The Financial Technology Law Review: Spain


There is currently no specific regulatory framework in Spain or the European Union governing fintech as such. This is largely because fintech is a complex and transversal universe that involves different entities, services and even legal concerns. However, both the European and the Spanish supervisory authorities have been implementing different measures for several years to promote updating the current legislative framework, issue new rules where necessary and enable fintech to develop.

The most noteworthy recent initiative is the adoption by the European Commission on 24 September 2020 of a digital finance package, which included a digital finance strategy and legislative proposals on cryptoassets and digital resilience, and that will require the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority (ESMA) to provide technical advice on different matters in the coming years.

Various electronic sources provide information on fintech. For instance, the Spanish Fintech and Insurtech Association has its own website and the National Securities Market Commission (CNMV) created a section on its website to provide an informal communication space with fintech and a Q&A for fintech companies on activities and services that may be within the CNMV's remit.

The main tax incentive schemes for investment in tech or fintech businesses generally applicable in Spain are: (1) the Spanish patent box regime and the research, development and innovation tax credit that potentially applies to Spanish-resident companies engaged in tech and fintech activities (generally only where the technology qualifies for it; for example, as a patent or as advance registered software); (2) the corporate income tax (CIT) benefits for start-ups and small enterprises (e.g., a 15 per cent rate applicable to stand-alone start-ups during the first two fiscal years in which the company has a positive taxable base, instead of the statutory 25 per cent rate or qualified depreciation regime for tangible assets and property investments) and Spanish-resident venture-capital entities; and (3) tax credits for 'business angels' in specific start-ups (under specific conditions). Proper structuring is essential for investors in these companies to mitigate any Spanish tax leakage applicable to investments in tech and fintech companies.

In December 2021, the Spanish government adopted the draft Start-up Law to place Spain in pole position to attract investment and innovative entrepreneurship. The draft includes important tax incentives, such as an increase in the period for which the reduced CIT rate applies (the first four years in which the company has a positive taxable base, rather than the first two years), as well as interest- and deposit-free tax debt deferrals. The Start-up Law is expected to be approved in 2022.

In general, and until further regulations are passed, Spain should be considered a fintech-friendly jurisdiction, which has been evidenced by the approval of a regulatory sandbox. For example, in 2013 it was estimated that there were 50 fintech companies in Spain; this number had grown to 463 as at March 2021.2


i Licensing and marketing

Spain has not regulated fintech across the board. Therefore, fintech businesses are not subject to specific licences or marketing rules in Spain. This is mainly because they provide a variety of financial services. In general, leaving aside third-party providers (TPPs), which are regulated under Directive (EU) 2015/2366 on payment services in the internal market (PSD II)3 and crowdfunding and crowd-lending platforms, which are subject to Law 5/2015 of 27 April 2015 on the promotion of business financing, fintech businesses focused solely on developing IT solutions to support the provision of services by financial entities are not currently subject to any financial regulatory regime.

However, fintech businesses involved in financial activities such as deposit-taking, investment services (such as automated digital advice and the management of collective investments), payment services and insurance are subject to the general regulatory regime applicable to any company operating in those sectors (including marketing rules) and they must therefore obtain the relevant authorisations from the authorities depending on the service rendered. For banking services, the competent authority is the Bank of Spain (BoS) or the European Central Bank (ECB). For investment services, the competent authority is the CNMV, and for services or products that relate to insurance, reinsurance and pension funds, the competent authority is the General Directorate of Insurance and Pension Funds (DGSFP).

