Which sectors are most vulnerable to cyberattacks in Spain and how can their security be reinforced?
Any company can fall victim to a cyberattack, but essential sectors are particularly at risk. That’s why they rely on companies like Cipher, Prosegur’s cybersecurity division, to strengthen their digital defences.
In 2024, Spain experienced 97,348 cybersecurity incidents. Taken in isolation, that figure may be difficult to interpret, but it’s the trend that provides real context. According to the Security Report published by the National Cybersecurity Institute (Incibe), this figure represents a 16.6% increase compared to 2023, continuing a steady year-on-year rise since 2020.

Any cyberattack is a cause for concern, but some carry more serious implications than others. This is particularly true for essential or critical sectors, those on which a country’s daily functioning depends, as highlighted in a recent study by Cipher. These areas recorded 341 cyber incidents, and as shown in the graph below, the transport sector was the hardest hit, closely followed by the financial and tax systems. The ICT sector also appeared further down the list. These three sectors make up the top tier of those most affected, although in reality, nearly all productive sectors in Spain are now being regularly targeted by major security threats.
These areas, aside from their obvious importance, share a common feature: all of them fall under the scope of the NIS2 Directive (Network and Information Systems Directive 2), the European legislation whose ultimate aim is to strengthen cybersecurity in sectors that are strategic for both the economy and society, including energy, transport, banking, healthcare and food, among many others. In practice, it affects nearly every productive sector in the country.
The directive does so by raising the bar at every stage of a potential incident. Public and private institutions alike will be required not only to handle data with greater care, but also to enhance their security and cybersecurity systems, equipping their organisations with the appropriate legal, organisational and technical measures. They will also need to improve protection for their customers and suppliers, and in the event of any incident, report it swiftly and effectively.

NIS2 Directive
The new European regulation introduces stricter technical, organisational, and governance requirements for organisations. This obliges them to take the following actions:
- Assess and manage their cybersecurity risks.
- Implement protection and incident response measures.
- Strengthen the security of their supply chain.
- Report significant incidents within very tight timeframes.
The truth is that, although the official deadline for transposing this directive into national legislation expired on 17 October 2024, Spain has yet to formally complete the process by passing the corresponding national law.
How to protect against cyberattacks
In any case, the lack of formal transposition has not prevented certain regulators from beginning to request information from organisations in their respective sectors. Their aim is to assess the level of maturity and compliance in terms of information security. As a result, many organisations are already working to align themselves with what is now seen as a clear strategic necessity: ensuring their security in an increasingly digital and cyber-threatened environment.
In this context, Cipher, the cybersecurity division of the Prosegur group, brings over 20 years of experience in protecting critical infrastructure in sectors such as banking, energy, insurance and public administration. Operating in 18 countries, Cipher offers its own advanced technological capabilities, including xMDR (Extended Detection and Response) and Security Observatory, both designed to secure clients’ technology infrastructures.

It also offers its clients access to SPIP (Security Posture Improvement Plan), a cybersecurity solution that brings together cybersecurity architects and ethical hackers focused on identifying vulnerabilities and misconfigurations within clients’ systems. Based on this analysis, the team develops tailored security plans that streamline the compliance process while reducing both time and associated costs. With international certifications such as PCI QSA, ISO 27001, ISO 20000, and Trusted Introducer, the company delivers a bespoke approach for each client, adapting to their technological environment, asset criticality, and specific organisational needs through concrete, actionable measures.
“Cipher is one of the most established and respected Managed Security Service Providers (MSSPs) worldwide.”
David Fernández Granado
Managing Director of Prosegur’s Cybersecurity Division
“Cipher is one of the most established and recognised Managed Security Service Providers (MSSPs) worldwide,” says David Fernández Granado, Managing Director of Prosegur’s cybersecurity division, “demonstrating a proven commitment to security excellence. It combines daily operational protection with the strategic insight needed to comply with regulations such as NIS2, DORA and ENS in an integrated and pragmatic way.”
Alongside its technological services, the company recently announced a strategic partnership with ECIJA, a firm specialised in Governance, Risk and Compliance services, and a leading legal advisor in the Ibero-American market in digital law, privacy, data protection, risk, and compliance. This collaboration offers a comprehensive approach that jointly aims to cover all information security compliance needs. Specifically:
- Cipher handles all technical aspects: risk analysis, cybersecurity measure implementation, continuous monitoring, and incident response.
- ECIJA is responsible for legal, regulatory, and compliance matters: risk and compliance gap analysis, development of policies and procedures, contract adjustment, executive training, audit preparation, as well as management and advice on potential sanction procedures.
This alliance addresses a clear market need: “The vast majority of companies seek a single partner who can provide guarantees both technologically and legally throughout their NIS2 compliance process. Together, Cipher and ECIJA offer a turnkey solution that blends innovation, expertise and experience to help organisations tackle one of the decade’s biggest regulatory challenges in cybersecurity,” states Alonso Hurtado, Partner for IT, Risk & Compliance at the firm.
Thanks to this partnership, “companies can access a full compliance service for the NIS2 Directive, as well as the DORA Regulation and the National Security Framework (ENS), covering everything from technical implementation to legal and regulatory compliance — all managed in a consistent and efficient manner,” concludes Fernández Granado.