
Data Law Navigator | Spain

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last updated March 2020

Risk Scale: Red

*Please note that, in addition to increasing the risk of sanctions, in Spain class actions led by consumers’ associations are likely, as these associations are very active, although it is not totally clear at this stage whether these associations will eventually be deemed entitled to represent data subjects in data protection court proceedings.


  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
  • Royal Decree 1720/2007, of 21 December, implementing the Law 15/1999, of 13 December, on the Protection of Personal Data (RD LOPD). (Only applicable to the extent that it has not been repealed by the GDPR or LOPDGDD)
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).
  • General Telecommunications Law 9/2014, of 9 May 2014.


Agencia Española de Protección de Datos (AEPD).

There are three regional authorities with competences in relation to data processing carried out by regional and local public bodies:

  • Autoridad Catalana de Protección de Datos
  • Agencia Vasca de Protección de Datos
  • Consejo de Transparencia y Protección de Datos de Andalucía

If applicable: stage of legislative implementation of GDPR 

The LOPDGDD came into force on 7 December 2018, reforming the previous Spanish LOPD. The aim of the new legislation is to bring the Spanish data protection regime up to the standards of the General Data Protection Regulation (GDPR) and to provide an interpretation of some of the broader concepts in the GDPR.

If applicable: local derogations as permitted by GDPR 

The following local derogations, as permitted by the GDPR, have been expressly included in the LOPDGDD:

  • Unless there is proof to the contrary, it is presumed that the processing of contact details of natural persons and individual entrepreneurs that provide their services for a legal person is covered by the legitimate interest legal basis, subject to certain requirements (art. 19).
  • Unless otherwise proved, it is presumed that the processing of personal data related to the breach of pecuniary, financial or credit obligations through common credit information systems is lawful, subject to certain requirements (art. 20).
  • Unless proved to the contrary, processing activities derived from any kind of corporate structural change transaction (transformation to a different legal form, merger, acquisition, division, global assignment of assets and liabilities and international relocation of registered office), will be presumed lawful to the extent that the processing is necessary for the success of the transaction and the continuity of the service. If the transaction does not finally take place, the transferee shall immediately erase the data, regardless of any other retention period that might legally apply (art. 21).
  • Video surveillance: Natural or legal persons, public or private, may carry out the processing of images through camera systems or video cameras in order to preserve the safety of people and property, as well as their facilities, subject to certain requirements (art. 22).
  • The processing of personal data for the purpose of avoiding the sending of commercial communications to those who have stated their refusal or objection to their receipt is lawful (art. 23).
  • The creation and maintenance of information systems through which a private entity may be made aware of, even anonymously, the commission within it or by third contracting parties of acts or behaviours which may be contrary to the applicable general or sectoral legislation (whistle blowing schemes) is lawful, subject to certain requirements. The employees and third parties shall be informed about the existence of such information systems (art. 24).
  • Processing and public access to official documents: access to official public documents containing personal data is governed by Law 19/2013, of 9 December, on transparency, access to public information and good governance, by the GDPR and by the LOPDGDD.
  • Processing in the context of employment: LOPDGDD refers to the processing of employees’ data through surveillance systems or geolocation devices to exercise the control function over employees as established in the Workers’ Statute (arts. 89 and 90). Employees have the right to the protection of their privacy in the use of digital devices made available to them by the employer (art. 87).
  • After 25 May 2018, data processing agreements in force will remain valid until the agreed date of termination. Where the contract has an indefinite duration, adaptation of the contract shall take place before 25 May 2022.

During these periods either party may require the other party to modify the contract so that it is in accordance with Article 28 GDPR.


LOPDGDD intends to adapt the current Spanish legislation on data protection to the GDPR standards, protecting the constitutional right to personal data protection pursuant to article 18.4 of the Spanish Constitution.
LOPDGDD also regulates the guarantee of the digital rights of citizens (arts. 79-97).

As in the GDPR, LOPDGDD applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

LOPDGDD does not apply to the processing of personal data:

  • by a natural person in the course of a purely personal or household activity;
  • carried out within the framework of activities which fall within the scope of Chapter 2 of Title V of the TEU;
  • for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Directive (EU) 2016/680);
  • related to deceased individuals (with some exceptions);
  • subject to the regulation on the protection of classified information.

