
Cybersecurity in Spain, Q1 2026: real threats, a pending regulatory framework, and a sector in full effervescence
April 23, 2026
Europe under continuous pressure: the landscape according to ENISA
The ENISA Threat Landscape 2025, published in October 2025 and based on the analysis of 4,875 incidents between July 1, 2024 and June 30, 2025, is the most comprehensive reference document available on the state of cybersecurity in Europe. Its conclusions are clear: the threat ecosystem has become more mature, more convergent, and harder to classify into clean categories.
The most striking finding in statistical terms is that DDoS attacks represented 77% of all incidents recorded in the EU. However, that figure requires context: the vast majority of those attacks were perpetrated by hacktivists with ideological motivations, not by organized criminal groups. The category that truly matters in terms of economic and operational impact is ransomware, which ENISA identifies as the most disruptive cyber threat with the greatest financial damage in Europe, regardless of its relative weight in the total volume.
The distribution of incidents by sector is revealing. Public administration accounts for 38.2% of all recorded incidents, making it by far the most attacked target in the EU. Transport ranks second with 7.5%, especially the air, maritime, and logistics subsectors. Digital and service infrastructures represent 4.8%, finance 4.5%, energy 1.7%, and healthcare 1.2%.
Cybercriminal incidents.
Excluding political hacktivism, ransomware mainly attacked the manufacturing sector, with 14.9% of published claims. European manufacturing, highly connected through cross-border supply chains, has become one of the priority targets for groups such as Akira, Qilin, and FOG. ENISA data on variants deployed against the manufacturing industry show Akira leading with 48.7% of attacks, followed by Qilin with 20.5% and FOG with 10.3%.
As for entry vectors, phishing represents 60% of all intrusion attempts, with more than 80% of social engineering campaigns globally already using AI-generated or AI-enhanced content by early 2025. Exploitation of vulnerabilities ranks second with 21.3% of intrusions, and the speed at which those vulnerabilities are weaponized is alarming: attackers are exploiting new vulnerabilities within days of their public disclosure. The period analyzed by ENISA recorded more than 42,595 newly disclosed vulnerabilities, 27% more than in the previous period. (Source: ENISA Threat Landscape 2025.)
The geopolitical dimension: when the State is the attacker
One of the most important conclusions of ENISA’s Threat Landscape 2025 and of reports by European intelligence services is the growing convergence between organized cybercrime and State-directed operations. The lines that used to separate hacktivists, criminal groups, and State actors are being deliberately blurred.
The groups APT29 (associated with Russia) and Sandworm (also linked to Russian military intelligence) were identified by ENISA as the most active in the EU during the period analyzed, with a special focus on public administration, defense, and telecommunications. CERT-EU’s December 2025 report confirmed that Russian intelligence services are highly likely to continue their cyber and hybrid operations against European governments and critical infrastructures at least until mid-2026. (Sources: ENISA Threat Landscape 2025; CERT-EU Cyber Brief 26-01, January 2026.) China also features prominently.
The United Kingdom sanctioned two China-based technology companies in December 2025 for their role in malicious activities that compromised systems belonging to more than 80 government, public, and private entities worldwide. The United Kingdom’s National Cyber Security Centre (NCSC) described these companies as representative of an ecosystem of private actors that plausibly supports cyber operations sponsored by the Chinese State.
Germany formally attributed several cyber incidents to Russia-linked actors in December 2025. And the hacktivist group Z-PENTEST-ALLIANCE, with alleged connections to the Russian group Sandworm, was identified as the main actor attacking EU critical infrastructures, with particular concentration on energy and water management systems, and distributing videos of operators manipulating OT systems to amplify the psychological impact of their actions.
World Economic Forum.
In its Global Cybersecurity Outlook 2026, published in January 2026 and prepared in collaboration with Accenture based on 804 respondents in 92 countries, including 316 CISOs and 105 CEOs, the WEF notes that instability linked to the war in Ukraine has coincided with an increase in hybrid attacks using drones to target European airports and other critical infrastructures, together with the spread of disinformation that has further destabilized the regional security landscape. 64% of organizations already integrate geopolitically motivated cyberattacks into their strategy, such as the disruption of critical infrastructures or espionage, and 91% of large companies have adjusted their cybersecurity posture accordingly. (Source: WEF, Global Cybersecurity Outlook 2026, January 2026.)
The incidents defining 2026 in Europe
The statistical data take on concrete meaning when examining the real incidents that have marked the European landscape in the first months of 2026.