Law 5/2015 regulates crowdfunding and crowd-lending platforms and the provision of their services. These activities require an authorisation from the CNMV (with the intervention of the BoS). Unlike other financial regulations in Spain, which are transpositions of European financial directives, Law 5/2015 is purely domestic. However, it will have to be amended to be aligned with the EU Regulation on European Crowdfunding Service Providers (ECSP), which has applied since 10 November 2021. This Regulation was part of the European Commission's fintech action plan and the mid-term review of the 2015 capital markets union action plan. The Regulation lays down uniform rules across the EU for the provision of investment-based and lending-based crowdfunding services related to business financing. It allows platforms to apply for an EU passport based on a single set of rules, which makes it easier for them to offer their services across the EU with a single authorisation. The new rules are expected to increase the availability of this innovative form of finance, which will help companies seek alternatives to bank financing. Investors on crowdfunding platforms, meanwhile, will benefit from an aligned and enhanced investor protection framework, based on: (1) clear rules on information disclosures for project owners and crowdfunding platforms; (2) rules on governance and risk management for crowdfunding platforms; and (3) strong and harmonised supervisory powers for national authorities overseeing the functioning of crowdfunding platforms. The CNMV has established a simplified procedure for platforms that are already authorised in Spain so as to continue providing these services and to adapt to the content of the Regulation, which may be in force until 10 November 2022.

In addition, the Spanish government approved Law 7/2020 of 13 November 2020 for the digital transformation of the financial system, which establishes a set of measures to accompany the digital transformation of the financial system and more importantly, it establishes a controlled testing area or sandbox. The aim of the sandbox is to carry out, with all the necessary guarantees, technology-based financial innovation projects (through new applications, processes, products or business models) provided that they are sufficiently mature, benefit users of financial services, facilitate regulatory compliance, increase the efficiency of institutions or markets, or contribute to improving the performance of public functions in the financial sphere. The Spanish fintech sandbox has managed to attract a total of 67 projects to its first call, which ended on 23 February 2021. Of those projects, 18 were admitted to controlled testing in the Spanish sandbox and 12 have started the six-month testing period. A second call was closed in October 2021 and four of the 13 projects submitted were approved. The deadline to submit projects for a third call is April 2022.

In January 2022, Spain established rules regulating how cryptoassets are to be publicised.4 Among other things, these rules force providers of cryptoasset services and certain other legal and natural persons to inform the CNMV of cryptoasset publicity campaigns that target more than 100,000 investors 10 days in advance and to include warning disclaimers about the risks assets pose. In addition, this regulation provides the principles and rules applicable to marketing materials regarding cryptoassets. Other than this, no specific regulatory framework governs the marketing of fintech products and services (except for Law 5/2015) so these entities must observe the marketing legislation applicable to any other company. Apart from the Spanish Consumers Law, which establishes certain principles on marketing, and the general law on publicity, other applicable publicity provisions are included in the Spanish laws on electronic commerce and distance marketing of financial services.

ii Cross-border issues

There are no specific passporting procedures for fintech. Only fintech entities set out as regulated financial services providers have access to the cross-border provisions under Spanish laws implementing the European directives that allow for specific types of regulated entities to operate in another EU Member State without having to be authorised by the host Member State regulators.

Accordingly, EU-regulated financial services providers that operate a fintech business benefit from the passporting regime, which enables them to provide services in Spain on a freedom-to-provide-services basis or by establishing a branch. It is a simple notification procedure set out under the main EU financial directives (such as the fourth Capital Requirements Directive, the second Markets in Financial Instruments Directive (MiFID II), the Undertakings for Collective Investment in Transferable Securities Directive, the Alternative Investment Fund Managers Directive or PSD II, and now ECSP), which involves the home Member State notifying the host Member State that the relevant entity intends to provide services in its territory.

Non-EU financial services providers that intend to provide services in Spain require an authorisation from the BoS, the CNMV or the DGSFP, even if they intend to provide services through a branch or from the territory of their home state. A non-EU fintech company authorised as a financial services provider would also be required to follow the same authorisation procedure.

The ownership of non-regulated fintech is not restricted in Spain. Regulated fintech entities (such as credit institutions, investment institutions and insurance companies) are subject to a significant holdings regime that requires a purchaser of a 10 per cent or higher stake to obtain prior authorisation from the corresponding supervisory authority.

