Commercial SMS Regulation in Spain: Order TDF/149/2025 and Upcoming Changes

In Spain, sending SMS for commercial purposes is primarily regulated by Law 34/2002 on Information Society Services (LSSI), which prohibits unsolicited commercial communications sent by electronic means (including SMS) without express consent from the recipient. This means that, as a general rule, promotional SMS can only be sent if the user has previously authorized them (e.g., by checking a consent box) or if there is a prior contractual relationship and the messages concern products/services similar to those already contracted.

In any case, each commercial SMS must offer a simple and free means for the recipient to object or unsubscribe from future mailings, complying with the right of opposition recognized in the regulations. In parallel, data protection legislation (GDPR and LOPDGDD) reinforces these obligations: sending SMS to natural persons constitutes personal data processing that requires a valid legal basis (consent of the data subject or legitimate interest in the case of existing customers) and transparency in the information provided to the user.

Likewise, "advertising exclusion lists" have been implemented that allow citizens to register to not receive advertising from companies with which they have no relationship. These lists, managed under the supervision of the Spanish Data Protection Agency, must be consulted by companies before conducting SMS marketing campaigns, excluding those who are registered. Currently there are two official exclusion listings: the traditional Robinson List and the more recent "Stop Advertising" List, with similar functioning.

Organizations that send commercial SMS have the legal obligation to clean their databases against these lists, unless the recipient is already a customer or has given express consent outside of them. In other words, if a phone number is registered on an exclusion list, it could only receive commercial messages from a company if it is already a customer of that company or if it has given specific consent after its registration on the list.

Regarding identity spoofing via SMS (known as smishing), until recently the legal framework was limited to general rules (such as those in the Penal Code in cases of fraud) and generic obligations for operators to guarantee correct use of numbering. However, the growing fraud through text messages impersonating banks, public institutions or other trustworthy entities motivated the adoption of specific measures in the telecommunications field.

Thus, in early 2025 the Ministry of Economic Affairs and Digital Transformation approved Order TDF/149/2025 (published in the Official Gazette on February 15, 2025) with a package of measures against identity spoofing in phone calls and SMS. This ministerial order, currently in force, focuses on tackling vishing and smishing by requiring correct identification of the origin of calls and messages, and blocking those fraudulent SMS that manipulate the sender identifier.

Regarding SMS, the regulation introduces controls over numbering and aliases used as sender, with the objective of preventing scammers from sending messages appearing to be legitimate entities (e.g., using a bank's name or a fake phone number as sender). In summary, the current legal framework combines consumer protection rules in commercial communications (consent and exclusion lists from LSSI/LOPDGDD) with new sectoral telecommunications measures (Order TDF/149/2025 and related) to combat identity spoofing via SMS, imposing obligations on both sending companies and network operators.

As noted, for sending SMS for promotional purposes it is mandatory to have prior consent from the recipient, except for limited exceptions. Article 21 of the LSSI establishes that commercial communications cannot be sent by electronic means (including SMS) if they have not been requested or expressly authorized by the recipient.

The only exception to this rule (art. 21.2 LSSI) allows sending messages to current customers about own products or services similar to those already contracted, provided that their contact data has been lawfully obtained and each message offers the possibility to object to new mailings. For example, an online store could send an SMS offer to a customer who already purchased previously, without additional consent, but must include in the message an opt-out mechanism (e.g. "Reply STOP to receive no more messages").

If the recipient exercises their right of opposition or revokes consent, the company must immediately cease promotional mailings. In line with the above, Spain has advertising exclusion systems designed to protect users from unwanted communications. The best known is the Robinson List, a service managed by the Spanish Digital Economy Association in coordination with the AEPD, where anyone can register for free to not receive advertising from entities with which they have no relationship.

To this has been added in 2025 the "Stop Advertising" List, of more recent creation, with equivalent functioning (even allowing to specify channels such as telephone, SMS, postal mail or social networks that the user wants to block). All companies planning SMS marketing campaigns must obligatorily consult these listings before sending messages, and exclude from their recipients the numbers registered.

In practice, this involves regularly cleaning contact databases against the Robinson List and Stop Advertising. It is important to note that registration on an exclusion list does not completely cancel advertising: if a user is a current customer of a company or has given their consent to receive messages, that company may send them commercial SMS even if the number appears on Robinson/Stop.

