Miguel Ángel Perea Mora

Miguel Ángel is Senior Consultant in Governance, Risk, Compliance and Business Continuity at Govertis, part of Telefónica Tech.

Telefónica Tech
DORA Regulation (III): The European Supervisory Authorities in DORA. Keys to their regulatory role
As we have seen, the DORA (Digital Operational Resilience Act) Regulation has not only brought about a change in the way the European Union (EU) financial sector manages the risks arising from digitalisation; this change has also had a certain impact on the role played by EU supervisory bodies. Within this framework, the European Supervisory Authorities (ESAs) play an important role in ensuring regulatory compliance and the security of the digital financial ecosystem. Yet what functions do they have within the DORA framework? We are going to try to break down, with some examples, the functions and advantages of the ESAs.

What are the ESAs, and which ones operate within DORA?

First of all, it is worth explaining what these European Supervisory Authorities (ESAs) are. They are made up of:

- EBA (European Banking Authority): this is the European Union's regulatory body responsible for guaranteeing the stability and integrity of the European banking system, one of its functions being to develop a single regulatory and supervisory framework for all banking entities in the EU. This includes the creation of technical regulations, guidelines and standards that ensure consumer protection, transparency in banking services and prudent management of financial risks.
- ESMA (European Securities and Markets Authority): this authority is responsible for improving the functioning of financial markets and protecting consumers. Its functions include supervising securities markets, rating agencies, financial data providers, etc. Its role is key to guaranteeing a transparent, efficient and stable market, developing (like the EBA) technical standards and various guidelines.
- EIOPA (European Insurance and Occupational Pensions Authority): EIOPA, as the body that supervises the insurance and pensions sector in Europe, seeks to protect policyholders, pensioners and beneficiaries by promoting market stability and transparency.
Additionally, as with the EBA and ESMA, EIOPA also develops guidelines, recommendations and technical standards to strengthen the resilience and soundness of entities in the sector.

Therefore, these entities, in coordination with the European Central Bank (ECB) and other national authorities, are responsible for ensuring financial stability in the digital environment, harmonizing regulations and ensuring that entities comply with operational resilience requirements.

Supervision and regulatory compliance

In addition to the requirements set out in the Regulation, another pillar of DORA is the creation of a robust supervisory framework at European level, and in this respect the ESAs have an important role to play, for example when it comes to:

- Supervising financial institutions and essential ICT service providers: they will assess the digital operational resilience of banks, insurers, investment firms and other key players in the financial sector.
- Coordination with other national authorities, which in the case of Spain can be the CNMV, the DGSFP or the BdE: they will guarantee the homogeneous application of DORA in all Member States.
- The application of sanctions (the Draft Law on the Digitalisation and Modernisation of the Financial Sector has recently been published): in case of non-compliance, the ESAs may impose corrective measures and financial sanctions on non-compliant entities.

Incident notification and management

Cyber incident management is key in the DORA Regulation and also in the published technical standards. The ESAs, also in this case, play an important role:

- They centralise information on serious incidents and ensure that entities report within the established deadlines.
- They coordinate responses to try to prevent the spread of threats in the European financial ecosystem.
- They analyze trends and issue recommendations to strengthen the digital security of financial institutions.
In addition, they can also receive information about significant cyber threats.

Let's remember that, according to the DORA Regulation, an ICT incident classified as serious must be reported within a maximum period of 24 hours from its detection.

Oversight of third-party ICT service providers

This is perhaps one of the most important issues within DORA, and the Regulation establishes requirements for implementing strict control over ICT providers that are considered essential to the financial sector. In this regard, the ESAs have the power to:

- Request and maintain a register of the ICT providers of financial entities at EU level.
- Evaluate and designate critical providers to guarantee their reliability.
- Require periodic audits and risk assessments and carry out other types of supervision.
- Request that measures be taken to correct or mitigate identified deficiencies if they present security risks.

Having well-defined document management and governance in place also facilitates adaptation to new regulations, integrating improvements without the need to restructure the entire document management system.

Pentesting

The ESAs also oversee threat-led penetration testing (TLPT) designed to assess the resilience of entities. The functions to be carried out include:

- Defining TLPT testing methodologies based on the TIBER-EU framework.
- Evaluating and selecting the entities that must undergo mandatory testing according to their risk profile.
- Supervising the application of corrective measures based on the results of the tests carried out.