Digital identity and onboarding

Digital identity is recognised in Spain. Different types of digital identities are regulated under Spanish Law 6/2020 of 11 November 2020 on aspects of trust services (the Spanish Electronic Signature Law) and Regulation (EU) No. 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (jointly known as the Electronic Signature Laws).

Digital identity certificates can be issued by any state or private entity that complies with the regime established in the Electronic Signature Laws. However, the most widely recognised certificates are issued by public institutions (the Royal Spanish Mint and the Tax Agency). Electronic identity is accessible to all national and non-national persons.

The Electronic Signature Laws set out the different categories of electronic signatures depending mainly on their security features as well as the probative effects corresponding to each category, as well as regulating the characteristics and effects of each of them in Spain. In particular, there are three categories: simple electronic signature, advanced electronic signature and qualified electronic signature, in order of the simplest (with fewer security features) to the most complex, based on a recognised certificate and created by a trustworthy signature creation device, which will entail the use of the highest security features.

The three categories of electronic signature are recognised in Spain as being valid to enter into any contractual relationship or transaction. However, the Electronic Signature Laws only recognise the 'qualified electronic signature' as having the same value before a court as a handwritten signature on paper. This does not mean that other types of electronic signature do not have any legal effect. Indeed, an electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. However, the evidential value of each signature will depend on how rigorous the different steps of the contracting process are and on the security measures used to ensure the identification of the signatory throughout the contracting process.

The Electronic Signature Laws also provide for a regulation in Spain of additional trust services, allowing fintech not only to improve the services they may provide but also to build certain fintech businesses around these concepts with an appropriate legal framework. During 2021, there were certain relevant judicial rulings and resolutions from public registries in Spain5 questioning the validity of certain e-signature models and platforms and whether they met the requirements for validity in Spain.

Fintech companies established as financial services providers are subject to anti-money laundering requirements that establish rules to identify clients. These rules enable a digitised onboarding of the clients in certain cases (for instance, when the client's identity is certified in accordance with applicable regulations on electronic signatures) and subject to certain requirements.

Digital markets, payment services and funding

Collective investment vehicles are regulated under Law 35/2003 of 4 November 2003 on collective investment schemes and Law 22/2014 of 12 November 2014 on venture capital and other closed-ended investment schemes and management companies of the closed-ended investment schemes. There is no specific law for fintech collective investment vehicles.

As opposed to the rest of fintech, and as mentioned in Section II, crowdfunding and crowd-lending platforms are subject to Law 5/2015 and the ECSP. Spanish consumer lending regulations apply when a fintech company is involved in a credit transaction with a consumer. Loans and financings may be assigned through an assignment contract and it is very common to assign entire portfolios of loans. These loans and financings may only be traded if they are converted into a security, which is assigned to a special purpose vehicle (SPV). The SPV may then issue securities backed by the credit rights arising from loans. The above is the typical structure in securitisations.

Law 5/2015 amended the Spanish legal regime on securitisation, which is also regulated by Regulation (EU) 2017/2402 (the Securitisation Regulation) as recently amended by Regulation (EU) 2021/557 of 31 March 2021 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation to help the recovery from the covid-19 crisis. Under Spanish law, assigning assets to a securitisation fund should comply with the following requirements:

  1. the transferor and, as the case may be, the issuer of the securities assigned to a securitisation fund must have audited their annual accounts for the two financial years prior to the incorporation of the fund, except in certain cases;
  2. the transferor must disclose in its annual reports the current and future assignment of credit rights that impact each year;
  3. the assignment of the assets to the fund should be formalised in a contract; and
  4. the management company of the securitisation fund should submit a document to the CNMV for each asset assignment containing certain information on the assets.

Under Spanish law, only duly authorised entities may render professional payment services. As mentioned in Section II, the BoS grants this authorisation. Since the implementation of PSD II into Spanish law, TPPs have been able to access their clients' payment accounts for the purposes of providing the services regulated under PSD II.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Spain has no specific regulation on blockchain technology, cryptocurrencies or the issuance of tokens. However, the European and Spanish regulators have been assessing these products for some years and have taken some steps towards their regulation.

