DORA is EU Regulation 2022/2554 on Digital Operational Resilience for the financial sector. It applies from 17 January 2025 to banks, insurers, fintech, investment platforms and their critical ICT providers.
To whom does DORA apply in Spain?
Three blocks. Financial entities: credit institutions (commercial and investment banks), fund management companies, insurers and reinsurers, payment institutions and electronic money institutions (EMIs), crowdfunding service providers and other authorised fintech. Critical ICT third-party providers: those designated as critical by the European Supervisory Authorities (EBA, EIOPA and ESMA), typically cloud hyperscalers, payment platforms and sector-specific SaaS providers. ICT auditors in the sector: the internal auditors who review an entity's ICT risk-management framework must have sufficient knowledge, skills and expertise in ICT risk (Article 6).
What does an entity have to do to comply with DORA?
Five pillars. (1) A documented ICT risk-management framework, approved and overseen by the management body (board). (2) Management, classification and reporting of ICT-related incidents: major incidents go to the competent authority with an initial notification within 4 hours of being classified as major (and no later than 24 hours after the entity becomes aware of them), an intermediate report within 72 hours and a final report within one month. (3) A digital operational resilience testing programme: testing of the ICT systems that support critical or important functions at least yearly, plus threat-led penetration testing (TLPT, red team) at least every 3 years for the entities the supervisor designates. (4) Management of ICT third-party risk: contractual clauses, due diligence, continuous monitoring and a register of information covering every ICT third-party arrangement. (5) Voluntary exchange of cyber-threat information and intelligence among financial entities (the reporting obligation towards authorities is the one in pillar 2).
What is the difference between DORA and NIS2?
DORA is specific to the financial sector and its ICT providers. NIS2 is cross-cutting across critical sectors (energy, water, healthcare, food, digital infrastructure, etc.). For a financial entity DORA is lex specialis: where both regulate the same subject matter (ICT risk management, incident reporting, resilience testing), DORA applies and the corresponding NIS2 provisions do not. A manufacturing, water or energy company is subject only to NIS2. The overlap is controlled rather than absent: an ICT provider can be an essential or important entity under NIS2 in its own right and, at the same time, a critical ICT third-party provider overseen under DORA, and a single group can contain both DORA and NIS2 entities.
Official sources
- EUR-Lex · EU Regulation 2022/2554 DORA
- Banco de España · Operational resilience
- ESMA · DORA resources
Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.
Frequently asked questions
How does this apply to my SME?
It applies if you serve customers in Spain or process their data; each framework becomes mandatory above the size or sector thresholds we summarise in the table.
What does it cost in 2026?
Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).
Which Spanish regulation applies?
Depending on scope, the applicable references are RD 311/2022 (ENS, published in the BOE), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689).
How long does the implementation take?
On average 4-7 months for a single ISO standard. An integrated management system (SGI, e.g. ISO 9001 + 14001 + 27001) usually takes 8-12 months.
Can I co-finance it with Kit Digital or Kit Consulting?
Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.