Data processing carried out by the Courts of Justice in the course of the proceedings for which they are competent, as well as processing carried out in the management of the “Judicial Office”, is governed by the provisions of the GDPR and the LOPDGDD, without prejudice to the provisions of Organic Law 6/1985, of 1 July, on the Judicial Power, where applicable.


The AEPD has enforcement powers (administrative procedures only). Under the LOPDGDD, infringements are the acts and conduct described in article 83 of the GDPR.

Additionally, the LOPDGDD sets up what may be considered very serious, serious and minor infringements, establishing a statute of limitations of three, two and one year respectively.

Finally, in addition to the graduation criteria established in article 83.2 of the GDPR, the LOPDGDD adds new criteria, such as the continued nature of the infringement, the connection between the offender's activity and the processing of personal data, the benefits obtained from the commission of the infringement, the possibility that the conduct of the person concerned might have led to the commission of the offence, and/or the existence of a merger by absorption following the commission of the infringement, which cannot be attributed to the merging entity (art. 76).

Registration / notification 

Registration or notification of processing operations or filing systems is not provided for by the LOPDGDD.

The LOPDGDD regulates:

  • notification of DPOs to the data protection authorities (art. 34.3);
  • registration of codes of conduct (art. 38.5).

Main obligations and processing requirements

The main obligations are (i) information obligations and (ii) obtaining the data subjects’ consent or another legal basis for the processing; the LOPDGDD mirrors the obligations set out in (i) articles 13 and 14 GDPR and (ii) articles 6 to 10 GDPR. The AEPD has published additional guidelines on the obligations of data controllers under the GDPR. Guidelines are available here (only available in Spanish).

Data subject rights

As in the GDPR, data subjects have the following rights (arts. 12-18):

  • information and transparency;
  • access;
  • rectification and erasure (“right to be forgotten”);
  • restriction of processing;
  • data portability;
  • objection;
  • not to be subject to a decision based solely on automated processing, including profiling.

The LOPDGDD also specifically regulates the rights to be forgotten and to data portability in social networks (arts. 94 and 95).

Processing by third parties

LOPDGDD (art. 33) directly refers to Article 28.3 GDPR. The AEPD has published additional guidelines on the contracts binding on the processor. Guidelines are available here (only available in Spanish).

Transfers out of country

Under the LOPDGDD, the rules applicable to international data transfers reflect those in Chapter V GDPR.
The Law regulates standard contractual clauses adopted by the data protection authorities for carrying out international transfers (art. 41), cases subject to prior authorisation from the data protection authorities (art. 42) and those subject only to prior information to these authorities (art. 43).

Data Protection Officer

The LOPDGDD sets out the same criteria as article 37 GDPR in relation to DPO appointment obligations. However, for the avoidance of doubt, the LOPDGDD (art. 34) lists particular entities which must appoint a DPO, including the following: professional associations; educational centres; entities operating networks and providing electronic communication services; information society service providers; credit institutions and/or financial companies; insurance companies; investment service companies; energy distributors and traders; entities responsible for files related to financial solvency and creditworthiness; companies developing marketing and commercial research activities; health centres; gambling operators that operate through electronic means; private security companies; and sports federations when processing minors’ data.

The LOPDGDD sets out that DPOs are not personally responsible for non-compliance with the GDPR (art. 70.2). As in the GDPR, the LOPDGDD makes it clear that it is the controller or the processor who is required to ensure, and to be able to demonstrate, that processing is performed in accordance with the law. Data protection compliance is the responsibility of the controller or the processor.

Additionally, a ten-day period is established for controllers and processors to notify the appointment and removal of DPOs to the AEPD or the regional data protection authorities, both when the appointment is mandatory and when it is made voluntarily (art. 34.3).

The LOPDGDD specifies that the AEPD and the regional data protection authorities will maintain an up-to-date list of DPOs that will be accessible by electronic means (art. 34.4).

On 10 January 2020 the AEPD released an updated version (v.1.4) of the Certification Scheme for Data Protection Officers. Under this version, DPOs may use the certification mark and training entities must publish certain information on their training programmes on their webpages. This certification is voluntary for DPOs. It was adopted as “a valid tool for the objective, impartial assessment of the competence of an individual to carry out a specific activity”.

Finally, the LOPDGDD regulates the intervention of the DPO in the case of a complaint before a data protection authority: the data subject may first address the complaint to the DPO, who then has the opportunity to reach a decision before the matter goes to the AEPD (a maximum period of two months from receipt of the complaint is established) (arts. 37 and 65.4).