For example, if someone registered on the Robinson List provides their number to a bank and accepts receiving alerts or offers from that bank, the bank's SMS would be legitimate (since there is explicit consent or contractual relationship). However, no company with which the user has no prior relationship may send them commercial messages while on the list, under penalty of infringement.

Authorities (mainly the AEPD) treat sending unsolicited commercial communications as sanctionable practice, especially if the affected party was registered in an exclusion system. Therefore, adhering to exclusion lists and properly managing consents are fundamental pillars of regulatory compliance in commercial SMS.

Companies must preserve evidence of consent obtained (date, form, authorized purpose) and enable simple ways for users to withdraw that consent at any time, as required by the GDPR. In summary, the current regime requires a "prior permission" (opt-in) approach for SMS marketing, complemented with global opt-out tools (Robinson and Stop Advertising lists) that companies must scrupulously respect.

These obligations coexist with the new anti-fraud measures of Order TDF/149/2025, which means that having consent is not enough to send SMS: in addition, messages must comply with the technical and identification requirements that we will see in later sections.

In the telecommunications field, each SMS message carries an associated sender identifier that can be a phone number (numeric origin) or an alphanumeric code (also called alias when the sender appears as text, for example, a company name). CLI (Calling Line Identification) presentation refers precisely to showing that identifier to the recipient.

In Spain, the use of phone numbering is regulated by the National Numbering Plan (established by Royal Decree 2296/2004 and subsequent regulations), which assigns certain number ranges for each service. For example, Spanish mobile numbers begin with 6 or 7, geographic numbers with 8 or 9, etc., while prefixes like 3 or 4 do not exist in national numbering. Additionally, the National Commission for Markets and Competition (CNMC) allocates numbering blocks to operators, and they assign them to end users or sub-assign to other providers.

Historically, manipulating the CLI to appear as another origin (spoofing) was already prohibited, but was technically possible in certain environments (e.g., misconfigured VoIP exchanges). The new Order TDF/149/2025 reinforces CLI control in both calls and SMS. Regarding text messages, the Order provides that operators must block any SMS whose sender identification is anomalous or invalid.

SMS with empty or invalid numeric sender

If the message presents an empty CLI (without number) or a number that is not attributed to any service or does not follow the national numbering plan format, it should not be processed. This covers obvious cases like impossible numbers (e.g.: beginnings 3xx…) and also falsified numbers that have not been assigned to any user or operator. Operators will consult numbering databases to verify if a number is actually assigned in Spain.

SMS with unauthorized numeric sender

Beyond format, messages whose numeric origin has not been assigned by the CNMC to any authorized operator are blocked. That is, even if the number has valid format, if it appears in the national registry as not allocated to any operator (for example, a number from a block not yet granted, or an "orphan" number), the message will be filtered.

For this, the CNMC will provide operators with updated information (even through automated tools/API) about ranges and numbering in use. In fact, the creation of a real-time consultation database has been planned so that operators can check if a number is assigned before processing the communication. This measure will be fully operational in 2026, giving the CNMC time to implement it.

SMS with alphanumeric sender (alias)

Aliases are text strings that identify the sender but do not correspond to a returnable phone numbering (i.e., the recipient cannot reply to the SMS using the alias directly). They are widely used by companies (banks, commerce, online platforms) so that instead of seeing a number, the user sees a recognizable name.

The problem is that until now anyone could send SMS with an arbitrary alias, facilitating spoofing (a scammer could put "BankXYZ" as alias and try to deceive the recipient). The new regulation creates a national registry of alphanumeric aliases managed by the CNMC, where companies must register the aliases they use before employing them in their campaigns.

Each registered alias will be associated with the entity that registered it and with the messaging service providers authorized to use it. From the full entry into force of this measure (see calendar below), operators will block all SMS that use an unregistered alias or sent through a provider not enabled for that alias. In essence, only those names officially validated in the registry can appear as alphanumeric senders, preventing unauthorized third parties from impersonating them.

