In 2025, INCIBE handled 122,223 cybersecurity incidents in Spain — a 26% rise year-on-year, according to the Cybersecurity Balance 2025 report published by the agency in February 2026. In that context, knowing how to choose a cybersecurity company is no longer a technical decision delegated to the IT department: it is a business decision with a direct impact on operational continuity, reputation, and legal compliance. Picking the wrong provider doesn't simply mean overpaying; it means discovering, in the middle of an incident, that the company supposed to defend you wasn't equipped to do so.
This article is a practical guide for technology leaders, C-suite executives, and procurement teams who need to evaluate and contract a security partner in Spain. We won't talk about marketing or vague promises: we'll talk about verifiable certifications, objective evaluation criteria, the regulatory framework that shapes the decision, and the red flags that should lead you to rule out a candidate before signing anything.
Why Choosing a Cybersecurity Provider Is Now a Business Decision
For years, buying IT security felt like buying an antivirus — a technical expense, almost routine, solved by going with the cheapest option. That era is over. INCIBE's own figures paint a picture in which the threat is massive and systematic, not the exception.
In the Cybersecurity Balance 2025, malware led all incident categories with 55,411 cases, followed by online fraud with 45,445, of which phishing was the dominant technique at 25,133 registered incidents. The free helpline "Tu Ayuda en Ciberseguridad" (line 017) handled 142,767 queries throughout the year — a 44.9% increase over 2024. It's not just that attacks are rising: more organisations and individuals are suffering them and need urgent help.
What matters most to decision-makers is the asymmetry. An attacker only needs to succeed once; your provider must succeed every time. When INCIBE-CERT detected and notified 237,028 exposed, exploitable systems in 2025, it was mapping the real attack surface of Spanish organisations. If your security partner cannot discover, prioritise, and remediate vulnerabilities at that scale, the contract isn't worth the paper it's printed on.
There is also some good news: the market has options. According to the Study on the Cybersecurity Industry in Spain 2025 — produced by INCIBE and CONETIC and presented in March 2026 — Spain has 3,431 cybersecurity companies (4.47% of the country's tech firms), a sector that turned over €6.351 billion in 2024 and employs around 165,000 professionals, accounting for 25.5% of Spanish ICT employment. Spain is also the fourth-largest European cybersecurity market, with 12% of continental revenue, and the sector projects average annual growth of 14.25% between 2026 and 2029.
The uncomfortable conclusion: supply is vast and wildly uneven. It ranges from large system integrators to niche consultancies and resellers that add almost no value. Having 3,431 providers to choose from doesn't make the decision easier — it makes it harder. That's why you need a method.
What Certifications Should a Reliable Cybersecurity Company Hold (ENS, ISO 27001, ENAC)?
The first filter for ruling out candidates is objective and verifiable: certifications. They aren't decorative badges — they are proof that an independent third party has audited the provider's processes. In Spain, three references dominate any serious conversation.
ISO/IEC 27001: The Information Security Management Standard
ISO/IEC 27001:2022 certification accredits that a company operates an Information Security Management System (ISMS) — not merely that it uses good tools. The current 2022 edition includes 93 Annex A controls organised across four themes (organisational, people, physical, and technological). In Spain, it is issued by certification bodies (AENOR among them) that ENAC (the National Accreditation Entity) has accredited against ISO/IEC 17021-1 and ISO/IEC 27006, the standard that sets the specific requirements for bodies auditing and certifying an ISMS.
Two details many buyers overlook:
- A certificate is valid for three years and is maintained only through annual surveillance audits. A company that shows you a four-year-old certificate with no interim audit is not currently certified.
- What matters is not just that the provider is certified, but the scope declared on the certificate. An ISO 27001 whose scope covers only "internal administration" does not cover the service they will actually deliver to you.
If your organisation is aiming to achieve certification — or to require that level of maturity from a vendor — it helps to understand exactly what the process involves. At Technova we cover this in our ISO 27001 implementation and certification service, where we accompany clients from gap analysis through to the final audit.
National Security Scheme (ENS): Mandatory for Public-Sector Work
Royal Decree 311/2022 of 3 May governs the Esquema Nacional de Seguridad (ENS). It is essential reading if your company provides — or intends to provide — services to public administration, because in that case ENS compliance is not optional.
