Yes, this is governed at both national and EU level through the following regulatory legislation.
National level
Credit institutions:
- Royal Decree 84/2015, dated 13 February, on the implementation of Act 10/2014, dated 26 June, on the organization, supervision and solvency of credit institutions
- Circular 2/2016, dated 2 February, of the Bank of Spain, to credit institutions, on supervision and solvency
Investment firms:
- Royal Decree 217/2008, dated 15 February, on the legal regime applicable to investment firms and other entities that provide investment services
- Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive
Management companies:
- Act 35/2003, dated 4 November, on Collective Investment Undertakings
- Royal Decree 1082/2012, dated 13 July, approving the implementation regulation of Act 35/2003, dated 4 November, on collective investment undertakings
- Act 22/2014, dated 12 November, regulating venture capital entities, other closed-ended investment undertakings and management companies
Insurance undertakings:
- Act 20/2015, dated 14 July 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings
- Royal Decree 1060/2015, dated 20 November 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings
EU level
- European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02)
- European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285)
- EU Guidelines on ICT and security risk management (EBA/GL/2019/04)
- European Insurance and Occupational Pensions Authority Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)
- EU regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014