Benefits of having the ESAs in the DORA framework

The role of the ESAs within DORA brings benefits to the European financial sector and to service users. Examples include the following:

- Greater harmonization and regulatory consistency: regulatory differences between countries are avoided, guaranteeing a level playing field for all entities and achieving a more cohesive regulatory landscape.
- Better protection against cyber threats: supervision also improves the sector's preparedness for attacks or other disruptive events.
- Transparency and trust in the market: regulation reinforces the credibility of financial institutions and their suppliers in the eyes of society in general.

Conclusion

The European Supervisory Authorities play a key role within DORA by ensuring that the financial sector is more secure, resilient, and prepared for digital challenges. The economic stability of the EU is strengthened by their work in supervising entities, regulating ICT providers, and managing cyber incidents. Finally, this collaboration will become increasingly important because, in an increasingly interconnected world, having strong and well-coordinated bodies will make the difference between financial security and vulnerability.
April 15, 2025
Telefónica Tech
DORA Regulation (II): Impact on governance. The management body's role
The Digital Operational Resilience Act (DORA) has already received significant attention, primarily because it compels financial entities to adopt measures that ensure digital operational resilience. These measures include technical and organizational requirements. One of the key elements of the Regulation is the mandatory documentation institutions must produce and maintain, ranging from strategic policies to operational procedures. The central question we must ask is: how should the approval of this documentation be managed? Defining the appropriate approval level is essential to ensuring effective governance while avoiding both excessive bureaucracy and the absence of oversight in critical decision-making processes.

This series of articles will explore in detail the key aspects of the Regulation, its implications, the challenges and progress seen across the financial sector, and how DORA is influencing the evolution of security, resilience, and modernization within the industry.

Types of documentation and their approval level

To better understand how DORA affects internal governance structures, we begin by distinguishing among several types of documentation. These include, among others:

- Policies: these are high-level directives that establish strategic principles. They must be approved by senior management or the board of directors.
- Procedures: these outline the operational steps required to implement policies. Typically, they fall under the approval remit of the Chief Information Security Officer (CISO), Chief Information Officer (CIO), or designated security leads.
- Plans and strategies: this category includes business continuity plans, operational resilience frameworks, or incident management strategies. Given their strategic impact, they may require senior-level approval.
- Records and audits: these document activities and regulatory compliance. They are usually handled and approved by technical leads and audit departments.

Regarding approval levels, Article 5 of the DORA Regulation stipulates that the Management Body is responsible for approving the ICT risk management framework, including all core policies. Beyond this explicit requirement, there are other instances where the Regulation outlines the involvement of the Management Body, such as:

- Approval of business continuity and recovery plans, as defined in Article 11.
- Oversight of third-party management, including approval of the ICT third-party service provider policy and regular review of risks associated with external providers, in accordance with Article 28.

These responsibilities underscore the pivotal role the Management Body plays in the document management process, reinforcing the extent to which DORA influences cyber security governance and resilience within financial institutions.

Practical examples of approval levels

Based on DORA's approval requirements, the following examples illustrate how this might be implemented in practice:

Example 1: ICT risk management

- ICT Risk Management Policy → Management Body. This document outlines how the institution handles ICT-related risks. Given its critical impact on operational resilience, it requires senior leadership endorsement.
- ICT Risk Assessment Procedure → CISO / Risk Officer. This document describes the methodology used to assess risks. Since it is primarily operational, it may be approved by those responsible for its execution.

Example 2: Access control

- Access Management Policy → Management Body. This defines the overarching principles and rules for accessing critical systems and data.
Because of its broad applicability across the organization, senior leadership should approve it.

- Access Control Procedure → CISO / Security Officer. This outlines the detailed steps for granting, modifying, and revoking access. It can therefore be approved at a more operational level.

Example 3: ICT vendor management

- ICT Vendor Oversight Policy → Management Body. Given that ICT vendors may pose systemic risks, strategic-level approval is warranted.
- ICT Vendor Assessment Procedure → Third-Party Management Officer (if such a role exists). This document specifies the controls and checks applied during periodic assessments.

