Cybersecurity

Cybersecurity is one of the challenges that the financial sector must face and incorporate into its business model from the moment of its design, it must be adequately reflected in the strategy and procedures of financial institutions, and technological risk management must be considered within the institutions' risk map and managed appropriately.

Legislation, guides and other information of interest 

• Code of Good Governance for Cybersecurity (13.07.2023)
• Regulation on digital operational resilience for the financial sector (DORA, applicable from 17 January 2025). This regulation aims to reinforce and harmonise at European level the main requirements regarding cybersecurity for financial institutions and their ICT services.
• Guidelines on outsourcing to cloud service providers (10.05.2021). European Securities and Markets Authority (ESMA). These guidelines aim to aid firms and competent authorities to identify, tackle and supervise the risks and challenges deriving from cloud outsourcing agreements, from outsourcing decision taking, selecting a cloud service provider, outsourced activity follow-up, to exit strategies.

Digital Operational Resilience Act - DORA

Regulation (EU) 2022/2554 (DORA -  Digital Operational Resilience Act) was published on 27 December 2022 and enters into force on 17 January 2025. DORA is applied to financial institutions offering services in the European Union.

Given the great dependency of the financial sector on technology to perform its critical business functions and its increasing dependence on third-party technological services, the aim of DORA is to strengthen the resilience of the sector with regard to threats to its ICT assets. This Regulation harmonises the most relevant operational resilience requirements at European level for the entities to be capable, under the principle of proportionality, of detecting, responding to and recovering from possible incidents that affect their critical or relevant business functions.

DORA is based on five pillars: 

• ICT risk management
• ICT-related incident management, classification and notification
• Digital operational resilience testing
• Third-party ICT risk management
• Information sharing

Relevant documents and consultations:

TIBER-ES framework

TIBER-EU constitutes the first common European-scale framework for the execution of red teaming testing, recording the manner in which the authorities, the entities and the cybersecurity service providers are to work jointly to achieve the objective of these tests. These tests aim to foresee, as far as possible, the impact an entity would suffer in the case of confronting a real cyber attack. For this, a cyber attack is simulated in this type of advanced test, employing tactics, techniques and procedures such as those a sophisticated cyber attacker would use. Therefore, they constitute an extremely powerful instrument to improve the cyber resilience of financial institutions.

TIBER-ES subscribes to principles of TIBER-EU and has the aim of strengthening the cyber resilience of the Spanish financial sector, guaranteeing the acknowledgement of the authorities in other jurisdictions that have also adopted this framework locally. The CNMV will monitor the tests, via the TCT (TIBER Cyber Team), whenever the financial institutions carrying them out are within its supervisory scope. TIBER-EU, European framework for the execution of red teaming testing.

• TIBER-EU, European framework for the execution of red teaming testing.
• Guide for the implementation of the TIBER-ES operational framework. The purpose of this guide is to specify the conditions under which the red teaming testing is to be executed following the TIBER-ES requirements.

Public statements and events

• Information for regulated entities: Invitation for financial entities to participate in a DORA dry run exercise (15.04.2024)
• Press release: New Code of Good Governance for Cybersecurity (13.07.2023)