Digital Regulation

New legislation advances the digitalisation and modernisation of Spain's financial laws

Published on 29th Jan 2025

How will the proposed new legal framework in Spain to adapt to DORA, MiCA and other EU laws affect companies?


The Spanish government has published a set of legislative initiatives that intend to provide an up-to-date legal framework for the financial sector. The initiatives include the Draft Law for the Digitalisation and Modernisation of the Financial Sector, the Draft Royal Decree on Digitalisation and Modernisation of the Financial Sector, and the Draft Royal Decree on Distributed Ledger Technologies.

The legislative initiatives are meant to introduce measures that align Spanish financial laws with recent core pieces of EU legislation in the financial sector, such as the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA).

Cryptoasset regulation changes

The legislative initiatives build on previous regulatory efforts to regulate cryptoassets in Spain and align with MiCA to establish a comprehensive legal framework for this rapidly evolving sector.

Transition from the Bank of Spain to the CNMV

Under the previous framework, cryptoasset service providers (CASPs) operating in Spain were required to register with the Bank of Spain in accordance with Spanish anti-money laundering (AML) laws. However, this registry was not intended to constitute an actual administrative authorisation to operate, but rather served as a transitory mechanism to address one of the key risks associated with cryptoassets: money laundering.

As MiCA became fully applicable, the National Commission on Securities Markets (Comisión Nacional del Mercado de Valores (CNMV)) has been appointed as the competent authority to supervise CASPs comprehensively. In any event, CASPs operating with cryptoassets which require a banking license – for example, e-money tokens – would still be supervised by the Bank of Spain.

AML laws amended

The Bank of Spain’s registry will no longer be required for operational purposes under the new framework. CASPs authorised by the CNMV will now automatically qualify as obliged entities and be subject to the AML laws.

CASPs must adopt stricter know your customer (KYC) protocols, including identity verification for all customers, regardless of transaction size, and seek to obtain information on the origin and destination of the cryptoassets transferred. Transactions involving high-risk jurisdictions, politically exposed persons or anonymous accounts would require additional scrutiny in accordance with the legislative initiatives.

Implications for registered providers

There is a transitional period for existing providers that registered with the Bank of Spain as of 30 December 2024. They will be allowed to continue offering the same services without CNMV authorisation until 30 December 2025, or until their application for authorisation under the new framework is denied, whichever comes first.

The Bank of Spain’s registry will remain as a supplementary resource to assist the CNMV in verifying compliance with AML and honorability requirements. This is relevant for CASPs already registered with the Bank of Spain, as they may benefit from a slightly less burdensome authorisation process with the CNMV compared to new applicants.

Regulatory 'sandbox'

Since its first implementation in Spain back in 2020, the financial regulatory "sandbox" has had a positive reception, as it provides a controlled environment in which businesses can test cutting-edge financial products and services under the supervision of the Spanish regulatory authorities.

The legislative initiatives introduce important updates to the sandbox model, building on its initial success to make the process more effective, available, transparent and beneficial for participants.

Broader and enhanced scope

The sandbox now has a broader scope for participants. It explicitly includes cryptoasset projects, blockchain-based solutions, and decentralised finance (DeFi) initiatives. Non-traditional financial service providers, such as fintech startups and technology firms developing financial applications, can participate more easily, broadening the range of innovation that may benefit from the sandbox and increasing collaboration between traditional financial institutions and fintech companies.

It also has a streamlined authorisation process, with a simplified entry process for applicants to reduce administrative burdens and provide clearer guidelines for participation. While participants currently need to wait for official calls to engage in the sandbox, the legislative initiatives would permit the submission of sandbox projects at any time (except for non-working periods).

An enhanced regulatory feedback process means that participants will receive tailored guidance from regulators, ensuring compliance with applicable laws while allowing for iterative improvements during the testing phase.

The new framework has also extended testing periods. This allows for phase-based extensions to accommodate more complex projects, such as those involving artificial intelligence (AI) or sophisticated blockchain applications.

Participants will also receive additional post-sandbox support from regulators after completing the sandbox to help them transition to full-scale operations.

Enhancing digital operational resilience

The integration of DORA into Spanish law aims to establish a harmonised framework for operational resilience across the financial sector, mandating robust measures to ensure that institutions can withstand, recover from, and adapt to information and communications technology (ICT)-related disruptions, including cyberattacks. 

Implications for financial entities

Financial entities must implement comprehensive ICT risk management frameworks tailored to their operations and policies to ensure operational continuity and resilience, which must be reviewed regularly and updated to address emerging risks.

In terms of incident reporting and management, financial entities are required to report significant ICT-related incidents to their supervisory authority within a strict timeframe.

Regular stress testing must also be undertaken by financial entities. They must conduct periodic resilience stress tests to assess their ability to withstand ICT disruptions. Larger or critical institutions may face additional stress testing requirements imposed by regulators.

ICT third-party risk management also needs to be carried out. Financial entities must carefully monitor and manage risks posed by third-party ICT providers, such as cloud service providers. Contracts with third-party vendors must include provisions for monitoring, incident response, and ensuring compliance with DORA. Regulators will have the authority to oversee critical third-party providers to ensure systemic risks are minimised.

ICT continuity and recovery plans also need to be put in place. Entities must develop detailed ICT continuity plans to ensure that critical operations can continue during disruptions. These plans must include strategies for recovery, periodic testing, and clear responsibilities for managing incidents.

DORA also has governance and accountability implications. It introduces stricter governance requirements, ensuring that senior management and boards of directors are accountable for ICT resilience. Financial entities must appoint specific personnel or departments to oversee compliance with DORA requirements.

Implications for third-party ICT providers

DORA places significant obligations on third-party providers, such as cloud service companies, which are critical to financial institutions’ operations.

Increased oversight is required from providers, who must meet stricter standards and be prepared for regulatory audits.

Compliant ICT providers will become the only viable partners for financial institutions, opening even bigger opportunities for growth in the sector.

Osborne Clarke Comment

The Spanish government’s legislative initiatives modernise the financial legal framework to align with EU regulations such as MiCA and DORA and, in so doing, enhance trust in the financial sector and support innovation. 


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