Clearly, the specifics will depend on the institution's internal structure. Not all organizations will have the same number of technical officers or defined roles, which means some responsibilities may need to be distributed accordingly. Correctly defining the approval level is not only a regulatory requirement; it directly impacts governance and operational efficiency.

Impact on governance and decision-making

Delving deeper into the Regulation's structure, we see that it introduces a regime of sanctions focused specifically on financial institutions' digital and operational security. By looking at these examples, it becomes evident that defining the proper approval level is not just about compliance; it is a foundational element of internal governance and operational efficiency:

- Balancing control and agility: if the Management Body approved every technical procedure, day-to-day operations would grind to a halt. Delegating approval authority to operational roles enables agile execution while preserving strategic oversight.
- Clarifying accountability: each organizational tier knows exactly which decisions fall under its remit. This prevents overlaps and blind spots, ensuring better regulatory compliance and more efficient decision-making.
- Optimizing organizational structure: clear assignment of approval responsibilities fosters an effective division between strategic and operational functions. This specialization supports both accountability and efficiency.
- Ensuring regulatory compliance: a clearly defined approval structure allows organizations to demonstrate alignment with DORA requirements during audits, minimizing penalty risk.

Furthermore, a well-designed documentation governance model makes it easier to adapt to new regulations, allowing improvements to be integrated without requiring a complete overhaul of the existing document management framework.

Strategic policies must be approved by the Management Body, whereas technical procedures can be delegated to operational managers.

Conclusion: governance's key strategy

DORA mandates that key policies and strategies be approved by the Management Body, while technical procedures may be delegated to operational stakeholders. This division of responsibilities is central to optimizing governance and digital operational resilience. The crux of the matter is that without a well-defined assignment of approval responsibilities, organizations risk inefficiency, overlapping functions, and inadequate supervision. Properly defining these levels not only ensures DORA compliance but also strengthens the internal control framework and enhances the organization's ability to respond to ICT-related risks.

Therefore, each institution must review and adapt its documentation processes to ensure that they not only meet regulatory obligations but also enable agile and effective management of digital operational resilience. A well-defined assignment of responsibility for document approval not only ensures compliance with DORA but also strengthens the internal control framework and improves the institution's responsiveness to ICT risks. Moreover, executive involvement in approving critical documents reinforces a culture of compliance and accountability.
When senior leaders endorse key documentation, it cultivates an environment where all levels of the organization understand the importance of following established procedures. This reduces risk and improves preparedness for audits and potential incidents. Over time, it also accelerates decision-making and improves the effectiveness of execution.

Finally, direct supervision by senior management in the approval process enhances the company's credibility with regulators, clients, and partners. It signals a genuine commitment to cybersecurity, business continuity, and risk management, all of them central pillars of the DORA Regulation. With a robust, top-down approved documentation framework, the organization becomes more resilient, reducing uncertainty and increasing its ability to adapt to new regulatory demands and operational challenges.

Direct supervision by senior management in the document approval process strengthens the company's credibility and demonstrates a genuine commitment to cybersecurity and risk management.
April 2, 2025
Telefónica Tech
DORA Regulation (I): challenges in the digitalization of the financial sector
It is well known that digital transformation in the financial sector has acquired a central role in the evolution of the global economy and, therefore, also in the national economy. This transformation has recently been reinforced in Spain by the Draft Bill for the Digitalization and Modernization of the Financial Sector, which seeks to harmonize technological innovation with a solid regulatory framework.

In this series of articles, we will analyze in detail the key aspects of this draft bill, its implications, the advances and challenges facing the financial sector, and the impact of the DORA Regulation on improving the security, resilience and modernization of the sector.

Digitalization in the financial sector

The advance of digital technologies has made it possible to achieve greater operational efficiency in financial institutions. The automation of processes, the growth of digital services, and the search for a better user experience are good examples of this. However, these same advances pose new challenges in cyber security and this, in turn, implies challenges in terms of regulatory approaches.

Cyber-resilience: a fundamental pillar

One of the cornerstones of the draft bill is the implementation of the DORA (Digital Operational Resilience Act) Regulation which, as we know, requires various entities in the financial sector to adopt measures against cyberattacks, for risk management and for incident notification, and requires other bodies to create supervision mechanisms and even sanctions for possible non-compliance. The aim is to avoid, as far as possible, the unavailability of financial services and also to establish security responsibilities.

