DORA Regulation (I): challenges in the digitalization of the financial sector
It is well known that digital transformation in the financial sector has acquired a central role in the evolution of the global economy and, therefore, also in the national economy. This transformation has recently been reinforced in Spain by the Draft Bill for the Digitalization and Modernization of the financial sector, which seeks to harmonize technological innovation with a solid regulatory framework.
In this series of articles, we will analyze in detail the key aspects of this draft bill, its implications, the advances and challenges facing the financial sector, and the impact of the DORA regulation on improving the security, resilience and modernization of the sector.
Digitalization in the financial sector
The advance of digital technologies has made it possible to achieve greater operational efficiency in financial institutions. The automation of processes, the growth of digital services, and the search for a better user experience are good examples of this. However, the same advances pose new cyber security challenges, which in turn call for new regulatory approaches.
Cyber resilience: a fundamental pillar
One of the cornerstones of the draft bill is the implementation of the DORA (Digital Operational Resilience Act) regulation which, as we know, requires entities in the financial sector to adopt measures for protection against cyberattacks, ICT risk management and incident notification, and requires other bodies to create supervision mechanisms and even sanctions for possible non-compliance. The aim is to avoid, as far as possible, the unavailability of financial services and also to establish security responsibilities.
A sanctioning framework to ensure the digital resilience of institutions
Looking further into the issues covered by the draft bill, we can see that it introduces penalties focused on the digital and operational security of financial institutions.
On the one hand, fines will be classified according to the seriousness of the infraction. Penalties may be imposed for non-compliance in aspects such as incident management, failure to adapt to the DORA Regulation itself, or the lack of adequate protection in infrastructures. Penalties will also be imposed on companies that fail to comply with the requirement of training and education in cyber security for their personnel.
Finally, the responsibility of Directors and Administrators in the entities is established, introducing mandatory corrective measures and/or personal sanctions.
Continuing with this sanctioning framework, and given that the draft bill has yet to be approved, we give just a few examples of the fines or sanctions it sets out:
Penalties for non-compliance in incident management:
- Failure to report incidents. Fines that could reach up to 2 million euros.
- Incorrect classification of incidents. Lack of proper protocols could result in penalties that take into account the percentage of current turnover.
- Absence of recovery plans, which could lead to temporary suspension of operations.
Penalties for failure to comply with the DORA Regulation:
- Deficiencies in the supervision of ICT suppliers. Outsourcing services without adequate security guarantees can result in penalties of up to 5% of annual turnover.
- Failure to implement resilience tests. Penalties may be imposed on entities that do not carry out periodic drills or tests.
- Lack of an ICT risk management strategy. An entity that fails to implement an adequate risk management framework could face financial penalties and must implement corrective measures where necessary.
Challenges for financial institutions
The implementation of the DORA requirements may present several challenges, such as the costs that institutions will have to bear to avoid such sanctions, or the need for frequent audits to ensure a high level of compliance.
Towards a more resilient financial sector
The draft bill for the Digitalization and Modernization of the Financial Sector in Spain establishes a rigorous sanctioning regime to ensure the cyber resilience of the financial sector and of the entities affected by the DORA Regulation. The draft bill provides for significant financial penalties and mandatory corrective measures to reinforce security and resilience. These measures will therefore also strengthen public confidence in the services offered by financial institutions.
Finally, and above all, this regulatory framework seeks to ensure a safer and more stable environment for businesses and consumers. However, as this is a preliminary draft, the text is an initial proposal that has not yet been approved, so its content may be modified during its parliamentary processing.
It is therefore only after its approval that we will know the final version and all its implications, although it is true that, even subject to possible changes, we can already get an idea of the fines or penalties that could be imposed in the event of non-compliance with the DORA requirements.