Cybersecurity in the Spanish National Security Framework
Cybersecurity plays a crucial role in Spain’s national security strategy. In 2013, Spain adopted its first dedicated National Cybersecurity Strategy, following the 2011 Spanish Security Strategy, which, for the first time, recognized cyber threats and attacks as key risks to national security (Cendoya, 2016). This was further anticipated in the 2012 National Defence Directive.
The updated 2017 National Security Strategy, developed by the National Security Council, formally identifies cyberspace as a shared global domain—alongside maritime, airspace, and outer space—with unique vulnerabilities. These vulnerabilities stem from both malicious uses of cyberspace, such as terrorism, organized crime, and disinformation campaigns, and direct cyber threats like data theft, hacking, DDoS attacks, and assaults on critical infrastructure.
Spain has demonstrated a strong commitment to cybersecurity, ranking 7th globally and 5th regionally in the International Telecommunication Union’s (ITU) Global Cybersecurity Index, with a high Composite Global Index (CGI) score of 0.896. Spain performs particularly well in the ITU’s legal and organizational pillars, which assess the existence of cybersecurity laws and institutional strategies (ITU, 2019). Additionally, Spain is a member of the Freedom Online Coalition, reinforcing its commitment to an open and secure cyberspace.
Spain’s geostrategic location also has implications for cybersecurity. The country comprises the Iberian Peninsula in southwestern Europe, as well as the Canary and Balearic Islands, and territories in North Africa. According to the 2017 National Security Strategy, Spain’s unique geographical positioning—linking Europe, North Africa, the Mediterranean, and the Atlantic—gives it a distinctive role as a bridge between regions and cultures, shaping its security priorities (Presidency of the Government, 2017).
A key component of cyberspace security is the physical infrastructure—particularly submarine and terrestrial fiber-optic cables and satellites—that facilitates global connectivity (Sheldon, 2014). Spain’s strategic vulnerability in this regard was historically demonstrated during the Spanish-American War, when U.S. forces disrupted Spanish communications by cutting telegraph cables. Today, more than 95% of international data transmission—including everyday activities like emailing, internet browsing, and streaming—relies on undersea fiber-optic cables (Carter & Burnett, 2015).
Protecting these critical communication networks is essential, especially for a maritime nation like Spain (Departamento de Seguridad Nacional, 2013). However, the ownership of this infrastructure largely lies with private companies, raising concerns about sovereignty and strategic autonomy. For instance, the MAREA transatlantic cable connecting Sopelana (Spain) and Virginia (USA) is jointly owned by Microsoft, Facebook, and Telefónica’s Telxius. Similarly, Tata Communications operates the VSNL Western Europe cable connecting Spain and the UK.
As Sheldon (2014) notes, the pervasive nature of cyberspace does not eliminate the importance of geography and geopolitics; cyber operations still target networks and data tied to sovereign territories with political, economic, and military significance. Spain’s 2013 Maritime Security Strategy underscores that maritime connectivity between the mainland, its islands, and autonomous cities such as Ceuta and Melilla is vital to national interests, and that cyberspace poses significant threats to maritime security (Gobierno de España, 2013).
Spain’s National Cybersecurity Framework
To manage its cybersecurity policy, Spain established the National Cybersecurity Council (CNC) in December 2013 as a specialized body under the National Security Council (CNS). During the same meeting, the first National Cybersecurity Strategy was approved. This framework was updated on April 12, 2019, and formally published as Order PCI/487/2019.
The 2019 Strategy outlines key components of Spain’s cybersecurity governance structure:
National Security Council – the overarching authority acting as the Government Delegate Commission for National Security;
Situation Committee – oversees crisis responses;
National Cybersecurity Council – the central body for cybersecurity oversight;
Permanent Commission on Cybersecurity;
National Forum on Cybersecurity;
Competent authorities and national CSIRTs (Computer Security Incident Response Teams).
The CNS, as the Prime Minister’s advisory and coordinating body on national security, operates through the Department of National Security (DSN) within the Prime Minister’s Office, ensuring coordination across government and international partners, especially within the EU.
In its April 2019 meeting, the National Cybersecurity Council addressed: (1) the evaluation of the 2019 Cybersecurity Strategy; (2) measures to combat disinformation and secure electoral processes ahead of the Spanish and EU elections; and (3) cybersecurity concerns related to 5G networks (DSN, 2019b). Just before the April 28 general elections, Prime Minister Pedro Sánchez emphasized the fundamental role of cybersecurity in safeguarding civil liberties and national defense, and in driving Spain’s digital transformation and innovation (DSN, 2019c).