European airports, September 2025.
A ransomware attack against Collins Aerospace, provider of the MUSE check-in and boarding software, caused operational disruptions at several of Europe’s main airports, including Heathrow, Brussels, and Berlin. The queues, delays, and cancellations experienced for days illustrated how dependence on a single software provider can paralyze critical transport nodes in multiple countries simultaneously. (Source: ENISA Threat Landscape 2025.)
SFR (France), December 2025.
The French telecommunications operator SFR suffered a cyberattack involving unauthorized access to a network management tool used by technicians, with the theft of customer data including names, addresses, phone numbers, and email addresses. The incident is part of a series of breaches in the French telecommunications sector during the last quarter of 2025. (Source: CERT-EU Cyber Brief 26-01.)
Barts Health NHS (United Kingdom), December 2025.
Barts Health NHS Trust, one of England’s largest healthcare providers, revealed that actors from the Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite to steal years of invoices containing personal data of patients, former executives, and suppliers. Clinical systems were not affected, but the organization had to seek a court order to restrict the dissemination of the stolen data. (Source: CERT-EU Cyber Brief 26-01.)
Port of Vigo (Spain), March 2026.
In the early hours of March 24, ransomware forced all servers at the Port of Vigo, Galicia’s leading general cargo port, to be disconnected from any external connection. The systems remained inaccessible for more than 72 hours. Physical operations could be maintained manually, but digital services were completely interrupted while forensic analysis was carried out to determine the entry vector. (Sources: Galicia Press; FORLOPD; Cadena de Suministro.)
Submarine infrastructures (Finland), December 2025.
Finnish authorities intercepted and seized the cargo ship Fitburg in the Gulf of Finland, under suspicion of having deliberately damaged a submarine telecommunications cable connecting Finland with Estonia. The incident falls within growing concern over the vulnerability of European submarine infrastructures to physical sabotage with an intelligence component. (Source: CERT-EU Cyber Brief 26-01.)
These cases coincide with a pattern that ENISA documents systematically: maritime transport and port logistics are targets of growing interest for actors with both criminal and geopolitical motivations. The strategic value of logistics nodes, combined with their high dependence on digital platforms, multiple connected actors, and constant operational pressure, makes them high-impact and, often, low-resilience targets.
The profile of the European attacker in 2026: industrialization and convergence
DIESEC European Cyber Threat 2026 and the ENISA Threat Landscape 2025 converge in a description of the attacker affecting European organizations: it is not the lone hacker, nor even the isolated criminal group. It is an industry with its own structure, specialization, and business models.
Ransomware-as-a-Service (RaaS) groups have drastically lowered the entry barrier for new actors. The period analyzed by ENISA documented 82 different active ransomware variants, with ongoing fragmentation of the ecosystem driven in part by law enforcement operations that dismantled LockBit (Operation Cronos, February 2024). That pressure did not reduce the volume of attacks: it dispersed it among more actors and pushed the accelerated emergence of new variants.
Initial Access Brokers (IABs), intermediaries that sell access to corporate networks on illegal markets, remain a critical vector. ENISA documents the common use of VPN and RDP credentials purchased on dark web marketplaces by groups such as SafePay, which appeared in September 2024 and expanded rapidly using exactly this method. The info-stealer Lumma was identified as the most prevalent credential theft tool since early 2025. (Source: ENISA Threat Landscape 2025; ENISA, European Digital SME Alliance analysis.)
In terms of cybercriminality, 81.1% of cybercriminal incidents against EU organizations involve ransomware and 15.2% are data breaches, with a double extortion strategy, encrypting and stealing simultaneously, that has gone from being the exception to becoming the standard. Stolen data are systematically leaked on cybercriminal forums if the ransom is not paid, and this threat of public exposure is proving especially effective in sectors regulated by the GDPR, where a confirmed breach entails notification obligations and possible sanctions.
The role of artificial intelligence: a double-edged sword with asymmetry
The WEF’s Global Cybersecurity Outlook 2026 identifies AI as the most significant factor of change in cybersecurity according to 94% of respondents, and 87% point to AI-related vulnerabilities as the fastest-growing risk in 2025. That consensus reflects something real: AI is redefining the playing field, but it is doing so asymmetrically.
