Data protection

1. Local data protection laws and scope

Organic Law 3/2018 of 5 December on the Processing of Personal Data and Guarantee of Digital Rights (hereinafter Organic Law 3/2018) (in Spanish, "Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales"):
a) adapts the Spanish legal system to the GDPR, 
b) regulates the exercise of the fundamental right to data protection, protected by Art. 18(4) of the Spanish Constitution, in accordance with GDPR and this Organic Law, and 
c) regulates the guarantee of the digital rights of citizens, including processing of personal data in the context of employment (e.g. surveillance systems, geolocation devices and the right to privacy in the use of digital devices).

The law provides an interpretation of some of the broader concepts in the GDPR. It came into effect on 7 December 2018 and repealed, except for some provisions in the political and judicial sector, the Organic Law 15/1999 of 13 December on the Protection of Personal Data and any other law or regulation contrary to GDPR.

This law:

  • applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system;
  • does not apply to the processing of personal data:
    • by a natural person in the course of a purely personal or household activity; 
    • when the data processing is carried out within the framework of activities which fall within the scope of Chapter 2 of Title V of the TEU; 
    • for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Directive (EU) 2016/680); 
    • related to deceased individuals (with some exceptions); or 
    • subject to the regulation on the protection of classified information.

Unless otherwise proved, the following processing activities are presumed to be lawful:

  • the processing of contact details of natural persons who provide their services within a legal entity, and of individual entrepreneurs who provide their services to a legal person, is covered by the legitimate interest legal basis, subject to certain requirements (Art. 19);
  • the processing of personal data related to the breach of pecuniary, financial or credit obligations through common credit information systems is lawful, subject to certain requirements (Art. 20);
  • processing activities derived from any kind of corporate structural change transaction (transformation to a different legal form, merger, acquisition, division, global assignment of assets and liabilities and international relocation of registered office), to the extent that the processing is necessary for the success of the transaction and the continuity of the service. If the transaction does not finally take place, the transferee shall immediately erase the data, regardless of any other retention period that might legally apply (Art. 21);
  • video surveillance: natural or legal persons, public or private, may carry out the processing of images through camera systems or video cameras in order to preserve the safety of people and property, as well as their facilities, subject to certain requirements (Art. 22);
  • whistleblowing schemes: processing of personal data necessary to ensure the protection of individuals who report regulatory infringements (Art. 24). The processing of personal data shall be carried out according to the GDPR, the Organic Law 3/2018 and the Law regulating the protection of persons who report regulatory violations and the fight against corruption.

Other relevant laws on data protection for specific sectors/processing activities/type of personal data are:

