
The DORA regulation: How to comply with European regulations and avoid risks in your legal translations

written by Anabel Ruiz
Reading time: 8 minutes

The DORA regulation, officially Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, came into force on 17 January 2025 with a clear mandate: financial institutions and all their relevant technology providers must be able to demonstrate that they operate under auditable security, traceability and control standards.

What many law firms and financial institutions have not yet realised is that this scope includes their translation providers.

What the DORA regulation is and who it affects

DORA is the European regulation which harmonises digital operational resilience requirements for the financial sector.

It applies to banks, insurers, fund managers, investment firms, trading platforms and, crucially, to all ICT service providers that support them, ranging from large cloud infrastructures to more specialised providers which until now nobody had ever considered part of the technological risk landscape.


The DORA regulation does not ban service outsourcing. What it does say is that any external provider which accesses, processes or manages information as part of a critical function must be subject to governance: identified, audited, bound by contract and supervised.

Why translation services fall within the scope of DORA

The question many compliance officers are now asking themselves, albeit belatedly, is this: what happens when sensitive information about a financial client is sent to a language service provider?

Under the DORA framework, the answer is troubling if that provider doesn't operate under the appropriate conditions.

When a law firm like Uría Menéndez, a bank or an insurer commissions a translation of a financing agreement, a regulatory report or a due diligence document, it transfers highly sensitive information to a third party.


If that third party uses public machine translation platforms, for instance ChatGPT, the standard version of DeepL or Google Translate, the content may be retained, indexed or used to train external models. Without a processing agreement. Without traceability. Without control.

This isn't merely a privacy issue: under DORA, it's an ungoverned third-party IT risk.

The specific risks picked out by the DORA regulation

The DORA regulation identifies third-party risk management as one of its five cornerstones. For translation providers, the most frequent points of failure are the following.

Using uncontrolled tools. Most conventional language service providers use machine translation tools in their workflows without the client knowing what they are, under what conditions they operate, or what happens to the processed data. Public platforms without an enterprise version don't have the contractual guarantees DORA requires of ICT service providers.

Poor traceability. DORA stipulates that financial institutions must be able to demonstrate who accessed what information, when, and under what conditions. A translation provider without auditable records of access, processing and delivery cannot meet this prerequisite.

Lack of transparency in the subcontractor chain. Article 28 of the DORA regulation specifies that ICT supply chain dependencies have to be mapped. If the translation provider subcontracts to freelance linguists who work in their own environments with their own tools, that chain is invisible and therefore cannot be audited.

No operational resilience. What happens if the language provider fails mid-way through a critical regulatory process? Without defined SLAs, without continuity plans and without redundant infrastructure, the operational risk is borne by the contracting entity.

The new standard: The role of translation in digital risk

The DORA regulation requires financial institutions and their advisers to rethink how they assess their language providers. The key questions are no longer just "Do they do a good translation job?" or "How much do they charge per word?" Now they are also:


Is this provider included in our register of agreements with ICT third parties? Can they be audited? Is their subcontracting chain identified and covered by contracts? What technologies do they use and under what conditions? Do they have a business continuity plan?

For many institutions, the honest answer today is that they just don't know. And under the DORA regulation, that constitutes a compliance gap.

How ATLS addresses the DORA regulatory framework

ATLS has built its service model with precisely these questions in mind. For ATLS, embedding language services into a technology governance framework is not a reactive response to the DORA regulation: rather, it's what we've been shifting towards for years as a specialist legal and financial sector provider.

In practice, this means:
closed, controlled translation environments with no exposure to public platforms;
enterprise-grade machine translation technology with the option of dedicated engines or deployment in a European cloud;
complete traceability of each project: who was involved, at what stage, using which tool, and when;
a supply chain which is identified and contractually aligned with the same standards of confidentiality and security the client requires in-house;
defined SLAs, monitored and with auditable reporting capabilities.

And most importantly, what no purely technological solution can deliver: human review specialising in legal and financial content backed by validated glossaries and translation memories which ensure terminological consistency over time and across related documents.

DORA as a competitive advantage for first-mover organisations

The DORA regulation is not just a compliance burden. For institutions and firms which approach it proactively, it's an opportunity to stand out: to show financial clients and regulators that every link in their service chain, including language service providers, is governed by the same standards they apply to their critical technology providers.

The difference between a conventional translation provider and one compliant with the DORA regulation lies not in the quality of the output. Instead, it's in infrastructure, processes, traceability and the ability to be accountable when required.


Turn your translation partner into a compliance asset

If your company is already gearing up to comply with the DORA regulation, there's one crucial question you still need to answer: are your language providers inside the scope of your ICT risk management… or beyond your control?

At ATLS we help law firms and financial institutions hardwire translation into their governance framework with traceability, technological control and real compliance.

FAQs about the DORA regulation

What is the DORA regulation and what is its purpose?

The DORA (Digital Operational Resilience Act) regulation is the European legislation setting out a common framework to secure digital operational resilience in the financial sector. Its purpose is to ensure that financial institutions and ICT providers can withstand, respond to and recover from technological incidents or cyber-attacks without disrupting service continuity.

Who does the DORA regulation apply to?

The DORA regulation applies to banks, insurers, fund managers, investment firms and other financial sector players along with their ICT service providers. This includes any third party which processes data or is involved in critical functions, thus significantly broadening the scope of compliance.

What are the DORA regulation's requirements for businesses?

The DORA regulation sets out five main areas of responsibility:
ICT risk management
Incident reporting
Operational resilience testing
Third-party risk management
Sharing information on cyber threats
In practice, it means businesses have to document, audit and monitor their entire digital infrastructure and supply chain.

Why are third-party providers crucial in the DORA regulation?

One of the cornerstones of the DORA regulation is managing third-party ICT risk as many incidents stem from outsourced providers. The regulation thus stipulates that all providers involved in critical services, including their subcontracting chain, must be identified, monitored and bound by contract.

When does the DORA regulation come into force and what does complying with it entail?

The DORA regulation has been effective since 17 January 2025, and as a European regulation is directly applicable in all Member States. Compliance requires organisations to furnish auditable evidence that they manage digital risks effectively and work with providers who meet the same standards.