In addition to the above, Order TDF/149/2025 introduced a restriction in the voice field (calls) prohibiting the use of mobile numbering for customer service or commercial calls – forcing companies to use geographic or toll-free numbers (800/900) for those purposes. Although this provision refers to phone calls (not SMS), it is part of the same effort to ensure that each type of communication uses appropriate and recognizable numbering.

In the SMS context, no equivalent prohibition on using mobile numbers has been imposed; in fact, many companies will continue to be able to use long numbers or dedicated short codes to send messages, as long as those numbers have been assigned by an operator. What is crucial is that foreign or fake mobile numbers are not used as SMS sender.

In summary, current regulation on numbering and sender presentation in SMS requires: (a) using only valid and assigned numbering, (b) not hiding or manipulating the sender identifier, and (c) in the case of alphanumeric aliases, registering and authorizing their use previously. These measures aim for the user to be able to trust the identity that appears in the SMS, reducing cases of spoofing fraud.

Order TDF/149/2025 was approved in February 2025, entered into force on March 7, 2025 (20 days after its publication) and provided for progressive application of some obligations. In particular, from June 7, 2025 (three months after entry into force) several measures affecting SMS sending began to be fully required.

Blocking SMS with falsified or unassigned numbering

Since June 2025, operators must block any SMS message whose numeric sender is not valid. This includes SMS with empty sender field, with formats that do not match Spanish numbering, or with national numbers that are not allocated to any real subscriber.

Blocking SMS "spoofing" from abroad

Another obligation in effect since June 7, 2025 is to prevent SMS originated outside Spain that appear to come from Spanish numbering from reaching Spanish users. Many frauds start from foreign platforms that used fake Spanish numbers to give confidence to the recipient. Now, when an SMS enters national networks through international gateways, if it carries a Spanish number as sender, the receiving operator will verify if it is a legitimate roaming case.

It is only allowed to route it if it corresponds to a Spanish customer in international roaming (i.e., someone who is temporarily abroad and sends an SMS through their operator); otherwise (A2P or mass traffic from outside simulating being local), the message will be blocked. This has forced a reorganization of messaging traffic: foreign companies that sent SMS with Spanish sender without actually being in Spain now face blocks.

Prohibition of commercial calls from mobile numbers

Although we focus on SMS, it should be mentioned that simultaneously, since June 2025 the prohibition of using mobile numbers in telemarketing or customer service calls entered into force, forcing the migration of these services to fixed or toll-free 800/900 numbering. We mention this only as part of the global regulatory context; regarding commercial SMS, there is no prohibition of mobile origin, but as explained, any mobile number used must be one's own/assigned and not a simulated one.

In sanctioning terms, these non-compliances are classified as serious infractions of the General Telecommunications Law. Since June 2025, for example, using a mobile number in a prohibited way or bypassing these blocks could entail fines of up to 2 million euros.

For companies that use SMS in their communications, the implications of the 2025 changes are clear: ensure using legitimate and authorized senders. In practice, many have had to coordinate with their messaging providers to verify what identifiers they were using in their mailings.

An immediate positive effect of these measures (June 2025) is that certain obvious spam and smishing has decreased, as the most crude cases of falsification (non-existent or clearly fraudulent numbering) are blocked. However, scammers could continue attempting deceptions using text aliases (company names) or international numbering. That's why the Order provided for a second regulatory milestone in 2026 to address especially the alias issue.

June 7, 2026 marks the date when the most novel provisions of Order TDF/149/2025 regarding SMS will enter into force: those referring to alphanumeric sender codes (aliases) and their registration.

Mandatory alias registration

All companies, organizations and administrations that use an alias when sending SMS must register said alias in the registry enabled by CNMC before its use. Registration will link the alias with the entity that uses it and with its messaging service provider or providers authorized to send messages on its behalf.

For example, if a bank wants to use the alias "MyBank" in its SMS, it will have to register it indicating that it belongs to Bank X and perhaps that its provider (operator Y or platform Z) is authorized to send SMS using "MyBank". This registry will begin operating in 2026 (its entry into operation was announced around May 2026) so that companies can register their aliases in advance. From June 7, 2026, no SMS with unregistered alias can be delivered to the user, as it will be blocked in the network.