On 24 September 2020, the European Commission published its proposed regulation on markets in cryptoassets (MiCA), which forms part of a wider set of publications on Europe's Digital Finance Strategy. MiCA will apply to any person who provides cryptoasset services or issues cryptoassets in or into Europe. It will also apply to any cryptoasset that is not already subject to EU regulation. This will include utility tokens, payment tokens, stablecoins (or asset-referenced tokens) and a newly defined e-money token (a token that is not e-money in the traditional sense, but has all the hallmarks of traditional e-money). It will not apply to security tokens that are already subject to existing EU regulations. Neither will it apply to central bank digital currencies, but it imposes substantial requirements on significant stablecoins (global stablecoins (GSCs)). This appears to be another regulatory step to ensure central banks retain control of monetary policy and to safeguard against perceived risks with GSCs.

MiCA defines a cryptoasset issuer as any 'person who offers cryptoassets to third parties', which is an intentionally broad definition. All issuers will have to comply with a number of general requirements, with issuers of stablecoins (or asset-referenced tokens) and e-money tokens (payment tokens) being subject to more stringent requirements.

Nevertheless, MiCA is still at the proposal stage and needs to undergo the EU legislative process. During 2021, several European institutions, such as the ECB, the European Economic and Social Committee and the European Data Protection Supervisor, published their opinions on the proposal. On 24 November 2021, the European Council adopted its position on the proposal. The latest draft has delayed MiCA's effective entry into force until 2024.

ESMA has published two statements on ICOs. Also, the CNMV and the BoS have warned firms and investors about the regulations and risks inherent to ICOs, cryptocurrencies and tokens. Their last joint press statement on cryptocurrency investment risks was published in February 2021. Along the same lines, and as mentioned above, the CNMV has regulated on the advertising of cryptoassets for investment purposes (through Circular 1/2022).

The BoS has created a register of providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers, pursuant to the transposition into Spanish legislation of the Fifth Anti-Money Laundering (AML) Directive.6 These providers, which were required to register with the BoS before 29 January 2022, are now subject to the requirements set forth in the Spanish AML legal regime.

As concerns the tax treatment of cryptocurrencies and tokens in Spain, the matter is not a clear-cut issue, although the European Court of Justice (ECJ) and the Spanish tax authorities have provided specific guidelines.

Regarding Spanish VAT, the ECJ judgment of 22 October 2015 (C-264/14) ruled that transactions involving non-traditional currencies, such as cryptocurrencies, are exempt from VAT pursuant to Article 135(1)(e) of Council Directive 2006/112/EC.7 Therefore, according to the ECJ, sale and purchase transactions with cryptocurrencies carried out by VAT-taxable persons should be exempt from Spanish VAT. On the contrary, 'mining' activities to generate cryptocurrencies should not be subject to VAT. Both criteria have also been shared by the Spanish tax authorities in specific binding tax rulings, in which it has also been confirmed that staking activities are subject to, but exempt from, VAT if carried out by VAT-taxable persons.

For Spanish tax-resident individuals holding cryptocurrencies, and pursuant to specific binding rulings issued by the Tax Agency in 2018, income triggered on the sale or transfer of cryptocurrencies (including that resulting from the exchange of one type of cryptocurrency for another) should be deemed as capital gains from a Spanish tax standpoint, and should be taxed accordingly. Specific activities concerning cryptocurrencies (e.g., mining) may have a different tax treatment and, potentially, be deemed as business activities for Spanish tax purposes (income tax, business tax, etc.). The Spanish tax authorities are currently issuing binding rulings with regard to tax treatment associated with cryptocurrency activities in relation to other taxes, such as wealth or gift tax.

There are some measures in Spain to prevent tax fraud related to cryptocurrencies. In this regard, companies that manage cryptocurrencies, as well as exchange platforms, are obliged to provide certain information about holders' identity and transactions. Spanish residents with cryptocurrencies located abroad are obliged to file Form 721; this requirement is expected to be approved shortly.