  • Telecommunications and electronic communications: Law 11/2022 of 28 June General Telecommunications ("Ley 11/2022, de 28 de junio, General de Telecomunicaciones"). This law regulates, among other matters, the processing of personal data in the telecommunications sector, the data protection rights of users and subscribers, and traffic and location data.
  • Payment services: Royal Decree-Law 19/2018 of 23 November of payment services and other urgent financial measures ("Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera"). This Royal Decree-Law regulates the processing of personal data in the payment services sector.
  • Insurance sector: Royal Decree-Law 3/2020 of 4 February on urgent measures transposing into Spanish law various European Union directives in the field of public procurement in certain sectors; private insurance; pension plans and funds; taxation and tax litigation ("Real Decreto-ley 3/2020, de 4 de febrero, de medidas urgentes por el que se incorporan al ordenamiento jurídico español diversas directivas de la Unión Europea en el ámbito de la contratación pública en determinados sectores; de seguros privados; de planes y fondos de pensiones; del ámbito tributario y de litigios fiscales"). This Royal Decree-Law regulates the processing of personal data in the insurance sector and sets up certain requirements for the processing of several entities that may participate in the processing (insurance companies, brokers, etc).
  • Prevention of occupational risks: Law 31/1995 of 8 November on the Prevention of Occupational Risks ("Ley 31/1995, de 8 de noviembre, de Prevención de Riesgos Laborales"). This Law sets up a duty for the employer to protect workers against occupational risks and guarantee the safety and health of all workers at their service in aspects related to work. In particular, in the context of the Covid-19 pandemic, the worker must inform his/her employer in case of suspected contact with the virus, in order to safeguard his/her own health and that of other workers in the workplace through appropriate measures.
  • Processing and public access to official documents: Access to official public documents that contain personal data shall be governed by the Law 19/2013 of 9 December on transparency, access to public information and good governance ("Ley 19/2013, de 9 de diciembre, de transparencia, acceso a la Información pública y buen gobierno"), by the GDPR and the Organic Law 3/2018.
  • Clinical information and documentation: Law 41/2002 of 14 November regulating patient autonomy and rights and obligations regarding clinical information and documentation (in Spanish "Ley 41/2002, de 14 de noviembre, básica reguladora de la autonomía del paciente y de derechos y obligaciones en materia de información y documentación clínica"). This Law regulates the processing of personal data concerning health and sets up the minimum data retention period.
  • Processing of personal data carried out by Courts of Justice: The processing of data carried out by the Courts of Justice in the proceedings for which they are competent, as well as the processing carried out within the management of the "Judicial Office", shall be governed by the provisions of the GDPR and Organic Law 3/2018, without prejudice to the provisions of Organic Law 6/1985 of 1 July on the Judicial Power ("Ley Orgánica 6/1985, de 1 de julio, del Poder Judicial"), when applicable.
  • Data protection in law enforcement (police and criminal justice authorities): The processing of personal data for law enforcement purposes by police and criminal justice authorities is regulated by Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This law was adopted to comply with Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (Law Enforcement Directive or LED).
  • Whistleblowing schemes: In addition to the GDPR and the Organic Law 3/2018, the processing of personal data for the protection of whistleblowers and within these systems is governed by Law 2/2023 of 20 February regulating the protection of persons who report regulatory violations and the fight against corruption ("Ley 2/2023, de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción"). This law establishes the regime applicable to the processing of personal data derived from the use of whistleblowing schemes.
  • Consent of minors: The processing of personal data based on consent:
    • is possible for minors over 14 years of age, and 
    • for minors under 14 years of age, is only lawful if consent is given by the parent or guardian.

2. Data protection authority

  • Agencia Española de Protección de Datos (AEPD) (Spanish Data Protection Agency)
    www.aepd.es

The current Statute of the AEPD, as an independent administrative authority at the state level, was approved by Royal Decree 389/2021 of 1 June.

There are three regional authorities with competences in relation to data processing carried out by regional and local public bodies:

There is one authority with competences in relation to data processing carried out by courts acting in their judicial capacity:

3. Anticipated changes to local laws

Even though there are no anticipated changes to local laws, the following Draft Bills may be relevant: 

  • Organic Law on the protection of personal data for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (“Proyecto de Ley Orgánica de Protección de Datos Personales tratados para fines de prevención, detección, investigación y enjuiciamiento de infracciones penales y de ejecución de sanciones penales”). The purpose of this Organic Law is to adopt the transposition measures to comply with Directive (EU) 2016/680.
  • Draft bill on distance working (“Proyecto de Ley de trabajo a distancia”). Article 17 of the Draft Bill includes the right to privacy and data protection in accordance with Organic Law 3/2018. This article includes two relevant provisions: a) the use of telematic means and the monitoring of work by means of automatic devices shall ensure the right to privacy and data protection, considering the principles of suitability (“idoneidad”), necessity and proportionality of the means used; b) businesses should establish criteria for the use of digital devices, respecting in all cases the minimum standards of privacy protection in accordance with social customs and legally and constitutionally recognised rights.

4. Sanctions & non-compliance

Administrative sanctions:

The AEPD has enforcement powers for administrative procedures only. Administrative sanctions for private data controllers and processors may consist of a fine, in accordance with the GDPR. Public authorities and bodies established in Spain and listed in Art. 77 of the Organic Law 3/2018, when acting as data controllers or processors, shall be sanctioned with a decision declaring the infringement (instead of a fine). For the purposes of the limitation periods applicable to infringements, Articles 72 to 74 of the Organic Law 3/2018 classify infringements as very serious, serious and minor. In these Articles, the law specifies some actions considered as infringements, in addition to the ones included in Article 83 of the GDPR.