Blocking unauthorized aliases

Telecommunications operators will be obliged to block all SMS that use unregistered aliases, as well as those that, even having valid alias, do not come from an authorized provider associated with that alias in the registry. This second part is important: it seeks to prevent a registered alias from being exploited by third parties.

Following the previous example, if "MyBank" is registered by Bank X but a scammer contracts a foreign provider to send messages using "MyBank", even though the alias exists in the registry, the Spanish operator will verify the origin. If the message comes from a carrier or gateway that does not match those authorized for Bank X, then it will be blocked for being considered fraudulent use.

Blocking international SMS with Spanish alias

Just as since 2025 SMS from abroad using fake Spanish numbers are blocked, from June 2026 the blocking will extend to international messages with unauthorized alphanumeric aliases. In particular, if a message enters the Spanish network with an alias that matches a registered Spanish alias but comes from an unvalidated source, it will be blocked.

Even if the alias was not registered at all, it would also be blocked (since it would not pass the registry filter). Basically, the door is closed to international smishing via alias: it will no longer be enough to use the name of a known bank as sender, because if that bank has it registered, any message that does not come from its official channels will not reach the user.

Registry procedure and management

CNMC will issue instructions detailing how to register, requirements and deadlines. It is expected that the process will be electronic, probably enabling a portal where companies accredit their identity, the desired alias (verifying that they have the right to use that trade name, registered trademark or similar) and the data of their SMS operator or provider.

It is also foreseeable that the information will have to be kept updated (for example, if you change provider, you would have to update who is enabled for your alias). An aspect to consider is the possible saturation or overlap of aliases: the registry will have to manage cases of generic names. It is expected that preference will be given to registered trademarks or corporate names.

Sanctions for non-compliance

Using an unregistered alias or sending SMS bypassing the registry will be considered a serious violation. Given that the Order refers to the sanctioning regime of the General Telecommunications Law, fines could reach up to 2 million euros in serious cases. But perhaps even more dissuasive is the fact that messages simply will not reach the recipient: for a company, having its legitimate communications blocked for not having followed the registration process would be highly detrimental.

In summary, from June 2026 the regulatory landscape for SMS in Spain will be much stricter regarding who can send messages and with what identifiers. Each alias will act almost like a "registered trademark" in the SMS field, with a central registry that guarantees that only the legitimate owner (and their technological partners) can use it.

Implementation of this new regulation falls largely on communications operators and also on so-called messaging service providers (SMS sending platforms, aggregators) and their resellers. Order TDF/149/2025 specifies that it applies to all providers that allow making calls or sending messages using numbering from the national plan or identifying aliases.

Proactive blocking of illicit traffic

Operators (and in general, any provider that transports SMS) are obliged to detect and block in their networks messages that violate legal criteria. This includes implementing filters to identify empty or invalid CLI, verify Spanish numbering presented in incoming international traffic, and from 2026 check aliases against the CNMC registry.

The blocking obligation is imperative; if an operator allows prohibited messages to pass, it could be sanctioned. Therefore, operators must update their signaling systems and SMS firewalls to incorporate these filtering logics.

Consultation of numbering databases and registry

To comply with the above, operators have the obligation to stay synchronized with official information about assigned numbering and registered aliases. CNMC, by provisions of the Order, must facilitate tools (APIs, listings) so that operators can consult in real time if an origin number is assigned to any operator.

Likewise, there will be secure access to the alias registry for online consultation: when an SMS with alias "ACME" arrives, the operator's system must consult if "ACME" is in the database and if the origin of that message corresponds to an authorized provider. All this technical framework must be integrated by operators into their messaging management platforms before June 2026.

Collaboration with CNMC and SE Telecommunications

In addition to blocking, the regulation imposes collaboration duties. For example, Additional Provision First of the Order requires obligated subjects (operators and providers) to annually submit statistics to the Secretary of State for Telecommunications and CNMC on blocked calls and messages, including when possible the reason for blocking.

This means that operators must keep an internal record of filtered SMS, classifying them (e.g., X messages blocked for unassigned CLI, Y for unregistered alias, etc.). These statistics will serve the authority to measure the effectiveness of measures and detect new fraud tactics.

