Cybercrime accounts for one in five crimes in Spain

Spain recorded 488,426 cybercrimes in 2025, accounting for 19.8% of all reported crime, according to the Spanish Ministry of Interior’s latest Cybercrime Report. The figure shows a 5.1% increase from 2024, demonstrating the growing threat of digital crime nationwide.

Computer fraud and online scams continued to dominate cybercrime, accounting for nearly nine in ten reported offences with 429,677 cases. Internet-related forgery increased by 11.3% to 21,690 cases, while sexual offences rose by 21% and illegal access or interception offences surged by 40.7%, highlighting the growing diversity of cybercriminal activity.

The number of cybercrime victims reached 383,285, up 9.3% from 2024. People aged 51 to 65 were the most frequently targeted, particularly through credit card fraud and travel cheque scams, accounting for 146,737 victims. Although most victims were male, the types of cybercrime varied considerably across age groups and demographics.

Critical infrastructure operators experienced 90 cyberattacks in 2025, a 43.8% decrease from the previous year. The transport sector accounted for 42.2% of incidents, followed by the information and communications technology sector with 15.5%.

Why does it matter?

The report shows that cybercrime has become a mainstream form of criminal activity, accounting for nearly one in five reported offences in Spain. The continued growth in fraud, online scams and unauthorised access highlights how digital crime is evolving alongside greater reliance on online services by individuals, businesses and public institutions.

Although attacks on critical infrastructure declined, the overall increase in cybercrime and victim numbers suggests that law enforcement and cybersecurity authorities will need stronger investigative capabilities, cross-border cooperation and preventive measures to keep pace with increasingly sophisticated digital threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission panel recommends social media restrictions for under-13s

A special panel convened by the European Commission has recommended restricting access to social media and other high-risk digital services for children under 13, arguing that platforms should prove they are safe before minors are allowed to use them.

The report was prepared by the co-chairs of the Special Panel on Child Safety Online, Prof. Dr. Jörg M. Fegert and Dr. Maria Melchior, whom European Commission President Ursula von der Leyen appointed in March 2026 to advise on child safety online and possible age restrictions for social media.

The panel met three times between March and June 2026 to examine scientific evidence on the impact of social media and digital environments on minors, review existing EU and national rules, and develop recommendations to better protect and empower children online.

The report uses the term ‘social media+’ to describe social media and other digital services that expose minors to potentially harmful features, including addictive design, infinite scroll, autoplay, recommender systems, persistent notifications, AI companions, video games and video-sharing platforms.

The co-chairs argue that providers, not children or parents, should bear the burden of demonstrating that their services are safe by design and appropriate for young users. Until then, they recommend restricting access for children under 13, while allowing member states to introduce additional precautionary measures for older adolescents if needed.

The recommendations also call for proportionate age-assurance systems, stronger safety-by-design requirements, limits on addictive platform features, more effective complaints mechanisms for minors and stronger enforcement of existing EU legislation, including the Digital Services Act, GDPR and AI Act.

The report also urges the EU to close legislative gaps on child sexual abuse online by adopting permanent obligations requiring providers to prevent, detect, report and block abuse, including in interpersonal communications.

Beyond restrictions, the report emphasises digital empowerment through stronger media literacy for children, parents, teachers and caregivers, greater participation by young people in policymaking, improved parental guidance, increased support for civil society organisations and helplines, and more investment in offline activities such as sports, arts and youth spaces.

The report concludes that protecting children online requires an ecosystem-wide approach involving regulators, digital service providers, educators, parents, caregivers and children themselves. It argues that children’s rights should apply online just as they do offline, balancing protection with opportunities to learn, participate and communicate.

Why does it matter?

The report could significantly influence future EU policy on children’s access to digital services, platform design and online safety. By recommending a default restriction for children under 13 and placing responsibility on providers to demonstrate that their services are safe, it shifts the debate away from parental responsibility towards platform accountability.

