Spain’s Department of National Security (DSN) has published this week the 2025 Annual National Security Report, approved by the National Security Council. Produced from the Office of the Presidency of the Government, the document offers the most complete and up-to-date official diagnosis of the threats facing Spain. One conclusion runs through every section: the world has moved from operating under shared rules to functioning according to power dynamics, and in that new landscape Spain — with its strategic position in NATO, the EU and the Mediterranean — is a deliberate and permanent target. Cyberattacks head the threat list alongside hybrid operations, foreign espionage and disinformation campaigns.

What does the 2025 National Security Report say about cyberattacks in Spain?

The DSN report, published today and covered by Infodefensa, El Español and Escudo Digital, identifies cyberspace vulnerability as one of Spain’s main strategic threats. The figures accompanying the official assessment are stark:

  • 122,223 cybersecurity incidents managed by INCIBE in 2025, a 26% increase on the 97,400 recorded in 2024. The highest figure ever registered.
  • 237,028 vulnerable systems detected and notified by INCIBE-CERT in 2025, susceptible to exploitation by cybercriminals.
  • Malware was the most widespread threat, with 55,411 cases. Of these, 392 were ransomware attacks — system hijacking for extortion purposes — the type of attack generating the greatest operational and economic impact on affected organisations.
  • 85% of systems compromised by botnets corresponded to Internet of Things (IoT) devices: televisions, set-top boxes, media players and connected home appliances.
  • Sectors most affected under NIS2: banking (34%), transport (14%), energy (8%), financial market infrastructures (7%) and insurers and pension funds (6%). These operators represent the country’s critical fabric.
  • 401 incidents managed in the domain of essential and important operators regulated by NIS2.

The report also notes that Spain is among the European countries most actively targeted by state and non-state actors who use cyberspace as a tool for pressure, destabilisation and intelligence gathering. The threat is not only technical: it is strategic.

Why Spain is a priority target: the factors explaining the vulnerability

The DSN identifies a set of structural factors that make Spain a high-priority target for multiple types of actors:

  1. First-order geostrategic position. Spain is a logistical, energy and telecommunications hub on the European Atlantic seaboard. Its active participation in NATO and the EU makes it a target for actors seeking to pressure, gather intelligence or destabilise the Western alliance.
  2. Digitised critical infrastructure with uneven protection. The accelerated digitalisation of recent years in energy, transport, finance and public administration has not always been matched by proportionate cybersecurity investment, creating exploitable gaps.
  3. Business fabric dominated by SMEs with low cybersecurity maturity. Over 70% of cyberattacks in Spain target SMEs. 60% of those suffering a serious incident close within six months. The average cost of an attack on an SME can reach €75,000.
  4. Hybrid operations as the new normal. The report highlights that state actors have evolved towards hybrid methods combining cyberattacks with physical sabotage, disinformation and electoral interference, making detection and attribution more difficult.
  5. Incomplete NIS2 transposition. The NIS2 cybersecurity directive, which should have been transposed in October 2024, remains unfinished in Spain, leaving many organisations in a grey zone regarding their obligations and regulatory exposure.

The actors behind the threats: Russia, China and organised cybercrime

The 2025 National Security Report provides for the first time a comprehensive picture of the actors threatening Spain in cyberspace and beyond:

Russia: high-intensity hybrid operations

Russian intelligence services — particularly the GRU and SVR — recorded in 2025 what the DSN describes as “high and intense operational activity” across Europe. The CNI detected 108 actions by foreign intelligence services during the year. Documented operations include sabotage of logistics warehouses linked to Ukraine support and critical infrastructure, cyberattacks targeting communication and energy networks, drone overflights of military and border installations, and disinformation campaigns and attempts at electoral interference. The report stresses that the slight decline in detected actions compared to the previous year does not imply less activity: it simply reflects the evolution towards more opaque methods, in what is termed the “grey zone,” which makes detection and attribution more difficult.

China: strategic espionage and diaspora surveillance

China maintains its interest in the EU and NATO, focusing on obtaining information about political decisions and on monitoring the Chinese diaspora and dissident communities in Europe. The report documents the expansion of Chinese cyberattack groups beyond Asia, with incidents recorded in telecommunications infrastructure and European ministries.

