Who Will Govern Cybersecurity in Spain by 2035? Results From a Delphi Study

Abstract

This study explores the future of cybersecurity governance in Spain by 2035, focusing on the roles of public and private actors. Using a two-round Delphi method, we collected insights from experts to evaluate the probability, desirability, and impact of 20 projections for Spain's cybersecurity landscape. The findings suggest a consolidation of multi-stakeholder forms of governance, with public agencies like INCIBE and CCN guiding policy and oversight while private entities deliver essential services. Experts foresee continued collaboration between national and EU institutions, with the EU playing a key role in regulatory coordination. Three governance scenarios emerged: public-centric cybersecurity governance, state-driven cybersecurity assurance, and private monopolistic provision. These scenarios underscore a complex multistakeholder model shaped by collaboration and tension between public and private actors, particularly in light of fragmented ownership over cyberspace resources. This study highlights the need for adaptable governance frameworks that balance regulatory oversight with private sector efficiency, providing insights for stakeholders as they prepare for evolving cyber threats