On the morning of Thursday 14 May 2026, the website of the Comisión Nacional de los Mercados y la Competencia (CNMC), Spain’s National Markets and Competition Commission, went offline for several hours after the institution detected a massive and irregular volume of simultaneous requests. The institution confirmed it with an official statement: “The CNMC website is temporarily out of service due to the irregular receipt of thousands of simultaneous access requests.” Users encountered a 502 Bad Gateway error when trying to reach the site. The cause: a distributed denial-of-service (DDoS) attack. The CNMC is one of the most relevant regulatory bodies in the Spanish economy, overseeing the energy, telecoms, transport, audiovisual and postal services markets, and is an essential reference for thousands of businesses and media outlets. Having its website taken down for hours is not a minor incident.

What do we know about the DDoS attack on the CNMC?

Facts documented by Escudo Digital, Servimedia, ADSLZone, BitLifeMedia and Consumidor Global:

  • Date and time: the attack occurred on the morning of Thursday 14 May 2026.
  • Confirmed attack type: DDoS (distributed denial-of-service attack), as reported by a spokesperson for the institution.
  • Impact: the CNMC website remained offline for several hours, showing a 502 Bad Gateway error. The body’s various digital services became inaccessible to businesses, media outlets and citizens.
  • Official statement: the CNMC communiqué stated that technical teams were working “to contain the attack, guarantee the security of systems, and restore service as quickly as possible.”
  • No confirmed attribution: the CNMC has not publicly disclosed which actor is behind the attack or whether an investigation has been opened.
  • No confirmed data compromise: a DDoS in principle does not involve unauthorised access to systems or data theft — its goal is service disruption, not exfiltration. However, in some hybrid attacks the DDoS acts as a smokescreen for a simultaneous intrusion, making subsequent forensic investigation mandatory.

Why regulators and public bodies are priority DDoS targets

The attack on the CNMC is not an isolated incident in the Spanish threat landscape. Since 2022, regulatory bodies, ministries, critical infrastructure companies and public digital services have been recurring DDoS targets across Spain and Europe. Four factors explain this pattern:

  1. High visibility and maximum reputational impact. Taking down a national regulator’s website generates immediate media coverage and sends a message of institutional vulnerability. The cost to the attacker is low; the impact on public perception is disproportionate.
  2. Historically less-protected public digital infrastructure. Public bodies tend to have slower technology renewal cycles and smaller cybersecurity budgets than large private corporations, making their digital services more susceptible to volumetric attacks.
  3. Third-party operational dependency. Thousands of Spanish businesses depend on CNMC resolutions, reports and public data for their daily operations. Disrupting its accessibility has a cascade effect on the private sector.
  4. Growing geopolitical and ideological motivation. Hacktivist groups with political motivations — such as NoName057(16), UserSec, KillNet or their successors — have made European public institutions a habitual target of coordinated DDoS campaigns, particularly in the context of the Ukraine conflict and NATO-Russia tensions. Spain, as an active NATO member, has been a recurring target since 2022.

How a DDoS attack of this type works

A DDoS attack is not technically sophisticated in concept, but can be devastating in execution. The principle is simple: overwhelm the target’s infrastructure with a volume of traffic that exceeds its processing capacity until it becomes inaccessible. The CNMC’s own description — “thousands of irregular simultaneous access requests” — is consistent with a classic volumetric attack. These attacks can follow different patterns:

  1. Volumetric attacks: flood the target’s network connection with massive traffic (DNS amplification, NTP amplification, UDP flood). Available bandwidth is exhausted and the service goes down.
  2. Protocol attacks: exploit weaknesses in network protocols such as TCP/IP to consume the processing resources of servers and intermediate network devices (SYN flood, Ping of Death).
  3. Application layer (L7) attacks: generate apparently legitimate HTTP requests at massive volume — harder to filter because the traffic appears normal. The 502 Bad Gateway error documented in the CNMC attack is consistent with this type, which saturates backend web servers.

The typical infrastructure for launching an institutional-scale DDoS includes botnets of thousands of compromised devices (including home routers, IP cameras and IoT devices, as noted in the 2025 National Security Report), DDoS-as-a-Service platforms on the dark web available from under $50 per hour, and in the case of coordinated hacktivist groups, networks of volunteers who install attack tools on their own devices.

Key lessons for CISOs and IT managers at Spanish businesses

The DDoS attack on the CNMC has direct implications for any organisation with digital services exposed to the internet:

  • A DDoS may not be “just” a DDoS. In hybrid attacks, the DDoS is the noise that conceals a simultaneous intrusion. When the CNMC detected the massive traffic, technical teams focused on restoring service. The mandatory forensic question is: did anyone exploit that chaos to access internal systems? Every organisation must have a specific protocol for this scenario.
  • The public institutions you depend on are part of your risk chain. If your business depends on CNMC resolutions, data or services — or on the AEPD, INCIBE or any other public digital body — disruption of those services must be covered in your operational continuity plan.
  • DDoS protection is not optional for any internet-facing corporate website. Cloud DDoS mitigation services (Cloudflare, Akamai, AWS Shield, Azure DDoS Protection) absorb malicious traffic before it reaches server infrastructure. Their cost is significantly lower than the impact of a prolonged outage.
  • DDoS attacks grew 30% in 2025. According to multiple specialist reports, DDoS attacks grew by over 30% globally during 2025. Spain, as a country with high digital exposure and active NATO membership, is a specific target for hacktivist group campaigns.
  • Transparent communication during the incident. The CNMC issued a statement acknowledging the attack from the outset. For private businesses, managing communications during a DDoS incident — especially when it affects clients or partners — is as important as the technical response. Silence breeds distrust; transparency, however uncomfortable, protects long-term reputation.
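The hybrid-attack question from the first lesson above, applied to the application-layer pattern described earlier, can be turned into a log triage step. This is an added example, not code from the CNMC or from the article's sources; it assumes a combined-log-style access log, and the sensitive path prefixes, the 5x-median threshold and all log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log shape: ip - - [timestamp] "METHOD path PROTO" status bytes
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield (minute, ip, method, path, status) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ip, ts, method, path, status = m.groups()
        yield datetime.strptime(ts, TS).replace(second=0), ip, method, path, int(status)

def flood_minutes(events, factor=5):
    """Minutes whose request count is >= factor x the median minute."""
    per_minute = Counter(e[0] for e in events)
    counts = sorted(per_minute.values()) or [0]  # empty log -> no flood minutes
    median = counts[len(counts) // 2]
    return {m for m, n in per_minute.items() if n >= factor * max(median, 1)}

def triage(lines, sensitive=("/admin", "/login"), factor=5):
    """Return (flood minutes, successful sensitive requests inside them)."""
    events = list(parse(lines))
    floods = flood_minutes(events, factor)
    review = [e for e in events  # 2xx/3xx on a sensitive path during the flood
              if e[0] in floods and e[4] < 400 and e[3].startswith(sensitive)]
    return sorted(floods), review

def sample_log():
    """Constructed data: 5 quiet minutes, then a 2-minute flood hiding one login."""
    start = datetime.strptime("14/May/2026:09:00:00 +0200", TS)
    def row(minute, ip, method, path, status):
        ts = (start + timedelta(minutes=minute)).strftime(TS)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'
    rows = [row(m, f"192.0.2.{i}", "GET", "/", 200) for m in range(5) for i in range(3)]
    rows.append(row(1, "192.0.2.10", "POST", "/admin/login", 200))  # before the flood
    for m in (5, 6):
        rows += [row(m, f"198.51.100.{i}", "GET", "/", 502) for i in range(60)]
    rows.append(row(5, "203.0.113.77", "POST", "/admin/login", 200))  # inside the flood
    rows.append("garbage line")  # malformed input is ignored by parse()
    return rows

if __name__ == "__main__":
    floods, review = triage(sample_log())
    print([m.strftime("%H:%M") for m in floods], review)
```

The median baseline only holds while flood minutes are a minority of the log being analysed; for a long-running attack, take the baseline from a period before the incident.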

Cybersecurity as a strategic priority

The attack on the CNMC fits a pattern the Spanish Government itself documented in the 2025 National Security Report: Spanish critical infrastructure and digital bodies are in the crosshairs. DDoS is the most accessible attack in the cybercrime arsenal — cheap, effective and difficult to attribute — and its frequency against Spanish institutions will continue to grow while the country maintains its position in NATO and the EU in a high-tension geopolitical context.

For Spanish businesses, the question is not whether their digital services can be targeted by a DDoS. The question is whether they would remain operational during the attack.

Apolo Cybersecurity: DDoS protection and digital service continuity

At Apolo Cybersecurity we help businesses and organisations assess their DDoS exposure and implement the right protection layers: network architecture and exposure surface analysis, cloud DDoS mitigation service configuration, incident response plans covering hybrid DDoS scenarios, communication protocols during availability incidents, and critical dependency assessment on digital third parties.

If your organisation has internet-facing web services and does not have an active DDoS mitigation layer, the CNMC incident is the signal to review it.