Under the previous LOPD and RD LOPD, data controllers and processors had to take appropriate technical and organisational measures against unauthorised or unlawful access or processing, and against accidental loss or destruction of, or damage to, personal data.

The RD LOPD sets out exhaustive security measures to ensure a level of security appropriate to the nature of the data in relation to the following categories:

  • Basic security measures must be applied to all data. These measures include, for instance, access control to data by employees.
  • Medium security measures must be applied to data that, for instance, allows data controllers to profile data subjects. These measures include, for instance, data privacy audits every two years and the appointment of a person responsible for security within the organisation.
  • High security measures are applicable to special categories of data (gender violence, health, sexual life…). These measures include, for instance, encryption when communicating personal data.

The LOPDGDD eliminates the tiered system of security measures described above. Controllers and processors must implement the security measures provided for in Article 32 GDPR, but there is no checklist as under the previous RD LOPD.
Public Administrations shall apply the security measures established in the so-called "National Security Scheme".

Breach notification

LOPDGDD does not refer explicitly to the legal obligation to notify personal data security breaches (to data subjects or the data protection authority). However, failure to comply with such obligations under articles 33 and 34 GDPR has been included as an infringement (serious or minor) under the LOPDGDD.

The AEPD has published additional guidelines on management and notification of data breaches. Guidelines are available at the AEPD's webpage (available here).

Direct marketing

  • Electronic commercial communications (opt-in system) through email are governed by the LSSI. In this regard, AEPD has issued a report which expressly states that the LSSI, because of its special character, prevails over the data protection regulation. In accordance with Article 21.1 LSSI, sending electronic commercial communications through email is forbidden unless requested or expressly authorised by the data subject (including legal persons).

Companies must always include an easy and free procedure that allows the data subject to object to the use of his or her personal data for electronic commercial communications.

  • Commercial communications by regular mail or phone are governed by LOPDGDD, excluding legal persons.

When a data subject objects to the processing of his or her personal data for marketing purposes, the data controller shall inform him or her of the existing advertising exclusion systems.


Article 22 LSSI sets out that cookies may be used in the recipients’ computers or equipment when data subjects have given their consent once they have been fully and clearly informed on the purpose of those technologies and especially on their use for data processing, as per the requirements established in the LOPD.

Notwithstanding the previous provision, the AEPD has recently established (only available in Spanish) that, once the GDPR became fully applicable, the consent requirements for the use of cookies are those established in the GDPR.

The AEPD has published additional guidelines on cookies and similar technologies (i.e. local shared objects or flash cookies) adapted to the GDPR and LOPDGDD. Guidelines are available at the AEPD's webpage (available here).

There is an electronic procedure for communicating data breaches to the AEPD (only available in Spanish). It requires an electronic certificate or a Cl@ve PIN, a PIN code that enables identification and signing for many procedures with the Public Administrations and other public entities, as in this case.

Useful links

Web page of the AEPD (only available in Spanish): 


Cyber Security

Last updated March 2020

Risk Scale: Orange

Laws and regulations

The National Cybersecurity Strategy was adopted in 2019 (developing the provisions of the 2017 National Security Strategy and updating the previous version adopted in 2013). The aim of the current version of the Strategy is to promote a secure and reliable cyberspace. The Strategy sets out five specific goals and seven lines of action, such as boosting cybersecurity for citizens and companies or contributing to international cyberspace security. The Strategy is available here (in English).

Accordingly, there is no single regulation; rather, several rules make up the Spanish cybersecurity regulatory framework. The Cybersecurity Law Code, published in the Spanish Official Journal in cooperation with the Spanish National Cybersecurity Institute (INCIBE), collates the main legislation related to information security and the protection of cyberspace, among which the following are worth mentioning:

National security

  • Law 36/2015, of 28 September, on National Security (National Security Law).
  • Order PRA/33/2018, of 22 January, publishing the Agreement of the National Security Council regulating the National Cybersecurity Council (National Cybersecurity Council).
  • Order PRA/116/2017, of 9 February, publishing the Agreement of the National Security Council implementing the mechanisms to ensure the integrated operation of the National Security System (NSS Mechanisms Order).
  • Royal Decree 1008/2017, of 1 December, approving the National Security Strategy 2017 (National Security Strategy).
  • Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of e-Government (e-Government National Security Scheme).
  • Royal Decree 4/2010, of 8 January, regulating the National Interoperability Scheme in the field of e-Government (e-Government National Interoperability Scheme).
  • Order PRE/2740/2007, of 19 September, approving the Regulation on the Information Security Evaluation and Certification Scheme (Regulation on the Information Security Evaluation and Certification Scheme).