In addition to the graduation criteria established in Article 83.2 of the GDPR, the Organic Law 3/2018 adds other criteria such as: the continued nature of the infringement, the link between the offender's activity and the processing of personal data, the benefits obtained from the commission of the infringement, the possibility that the conduct of the person concerned might have led to the commission of the offence, or the existence of a merger by absorption following the commission of the infringement, which cannot be attributed to the merging entity (Art. 76).

Criminal sanctions:

There are no criminal sanctions in the Organic Law 3/2018.

Others:

Individual (material or non-material) damages must be requested in the competent jurisdiction. In this case, the civil jurisdiction is competent for these claims. 

5. Registration / notification / authorisation

Registration or notification of processing or filing systems are not provided for by Organic Law 3/2018.

Registration is required for:

  • Binding Corporate Rules (BCRs) authorised by the AEPD. Since 2020 the AEPD has authorised BCRs;
  • Codes of Conduct. In 2020 the AEPD registered the modification of the code of conduct for the processing of personal data in marketing and there are two additional codes of conduct registered between 2022 and 2024 adapted to the GDPR for clinical trials (2022), insurance sector (2022) and the resolution of data protection disputes in the electronic communication sector (2024). 

The following notifications must be sent to the competent data protection authority:

  • Appointment, modification or dismissal of the appointment of the Data Protection Officer (DPO) according to Art. 37(7) of the GDPR;
  • Data breaches according to Art. 33 of the GDPR.

Prior authorisation is required for international data transfers to countries or international organisations without an adequacy decision of the Commission or appropriate safeguards. This authorisation is subject to the opinion of the European Data Protection Board (EDPB), in accordance with the GDPR.

6. Main obligations and processing requirements

  • Transparency and information: On transparency and information to the data subject, when personal data:
    • a) are collected from him/her, Organic Law 3/2018 states that the controller may provide, as a minimum, certain information on the processing of personal data (the identity of the controller and, where applicable, its representative; the purposes of the processing; and the exercise of the data subject's rights (Arts. 15 to 22 of the GDPR)) and indicate an electronic address or any other means which would allow access to additional information (Art. 11(1)); 
    • b) have not been obtained from him/her, the controller may provide, as a minimum, certain information on the processing of personal data (the categories of personal data processed and the sources of the personal data) and indicate an electronic address or any other means which would allow access to additional information (Art. 11(2)).
  • Personal data concerning administrative infringements: The processing of personal data concerning administrative infringements and sanctions can only be carried out by competent bodies for the investigation and sanctioning procedure and the processing is limited to the data strictly necessary for the purpose of the processing. Otherwise, the processing of this personal data:
    • a) shall require the data subject's consent or a law that authorises their processing, or
    • b) may be carried out by lawyers or solicitors when the purpose is to collect the information provided by their clients for the exercise of their functions (Art. 27).
  • Personal data concerning criminal records: Processing of personal data concerning criminal records can only be carried out where provided for by European or national law, including the Organic Law 3/2018 (Art. 10).
  • Record of processing activities of public authorities and bodies: Public authorities and bodies listed in Art. 77 Organic Law 3/2018 shall publish their record of processing activities. This record shall include the information set up in Art. 30 of the GDPR and the legal basis for the processing (Art. 31).
  • Blocking of personal data: The data controller shall be obliged to block the data when they are rectified or deleted. The blocking of data consists of the identification and reservation of the data, adopting technical and organisational measures to prevent their processing, including their visualisation, except for making the data available to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the enforcement of possible liabilities arising from the processing and only for the period of limitation of the same. Once this period has elapsed, the data shall be deleted.

7. Data subject rights

There are some deviations from the GDPR on the rights of access, rectification, suppression (erasure) and restriction.

Access: Based on Art. 12(5) of the GDPR the exercise of this right on more than one occasion during a six-month period may be considered repetitive unless there is a legitimate cause for this. If the data subject chooses a means other than the one offered by the controller for access that entails a disproportionate cost, the request shall be considered excessive and the subject shall pay for the excess costs.

Rectification: If required, the data subject shall include the documentation justifying the inaccuracy or incompleteness of personal data processed.

Suppression: If suppression derives from the right to object under Art. 21(2) of the GDPR, the data controller shall retain the data subject's core identifying data in order to prevent future processing for direct marketing purposes.