On the offensive side, AI is being used to generate hyper-personalized and multilingual phishing content at industrial scale. ENISA confirms that more than 80% of social engineering campaigns worldwide already use AI to generate or improve their content. Tools such as Xanthorox AI, documented by ENISA in the Threat Landscape 2025, are specifically designed to automate malware development and social engineering. Audio and video deepfakes are facilitating next-generation Business Email Compromise (BEC) attacks, with calls where a “voice” simulates being an executive requesting urgent transfers or access to systems.
OT technology is also being vectorized through AI. The new ICS malware called VoltRuptor, documented by ENISA, was used to compromise an Italian smart building automation company in June 2025, evidencing the operational viability of tools specialized in industrial environments.
On the defensive side, the adoption of AI for security is accelerating, but with major governance gaps. The percentage of organizations assessing the security of their AI tools almost doubled from 37% in 2025 to 64% in 2026, according to the WEF. However, autonomous AI agents are being deployed with excessive permissions, unclassified documents, and obsolete access rules, creating new attack surfaces that attackers are already learning to exploit. (Source: WEF, Global Cybersecurity Outlook 2026.)
The European regulatory framework: active construction and persistent fragmentation
NIS2: approved, not fully transposed, and already under review
The NIS2 Directive (EU Directive 2022/2555) had a transposition deadline of October 17, 2024. The result was a collective failure: at the beginning of 2026, only about 16 of the 27 countries had fully transposed the directive. The European Commission initiated infringement procedures against 23 Member States, sending reasoned opinions in May 2025 to 19 of them, including Spain, as a preliminary step before a possible referral to the Court of Justice of the EU.
Brussels’ response to this landscape was, paradoxically, to propose changes to the directive before many countries had finished transposing it. On January 20, 2026, the Commission presented, as part of a new cybersecurity package, specific amendments to NIS2 aimed at simplifying compliance. The main changes include simplified jurisdictional rules for organizations operating in multiple EU countries, compliance pathways based on existing certifications, and more detailed ransomware reporting. The stated objective is to facilitate compliance for 28,700 companies, including 6,200 micro and small companies. The amendments are expected to be negotiated throughout 2026, with a 12-month transposition period after approval. (Source: European Commission / digital-strategy.ec.europa.eu, January 2026.)
This double movement, pressuring lagging countries while proposing to review the directive, reflects a real tension in European cybersecurity governance. The urgency of deploying the regulatory framework clashes with the difficulty of applying it homogeneously across 27 different legislative ecosystems.
The new cybersecurity package of January 2026
Beyond the amendments to NIS2, the cybersecurity package presented by the Commission on January 20, 2026 includes several initiatives that redefine the European regulatory landscape:
Revised Cybersecurity Regulation. The new regulation proposes a horizontal security framework for ICT supply chains, designed to address the risks of strategic dependencies on providers from third countries that raise cybersecurity concerns. The Commission presents it as a tool for the EU and Member States to jointly detect and mitigate risks across the 18 critical sectors. (Source: European Commission, January 20, 2026.)
Strengthening ENISA’s role. The agency will take on new functions: early warnings on cyber threats, support for ransomware response together with Europol, and management of the proposed new single window for incident notification at European scale. (Source: European Commission, January 20, 2026.)
Action plan for hospital cybersecurity. The Commission has published a specific resilience plan for hospitals and healthcare providers, recognizing the sector’s particular exposure. ENISA data confirm the urgency. Breaches in the European healthcare sector record the highest average cost of any industry, and hospital systems continue to operate with IT infrastructures that are decades old. The most extreme figure from the recent past remains the attack on Ireland’s Health Service Executive (HSE) in 2021, whose full recovery cost more than 600 million euros and took five months.
DORA: in force, with implementation challenges
The Digital Operational Resilience Regulation (DORA), applicable since January 2025 to the European financial sector, is imposing a significant compliance burden on entities operating in multiple jurisdictions. The combination of NIS2, DORA, GDPR, and national sectoral regulations is creating compliance complexity that large entities can manage but that represents a real challenge for mid-sized firms in the sector.
The resilience gap: an unequal Europe facing risk
One of the most worrying findings of the WEF’s Global Cybersecurity Outlook 2026 is the existence of a growing gap between cyber-resilient organizations and those that are not. That gap is not only technological: it is structural and related to size, sector, and geography.
Less than 45% of private-sector CEOs trust their country’s ability to respond to major cyber incidents affecting critical infrastructures. This level of distrust in collective national response capacity is significant. (Source: WEF, Global Cybersecurity Outlook 2026.)
