Spain Moves to Demystify DORA With 74-Question Industry Guide

Key Takeaways
  • CNMV Issues DORA FAQ: Spain’s securities regulator has published 74 frequently asked questions clarifying how DORA should be applied in practice.
  • Structured Around Five Pillars: The guidance follows DORA’s architecture, addressing scope and proportionality, ICT risk management, incident reporting, resilience testing, and ICT third-party risk.
  • Operational Maturity in Focus: The CNMV highlights the financial sector’s heavy dependence on technology and service providers, emphasizing the need to strengthen digital operational resilience.
  • Proportionality Emphasized: The document identifies areas where DORA’s proportionality principle is particularly relevant, taking into account size, risk profile, and operational complexity.
Deep Dive

Spain’s securities regulator, the Comisión Nacional del Mercado de Valores, has recently published a detailed set of 74 frequently asked questions aimed at helping financial firms interpret and apply the EU’s Digital Operational Resilience Act.

The document, titled “Preguntas frecuentes sobre el Reglamento 2022/2554 de resiliencia operativa digital (Reglamento DORA),” is designed to answer practical questions that have emerged as firms work to embed DORA’s requirements into their day-to-day operations. The CNMV says its goal is to provide explanations to the sector, particularly financial institutions subject to the regulation, on how the rules should be applied.

The guidance is structured around DORA’s five pillars: definitions, scope and proportionality; ICT risk management; the management, classification and notification of ICT-related incidents; digital operational resilience testing; and ICT third-party risk management. In doing so, the regulator mirrors the architecture of the regulation itself, reinforcing that compliance under DORA cuts across governance, technology, incident response and vendor oversight.

In the document, the CNMV acknowledges the starting point for many firms. Financial institutions operate with a high degree of technological dependence and rely heavily on external service providers. Achieving the level of digital operational resilience expected under DORA, the regulator notes, requires a significant effort to reach sufficient maturity in this area.

DORA, which applies across the financial sector, introduces demanding requirements intended to strengthen resilience. The FAQ walks through those expectations, offering clarification on how good practices and cybersecurity standards should be implemented in line with the regulation.

At the same time, the CNMV emphasizes that DORA is not blind to differences across the market. The regulation incorporates mechanisms that allow for proportional application, taking into account an entity’s size, overall risk profile, and the nature, scale and complexity of its services and operations. The FAQ highlights areas where applying this principle is particularly important, signaling that while the bar is high, it is not uniform.

As supervisory expectations around operational resilience continue to sharpen across Europe, the publication positions the CNMV’s guidance as a practical reference point for firms working to translate DORA’s broad framework into concrete internal controls and processes.
