DORA obligations apply to different payment operators and processors in Spain

Spain

Royal Decree-Law 8/2023 applies certain obligations of DORA Regulation to payment system operators, payment scheme operators, electronic payment arrangement operators, payment processors and other technological or technical service providers.

On 28 December 2023, Royal Decree-Law 8/2023, of 27 December, adopting measures to address the economic and social consequences of the conflicts in Ukraine and the Middle East, as well as to mitigate the effects of the drought (hereinafter the "Royal Decree-Law"), was published in the Official State Gazette (BOE). Among other measures, the text includes certain obligations regarding operational digital resilience for payment system operators, payment scheme operators, electronic payment arrangement operators, payment processors and other technological or technical service providers who operate in Spain. These measures have been adopted in response to recent incidents with Redsys, the leading Spanish payment processor.

Specifically, the measures contained in the Royal Decree-Law are based on Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector (hereinafter "DORA") which, under recital 104, indicates that Member States "may draw inspiration from the digital operational resilience requirements set out in this Regulation when applying rules to payment system operators and processing entities in their own jurisdictions". In fact, the new requirements that the Royal Decree-Law imposes on these entities in Article 4 are those contained in Chapter II of DORA, which provides for obligations regarding information and communication technology ("ICT") risk management.

These requirements include governance and internal organisational measures, such as the direct responsibility of the board for ICT risk management, or measures, such as the implementation of a solid, comprehensive, and well-documented specific ICT-related risk management framework as part of the overall risk management system, to ensure a high level of digital operational resilience.

Finally, the Royal Decree-Law designates the Bank of Spain (“Banco de España”) as the competent authority to oversee compliance with these obligations, which will be enforceable on the different payment operators and processors and, therefore subject to sanctions in cases of non-compliance, as of 17 January 2025, the date on which DORA will also be enforceable on the remaining institutions in the financial sector.