
OBS Report: Spain and Its Cybersecurity Regulations

Ramón Martín Miralles López

The level of cyberattacks it suffers surpasses that of the U.S. and Israel 


 

September 2025. OBS Business School, an institution of Planeta Formación y Universidades, has published the report Cybersecurity from a Regulatory Perspective, led by Ramón Miralles, professor and lawyer specializing in Digital Law. The report compares regulations in Spain, the United States, Latin America, and the European Union.

Information security is no longer just a technical issue—it has become a legal asset and a right. This shift requires the adoption of security measures and the promotion of international cooperation, the only way to strengthen the effectiveness of laws against attacks that know no borders.

Legislative processes are similar in rule-of-law states, but differences exist in the degree of implementation depending on legal culture, regulatory capacity, and each country’s level of economic development.

Legal Measures in Cybersecurity

The Global Cybersecurity Index 2024 by the ITU evaluates 194 countries across five pillars: legal, technical, organizational, capacity-building, and cooperation. Most countries stand out in the legal domain: 177 have regulations on data protection, privacy, or security breaches; 151 have specific data protection laws; and 104 regulate critical infrastructures.

The European Union has a mature regulatory framework, with the NIS2 Directive as its cornerstone. This directive mandates risk management, incident reporting, staff training, and executive accountability. It has led to regulations such as DORA, which ensures digital resilience in the financial sector, and MiCA, which regulates crypto-assets by requiring security measures on platforms. Other additions include the Cyber Resilience Act, focused on connected digital products; the Cyber Solidarity Act, which strengthens cooperation in the face of incidents; and the Cybersecurity Act, which enhances ENISA’s role and establishes an ICT certification framework.

The European framework is complemented by the GDPR, rules on digital services and telecommunications, and Directive 2013/40/EU on cybercrime. However, Miralles warns that regulations alone are not enough without effective mechanisms to act against perpetrators in cyberspace.

What About Spain?

Spanish regulations are aligned with the European framework but also include the National Security Law for the protection of critical infrastructures, the National Cybersecurity Strategy (2019, currently under review), and the National Cybersecurity Plan. Currently, the Draft Law on Cybersecurity Coordination and Governance is being processed. It proposes the creation of the National Cybersecurity Center, risk management, mandatory incident reporting, designation of security officers, and oversight by sectoral authorities.

Spain also has the National Security Framework (ENS), which sets the security policy for the use of electronic means in public administration. Key institutions include the National Cryptologic Center, INCIBE, police units for technological investigations, and the Cybercrime Prosecutor’s Office, responsible for coordinating the prosecution of cybercrimes.

In short, Spain has a mature and necessary cybersecurity regulatory and governance framework, given the high number of cyberattacks it receives—surpassing even the United States and Israel.
 

Content written by:
Carmen García-Trevijano
OBS Business School's Press Office


Ramón Martín Miralles López

 



  • Coordinator of Audit and Information Security at the Catalan Data Protection Authority

  • “European Certificate on Cybercrime and Electronic Evidence”

  • Specialist in Public Security Management

  • ENISA expert (2012-2015)

  • Law degree from the UB