
ITDR and PAM: how to protect identities and privileged access against advanced attacks
April 16, 2026
Spain under pressure: the figures that matter
The official cybersecurity report published by INCIBE on February 9, 2026 provided a clear picture of the previous year: 122,223 incidents managed in 2025, 26% more than in 2024. It is not an isolated figure. It is the continuation of a trend that shows no signs of easing.
Behind that figure there is a more granular snapshot that deserves to be read carefully:
- 55,411 malware incidents, the most frequent type.
- 392 ransomware attacks recorded, which despite their relatively low number concentrate the greatest economic impact per incident: between 80,000 and 150,000 euros on average for a mid-sized Spanish company.
- 45,445 cases of online fraud, 19% more than the previous year. Four out of every ten security incidents correspond to this category.
- 25,133 phishing cases, the most frequently used entry vector by attackers.
- 237,028 vulnerable systems detected and proactively notified to those responsible by INCIBE-CERT. More than two hundred and thirty thousand potentially open doors distributed throughout the territory.
- 3,849 cases of unauthorized access to or theft of digital data.
- 4,600 potentially fraudulent “.es” web domains shut down in collaboration with Red.es, with 100% of the cases reported by INCIBE.
(Source: INCIBE, 2025 Cybersecurity Report.)
Operators regulated by NIS2
In the area of essential and important operators, those regulated by the NIS2 Directive, INCIBE handled 401 incidents in 2025. The distribution by sector draws the map of exposure: banking concentrated 34% of the attacks; transport, 14%; energy, 8%; financial market infrastructures, 7%; and insurers and pension funds, 6%.
The 017 Cybersecurity Helpline received 142,767 inquiries in 2025, 44.9% more than in 2024. The split between preventive inquiries (49%) and reactive ones (51%) reveals that more than half of those who call still do so when the damage is already occurring. Main reasons: phishing, vishing or smishing attempts (28%), fraudulent online purchases (16%) and digital identity impersonation (14%). (Source: INCIBE.)
What is happening in 2026: real attacks, real names
If 2025 was a year of statistical records, the first months of 2026 have confirmed that the threat level is not easing. Check Point Software Technologies’ Security Report 2026 documents that organizations in Spain recorded an average of 1,968 weekly cyberattacks throughout 2025. This is a 70% increase compared to 2023.
In December of that same year, the figure stood at 1,883 weekly attacks, 5% more than in December 2024, with the government sector, consumer goods and services, and telecommunications as the main targets.
At the ransomware level, Spain accounts for 2% of attacks published globally. In fact, the fourth quarter of 2025 closed with 2,473 ransomware victims published on leak sites, the highest figure recorded to date. In the first quarter of 2025 alone, 2,289 victims with published data were recorded, a 134% growth compared to the previous year, driven in part by the mass exploitation of zero-day vulnerabilities. The Spanish Data Protection Agency (AEPD) received close to 2,800 personal data breach notifications throughout the year. (Source: Check Point, Security Report 2026.)
The incidents of 2026 already on the map
What distinguishes 2026 from previous years is not only the volume: it is the visibility and the caliber of the targets reached. In the first months of the year, several top-level incidents have confirmed that no one is outside the crosshairs.
Endesa, January 2026.
The electric company confirmed a breach that compromised contact data, national ID numbers, IBAN numbers and contract details of a significant number of customers. The origin: an issue in an old technology provider that also affected other international companies. Endesa activated protocols immediately and notified the authorities, although it warned its customers of the risk of impersonation and phishing campaigns using the extracted data. (Source: Channel Partner, Main cyberattacks in Spain in 2026.)
Ministry of Finance, early 2026.
The Ministry investigated a potential cyberattack on its databases after an alert issued by the firm Hackmanac, which pointed to an actor identified as “HaciendaSec” and claimed access to personal, banking, and tax data of more than 47 million citizens. The investigation remains open. (Source: Channel Partner.)
Port of Vigo, March 24, 2026.
