Operational Resilience Portal

Information and resources about operational resilience and the DORA regulatory framework

 

Iberpay's commitment to digital resilience and the DORA regulations

Iberpay is responsible for managing the Spanish national payments system (the Sistema Nacional de Compensación Electrónica or SNCE) under Spanish Act 41/1999, of 12 November, on payment and securities settlement systems. Its main mission is to process and settle transactions between financial institutions, via a common, harmonised set of standards, the SNCE regulations and operating instructions, which are overseen and pre-approved by the Bank of Spain. Iberpay also provides a range of accessory and complementary services that add value for participants and for the wider payments ecosystem. All services are developed and implemented in compliance with prevailing industry rules and standards.

As part of this mission, Iberpay is strengthening its commitment to operational resilience, security and transparency and launching this Operational Resilience Portal as a resource and reference for users and stakeholders on all matters relating to Regulation (EU) 2022/2554, the Digital Operational Resilience Act or DORA.

About DORA: the new European framework

The DORA regulation has been in force since 17 January 2025 and sets a common framework to bolster the digital operational resilience of all financial institutions and operators in the European financial ecosystem. Its key aim is to ensure critical financial services can resist, respond to and recover from technological or cyber incidents, incorporating ICT risk requirements into general operational risk management.

Initially, DORA did not cover managers of national retail payment systems. However, Spanish lawmakers, in Royal Decree 8/2023, of 27 December, decided that payment systems operators would have to comply with Chapter II of the regulation.

In addition, the Bank of Spain, following guidance from the European supervisory authorities and recital 63 of the DORA regulation itself, ruled that payment systems operators should be considered to be ICT service providers solely for the purposes of DORA.

As Iberpay is therefore considered an ICT service provider, the financial institutions it deals with will have to apply the requirements of Chapter V, Section I on managing ICT third-party risk. Iberpay has sought to make DORA compliance a smooth process for financial institutions, thanks to a standard contractual addendum which is the same for all participants and covers all Iberpay services. The addendum has been pre-approved by the Bank of Spain and applies harmonised and proportionate principles through a resolution of the company's governance bodies.

Note that the expected direct application of Chapter V, Section I to payment systems operators depends on Article 20.1 of Spain's Draft Law on Digitization and Modernization of the Financial Sector receiving legislative approval.

DORA at Iberpay: scope and oversight

Based on the guidance of the European authorities and in coordination with the Bank of Spain, Iberpay has been considered to be an ICT service provider solely and exclusively for the purposes of the DORA regulation. This means that the technology services Iberpay provides to its participants will be subject to a number of obligations under the regulation.

It should be noted that Iberpay is not classed as a critical ICT third-party service provider (CTTP) and, therefore, is not subject to direct oversight by the European authorities under DORA. Instead, the Bank of Spain acts as competent authority for the purposes of the regulation.

Also, as a systemically important financial market infrastructure (FMI), Iberpay is subject to the European Central Bank’s (ECB) oversight framework for FMIs, applied in Spain by the competent authority: the Bank of Spain. The main principles and tools of this oversight strategy are the Principles for Financial Market Infrastructures (PFMI) published by the CPMI-IOSCO, which are the international standards for global risk management and operational resilience. This framework has been the core of Iberpay's resilience strategy since 2018 and already applies the principles that DORA has now brought into the European regulatory framework.

So, DORA is actually a consolidation of Iberpay's existing resilience management model, ensuring continuity and consistency between international requirements and the European oversight environment. DORA also imposes a stricter oversight and sanctioning framework across Europe, reinforcing practices of responsibility, transparency and regulatory compliance in matters of digital resilience.

Alignment plan: a sector-wide approach

To make sure all stakeholders can meet the new requirements in an efficient, consistent and proportionate way, on May 2025 the Iberpay Board of Directors, which includes representatives of all the main Spanish financial institutions, passed a resolution approving the DORA strategy and alignment plan, which was signed off by the Bank of Spain and is now being executed under the direct oversight of its governance bodies.


The plan's measures include the following:

  • Establish a common model contractual addendum for all ICT services and all participants that will channel the new regulatory obligations in a harmonised way and avoid duplication. The addendum, as revised by the Bank of Spain, covers issues such as access and audit rights, resilience obligations, and oversight and control systems under the DORA framework.
  • Coordinate joint ICT audits taking a common approach for the whole sector, so optimising resources, ensuring harmonisation and making the system more efficient.


This neutral, fair and coordinated approach bolsters the resilience and stability of the Spanish payment system, bringing the current technical framework into line with the new regulatory standards while setting out a clear path to compliance for participants.

Operational Resilience Portal: launch and development


The Operational Resilience Portal was conceived as an authoritative reference and transparency space for participants and institutions in the payments ecosystem.Through the portal, Iberpay will share relevant documentation as well as informative updates and support materials related to the application of DORA.

Institutional contact

Any queries relating to DORA or Iberpay's compliance process should ideally be channelled through the designated institutional representatives on the Board of Directors, technical committees or sector working groups. This will make sure they are dealt with in a coordinated and efficient manner.

However, Iberpay is making available a dedicated email for occasional consultations about DORA compliance issues which cannot be resolved through the usual channels or from the information on this portal: compliance@iberpay.com