The Spanish Securities Commission (CNMV) has published a set of frequently asked questions on Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), to clarify how in-scope financial entities should apply the framework and related cybersecurity good practices and standards. The document answers 74 questions grouped across DORA’s pillars: definitions, scope and proportionality; management of information and communication technology (ICT) risk; ICT-related incident management, classification and notification; digital operational resilience testing; and third-party ICT risk management. It also highlights areas where proportionality is particularly relevant, reflecting DORA mechanisms that tailor requirements to an entity’s size, overall risk profile, and the nature, scale and complexity of its services and operations. The document also notes a dedicated CNMV channel for DORA-related queries.
Spanish Securities Commission (CNMV) 2026-02-12
Spanish Securities Commission publishes 74-question FAQ on the Digital Operational Resilience Act
The Spanish Securities Commission (CNMV) released a FAQ document on Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), to guide financial entities on applying the framework and cybersecurity standards. The document addresses 74 questions on DORA’s pillars, emphasizing proportionality based on entity size, risk profile, and service complexity, and includes a CNMV channel for DORA-related inquiries.