Legal Industry Insight

Financial Sector: Compliance Landscape 2024

Spain's financial sector compliance in 2024: DORA mandatory from January 2025 for 22,000+ EU entities, new AML package (Regulation 2024/1624 and Sixth Directive), and supervisory expectations on ESG and AI Act high-risk systems.


In 2024 the Spanish financial sector faces one of the most intense regulatory cycles in its recent history. The approaching application of the full DORA Regulation, the new European anti-money laundering package, growing supervisory expectations on ESG matters, and the forthcoming mandatory rules for high-risk AI systems under the AI Act together create an extraordinarily demanding compliance environment for banks, insurers, investment firms, asset managers and payment institutions.

DORA: Digital Operational Resilience from January 2025

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (the Digital Operational Resilience Act, DORA) applies directly in all Member States from 17 January 2025. Its scope covers more than 22,000 financial entities in the EU, including credit institutions, investment firms, payment and electronic money institutions, fund managers, insurers and reinsurers, credit rating agencies and crypto-asset service providers, as well as the ICT third-party service providers that the European Supervisory Authorities designate as critical.

The five pillars of the DORA framework are: (1) ICT risk management, with a documented framework approved by the management body that covers all information systems, networks and data assets; (2) ICT-related incident management, classification and reporting, with an obligation to notify the competent authority of major incidents within strict timeframes (initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours, and a final report within one month); (3) digital operational resilience testing, with systems supporting critical or important functions tested at least annually and threat-led penetration testing (TLPT) at least every three years for the entities the authorities identify as significant; (4) ICT third-party risk management, including a register of information on all contractual arrangements, assessment of concentration risk, and mandatory contractual provisions; and (5) voluntary sharing of cyber threat information and intelligence between financial entities.

The Bank of Spain, the CNMV and the Directorate-General for Insurance and Pension Funds (DGSFP) are the competent authorities for DORA in Spain, each for the entities it already supervises. Administrative penalties for non-compliance are left to national sectoral legislation; DORA requires them to be effective, proportionate and dissuasive, and requires authorities to take into account, among other factors, the materiality, gravity and duration of the breach and the profits gained or losses avoided through it.

The 2024 EU AML Package: New Directive and Regulation

In 2024 the European Union adopted a comprehensive anti-money laundering and counter-terrorism financing package comprising four instruments: Regulation (EU) 2024/1624, the single AML rulebook (directly applicable without transposition, and applying from 10 July 2027); the Sixth Directive (EU) 2024/1640; Regulation (EU) 2024/1620 establishing the Anti-Money Laundering and Countering the Financing of Terrorism Authority (AMLA); and the recast Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the Travel Rule for crypto-assets), which had been adopted a year earlier. The three 2024 instruments were published in the Official Journal on 19 June 2024.

The principal changes for entities subject to Spain's Law 10/2010 are: (i) a Union-wide limit of €10,000 on cash payments made or received by persons trading in goods or providing services (payments between private individuals not acting in a professional capacity are excluded; Member States may keep lower limits, and Spain already caps cash payments involving a business at €1,000 under Law 11/2021); (ii) extension of the scope to new sectors, including crypto-asset service providers authorised under MiCA and crowdfunding service providers; (iii) strengthened due diligence on politically exposed persons (PEPs), with stricter identification and ongoing monitoring procedures; and (iv) enhanced beneficial ownership registration obligations, with access for persons who can demonstrate a legitimate interest, as required following the Court of Justice's 2022 judgment that struck down unrestricted public access.

AMLA, headquartered in Frankfurt and expected to begin operations in 2025, will directly supervise selected high-risk cross-border entities (with direct supervision scheduled to start in 2028) and will coordinate the network of Member States' Financial Intelligence Units (FIUs).

AML Compliance in Spain: Law 10/2010 and SEPBLAC Developments

In Spain, Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing, as amended by Royal Decree-Law 7/2021 transposing the Fifth AML Directive, sets out the obligations of obliged entities. The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC) exercises supervision and has published specific guidance on the risk-based approach (RBA) for the financial sector, enhanced due diligence in correspondent banking relationships, and suspicious transaction reporting.

Very serious infringements of Law 10/2010 can be punished with fines of up to the greater of 10% of annual turnover, twice the economic content of the transaction concerned, five times the profit obtained or €10 million, and may also entail revocation of the entity's authorisation. Serious infringements carry lower ceilings (up to the greater of 1% of annual turnover, the amount of the transaction plus 50%, three times the profit obtained or €5 million).

ESG Supervision: ECB and Bank of Spain Expectations

The European Central Bank published its Guide on climate-related and environmental risks in November 2020 and, following its 2022 thematic review, set binding timelines in November 2022: sound materiality assessments by March 2023, integration into governance, strategy and risk management by end-2023, and full alignment with all supervisory expectations, including ICAAP and stress testing, by end-2024. The Bank of Spain applies the same expectations to the credit institutions it supervises directly. In 2024 both supervisors moved to verify progress against these deadlines, with institutions expected to have climate and environmental risk fully integrated into their risk management frameworks and internal capital models.

The CSRD (Directive (EU) 2022/2464) also affects financial entities in two respects: as obliged entities required to report their own sustainability information, and as users that need ESG data from their clients and investees to comply with the SFDR (Sustainable Finance Disclosure Regulation) and the Taxonomy Regulation.

Integrated Compliance: Managing Overlapping Obligations

A distinctive feature of the 2024 compliance landscape is the interdependency between regulatory frameworks. DORA obligations on ICT risk management overlap with GDPR obligations on security of personal data processing. CSRD climate disclosure requirements demand data that also feeds into Taxonomy and SFDR reporting. AML customer due diligence generates data relevant to Beneficial Ownership registers under the new AML package.

Entities that manage these overlapping obligations through siloed compliance functions face duplication of effort and inconsistent data quality. The most effective approach integrates risk identification, data management, and reporting across all regulatory frameworks, underpinned by a single source of truth for entity and counterparty data.

At BMC, our legal team specialises in financial sector compliance across DORA, AML, and ESG regulatory frameworks. Learn about our legal services.