  • Organic Law No. 10/1995, of 23 November, of the Criminal Code (Criminal Code).
  • Organic Law No. 5/2000, of 12 January, regulating the criminal liability of minors (part-inclusion).
  • Royal Decree of 14 September 1882 approving the Code of Criminal Procedure (part-inclusion).

Computer Security Incident Response Team

  • Law No. 34/2002, of 11 July, on information society services and e-commerce (LISSEC).
  • Royal Decree No. 421/2004, of 12 March, regulating the National Cryptology Center (CCN Regulation).

Critical infrastructure

  • Law No. 8/2011, of 28 April, implementing measures for the protection of critical infrastructures (CIP Law).
  • Royal Decree No. 704/2011, of 20 May, approving the Regulation on the protection of critical infrastructures (CIP Regulation).
  • Decision of the State Secretariat for Security, of 8 September 2015, approving the new minimum content of the Operator’s Security Plans and the Specific Protection Plans (Decision on the Operator’s Security Plans and Specific Protection Plans).

Network and information systems

  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).
  • Royal Decree-Law No.12/2018 on Network and Information System Security
  • Royal Decree-Law 8/2020 of 17 March 2020 on urgent extraordinary measures to deal with the economic and social impact of COVID-19.

Telecommunications and users

  • General Telecommunications Law No. 9/2014, of 9 May (Telecoms Act).
  • Royal Decree No. 424/2005 of 15 April 2005, approving the Regulation on the conditions for the provision of electronic communication services, universal service and users’ protection (the Universal Service Regulation).
  • Royal Decree No. 381/2015 of 14 May 2015, establishing measures against unauthorised traffic and irregular traffic for fraudulent purposes in electronic communications (the Unauthorised and Irregular Traffic Regulation).
  • Commission Regulation (EU) No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (EU Data Breach Notification Regulation).
  • Law 59/2003, of 19 December, on electronic signatures.
  • Law 25/2007, of 18 October, on the conservation of data relating to electronic communications and public communications networks.

Data protection

  • Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)).
  • Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
  • Royal Decree No. 1720/2007 of 21 December 2007, approving the regulations implementing Organic Law No. 15/1999 (Only applicable to the extent that it has not been repealed by the GDPR or LOPDGDD)


National Security Law: regulates (i) the basic principles, the higher Public Administration bodies, authorities and main components of National Security; (ii) the National Security System and the management, organization and coordination thereof; (iii) crisis management; and (iv) the contribution of resources to National Security. It includes cybersecurity among the areas of particular concern to National Security. This Law applies to public administrations and, on the terms set out therein, to natural persons and legal entities.

eGovernment National Security Scheme: regulates the security policy to be applied in the use of electronic means in the context of the public sector, laying down the basic principles and minimum requirements for a proper protection of information to be applied by Public Administrations. It does not cover information systems regulated by official secrets regulations.

eGovernment National Interoperability Scheme: regulates the criteria and recommendations in terms of security, preservation and standardization of information, formats and applications to be considered by the Public Administrations to ensure an adequate level of interoperability of the data, information and services they manage, and to avoid citizens’ discrimination on grounds of their technological choices.

CIP Law: sets out the framework for the protection of critical infrastructures, introducing measures and obligations for the public and the private sectors. It promotes the coordination and involvement of public administrations and managing bodies or owners of the infrastructures providing essential services. The strategic sectors covered by the Law are Administration, Space, Nuclear Industry, Chemical Industry, Research Facilities, Water, Energy, Health, Information & Communication Technologies (ICT), Transport, Food, and Financial & Tax System.

Telecoms Act: main piece of legislation governing the provision of electronic communications networks and services. Among other regulatory obligations, electronic communications operators are subject to a number of security requirements aimed at ensuring the secrecy of communications, the protection of personal data and the integrity and security of networks and services.


