
Fintech Legislation in Spain: Sandbox, MiCA and DORA in One Map

abemon | 5 min read | Written by practitioners

The regulatory map that was missing

Fintech regulation in Spain has moved more in the past 18 months than in the prior decade. Three legislative pieces converge at once: the reformed regulatory sandbox, MiCA (Markets in Crypto-Assets), fully applicable since 30 December 2024, and DORA (Digital Operational Resilience Act), applicable since 17 January 2025. For a fintech operating in Spain, or any EU company looking at the Spanish market, understanding how these three fit together is not optional.

What follows is a practical map. Not exhaustive legal analysis (get a lawyer for that), but the engineering and compliance perspective a CTO or product team needs for planning.

Spain’s regulatory sandbox

Spain’s Law 7/2020 (of 13 November, on the digital transformation of the financial sector) created one of Europe’s first regulatory sandboxes. Its purpose: let innovative companies test financial products in a controlled environment, supervised by the sectoral regulators (CNMV, Bank of Spain and the DGSFP, the insurance and pension fund supervisor) but without requiring a full license.

Since launch, the sandbox has processed four rounds. The numbers are modest: roughly 70 projects admitted in total, of which about 18 have completed testing satisfactorily. Not spectacular volume, but companies that go through the sandbox gain something valuable: direct dialogue with the regulator and a (theoretically) accelerated path to licensing.

The 2024 reforms introduced relevant changes:

  • Extended timelines: The testing phase can extend to 24 months (previously 12).
  • MiCA transitional regime: Companies operating with crypto-assets before MiCA’s enforcement can use the sandbox as a bridge toward full authorization.
  • European interoperability: Mechanisms for Spanish sandbox results to be recognized by regulators in other member states.

Should you consider the sandbox? It works best for genuinely innovative products where the existing regulatory framework doesn’t fit. If your product clearly falls into a regulated category (payments, lending, investment), the direct licensing route is more efficient.

MiCA: crypto-asset regulation arrives

MiCA (EU Regulation 2023/1114) is the first comprehensive regulatory framework for crypto-assets in the European Union. It came into partial effect on 30 June 2024 (Titles III and IV, covering asset-referenced and e-money tokens, i.e. stablecoins) and fully on 30 December 2024. Since then, any company issuing, offering, or providing services related to crypto-assets in the EU operates under MiCA.

What MiCA covers

MiCA establishes requirements for three main categories:

Asset-referenced token issuers (ART): Tokens that keep a stable value by referencing one or several assets (official currencies, commodities, other crypto-assets, or a basket of them). They require national regulator authorization, a detailed white paper, own-funds requirements, and a reserve of assets held in custody by independent third parties.

E-money token issuers (EMT): Tokens pegged to a single official currency. The issuer must be authorized as a credit institution or an electronic money institution. Significant EMT issuers (among other criteria, over 10 million holders or a reserve above EUR 5 billion) fall under direct EBA supervision.

Crypto-asset service providers (CASP): Exchanges, custodians, advisors, platform operators. They need authorization from the national competent authority. Requirements include minimum capital (EUR 50,000, 125,000 or 150,000 depending on the class of services), corporate governance, risk management systems, and client protection.

What changes in practice

For companies already operating in Spain under the Bank of Spain’s registry (the former virtual currency exchange and custody service provider registry), MiCA means a substantial transition. The transitional regime allows operating until July 2026 under previous conditions, but full MiCA authorization must be requested before that date. One caveat: the length of the transitional period is set nationally and MiCA lets member states shorten it, so confirm the current end date with the CNMV rather than planning against the maximum.

Technical MiCA requirements that directly affect engineering teams:

  • Client asset segregation: Client crypto-assets must be segregated from the operator’s, with verifiable technical mechanisms.
  • Cybersecurity: MiCA explicitly references DORA for digital resilience requirements.
  • Transparency: Published white papers, real-time pricing information, fully traceable transaction records.
  • Market abuse prevention: Insider trading and market manipulation detection systems applied to crypto-assets.

Critical deadlines

Milestone                                    Date
MiCA fully applicable                        December 2024
End of transitional regime (BdE registry)    July 2026
EBA/ESMA technical standards                 Progressive publication during 2025

DORA: digital operational resilience

DORA (EU Regulation 2022/2554) establishes uniform digital operational resilience requirements for financial entities and their critical ICT providers. Applicable since January 17, 2025.

Unlike MiCA, DORA is not fintech-specific. It affects banks, insurers, fund managers, payment institutions, and also the critical ICT providers serving them. If your company provides cloud infrastructure, payment processing, or data services to a financial entity, DORA affects you.

DORA’s five pillars

1. ICT risk management: A comprehensive technology risk framework approved by the management body. Covers identification, protection, detection, response, and recovery. Sounds similar to ISO 27001, and it largely is. The difference: DORA makes it legally mandatory and specifies more granular requirements.

2. Incident reporting: ICT incident classification against defined criteria (duration, scope, data impact, service criticality) and regulator notification. Three phases for major incidents: initial notification (within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it), intermediate report (72 hours after the initial notification), and final report (one month after the intermediate report). The 4-hour clock starts at classification, not at detection, which is why the classification step itself must be fast and owned.

3. Resilience testing: Periodic ICT system testing including vulnerability analysis, penetration testing, and for significant entities, TLPT (Threat-Led Penetration Testing) every three years. TLPTs are advanced tests based on real threat intelligence, similar to TIBER-EU exercises.

4. Third-party ICT risk management: Requirements for managing technology providers, including mandatory contractual clauses, audit rights, exit strategies, concentration risk, and a register of information covering every ICT third-party arrangement. DORA introduces the concept of “critical ICT third-party provider”, designated by the European Supervisory Authorities and placed under the direct oversight of a Lead Overseer.

5. Information sharing: Voluntary mechanisms for sharing cyber threat intelligence among financial entities.

Implications for technology providers

If your company is an ICT provider to a financial entity, DORA imposes specific contractual requirements:

  • Clear description of services, service levels, and data processing locations.
  • Cooperation with regulators, including access and audit rights.
  • Exit plans enabling the financial entity to migrate without disruption.
  • Notification of incidents affecting provided services.

If designated as a “critical ICT provider” (typically large cloud providers like AWS, Azure, or GCP, but potentially also specialized providers with high concentration), you fall under direct European supervision.

How the three pieces fit together

This is where the map makes sense. For a typical fintech company:

If you offer crypto-asset services: MiCA is your primary regulation. DORA applies as a digital resilience complement (MiCA explicitly references it). The sandbox can be your bridge if transitioning from the old registry.

If you’re a technology provider to banking/insurance: DORA is your primary regulation. DORA’s contractual requirements determine what your clients will demand, whether you like it or not.

If you offer payment services: PSD2 (and the upcoming PSD3/PSR) remains your main framework, complemented by DORA for operational resilience.

If you operate across multiple verticals: You need a compliance management system covering the overlaps. The good news: DORA and MiCA share common ground with ISO 27001 and ENS in risk management, incident management, and continuity. The bad news: notification requirements and deadlines differ across each regulation.

Practical roadmap

For a product or engineering team at a fintech operating in Spain, immediate priorities:

  1. Classify your activity under MiCA if you handle crypto-assets. Determine whether you’re a CASP, ART/EMT issuer, or whether your activity falls outside scope. This determines everything else.
  2. Assess your DORA exposure: Either as a direct financial entity or as an ICT provider. DORA’s contractual requirements are already in force.
  3. Build the ICT risk management framework DORA demands. If you already have ISO 27001, most of the framework is in place; the usual gaps are management-body approval of the framework, a DORA-compatible incident classification, and the register of ICT third-party arrangements. If not, now is the time.
  4. Prepare incident notification capabilities. Four hours from classification for an initial report (and never more than 24 hours from awareness) is tight. You need classification criteria, procedures, templates, and designated owners before an incident occurs.
  5. Review ICT provider contracts. DORA requires specific clauses. If you’re the provider, prepare contractual annexes meeting the requirements. If you’re the client, demand them.
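
The three reporting clocks described under DORA’s second pillar, and step 4 of the roadmap above, are easier to operationalise with a small deadline tracker that the incident commander can run the moment an incident is classified. The following Python is an added example, not code from this article or from abemon. The `Incident` fields and the `Thresholds` values are illustrative assumptions (real classification criteria come from the DORA classification RTS and your own register of critical or important functions); the clocks follow the incident-reporting standards adopted under DORA Article 20: 4 hours from classification capped at 24 hours from awareness, 72 hours from the initial notification, one calendar month from the intermediate report.

```python
"""Added example: major ICT incident classification and DORA reporting deadlines.

Not code from the article. Thresholds below are illustrative assumptions; the
reporting clocks follow the incident-reporting RTS adopted under DORA Article 20.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting clocks for a major ICT-related incident.
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)   # initial notification: 4h after classifying as major...
INITIAL_FROM_AWARENESS_CAP = timedelta(hours=24)   # ...but never later than 24h after becoming aware
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)    # intermediate report: 72h after the initial notification
FINAL_MONTHS_FROM_INTERMEDIATE = 1                 # final report: one month after the intermediate report


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp; naive datetimes are rejected further down."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Incident:
    aware_at: datetime               # when the entity became aware of the incident
    classified_at: datetime          # when it was classified as major (starts the 4h clock)
    duration_hours: float            # service downtime so far
    clients_affected: int
    data_compromised: bool           # confidentiality or integrity impact on data
    critical_service_affected: bool  # hits a critical or important function


@dataclass(frozen=True)
class Thresholds:
    """Illustrative assumptions only; take real values from the classification RTS and your own CIF register."""
    max_duration_hours: float = 2.0
    max_clients: int = 1000


def is_major(inc: Incident, th: Thresholds = Thresholds()) -> bool:
    """Simplified classification: a critical service must be affected AND at least one impact criterion met."""
    impact = (
        inc.duration_hours > th.max_duration_hours
        or inc.clients_affected > th.max_clients
        or inc.data_compromised
    )
    return inc.critical_service_affected and impact


def _require_aware(dt: datetime, name: str) -> None:
    # A naive datetime silently shifts a 4-hour deadline across DST changes or offices in different zones.
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps to the last day of the target month (31 Jan + 1 month -> 28/29 Feb)."""
    index = dt.month - 1 + months
    year, month = dt.year + index // 12, index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(inc: Incident) -> dict:
    """Return the three regulator deadlines for an incident already classified as major."""
    _require_aware(inc.aware_at, "aware_at")
    _require_aware(inc.classified_at, "classified_at")
    if inc.classified_at < inc.aware_at:
        raise ValueError("classification cannot precede awareness")
    initial = min(inc.classified_at + INITIAL_FROM_CLASSIFICATION,
                  inc.aware_at + INITIAL_FROM_AWARENESS_CAP)
    intermediate = initial + INTERMEDIATE_FROM_INITIAL
    final = add_months(intermediate, FINAL_MONTHS_FROM_INTERMEDIATE)
    return {"initial": initial, "intermediate": intermediate, "final": final}


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left until a deadline; negative means overdue."""
    _require_aware(now, "now")
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: outage noticed at 08:00 UTC, classified as major at 10:30 UTC.
    inc = Incident(utc(2025, 3, 10, 8), utc(2025, 3, 10, 10, 30), 3.0, 50, False, True)
    if is_major(inc):
        now = utc(2025, 3, 10, 12)
        for phase, when in reporting_deadlines(inc).items():
            print(f"{phase:13} {when.isoformat()}  ({hours_remaining(when, now):.1f}h left)")
```

Two details matter more than the arithmetic. First, the initial notification is the earlier of the two clocks: if classification drags on for a day, the 24-hour cap from awareness, not the 4 hours from classification, is what binds, which is exactly the failure mode in an incident where triage stalls. Second, timestamps are refused unless timezone-aware; a deadline recorded in local time by an on-call engineer in one office and read by the compliance owner in another is a real way to miss a four-hour window.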

The fintech regulatory landscape in Spain is clearer now than two years ago. MiCA, DORA, and the reformed sandbox provide a defined framework. What is missing, as always, is execution. For a detailed analysis of MiCA’s impact, see our article on MiCA and the fintech sector.

About the author


abemon engineering

Engineering team

Multidisciplinary engineering, data and AI team headquartered in the Canary Islands. We build, deploy and operate custom software solutions for companies at any scale.