Back Spain

    Status regarding Budapest Convention

Status regarding Budapest Convention

Status : Party Declarations and reservations : Declaration in the instrument of ratification deposited on 3 June 2010. Original English. In case the present Convention on Cybercrime is extended by the United Kingdom to Gibraltar, the Kingdom of Spain would like to make the following declaration: 1. Gibraltar is a Non-Self-Governing Territory for whose external relations the United Kingdom is responsible and which is undergoing a process of decolonization in accordance with the relevant decisions and resolutions of the United Nations General Assembly. 2. The Gibraltar authorities are local ones and exercise exclusively internal powers which have their origin and basis in the distribution and attribution of powers made by the United Kingdom, in accordance with the provisions of its domestic legislation, as a sovereign State on which the said Non-Self-Governing Territory depends. 3. Accordingly, any participation by the Gibraltar authorities in the application of this Convention shall be considered as taking place solely within the domestic jurisdiction of Gibraltar and shall not be deemed to involve any change in respect of the preceding two paragraphs. Period of effect: 1/10/2010. Declaration set out in a letter deposited with the instrument of ratification on 3 June 2010. Original: English. In accordance with articles 24 and 27 of the Convention, Spain declares that the designated central authority is the Subdirectorate General for International Legal Cooperation of the Ministry of Justice. The above statement refers to articles 24, 27. Declaration made in a letter deposited together with the instrument of ratification on 3 June 2010. In accordance with article 35 of the Convention, Spain declares that the designated contact point of the 24/7 network is the General Commissariat of the Judicial Police of the Ministry of the Interior. Period of effect: 1/10/2010. The above declaration refers to article 35. See legal profile

Cybercrime policies/strategies

National Cybersecurity Strategy 2019 has been approved by the National Security Council of the Government of Spain.

Specialised institutions

The General´s Prosecutor’s Office has a Unit that is a specialized on Cybercrime and a network of specialized prosecutors. The Central Unit of Cybercrime, coordinated by a Prosecutor of the first Category supported by two deputy prosecutors, has the scope is to coordinate all the activities of the prosecutors, nationwide. The specialized network will be integrated by a district attorney of each and every Provincial Prosecutor´s office, who will be responsible for the respective provincial Unit. Every specialized unit will have the number of prosecutors considered to be necessary in reason of the volume of the activity that they should develop.


There is no such a structure regarding judges.


The General´s Prosecutor’s Office already established a first delimitation of what was to be understood as cybercrime in its Instruction 2/2011 of 11 October “Concerning Specialised High Prosecutors on Computer-related Crimes and the Sections for computer-related crimes of the Prosecutor’s offices.


The offences which are competence of this area of specialisation are currently those listed below, grouped into three categories:

  1. Crimes where the object of the criminal activity is the computer systems themselves or the ICT.
  • Computer damages (Articles 264, 264 bis, 264 ter and 264 quater of the Criminal Code)
  • Illegal access to systems, illegal interception and availability of tools to commit these offences (Articles 197 bis, 197 ter, 197 quarter and 197 quinquies of the Criminal Code)
  • Discovery, disclosure or dissemination of secrets committed through ICTs or whose object are data recorded in electronic or telematic files or supports (Article 197 of the Criminal Code).
  • Discovery and disclosure of business secrets committed through the use of ICTs or whose object is data recorded in computer or electronic files or media. (Article 278 of the Criminal Code).
  • Offences against broadcasting and interactive services (Article 286 of the Criminal Code)


B) Crimes where criminal activity uses the advantages offered by ICTs for its execution.

  • Fraud committed through ICT (Article 248.2 a) b) and c) of the Criminal Code,
  • Harassment of children through ITC, child grooming (Article 183 ter of the Criminal Code)
  • Children/disabled persons pornography (Article 189 of the Criminal Code)
  • Crimes against intellectual property when committed using ICTs (Articles 270 et seq. of the Criminal Code)


C) Crimes in which criminal activity uses for its execution the advantages offered by ICTs or its research that demands specific knowledge in the field.

  • Falsification of documents when ICTs have been used for the execution of the crime, when that circumstance was a determining factor in the criminal activity and generated special technical complexity in the criminal investigation(Articles 390 et seq. of the Criminal Code )
  • Slander and defamation against public officials, authorities or agents of the same, committed through ICTs ( Articles 211 et seq. of the Criminal Code)
  • Threats/intimidation through ICTs (Articles 169 et seq. of the Penal Code)
  • Harassment through ICTs (Article 172 ter of the Criminal Code)
  • Degrading treatment through ICTs (Article 173.1 of the Criminal Code)
  • Discrimination against individuals or groups of individuals defined by their personal, family, physical, ideological, racial, national, economic or sexual characteristics through ICTs (Articles 510 and 510 bis of the Criminal Code)


Also, any other type of crime in which the use of ICTs has been a determining factor in its execution and in which this circumstance generates a special complexity in the criminal investigation.