The RD defines three security categories with differing requirements:
| ENS Category | Accreditation Method | When It Applies |
|---|---|---|
| Basic | Declaration of conformity via self-assessment | Lower-impact systems |
| Medium | Formal certification by an ENAC-accredited body | Appreciable impact on services or data |
| High | Formal certification by an ENAC-accredited body | Severe impact; essential services |
This distinction is critical when evaluating providers: a self-assessed declaration of conformity (basic category) is not equivalent to a third-party audit (medium and high categories). If a provider tells you they "comply with ENS" without specifying the category or the certifying body, ask. The gap between self-assessment and certification by an ENAC-accredited entity is substantial.
ENAC as the Credibility Anchor
Both for ISO 27001 and for ENS medium and high categories, the name that provides genuine credibility is ENAC. ENAC accreditation is what ensures that the certifying body is competent and impartial. A certificate issued by a non-accredited body has far less market value. Always verify that the badge on a certificate is backed by an ENAC-accredited entity, not just a logo. One nuance for ISO 27001 only: a certificate issued under another national accreditation body that is a signatory of the IAF multilateral recognition arrangement (for a provider headquartered abroad, for example) is equivalent; the ENS, being a Spanish national scheme, accepts ENAC-accredited certification alone.
Evaluation Criteria: 24/7 SOC/MDR, Sector Experience, and Verifiable References
Once certifications have passed the filter, you move into what separates a provider that actually defends you from one that only invoices. Here you assess real operational capabilities.
Continuous Detection and Response: 24/7 SOC and MDR
Attacks don't respect business hours. Many are deliberately launched on Friday evenings, public holidays, or in August, when internal teams are at minimum capacity. The ability to provide 24/7 detection and response is therefore the criterion that most clearly separates serious providers from the rest.
It's worth distinguishing the concepts:
- SOC (Security Operations Centre): the operations hub that continuously monitors, correlates events, and detects threats.
- MDR (Managed Detection and Response): the managed service that not only detects but responds and contains the incident on your behalf, with contractually committed timeframes.
The key question is not "do you have a SOC?" but "what exactly do you do at 3 a.m. on a Sunday when a critical alert fires?" A mature provider answers with detection and containment times committed in the SLA — not with good intentions. Ask as well whether the provider may take containment actions (isolating an endpoint, disabling an account, blocking an address) on its own authority or only after your approval; that answer determines whether a 3 a.m. alert is actually handled at 3 a.m. or at 9 a.m. on Monday. If you want to understand how this type of service works in practice, we describe it on our 24/7 Managed SOC and MDR page.
Sector Experience and NIS2 Alignment
A provider that has defended companies in your sector knows your specific threat landscape: protecting an industrial organisation with OT systems is very different from securing a financial institution or an essential service operator. That experience is demonstrated with real cases, not generic claims.
INCIBE's data reinforces this point: during 2025, INCIBE-CERT handled 401 incidents involving essential and important operators, aligned with the NIS2 Directive framework. If your company falls within one of the affected sectors, you need a partner that already operates under that regulatory logic — not one that is discovering it alongside you.
Verifiable References, Not Brochure Testimonials
Ask for references and, above all, follow up on them. Don't settle for logos on a website. Request to speak with an actual client of a similar profile, ask about the provider's response during a specific incident, and check whether the relationship is ongoing. A provider that churns clients every year has a problem that will eventually become your problem.
As a summary, here are the evaluation criteria we recommend scoring:
| Criterion | What to Verify | Why It Matters |
|---|---|---|
| 24/7 coverage | SOC/MDR with detection and response SLA | Attacks have no office hours |
| Certifications | Current ISO 27001 and ENS (if applicable), via ENAC | Evidence of audited processes |
| Sector experience | Cases in your industry and under NIS2 if applicable | Specific threats, not generic ones |
| References | Verifiable clients with a comparable profile | Evidence, not marketing |
| Transparency | SLA, escalation path, and reports in writing | Defines what happens in an incident |
| Team | Staff profiles and technical team turnover | Security is delivered by people |
NIS2 and ENS: How the Regulatory Framework Shapes Who You Can Hire
This is a point many organisations discover too late: regulation doesn't only bind you — it also determines which providers are valid choices.
The EU's NIS2 Directive substantially expands the number of sectors and entities required to meet cybersecurity obligations, classifying them as "essential" or "important" entities. The Community deadline for transposition passed on 17 October 2024 without Spain completing its national transposition law. To bridge that gap, the Council of Ministers approved in January 2025 the Preliminary Draft Law on Cybersecurity Coordination and Governance, as reported by the National Security Department (DSN) and analysed by firms such as ECIJA and associations including ASEPEC.