Provider chain responsibility

In many cases, companies that send SMS do not connect directly to the mobile network but through aggregators or SMS service resellers. The compliance obligation reaches all links. An aggregator that offers mass sending services must ensure that its clients' messages comply with the rules, because the final delivery operator will block improper traffic and could even cancel agreements if it systematically detects abuses.

Likewise, for alias registration, messaging providers will act as enablers: when they register an alias for a client, they must appear as authorized providers of that alias. If a provider is not in the registry as authorized for a certain alias, it cannot process messages with that sender.

Ensuring correct assignment of numbering used

Another tacit obligation is that operators must provide only legitimate numbering to their messaging clients and avoid previous practices of certain laxity (such as assigning the same number to multiple clients, or allowing a client to use a number that was not actually in their pool). The Order emphasizes that only formally assigned or sub-assigned numbering should be used.

Network operators will have to monitor that no intermediate operator uses numbers outside the assignment. This means, in operations, that each number that appears as SMS sender must be traceable to a specific operator and end client. Traceability is key to, when necessary, identify the real sender of a fraudulent message.

Exceptions and special permits

The regulation provides for the possibility of authorizing specific exceptions. A case cited in the Ministry's press release is that of Spanish companies with offshore/nearshore operations: companies that have service centers or systems abroad but legitimately use Spanish numbers to communicate with their clients.

These companies can request a special permit from the Secretary of State for Telecommunications to continue using their national numbering from outside Spain without being blocked. This exception will require operators to incorporate "white lists" of exempt origins if approved by the authority.

In conclusion, operators and SMS providers act as technical guardians of the regulation: they must deploy the means for it to be effectively complied with (blocks, registries, reports). The technological challenge is not minor, as it involves real-time databases and sectoral coordination, but it is a joint effort to protect users and companies from fraud.

Companies located outside Spain that send SMS to Spanish users (marketing campaigns, A2P notifications, etc.) must pay special attention to this regulation, as it affects the termination of their messages within Spanish networks. Several key considerations for these international senders are:

Territorial application of marketing rules

From the data protection and consumer perspective, if a foreign company sends commercial communications to consumers in Spain, Spanish legislation can be applied to it. In practice, the AEPD has sanctioned foreign companies for spam directed at Spaniards. Therefore, they must obtain express consent from recipients just like a local company and respect the Robinson/Stop Advertising lists. Being abroad does not exempt them from complying with LSSI regarding sending unsolicited advertising.

SMS delivery through local operators

The usual practice is for a foreign company to use aggregators or international carriers to deliver SMS in Spain. These carriers in turn terminate the message via agreements with Spanish mobile operators. With the new regulation, Spanish operators will block messages that do not comply with CLI rules, even if they come from outside. So the foreign company must coordinate with its SMS provider to ensure it uses a permitted sender.

If they want the sender to appear local (for reasons of trust or response), they must acquire Spanish numbering or an alias and do so legitimately. It is no longer possible to "simulate" a Spanish number without authorization: any attempt in that direction post-2025 will end with the message being discarded.

Use of aliases by foreign companies

Perhaps the most critical point is that of aliases from 2026. A foreign company (for example, a global online platform) that wants to send SMS to Spain using an alias (e.g. its brand) will have to register it in the CNMC registry through a representative/subsidiary or through the operator it works with. There is no nationality distinction in the obligation: if the SMS with alias reaches Spanish networks, the alias must be registered.

Suppose an international authentication service that sends codes by SMS with the alias "SecureCode": to continue doing so in Spain, it must register "SecureCode" in 2026 and designate its providers. Otherwise, those messages will be blocked. It is irrelevant that the company is not in Spain; the Spanish network filters incoming traffic according to its rules.

Avoid Spanish numbering if there is no local presence

A strategy that some companies used was to send SMS with a generic Spanish mobile number to appear local. This, after the Order, is unfeasible without local presence. The safest alternative for a foreign company that does not want to register is to use an international sender number (for example, a number from its country of origin or a virtual long code not Spanish).

Spanish operators will not block messages with foreign number as sender, since they do not fall under "falsified national numbering". Of course, this has counterparts: the message may generate less trust in the user by coming from a foreign number, and it cannot be easily replied to. But from a legal perspective, it is lawful. Even so, if the content is commercial, it needs consent equally.

