Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
At BBVA, cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and is designed to facilitate coordination across different departments of the Group in the handling of such cybersecurity threats and incidents. This framework includes steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity countermeasures and mitigation strategies and, as later explained in greater detail, informing management and our Board of Directors of material cybersecurity threats and incidents. Our cybersecurity risk management program is regularly updated to align with industry best practices established by internationally accepted security standards and its effectiveness in mitigating the risks that the Group is exposed to is periodically assessed.
For BBVA, cybersecurity is not only a strategic priority, but also one of the main elements in the digital transformation of the Bank. BBVA’s Corporate Security Area is responsible for ensuring adequate information security management by establishing security policies, procedures and controls that bolster the security of the Group’s global infrastructures, digital channels and payment methods following a holistic and threat intelligence-led approach, where a program has been designed for each of the four fundamental pillars of BBVA’s security strategy: cybersecurity, data protection, physical security and security in business processes and fraud management, with the aim to reduce the risks identified in the risk taxonomy defined by the Group.
As cyberattacks evolve and become more sophisticated, the Group has strengthened its prevention and monitoring efforts. During the past few years, cybersecurity and information security measures have been reinforced with the aim to ensure an adequate protection of BBVA’s information and the assets supporting business processes. Security measures adopted in the past few years include measures intended to: (i) ensure end-to-end protection of business processes, considering logical and physical security, privacy and fraud management concerns; (ii) ensure compliance with the security and privacy by design principles; and (iii) improve client access control and authentication services related to online services, from a security and user experience perspective, including by enhancing the use of facial biometrics, behavioral biometrics, advanced analytics models and the implementation of dynamic Card Verification Values (CVV).
Further, system monitoring capabilities, as well as incident prevention, detection and response capabilities have also been strengthened through the use of integrated information sources, improved analytical capabilities and automated platforms, improving information security management from a preventive and proactive approach.
Additionally, and with the aim to ensure that security is embedded in business processes, the security management model has been reinforced in the software development lifecycle process and in infrastructure, architecture and operations management.
The Global Computer Emergency Response Team (“CERT”) is the Group’s first line of detection and response to cyberattacks aimed at global users and the Group’s infrastructure. The Global CERT, which is based in Madrid, operates 24x7 and provides services in all countries where the Group operates, with operation lines dedicated to fraud and cybersecurity. The Global CERT receives information on cybersecurity threats from our Threat Intelligence Unit. Both of them are part of the Corporate Security Area.
BBVA routinely reviews, reinforces and tests its security processes and procedures through simulation exercises in the areas of physical security and digital security. Specialized teams periodically perform security technical tests in order to detect and correct possible security vulnerabilities. These tests include technical tests of technological platforms as well as simulated attacks by malicious users performed by the “red team”. The outcome of such exercises is a fundamental part of a feedback process designed to improve the Group’s cybersecurity strategies. Both the Corporate Security Area and the Risk Control Area engage third-party security experts for risk assessments and system enhancements.
BBVA is working on the development of new artificial-intelligence and machine-learning models that enable the prediction and prevention of cyberattacks on financial infrastructure, providing a more secure client experience. BBVA’s Threat Intelligence Area has been reinforced in 2023 and 2024, adopting measures directed at transforming detailed technical information into actionable intelligence information that can be used to make decisions related to risk management. The Threat Intelligence Area continuously monitors threats that affect the financial sector and analyses risk trends with the aim to implement measures to minimize the risks the Group is exposed to. Analysis performed includes not only security trends but also the type, frequency and origin of attacks on systems and information.
In addition, BBVA continuously carries out training and awareness initiatives related to security and privacy, promoting training and awareness campaigns for BBVA’s employees, clients and society, through the BBVA app, online channels and social networks. Some of the topics covered include protection of personal information, secure password management, device protection (laptops, smartphones, etc.), social engineering (phishing, smishing, vishing), detection of malware and other technical attacks, detection of scams, security in online purchases and how to react if there is a security incident.