Restriction of processing: The Organic Law 3/2018 specifies that restriction should be clearly stated in the data controller's information systems.

The Organic Law 3/2018 also regulates in its Title X, on the guarantee of digital rights, the right to be forgotten (Art. 94) and data portability in social networks (Arts. 94 and 95). Whereas the right to be forgotten applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system, the right to data portability in social networks does not. This means that the Spanish Data Protection Agency is competent regarding the right to be forgotten, but not for the right to portability of data (other than personal data) in social networks.

The data subject's rights (Arts. 15 to 22 of the GDPR) may be exercised directly or through a legal or voluntary representative. In the case of minors under the age of 14, parents or guardians may exercise rights on their behalf and in their name.

8. Processing by third parties

In addition to the GDPR, the following provisions must be considered when a data processor acts on behalf of a data controller. If agreed in the contract or other legal act with the data controller, the processor may manage on behalf of the controller the requests to exercise data subjects' rights (Art. 12(3) Organic Law 3/2018).

According to Art. 33(3) of the Organic Law 3/2018 if there is a legal provision on the retention of personal data, the data processor shall return the personal data to the data controller that shall ensure their retention while the obligation is applicable. The data processor may retain personal data, duly blocked, for as long as any liability arises from its relationship with the data controller.

For third parties (data processors) providing a service under concession, management entrustment or contract that involves the processing of personal data to a Public Administration, the security measures shall correspond to those of the originating Public Administration and shall comply with the National Security Scheme (Esquema Nacional de Seguridad) (First Additional Provision of the Organic Law 3/2018 on the security measures in the public sector).

Finally, any data processing agreement (contract or other legal act) entered into prior to 25 May 2018 pursuant to the provisions of Article 12 of the repealed Organic Law 15/1999 remains in force until the expiry date indicated therein and, if it was agreed for an indefinite term, until 25 May 2022. During these periods, either party could require the other to modify the contract so that it complies with the provisions of Article 28 GDPR and Article 33 Organic Law 3/2018.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

Organic Law 3/2018 sets out the same criteria under Article 37 GDPR in relation to DPO appointment obligations.

However, the Organic Law 3/2018 (Art. 34) sets out, for the avoidance of any doubt, the obligation of particular entities to appoint a DPO, including the following: professional associations; educational centres; entities operating networks and providing electronic communication services; information society providers; credit institutions and/or financial companies; insurance companies; investment service companies; energy distributors and traders; entities responsible for files related to financial solvency and creditworthiness; companies developing marketing and commercial research activities; health centres; gambling operators that operate through electronic means; private security companies; and sports federations when processing minors' data.

Organic Law 3/2018 sets out that DPOs are not personally responsible for non-compliance with the GDPR (Art. 70.2). As in the case of the GDPR, the Organic Law 3/2018 makes it clear that data protection compliance is the responsibility of the controller or the processor and, as stated in the GDPR, they must ensure and be able to demonstrate it. Additionally, it established a term of ten days for controllers and processors to notify appointments, modifications and removals of DPOs to the AEPD or the regional data protection authorities, both when the appointment is mandatory and when it was made voluntarily (Art. 34.3). Organic Law 3/2018 specifies that the AEPD and the regional data protection authorities will maintain an updated list of DPOs that will be accessible by electronic means (Art. 34.4).

On 10 January 2020 the AEPD released an updated version (v.1.4) of the Certification Scheme of Data Protection Officers. Under this version the DPOs may use the certification mark, and the training entities must include certain information on the training programme on their websites. This certification is voluntary for DPOs. It was adopted as "a valid tool for the objective, impartial assessment of the competence of an individual to carry out a specific activity".

Organic Law 3/2018 also regulates the intervention of the DPO in the event of a complaint before a data protection authority; the data subject may first address the DPO, so the DPO can reach a decision before going to the AEPD (a maximum of two months from receipt of the complaint) (Arts. 37 and 65.4).

11. Security

Public Administrations and third parties (data processors) providing a service under concession, management entrustment or contract that involves the processing of personal data to a Public Administration, shall comply with the National Security Scheme (Esquema Nacional de Seguridad), approved by Royal Decree 311/2022 of 3 May 2022.