Roaming vs. international A2P

The regulation distinguishes between legitimate international traffic (roaming) and A2P traffic. A foreign company cannot camouflage itself as roaming, except by attempting the simbox route (Spanish cards abroad), which is also pursued for fraud. Spanish operators detect patterns: an A2P center that sends thousands of SMS with Spanish numbering from foreign IPs is not perceived as real roaming, and those SMS are blocked.

Legal representation and notifications

If a foreign company violates (e.g., sends mass spam to Spaniards), it may face investigations or sanctions. Authorities could require operators to block even totally certain traffic. It should be noted that the General Telecommunications Law 11/2022 obliges extra-community providers that offer services in Spain to designate a legal representative in the country.

In short, foreign companies must consider Spain as a territory with very defined rules for SMS. The advisable thing is that they work with a trusted Spanish or international aggregator that is aware of Order TDF/149/2025. This partner will tell them, for example: "we need to register your alias X" or "we provide you with a dedicated Spanish short number for your mailings". Assuming these small additional steps will allow them to continue communicating with Spanish clients without problems.

Given this new regulatory scenario, companies that use SMS as a communication channel must adopt both legal and technical best practices to ensure compliance. Below are key recommendations and proactive measures:

Properly manage consent and opt-outs

As a starting point, you must ensure having legal basis for each commercial SMS sent. This involves keeping record of who consented, when and how (e.g., web form, confirmation SMS, etc.), so that we can demonstrate said consent in case of an inspection. Likewise, each message must include clear instructions to unsubscribe (for example, indicating a free response keyword or a link to an unsubscription page).

Consult advertising exclusion lists before campaigns

It is advisable to establish an internal periodic procedure to cross the recipient database with the Robinson List and Stop Advertising List. For example, before launching a mass SMS campaign, the number list should be sent to the exclusion tool to filter those registered (many mass sending services already offer this functionality as part of their platform). Documenting the date and result of that consultation provides a layer of due diligence in case of complaints.

Register aliases with sufficient advance notice

For those who use alphanumeric aliases, do not wait until the last moment to register them. It is suggested to identify all aliases used by the company (they can be trade names, acronyms, different group brands, etc.) and manage their registration in the CNMC registry as soon as the process is available (possibly in early 2026). Additionally, it is advisable to reserve alternative aliases or variations if deemed necessary.

Use approved providers and communicate aliases to them

If you work with one or several SMS gateways, make sure to notify them what alias you will use and verify that they appear as authorized for that alias in the registry. This mutual communication avoids problems: the provider will know they can send with that sender because it is in order, and you ensure that the provider did the diligence of registering it correctly.

Review sending platform configuration (APIs/SMPP)

At a technical level, companies must audit how they are sending their SMS. If they use an API or SMPP connection to send messages, they must ensure that they do not freely allow setting a custom sender without control. Many APIs allow specifying the sender ID; from now on, it should be restricted to permitted IDs. Configuring valid sender lists in the account prevents errors and potential blocks.

Acquire dedicated numbering if necessary

For some companies, it may be preferable to use a phone number as sender instead of an alias, especially if they do not manage to register it in time or if they want to allow user response. In such case, the recommendation is to obtain a dedicated long number (long code) or a short code through a registered operator. A dedicated number avoids confusion and guarantees that it is in the company's name.

Implement authentication and verification of important mailings

For certain critical uses (such as OTP mailings, banking verifications, etc.), some companies implement added security mechanisms. For example, digitally signing the SMS content or sending part of the information through separate channels, so that even if someone intercepted or falsified a message, they could not deceive the user without the valid signature.

Monitor and adapt to authority indications

Given that CNMC will issue instructions and guides may emerge, it is important to stay informed. Mobile marketing or telecommunications associations will probably publish updated best practices once the alias registry is operational. Companies should designate someone (e.g. the DPO or marketing manager) to follow these regulatory developments and ensure continuous compliance.

In summary, best practices focus on not waiting for blocks to happen or sanctions to arrive, but anticipating: legitimize the contact database, clean invalid numbers, register official identifiers and use trusted partners. All this results in a more reliable communications ecosystem, where both companies and users will be better protected against SMS channel abuse.