Although the recommendations are not legally binding, they are likely to inform future discussions on the Digital Services Act, the AI Act and wider EU child protection policies. If adopted, they could reshape how online platforms design services for younger users across Europe.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

CISA shares lessons from GitHub credential exposure

CISA has published details of an internal CISA incident response triggered after an investigative reporter alerted the agency to Amazon AWS GovCloud keys and other internal information exposed in a public GitHub repository.

The agency said the information was identified by a security researcher whose company continuously scans public code repositories. The repository was not part of CISA’s official GitHub environment but belonged to a contractor’s personal GitHub account.

According to CISA, its Office of the Chief Information Officer immediately took the repository offline and preserved it for forensic analysis. The agency also suspended its development environment, reset affected credentials and revoked the contractor’s system access.

The investigation found that the contractor had uploaded copies of a CISA build and deployment repository to a personal GitHub account while attempting to build cloud infrastructure independently. The repository contained infrastructure-as-code, build scripts, administrator credentials and build credentials.

Forensic analysis found no evidence that the exposed credentials had been used outside CISA environments and no customer or mission data was compromised.

CISA subsequently rotated all credentials associated with environments where the contractor had administrator privileges, expanded repository allow and deny lists, and restricted users’ ability to upload code to public repositories before restoring the development environment.

The agency said the incident reinforced the value of taking external vulnerability reports seriously, applying Zero Trust principles to development environments and maintaining detailed logging that enabled rapid investigation.

It also identified several areas for improvement, including stricter controls over public repositories, better secrets detection, clearer GitHub and cloud incident response playbooks, simpler reporting channels for security researchers, stronger development environment guardrails and more mature cryptographic key management.

CISA also said organisations should maintain clear reporting channels for incidents affecting their own environments and publish reporting instructions in multiple locations rather than relying solely on a security.txt file.

The agency said publishing its own incident response experience is intended to help other organisations strengthen their security practices and improve preparedness for similar incidents.

Why does it matter?

The incident illustrates how easily sensitive credentials can be exposed through routine developer workflows and personal code repositories, even within organisations responsible for cybersecurity. It also highlights the importance of rapid detection, credential rotation and strong access controls when managing cloud infrastructure.

By publicly documenting both its response and the lessons learned, CISA is encouraging organisations to treat incident reporting, secrets management, Zero Trust architecture and developer governance as integral parts of software security rather than afterthoughts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission launches consultation on data sovereignty

The European Commission has launched a targeted consultation on data sovereignty, seeking feedback on challenges affecting EU organisations, cross-border data flows and strategic data dependencies.

The consultation targets stakeholders across the data value chain and a range of economic sectors. It seeks input on data-related dependencies, including barriers to accessing or using data in third countries, obstacles to transferring data into the EU, and risks associated with third-country access to sensitive data.

The European Commission supports the Data Union Strategy adopted in November 2025, which aims to strengthen the EU’s data sovereignty and reinforce its position in international data flows.

The initiative is also linked to the European Tech Sovereignty Package, which covers semiconductors, AI, cloud computing and open-source technologies. According to the Commission, these measures are intended to strengthen Europe’s digital autonomy and support its ambition to become an AI continent.

The consultation will remain open until 8 September 2026 at 23:59 CEST.

Why does it matter?

The consultation reflects the EU’s growing view that data sovereignty is both an economic competitiveness issue and a matter of strategic security. By examining cross-border data flows, third-country access and data dependencies, the Commission is seeking to reduce vulnerabilities while preserving trusted international data exchanges.

The exercise also highlights how data governance is becoming a central pillar of the EU’s broader technology sovereignty agenda. The feedback received could help shape future policies on cloud services, AI, digital infrastructure and international data transfers as Europe seeks to balance openness with greater strategic autonomy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EDPB adopts GDPR guidance for AI, blockchain and anonymisation

The European Data Protection Board (EDPB) has adopted new guidelines on anonymisation, web scraping for generative AI, and the use of blockchain technologies under the General Data Protection Regulation (GDPR). The measures aim to provide organisations with greater regulatory clarity while protecting individuals’ personal data rights.

