Cybersecurity is one of the challenges that the financial sector must face and incorporate into its business model from the moment of its design, it must be adequately reflected in the strategy and procedures of financial institutions, and technological risk management must be considered within the institutions' risk map and managed appropriately.

More information can be requested regarding all that related to this section of the website of the CNMV on email

Legislation, guides and other information of interest 

Digital Operational Resilience Act - DORA

Regulation (EU) 2022/2554 (DORA -  Digital Operational Resilience Act) was published on 27 December 2022 and enters into force on 17 January 2025. DORA is applied to financial institutions offering services in the European Union.

Given the great dependency of the financial sector on technology to perform its critical business functions and its increasing dependence on third-party technological services, the aim of DORA is to strengthen the resilience of the sector with regard to threats to its ICT assets. This Regulation harmonises the most relevant operational resilience requirements at European level for the entities to be capable, under the principle of proportionality, of detecting, responding to and recovering from possible incidents that affect their critical or relevant business functions.

DORA is based on five pillars: 

  • ICT risk management
  • ICT-related incident management, classification and notification
  • Digital operational resilience testing
  • Third-party ICT risk management
  • Information sharing

Relevant documents and consultations:

Level 2 and 3 Regulatory Developments by ESAs Public consultation Date expected for the publication of the final document
First batch of mandates (Articles 15, 16(3), 18(3), 28(9) and 28(10) of DORA) 26/05/2023 17/01/2024
Second batch of mandates (Articles 11(11), 20a, 20b, 26(11), 30(5), 32(7) and 41 of DORA) 08/12/2023 17/07/2024

TIBER-ES framework

TIBER-EU constitutes the first common European-scale framework for the execution of red teaming testing, recording the manner in which the authorities, the entities and the cybersecurity service providers are to work jointly to achieve the objective of these tests. These tests aim to foresee, as far as possible, the impact an entity would suffer in the case of confronting a real cyber attack. For this, a cyber attack is simulated in this type of advanced test, employing tactics, techniques and procedures such as those a sophisticated cyber attacker would use. Therefore, they constitute an extremely powerful instrument to improve the cyber resilience of financial institutions.

TIBER-ES subscribes to principles of TIBER-EU and has the aim of strengthening the cyber resilience of the Spanish financial sector, guaranteeing the acknowledgement of the authorities in other jurisdictions that have also adopted this framework locally. The CNMV will monitor the tests, via the TCT (TIBER Cyber Team), whenever the financial institutions carrying them out are within its supervisory scope. TIBER-EU, European framework for the execution of red teaming testing.

Public statements and events