How will the new DORA regulation affect investment entities?
The entry into force of the Digital Operational Resilience Act (DORA) marks a turning point in the landscape of European financial regulation. This regulation, which requires financial entities, including investment or crowdfunding firms, to strengthen their digital resilience, properly manage technological risks, and improve their response protocols to cyberattacks, is set to transform not only the internal operations of these actors but also the ecosystem in which they operate, including the Fintech and Proptech sectors.
Urbanitae, as a key player in the investment sector, finds itself at the center of this change, highlighting the importance of adapting to an increasingly demanding regulatory environment.
What is DORA?
DORA, or the Digital Operational Resilience Act, is a European Union regulation that establishes a uniform legal framework to ensure digital operational resilience in the financial sector. Its main objective is to ensure that all financial entities, from banks to investment firms and ICT service providers, have robust systems that enable them to manage technological and operational risks, protect their customers’ information, and ensure the continuity of their services in the face of potential cyberattacks or disruptive incidents.
The regulation came into force on January 16, 2023, and became applicable on January 17, 2025, granting a two-year adaptation period for entities to comply with its stringent requirements. These include the implementation of contingency plans, periodic risk assessments, and operational resilience testing, all of which are key measures to enhance digital resilience and protect data in an increasingly interconnected and vulnerable environment.
As outlined by the Ministry of Economy, Trade, and Business, this regulation is particularly relevant for investment entities, as it reinforces cybersecurity in handling large volumes of sensitive information and establishes a standard that harmonizes practices across the EU.
According to Nacho Bautista, head of the crowdfunding division at the Spanish Association of FinTech and InsurTech (AEFI) and CEO of Fundeen, “DORA is not about making suggestions; it is about setting requirements. And what it demands is that investment entities stop treating cybersecurity as a checkbox exercise and start seeing it as a fundamental pillar of their operations. Having a decent antivirus or making occasional backups is no longer enough. Now, we are talking about managing digital risks with the same seriousness as financial risks.”
How should entities prepare for the new regulation?
Adapting to DORA requires a comprehensive transformation in risk management and digital operations. Financial institutions must begin with a complete diagnosis of their technological infrastructure, carefully identifying and classifying their critical assets and processes. This will allow them to detect vulnerabilities and implement necessary protection measures to minimize risks.
“Risk management is going to become more proactive than reactive. It will no longer be just about fixing problems when they occur but about anticipating and preventing them. This means establishing continuous controls over all critical systems, conducting frequent internal audits, and maintaining constant monitoring of potential vulnerabilities,” explains Bautista.
At the same time, it is crucial to reassess relationships with external providers. As stated by the European Securities and Markets Authority (ESMA), DORA imposes strict oversight over the entire supply chain of ICT services, requiring that every collaborator meet established security standards. Reviewing and updating contracts with clear clauses defining responsibilities and notification protocols is essential.
Furthermore, entities will need dedicated cybersecurity teams, professionals who understand both technology and the specific risks of the financial sector. “Real-time monitoring tools and intrusion detection systems will also be essential to react swiftly to any threat,” adds the AEFI and Fundeen representative.
How does the DORA regulation impact entities like Urbanitae?
As a crowdfunding platform regulated by the Spanish National Securities Market Commission (CNMV), Urbanitae is subject to a regulatory framework that ensures transparency and investor protection, but it must also adapt to the new DORA requirements.
“Real estate crowdfunding platforms and those in other sectors, due to their digital nature, are particularly exposed to technological risks. Complying with DORA may seem like a burden at first (more costs, more processes, more audits…), but it can also become a key differentiator,” explains Bautista.
The impact of DORA on an entity like Urbanitae is reflected in the need to strengthen cybersecurity and technological risk management. The regulation requires financial entities, including real estate crowdfunding platforms, to establish robust systems to identify and mitigate vulnerabilities in their digital infrastructures. This means Urbanitae must review and audit not only its own systems but also the chain of technology providers it relies on for processing and storing investor and project information.
In this regard, Nacho Bautista highlights that “investors are not only looking for good returns; they are also looking for trust. In a world where cyberattacks are increasingly frequent, knowing that your money is protected by a platform that meets the highest security standards is undoubtedly an added value.”
Although adapting to DORA presents challenges in terms of investment and technological upgrades, Urbanitae sees it as an opportunity to position itself as a benchmark in the sector, demonstrating a strong commitment to digital security and operational resilience.
Application of DORA in other sectors
Although DORA primarily targets the financial sector, its implications extend beyond it. Insurance companies, cloud service providers, and telecommunications entities will also be required to raise their security standards, promoting the standardization of security practices across Europe.