With a view to unifying criteria regarding the interpretation and the application of criminal definitions to wrongful acts committed through the network, the General Prosecutor’s Office has produced and issued the following circulars:

  • Circular 2/2015 of 19 June, “on the crimes of child pornography after the reform introduced by OL1/15”, in which the legal concept of child pornography and the objective and subjective elements of the different categories of offences related to the production, possession and distribution of child pornography are analysed, as well as the aggravated sub-types and the additional penalties to be imposed.
  • Circular 8/2015 of 21 December “on the crimes against intellectual property committed through information society services after the reform introduced by LO1/2015”, focussing on the establishment of guidelines for the interpretation of the new criminal definitions punishing these conducts in the light of the recent criteria laid down by the case-law of both national and international courts on this matter.
  • Circular 3/2017, “on the reform of the Criminal Code introduced by OL 1/2015 of 30 March concerning the crime of discovery and disclosure of secrets and the crime of computer damages”, with regard to the criminal definitions punishing attacks against information systems and which are the result of incorporating Directive 2013/40/EU to Spanish Law. Member States are therein invited to define as crimes conducts that were not regarded as such in the Framework Decision 2005/222/JHA, such as the illegal interception of non-public transmissions of computer data, or the intentional production, sale or purchase for the purpose of using, importing, distributing or in any other way making available instruments suitable for the perpetration of this type of offences in order to be used to that end.
  • Circular 1/2019, "on common provisions and safeguards for technology research measures in the Code of Criminal Procedure”.
  • Circular 2/2019 , "on the interception of telephone and telematic communications"
  • Circular 5/2019 , "on the registration of computer devices and equipment"

With the above circulars, the General Prosecutor’s Office wants to establish common guidelines on the interpretation and application of the mentioned precepts. These can be used not only by the members of the Public Prosecution Service, but also by any other legal practitioners, members of law enforcement bodies and other organisations involved in preventing such conducts and/or ensuring security in cyberspace


From Law Enforcement perspective, the Ministry of Interior leads the cybersecurity policies. The structure was consolidated by Royal Decree 770/2017, where State Secretariat for Security coordinates the cybersecurity actions through CNPIC (National Critical Infrastructure Protection and Cybersecurity Centre).

  • Within CNPIC, the OCC (Cybersecurity Coordination Office) undertakes the technical coordination and communication with the national CERTs and it is the POC with the cybercrime investigation units of Spanish LEAs.
  • Spain has an integral model of LEAs with full capabilities across the country. Guardia Civil and Cuerpo Nacional de Policía have specialized cybercrime units, not only engaged in investigation activities but also in forensics, R & D and intelligence. There are also some regional police forces, such as Mossos d´Esquadra and Ertzainza with cybercrime units.


On the other hand, Spain has the Cybersecurity National Institute (INCIBE) on behalf of Ministry of Economic Affairs and Digital Transformation. This Institute manages the INCIBE-CERT, the reference cybersecurity incidents response center for citizens and Spanish private law entities, since Royal Decree-Law 12/2018 (Spanish Network and Information Security Directive transposition) has published.


Last but not least, the Spain Data Protection Agency is the independent public authority responsible for ensuring the privacy and data protection of Spanish citizens

Jurisprudence/case law


As it is not possible to list all the cases in which the technological crimes listed above apply, below a selection  of judicial decisions as examples, as they expressly mention the Budapest Convention as the reference for the interpretation of the national law.

Relating to crimes of child pornography

  • Supreme Court Judgment of February 24, 2015.- in which the Budapest Convention and the Lanzarote Convention of the Council of Europe are mentioned for the purposes of criminalization of child pornography and Child grooming crimes respectively.
  • Sentence of the Supreme Court of September 14, 2016.- Like the previous, mentions article 9 of the Budapest Convention for the delimitation of the facts that should be considered as crimes of child pornography.
  • Judgment of the Supreme Court of September 14, 2016.- Likewise, in order to define the facts that should be classified as crimes of child pornography, cites article 9 of the Budapest Convention.
  • Judgment of the Provincial Court of Alicante of November 20, 2018.- Used to define the concept of child pornography article 9 of the Budapest Convention.
  • Judgment of the Provincial Court of Girona of March 5, 2015 - Like the previous citation, used article 9 of the Convention for the purpose of defining the concept of child pornography
  • Judgment of the Provincial Court of Zaragoza of December 22, 2017, for the purpose of defining the concept of pornographic material.
  • Judgment of the Provincial Court of Castellón of September 21, 2018 - In a case of possession of child pornography mention the Conventions of Lanzarote and Budapest and their respective explanatory reports to delimit what is to be understood as material of pornographic character .
  • Judgment of the Provincial Court of Madrid of November 27, 2017 which, like the previous one, refers to the explanatory reports of the Lanzarote and Budapest Conventions to interpret what is to be understood by sexually explicit conduct contained in the article 9.2 of the Budapest Convention


Relating to crimes of irregular access to computer systems

  • Judgment of the Girona Provincial Court of June 22, 2015.- in which the Budapest Convention is mentioned for the interpretation and application of the crime of illegal access to systems. This is an assumption prior to the reform of the Spanish criminal type that took effect in 2015 and analyses the contraposition of the precept previously in force with article 2 of the Convention.


Relating to crimes of attack on the integrity of data and systems

  • Judgment of the Provincial Court of Palencia of July 14, 2016, in which the defendant was condemned for the crime of computer damage, due to a conduct that determined the inaccessibility of computer programs pursuant of article 1 of the Convention.
  • Judgment of the Provincial Court of Madrid of September 4, 2019 in which the defendant was condemned for computer damages, articles 2 to 6 of the Budapest Convention are mentioned for the purposes of interpretation of articles 264-264 quater of the Spanish Criminal Code.


Other issues:

  • Judgment of the Provincial Court of Madrid of October 23, 2015 relating to an action consisting of removal of computer equipment, refers to the concept of computer data of the article 1 of the Budapest Convention.

Sources and links


Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 


  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links