The business messaging ecosystem in Spain has just entered a new regulatory phase. The CNMC Circular 1/2026, published in the BOE on March 27, 2026, details the operation of the upcoming Alias Registry, an official database that will validate which alphanumeric sender IDs can be used in SMS, MMS, and RCS messages sent to Spanish numbers. This measure is part of the deployment of the Order TDF/149/2025, approved to combat fraud through caller ID spoofing and message impersonation.
The key aspect is the deadline: the blocking obligations outlined in the order will take effect starting June 7, 2026. From that date, operators involved in message transmission must block messages with aliases that are not registered in the registry or, even if registered, are sent by providers not authorized to use that alias. In other words, the traditional corporate SMS signed with names like your bank, insurance company, brand, or government agency will no longer rely solely on commercial agreements with aggregators: it will also depend on prior regulatory validation.
What really changes for companies, brands, and messaging platforms
Until now, alphanumeric sender IDs were a very convenient tool for customer service, authentication, notifications, and campaigns: they helped identify the brand and increased user trust. The problem is that this same field has also been extensively exploited in smishing attacks, where cybercriminals impersonate banks, logistics companies, or public administrations to steal credentials, personal data, or account access. The CNMC and the Ministry for Digital Transformation have opted for a structural solution: turning this alias into a validated and traceable resource.
For companies, this means a new and quite clear obligation: register the alias before using it. The circular states that the registration must be performed by the company or public administration that owns the alias, or by the originating provider acting on their behalf. Third-party authorized entities can also participate. Furthermore, foreign companies needing to send messages with aliases to customers with Spanish numbers will also have to register, except in cases related to roaming or future bilateral recognition agreements between registries.
The practical consequence is that marketing, customer service, operations, and cybersecurity teams will need to coordinate much better. Sending a campaign from a CPaaS platform, CRM, or automation tool will no longer suffice. They will need to ensure that the alias is correctly registered, linked to the appropriate brand or trading name, and associated with the messaging providers actually generating the traffic. If this chain is misaligned, messages could be blocked before reaching the customer.
The impact will be especially strong on aggregators, resellers, and CPaaS providers
One of the most significant elements of the circular is that it doesn’t only target telecom operators. It also applies to messaging aggregators, resellers with technical blocking capabilities, and other providers involved in the SMS, MMS, or RCS delivery chain. All of these will need to be pre-registered in the Operators Registry and also register in the Alias Registry, accepting a declaration of compliance with regulations. The CNMC also clearly distinguishes between originating providers, transit providers, and terminating providers, assigning specific blocking obligations based on each role.
This introduces additional pressure on the enterprise messaging sector. Platforms that sell transactional SMS, authentication, promotional campaigns, or omnichannel messaging will need to review not only their contracts but also their technical architecture, interconnection flows, and traceability. The circular even mandates maintaining daily logs of blocked messages, their origins, and annual statistics on alias usage, indicating a much more intense market oversight.
From a business perspective, this regulation can have a dual effect. On one hand, it raises the entry barriers and makes it harder for opportunistic or less transparent operators. On the other hand, it adds a layer of operational and compliance requirements that may favor better-prepared providers, capable of API integration, document validation, and brand identity governance.
What types of alias can be registered and which will be excluded
The CNMC will not accept any text as a sender. For SMS and MMS, the circular requires a length between 3 and 11 characters, allowing letters, numbers, and certain symbols, but excluding purely numeric strings, multiple special characters, and aliases that could cause confusion. Generic names like “Bank,” “Urgent,” or “Message,” as well as offensive or impersonation-facilitating terms, will not be permitted. For RCS, the rules differ slightly but maintain the same core principle: the alias must clearly identify a connection to the brand, trade name, corporate designation, or domain of the holder.
This point is particularly important for brands. The circular requires proof of a legitimate link between the alias and one of these elements: a registered trademark, trade name, corporate name, registered domain, or other registered designations. In case of conflicting requests for the same alias, the CNMC will prioritize based on this connection, and if there’s still a tie, the first submitted application will prevail.
In corporate terms: sender identity in messaging is no longer an informal matter but resembles much more the management of a regulated digital brand.
There will be a testing period, but time is limited
The circular plans for a testing environment until June 6, 2026 for providers to adapt systems and familiarize themselves with registry downloads. It also contemplates an initial bulk upload of existing aliases, where originating providers supply this data for confirmation by the holders. However, the schedule isn’t overly generous. The CNMC sets a transitional period of six months, during which the maximum validation period can be extended to three months before reverting to the standard one-month period.
This means prompt action is essential. For banks, insurers, e-commerce companies, utilities, telecoms, government agencies, and any business using SMS or RCS as a critical channel, June is approaching fast. What was once an abstract regulatory compliance issue is now an operational necessity: if the alias isn’t properly managed, the communication may be blocked or lost.
What the market stands to gain and what might become more complicated
The CNMC’s logic is straightforward: reduce fraud and increase end-user trust. If the system functions as intended, it will be much harder for malicious actors to insert fake messages into legitimate threads for banking, logistics, or administrative communications. This benefits not only consumers but also companies relying on SMS/RCS channels for authentication, alerts, and sensitive notifications.
However, there are costs involved. Companies will need resources to register and maintain their aliases, providers will need to adapt systems, and the entire sector will have to operate within a model where technical or regulatory non-compliance results directly in message blocking. For an increasingly automated market where CRM, marketing clouds, customer service platforms, and CPaaS are continually integrated, this governance requirement can be beneficial but won’t come free.
Ultimately, the Alias Registry is not just an administrative formality. It represents a fundamental shift in how sender identity is validated in enterprise messaging in Spain. From a technological and corporate standpoint, June will mark a clear before-and-after.
Frequently Asked Questions
Which companies are required to register their alias?
Businesses and public administrations that want to send SMS, MMS, or RCS to Spanish numbers using an alphanumeric sender ID. They can also be originating providers or authorized third parties acting on their behalf.
When will messages with unregistered aliases start to be blocked?
Starting June 7, 2026, when the blocking obligations in Order TDF/149/2025 come into effect.
Are only mobile operators affected?
No. Aggregators, message storage and forwarding providers, and certain resellers with technical blocking capabilities are also covered.
Will it be publicly possible to see who is using a particular alias?
Yes. The CNMC plans a public web portal where active aliases, their owners, and activation dates can be checked.