IE Law School and ECIJA present their report on the legal challenges of DORA and NIS2
The IE-ECIJA Digital Law Observatory at IE Law School analyzes the regulatory impact on operational resilience and cybersecurity.
On March 25, IE Law School hosted the presentation of the report "DORA and NIS2: Strengthening Operational Resilience and Cybersecurity in the Digital Age", produced by the IE-ECIJA Digital Law Observatory. The document analyzes the main challenges posed by the two most relevant current regulations for financial sector entities and digital technology service providers: the Digital Operational Resilience Act (DORA)—in force since January—and the Network and Information Security Directive (NIS2), which is currently being transposed into national law.
Both texts aim to enhance cybersecurity and operational resilience within the European Union, but they apply to different sectors and take distinct approaches in terms of requirements and obligations.
The report is the result of a focus group held with leading professionals from the technology and legal sectors, who shared their insights on how organizations are adapting to these new regulatory frameworks.
The event opened with welcome remarks from Macarena Plaza, Head of International Corporate Development and Legal Innovation at IE Law School, and Jesús Yáñez, Cybersecurity partner at ECIJA. This was followed by a panel discussion moderated by Pilar López-Aranguren, founder of Tone from the Top and professor at IE University, who emphasized "the need for in-house lawyers to develop new skills in an environment where security must be embedded in all processes."
Panelists included:
• Ricardo Calderero, Business Information Security Officer at Makro Spain.
• Elena Bernal, Legal Advisor for Innovation and Privacy at CaixaBank.
• Teresa Schüller, Data Protection Officer at Carrefour Spain.
According to the report, "one of the main obligations under both regulations is to conduct effective risk assessments that take third-party threats into account. This requires comprehensive supplier mapping. While this may be manageable for local companies, it becomes significantly more complex for multinational corporations with extended and sometimes opaque supply chains and subcontracting networks. Coordination with corporate headquarters may delay negotiations and complicate contract management."
The most reasonable approach, the report suggests, is to identify which suppliers are essential and which are not, in order to centralize and standardize contracts.
It is also critical to review the criteria used to define essentiality, as each organization may be subject to different regulatory bodies. While the new requirements are expected to be manageable when entering into new contracts with new suppliers, there is noticeable resistance to modifying existing agreements.
The report also highlights governance as a major challenge, particularly the allocation of roles across departments, associated responsibilities, and the need to design incident and risk reporting systems.
Regarding the rise in cyberattacks, the IE-ECIJA Digital Law Observatory stresses that the attack vector is increasingly external. "Among the proposed actions are initiatives related to supplier certification: supplier selection, enabling supplier self-certification, and automated diagnostics to identify and address deficiencies that must be resolved before certification can be granted," it explains.
The document concludes that for regulated entities, the implementation of these new frameworks has become a corporate-level priority. For non-regulated entities, the priority lies in adopting and implementing NIS2, which represents a significant shift in compliance culture—one that will require executive leadership to approve the necessary cybersecurity budgets.
Text adapted from a news article originally published in Expansión.
About the IE-ECIJA Digital Law Observatory
The IE-ECIJA Digital Law Observatory was established with the purpose of exploring and researching the diverse legal dimensions and implications of the digital economy. The Observatory aims to become a platform for legal and academic research and dissemination within this new legal framework.