23% of the private sector and 11% of the public sector rated their own cyber resilience as insufficient. And while 91% of large companies have adjusted their posture in response to geopolitical threats, only 59% of SMEs are doing the same. (Source: WEF, Global Cybersecurity Outlook 2026.)
73% of WEF respondents state that they or someone in their network have been personally affected by cyber fraud in the last year. Technology-enabled fraud has reached, in the report’s words, epidemic proportions. (Source: WEF, Global Cybersecurity Outlook 2026.)
In the specific European context, geopolitical inequality also has a digital security dimension. Countries supporting Ukraine’s supply chain (Poland, Czechia, Romania) are subject to particular scrutiny by threat actors. And countries with incomplete NIS2 transposition, still the majority in 2026, operate with less developed supervisory frameworks, creating disparities in detection, response, and cross-border coordination capacity.
OT threats: when cyberspace affects the physical world
The ENISA Threat Landscape 2025 marks an important conceptual milestone. For the first time, threats to operational technology (OT) represent 18.2% of all identified threat categories, signaling a systemic shift toward the targeting of industrial infrastructures and control systems.
The hacktivist group Z-PENTEST-ALLIANCE has concentrated its attacks on OT management interfaces accessible from the internet in the energy and water management sectors. Italy emerged as the most frequently attacked Member State in OT, followed by Czechia, France, and Spain. These attacks do not seek only disruptions: they seek visibility, presence, and future escalation capability.
The new ICS malware VoltRuptor represents the cutting edge of this threat, designed specifically to compromise OT environments and documented by ENISA in real incidents in 2025. The fusion of IT/OT systems that is driving Industry 4.0 in Europe permanently expands this attack surface. (Source: ENISA Threat Landscape 2025.)
The European response: growing coordination, persistent gaps
CERT-EU and the CSIRT network
The coordinated response to incidents at European scale rests on the network of national CSIRTs and CERT-EU, which covers the European institutions. The regular publication of Cyber Briefs by CERT-EU, threat intelligence documents that synthesize the most relevant incidents of the period, is one of the most valuable tools for information exchange among European public bodies. The Cyber Solidarity Act, approved as part of the EU regulatory framework, strengthens collective response mechanisms for cross-border incidents and the coordination of threat intelligence sharing.
The EU Cybersecurity Skills Academy
The shortage of specialized talent is recognized by ENISA as one of the most serious structural deficits in European cybersecurity. The first recommendation of the report on the state of cybersecurity in the EU, published by ENISA in December 2024, was precisely the creation of an EU Cybersecurity Skills Academy with a common approach to training, certification, and talent development at continental scale.
Technological sovereignty as a strategic imperative
The January 2026 cybersecurity package includes an explicit component of technological sovereignty: the new Cybersecurity Regulation proposes a framework to identify, assess, and mitigate risks arising from providers from third countries with critical dependencies in the ICT supply chains of the 18 European critical sectors. Henna Virkkunen, Executive Vice-President of the European Commission for technological sovereignty, security, and democracy, was explicit in the presentation of the package: as AI increasingly drives offensive operations in cyberspace, the resilience of Europe’s critical infrastructures and connectivity must be strengthened. (Source: WEF, Global Cybersecurity Outlook 2026, citing Henna Virkkunen.)
Conclusion: Europe facing forced maturity
By mid-2026, European cybersecurity is at a turning point that combines regulatory urgency, unprecedented threat pressure, and a capability gap that divides the continent between well-prepared organizations and countries and those still operating at a basic defense stage.
The major trends defining the moment are clear. Geopolitics has turned cybersecurity into a dimension of national security that no State can manage in isolation. AI is accelerating both attacks and defenses, but with a temporal asymmetry: attackers adopt new tools faster than defenders build controls for them. Ransomware has been industrialized to the point that barriers to entry for new actors are minimal. And IT/OT convergence has extended the attack surface to physical infrastructures that were previously isolated.
The EU’s regulatory response (NIS2, DORA, the Cyber Resilience Act, the new January 2026 package) is systematic and ambitious. But its effectiveness depends on the speed of implementation across 27 different legislative systems, on the supervisory capacity of national authorities with highly unequal resources and, ultimately, on the decision of private organizations to transform formal compliance into real security.
The WEF summarizes it precisely in its 2026 report: cybersecurity is not something an organization can do alone. It requires shared intelligence, coordinated governance, and a collective commitment to resilience. Europe has the framework. The question is whether it has the speed.