The National Security Law designates the following as national security competent authorities: (i) Parliament and Senate; (ii) Government (http://www.lamoncloa.gob.es); (iii) Prime Minister (http://www.lamoncloa.gob.es/presidente/Paginas/index.aspx); (iv) Ministers (http://www.lamoncloa.gob.es/gobierno/Paginas/index.aspx); (v) National Security Council (http://www.dsn.gob.es/es/sistema-seguridad-nacional/consejo-seguridad-nacional); and (vi) Government Representatives in Autonomous Communities and Cities (http://www.seat.mpr.gob.es/portal/delegaciones_gobierno/delegaciones.html). In addition, the National Security Law sets out the so-called National Security System, a group of authorities, bodies, resources and proceedings that allow the competent authorities to exercise their duties. The structure of the National Security System includes the Prime Minister, who manages the System with the assistance of the National Security Council, the National Security Department and the support bodies of the National Security Council.

The CIP Law designates the following bodies as agents of the so-called Critical Infrastructures Protection System: (i) State Secretary for Security (http://www.interior.gob.es/el-ministerio/funciones-y-estructura/secretaria-de-estado-de-seguridad); (ii) National Center for the Protection of Critical Infrastructures (CNPIC; http://www.cnpic.es/); (iii) certain competent Ministries and bodies with regard to each relevant strategic sector; (iv) Autonomous Communities and Cities; (v) Government Representation Offices; (vi) Local Authorities; (vii) National Commission for the Protection of Critical Infrastructures; and (viii) Interdepartmental Working Party for the Protection of Critical Infrastructures. These institutions and authorities have responsibilities regarding the proper operation of essential services or regarding citizens’ security.

The Royal Decree-Law No. 12/2018 on Network and Information System Security designates the following competent authorities on the security of network and information systems: for critical operators, the State Secretary for Security (through CNPIC); and for digital service providers, the State Secretary for Digital Progress of the Ministry of Economy and Enterprise.

From a telecoms regulation perspective, the Ministry of Energy, Tourism and Digital Agenda (www.minetad.gob.es) and the Spanish Data Protection Agency (AEPD; www.agpd.es) are responsible for enforcing the relevant obligations.

Key obligations

Critical infrastructure

Under the CIP Law, operators must cooperate with competent authorities to optimize the protection of the critical infrastructure they manage. This includes:

  • Cooperating in the performance of risk analysis
  • Preparing an Operator Security Plan and a Specific Protection Plan for each infrastructure considered critical
  • Appointing a Security Liaison Officer and a Security Officer for each critical infrastructure

Public Sector

The e-Government National Security Scheme lays down the minimum security requirements to be adopted by the public sector. Accordingly, the higher bodies of public administrations must implement a security policy, articulating security ongoing management and complying with certain minimum requirements (among others, organisation and implementation of the security process, risk analysis and management, authorisation and access control; protection of premises, security by default and system integrity and update).

Under the e-Government National Interoperability Scheme, the security conditions applicable to the services of the Public Administrations which are available through electronic means and the measures to ensure the retention/preservation of electronic documents must be in accordance with data protection regulations, the e-Government National Security Scheme and the relevant legal instruments to be subscribed by the Public Administrations.


  • Adopting the technical measures required to ensure the secrecy of communications
  • Compliance with specific privacy obligations
  • Managing security risks adequately to ensure an adequate level of security and to avoid or minimise the impact of security incidents
  • Guaranteeing the integrity of the networks to ensure the continuity of the services using such networks
  • Mandatory reporting of security incidents and data breaches
  • Guaranteeing as much availability as possible of publicly available telephony services through public communications networks in case of network catastrophic failure or of an event of force majeure, adopting all measures required to guarantee uninterrupted access to emergency services



Neither the National Security Law nor the CIP Law designates a specific authority for enforcement purposes.

The Royal Decree-Law No. 12/2018 on Network and Information System Security designates the following competent authorities for enforcement purposes: (i) in the case of very serious infringements, the competent Ministry pursuant to article 9; (ii) in the case of serious and minor infringements, the body of the competent authority determined by the regulations implementing this Royal Decree-Law.

The Ministry of Energy, Tourism and Digital Agenda and the AEPD are responsible for enforcing the electronic communications regulatory framework.


The National Security Law and the CIP Law do not lay down a sanction regime for failing to comply with the provisions thereof.

Under Royal Decree-Law No. 12/2018 on Network and Information System Security, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a minor breach, reprimand or fine of up to EUR 100,000.
  • If considered a serious breach, fines of up to EUR 500,000.
  • If considered a very serious breach, fines of up to EUR 1 million.

Under the Telecoms Act, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a minor breach, fines of up to EUR 50,000.
  • If considered a serious breach, fines of up to EUR 2 million.
  • If considered a very serious breach, fines of up to EUR 20 million.

