Small-to-mid-sized banks, fintechs, asset managers, payment entities, alternative-credit platforms, investment firms: the financial sector in Spain and Portugal operates under the strictest regulatory framework outside defense. DORA has applied since 17 January 2025 and has turned digital operational resilience from a best practice into a supervised obligation.
Impulso Tecnológico accompanies mid-sized Iberian financial entities with a specific proposition: making the speed of fintech innovation compatible with DORA / MiFID II / PSD2 compliance without compliance killing agility.
Typical challenges in financial services
- DORA with no plan: applies since 17 January 2025 to every regulated financial entity. ICT risk management framework, classification and reporting of major ICT-related incidents, digital operational resilience testing (including threat-led penetration testing for designated entities), a register of information on all ICT third-party arrangements and oversight of critical ICT providers. Administrative penalties are set by each national competent authority rather than as a fixed EU-wide percentage of revenue; the Regulation itself only fixes periodic penalty payments for critical ICT third-party providers (up to 1% of average daily worldwide turnover).
- MiFID II + reporting: full order traceability, clock synchronisation to UTC under RTS 25 (microsecond granularity for high-frequency trading, millisecond for other electronic trading), recording of telephone conversations and electronic communications, retention for 5 years (up to 7 on request of the competent authority). Encryption of the recordings is not mandated but is the expected control for protecting them.
- PSD2 / SCA: open banking, Strong Customer Authentication, regulated account-access APIs, TPP (third-party provider) management.
- Operational AML / KYC: anti-money-laundering screening, beneficial owners, source of funds, suspicious-transaction reporting to SEPBLAC (Spain) and supervision by BdP (Portugal).
- Operational resilience: demonstrable capacity to survive a major incident without interrupting critical services. Active-active or active-passive architecture plus a business continuity plan that has actually been exercised, not just written.
- Constant audits: BdE, CNMV, BdP, CMVM, EIOPA; each inspection asks for detailed technical evidence on tight deadlines.
How we tackle it at Impulso
- DORA implemented in blocks: gap analysis against the published RTS/ITS, ICT-related incident classification and reporting process, register of information on ICT third-party arrangements with DORA-compliant contractual clauses, TLPT (Threat-Led Penetration Testing) when the competent authority requires it.
- Measurable operational resilience: active-active or active-passive architecture sized to the agreed RTO/RPO, major-incident drills every 6 months, real-time SLA metrics dashboard.
- Financial cybersecurity with Fortinet + Sophos: network segmentation, MFA on all accounts, DDoS protection, 24/7 monitoring with managed SIEM.
- MiFID II / PSD2 documented compliance: order traceability, UTC-synchronised time-stamping, encrypted voice and communication records, PSD2 APIs with full audit trail.
- Operational AML / KYC: Refinitiv, Dow Jones or equivalent integration; automated screening and review flow.
- 24/7 support with financial SLA: under 15 minutes response for critical incidents, preferential vendor escalation, client portal with DORA metrics.
Iberian financial regulatory framework
- DORA (Regulation (EU) 2022/2554): in force since 16 January 2023, applies since 17 January 2025. ICT risk management, incident classification and reporting, resilience testing, ICT third-party risk. Penalties are set by the national competent authorities; only the periodic penalty payments for critical ICT third-party providers (up to 1% of average daily worldwide turnover) are fixed in the Regulation itself.
- MiFID II (Directive 2014/65/EU): order traceability, product governance, recording of telephone conversations, price transparency, clock synchronisation (RTS 25).
- PSD2 (Directive (EU) 2015/2366): open banking, SCA, TPP management.
- AML / 6AMLD (Directive (EU) 2018/1673): anti-money-laundering. SEPBLAC (Spain) and BdP (Portugal) supervise.
- GDPR + LOPDGDD (Spain) / Law 58/2019 (Portugal): financial data is not in itself an Art. 9 special category, but it becomes one when it reveals health data (insurance, medical credit), and profiling or automated credit decisions trigger the Art. 22 safeguards and a DPIA.
- NIS2 (Directive (EU) 2022/2555): banking and financial market infrastructures are Annex I sectors of high criticality, so large entities are essential and medium-sized ones important; for entities already covered by DORA, DORA applies as the sector-specific act and its ICT risk, incident-reporting and testing rules take precedence.
Why Impulso for Iberian financial services
- Real regulatory experience: we have prepared clients for BdE, CNMV and BdP inspections, with documented evidence that has survived audit.
- Iberian coverage: technical presence in Madrid and Lisbon with bilingual team — simultaneous coverage of the entity and its subsidiary.
- Fortinet, Sophos, Veeam and Microsoft partner: a stack with the certifications that financial procurement requires.
- No invoice surprises: fixed monthly fee, vendor escalation included, SLA measurable in the contract.
If your financial entity needs to tackle DORA, prepare for inspections, or replace an IT provider that doesn't scale, we offer a free initial conversation: 90 minutes with a senior consultant, executive diagnosis within 10 days.