The independent director missing on many Spanish boards: the technology one
Recommendation 23 of the Spanish Good Governance Code allows additional specialised committees. More and more boards are realising technology no longer fits inside the audit committee.
For the past decade, technology oversight has had a seat on Spanish boards, but not its own seat. It appeared as a recurring item in the audit committee, or as an annex to the management report, or as "the CIO's topic" when the CIO was invited to the plenary once a year. Governance was diffuse because the matter seemed to belong elsewhere.
That architecture is wearing out, and not as a fad. Three regulatory and business forces are dislodging it simultaneously:
- DORA (Regulation (EU) 2022/2554) places ICT risk oversight directly on the management body of financial entities, fully applicable since January 2025.
- NIS2 assigns specific obligations to the management body in critical sectors, including monitoring of measures, training and accountability.
- EU AI Act (fully operational from August 2026) requires documented and traceable human oversight of high-risk AI systems.
Add to this the economic weight: in many Spanish groups, technology OPEX already exceeds 4-6% of revenue and digital-transformation CAPEX is the single largest line of discretionary investment. A subject that moves that much capital and carries that much regulatory risk no longer fits as an annex to the audit committee without diluting it.
What Recommendation 23 says (and allows)
The Spanish Good Governance Code for Listed Companies, in Recommendation 23, allows the board, exercising its self-organisation power, to constitute additional specialised committees beyond those expressly named in the Code (audit, nominations and remuneration).
In other words: a Spanish listed company can formalise a technology, innovation and future committee — or a data and AI governance committee, however it chooses to name it — without any need for regulatory change. It only needs a board resolution and a reflection in the internal regulations.
The CTIF initiative, which I follow closely, is systematising this approach from the doctrinal angle. But what matters here is not the naming but what is gained by separating the matter:
- Focus: the technology-aware director stops being an occasional guest and becomes a permanent member of a body that deliberates on technology strategy, ICT risk, data governance and AI.
- Traceability: decisions are documented as committee decisions, not as loose items in audit minutes.
- Accountability power: a committee can request KPIs, dashboards and periodic appearances with a depth that a full board in plenary cannot sustain.
The question many boards are not asking themselves
Why are so many boards still not formalising this body if it is permitted and the need is obvious? My reading, drawn from conversations with directors and corporate secretaries, is threefold:
First, inertia. Creating a new committee involves amending the regulations, taking on a recurring cost and clarifying interfaces with audit. There is friction and it is worth thinking through.
Second, the availability of candidates. Five years ago, an independent director with an institutional-technology profile was almost a rarity. Today they are scarce but available, and specialised headhunters (Russell Reynolds, Egon Zehnder, Spencer Stuart) maintain real lists.
Third, the residual belief that "the CIO handles this." On serious boards, that line no longer holds. The CIO is an executive; oversight belongs in the governance body, with functional independence.
What an independent director with technology focus contributes
Such a director is not a substitute for the CIO, but the CIO's qualified counterpart on the board and the guarantor that the matter is treated with the depth it deserves. In practice, the four most relevant contributions are:
- Technical challenge: ability to question architectures, vendor lock-in, technical debt and ROI assumptions on a knowledgeable basis.
- Regulatory anticipation: bringing AI Act, NIS2, DORA and sector-specific milestones to the board before they become problems.
- Governance discipline: asking for inventories, registries and metrics that many organisations are not yet producing.
- Connection to operational reality: distinguishing the project slide from the actual state — something a director without executive experience in the field finds hard to do.
A practical recommendation for chairs and lead independent directors
If you are reading this from an organisation where the matter is still treated transversally, my practical recommendation is modest and sequential:
- Step 1 (this quarter): introduce the technology matter as a standing board item, with a dossier prepared by management.
- Step 2 (next six months): identify and interview 2-3 candidate independent directors with a technology-institutional profile, even with no immediate vacancy.
- Step 3 (next financial year): formally assess the creation of a specialised committee, with its own regulations.
You do not need to shoot first and aim later. But you also cannot keep postponing the decision year after year while regulation and risk intensify.