# DORA Reporting in Spain: Banco de España, CNMV and DGSFP Guide

Source: https://www.cyadviso.com/dora-spain-bde-cnmv-dgsfp
Last reviewed: 2026-05-01
Country: Spain (ES)
Tags: DORA, Spain

Spain DORA supervision across Banco de España, CNMV and DGSFP: scope by entity type, ICT incident routes, cyber-threat notifications and evidence checklist.

---

## Short answer

In Spain, DORA authority routing depends on the authorisation: Banco de España supervises banking and payment-sector entities, CNMV supervises securities-market entities and relevant CASP / investment activity, and DGSFP supervises insurance and pension-sector entities.

## Competent authorities

- **Banco de España** (Banco de España) — https://www.bde.es/wbe/en/
- **Comisión Nacional del Mercado de Valores (CNMV)** (CNMV) — https://www.cnmv.es/portal/home.aspx?lang=en
- **Dirección General de Seguros y Fondos de Pensiones (DGSFP)** (DGSFP) — https://dgsfp.mineco.gob.es/

## Entities in scope

- Credit institutions (banks)
- Payment institutions and electronic money institutions (PIs / EMIs)
- Investment firms
- Crypto-asset service providers (CASPs) authorised under MiCA
- Insurance and reinsurance undertakings, where supervised in this jurisdiction
- Other financial entities listed in DORA Article 2

## Jurisdictional nuances

- Banco de España announced dedicated DORA procedures for major incident and significant cyber-threat notifications for entities it supervises.
- CNMV published a DORA cybersecurity page and a procedure for reporting major ICT-related incidents and voluntary significant cyber threats to CNMV.
- Spain has a multi-authority model; group structures with payment, investment and insurance permissions need an entity-by-entity reporting map.
- Do not assume the CNMV temporary email procedure applies to Banco de España-supervised entities, or vice versa.

## Primary sources

- Banco de España Electronic Office — DORA major-incident and cyber-threat notification procedure — https://sedeelectronica.bde.es/sede/es/tramites/notificacion-incidentes-graves-ciberamenazas-importantes-p314.html
- CNMV — Cybersecurity and DORA information — https://www.cnmv.es/portal/ciberseguridad?lang=en
- CNMV — Procedure for reporting major ICT-related incidents — https://www.cnmv.es/DocPortal/Ciberseguridad/Comunicacion_incidentes_en.pdf
- Regulation (EU) 2022/2554 — DORA, EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554
- European Banking Authority — Digital Operational Resilience Act (DORA) — https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act

---

Canonical HTML: https://www.cyadviso.com/dora-spain-bde-cnmv-dgsfp
Authored by Andrey Gubarev — CISO for EU fintechs (CISM, CDPSE, SABSA).
CyAdviso · DORA / ICT risk / vCISO programmes for EU-licensed fintechs.