Spain’s Situation in the Cyberspace Domain

Written by the Cybersecurity and Privacy Protection Research Group (GiCP)

In recent years, the volume of cyberattacks in Spain has shown an increasing trend. According to the National Cybersecurity Institute (INCIBE), 97,348 cybersecurity incidents were managed in 2024, representing an increase of 16.6 % over the previous year [1]. This increase reflects both improved detection capabilities and the increasing sophistication of cyberattacks.

The 2024 Annual Homeland Security Report, by Spain’s Department of National Security, indicates that cyber threats were a top security concern, with incidents affecting critical infrastructure, government agencies, and private entities [2]. In 2024, the National Cryptologic Center Response Team (CCN-CERT) managed a total of 177,098 incidents, the Response Team of the National Cybersecurity Institute of Spain (INCIBE-CERT) of Spain 97,348, and the Response Team of the Spanish Ministry of Defense (ESPDEF-CERT) 983. In addition, the proliferation of disinformation and cyber espionage campaigns has intensified, especially during election periods and in the international context of geopolitical tensions.

Spain’s Ministry of the Interior report reflects that 472,125 known cybercrime-related events were recorded in 2023, representing an increase of 26 % over last year [3]. The largest share corresponded to computer fraud (90.5 % of the total), followed by threats and coercion.

The most common attacks include malware, phishing, ransomware and corporate network intrusions. Of the incidents managed by INCIBE in 2024, 42,136 were related to malware, 21,571 to phishing, and 357 to ransomware [1]. The most affected sectors are the public, financial and industrial sectors. In 2024, 62 % of attacks targeted these sectors, with a 190 % increase in attacks on the public sector compared to the previous year.

At the European level, Spain is among the five countries with the most ransomware attacks. In the first half of 2024, 58 attacks of this type were recorded, placing it in fifth place worldwide. The LockBit and Ransomhub groups led the attacks in the country, being responsible for 45 % of the total [4].

Compared to countries such as France, Germany or the United Kingdom, Spain shows a similar threat level, although with a more accelerated growth in the last two years. While Nordic countries maintain a preventive approach and high investment in cyberintelligence, Spain has recently intensified its efforts, highlighting its participation in European incident response networks (CSIRTs). Globally, the United States remains the most targeted country, followed by China and Russia. However, Spain’s rapid rise in the attack rankings reflects both its digital exposure and its growing geostrategic role.

Compliance with standards such as the NIS2 directive and the reinforcement of the National Security Scheme (ENS) are essential steps to shield the Spanish interests in cyberspace. However, they must be accompanied by schemes that offer support to SMEs, local bodies and smaller entities, enabling a viable transition to robust practices without generating economic disruption.

PTE Disruptive’s 2024 Cybersecurity Situation Report [5] states that there is a shortage of about 80,000 cybersecurity specialists. The lack of trained personnel limits organizations’ ability to detect and respond to threats effectively, and poses a greater risk to businesses, especially in critical sectors that require immediate and constant protection.

Companies are trying to bridge the gap through reskilling programs, but INCIBE warns that only two out of ten vacancies are filled with internal talent and that turnover increases when pay does not compensate for the pressure associated with critical incidents [6].

The public sector is particularly affected by the lack of qualified profiles. Attacks against the Administration grew by 190% in 2024, while the workforces are still subject to inflexible selection processes and salary scales that discourage the recruitment of experts.

Spain’s position in the global ransomware ranking is not only explained by its digital exposure, but also by the combination of a labor market unable to meet the demand for specialists. Closing the talent gap by means of incentives and continuous training, and making public procurement more flexible are unavoidable steps to shield the productive fabric and the Administration. Only in this way will the country be able to translate its growing geostrategic weight into a real competitive advantage in cyberspace.

Technological sovereignty is crucial for Spain and Europe in terms of cybersecurity, since it guarantees control and autonomy over their critical digital infrastructures. In a global context where cyber threats are increasingly sophisticated and persistent, relying on technologies developed and controlled by external actors, especially outside the European Union, entails significant risks.

The risks of third-party technological dependence range from the possibility of espionage to the loss of control over sensitive government, corporate and citizen data. For this reason, having our own technologies, or at least transparent and auditable technologies within the European framework, reinforces the capacity to respond to cyber incidents and reduces exposure to externally imposed vulnerabilities.

Investing in technological sovereignty fosters innovation, industrial development, and job creation within the continent. Developing homegrown cybersecurity technologies boosts research, strengthens local supply chains, and reduces vulnerability to geopolitical or trade crises. In an increasingly digitalized world, where cybersecurity is a strategic issue, having homegrown technological capacity is not just an option, but a necessity to guarantee the security, stability, and prosperity of Europe, and therefore of Spain.

In GiCP, we participate in the SafeHorizon project, where we obtain intelligence from various sources and by integrating these data streams with machine learning technologies, the project seeks to extract actionable evidence for legal use. We also participate in the CIRMA project, where we aim to improve security and resilience against digital threats through advanced use of artificial intelligence. The development of such toolboxes is key to increasing Europe’s technological sovereignty and increasing the capabilities and know-how of cybersecurity personnel.

The sustained growth in incidents reflects increasing digital exposure and a tense geopolitical environment, in which Spain has become a priority target. The increase in ransomware attacks and disinformation campaigns highlights the need for more robust and adaptive preventive measures.

Although Spain has intensified its European involvement and aligned itself with european and national regulations, gaps in effective implementation persist, especially among SMEs and public administration, which require technical and financial support to adapt without compromising their viability.

The cybersecurity talent gap represents one of the most pressing risks. The shortage of specialists, exacerbated by uncompetitive working conditions in the public sector, limits response capacity and leaves both institutions and companies vulnerable.

The strategic importance of achieving technological sovereignty is noteworthy. Dependence on external technologies exposes Spain and Europe to critical risks. Investing in proprietary solutions, such as those developed through the SafeHorizon project and CIRMA project, not only strengthens security but also drives innovation, skilled employment, and digital autonomy.

Modernizing digital protection from the citizen to the institutional level, strengthening international cooperation, and guaranteeing stable resources is the imperative basis for building a solid cyber-resilience in the 21st century.

[1] INCIBE, “Balance de actividad 2024”, Instituto Nacional de Ciberseguridad, 2025.
[2] DSN, “Informe Anual de Seguridad Nacional 2024”, Departamento de Seguridad Nacional, Gobierno de España, 2025.
[3] Ministerio del Interior, “Informe sobre la Cibercriminalidad en España 2023”, 2024.
[4] S21sec, “Threat Landscape Report H1 2024”, 2024.
[5] PTE, “INFORME DE SITUACIÓN 2024”, 2024.
[6] INCIBE, “La demanda de talento en ciberseguridad doblará a la oferta en 2024, hasta alcanzar la cifra de más de 83.000 profesionales necesarios en el sector”, 2022.