What Is INCIBE: Functions, Services and Difference with CCN

INCIBE (Instituto Nacional de Ciberseguridad) is the Spanish public entity coordinating cybersecurity for private companies and citizens. It's a state-owned commercial company (S.M.E.) attached to the Ministry for Digital Transformation and Civil Service through the State Secretariat for Digitalisation and AI. Headquartered in León, it was established in 2014 as successor to INTECO and employs approximately 400 people. It's the main point of contact in Spain for private companies needing support against incidents, technical advisories, training and sectoral certifications.

This guide explains what INCIBE actually is, the four functions organising it, the concrete services for companies (INCIBE-CERT, Line 017, CVE advisories, Kit Digital, badges and seals), how it differs from CCN and CCN-CERT (scopes don't overlap), how to notify an incident step by step, fit with NIS2 as one of the sectoral authorities in Spain and how any Spanish company can leverage what it offers at no cost.

What INCIBE is

INCIBE operates as the executive arm of the State in cybersecurity for unclassified scopes. Its competencies partially overlap with the CCN but the operational split is clear: CCN covers public administration and classified information, INCIBE covers private enterprise and citizens.

What it contributes operationally to the Spanish ecosystem:

• Single point of contact for private companies needing support during incidents.
• Technical advisories on vulnerabilities in products used in Spain.
• Free training and materials for SMEs, citizens, minors and educators.
• Mediation and support services in cases of cyberattacks against companies and citizens.
• Badges and seals private companies can use to evidence good practice.
• Coordination with international CSIRTs and unclassified strategic operators.

INCIBE also operates the public domains incibe.es and osi.es (Office of Internet Security), and maintains an active social media presence for early alerts.

The four organising functions

INCIBE's internal structure pivots around four main lines.

1. INCIBE-CERT

The computer security incident response team for citizens, private enterprise and unclassified strategic operators. The most visible piece for cybersecurity professionals.

Key functions:

• Response coordination during national incidents.
• Publication of vulnerability advisories detected by Spanish researchers or affecting products used in Spain. Detail of how this gets used in the what is a CVE guide.
• Agreements with CNAs (CVE Numbering Authorities) for responsible disclosure coordination with Spanish researchers.
• Technical analysis of malware samples detected in Spanish companies.
• Participation in the EU CSIRTs Network and other international forums (FIRST, TF-CSIRT).

Web: https://www.incibe-cert.es/. Notification: online form and email incidencias@incibe-cert.es (for critical cases, also a specific phone number).

2. Citizen services (OSI and Line 017)

OSI (Internet Security Office) offers materials and campaigns for individual users. Line 017 is the toll-free phone number (24/7) any citizen or company can call during an incident or cybersecurity query. Managed by specialised staff, it routes cases requiring technical response to INCIBE-CERT.

Line 017 handles tens of thousands of queries per year and is the first support tier for SMEs that don't yet have a contractual relationship with a cybersecurity provider.

3. Services for companies

Block including specific programmes for SMEs and strategic operators:

• Kit Digital. Subsidy programme (not purely INCIBE; Red.es manages it but INCIBE participates in the cybersecurity portion). Provides digital vouchers so SMEs can contract basic cybersecurity services.
• AENOR Cybersecurity Seal and other certifications promoted with AENOR and other entities.
• Innovation and Research Catalogue listing Spanish companies with cybersecurity R&D capabilities.
• Mentoring and acceleration programmes for sector startups (Cybersecurity Ventures).
• Cybercamp and CyberOlympics for young talent.

4. Talent and training

INCIBE runs programmes to attract and train cybersecurity talent: TalentHackathons, scholarships, university training with CCN and other entities, open training materials.

Difference with CCN and CCN-CERT

Confusion between INCIBE, CCN and CCN-CERT is very common. Key difference:

• CCN (Centro Criptológico Nacional). Attached to the CNI. Responsible for cybersecurity in the Spanish public administration and strategic operators with classified information. Headquartered in Madrid. Maintains Magerit (more detail in the Magerit guide), the CCN-STIC guide suite, PILAR and MicroCLAUDIA tools, and the CCN ENS certification.
• CCN-CERT. Government CSIRT for public administration and operators with classified information. Operational arm of CCN.
• INCIBE. State company for citizens, private companies and unclassified strategic operators.
• INCIBE-CERT. INCIBE's CSIRT.

Executive summary by situation:

• Private company with incident: INCIBE-CERT.
• Public administration with incident: CCN-CERT.
• Private company under NIS2 essential in a specific sector: sectoral authority (CNMC, Banco de España, etc.) plus INCIBE-CERT as technical support.
• Operator with classified information: CCN-CERT.
• Citizen or microenterprise query: OSI (part of INCIBE) and Line 017.

NIS2 has partly reorganised this allocation, assigning INCIBE the national authority role for many unclassified sectors.

How to notify an incident to INCIBE-CERT

The step-by-step operational flow for a Spanish company suffering an incident.

1. Internal decision. The CISO or equivalent decides to notify (NIS2/DORA can make it mandatory). Documenting the moment of the decision matters for the legal deadline.
2. Access to the notification portal. https://www.incibe-cert.es/reporte-de-incidentes or a specific line call for serious incidents.
3. Minimum information in the first report:

• Notifier contact details (organisation, person, phone, email).
• Nature of the incident (category: malware, intrusion, denial of service, data leak, social engineering, etc.).
• Affected assets (servers, data, customer services).
• Estimated impact (scope, criticality, number of people affected if there's personal data).
• If there are preliminary IoCs (hashes, domains, IPs).
• If there's suspicion of a specific actor.

4. Subsequent communication. INCIBE-CERT assigns an analyst who contacts to coordinate the technical response if needed. The interaction can be short (informative only) or intense (response coordination) depending on severity.
5. Incident closure. After remediation, closure gets notified with post-incident analysis if applicable.

