and migration processes.
The appropriateness of the tests to be adopted is to be determined by each entity on the basis of the proportionality principle, considering its maturity level and the ICT risks involved. As such, microenterprises may apply a risk-based approach that balances available resources against the urgency of the risks identified, and they likewise benefit from exemptions from certain requirements, including independent testing, exhaustive follow-up of test results, and the obligation to test all ICT systems supporting critical and important functions. More advanced entities, particularly those whose disruption could affect financial stability, are subject to TLPT obligations, which must be conducted at least every three years and may be performed under recognised EU or national frameworks such as TIBER-EU and TIBER-ES, respectively.
To this end, the CNMV highlights the following best practices: definition of clear objectives and success criteria, participation of multidisciplinary teams, adequate documentation and traceability, and incorporation of test outcomes in the continuous improvement of digital operational resilience.
5. Management of third-party ICT risks
The CNMV recalls that DORA adopts a broad definition of ICT services, covering all digital and data‑related services provided on a continuous basis through ICT systems. Where a regulated financial entity provides a regulated financial service to another financial entity, any embedded ICT components are generally treated as part of a financial service for DORA purposes. By contrast, where ICT elements are independent or unrelated to the regulated financial service, they qualify as ICT services and fall within DORA's third‑party risk framework under its Chapter V.
DORA distinguishes between critical ICT third‑party service providers –as designated by the European Supervisory Authorities and subject to direct oversight under articles 31 to 44 DORA– and other ICT service providers contracted directly by financial entities. Financial entities remain responsible for identifying the providers that support their critical and important functions and for ensuring compliance with specific contractual and governance requirements, such as those set out in article 30(2) DORA. Entities must maintain a register of all third-party ICT service providers –including intragroup providers– prioritising those that are most relevant from a risk perspective and must comply with reporting obligations to competent authorities under article 28(3) DORA.
Before entering into ICT outsourcing arrangements, financial entities are required to conduct a risk‑based pre‑contractual assessment and due diligence, focusing primarily on:
- criticality,
- concentration risks,
- conflicts of interest,
- subcontracting arrangements, and
- the overall complexity of the ICT value chain.
Similarly, financial entities must retain appropriate termination and exit rights, notably in cases of:
- material non‑compliance by the provider,
- significant changes affecting the service,
- weaknesses in the provider's ICT risk management,
- impediments to effective supervisory oversight, or
- non-compliance with the subcontracting controls established legally or contractually.
However, the CNMV acknowledges that, given how recently DORA has come into application, financial entities may be unable to comply with all third-party ICT risk management obligations during the early stages.
In this context, the CNMV encourages financial entities to avoid excessive concentration of ICT service providers, given the operational risks this may entail, and recommends engaging independent monitoring services for the most critical providers where internal capabilities are insufficient.
The CNMV also clarifies that certifications such as ISO 27001 do not, in themselves, ensure compliance with DORA, as they are not specifically aligned with the Act, although they may support the due‑diligence assessment of ICT service providers.
Finally, the CNMV highlights key best practices for third‑party ICT risk management under DORA, including maintaining an inventory and classification of providers, conducting prior and ongoing assessments, incorporating clear contractual safeguards, establishing exit and contingency plans, and integrating third‑party risk management into the broader ICT risk management framework.
6. In conclusion
Ultimately, the CNMV's guidelines on DORA offer financial institutions a clear framework for strengthening digital operational resilience, emphasising the importance of a risk-based approach, sound governance and the proactive management of both ICT assets and third-party providers. Effective DORA implementation requires continuous assessment, comprehensive documentation and cross-functional integration of technological considerations into broader corporate strategy.
Although full compliance may prove challenging at this early stage, institutions that adopt best practices and anticipate regulatory obligations will be better positioned to enhance their incident preparedness, reduce their operational exposure and align with supervisory expectations that are shaping a new benchmark for digital risk management in the financial sector.
Footnotes
1. Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.
2. Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.
3. Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.