
The thesis: why technology oversight needs its own board committee in 2026

An argued essay: the regulatory convergence of 2025-2026 has overwhelmed the traditional audit committee. The Spanish board already has the legal framework to constitute a specialised committee on technology, data and AI. I argue why it should be done now, and why doing nothing is a worse decision than any alternative.

For nearly three decades, technology has had a default seat on the Spanish board of directors: the audit committee. It was a reasonable solution when "technology" meant internal systems and the primary risk was operational unavailability or data protection non-compliance. That solution stopped being reasonable, in my view, at some point between 2024 and 2026. Not through any single deliberate decision, but because three concurrent curves have changed the problem in nature, not just in size.

My thesis is the following: the oversight of technology, data and artificial intelligence is, in 2026, a matter that merits its own specialised board committee in any Spanish organisation of relevant size. It is not a soft recommendation. It is a change in governance architecture whose postponement carries a growing cost, and whose implementation is easier and cheaper than most boards assume.

In this essay I argue the three things that sustain that thesis: the diagnosis that justifies it, the regulatory framework that enables it, and the reasonable objections that deserve refutation.

This personal thesis converges with the doctrine of CTIF (Committee on Technology, Innovation and the Future), the doctrinal initiative I have promoted since 2025, whose master document develops the principles and composition of the committee with institutional detail. The voice you read here is my own; the formal doctrine lives on the doctrinal site.

The diagnosis: three curves that have crossed

The technology matter is not one more among those reaching the board. It is the only one that has simultaneously, in less than four years, experienced three substantive transformations that rarely coincide in time.

First, the economic weight. Technology OPEX in the Spanish groups I work with sits today between 4 % and 6 % of revenue. CAPEX on digital transformation is, in most cases, the largest discretionary investment line of the annual plan. A matter that moves those volumes is by definition a board matter, not an executive committee matter. Not having a regular and in-depth conversation about how that capital is allocated is an elementary failure of due care.

Second, regulatory convergence. Since 17 January 2025, the DORA Regulation assigns the management body ultimate responsibility for ICT risk management in financial entities. The NIS2 Directive does the same in critical sectors, with individual sanctions for directors in case of serious non-compliance. The EU Regulation 2024/1689 on artificial intelligence enters full application on 2 August 2026 with sanctions up to 7 % of global turnover. And the GDPR, already known, operates in the background. For the first time in the history of Spanish corporate governance, a single body — the board — simultaneously receives four European regulatory mandates pointing at the same matter with specific responsibilities and growing enforceability.

Third, speed of evolution. In November 2022 ChatGPT did not exist at market level. In June 2026 general-purpose models are everyday infrastructure in HR, banking, customer service and operations. The adoption cycle that took other technologies a decade has happened in forty months. A board that meets eight times a year cannot adequately govern a matter that changes quarterly from a single ancillary session of its audit committee.

When these three factors converge on the same matter, the problem stops being one of "supervision intensity" and becomes one of governance architecture. No committee designed to oversee the integrity of financial statements is structurally prepared to deliberate on system classification under Annex III of the AI Act, evaluation of cloud providers under DORA, or generative AI investment decisions with uncertain time horizons.

The regulatory framework: the solution is already enabled

The good news for the Spanish board is that the legal framework requires no change to constitute this committee. Recommendation 23 of the CNMV's Good Governance Code for Listed Companies expressly allows the board, exercising its self-organisation power (Art. 529 terdecies of the Spanish Companies Act), to constitute specialised committees in addition to those named by the Code itself (audit, nominations and remuneration).

The constitution requires three elements: board resolution, reflection in the internal regulations, and publication in the annual corporate governance report. It is a single-quarter decision that requires no external authorisation, generates no regulatory friction and presents no legal risk. What it requires is the chairman's will and the support of a lead independent director who understands the matter.

The friction to create a specialised technology committee is not in the legal system. It is in the board's internal regulations and in the inertia of its current composition.