Other new business models

Similarly to ICOs, cryptocurrencies and tokens, self-executing contracts are not specifically regulated in Spain and so are permitted and subject to Spanish contract law like any other contract. There are no particular arbitration or mediation schemes for self-executing contracts. These mechanisms are available on the same terms as for any other contract. Although self-executing contracts are not specifically regulated as such, we believe the following rules should be taken into account:

  1. should the self-executing contract consist of pre-established clauses imposed by one of the parties for a generality of contracts, Law 7/1998 of 13 April 1998 on general contracting conditions will apply, which imposes certain conditions and interpretation rules, as well as a public registry for general conditions;
  2. if a self-executing contract is entered into with consumers, Royal Legislative Decree 1/2007 of 16 November 2007 approving the revised text of the General Consumers Law would also apply. This regulation establishes guiding principles applicable to relationships between consumers (understood as legal or natural persons acting in a context that falls outside their entrepreneurial or professional activities) and entrepreneurs;
  3. also of note is Law 34/2002 of 11 July 2002 on services of the information society and electronic commerce, which would apply if the contract is entered into by electronic means. It establishes a regulatory regime for electronic agreements (e.g., the information to be provided to the contracting parties prior to and after the execution of the agreements, the conditions applicable for electronic agreements to be valid, and other obligations applicable to the electronic providers); and
  4. if the contract falls into the definition of a financial service, Law 22/2007 of 11 July 2007 on the distance marketing of financial services addressed to consumers, setting out the rules for electronic agreements and electronic marketing communications, would also apply.

Fully automated investment processes are not regulated as such under Spanish law. However, some provisions of Regulation (EU) No. 596/20148 and MiFID II, which refer to algorithmic trading and high-frequency trading strategies, apply.

In addition, third-party websites comparing products or providing information about financial products are subject to general data protection rules, in the same way as other service providers. They are also subject to competition rules, although they are generally not an area of concern for competition authorities to the extent that they favour free competition among the players in the market. However, concerns may be raised if these websites impose most-favoured-nation clauses on any of the players.

From a purely regulatory perspective, the provision of information about financial products is not subject to authorisation if this information does not involve the provision of any other regulated services (for instance, investment advice).

In recent years, the financial industry has seen a fast-growing adaption of the economy to fintech. The most important sectoral innovations are those related to credit, payment and investment management services. Crowdfunding, crowd-lending and TPPs are good examples of new business models.

Another new business model that has recently emerged is based on the commercialisation of big data in terms of consumer trends based on clients' data. This model has already been questioned by the Spanish Data Protection Agency, which imposes restrictions on the validity of customers' consent for their data to be used in an aggregated manner for its commercialisation.

Generally, the main legal and regulatory issues for fintech in Spain are the obstacles resulting from the provision of financial services that trigger licensing requirements. As stated in Section I, the current legal regime for the authorisation of financial entities, which is established by reference to EU law, does not provide for a simplified procedure for businesses that only provide a limited range of services, as is the case of many fintech businesses. Hence, at present, fintech-providing regulated services such as payment or investment services must navigate complex and burdensome procedures in Spain or in their country of establishment before having access to customers.

Intellectual property and data protection

i Intellectual property

Fintech business models and related software may be protected by the rules applicable to the ownership of inventions and works, which should be analysed separately.

Fintech business models may be classed as inventions that are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:

  1. Spanish patents provide protection for inventions for 20 years as of the filing date;
  2. utility models protect inventions of lower inventive rank than patents, and are granted for 10 years;
  3. once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person; and
  4. know-how has value as long as it is protected as a trade secret and, thus, it is kept confidential (as opposed to patents and utility models), which means that it is not generally known by individuals belonging to the environment where this information would be known and it is not easily accessible by them; it has a potential or effective commercial value by being secret; and it has been subject to reasonable measures to keep it secret. These measures could include contracts (confidentiality agreements) and the adoption of practical measures (security measures, such as password protection and limitations on access to certain personnel), demonstrating that the invention or work remains valuable.