12. Breach notification

There are no derogations from the GDPR.

There is an electronic procedure for communicating data breaches to the AEPD (only available in Spanish). It requires an electronic certificate or Cl@ve PIN, a PIN code that enables identification and signing for many procedures with the Public Administrations or other public entities, including this one.

The Spanish Data Protection Agency has published a guide on personal data breaches and notifications.

13. Direct marketing

Electronic commercial communications via email: Electronic commercial communications (opt-in system) via email are governed by the Law 34/2002 of 11 July 2002 on information society services and electronic commerce ("LSSI"). Though not explicitly mandated in all cases, the AEPD strongly encourages using a "double opt-in" mechanism to demonstrate consent. In this regard, AEPD has issued a report that expressly states that the LSSI, because of its special character, prevails over the data protection regulation.

In accordance with Article 21(1) LSSI, sending electronic commercial communications through email is forbidden unless requested or expressly authorised by the recipient (including legal entities). As an exception to the previous rule, commercial communications may also be sent if there is a previous contractual relationship and personal data, lawfully obtained, are used for sending commercial communications on products or services of the sender that are similar to those initially contracted with the customer ("soft opt-in"). Companies must always include an easy and free procedure that allows the data subject to object to the use of his or her personal data for electronic commercial communications sent via email.

Commercial communications by regular (postal) mail or phone are governed by Organic Law 3/2018, excluding legal entities: when carrying out direct marketing communications, the sender must first consult the advertising exclusion systems to avoid processing the data of data subjects who have objected to or refused this use of their personal data. This consultation is not required when the data subject has given his or her consent to receive the communication to the party that intends to carry it out.

14. Cookies and adtech

Article 22 of the Law 34/2002 of 11 July 2002 on information society services and electronic commerce ("LSSI") sets out that cookies may be used in the recipients' computers or equipment when data subjects have given their consent once they have been fully and clearly informed of the purpose of those technologies and especially on their use for data processing, as per the requirements established in the data protection law. Despite the previous provision, the Spanish Data Protection Agency (AEPD) has held that after the full application of the GDPR, consent requirements for the use of cookies should be those established in the GDPR.

The AEPD has published additional guidelines on cookies and similar technologies (i.e. local shared objects or Flash cookies) adapted to the GDPR, Organic Law 3/2018 and EDPB Guidelines 5/2020 on consent under the GDPR. The guidelines are available on the AEPD's webpage.

Additionally, in January 2024 the AEPD published guidelines on using cookies for audience measurement tools (to obtain traffic or performance statistics) which state the conditions under which their use is exempt from the need to obtain consent.

The Spanish Data Protection Agency has released several guidelines and other publications on topics such as cookies and data breaches. The following are available in English:

  • Guide on use of cookies;
  • Technologies and Data Protection in Public Administrations;
  • Guidelines for Data Protection by Default;
  • Guide to Privacy by Design;
  • Guidelines for social distancing and access control apps due to COVID-19;
  • FAQ COVID-19;
  • Technologies in the fight against COVID-19. A cost-benefit analysis;
  • Introduction to 5G technologies and their risk in terms of privacy;
  • GDPR compliance on processing that embeds Artificial Intelligence, an introduction;
  • Audit requirements for Personal Data Processing Activities involving AI;
  • Recommendations to protect personal data in situations of mobility and telecommuting.

Cybersecurity

1. Local cybersecurity laws and scope

The National Cybersecurity Strategy (the "Strategy") was adopted in 2019 (giving effect to the provision made in the 2017 National Security Strategy and updating the previous version adopted in 2013). The aim of the current version of the Strategy is to promote a secure and reliable cyberspace.

The Strategy sets out five specific goals and seven lines of action, such as boosting cybersecurity for citizens and companies or contributing to international cyberspace security. On this basis, Spain continues to rely on multiple rules comprising its cybersecurity regulatory structure, which has been strengthened in recent years.

