Companies that send SMS messages to customers in Spain now have a regulatory deadline to comply with; an order introduced by the Ministry of Digital Transformation and Public Service in February 2025 has been progressively implemented since its announcement, and will be fully enforced by June this year.
Order TDF/149/2025 establishes the creation of an SMS Alias Registry managed by the National Commission for Markets and Competition (CNMC) as part of broader measures to combat impersonation scams.
In this, an alias is defined as the name that appears on a corporate SMS – “BBVA,” “Correos,” “Zara.” Until now, virtually anyone could use any name, but the new regulation obliges companies to register their aliases in advance with the CNMC, while operators will be required to block messages sent from those unregistered.
The regulation arrives in the context of widespread mistrust. According to Spain’s CIS public research center, 47% of Spaniards have been victims or targets of a cyber scam in the past year, and 73% believe it is harder to protect their personal data online than to secure their own homes.
Now, companies that are not registered before June will find their legitimate communications blocked alongside fraudulent ones – there is no automatic distinction between a scammer and a brand that simply registered too late.
This problem is not new, nor uniquely Spanish. Global providers such as Twilio, Sinch, Vonage, and LINK Mobility have been navigating sender verification frameworks across multiple markets for years. The closest precedent to Spain’s approach is Italy, which introduced a similar alias registration system, though without the same level of rigor that the Spanish regulation now demands.
Other markets, including the United States and the United Kingdom, have tackled the problem differently. The U.S. assigns numeric identifiers rather than text aliases, while the UK’s registry applies primarily to large brands and does not mandate registration for all businesses.
In markets where similar frameworks have been implemented, companies that prepared early avoided operational disruptions and communicated through a channel where their messages carried the credibility that less prepared competitors lacked.
“Many companies are still not fully aware of the real scope of the change,” warned Diego Rodríguez, Marketing Director at LINK Mobility Spain, one of the authorized providers already managing registrations.
“The timelines are demanding, and the circular that will define the operational details is not yet final, which creates some uncertainty,” he told 150sec.
When companies begin auditing their aliases, they often discover that their messaging architecture grew without planning. Several aliases for different brands or business lines, and none designed with legal ownership verification in mind.
Conflicts emerge that were previously invisible: names that do not exactly match registered trademarks, and generic senders such as “INFO” or “ALERT”. Which the regulation expressly prohibits, requiring companies to use only their own brand across all communications.
“Building engagement with your customers should be as seamless and trustworthy as possible,” said Inbal Shani, Chief Product Officer at Twilio, when presenting the company’s global rollout of Rich Communication Services (RCS).
“This represents a fundamental shift in how businesses can communicate with their customers,” added Shani.
The regulation also includes RCS, the technology gradually replacing traditional SMS by allowing for messages to include images, interactive buttons, and read receipts.
For recipients, RCS and SMS arrive in the same messaging app but appear in separate conversation threads, and RCS aliases are not subject to the 11-character limit that applies to SMS. Importantly, RCS has always operated under a mandatory verification process (managed by Google and the operators) that already ensures senders are who they claim to be.
The challenge the new regulation introduces is the prospect of a double verification. One with the CNMC and another with Google and the operators. Both parties are working to align the two processes and avoid duplication, though the details have not yet been finalised.
The path to compliance has three steps. First, companies must audit how many aliases they use and confirm legal ownership of each. Second, select a registration provider authorized by the CNMC – the only valid channel for managing the process. And third, begin registration promptly: the CNMC has established a transitional period to ensure service continuity, but completing the process early brings peace of mind and leaves no room for last-minute surprises.
For years, SMS has operated like a road without traffic signs, where any vehicle could travel under any identity. The registry, now, is installing those signs.
In the end, it’s an opportunity for a communications competitive advantage: firms that register early will avoid roadblocks and communicate in a channel where their messages carry the credibility their slower competitors’ will lack.
Featured image: Anastasiia Shyrokykh via Unsplash+
This article was originally published by Pablo Sierra on 150sec and was re-published with permission.