This is the uncomfortable truth: in most Spanish boards where I have had conversations, the main obstacle has not been external legal advice — which generally recommends it — but the difficulty of amending the internal regulations without opening a broader negotiation about the composition of the board itself. It is political resistance, not regulatory resistance.

The reasonable objections and their refutation

Any proposal to change governance architecture deserves to pass the test of serious objections. The three most frequent I hear are:

Objection 1: "We already have a risk committee for this." It is not the same thing. The risk committee — when it exists — oversees the corporate risk map in a cross-cutting manner. Specialised technology oversight requires a thematic dedication that a cross-cutting committee cannot sustain without losing depth in other areas. The distinction is the same as the one between the audit committee (subject-focus) and the risk committee (cross-cutting focus): they complement, they do not replace each other. In boards with both, the technology matter flows with less friction when it has its own seat.

Objection 2: "The CIO already handles this." The CIO is an executive, not an oversight body. The board's function is not to operate but to supervise and hold to account. The separation between the executive who decides and the body that supervises the decision is an elementary principle of corporate governance that in technology matters has frequently been blurred, because until recently the matter was perceived as purely technical. It no longer is: it is regulatory, strategic and financial at the same time. The CIO reports to the committee; the committee is not the CIO.

Objection 3: "It's a fashion; in two years the regulation will relax." The European regulation applicable to this area will not relax in the foreseeable horizon. DORA is in force. NIS2 is being transposed. The AI Act has a closed application calendar until 2030. And sectoral regulators (CNMV, EBA, ESMA, Bank of Spain) have adopted growing expectations on technology oversight as a board-level matter. A committee constituted today in 2026 will have work for at least the next ten years.

What this committee must be able to do

To avoid remaining a purely formal declaration, a specialised technology committee must possess delimited substantive powers and report to the full board on a regular basis. My proposal for minimum competencies, synthesised from conversations with several boards across different sectors, is the following:

  • Oversight of the technology strategy and its alignment with the corporate strategy approved by the board.
  • Approval or reporting of significant technology investments, with thresholds set by the board.
  • Oversight of technology risk: cyber, data, AI, third parties, operational continuity.
  • Sectoral regulatory compliance: AI Act, DORA where applicable, NIS2, GDPR, certifications (ISO 27001, ENS, PCI DSS).
  • Periodic evaluation of the operating model of the technology function.
  • Quarterly reporting to the full board with an established indicator dashboard.

The minimum viable composition is three directors, at least one with proven executive technology experience (not necessarily an active CIO) and at least one independent. A reasonable cadence is quarterly, with extraordinary sessions when a serious incident justifies it. Its secretariat can be shared with the board's secretariat or the audit committee's.

The decision boards must make in 2026

Any Spanish board has three realistic options in 2026 with respect to this matter:

  1. Constitute a specialised committee with the described powers or equivalent. The option I defend in this essay.
  2. Materially reinforce the attribution to the existing audit committee, adding explicit competence, recurring agenda dedication, and possibly a member with a technology profile. A defensible second-best option if the current composition allows it.
  3. Do nothing and trust that informal conversation in the plenary will cover the duty of care. The worst option and the most frequent.

The difference between the first and the second is one of depth, not of legitimacy. Both fulfil the duty of Art. 225 LSC. The difference between the second and the third is not a nuance: it is the line between compliance and non-compliance. And the reality is that, in 2026, with DORA in force and the AI Act two months from full application, the third option has ceased to be a defensible option.

You do not need a regulator to walk through the organisation to understand this. It is enough to read the first decisions of the AEPD applying stricter criteria to automated processing, the first DORA precedents from early supervisory reviews, or the sanctioning regime of the recently published AI Act. The board that in 2026 has not taken an explicit position on the architecture of its technology oversight is, simply, arriving late.

This is the decision to be made. It is not complicated to execute. It is uncomfortable to raise when the board's inertia points to not opening the internal regulations. But not raising it, at this point, is already a decision in itself. And it is the worst of those on the table.