The Cybersecurity Law Code, published by the Spanish Official Journal in cooperation with the Spanish Cybersecurity National Institute (INCIBE), collates the main legislation related to information security and the protection of cyberspace, of which the following is most relevant:

National Security Law:

  • Law 36/2015 of 28 September on National Security (National Security Law).
  • Law 11/2002 of 6 May regulating the National Intelligence Centre.
  • Law 9/1968 of 5 April on Official Secrets.
  • Order PCI/487/2019 of 26 April publishing the 2019 National Cybersecurity Strategy, approved by the National Security Council.
  • Order PRA/33/2018 of 22 January publishing the Agreement of the National Security Council regulating the National Cybersecurity Council.
  • Order PRA/116/2017 of 9 February publishing the Agreement of the National Security Council implementing the mechanisms to ensure the integrated operation of the National Security System (NSS Mechanisms Order).

Public sector:

  • Royal Decree 311/2022 of 3 May regulating the National Security Scheme in the field of e-Government (National Security Scheme).
  • Royal Decree 4/2010 of 8 January regulating the National Interoperability Scheme in the field of e-Government (National Interoperability Scheme).
  • Order PRE/2740/2007 of 19 September approving the Regulation on the Information Security Evaluation and Certification Scheme (Regulation on the Information Security Evaluation and Certification Scheme).

Critical Infrastructure:

  • Law 8/2011 of 28 April implementing measures for the protection of critical infrastructure (CIP Law).
  • Royal Decree 704/2011 of 20 May approving the Regulation on the protection of critical infrastructure (CIP Regulation).
  • Decision of the State Secretariat for Security of 8 September 2015 approving the new minimum content of the Operator's Security Plans and the Specific Protection Plans (Decision on the Operator's Security Plans and Specific Protection Plans).

Network and Information System Security:

  • Royal Decree-Law 12/2018 of 7 September on Network and Information System Security.
  • Royal Decree 43/2021 of 26 January developing Royal Decree-Law 12/2018 of 7 September on Network and Information System Security.

Telecommunications (Telecoms):

  • Law 34/2002 of 11 July on information society services and electronic commerce.
  • Law 11/2022 of 28 June General Telecommunications (Telecoms Act).
  • Royal Decree 424/2005 of 15 April 2005 approving the Regulation on the conditions for the provision of electronic communication services, universal service and users' protection (the Universal Service Regulation).
  • Royal Decree 381/2015 of 14 May 2015 establishing measures against unauthorised traffic and irregular traffic for fraudulent purposes in electronic communications (the Unauthorised and Irregular Traffic Regulation).
  • Law 25/2007 of 18 October on the conservation of data relating to electronic communications and public communications networks.

5G:

  • Royal Decree-Law 7/2022 of 29 March on requirements for ensuring the security of 5G electronic communications networks and services.

Cybercrime:

  • Organic Law 10/1995 of 23 November of the Criminal Code.

2. Anticipated changes to local laws

Since 2024, two major developments have been proposed:

  • A new draft law on critical infrastructure resilience was published in February 2025, partially repealing and replacing the CIP Law to align with Directive (EU) 2022/2557. This law will update the obligations applying to operators of critical entities and foster closer cross-sector coordination.
  • A new cybersecurity framework draft law, published in early 2025, will implement Directive (EU) 2022/2555 (NIS2) and repeal Royal Decree-Law 12/2018. When the new law is approved, operators of essential services and digital service providers will have to comply with strengthened notification obligations, increased fines, and more detailed risk management measures.

3. Application 

National Security Law: regulates (i) the basic principles, the higher Public Administration bodies, authorities and main components of National Security; (ii) the National Security System and the management, organisation and coordination thereof; (iii) crisis management; and (iv) the contribution of resources to National Security. It includes cybersecurity among the areas of particular concern to National Security. This Law applies to public administrations and, on the terms set out therein, to natural persons and legal entities.

National Security Scheme: regulates the security policy to be applied in the use of electronic means in the context of the public sector, laying down the basic principles and minimum requirements for a proper protection of information to be applied by Public Administrations.

National Interoperability Scheme: regulates the criteria and recommendations in terms of security, preservation and standardisation of information, formats and applications to be considered by the Public Administrations to ensure an adequate level of interoperability of the data, information and services they manage, and to avoid citizens' discrimination on grounds of their technological choices.

CIP Law: sets out the framework for the protection of critical infrastructure, introducing measures and obligations for the public and the private sectors. It promotes the coordination and involvement of public administrations and managing bodies or owners of the infrastructure providing essential services. 

