Incident handling

   Have you suffered an incident? Contact us

Logo respuesta a incidentes de ciberseguridad - INCIBE

Citizens: Incidencias INCIBE-CERT

Companies: Incidencias INCIBE-CERT

Institutions affiliated with the Spanish academic and research network (RedIRIS): Mailbox of RedIRIS

Critical infrastructure operators: Buzón PIC de INCIBE-CERT

Digital service providers: Incidencias INCIBE-CERT

If you wish, you can also contact us through the following form

INCIBE-CERT is the reference security incident response centre for both Spanish citizens and private legal companies. Its functions include:

  • offering technical support and providing information to assist in the resolution of cybersecurity incidents in their scope of action,
  • employing techniques for the early detection of incidents, notifying those affected, so that they can take measures,
  • maintaining contact with internet providers and other CERTs (national and international computer emergency response teams), notifying them of the incident, so that measures can be taken to limit or prevent its continuity.

INCIBE-CERT does not perform these functions:

  • Take direct action on resources used in cybersecurity incidents, such as:
    • closing websites,
    • blocking telephone network resources,
    • blocking profiles on social media,
    • blocking or shutting down other digital resources.
  • Perform actions that fall within the competence of the State Security Forces and Corps, except for notification and coordination with all the players involved to improve the effectiveness of the fight against possible crime, such as:
    • prosecution of cybercriminals,
    • actions in the event of data theft or leaks,
    • handling situations of digital harassment, or
    • other cybercrimes.
  • Answering questions or queries in the field of cybersecurity on issues about:
    • legal issues, 
      consumer related,
    • copyright,
    • the registration of .es domains,
    • the legitimacy of websites, or
    • other questions or queries.
  • Lodging complaints with:
    • State Security Forces and Corps,
    • Spanish Data Protection Agency (AEPD), or
    • other types of complaints or emergencies.

In its role as a CERT(Computer Emergency Response Team), INCIBE-CERT provides services for cybersecurity incidents reported by citizens and companies in Spain. The purpose of the service is to provide INCIBE-CERT's target audiences with the technological and coordination capacity to offer operational support in the event of cyber threats or cyber incidents.

This service is continuously available to citizens, companies, digital service providers, member entities of RedIRIS and strategic operators on a 24x7x365 basis.

INCIBE-CERT's specialised technical incident response team provides technical support for cybersecurity incidents. To protect the confidentiality of the data provided, INCIBE-CERT has PGP public keys that allow their encryption.

Likewise, if the incident involves a crime, INCIBE-CERT facilitates the arrival and coordination with the State Security Forces and Corps in the event that the affected party wishes to file a complaint.

In addition to receiving incidents through the mailboxes for this purpose, INCIBE-CERT uses techniques for the anticipation and early detection of incidents based on the aggregation of information sources. This makes it possible, on the one hand, to produce alerts and warnings on campaigns to improve protection against cyber threats. On the other, for the early detection of incidents, it notifies the affected party and liaises with internet providers and other CERTs if necessary.

Within the actions under way to collaborate in the fight against fraud, we pay special attention to cases related to '.es' TLD domains, for which we work very closely with dominios.esdominios.es. The cooperation of customers and users of the affected service is essential to properly block fraudulent content and avoid the impact it may have on these users.dominios.es. The collaboration of clients and users of the affected service is essential to properly block fraudulent content and prevent the impact it may have on said users.

The Incident Response service is aimed at:

  • Citizens: through the Office of Internet User Safety and the Incidencias INCIBE-CERT email address.
  • Companies: through Protect your company and the Incidencias INCIBE-CERT email address.
  • Institutions affiliated with the Spanish academic and research network (RedIRIS): through the Mailbox of RedIRIS email address.
  • Essential and critical infrastructure operators: through the Buzón PIC de INCIBE-CERT email address.
  • Digital service providers: through the Incidencias INCIBE-CERTemail address.

Contact the incident management service for RedIRIS. If you wish to obtain further information about incident management, you can check the following links:

RedIRIS also provides a list of valuable services, in collaboration with INCIBE:

  • The restricted list for security officers of member institutions of RedIRIS for the coordination of security incidents. At least one contact point per member institution must be registered on this list.
  • The activities that INCIBE, in coordination with RedIRIS, provides to RedIRIS member institutions are: incident management, technical advice, procedures, action guides, courses, recommendations, etc. INCIBE supports RedIRIS in those national or international forums or activities related to the provision of the Incident Response Service.

No, when you refer a cybersecurity incident to us we will evaluate the actions we can take with the associated digital resources depending on the type of incident, but in no case does this replace the filing of a report with the State Security Forces and Corps. This complaint must be made by the interested party, and in person.

From the point of view of reporting this type of situation, INCIBE-CERT has neither the legal authority nor the power to undertake this type of action. But you can talk to the INCIBE Cybersecurity Helpline through its different channels, which offers help and psychosocial support in cases of digital harassment for minors.

My company has suffered a web intrusion or an attack Can you help me from INCIBE-CERT?

Yes, at INCIBE-CERT we can offer you the guidelines and considerations to take into account for containment, mitigation and recovery in the event of a web intrusion or attack on your company. These guidelines and considerations should be implemented by the technical staff of the organisation concerned or its outsourced technology and/or cybersecurity company. All the help we can offer you from INCIBE-CERT in no case replaces the company or tech personnel with whom you work. In this sense, we are a facilitating agent so that you can resolve the incident as quickly as possible. As always, we would appreciate it if you could provide us with information regarding the attack, such as IOCs and hosts involved in the attack, in order to make appropriate notifications and expand our knowledge base.

If you are a citizen or a company and want to ask us a question or resolve any doubts you may have about cybersecurity, you can contact us via the national, free and confidential telephone number 017; or the instant messaging channels on WhatsApp (900 116 117) and Telegram (@INCIBE017). A multidisciplinary team of experts will attend you from 8.00 am to 11.00 pm every day of the year (including Saturdays, Sundays and public holidays). All information on this service is available on the Cybersecurity Helpline.

INCIBE-CERT does not have the power or authority to return a domain to its rightful owner. Depending on different variables, from the registry authority itself or by filing a complaint, you may be able to recover your domain. For domains of the '.es' TLD, is it possible to use the out-of-court conflict resolution system (DRP)? For the use of '.es' domain names developed by the public corporate entity Red.es to claim ownership of the affected domain, alleging the legitimate interest that you may have as the claimant. You can find more information at this link: recover your domain. You can also request dominios.es to cancel the domain if your case falls within the cases set out at: cancel your domain

No, INCIBE-CERT does not have the power or authority to act in this type of situation. If you wish to report an emergency or require immediate police presence, you should call the emergency number 112, so that your case can be assessed by professionals and the appropriate emergency services can be activated.