
DORA Regulations: How to comply with European regulations and avoid risks in your legal translations

Written by Anabel Ruiz, Director of Operations at ATLS
Reading time: 8 minutes

The DORA regulation, officially Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, has applied since 17 January 2025 with a clear mandate: financial entities and all the relevant ICT providers that support them must be able to demonstrate that they operate under auditable security, traceability and control standards.

What many law firms and financial institutions have not yet processed is that this perimeter includes their translation providers.

What is the DORA regulation and who does it affect?

DORA is the European regulation that harmonizes the digital operational resilience requirements for the financial sector.

It applies to banks, insurers, fund managers, investment firms, trading platforms and, critically, to all ICT service providers that support them, from large cloud infrastructures to more specialized providers that, until now, no one considered part of the technological risk map.


The DORA regulation does not prohibit the outsourcing of services. It requires that any external provider that accesses, processes or manages information in the context of a relevant function be governed: identified, audited, contracted and supervised.

Why translation services fall within the DORA perimeter

The question that many compliance officers are asking themselves, belatedly, is this: what happens when sensitive information from a financial client is sent to a language provider?

Under DORA, the answer is uncomfortable if that provider does not operate under the appropriate conditions.

When a firm like Uría Menéndez, a bank or an insurance company commissions the translation of a financing agreement, a regulatory report or a due diligence report, it is transferring highly sensitive information to a third party.


If that third party pastes the text into public machine translation platforms (ChatGPT, the standard consumer tier of DeepL, Google Translate), the content may be retained, indexed or incorporated into the training of external models, depending on the platform's terms. No data processing agreement. No traceability. No control.

That's not just a privacy issue: Under DORA, it is an ungoverned third-party ICT risk.

The specific risks that the DORA regulation puts on the table

The DORA regulation identifies third-party risk management as one of its five fundamental pillars. For translation providers, the most frequent points of failure are the following.

Use of uncontrolled tools. Most traditional language providers use machine translation tools in their workflows without the client knowing which tools they are, under what terms they operate, or what happens to the processed data. Public platforms used without an enterprise agreement lack the contractual guarantees (confidentiality, data location, audit rights, termination) that DORA requires of ICT service providers.

Lack of traceability. DORA requires financial entities to be able to demonstrate who accessed what information, when and under what conditions. A translation provider without auditable records of access, processing and delivery cannot support that requirement, and the gap becomes the client's problem the moment a regulator or an incident investigation asks for the evidence.

Opacity in the sub-supplier chain. Article 28 of the DORA regulation requires financial entities to maintain a register of information covering all contractual arrangements with ICT third-party providers, and the third-party risk provisions extend to the subcontracting chain behind those providers. If the translation provider subcontracts to freelance linguists who work in their own environments with their own tools, that chain is invisible, and therefore unauditable.

Lack of operational resilience. What happens if the language provider fails in the middle of a critical regulatory process? Without defined SLAs, continuity plans and redundant infrastructure, the operational risk falls on the contracting entity, which remains responsible for the function it outsourced.

The new standard: the role of translation in digital risk

The DORA regulation requires financial institutions and their advisors to rethink how they evaluate their language providers. The relevant questions are no longer just "Do they translate well?" or "How much do they charge per word?". They are:


Is this provider included in our register of information on arrangements with third-party ICT providers? Can it be audited? Is its subcontracting chain identified and contractually documented? What technologies does it use and under what conditions? Does it have a business continuity plan?

For many entities, the honest answer today is that they do not know. And that, under the DORA regulation, is a compliance gap.

How ATLS responds to the DORA regulatory framework

ATLS has built its service model precisely with these questions in mind. For ATLS, integrating language services within a technological governance framework is not a reactive response to the DORA regulation: it is the direction in which it has been evolving for years as a specialized provider in legal and financial environments.

In practice, that means closed and controlled translation environments, with no exposure to public platforms, and enterprise-grade machine translation technology, with the option of dedicated engines or deployment in the European cloud.

It also means complete traceability of each project: who intervened, at what stage, with what tool, and when. A supply chain that is identified and contractually aligned with the same confidentiality and security standards the client requires internally. Defined, monitored and auditable SLAs with reporting.

And above all, what no purely technological solution can guarantee: human review specialized in legal and financial content, with validated glossaries and translation memories that ensure terminological consistency over time and across related documents.

DORA as a competitive advantage for first-mover entities

The DORA regulation is not just a compliance burden. For entities and firms that address it proactively, it is an opportunity for differentiation: demonstrating to financial clients and regulators that every link in their service chain, including language providers, is governed by the same criteria that apply to their critical technology providers.

The difference between a conventional translation provider and one aligned with the DORA regulation does not lie in the quality of the output. It lies in the infrastructure, the processes, the traceability, and the ability to be accountable when someone demands it.


Turn your translation partner into a compliance asset

If your company is already working on adapting to the DORA regulation, there is one key question you cannot leave unanswered: are your language providers within your ICT risk perimeter, or outside your control?

At ATLS we help law firms and financial institutions integrate translation into their governance framework, with traceability, technological control and real compliance.

Frequently Asked Questions about DORA Regulations

What is the DORA regulation and what is its objective?

The DORA regulation (Digital Operational Resilience Act) is the European regulation that establishes a common framework to guarantee digital operational resilience in the financial sector. Its objective is to enable financial entities and their ICT providers to withstand, respond to and recover from technological incidents or cyberattacks without affecting the continuity of service.

To whom does the DORA regulation apply?

The DORA regulation applies to banks, insurance companies, fund managers, investment firms and other players in the financial sector, but also to their ICT service providers. This includes any third party that processes data or participates in critical functions, which significantly expands the scope of compliance.

What does the DORA regulation require of companies?

The DORA regulation establishes five main blocks of obligations:
ICT risk management
Incident notification
Operational resilience tests
Third-party risk management
Information sharing on cyber threats
In practice, it forces companies to document, audit and control their entire digital infrastructure and supply chain.

Why are external providers key in the DORA regulations?

One of the pillars of the DORA regulation is ICT third-party risk management, since many incidents originate with external providers. The regulation requires identifying, monitoring and contracting all providers involved in critical or important functions, including their subcontracting chain.

Since when has the DORA regulation applied, and what does compliance entail?

The DORA regulation has applied since 17 January 2025 and, being a European regulation, is directly applicable in all Member States without national transposition. Compliance means that organizations must demonstrate, with auditable evidence, that they properly manage digital risks and that their providers meet the same standards.