The anonymisation guidelines set out criteria for determining when data can be considered anonymous, focusing on whether individuals can be isolated, linked to other datasets or reidentified through inference. The framework is intended to help organisations assess when data can be used without identifying individuals.

The web scraping guidance outlines the GDPR obligations associated with collecting online data to train generative AI models. The EDPB emphasises transparency, purpose limitation, data accuracy and data minimisation, while noting that processing sensitive personal data requires additional legal safeguards.

The Board also adopted its blockchain guidelines following public consultation, explaining how different blockchain architectures may affect GDPR compliance. The recommendations are intended to help organisations deploy blockchain technologies while addressing privacy challenges associated with decentralised data processing.

Why does it matter?

The EDPB’s guidance provides greater legal certainty for organisations developing AI and blockchain applications in Europe. As generative AI increasingly relies on large-scale data collection and blockchain adoption continues to expand, clearer GDPR expectations could shape how organisations collect, process and protect personal data.

The guidance also illustrates how European regulators are adapting long-standing data protection rules to emerging technologies without creating separate privacy frameworks for each new innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

UK Treasury highlights economic value of cyber resilience

HM Treasury has published a report arguing that cyber resilience in financial services should be treated as a strategic capability rather than simply a compliance requirement or technical cost.

The report, The Value of Resilience: Cyber Resilience in Financial Services, brings together evidence on the economic and operational value of resilience, focusing on the growing impact of cyber disruption across the financial sector.

The report argues that cyber risk has intensified as financial institutions become more dependent on digital infrastructure, third-party providers, cloud services and shared technologies. It cites the Bank of England’s 2026 H1 Systemic Risk Survey, in which 82% of UK banks, insurers and asset managers identified cyberattacks as one of the financial system’s a top five risks.

HM Treasury also cites National Cyber Security Centre data showing a sharp rise in nationally significant cyber incidents during 2024–25. Highly significant incidents increased by 50% year on year, while nearly half of all incidents handled by the NCSC met the threshold for national significance.

The financial impact can be considerable. KPMG Cyber Risk Insights modelling cited in the report estimates plausible worst-case annual ransomware losses of more than £230 million for mid-sized financial firms and around £466 million for large institutions, illustrating how average loss estimates can underestimate severe but plausible cyber events.

Beyond direct financial losses, the report links major cyber incidents to operational disruption, reputational damage, lost revenue and reduced investor confidence, noting that affected firms may underperform the market for a year or longer.

At the same time, HM Treasury argues that stronger cyber resilience can reduce both the likelihood and impact of disruption through earlier detection, faster containment, more effective escalation procedures, recovery planning, service prioritisation and fallback arrangements.

The report also presents resilience as a driver of growth rather than simply a defensive measure. Citing Accenture research, it argues that highly resilient organisations generate faster revenue growth, achieve stronger profit margins and are better positioned to modernise systems, adopt AI and pursue digital transformation without disruption undermining progress.

Why does it matter?

The report reframes cyber resilience as a source of competitive advantage rather than simply a risk management function. For financial institutions, stronger resilience is presented not only as a way to protect customers and market confidence, but also as an enabler of AI adoption, digital transformation and long-term business performance.

The findings also reflect a broader shift in cyber policy. As financial services become increasingly dependent on cloud infrastructure, AI and interconnected digital ecosystems, regulators are treating operational resilience as a strategic capability that underpins both financial stability and economic growth.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Parliament updates Digital Agenda for Europe factsheet

The European Parliament has updated its factsheet on the Digital Agenda for Europe, outlining how the EU’s digital policy has shifted from setting strategic goals to implementing rules on platforms, data, digital identity, AI and cybersecurity.

The factsheet says digital platforms and emerging technologies continue to reshape how Europeans work, communicate, shop and learn. Since 2024, the EU has focused on implementing legislation designed to strengthen digital security, promote fair competition and support digital sovereignty alongside the green transition.