The entry into force of these new measures poses important challenges in the technical field for platforms that manage mass SMS sending (such as A2P gateways, enterprise messaging software, etc.). Below we detail the main implications and how such platforms must adapt:

Integration with Alias Registry (CNMC)

Platforms will need to develop real-time alias consultation and verification modules. When a client tries to send an SMS using an alphanumeric sender, the system must automatically consult the CNMC database to check if that alias is registered and if the platform (or the operator it works with) is authorized to send it.

This possibly involves using an API provided by CNMC. Technically, local caches will have to be managed (to avoid consulting CNMC for each individual SMS, which would be inefficient) but ensuring frequent cache updates to reflect alias additions/removals.

Updating routing and filtering systems

Many SMS platforms implement intelligent routes (according to cost, quality, etc.). Now they must add a CLI validation step. That is, before choosing the route or sending to the next node, the system must filter messages whose sender is problematic: non-permitted alias, invalid number, etc.

For this, an internal database with permitted/prohibited numbering ranges by country is necessary. For example, the system must know that in Spain there are no numbers starting with 0,3,4 (except specific short codes) and block them to avoid even attempting their delivery.

Robust user authentication and sender usage

Mass platforms often serve multiple clients (multi-tenant). An implication is that they must link each client with their authorized senders. This involves in practice implementing sender ID whitelists per client account. Many providers already do this (as an anti-spam measure), but now it will be essential.

Someone in France who contracts the service should not be able to freely put an alias of a Spanish company, for example. Additionally, when a client registers an alias, the platform must uniquely associate it with that client so that another cannot use it.

Improved logging and traceability systems

Given that operators will require statistics of blocked messages, it is expected that they in turn will ask upstream aggregators for traffic information. Mass sending platforms must have detailed logs of each message, including the cause if it was blocked or rejected (e.g., "rejected by operator X – alias not registered").

This not only helps comply with regulatory requirements, but will be essential for technical support: companies will ask why their SMS do not arrive, and the platform must be able to diagnose if it was due to an alias/number filter.

Adaptation to assigned numbering API (2026)

As we mentioned, CNMC plans a tool for operators to consult if a number is assigned to a user. It is possible that large aggregators can also access that information to pre-validate numeric senders. Platforms could integrate that API to, for example, prevent a client from registering as sender a number that does not belong to them.

Exception handling (whitelists)

We mentioned that there could be special permits (e.g., Spanish companies authorized to use their numbers from abroad). Platforms must have the capacity to exempt those cases in their filters. Perhaps operators will provide lists of exempt numbering. Implementing these whitelists and keeping them updated is another engineering task to consider.

Training and testing

The human factor should not be forgotten. Technical teams must be trained in these new regulations so they can correctly configure systems. Likewise, it is advisable to perform tests before key dates: for example, in May 2026, perform internal tests sending SMS with unregistered aliases to check that they are effectively blocked, and with registered aliases to verify that they pass.

In summary, mass SMS sending platforms have significant software and process updating work. Those that achieve it diligently will be able to differentiate themselves even as "Spanish regulation compliant" providers, gaining the trust of clients seeking security. The investment in these technological adaptations is, therefore, essential for 2026.

Below are some common use cases of companies that send SMS, analyzing how the regulation affects them and what they must do to comply:

Case 1: National retail chain – Promotional SMS to customers

Case 2: Bank or financial entity – Transactional messages (OTP, alerts)

Case 3: Foreign e-commerce company – Promotions to Spanish customers

Case 4: Small national company – Informational communications to customers

In all these examples, a common thread can be seen: the need to legitimize both content and channel. Companies must work jointly with their legal departments (for consents, privacy) and with their technical departments or providers (for numbering, alias, etc.).

The regulation may seem demanding, but in the long term it improves confidence in SMS as a channel. More secure users mean that legitimate companies will be able to continue using the medium effectively. By eradicating much of the fraudulent spoofing traffic, it is likely that reading and response rates to legitimate commercial SMS will be maintained or even improve, as the public will not automatically distrust each message.

Thus, these regulatory changes, well implemented, benefit the entire ecosystem: protected users, responsible companies with a reliable channel, and operators offering more secure networks.