On a separate note, software is to be deemed an invention but is protected by copyright from the very moment it is created. Registration is not necessary to protect software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author's actual or declared death should the author be a natural person. If the software's author is a legal person, the rights will run for 70 years as from 1 January of the year following that in which the software was lawfully published or, failing publication, from its creation.

Regarding the ownership of intellectual property rights, the ownership of inventions and works should again be analysed separately. There are default rules under Spanish law to attribute ownership of inventions.

In the absence of other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.

When the inventor is an employee (private or public):

  1. if the invention is a result of his or her work for an employer, pursuant to the terms of his or her employment agreement or to the instructions received from his or her employer, the employer owns the rights to the invention; and
  2. if the invention is a result of his or her independent work but he or she benefited from knowledge obtained from his or her employer or used its facilities, the employer may be deemed to own the invention or have rights to use it, in exchange for fair compensation.

The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity that leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work.

However, some specific legal presumptions as well as some important exceptions exist:

  1. regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights over the work necessary for conducting the employer's ordinary course of business are exclusively assigned to the company when the work is delivered. This assumption is extended, if the work involves software, to all exploitation rights, without limitation based on the employer's course of business; and
  2. in the event of joint co-authors, either:
    • all co-authors have equal exploitation rights, unless otherwise agreed; or
    • the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person's own name.

ii Data protection

Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories, are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). Since 25 May 2018, the main data protection rule in Spain has been the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) that directly applies in all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.

Notwithstanding the above, at a national level and in addition to the GDPR, Spain has certain local data protection rules. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on data protection and digital rights guarantees (LOPDGDD). The LOPDGDD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules to make them compatible with the GDPR. The main goal of the LOPDGDD is to provide specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are allowed to regulate further. Consequently, certain data processing (such as inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPDGDD. Also, the LOPDGDD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may affect the business of certain fintech entities, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.

The Spanish government has also tried to reinforce these digital rights by approving a Charter of Digital Rights for Spain, in 2021, which, even though it does not have a legal or mandatory nature, creates the framework and sets the criteria for future regulations on this matter in Spain.

Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities in the EU, should also be taken into account. During 2021, the Spanish Data Protection Agency has significantly increased the size of fines imposed, as compared to previous years.

As regards the possibilities of fintech businesses carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), these activities are subject to the GDPR and to certain guidelines of the Spanish Data Protection Agency. In general, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The Spanish Data Protection Agency's interpretation of the legitimate interest as lawful grounds for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, fintech companies must comply with additional information and transparency duties when they carry out profiling activities. In addition, if artificial intelligence (AI) technologies are used to carry out profiling activities, fintech businesses must take into account the guidelines on AI issued by the Spanish Data Protection Agency and the requirements for audits on the processing of personal data using AI.9 Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments, are imposed.

Finally, and on a different note, some of these profiling activities may be carried out with anonymised or pseudonymised data. If this is the case, fintech businesses should take into account the fact that the Spanish Data Protection Agency has issued several guidelines and technical documents for anonymisation and pseudonymisation processes.10

Year in review

In our view, the most significant legislative proposals in the fintech sector remain the following.

i Sandbox

On 14 November 2020, Law 7/2020 on digital transformation of the financial system entered into force. This establishes and governs the sandbox that will offer a controlled testing environment to allow for the implementation of innovative technology projects in the financial services sector. The environment will be safe for participants to test new financial products and services, while ensuring that the stability of the financial system is maintained and potential risks are eliminated or adequately mitigated.

Project promoters (for instance, tech companies, financial entities, associations representing interests, or public and private centres of investigation) and regulators will enter into a protocol to establish the rules and conditions to which the projects and testing will be subject. Guarantees and protections will be afforded to sandbox participants, including informed written consent, personal data protection, rights of withdrawal, promoter liability, guarantees covering promoter liability, confidentiality and, for the regulators, the option to end testing in cases of bad practice or failure to comply with the protocol rules.

