DORA TURNS GAPS INTO CONTRACTS

  • 4 days ago
  • 2 min read

Marc Andries, the Joint Oversight Director appointed by the European Supervisory Authorities to lead DORA's third-party oversight framework, designated 19 critical ICT third-party providers on 18 November 2025. That designation places every Iberian financial institution contracting with AWS, Microsoft, Google Cloud, Oracle, or SAP under direct pan-European scrutiny. It is not a warning. It is an audit trigger.


The audit trigger arrived on top of an already unstable foundation. Spain and Portugal both failed to fully transpose the DORA Directive before its 17 January 2025 application date, and the European Commission opened infringement proceedings against both on 27 March 2025. Portugal resolved its position through Law No. 73/2025, published on 23 December 2025, establishing fines reaching 5.000.000 euros or 10% of annual turnover, with personal liability for individuals and mandatory public disclosure of serious violations. Spain's national penalty regime remains incomplete, though its draft law already contemplates fines of up to 10.000.000 euros and managerial disqualification for up to ten years.


The incompleteness of Spain's national framework has not reduced urgency inside financial institutions. The CNMV's own self-assessment exercise, published in December 2024, found that 23% of supervised entities had no defined test plan, 27% had gaps in procurement and change management policies, and 22% had deficiencies in cryptography and key management. These are not preparedness scores. They are purchase orders waiting to be raised.


The origin of that urgency is concrete. On 18 November 2023, Redsys, the processor handling 85% of Spanish electronic payment transactions for around 60 financial institutions including Santander, BBVA, and CaixaBank, collapsed. It collapsed again five days later, hours before Black Friday. The two outages hit a network carrying 505.000.000.000 euros in annual value and left Spain briefly cashless. The government fast-tracked Royal Decree-Law 8/2023 within weeks, applying DORA's Chapter II ICT risk management obligations directly to payment processors. Redsys demonstrated in hours what DORA had been designed to prevent across years: concentration in ICT supply chains is not a theoretical systemic risk but an operational one.


The FSB's November 2025 peer review recommended that Spanish authorities use the registers of information to analyse concentration risk at a national level, and that the Banco de España formulate supervisory strategies to assist smaller entities in preparing for cyber resilience testing. Spanish less significant institutions alone reported over 3.000 third-party technology arrangements to the Banco de España.


Cybersecurity and identity vendors entering Iberia now face a market where the buying rationale has already been written by a regulator, and the gaps have already been quantified by the supervisor.

© 2025 iBerotech 