
DORA Reporting in Spain: Banco de España, CNMV and DGSFP Guide

Spain DORA supervision across Banco de España, CNMV and DGSFP: scope by entity type, ICT incident routes, cyber-threat notifications and evidence checklist.

Short answer

In Spain, DORA authority routing depends on the authorisation: Banco de España supervises banking and payment-sector entities, CNMV supervises securities-market entities and relevant CASP / investment activity, and DGSFP supervises insurance and pension-sector entities.

Who is the relevant competent authority?

The relevant competent authority depends on the authorisation and entity type. For Spain, the relevant authorities are Banco de España for banking and payment-sector entities, CNMV for securities-market entities and CASPs under its remit, and DGSFP for insurance and pension-sector entities.

Which financial entities are typically in scope

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions (PIs / EMIs)
  • Investment firms
  • Crypto-asset service providers (CASPs) authorised under MiCA
  • Insurance and reinsurance undertakings, where supervised in this jurisdiction
  • Other financial entities listed in DORA Article 2

Authority and evidence map

Entity type | Likely authority | DORA artefact | Where to verify
Banks / credit institutions | Banco de España | ICT risk framework, incidents, BCDR, third-party register | Authority site
Payment institutions / EMIs | Banco de España | Incident workflow, Register of Information, supplier evidence | Authority site
Investment firms / CASPs / insurers | Depends on authorisation and entity type | Entity-specific resilience and supervisory evidence pack | Check the competent authority listed below before filing

DORA incident reporting

DORA Article 19 establishes the duty to report major ICT-related incidents. The reporting timeline and templates are set through the related EU technical standards; once an incident is classified as major, the operating cadence is:

  • Initial notification — within 4 hours after classification, and no later than 24 hours after the entity becomes aware of or detects the incident.
  • Intermediate report — within 72 hours of the initial notification.
  • Final report — within one month of the initial notification, including root-cause analysis and remediation.
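The three deadlines above interact: the 24-hour clock runs from detection or awareness, so it caps a late classification decision, and the intermediate and final reports are measured from the initial notification rather than from the incident. The following is an added example (not code from the page or from CyAdviso) that derives the cadence from two timestamps and flags when the awareness cap is the binding constraint. It assumes timezone-aware inputs and treats "one month" as one calendar month with the day clamped to the target month's length; that reading of "one month" is an assumption of the example, not something the page defines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import calendar


def add_one_month(moment: datetime) -> datetime:
    """Add one calendar month, clamping the day (31 Jan -> 28/29 Feb).

    Assumption of this example: 'within one month' means one calendar month.
    """
    year = moment.year + (moment.month // 12)
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime
    initial_capped_by_awareness: bool  # True when the 24h awareness clock binds


def compute_deadlines(aware_at: datetime, classified_at: datetime,
                      initial_sent_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the Article 19 cadence for an incident classified as major.

    Initial notification: the earlier of (classification + 4h) and
    (awareness + 24h). Intermediate (72h) and final (one month) reports are
    measured from the initial notification; until it has actually been sent,
    the initial deadline is used as the planning anchor.
    """
    if aware_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps for a defensible decision trail")
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    by_classification = classified_at + timedelta(hours=4)
    by_awareness = aware_at + timedelta(hours=24)
    initial = min(by_classification, by_awareness)
    anchor = initial_sent_at if initial_sent_at is not None else initial
    return ReportingDeadlines(
        initial=initial,
        intermediate=anchor + timedelta(hours=72),
        final=add_one_month(anchor),
        initial_capped_by_awareness=by_awareness < by_classification,
    )


def deadlines_as_iso(aware_iso: str, classified_iso: str) -> dict:
    """Wrapper for ISO 8601 inputs; returns ISO strings suitable for the incident log."""
    d = compute_deadlines(datetime.fromisoformat(aware_iso),
                          datetime.fromisoformat(classified_iso))
    return {
        "initial": d.initial.isoformat(),
        "intermediate": d.intermediate.isoformat(),
        "final": d.final.isoformat(),
        "initial_capped_by_awareness": d.initial_capped_by_awareness,
    }


if __name__ == "__main__":
    # Constructed sample: detected on 30 Jan, classified as major 22 hours later,
    # so the 24-hour awareness clock, not the 4-hour classification clock, binds.
    for key, value in deadlines_as_iso("2025-01-30T08:00:00+00:00",
                                       "2025-01-31T06:00:00+00:00").items():
        print(f"{key}: {value}")
```

The `initial_capped_by_awareness` flag is worth recording in the classification log: it is the evidence that a slow classification decision did not push the initial notification past the 24-hour bound, and it is exactly the kind of timestamped decision trail the checklist later on this page asks for.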

The cadence is set in EU law, but the local submission channel is set by the competent authority. Banco de España publishes DORA incident and cyber-threat procedures through its electronic office; CNMV has published a temporary procedure using DORA templates and its cybersecurity mailbox while Virtual Office collection is implemented.

Where to verify before filing

Before submitting a notification, Register of Information or supervisory response, verify the current local channel, form and language expectation on the competent authority website. For Spain, start with Banco de España, CNMV and DGSFP.

Register of Information

DORA Article 28 requires every financial entity to maintain a Register of Information of all contractual arrangements with ICT third-party service providers, with extended content for arrangements supporting critical or important functions. Submission frequency, format and the exact local instructions are set by the competent authority. Local reporting channels, templates and submission instructions should be verified on the competent authority website before filing.

ICT third-party risk and outsourcing evidence

The Articles 28 to 30 requirements (register, contractual provisions, exit strategies, concentration analysis) sit on top of the existing outsourcing evidence stack; Spanish entities can typically reuse much of their EBA Guidelines on outsourcing arrangements work as the operating baseline. Critical-or-important-function arrangements need the full Article 30 contractual provisions and the structured register entry.

Jurisdictional nuances

  • Banco de España announced dedicated DORA procedures for major incident and significant cyber-threat notifications for entities it supervises.
  • CNMV published a DORA cybersecurity page and a procedure for reporting major ICT-related incidents and voluntary significant cyber threats to CNMV.
  • Spain has a multi-authority model; group structures with payment, investment and insurance permissions need an entity-by-entity reporting map.
  • Do not assume the CNMV temporary email procedure applies to Banco de España-supervised entities, or vice versa.

What not to assume

  • Do not assume the same filing channel applies across all EU Member States.
  • Do not assume a group-level notification replaces entity-level obligations.
  • Do not assume an outsourcing register is equivalent to the DORA Register of Information.
  • Do not assume TLPT applies automatically; Article 26 scope is competent-authority-led.

Evidence checklist for fintech SMBs

What a Spain-supervised fintech SMB should keep current and inspection-ready:

  • ICT risk management framework approved by the management body, with a current review date.
  • Incident classification log with mapping to DORA Article 18 criteria and a timestamped decision trail.
  • Register of Information for ICT third-party arrangements (Article 28), with extended content for critical-or-important functions.
  • ICT third-party dependency map (provider → service → critical-or-important function).
  • Business continuity and DR test evidence — last test date, scope, RTO / RPO, after-action remediation.
  • Board / management-body reporting pack on ICT risk, incidents, third-party concentration and remediation.
  • Supplier contract clauses meeting Article 30 (audit rights, security standards, incident support, exit support).
  • Remediation tracker with owner, due date and supervisory commitment status.

How CyAdviso helps

CyAdviso runs DORA programmes for EU-licensed fintechs (EMIs, payment institutions, CASPs, investment firms) supervised by Banco de España and other EU competent authorities. The output of a 90-day programme is a defensible evidence pack that the Banco de España reviewer can read end to end — ICT risk framework, incident playbooks, Register of Information, third-party controls, BCDR test artefacts and a board-reporting cadence. Free DORA self-assessment or book a 15-minute call.

FAQ

Who is the DORA competent authority in Spain?

In Spain, DORA authority routing depends on the authorisation: Banco de España supervises banking and payment-sector entities, CNMV supervises securities-market entities and relevant CASP / investment activity, and DGSFP supervises insurance and pension-sector entities.

Which financial entities are typically in DORA scope in Spain?

Credit institutions (banks); Payment institutions and electronic money institutions (PIs / EMIs); Investment firms; Crypto-asset service providers (CASPs) authorised under MiCA; Insurance and reinsurance undertakings, where supervised in this jurisdiction; Other financial entities listed in DORA Article 2

Where should Spain entities verify local DORA reporting channels?

Banco de España publishes DORA incident and cyber-threat procedures through its electronic office; CNMV has published a temporary procedure using DORA templates and its cybersecurity mailbox while Virtual Office collection is implemented.

What is the DORA major ICT incident reporting timeline?

Once an incident is classified as major, the initial notification is due within 4 hours after classification and no later than 24 hours after detection or awareness; the intermediate report is due within 72 hours of the initial notification; the final report is due within one month of the initial notification.

What evidence should a Spain-supervised fintech keep ready?

Keep the ICT risk framework, incident classification log, Register of Information, ICT third-party dependency map, BCDR test evidence, board reporting pack, Article 30 supplier contract clauses and remediation tracker current and inspection-ready.

Does DORA reporting in Spain always go through Banco de España?

No. The relevant competent authority depends on the authorisation and entity type. For Spain, the relevant authorities are Banco de España, CNMV and DGSFP.

Primary sources