In the early hours of Tuesday, March 24, the internal monitoring systems of the Port of Vigo alerted to an intrusion. It was ransomware. The technical teams acted immediately by isolating all the servers from any external connection. This left the Port Authority’s website inoperative for more than 72 hours.
The physical operation of the port, which in the first two months of 2026 had accumulated 715,728 tons of goods, could be maintained manually, but the associated digital services were interrupted. Consultancy firm GMV provided technical assistance and a forensic analysis was initiated to determine the entry vector. The declared objective of the attack was obtaining a financial ransom. (Sources: Galicia Press; FORLOPD; Cadena de Suministro.)
Basic Fit and Inditex, 2026.
The low-cost gym chain Basic Fit confirmed unauthorized access to its customer database that affected more than 4.5 million users in Spain, France and Germany. In the case of Inditex, the company reported a breach originating from an external provider, emphasizing that its systems and operations were not directly affected. (Source: Channel Partner.)
These incidents are not isolated accidents. They are the concrete expression of the trends that global reports have been describing for months: attacks through the supply chain, ransomware aimed at critical infrastructures, and massive data theft for delayed extortion.
AI: the factor that accelerates everything
Artificial intelligence has fully entered the cybersecurity equation, and it has done so on both sides. According to Check Point data for the end of 2025, 1 out of every 27 requests to generative AI tools in enterprise environments posed a high risk of sensitive data leakage, and 91% of organizations that used GenAI tools experienced high-risk request activity.
Over 25% of the requests contained potentially sensitive or confidential information. On the offensive side, AI is being used to create highly personalized multilingual phishing campaigns, generate malicious code, deploy fake websites massively, and produce voice and video deepfakes for impersonation. Tools such as FraudGPT or WormGPT have democratized capabilities that previously required technically sophisticated attackers.
On the defensive side, AI enables automated detection and response to incidents (XDR, EDR), analysis of user behavior in real time, and correlation of alerts at a scale that no human team could handle manually.
The INCIBE report highlights that, globally, more than 28 million cyberattacks in 2025 were driven by artificial intelligence, with 87% of companies affected by incidents enhanced by this technology. (Source: data compiled by INCIBE.)
The regulatory framework: NIS2 pending, ENS in force, and a European anomaly that is lasting too long
Spain’s delay with NIS2
The NIS2 Directive (EU Directive 2022/2555) had a transposition deadline for Member States of October 17, 2024. Spain did not make it. Not only did it not make it: by mid-2026, the final law has still not been published in the BOE.
The legislative path has been slow. The Council of Ministers approved the Preliminary Draft Law on Coordination and Governance of Cybersecurity on January 14, 2025, following a joint proposal from the Ministries of the Interior, Defense and Digital Transformation. This text moved into the hearing and public information phase between January and February 2025. In May 2025, the European Commission sent a reasoned opinion to Spain over the delay, which could lead to a lawsuit before the Court of Justice of the EU with coercive fines on the State. At the beginning of 2026, the bill received urgent classification to speed up its parliamentary processing, but as of March 2026 it had still not completed the legislative process. (Sources: NIS-2-Directive.com, update March 12, 2026; INCIBE; Delbion.)
This situation generates a double paradox. On the one hand, the directive has been binding at European level since January 2023, so the absence of transposition does not exempt affected organizations from responsibility. On the other hand, the lack of an approved national law keeps thousands of companies in real legal uncertainty regarding the exact scope of their obligations.
National Cybersecurity Center (CNC)
What is known from the draft text is relevant: a National Cybersecurity Center (CNC) is created, attached to the Presidency of the Government, which will assume coordination of the national cybersecurity policy and act as a single point of contact before the EU and ENISA. This figure seeks to resolve the institutional fragmentation that the Joint National Security Commission identified in its February 2026 diagnosis: CCN-CERT, INCIBE, Cyberdefense and the police forces operating without centralized coordination.