Also, entities that participate in the sandbox may have expedited access to regulatory authorisation.

ii MiCA

On 24 September 2020, the European Commission published its proposed regulation on markets in cryptoassets (MiCA), which forms part of a wider set of publications on Europe's Digital Finance Strategy. MiCA introduces specific disclosure and transparency requirements, such as a requirement for a prospectus or white paper to be issued with a number of crypto-specific disclosures, and a requirement that issuers are established as legal entities and supervised effectively. Additional obligations will apply to issuers of asset-referenced tokens (or stablecoins). On 24 November 2021, the European Council adopted its position on the proposal and is currently holding trilogue negotiations with the European Commission and the European Parliament.

iii DORA

On 24 September 2021, the European Commission published its legislative proposal for a regulation on digital operational resilience for the financial sector, also referred to as the Digital Operational Resilience Act (DORA), as part of its wider digital finance package, which also includes a digital finance strategy. The overall objective of DORA is to introduce EU-wide rules on digital operational resilience, coordinating, streamlining and upgrading existing national regulatory regimes to address the cross-border nature of information and communications technology (ICT) risks faced by the financial sector. DORA also intends to implement a comprehensive regulatory framework for European financial entities' ICT risk management, and to harmonise ICT system testing, auditing, reporting requirements and information sharing. DORA also introduces provisions for the management of ICT third-party risks, which includes an oversight framework for critical ICT third-party service providers (CTPPs), by which CTPPs fall under the direct supervision of a lead overseer. The European Council adopted its position on the proposal on 24 November 2021 and is currently holding trilogue negotiations with the European Commission and the European Parliament.

iv Digital euro

In February 2021, the European Commission and the ECB issued a joint statement on their cooperation on a digital euro. Taking account of digitalisation, rapid changes in the payments landscape and the emergence of cryptoassets, the ECB is exploring the possibility of issuing a digital euro, as a complement to cash and payment solutions supplied by the private sector. Following the conclusion of the public consultation on 12 January 2021 and a period of preparatory work, the ECB decided to launch the investigation phase of the digital euro project. The Commission and the ECB will continue to work closely in this investigation phase, which consists of analysing and testing the various design options for the digital euro.

Outlook and conclusions

The fintech sector in Spain is still expanding, mainly in sectors where intermediation between parties is fundamental (e.g., lending, foreign exchange, brokerage and investment services such as investment advice and portfolio management) and in the payments sector. Overall, the development of online payment platforms and big data, robotics and AI tools represent the most recent trends in innovation (to date, mainly crowdfunding and crowd-lending platforms and robo-advisers).

Law 7/2020 offers an excellent opportunity for new entities to access the financial system via the recently approved sandbox. The fintech market will pay close attention to the outcome of the projects that are being tested over the coming months.

In addition, recent regulatory changes have entered into force in the past months, such as a new regulation on certain aspects of digital trust services (Law 6/2020) or cybersecurity regulations (Royal Decree 43/2021). Also, the recognition in Spain of specific digital rights is currently being reinforced through certain initiatives, such as the proposal for approval of a Spanish Charter of Digital Rights, all of which should be taken into consideration owing to their impact on the fintech legal framework. Finally, the main disruption in the global financial sector is still expected to result from ledger technologies such as blockchain. Although this type of technology is not yet commonly used, it is expected to emerge in Spain in many areas beyond just cybersecurity and cryptocurrencies.

Finally, the approval of MiCA, which is taking longer than expected, will represent an historic milestone in the regulation of the fintech ecosystem.


1 Leticia López-Lapuente and Isabel Aguilar Alonso are partners at Uría Menéndez.

2 Map of fintech in Spain, by Finnovating.

3 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015.

4 Circular 1/2022 of 10 January 2022.

5 For example, Ruling No. 74/2021 of the Provincial Court of Lleida.

6 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

7 Council Directive 2006/112/EC of 28 November 2006 on the common system of VAT.

8 Regulation (EU) No. 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse.

The Law Reviews content