The Spanish Criminal Code also punishes a number of cybercrimes including, for instance, illegal access to information systems, interception of data transmissions or computer damages.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

CSIRTs are incident response teams that analyse risks and monitor incidents on a national scale, disseminate alerts about them and provide solutions to mitigate their effects.

Under Royal Decree-Law No. 12/2018 on Network and Information System Security, the CSIRTs of reference are the following:

  • The CCN-CERT, of the National Cryptologic Center.
  • The INCIBE-CERT, of the National Institute of Cybersecurity of Spain (INCIBE). INCIBE-CERT is operated jointly by INCIBE and CNPIC in all matters relating to the management of incidents affecting critical operators.
  • The ESPDEF-CERT, of the Ministry of Defence, which cooperates with CCN-CERT and INCIBE-CERT in those situations where they require it in support of operators of essential services and, necessarily, for those operators that have an impact on National Defence and that are determined by regulation.

Is there a national incident management structure for responding to cyber security incidents?

The National Security Law sets forth a procedure to manage crises affecting National Security, including a coordinated response to such threats. Cybersecurity is one of the areas of particular concern to National Security, so a cyber incident should be dealt with through this procedure when its effects, dimension, urgency and cross-cutting nature are severe enough to require intensified cooperation from the competent public authorities. In these cases, the Prime Minister coordinates the response to the risk or threat by defining the nature and scope of the crisis, appointing, if necessary, an authority in charge of coordination, the range of powers that authority will be granted for that purpose, and the human and material resources to be provided by other authorities to contribute to the resolution of the crisis. The Government is obliged to inform Congress immediately about the measures undertaken and the evolution of the crisis.

Notwithstanding the foregoing, the management procedure for responding to cybersecurity incidents generally depends on the specific sector concerned. For instance, as regards critical infrastructures, the response to and management of cyber incidents is carried out in accordance with the applicable planning instruments (i.e. the National Plan for the Protection of Critical Infrastructures, Sector Strategic Plans, Operator Security Plans, Operator Specific Protection Plans and Operational Support Plans). This information is classified, so its content is not publicly available.

INCIBE-CERT provides a service to respond to cybersecurity incidents addressed to citizens, companies, personnel belonging to the academic and research network RedIRIS and strategic and critical infrastructure operators (in this last case, in coordination with CNPIC).

CCN-CERT provides a service to respond to cyber incidents affecting classified systems, systems of the Spanish Public Administrations, and systems of companies and organisations of strategic interest.

In 2019 Spain published a National Cyber-security Incident Notification and Management Guide. The purpose of this guide is to provide information security managers with guidelines on reporting cyber-security incidents to the competent public authorities in each case. It establishes a detailed notification model based on a series of impact criteria and classifies incidents into five levels of danger (critical, very high, high, average and low). The Guide was released by the Ministry of the Interior (only available in Spanish).

Other cyber security initiatives

Numerous recommendations, guidelines and codes of practice regarding cybersecurity have been issued by authorities and institutions including INCIBE, INCIBE-CERT and CCN-CERT. For instance:

  • INCIBE guidelines on cloud computing, ransomware, secure deletion of information, secure storage of information, management of security incidents, cybersecurity in e-commerce and security risk management.
  • INCIBE-CERT Guide on cybersecurity in wireless communications in industrial environments; Guide on Industrial Protocols Security – Smart Grids; and Situation of malware for Android.
  • CCN-CERT Principles and basic recommendations on cybersecurity, and Good Practice Reports on e-commerce, mobile devices, web browsers, ransomware and IoT.

Several notable tools have been developed for detecting and managing security incidents, such as SAT (https://www.ccn-cert.cni.es/gestion-de-incidentes/sistema-de-alerta-temprana-sat.html), LUCIA (https://www.ccn-cert.cni.es/gestion-de-incidentes/lucia.html) and REYES (https://www.ccn-cert.cni.es/herramientas-de-ciberseguridad/reyes.html).

There are also different private initiatives to promote cybersecurity and the cooperation between the public and private sector in this field, such as ABUSES Forum (http://abuses.es/index.html.en), ISMS Forum Spain (www.ismsforum.es), National Forum for Digital Trust (http://www.agendadigital.gob.es/agenda-digital/FNCD/Paginas/foro-nacional-confianza-digital.aspx) or the Circle of Technologies for the Defence and Security Foundation (https://fundacioncirculo.es/).



José Luis Piñar
Javier Torre de Silva