The sanctioning regime foreseen in NIS2, which the future Spanish law will incorporate, is among the most severe in the European regulatory landscape: up to 10 million euros or 2% of global turnover for essential entities, and up to 7 million or 1.4% of turnover for important entities. In addition, governing bodies assume direct personal responsibility: they may be temporarily disqualified if serious negligence is demonstrated.
It is estimated that NIS2 expands the number of affected organizations in the EU from about 15,000 (under NIS1) to more than 160,000. In Spain, the estimate is more than 5,760 directly obligated entities.
ENS: the current framework that does not wait
While NIS2 is still being processed, the National Security Framework (Royal Decree 311/2022) remains the mandatory reference framework for Spanish public administrations and their technology providers. Its requirements regarding privileged access control, continuous monitoring, traceability of actions and credential management are not new, but their practical application remains uneven, especially in municipalities and smaller agencies.
CCN-CERT currently operates 48 probes of its Early Warning System for Industrial Control Systems (SAT-ICS), strategically distributed across Spanish territory, with coverage for 38 affiliated organizations belonging both to the public sector and to companies of strategic interest. (Source: CCN-CERT.)
The defending sector: a 6.351 million euro market
The threat has created its counterpart. The Study on the cybersecurity industry in Spain 2025, produced by INCIBE and CONETIC based on the analysis of more than 500 companies and presented in León on March 18, 2026, offers the most complete snapshot available of the Spanish defending sector.
The main figures:
- 6.351 million euros in revenue in 2024, equivalent to 4.65% of the total Spanish ICT sector. The market has grown by 70% since 2020.
- 164,761 professionals employed in cybersecurity, 25.55% of total employment in the ICT sector. Between 2021 and 2025, employment grew by 35.14%.
- 3,430 active companies, of which 45% are microenterprises and only 5% are large corporations. In the last five years, 403 new companies have been created, already accounting for 12% of revenue.
- Spain is the fourth European cybersecurity market, with 12% of continental revenue and 2.8% of global revenue.
- Annual growth projection of 14.25% between 2026 and 2029, which would bring the sector to around 282,000 jobs at the end of the period.
(Sources: INCIBE/CONETIC, Study on the cybersecurity industry in Spain 2025, presented on March 18, 2026.)
3 billion euros in 2026
The DBK Observatory of Informa confirms for its part that the market for cybersecurity products and services in Spain, which billed 2.5 billion euros in 2024, will exceed 3 billion euros in 2026, with two thirds of the business in services and the remaining third in software and hardware. (Source: DBK Sector Observatory, Informa.) As for public investment, the 2025 Defense Plan allocated 3.262 billion euros to technology and cybersecurity, with an additional 1.157 billion specifically approved for cybersecurity and cyberdefense in May 2025.
44.2% of Spanish companies plan to increase their cybersecurity investment in 2026, according to the Secure&IT study published in January of that year. The figure has a positive reading (awareness of risk is growing) but also a troubling one: the remaining 55.8% do not plan to increase it, despite the fact that the average cost of a cyberattack for a small company ranges between 35,000 and 80,000 euros, and that stopping business activity because of an attack can cost between 4,000 and 7,500 euros per minute. (Sources: Secure&IT, January 2026; ESED.)
Gaps that persist: talent, SMEs and OT
The talent deficit has a new shape
Spain continues to face a structural deficit of professionals specialized in cybersecurity, but in 2026 the problem has evolved. It is no longer mainly a question of the number of professionals: it is a question of critical skills. Added to this is an additional challenge that INCIBE’s general director, Félix Barrio, identified in the presentation of the sectoral study in March 2026 as “one of the greatest scourges” of the market: gender inequality. Only 20% of cybersecurity employment corresponds to women, a gap that the sector cannot afford to maintain if it wants to cover the projected demand.
The outsourcing of services toward MSP and managed SOC models has become the practical response to the problem: many organizations opt for external partners to access advanced capabilities without building internal teams from scratch. This trend, which accelerates in 2026 under the regulatory pressure of NIS2, has implications in the chain of responsibility that the directive defines precisely.
