The government is advancing a broad cybersecurity framework designed to clearly define the roles of all bodies involved in national digital security efforts and to ensure seamless cooperation among them. The announcement, made publicly on Monday, points to finalizing the text and presenting it to the Cortes before year’s end. The goal is to establish an umbrella regulation that standardizes the actions of every institution connected to cybersecurity, precisely assigns responsibilities, and clarifies coordination mechanisms at a legal level. Institutions are distributed across various ministries within the executive branch.
Currently, several organizations contribute to Spain’s cyber defense and security landscape. These include the National Institute of Cybersecurity (Incibe), affiliated with the Ministry of Digital Transformation; the Office of Homeland Security under the Presidency; components of the National Cryptology Center and the National Intelligence Center (CNI); the Joint Cyberspace Command within Defense; the General Secretariat for Digital Governance (SGAD) under the Ministry of Digital Transformation; and law enforcement bodies such as the Civil Guard and the National Police under the Ministry of Interior, among others. This alliance of agencies forms a complex ecosystem that the new law aims to streamline under a single regulatory umbrella, with a clear mandate for each participant. (Attribution: Ministry of Digital Transformation)
Homeland Security warns of 15,500 cyberattacks on critical infrastructure in war year
Escrivá underscored the need for every involved institution to operate within a unified legal framework that provides formal legitimacy to their response mechanisms. The executive views cybersecurity as a strategic lever for the nation’s economy, with the intent to shrink the frequency of cyber intrusions targeting businesses and individuals, hasten incident responses, and reduce the operational and economic impact of cybercrime. The law is expected to bolster both public and private resilience, with particular focus on the most vulnerable segments and small- to medium-sized enterprises. These points were presented to lawmakers during a briefing at the Congressional Digital Transformation Committee. (Attribution: Congressional Digital Transformation Committee briefing)
without touching 5G
The proposed Cybersecurity Law will address this field in a broad, general way without modifying the current security regime tied to 5G technology. The government had previously approved a separate 5G security framework in early 2022, just weeks after Russia’s invasion of Ukraine began. This specialized 5G framework remains in force as planned, according to ministry sources. (Attribution: Ministry of Digital Transformation)
The administration has discussed the consideration of high-risk suppliers within a separate security list and has indicated that future decisions on supplier inclusion would be made on a case-by-case basis rather than through a blanket ban. While the official list has not been finalized, the government clarified that there is no immediate plan to exclude specific Chinese manufacturers from 5G networks. (Attribution: Ministry of Digital Transformation)
The ministry added that the risk-based approach means evaluating each potential supplier within public aid programs aimed at expanding new networks. There is no predetermined veto in the current rural-5G investment initiative, but telecom operators may bear costs for replacing equipment from entities deemed risky as part of project implementations. (Attribution: Ministry of Digital Transformation)
Escrivá also urged political groups to reach three core agreements on digital transformation. He called for political accords with social partners and citizens to promote ethical use of artificial intelligence, to strengthen the country’s technological capacity through targeted investments and expanded digital infrastructure, and to advance the modernization of Public Administration. (Attribution: Escrivá statement to lawmakers)