A sanctioning framework to ensure the digital resilience of institutions

Looking further into the different issues covered by the draft bill, we can see that it introduces penalties focused on the digital and operational security of financial institutions.
On the one hand, fines will be classified according to the seriousness of the infraction. Penalties may be imposed for non-compliance in aspects such as incident management, failure to adapt to the DORA Regulation itself, or the lack of adequate protection in infrastructures. Penalties will also be imposed on companies that fail to comply with the requirement of training and education in cyber security for their personnel. Finally, the responsibility of directors and administrators in the entities is established, introducing mandatory corrective measures and/or personal sanctions.

Continuing with this sanctioning framework, and given that this draft bill has yet to be approved, we will give just a few examples of the fines or sanctions set out above:

Penalties for non-compliance in incident management:

- Failure to report incidents: fines that could reach up to 2 million euros.
- Incorrect classification of incidents: lack of proper protocols could result in penalties that take into account the percentage of current turnover.
- Absence of recovery plans, which could lead to temporary suspension of operations.

Penalties for failure to comply with the DORA Regulation:

- Deficiencies in the supervision of ICT suppliers: outsourcing services without adequate security guarantees can result in penalties of up to 5% of annual turnover.
- Failure to implement resilience tests: penalties may be imposed on entities that do not carry out periodic drills or tests.
- Lack of an ICT risk management strategy: an entity that fails to implement an adequate risk management framework could face financial penalties and must implement corrective measures if necessary.
Challenges for financial institutions

The implementation of the DORA requirements may present several challenges, such as the costs that institutions will have to bear to avoid such sanctions, or the need for frequent audits to ensure a high level of compliance.

Towards a more resilient financial sector

The Draft Bill for the Digitalization and Modernization of the Financial Sector in Spain establishes a rigorous sanctioning regime to ensure the cyber-resilience of the financial sector and of the entities affected by the DORA Regulation. The draft bill provides for significant financial penalties and mandatory corrective measures to reinforce security and resilience. These measures will therefore also strengthen public confidence in the services offered by financial institutions. Above all, and finally, this regulatory framework seeks to ensure a safer and more stable environment for businesses and consumers.

However, as this is a preliminary draft, this text is an initial proposal and it should be noted that it has not yet been approved, so its content may be modified during its parliamentary processing. It is therefore only after its approval that we will be able to know the final version and all its implications, although it is true that, even subject to possible changes, we can already get an idea of the fines or penalties that could be imposed in the event of non-compliance with the DORA requirements.
March 19, 2025
Cyber Security
The DORA Regulation and its Regulatory Technical Standards (RTS)
A little less than a month before the one-year anniversary of the publication and subsequent entry into force of the DORA Regulation, little by little more details are becoming known about how the subjects bound by the Regulation must prepare themselves to comply with this standard and be able to adapt to its requirements before its date of application, set for January 17, 2025.

Background

Indeed, DORA, the new (or not so new) European Regulation on the digital operational resilience of the financial sector, was born with the idea of responding to the fundamental role that the use of information and communication technologies (ICT) has come to play in the provision of financial services, acquiring primary importance in the execution of the typical functions of all financial institutions. DORA aims to achieve a high common level of digital operational resilience within EU financial institutions.

Increasing digitization in the financial sector, which leads to greater efficiency for institutions and greater convenience for customers, also implies a number of risks that financial institutions must manage, as this increased digitalization makes these institutions more vulnerable to cyber threats. In an attempt to respond, the DORA Regulation establishes uniform requirements relating to the security of the networks and information systems that underpin the business processes of financial entities.

The requirements established by the Regulation can be divided into 6 main areas:

1. Governance of ICT within financial institutions.
2. ICT risk management.
3. Third-party ICT risk management.
4. Incident management and reporting.
5. Operational resilience testing.
6. Information sharing.

However, among all the requirements demanded in the articles of the Regulation, it is emphasized that some of these should be dealt with in a more specific way, to be developed by the European Supervisory Authorities (ESAs) more precisely than the Regulation itself indicates.
What mandate does DORA give to the ESAs regarding risk management?