Organised cybercrime: industrialisation of ransomware

Beyond state actors, organised cybercrime recorded a 116% increase in ransomware attacks against Spain in 2025, according to Zscaler’s Annual Ransomware Report, placing the country in the global top 15. Groups such as Qilin — already responsible for attacks on Ahorramas, Asefa and the Autonomous City of Melilla in 2026 — and LockBit or its successors continue operating under the RaaS (Ransomware as a Service) model with affiliates indiscriminately attacking Spanish companies of all sizes.

Key lessons for Spanish businesses and executives

The 2025 National Security Report is not just a geopolitical document. It is an operational risk map for any Spanish organisation. The actionable lessons are direct:

  • Cybersecurity is no longer solely the IT team’s responsibility. When the National Security Council itself identifies it as a first-order strategic threat, cyber risk management must be on the board and executive committee agenda, not fully delegated to the technical department.
  • Ransomware is the most likely and costliest threat for Spanish SMEs. The report data confirms that ransomware groups prioritise Spain. An SME without a ransomware response plan or tested backups faces an existential risk.
  • Hybrid operations also affect the private sector. Russian attacks on logistics infrastructure linked to Ukraine support illustrate that the private sector is part of the geopolitical battlefield. Companies forming part of supply chains with strategic implications must explicitly assess this in their risk management.
  • NIS2 is not optional even if transposition is delayed. Organisations operating in essential sectors — energy, transport, banking, health, digital infrastructure — must align with the directive now, before Spain’s transposition is completed and compliance deadlines become immediate.
  • IoT security is an urgent gap. With 85% of botnet-compromised systems corresponding to IoT devices, any company with connected industrial environments, smart buildings or OT devices must prioritise the inventory and protection of those assets.

Cybersecurity as a strategic priority

The 2025 Annual National Security Report closes any debate about whether cybersecurity is a technical or a strategic problem. It is both — and the Spanish Government says so explicitly at the highest level. For Spanish organisations, the question is no longer whether they will be targeted, but when and with what level of preparedness they will respond.

The report’s data points in one direction: organisations that have invested in visibility, early detection and tested response plans are the ones that survive incidents. Those that were waiting for the threat to materialise before acting are the ones making headlines.

Apolo Cybersecurity: protecting Spanish organisations in the threat landscape the DSN describes

At Apolo Cybersecurity we work precisely in the domain the 2025 National Security Report identifies as priority: protecting Spanish organisations against cyberattacks, ransomware, espionage and hybrid operations. We help companies across all sectors assess their real security posture, implement controls against the most prevalent threats in the Spanish context, align with NIS2, and build incident response plans that work when it matters most.

If the Government’s assessment is that Spanish critical infrastructure is in the crosshairs, the question for any executive is direct: at what level of preparedness is your organisation?

__wf_reserved_inherit
Prev Post
Next Post

Any questions?
We're happy to help!

CONTACT US TODAY!
info@apolocybersecurity.com
Responsable: Apolo Analytics S.L.
Finalidad: Responder a tu mensaje y almacenaje en base de datos para gestionar tu solicitud.
Legitimación: Consentimiento del interesado al enviar el formulario.
Destinatarios: No se cederán datos a terceros, salvo obligación legal.
Derechos: Puedes ejercer tus derechos de acceso, rectificación y supresión, entre otros, enviando un correo a secretaria@apolocybersecurity.Com.
Información adicional: Puedes consultar la información completa en nuestra Política de Privacidad.

¡Gracias !

Su mensaje a sido recibido correctamente.
Oops! Algo a ido mal a la jora de enviar el formulario.
te esperamos!
Schedule a call
Project photo
Send us an email
Project photo
+34 937948378
Project photo
Carrer 27 del BZ, 10–16, Sector BZ Zona Franca, 08040 Barcelona
Project photo
FAQScontactTERMS AND CONDITIONSWork with Us
Accelerated by:
Certifications:
Light Eyes is part of Apolo Cybersecurity
LEGAL NOTICEPRIVACY POLICYCookiesinformation security policy
Privacy Settings
Copyright © 2025 Apollo Cybersecurity