If the World Economic Forum described systemic cyber risk at a global level, Spain’s data shows that this risk is already operational.
In our previous article, we examined the international context based on the Global Cybersecurity Outlook 2026. The 2025 Cybersecurity Balance published by INCIBE confirms that these trends are now visible at the national level.
In 2025, INCIBE managed 122,223 cybersecurity incidents, a 26% increase compared to 2024, and identified 237,028 vulnerable systems. The scale is no longer marginal — it is structural.
The operational pressure behind the numbers
The report reveals a clear pattern:
- 45,445 incidents were related to online fraud (4 out of 10 cases)
- 25,133 incidents were phishing-related
- 55,411 incidents involved malware (45% of total cases)
- 392 incidents were ransomware attacks
Particularly relevant is that 85% of malware-infected systems controlled as botnets were linked to IoT devices. This directly connects to one of the systemic risks highlighted globally: the expanding attack surface in increasingly connected environments.
From an operational standpoint, this translates into something concrete: more entry points, greater complexity, and increasing difficulty in maintaining end-to-end visibility.
Essential operators and NIS2: the regulatory shift
The report also identifies 401 essential and important operators, aligned with the terminology of the NIS2 Directive. This is not merely statistical information — it implies formal obligations around risk management, incident reporting, and third-party governance.
Cyber resilience is no longer just a technical best practice. It is becoming a regulatory requirement with direct implications for executive management, operations, and architecture.
In real-world environments, risk tends to surface when:
- Visibility is fragmented.
- Third-party management is not integrated into the risk model.
- Recovery depends on untested procedures.
- Architectures are not designed to degrade in a controlled manner.
From data to operational discipline
The growth in incidents, the weight of malware and online fraud, and the exposure of connected devices point to a scenario where prevention alone is insufficient.
The key lies in combining:
- Continuous monitoring and early detection.
- Segmentation and attack surface reduction.
- Verified backups and tested recovery capabilities.
- Clear governance over critical providers and services.
At TeraLevel, we consistently see that the challenge is not the absence of tools, but the lack of operational coherence between architecture, security, and business continuity.
Conclusion
INCIBE’s 2025 Cybersecurity Balance confirms that the systemic cyber risk described at the global level is already present in Spain. The rise in incidents and the growing exposure across critical sectors reinforce one central idea: cyber resilience must be designed and operated structurally.
In this context, frameworks such as NIS2 and DORA do not introduce risk — they formally recognize it and require demonstrable capacity to manage it.