BBVA’s cybersecurity strategy is based on internationally accepted security standards. It covers best practices established in information-security standards and guidelines including ISO/IEC 27002 and other ISO/IEC 27000 series standards, COBIT 5 and the NIST Cybersecurity Framework.
BBVA has also obtained several security certifications (such as Tier IV and ISAE 3402 certifications) in different countries. To maintain these certifications, periodic external audits are performed, considering the specific requirements of each certification. The external auditors that perform these audits are selected from among the most recognized audit firms in the areas of each certification.
Considering that one of the main risks companies face today is risk related to third parties, BBVA reinforced its controls in 2024 to ensure an adequate protection of information by BBVA’s service providers. BBVA requires that service providers contracted by any Group company have internationally accepted security certifications. Security clauses are also included in contracts with service providers, including obligations to comply with specific security measures and all applicable legal and regulatory requirements. The third-party risk management model has been reinforced during 2024 to comply with the requirements of new regulations entering into force, such as the Digital Operational Resilience Act (DORA).
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] In 2024, we did not identify any cybersecurity threats that materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors has overall oversight responsibility for our risk management, and is assisted by the Board’s Technology and Cybersecurity Committee in the oversight of technological risk and cybersecurity management and in monitoring the Group’s technological and cybersecurity strategies.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors has overall oversight responsibility for our risk management, and is assisted by the Board’s Technology and Cybersecurity Committee in the oversight of technological risk and cybersecurity management and in monitoring the Group’s technological and cybersecurity strategies. This Committee, which meets every two months, is one of the main elements of our risk management governance model. It is responsible for the oversight of the Group’s technological and cybersecurity strategies and is informed by the Chief Security Officer (“CSO”) of technological and cybersecurity performance and of any incidents that have arisen. The Committee keeps the Board of Directors informed of the main technological and cybersecurity risks to which the Group is exposed, as well as current cybersecurity and technological trends and any relevant security event that can affect the BBVA Group.
Cybersecurity Risk Role of Management [Text Block]
The risk management process includes lines of action related to the adequate training of BBVA’s Board members in the area of cybersecurity and incident management, as well as the periodic performance of global and local simulation exercises in order to raise the level of training and awareness of the Board of Directors and certain key personnel and ensure an immediate and effective response in case of a security breach.
Further, BBVA’s Corporate Security Area and the Risk Control Area, based in Madrid, are responsible for identifying and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our CSO, who receives reports from our cybersecurity team (which is part of the Corporate Security Area) and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Both the Corporate Security Area and the Risk Control Area engage third-party security experts for risk assessments and system enhancements.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Board of Directors has overall oversight responsibility for our risk management
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our CSO and certain of the personnel of the Corporate Security Area have obtained internationally recognized certifications such as ISACA certifications (Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and Certified Data Privacy Solutions Engineer (CDPSE)), SANS Institute certifications (GIAC Security Essentials, GIAC Certified Incident Handler Certification, GIAC Strategic Planning Policy and Leadership), Certified Information Systems Security Professional (CISSP) and ISO certifications (ISO 27001 Lead Auditor), among others, and are experienced information systems security professionals and information security managers with the experience and capabilities required for their security functions. The CSO regularly reports to BBVA’s Internal Control & Operational Risk Committee on the Group’s cybersecurity programs, material cybersecurity risks and mitigation strategies and provides cybersecurity reports to it every two months that cover, among other topics, third-party assessments of the Group’s cybersecurity programs, developments in cybersecurity and updates to the Group’s cybersecurity programs and mitigation strategies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Board of Directors has overall oversight responsibility for our risk management, and is assisted by the Board’s Technology and Cybersecurity Committee in the oversight of technological risk and cybersecurity management and in monitoring the Group’s technological and cybersecurity strategies. This Committee, which meets every two months, is one of the main elements of our risk management governance model. It is responsible for the oversight of the Group’s technological and cybersecurity strategies and is informed by the Chief Security Officer (“CSO”) of technological and cybersecurity performance and of any incidents that have arisen. The Committee keeps the Board of Directors informed of the main technological and cybersecurity risks to which the Group is exposed, as well as current cybersecurity and technological trends and any relevant security event that can affect the BBVA Group.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true