SMEs: the link under the greatest pressure
The Spanish business fabric is dominated by SMEs, and their cybersecurity situation in 2026 is worrying. 50% of Spanish SMEs suffer some cyberattack every year. Verizon’s global DBIR analyses confirmed in 2025 that SMEs are a target almost four times more often than large organizations, and that ransomware was present in 88% of the breaches that affected them.
The cyberinsurance market reflects this pressure: cyberinsurance premiums reached 190 million euros in Spain in 2024, 12% more than the previous year. Ransomware represents 41.92% of the total cost of claims, and it is precisely companies with turnover below 50 million euros that register the highest frequency of incidents.
NIS2 expands its scope to entities with more than 50 employees or 10 million euros in turnover in regulated sectors. This means that thousands of SMEs that previously operated without formal cybersecurity obligations are now within the scope of the directive, or will be when Spanish law finally transposes it.
IT/OT convergence: an attack surface growing without restraint
The digitalization of sectors such as energy, industry or public services has accelerated the convergence between information technologies and operational technologies. Systems that previously functioned on isolated networks are now connected, managed remotely and, frequently, protected with tools designed exclusively for conventional IT environments.
The Port of Vigo incident in March 2026 is a precise example of how a critical logistics node (the port led general cargo traffic among Galician ports in February of that year, with 416,873 tons in a single month) can be attacked on its digital layer with consequences that extend to physical operations and the supply chain.
According to an analysis by Cipher, the cybersecurity division of Grupo Prosegur, cyberattacks on supply chains doubled in 2025, with an average cost of 4.33 million euros per incident and an estimated global annual cost of 53.2 billion dollars. (Source: Cipher/Prosegur, reported by Cadena de Suministro.)
What is changing in organizations’ response
From reaction to anticipation (although slowly)
The reactive model (contain, recover, analyze) remains dominant in most Spanish organizations, but regulatory pressure and the growing cost of incidents are accelerating a paradigm shift. Organizations that integrate automated detection and early response tools manage to reduce the incident life cycle substantially.
According to IBM data for 2025, the average life cycle of a breach dropped to 241 days, the lowest level in nine years, although breaches that exceed 200 days continue to generate much greater economic and operational impacts. (Source: IBM, Cost of a Data Breach Report 2025.)
Zero Trust as the direction of travel
The most consolidated trend in the defensive response of Spanish organizations in 2026 is the migration toward Zero Trust architectures. VPNs and remote access tools continue to be critical vectors because of stolen credentials and the absence of multifactor authentication, which is pushing a growing number of organizations toward ZTNA (Zero Trust Network Access) models that eliminate the direct exposure of services to the internet.
Cybersecurity is consolidating, according to all indicators, as the second technological priority of Spanish companies in 2026, only behind artificial intelligence, with 17% of mentions in IT investment plans, according to the LiceoTIC study produced from 230 company responses.
The landscape in perspective: what remains to be solved
By mid-2026, cybersecurity in Spain presents a dual state: the defending sector is robust, dynamic and growing at an unprecedented pace; the reality of threats is equally robust, dynamic and growing. Between the two, there are gaps that are not closed only with technology.
Institutional fragmentation, publicly diagnosed by the Joint National Security Commission in February 2026, is one of the most urgent problems. Without an operational National Cybersecurity Center and without the NIS2 transposition law published, coordination between CCN-CERT, INCIBE, Cyberdefense and the police forces continues to be more difficult than it should be.
The maturity gap between large corporations and SMEs is the second structural problem. Sector figures show a strong cybersecurity industry with international projection, but its services do not reach the thousands of medium-sized companies that form the supply chain of critical operators with the same intensity.
And the speed of regulatory adaptation is the third challenge. In an environment where attackers evolve in weeks and laws take years, the time gap between the real threat and the framework that regulates it is, in itself, a risk.
What is not in doubt is that cybersecurity has ceased to be a technical issue and has become a top-order strategic variable: for governments, which legislate and coordinate; for companies, which invest and suffer the attacks; and for the Spanish economy as a whole, which depends more and more on digital infrastructures that someone has to protect.




