DORA DRIVES IBERIAN VENDOR SPEND
Rodrigo Díaz-Jares Amorós, Associate in Financial Regulation at DLA Piper Spain, documented in October 2025 that while DORA harmonises substantive obligations across the European Union, it leaves penalty regimes to the Member States. The resulting divergence has produced two materially different enforcement environments on the Iberian Peninsula under a single regulation.
Portugal moved first. Law No. 73/2025, passed on 23 December 2025, activated an autonomous sanctions regime carrying fines of up to 5 million euros or 10% of annual turnover, with personal liability provisions attached. Spain's national implementing law is still pending in parliament: the proposal caps fines at 5% of annual turnover, but no regime has been finalised.
The legislative gap in Spain has not neutralised the commercial trigger. The Comisión Nacional del Mercado de Valores published a self-assessment report in December 2024 showing that 23% of supervised entities had no defined test plan and 22% had no cryptography and key management policy. These are not abstract governance shortfalls but documented absences that map directly onto DORA's ICT risk management framework (which requires a cryptography policy) and its digital operational resilience testing programme. The CNMV has since clarified that ISO 27001 certification does not substitute for a DORA-specific gap analysis.
The Redsys outages of November 2023 produced the clearest illustration of the ICT third-party concentration risk DORA is structurally designed to address. Redsys processes 85% of card transactions for approximately 60 Spanish financial institutions, moving more than 505 billion euros annually through its network. When it failed on 18 November 2023, the only functioning terminals were those connected to its sole competitor. The Spanish government's response was Royal Decree-Law 8/2023, which applied DORA-type obligations to payment processors ahead of the EU-wide application date and designated the Bank of Spain as competent authority.
Deloitte's compliance readiness data confirms where the purchasing window sits. As of January 2025, when DORA became applicable, only 25% of institutions considered themselves compliant with the ICT risk management requirements, and only 8% with resilience testing and third-party risk. A further 38% pushed their full compliance target into 2026, entering the active enforcement phase with known gaps.
Large Spanish banks under direct European Central Bank supervision already had the European Banking Authority's outsourcing guidelines to build on, and could treat DORA as an incremental update rather than a rebuild. The addressable spend for cybersecurity and identity vendors is therefore concentrated in the mid-tier: payment institutions, fintechs, insurance intermediaries, and crypto-asset service providers that never built a comparable foundation.
The 19 critical ICT third-party providers designated by the European Supervisory Authorities in November 2025 now face direct oversight, meaning that every Iberian financial entity contractually dependent on one of those providers inherits an audit surface it did not previously carry.