The updated overview of the Digital Agenda for Europe situates current policy within a longer trajectory, from the 2010 Digital Agenda and the 2015 Digital Single Market strategy to the 2030 Digital Compass and the Digital Decade framework. Together, these initiatives set targets for digital skills, public services, business transformation and resilient digital infrastructure.

The document highlights several core policy areas. On data, it points to the EU’s framework built around the GDPR, the Data Governance Act and the Data Act. On AI, it notes that the AI Act has been in force since August 2024, with its provisions applying in stages under the oversight of the EU AI Office.

The factsheet also identified the Digital Services Act (DSA) and Digital Markets Act (DMA) as key pillars of the EU’s digital single market. It notes that the DSA has applied in full since February 2024, while DMA enforcement intensified in 2025 with the first fines imposed on designated gatekeepers.

Cybersecurity is another major focus. The document highlights the expanded scope of the NIS2 Directive, the Cyber Resilience Act, which entered into force in December 2024, and the Cyber Solidarity Act, aimed at strengthening EU-wide cyber detection and incident response.

The update also highlights digital identity, interoperability, platform work, media freedom, digital education and infrastructure resilience as continuing priorities within the EU’s broader digital policy agenda.

Why does it matter?

The update illustrates how the EU’s digital strategy has entered a new phase focused on implementation rather than legislation. With most of its major digital laws now in force, attention is shifting from adopting new rules to enforcing them consistently across member states and ensuring they deliver tangible results.

That shift is significant because the success of the EU’s digital agenda will increasingly be judged by its practical impact on competition, cybersecurity, AI governance, digital sovereignty and the functioning of the single market, rather than by the number of new regulatory initiatives.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UN explores how AI can scale human rights implementation

Digital tools and AI can help governments turn thousands of human rights recommendations into concrete action, but only if technology remains firmly guided by human expertise and institutional cooperation, speakers concluded during a WSIS Forum 2026 session on scaling digital tools for human rights monitoring.

The discussion brought together representatives from Costa Rica, the Office of the UN High Commissioner for Human Rights (OHCHR), academia, and civil society to examine how digital platforms, AI-assisted analysis, and improved data management can enhance the implementation of recommendations issued by UN human rights mechanisms.

Costa Rica shares experience with recommendation tracking

Opening the discussion, Domenico Zipoli, Head of Programmes at the Geneva Human Rights Hub, noted that governments receive thousands of recommendations every year from treaty bodies, the Universal Periodic Review (UPR), special procedures, and regional mechanisms, making implementation increasingly difficult without digital support.

Costa Rica’s Roberto Cespedes, Chargé d’Affaires at the country’s mission to the UN in Geneva, explained how the National Recommendations Tracking Database (NRTD) has transformed the country’s follow-up process.

Costa Rica established its National Mechanism for Implementation, Reporting and Follow-up (NMIRF) in 2011, bringing together ministries, parliament, the judiciary, and the national human rights institution. However, for years, the mechanism lacked an effective technological platform capable of managing recommendations from multiple international processes.

‘The database has significantly improved visibility of recommendations across institutions,’ Cespedes said.

He highlighted the tool’s ability to cluster recommendations by topic, enabling ministries to identify shared responsibilities and collaborate more effectively. Rather than working in isolation, institutions increasingly recognise the need for coordinated implementation.

Costa Rica is also working to expand access beyond government. Cespedes said civil society organisations are expected to gain direct access to the platform, allowing them to monitor implementation, provide feedback, and strengthen transparency.

OHCHR: AI can assist, but humans remain indispensable

Presenting the UN perspective, Marie Eve Boyer, Human Rights Officer at OHCHR, explained that the NRTD was developed to address the fragmentation of international human rights recommendations.

Built on the Universal Human Rights Index, the platform enables governments to consolidate recommendations, assign responsibilities across ministries, monitor progress, and prepare reports more efficiently.

Boyer noted that 20 countries are already using the NRTD, while another 40 are waiting for deployment.