What that draft law proposes has direct implications for provider selection: it will require essential entities to hold certification, and important entities to either certify or conduct a self-assessment. In other words, if your company falls within the NIS2 scope, you will not be able to outsource your security to a provider that cannot demonstrate the level of maturity the law will require of you.
The intersection with the ENS is equally relevant. If you work with public administration and manage medium- or high-category systems, we have already seen that RD 311/2022 requires certification by an ENAC-accredited body. Combining both frameworks, the message for buyers is clear: verify that the certifiable maturity of your provider is equal to or greater than what regulation demands of you. Contracting someone below your own compliance level transfers the legal risk to your organisation.
For a comprehensive view of how to integrate compliance, detection, and response into a coherent strategy, you can explore our overall approach to cybersecurity services for business.
Key Questions to Ask Before Signing the Contract
A good cybersecurity sales meeting should make the provider slightly uncomfortable: if every question receives an easy answer, you haven't asked enough. These are the questions that best reveal a candidate's real maturity.
- What certifications do you currently hold and what is their exact scope? Request the certificate itself, the date of the most recent surveillance audit, and the ENAC-accredited body that issued it.
- How does your SOC work and what detection and response SLA do you commit to in the contract? Time commitments must appear in the signed agreement, not just the sales proposal.
- What happens exactly when you detect a serious incident outside business hours? Ask for the escalation procedure and who makes decisions at 3 a.m.
- Who is on the team that will handle my account and what is their turnover rate? Security is executed by people; knowing who they are and whether they stay matters.
- Can you give me a verifiable reference from a client in my sector? And then actually call them.
- How do you help me comply with NIS2 and/or ENS given my situation? A concrete answer shows they know your regulatory framework.
- What reports do I receive, how often, and in what format? Ongoing visibility is part of the service, not an add-on.
- What happens to my data, logs, and configurations when the contract ends? Portability and a clean exit must be agreed from the outset.
If a provider answers all eight questions with specifics and in writing, you have a serious candidate in front of you. If the responses are vague, marketing-heavy, or evasive, that too is valuable information.
Red Flags: When to Rule Out a Cybersecurity Provider
Knowing what to look for matters just as much as knowing what should make you walk away. These are the most reliable warning signs we encounter when auditing security contracts.
- Imprecise or expired certifications. "We're in the process of getting certified" repeated for years, certificates with no surveillance audit, or badges from bodies not accredited by ENAC.
- Promises of total security. No credible provider guarantees 100% protection. Anyone who promises "you'll never suffer an attack" either doesn't understand the problem or is misleading you.
- No SLA in writing. If detection and response timeframes don't appear in the contract, they don't exist. Good intentions cannot be enforced in court.
- Opacity about the team and subcontracting. If they won't tell you who will operate your security or whether the SOC is outsourced to a third party, assume the worst.
- Price as the only selling point. In cybersecurity, cheap often means automated monitoring with no human analysts behind it. The savings evaporate in the first real incident.
- No verifiable references. Logos on the website but no client you can actually speak to. Silence is an answer.
- Ignorance of the regulatory framework. A provider that cannot explain how NIS2 or ENS applies to them will not be able to help you comply with either.
Any one of these flags, in isolation, warrants a difficult conversation. Two or more together warrant ruling the candidate out.
Conclusion: Make the Decision a Process, Not a Gut Feeling
With 122,223 incidents handled by INCIBE in 2025 and more than 3,400 providers competing in the Spanish market, choosing a cybersecurity company cannot rest on a persuasive sales meeting or the lowest price. The right decision comes from a method: filter by verifiable certifications (ISO 27001 and ENS via ENAC), assess genuine operational capabilities (24/7 SOC/MDR, sector experience, and independently verified references), align your provider's maturity with your obligations under NIS2 and the ENS, and ask the questions that distinguish those who actually defend from those who merely invoice.
If you're starting that process and want a practical foundation, download our ISO 27001 readiness checklist: it will help you measure your own maturity before demanding it from a third party. And if you'd like us to accompany you in evaluating, contracting, or auditing your security partner, talk to the Technova Partners team: we'll help you turn a risk decision into an informed one.