Spain's CNI Confirms It's Among the Most Cyberattacked Countries in the World: What It Means for Your Business

The Secretary General of Spain's National Intelligence Centre (CNI), Luis García Terán, has publicly confirmed that Spain is among the countries receiving the most cyberattacks in the world, and that these aggressions arrive, in his own words, “with all kinds of artifacts.” The warning, made during the Security and Global Defence forum organised by Europa Press on 5 May 2026, is more than an institutional headline: it confirms a reality that Spanish businesses and public administrations face daily, and forces a rethink of how corporate cybersecurity is managed when the adversary is increasingly diverse, fast and accessible.

‍

What did the CNI say?

The statements from the deputy head of the intelligence service, reported by El Español, EFE and Europa Press, deliver three core messages for businesses, administrations and critical infrastructure operators:

• Spain is a permanent, top-tier target. The CNI ranks the country among the most cyberattacked in the world, with campaigns combining ransomware, espionage and disinformation.
• Attack capabilities have been democratised. What once required an advanced technical team can today be executed with accessible tools, ransomware-as-a-service (RaaS) platforms and generative artificial intelligence.
• The frontline is no longer just technical, it is also social. García Terán stressed that cyberattacks no longer aim solely to steal information: they also seek to polarise society and erode trust in democratic institutions.

The CNI also recalled that it dedicates significant effort to identifying attack attempts against the Ministry of Defence, against its own networks, and against Spanish companies, both inside and outside the country. The operational translation for any organisation is direct: the risk is neither theoretical nor exclusive to large strategic operators.

‍

Why Spain concentrates so much offensive interest

The CNI's message connects with data the sector has been documenting for some time. Spain combines a series of factors that make it a priority target for multiple types of actors:

1. Strategic position in the European Union and NATO. Spain is a logistical, energy and telecommunications hub for the entire European Atlantic seaboard. That attracts the interest of rival states and operators affiliated with them.
2. Business fabric dominated by SMEs. 50% of Spanish SMEs suffer some form of cyberattack each year. It is an enormous attack surface with a very uneven security posture.
3. Critical infrastructure with high digital dependency. Energy, transport, healthcare, water, finance and public administration have digitalised rapidly and, in many cases, without proportionate investment in cybersecurity.
4. Regulatory delay. The transposition of the NIS2 directive, which should have been completed in October 2024, remains unfinished as of today. This vacuum leaves many obligated companies in a grey zone regarding their duties and responsibilities.
5. Linguistic ecosystem attractive to attackers. The Spanish language connects with hundreds of millions of users in Latin America, multiplying the return on phishing, fraud and disinformation campaigns generated with AI.

The conclusion that emerges from the CNI's analysis is not new, but it is more emphatic: Spain is not collateral damage, it is a deliberate target. And it will be increasingly so.

‍

How cybercrime is being democratised

The democratisation the CNI refers to is no metaphor. It is a structural change underway since 2023, accelerated through 2025 and 2026 by three concrete factors:

1. Ransomware-as-a-Service (RaaS). Platforms run by operators like Qilin, The Gentlemen or new white-label brands such as DragonForce allow any affiliate, without coding skills, to launch professional extortion campaigns in exchange for a percentage of the ransoms.
2. Generative artificial intelligence. According to data published by INCIBE, more than 28 million cyberattacks in 2025 were powered by AI, and 87% of companies reported incidents enhanced by this technology. AI enables flawless phishing in any language, generates deepfakes, discovers vulnerabilities within hours, and executes lateral movement across networks in under 30 seconds.
3. Credential and access marketplaces. Initial Access Brokers (IABs) have professionalised the trade in corporate credentials, VPN access and valid OAuth tokens. An attacker on a low budget can now purchase access to a specific company and operate from inside as if they were an employee.

The result is a landscape in which a single operator with basic skills can compromise dozens of organisations within weeks. What used to be a state-level operation can now be a garage operation.

‍

Key lessons for businesses and executives

The CNI's warning leaves several actionable takeaways that any company, regardless of size, should bring to the management agenda:

• Cybersecurity is no longer an IT issue, it is a corporate governance issue. If attack capabilities are within reach of non-state actors with limited resources, the responsibility to protect the company can no longer be fully delegated to the technical team. It must sit on the board's and executive committee's agenda.
• NIS2 is not paperwork, it is leverage. Even if Spain's transposition is delayed, companies operating in affected sectors should already be aligning with the directive: doing so avoids last-minute compliance costs and, more importantly, improves real security posture.
• Third-party due diligence is non-negotiable. The dominant pattern in 2026 is to attack upstream in the chain (vendor → client). Auditing the security posture of third parties with privileged access to your systems is an obligation, not a formality.
• Identity is the new perimeter. Compromised credentials, persistent OAuth tokens, unmonitored SaaS sessions. Detection and response must increasingly focus on identity behaviour rather than on classic perimeter defence.
• Preparation is trained, not assumed. Having an incident response plan that has never been tested is not having a plan. Tabletop exercises, drills and recovery tests make the difference between containing an incident in hours or in weeks.

The right question for any Spanish executive today is no longer whether their company will be attacked, but when and with what impact. The CNI is saying it out loud. And it is saying it because they are already seeing it.

‍

Cybersecurity as a strategic priority

The CNI's warning confirms a trend that no longer admits nuance: Spain operates in an environment of permanent and growing digital hostility. For businesses, this means cybersecurity must shift from the technology budget to the business continuity budget. And it must be addressed with three clear principles: real visibility over identities and vendors, early detection capability, and tested response plans.

Investment in cybersecurity is not a compliance cost, it is a resilience lever and, in many sectors, a condition for continuing to operate. Organisations that grasp this fastest will be best positioned to absorb incidents that, according to the CNI itself, are not going to stop.

‍

Apolo Cybersecurity: getting ahead of an adversary that is already here

At Apolo Cybersecurity we help Spanish companies assess their real exposure to the threat landscape the CNI describes. We work on security posture assessment, identity and access management, technology supply chain analysis, continuous monitoring, incident response drills and NIS2 compliance support.

If your organisation operates in a critical sector, manages sensitive data, or depends on technology vendors with privileged access to your systems, this is the time to review your real level of preparation. Not after the next incident.

‍