Spanish companies operate in an increasingly complex environment, marked by an expanding exposure surface, technological acceleration and growing dependence on third parties. Added to this is the increase in cyberattacks, driven by automation and artificial intelligence, which forces companies to constantly review the cybersecurity budget as a strategic element.
There is also increasing regulatory pressure, with regulations such as NIS2, DORA or CRA, and a geopolitical context that further increases the perception of risk. All of this sets up a scenario in which cybersecurity is consolidated as a structural challenge for organizations and in which the cybersecurity budget takes on a key role in business planning.
“Organizations are advancing in terms of cybersecurity, although at different speeds. According to our Cybersecurity Study in Spain 2025, the majority of these companies have consolidated the technological base, but there is still a significant gap in monitoring, regulation or industrial security,” explains Francisco Valencia, general director of Secure&IT. These shortcomings are usually directly related to how the cybersecurity budget is allocated and managed.
Greater investment in cybersecurity
Investment priorities for organizations in the coming months focus on identity, cloud and data protection. Strong authentication and cloud security stand out as strategic lines, along with SOC services, training and DLP/IRM projects, areas that largely depend on an adequate cybersecurity budget.
“The report concludes with a clear trend: companies will invest more in cybersecurity. 44.2% plan to increase their cybersecurity budget, while 43% will keep it stable. For the coming years, only a minority will opt for cuts, which confirms the strategic nature of the cybersecurity budget,” says Valencia.
Spanish companies have laid the foundations for cybersecurity governance, with extensive implementation of formal policies, risk analysis and awareness programs. However, maturity remains uneven, with relevant shortcomings in incident response, the existence of security committees and the consolidation of certifications such as ISO 27001 or the ENS, aspects that require a sustained reinforcement of the cybersecurity budget.
The study also reflects considerable confusion regarding the major European regulations. Many organizations do not know whether they must comply with regulations such as NIS2, DORA or the Cyber Resilience Act, and a significant proportion have not yet started their adaptation. This lack of knowledge especially affects SMEs and technology providers, which face new obligations without having compliance teams or a sufficiently sized cybersecurity budget.
Secure&IT warns that this gap is especially worrying: “Spanish companies are making a significant effort to adapt to the regulatory framework in cybersecurity, but the regulatory speed poses important challenges. It is not only about compliance, but about understanding the real impact on the business and correctly aligning the cybersecurity budget with risk management.”
Geopolitical pressure is another factor that worries organizations. 55.8% affirm that international conflicts increase their level of risk, which reinforces the need to review the cybersecurity budget in the face of increasingly volatile scenarios. Added to this is the rapid adoption of technologies such as generative AI.
The cyber threats most feared by Spanish organizations
In terms of threats, ransomware remains the top concern for 59.8% of businesses, followed by phishing, data exfiltration, and credential theft. The ability to mitigate these risks depends, to a large extent, on how the cybersecurity budget is prioritized.
The adoption of protection technologies shows a mixed picture. Although many companies have basic measures in place, the implementation of advanced solutions such as MDR, XDR or SASE is uneven, reflecting notable differences in resources and the available cybersecurity budget.
In terms of monitoring, only 23% have a fully operational 24×7 SOC. “Having a 24×7 SOC is today a key element of cybersecurity,” Secure&IT points out, highlighting that without an adequate allocation of the cybersecurity budget, the detection and response capacity is seriously compromised.
Francisco Valencia concludes: “2025 shows a country that is advancing in cybersecurity, but needs to accelerate. Identity, cloud and regulation set the course, but resilience will only come when cybersecurity is integrated transversally into the business and the cybersecurity budget is managed as a strategic investment and not as a cost.”