She argued that AI has significant potential to support implementation by identifying relevant information, clustering recommendations, highlighting data gaps, and scaling reporting processes. However, she stressed that technology cannot replace human judgement.

‘AI can help process information, but it cannot understand the reality experienced by communities,’ she said, adding that contextual expertise remains essential when assessing whether recommendations have genuinely been implemented.

She also warned against viewing digital tools as substitutes for strong institutions, arguing that successful implementation depends on sustained human engagement alongside technological innovation.

Generative AI opens new possibilities for legal experts

Offering an academic perspective, Lukasz Szoszkiewicz, Assistant Professor at Adam Mickiewicz University in Poznań, demonstrated several prototype tools built using natural language processing and generative AI.

His projects include searchable databases of UN treaty body jurisprudence, analytical dashboards for the Universal Human Rights Index, and paragraph-level search tools for European Court of Human Rights decisions.

Szoszkiewicz argued that generative AI is fundamentally changing software development by enabling lawyers, researchers, and other domain experts to build specialised digital tools themselves rather than relying solely on IT teams.

‘Domain experts now have the possibility to develop tools that match exactly what they need,’ he explained.

He also addressed concerns about AI hallucinations, recommending that large language models be used primarily to generate deterministic software code rather than directly analysing sensitive datasets. This approach, he said, produces more reliable and verifiable results while reducing the likelihood of inaccurate outputs.

Better data still needed to measure real-world outcomes

Audience interventions highlighted persistent challenges surrounding data availability and measuring whether human rights recommendations actually improve people’s lives.

Representatives from civil society organisations working on torture prevention and disability rights pointed to the difficulty of obtaining reliable outcome data, particularly in countries where governments do not systematically publish relevant information.

Responding to these concerns, Boyer said OHCHR is exploring minimum datasets that could help governments monitor implementation more consistently while aligning human rights indicators with the Sustainable Development Goals.

Cespedes added that AI could eventually help governments identify positive actions that officials may not even realise correspond to international recommendations, making implementation more visible and easier to document.

Throughout the session, speakers agreed that AI and digital platforms should be viewed as tools to strengthen human rights implementation rather than replace human oversight. They concluded that meaningful progress will depend on better data, stronger institutional cooperation, and continued collaboration between governments, international organisations, academia, and civil society.

Track all key moments from the WSIS Forum 2026 on our dedicated WSIS page.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

ECB urges banks to prepare for AI cyber threats

The European Central Bank has called on major euro area banks to prepare action plans to address AI-enabled cybersecurity threats.

In a letter to bank CEOs, ECB Banking Supervision said emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed.

The ECB warned that AI is compressing the time between vulnerability discovery and exploitation, with potentially serious implications for the confidentiality, integrity and resilience of banks’ ICT systems.

The central bank said the change is a long-term shift in the threat landscape, not a temporary risk linked to a single tool.

Banks have been asked to submit action plans to their Joint Supervisory Teams by 31 October 2026.

The plans should set out concrete measures, resources, roles, responsibilities and implementation timelines for strengthening cyber resilience.

Short-term priorities include faster vulnerability and patch management, stronger monitoring and detection, AI-enabled defensive capabilities and updated third-party risk management.

The ECB also called for structural measures such as defence-in-depth, improved cyber hygiene, infrastructure modernisation, crisis management, recovery arrangements and information-sharing.

The letter follows a European Systemic Risk Board warning about systemic cyber risks posed by frontier AI models.

ECB Banking Supervision also said it will address cybersecurity risks linked to quantum computing in a separate letter.

Why does it matter?

The ECB letter turns AI-enabled cyber risk into a concrete supervisory issue for major euro area banks. If AI accelerates vulnerability discovery and exploit generation, banks will face shorter windows for patching, detection and response. The focus on third-party providers and supply chains is also important because financial institutions depend heavily on external ICT services. The ECB’s approach links AI cyber threats with DORA-style operational resilience, showing that advanced AI is now part of mainstream financial supervision.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!