Network and Information System Security: the Royal Decree-Law 12/2018 and its regulation set up the legal framework for cybersecurity for operators of essential services and digital service providers. 

It applies to the provision of:

  • essential services dependent on networks and information systems included in the strategic sectors defined in the annex of the CIP Law,
  • digital services (online marketplace, online search engine and cloud computing service).

Operators of electronic communications networks and services and trusted electronic service providers meeting threshold requirements remain subject to cybersecurity obligations but may benefit from simplified measures aligned with their size and risk profile.

Telecoms Act: the main piece of legislation governing the provision of electronic communications networks and services. Among other regulatory obligations, electronic communications operators are subject to a number of security requirements aimed at ensuring the secrecy of communications, the protection of personal data, and the integrity and security of networks and services.

5G: Royal Decree-Law 7/2022 incorporates into the Spanish legal system the strategic and technical measures of the toolbox agreed by the EU Member States and establishes a Security Scheme for 5G networks and services. On 30 April 2024, the Government approved additional rules that detail the procedure for designating high-risk 5G vendors, the transition periods for replacing certain network elements, and the overarching 5G Security Certification Scheme.

Cybercrime: the Criminal Code includes a number of cybercrimes including, for instance, illegal access to information systems, interception of data transmissions or computer damage.

4. Authority

Critical Infrastructure:

State Secretary for Security

National Centre for the Protection of Critical Infrastructures (CNPIC) 

Note: Other institutions and authorities have responsibilities for the proper operation of essential services or citizen security (e.g. competent Ministries and bodies with regard to each relevant strategic sector, autonomous communities and cities, etc).

Network and Information System Security:

State Secretary for Digitalization and Artificial Intelligence (for digital service providers) 

Telecoms:

Ministry for Digital Transformation

5. Key obligations 

Critical infrastructure

Under the CIP Law, operators must cooperate with competent authorities to optimise the protection of the critical infrastructure they manage. This includes:

  • Cooperating in the performance of risk analysis;
  • Preparing an Operator Security Plan and a Specific Protection Plan for each infrastructure considered critical;
  • Appointing a Security Liaison Officer and a Security Officer for each critical infrastructure.

Public Sector

The National Security Scheme lays down the minimum security requirements to be adopted by the public sector. Accordingly, the higher bodies of public administrations must implement a security policy, articulating ongoing security management and complying with certain minimum requirements (among others, organisation and implementation of the security process, risk analysis and management, authorisation and access control, protection of premises, security by default, and system integrity and updating).

Under the National Interoperability Scheme, the security conditions applicable to the services of the Public Administrations which are available through electronic means, and the measures to ensure the retention and preservation of electronic documents, must be in accordance with data protection regulations, the National Security Scheme and the relevant legal instruments entered into by the Public Administrations.

Network and Information System Security:

  • Operators of essential services and digital service providers must:
    • take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the networks and information systems used;
    • take appropriate measures to prevent and minimise the impact of incidents affecting them.
  • Operators of essential services must:
    • notify the competent authority of incidents likely to have a significant disruptive effect on those services;
    • designate and inform the competent authority of their person, unit or collegiate body responsible for information security as the point of contact for technical coordination with the competent authority.

Telecoms

Operators of networks and services of electronic communications available to the public shall:

  • Adopt the technical measures required to ensure the secrecy of communications;
  • Comply with specific privacy obligations;
  • Manage security risks appropriately so as to ensure an adequate level of security and avoid or minimise the impact of security incidents;
  • Guarantee the integrity of the networks to ensure the continuity of the services using such networks;
  • Report security incidents and data breaches;
  • Guarantee the greatest possible availability of publicly available telephony services over public communications networks in the event of catastrophic network failure or force majeure, adopting all measures required to guarantee uninterrupted access to emergency services.

5G

5G operators, 5G providers and 5G corporate users who have been granted rights to use the public radio domain to install, deploy or operate a private 5G network or provide 5G services for professional or self-provisioned purposes are required to perform a comprehensive security treatment of the networks, elements, infrastructures, resources, facilities and services for which they are responsible. This includes the analysis and management of security risks. 

