Digital governance: the six challenges shaping business strategy

Spain remains one of the European markets with the highest incidence of cyberattacks, an indicator that reflects not only the country's attractiveness to cybercriminals, but also the complexity and fragmentation of the digital business ecosystem. In this context, Spanish companies are beginning to strengthen their defensive strategies.

According to the "Hiscox Cyber Readiness Report 2025," 92% plan to increase their investment in cybersecurity and data protection over the next twelve months. However, increased budgets alone do not guarantee greater resilience. In this regard, Hiscox has identified six key challenges that are affecting corporate cybersecurity:

Advanced digital identity management: the historical reliance on weak and reused passwords has proven unsustainable, emerging as the biggest battleground. The transition to continuous verification and robust authentication models?supported by biometrics, cryptographic keys, adaptive multi-factor authentication, and zero-trust architectures?has become a critical operational requirement. The goal is no longer just to prevent unauthorized access, but to limit lateral movement, apply the principle of least privilege, and monitor user behavior in real time.

Agility in technology adoption and governance: the speed at which new digital solutions are incorporated often exceeds the ability to evaluate and govern them properly, leading to reactive decisions that prioritize uncontrolled innovation or blockages that hinder competitiveness. But effective cybersecurity requires continuous risk assessment processes, clear governance frameworks, and close coordination between technical, legal, and business areas, allowing for quick decisions without taking unnecessary risks.

Real human factor preparedness: the human component remains one of the most vulnerable links in the security chain. Although awareness has been institutionalized, its real impact is limited. According to the Hiscox 2025 Cyber Preparedness Report, 63% of Spanish companies identify prior awareness as the most decisive factor, highlighting the need for models based on behavioral changes that measure human risks and reinforce good practices, especially in profiles with critical access to information.

Risks arising from artificial intelligence: the accelerated incorporation of AI-based technologies has generated new attack vectors. In fact, according to the same report, 57% of Spanish SMEs consider that they have suffered AI-related cyberattacks in the last 12 months, and in 19% of cases, these attacks were carried out using AI-based tools or software. These figures underscore the urgency of implementing specific controls, responsible use policies, and continuous monitoring mechanisms for models, data, and automated decisions.

Digital supply chain security: outsourcing services and interconnecting with third parties has diluted the security perimeter. The same report states that more than a third of Spanish SMEs identify the supply chain as one of the main entry points for cyberattacks. Thus, it is essential to implement technological due diligence processes, periodic audits, specific contractual clauses, and continuous monitoring mechanisms that allow for the evaluation of suppliers' security posture over time, not just at the time of contracting.

Growing regulatory pressure: regulatory frameworks such as NIS2 and the Cyber Resilience Act raise technical requirements and transfer explicit responsibilities to management bodies, consolidating cybersecurity as a corporate governance issue. Not surprisingly, as the aforementioned report shows, 36% of Spanish SMEs rank regulatory changes among the top three business risks, making it necessary to integrate compliance, security, and continuity into a comprehensive risk management strategy.