DORA specifically indicates that these ESAs, composed of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), in consultation with the European Union Agency for Cybersecurity (ENISA), will develop common Regulatory Technical Standards (RTS) to specify other elements that are not in the Regulation but that obliged entities must also apply in their organization.

This mandate granted to the ESAs is developed in several articles of the Regulation. Focusing on the aspects related to risk management, Articles 15 and 16.3 of DORA indicate, in summary, that:

Article 15. Increased harmonization of ICT-related risk management tools, methods, processes and policies

The ESAs shall develop technical standards in order to:

a) Specify other elements to be included in ICT security policies, procedures, protocols and tools;
b) Develop new components of access management rights controls;
c) Further develop mechanisms to enable early detection of anomalous activity and criteria to trigger ICT incident detection and response processes;
d) Further specify the components of the ICT business continuity policy;
e) Specify in more detail the testing of ICT business continuity plans;
f) Specify in more detail the components of ICT response and recovery plans;
g) Further specify the content and format of the report on the review of the ICT risk management framework.

These RTS should take into account the size and overall risk profile of the financial institution, as well as the nature, scale and complexity of its services, activities and operations.
Article 16.3. Simplified framework for ICT risk management

This article applies to certain smaller or less interconnected financial entities, and establishes requirements on:

a) Elements to be included in the ICT-related risk management framework;
b) Specify in more detail the elements in relation to systems, protocols and tools to minimize the consequences of ICT-related risk;
c) Specify in more detail the components of ICT business continuity plans;
d) Specify in more detail the standards for testing business continuity plans and ensuring the effectiveness of the controls in place;
e) Further specify the content and format of the report on the review of the ICT risk management framework.

These RTS will also have to take into account the size and overall risk profile of the financial institution, as well as the nature, scale and complexity of its services, activities and operations.

Finally, both Article 15 and Article 16.3 establish January 17, 2024 as the deadline for the submission of these technical standards.

Current status of the Regulatory Technical Standards

As we have just mentioned, the submission of the Technical Standards will take place shortly. Even so, the ESAs have been publishing drafts of these standards which, after having been submitted for consultation, are awaiting their official and definitive presentation.

In addition to the above, although in this article we have only referred to the RTS on risk management, it is also expected that other standards will be published to clarify other requirements established by the Regulation. In particular, the Standards to be presented no later than January 17, 2024 will be as follows:

- ICT risk framework: RTS on ICT Risk Management Framework (Art. 15) and RTS on Simplified Risk Management Framework (Art. 16.3).
- Classification and notification of ICT-related incidents:
  RTS on ICT incident classification criteria (Art. 18.3).
- Third-party risk management: ITS for establishing information recording templates (Art. 28.9) and RTS for specifying the policy on ICT services performed by third parties (Art. 28.10).

In summary, the Standards that are expected are those cited below, marking in blue those that will be presented at the beginning of 2024:

DORA compliance and Technical Standards

However, after all the above, how should we comply with these Technical Standards? Or, more precisely, do we comply only with the Standards, only with the Regulation, or with both?

The ESAs and other competent authorities explicitly state that these Standards must be complied with in addition to the requirements of the Regulation, so all regulated entities must comply with both the obligations of the Regulation and the guidelines developed in the Technical Standards. As the ESAs specifically point out in the publication for consultation on the RTS, "the requirements set out in the standards are complementary to the requirements for the ICT risk management framework already set out in DORA and should therefore be read in conjunction with the related articles of DORA (articles 5-16)".

Conclusion

One year after the publication of the Regulation, and with the imminent publication of the first Technical Standards by the ESAs, it will be possible to undertake in a robust manner the different actions that each organization must carry out in order to comply with DORA. In this sense, the current moment invites organizations to carry out this adaptation, since there is enough information to undertake it and, in addition, there is enough time to carry out the necessary actions without reaching the date of application of the Regulation insufficiently prepared for compliance.
From Govertis, part of Telefónica Tech, we offer the necessary solutions for obliged entities, establishing the actions in due time and form for adapting to and complying with DORA, and thus arriving prepared for the key date of application of the Regulation.
December 18, 2023