6. Sanctions & non-compliance 

Administrative sanctions: 

Enforcement

The National Security Law and the CIP Law do not designate a specific authority for enforcement purposes. 

Penalties

The National Security Law and the CIP Law do not lay down a sanction regime for failing to comply with the provisions thereof.

Under Royal Decree-Law 12/2018 on Network and Information System Security, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a non-serious breach, reprimand or fine of up to EUR 100,000.
  • If considered a serious breach, fines of up to EUR 500,000.
  • If considered a very serious breach, fines of up to EUR 1m (or higher if material damage is considerable, subject to the new law's updated thresholds).

Under the Telecoms Act, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a non-serious breach, fine of up to EUR 50,000.
  • If considered a serious breach, fines of up to EUR 2m.
  • If considered a very serious breach, fines of up to EUR 20m.

The Spanish Criminal Code also punishes a number of cybercrimes including, for instance, illegal access to information systems, interception of data transmissions or computer damage.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

CSIRTs are incident response teams that analyse risks and monitor incidents on a national scale, disseminate alerts about them and provide solutions to mitigate their effects.

Under the 2025 Network and Information System Security, the CSIRTs of reference are the following:

  • The CCN-CERT, of the National Cryptologic Centre;
  • The INCIBE-CERT, of the National Institute of Cybersecurity of Spain. INCIBE-CERT will be operated jointly by INCIBE and CNPIC in all matters relating to the management of incidents affecting critical operators;
  • ESPDEF-CERT, of the Ministry of Defence, which will cooperate with CCN-CERT and INCIBE-CERT where those teams require its support for operators of essential services and, in all cases, for those operators with an impact on National Defence, as determined by regulation.

8. National cybersecurity incident management structure

The National Security Law sets forth a procedure to manage crises affecting National Security, including a coordinated response to such threats. Cybersecurity is one of the areas of particular concern to National Security, so a cyber incident should be dealt with through this procedure when its effects, dimension, urgency and cross-cutting nature are severe enough to require intensified cooperation from the competent public authorities.

The President of Spain, advised by the National Cybersecurity Council, continues to have the power to coordinate the response to the risk or threat by defining the nature and scope of the crisis, appointing, if necessary, an authority in charge of coordination, the powers granted to that authority for that purpose, and the human and material resources to be provided by other authorities.

Notwithstanding the foregoing, the management procedure for responding to cybersecurity incidents generally depends on the specific sector concerned. For instance, the applicable planning instruments (i.e. the National Plan for the Protection of Critical Infrastructure, Sector Strategic Plans, Operator Security Plans, Operator Specific Protection Plans and Operational Support Plans) still govern the response to incidents.

In 2019 Spain published a National Cybersecurity Incident Notification and Management Guide. The purpose of this guide is to provide information security managers with guidelines on reporting cybersecurity incidents to the competent public authority in each case. It establishes a detailed notification model based on a series of impact criteria and classifies incidents into five levels of danger (critical, very high, high, average and low). The Guide was released by the Ministry of the Interior. In 2020 an updated version of the Spanish National Guidelines for Reporting and Managing Cyber Incidents was published. The guidelines describe a one-stop-shop mechanism based on an email or ticket sent to the corresponding CSIRT (INCIBE-CERT or CCN-CERT). Depending on the incident, the CSIRT will indicate the competent authority to which it must be reported.

These guidelines include:

  • A uniform classification/taxonomy of cyber incidents;
  • The notification impacts and thresholds;
  • Metrics and indicators of reference recommended to measure the level of implementation and efficiency of the incident management process.

In addition to these guidelines, INCIBE-CERT has published an Appendix ("Cyber incident management procedure for the private sector and citizenry") with the aim of supporting the management and reporting of cyber incidents.

9. Other cybersecurity initiatives 

Numerous recommendations, guidelines and codes of practice regarding cybersecurity continue to be released by authorities and institutions including INCIBE, INCIBE-CERT and CCN-CERT.

  • National Cybersecurity Strategy.
  • Report on Cyber threats and Trends, 2020 edition (only available in Spanish).
  • National Institute of Cybersecurity (Instituto Nacional de Ciberseguridad, INCIBE).
  • National Cryptologic Centre (Centro Criptológico Nacional, CCN).