In recent days, attention has once again turned to financial cyberattacks in Spain, after reports that our country moved up the ranking of the most attacked in Europe during 2025. Beyond the headline, this data is a clear signal for banks, insurers, fintechs and technology providers: what is at stake is no longer just “suffering a computer attack”, but maintaining business continuity and complying with an increasingly demanding regulatory framework, with DORA as its centerpiece.

What is known about cyberattacks?

According to published information, Spain recorded dozens of “major” financial incidents during 2025, ranking among the most attacked countries in Europe. This type of data usually comes from threat intelligence reports and incident aggregators, and helps to visualize an operational reality: the financial sector concentrates economically motivated campaigns (cybercrime), but also episodes of reputational pressure and hacktivist activity.

It is important to clarify two points to correctly interpret these figures:

  1. “Major cyberattacks” does not equal “all incidents”: the term usually refers to campaigns that are relevant by impact, notoriety or reach.
  2. There are methodological differences between sources (what they consider a “financial attack”, what is included as a “major incident”, whether attempts are counted or only confirmed intrusions, etc.).

In risk management, the useful thing is not to debate the exact number, but to assume that the sector is a target and to reinforce controls and resilience in a measurable way.

Why this sector is a target

The financial sector is especially attractive due to a combination of factors:

  • Direct impact on money: fraud, transfers, payments, extortion.
  • Sensitive data: identity, banking information, KYC, scoring, documentation.
  • Domino effect: A security breach can affect customers, partners, payment processors and third parties.
  • High technological dependence: APIs, cloud, integrations, outsourcing, software providers and managed services.

In addition, there is an element that multiplies pressure: traceability and evidence. The industry must not only protect itself, but demonstrate that it properly manages ICT risk, including critical suppliers and operational resilience.

How do these types of attacks occur

Although each incident is different, many attacks in the sector share patterns. These types of cyberattacks usually stem from five main causes:

  1. Phishing and social engineering to steal credentials or bypass controls (including MFA “fatigue”).
  2. Exploitation of vulnerabilities on exposed services or unpatched systems.
  3. Access by third parties: compromised vendor, poorly governed remote access, uncontrolled integrations.
  4. Lateral movement and privilege escalation: The attacker seeks to consolidate access and reach critical systems.
  5. Extortion and Double Impact: ransomware, data breaches, and reputational/operational pressure.

In practice, many incidents don't start with a sophisticated technique, but with a basic weakness: reused passwords, lack of segmentation, excessive permissions, or lack of continuous monitoring.

Key lessons for companies

If you work in banking, insurance, payment methods, fintech or are an ICT provider in the sector, these are the priorities that are most repeated when we analyze real incidents:

  • Reduce attack surface: asset inventory, Internet exposure, hardening, patches with SLA.
  • Shield identities: robust MFA, privilege control, access review, segregation of duties.
  • Detection and response: 24/7 SOC, use cases aimed at fraud and intrusion, containment playbooks.
  • Operational resilience: immutable copies, restore tests, realistic RTO/RPO, continuity.
  • Third parties under control: due diligence, contractual requirements, evidence, audits and monitoring.

The difference between “incident” and “crisis” usually comes down to two things: early detection and real resilience.

Cybersecurity as a strategic priority

Financial cyberattacks in Spain are not just a technical problem: they are a business risk with an impact on continuity, customer trust and compliance. In an environment where the sector operates with multiple technological dependencies, cybersecurity must be treated as a management discipline: with clear owners, metrics, evidence and continuous improvement.

And this is where the regulatory framework marks a turning point, because it requires us to standardize that operational maturity and demonstrate it.

Complying with DORA is no longer optional: how to prepare in 2026

Since January 17, 2025, DORA has been mandatory in Spain for financial institutions included in its scope. This involves moving from “having measures” to demonstrating digital operational resilience with evidence: ICT risk management, control of critical third parties, real capacity to respond to and report incidents, and periodic resilience tests.

At Apolo Cybersecurity we help organizations implement DORA with a practical approach: gap analysis, prioritization of requirements, construction of evidence for auditing and operational reinforcement (24/7 monitoring, incident response and supplier governance).