INCIBE-CERT doesn't replace the security firm running the client's technical response; it provides national coordination, aggregated threat intelligence and communication with other CSIRTs if the incident crosses borders.

Fit with NIS2

The NIS2 Directive (EU 2022/2555) and its Spanish transposition through RD-Law 7/2025 reorganise competent authorities. INCIBE takes on several roles:

• National CSIRT for private enterprise unclassified under NIS2.
• Competent authority for several sectors (generic digital sector, online service managers, public information services).
• Single point of contact (SPOC) for European coordination with ENISA and other Member States.
• Maintenance of catalogues and tools supporting compliance.

NIS2 incident notification within 24/72h deadlines goes to the sectoral authority applying to the notifying entity; INCIBE-CERT receives the notification when the company falls into sectors where it's competent or when the sectoral authority itself routes it. Full process detail in the NIS2 Spain compliance guide and in NIS2 fines.

Concrete services any company can leverage

At no cost and without special requirements, a Spanish company can use:

• Subscription to INCIBE-CERT advisories by RSS, web or email. Alerts about critical CVEs in commercial products arrive before they appear in many commercial feeds.
• Security bulletin for companies. Periodic summary of relevant threats.
• OSI training materials and SME-specific. Free courses, awareness materials for internal sensitisation, basic phishing simulators.
• Anti-phishing service. Reporting of suspicious URLs that get processed to feed national blocking lists.
• Preliminary analysis of malware samples. Via form, INCIBE-CERT can analyse suspicious binaries.
• Catalogue of companies and solutions to find Spanish providers with recognised capabilities.
• Line 017. For non-critical queries or first tier in incidents.

For an SME without an in-house security team, knowing these services drastically reduces the initial curve.

Typical mistakes in the relationship with INCIBE

What gets observed in real projects with Spanish clients.

Confusing INCIBE with CCN. Appears especially with providers signing contracts with public administration. CCN is the contact for public services; INCIBE for private companies and citizens. Mixing them delays coordination when there's an incident.

Late notification under NIS2. Waiting to have the incident fully characterised before notifying breaches the 24/72h deadlines. The first report has to go with the information available even if partial, expanding afterwards.

Not subscribing to advisories. Companies that learn about Log4Shell, ProxyShell or equivalents days later through generalist news when they could have received early warning via INCIBE-CERT or CCN feeds.

Ignoring Line 017 as initial tier. For an SME without a security team, 017 is a useful entry point for non-critical incidents.

Overlooking Kit Digital. Companies paying for basic cybersecurity services from their own budget when they could cover part with vouchers. Applicable mainly to SMEs under 250 employees.

Frequently asked questions

Is INCIBE public or private?

Public. State-owned commercial company attached to the Ministry for Digital Transformation and Civil Service. Its services are free for citizens and private companies.

Does INCIBE replace the police or the AEPD?

No. INCIBE coordinates technical response and advisories. The criminal complaint goes to National Police or Guardia Civil (Central Brigade of Technological Investigation, BCIT, or Group of Telematic Crimes, GDT). Personal data breaches get notified to the AEPD within 72 hours per GDPR; INCIBE can accompany but doesn't replace that obligation. The specific NIS2 notification obligations and steps by sector are in the NIS2 directive enforcement and fines guide.

Can foreign companies use INCIBE?

General public services (advisories, open training materials) yes. Direct support services (INCIBE-CERT, Line 017) are oriented to entities with presence or victims in Spain. For companies headquartered outside Spain, the home country CSIRT is the natural contact point; INCIBE-CERT coordinates via the European network.

Does INCIBE certify?

It doesn't certify companies directly. It promotes badges and seals (including the AENOR Cybersecurity Seal and others), participates in recognition programmes, but formal certification is issued by ENAC-accredited bodies.

Difference between INCIBE and ENISA?

ENISA is the European Union Agency for Cybersecurity, headquartered in Athens. Coordinates cybersecurity at European level, manages the EUVD (European Vulnerability Database) and publishes reference guides for Member States. INCIBE is the Spanish national implementation. The two collaborate in the European CSIRT network.

Is there INCIBE for non-Spanish companies with Spanish clients?

If the foreign company provides essential or important services in Spain under NIS2, it's within scope of the Spanish competent authority. INCIBE can act as point of contact for those cases depending on sector. The company should have a designated EU representative under NIS2 if it doesn't have headquarters in the EU.

Does INCIBE publish public IoCs?

Yes, in technical advisories about specific threats. Granularity and speed are lower than commercial providers (Mandiant, CrowdStrike, Recorded Future) but the information is free and often specific to the Spanish context. Detail in threat hunting.

Related resources

• NIS2 in Spain: how to comply: the framework that most drives private enterprise interaction with INCIBE.
• NIS2 Directive: enforcement and fines: where INCIBE's role as authority for several sectors appears.
• What is Magerit: risk methodology from CCN, sibling organisation to INCIBE in the Spanish ecosystem.
• What is a CVE: the advisories INCIBE-CERT publishes about vulnerabilities in products used in Spain.
• What is a CISO: role that typically manages the relationship with INCIBE in mid-sized or large companies.
• ENS Spain certification guide: framework where CCN operates, complementary to INCIBE.

INCIBE in Secra projects

At Secra we integrate INCIBE-CERT services and advisories into the defensive flow of the clients we support: feed subscriptions, incident routing when applicable, coordination with the competent authority when NIS2 or GDPR are active, Kit Digital leverage for SMEs entering scope. If your company is about to start moving in the NIS2 ecosystem or wants to take advantage of Spanish public services before investing in a commercial provider, get in touch via contact or check our GRC consulting services.