70 % of cyber attacks in Spain hit SMEs, according to INCIBE data. The reason is straightforward: SMEs hold valuable assets — customer records, payment data, intellectual property — but have historically under-invested in protecting them. The average cost of an incident for a company with fewer than 50 employees exceeds 35,000 euros in recovery, lost productive time and reputational damage. Against that risk, current public programmes fund security tools and services that were previously out of reach for businesses without a dedicated IT department.
The Activa Ciberseguridad programme, managed by INCIBE and EOI under the Recovery Plan (PRTR), offers each qualifying company an advisory service valued at 2,140 euros: a technical diagnosis, a prioritised roadmap and awareness workshops for the team. Kit Digital, meanwhile, funds the deployment of concrete solutions — managed firewalls, threat detection, encrypted backup, identity management — with vouchers of up to 6,000 euros for companies with 3 to 9 employees and up to 12,000 euros for those with 10 to 49. In 2026, Order TDF/39/2026 has reactivated remaining funds from previous calls, meaning opportunities still exist for businesses that have not yet applied for a voucher.
These funding lines are accompanied by the NIS2 regulatory framework: the European directive — whose Spanish transposition is going through parliamentary process in 2026 — requires companies in essential and important sectors to implement minimum security measures, risk management, incident notification and personal accountability at board level. Although the final Spanish law has not yet been published, the European Commission has already launched infringement proceedings against non-transposing Member States, so waiting is not a viable strategy. Summum Sistemas structures the technical roadmap so that every subsidised investment also serves to comply with NIS2 when the law comes into force. For the governance and regulatory compliance analysis of NIS2, we coordinate with the Summum Consultoría team, which owns that domain within the group.