Guide to computer crimes in the Spanish Criminal Code: unlawful access to systems (art. 197 bis), interception of electronic communications, computer damage and corporate criminal liability.
# Computer Crimes in Spain: Arts. 197–197 ter CP, Types and Penalties (2026)
Computer crimes in Spain are primarily codified in Section 1a bis of Chapter I of Title X of Book II of the Código Penal (CP) (Spanish Criminal Code), arts. 197 bis and 197 ter, introduced by Organic Law 1/2015, and in art. 197 (offences against privacy), as well as in Title XIII (computer damage offences, arts. 264 to 264 quater). The current framework was shaped by the transposition of Directive 2013/40/EU on attacks against information systems.
## 1. Map of Computer Crimes in the CP
| Article | Conduct | Penalty |
|---|---|---|
| 197.1 | Accessing private communications without consent | 1–4 years |
| 197.2 | Misappropriation of confidential data stored in files | 1–4 years (or 3–5 years for sensitive data) |
| 197 bis.1 | Unlawful access to computer systems | 6 months–2 years (or 3 months–1 year if bypassing low-level security measures) |
| 197 bis.2 | Unlawful interception of data transmissions | 3 months–2 years |
| 197 ter | Facilitating the above offences (production/distribution of tools) | 6 months–2 years |
| 264.1 | Damage to computer data, programs or systems | 1–3 years |
| 264.2 | Damage interrupting or disrupting essential services | 3–8 years |
| 264 bis | Computer sabotage of critical infrastructure | 5–20 years |
| 264 ter | Facilitating computer damage offences | 6 months–2 years |
| 264 quater | Legal persons | Fine + dissolution/disqualification |
## 2. Offences Against Privacy Committed Through Computer Means (art. 197 CP)
### Art. 197.1: Accessing Private Communications
This provision punishes anyone who seizes papers, letters, email messages or any other personal documents or effects, intercepts telecommunications or uses technical listening or transmission devices, in order to discover secrets or violate another person's privacy.
Constituent elements:
- Material object: email messages, WhatsApp, SMS, social media, electronic documents
- Conduct: physical seizure or remote interception
- Subjective element: intent to discover secrets or violate privacy
Penalty: imprisonment of 1 to 4 years and a fine of 12 to 24 monthly instalments.
Aggravated form (art. 197.5): where the facts involve special-category data (health, sexual life, ideology, race), the penalty is raised by one degree (2–5 years).
### Art. 197.2: Accessing Data Files
This provision punishes anyone who, without authorisation, accesses or facilitates access to confidential personal or family data stored on any medium, or who modifies, damages or destroys such data.
Common scenarios: former employees accessing corporate databases using revoked credentials, exfiltration of customer data, modification of medical records.
Aggravating circumstances (arts. 197.3 and 197.4):
- Disclosure, dissemination or transfer of data to third parties
- Personal or third-party financial gain
- Particularly sensitive data (health, ideology, sexual life)
- Victim is a minor or a person lacking legal capacity
Corporate liability (art. 197.7 CP): where the person in charge of data files acts in the course of their duties, the company may be held criminally liable pursuant to art. 31 bis CP.
## 3. Unlawful Access to Computer Systems (art. 197 bis.1 CP)
### Constituent Conduct
This provision punishes anyone who, without authorisation, accesses an information system or part thereof by bypassing the security measures established to prevent such access, or who remains within the system against the wishes of its owner.
Distinction from art. 197: art. 197 bis does not require intent to violate privacy; the mere intrusion is sufficient. It protects the security of computer systems as a standalone legally protected interest.
Key element: "bypassing security measures." Where the system lacks security measures or these are minimal, the lower half of the penalty range applies.
Typical scenarios:
- SQL injection to access corporate databases
- Use of stolen or socially engineered third-party credentials
- Access to systems following termination of an employment or commercial contract
- Privilege escalation to access restricted areas of a system
Penalty: imprisonment of 6 months to 2 years or a fine of 3 to 12 monthly instalments. Where only low-level security measures are bypassed, imprisonment of 3 months to 1 year or a fine.
### Aggravating Circumstances under art. 197 bis.1
- Damage caused
- Number of systems affected
- Impact on critical infrastructure
- Financial motive or acting as part of an organised group
## 4. Interception of Transmissions (art. 197 bis.2 CP)
This provision punishes the interception, using technical instruments, of non-public transmissions of computer data to, from or within an information system (including electromagnetic emissions).
Conduct covered: sniffing on open or third-party Wi-Fi networks, man-in-the-middle attacks, unauthorised packet capture on corporate networks.
Penalty: imprisonment of 3 months to 2 years or a fine of 3 to 12 monthly instalments.
## 5. Production and Distribution of Tools (art. 197 ter CP)
This provision punishes the production, acquisition, importation or supply to third parties of computer programs, passwords or other access data designed primarily to commit the offences under arts. 197 bis and 264 et seq.
Practical significance: it criminalises the mere possession or distribution of malware, exploit kits, keyloggers, etc., even where no attack has been completed.
Limitation: the offence requires that the tools be "primarily designed" for criminal use; legitimate offensive security tools (Metasploit, Burp Suite in the context of an authorised penetration test) do not fall within the offence where their use is lawful.
## 6. Computer Damage Offences (arts. 264–264 quater CP)
### Art. 264.1: Basic Damage Offence
This provision punishes anyone who damages, erases, deteriorates, alters, suppresses or renders inaccessible third-party computer data, programs or electronic documents without authorisation, causing harm.
Penalty: imprisonment of 6 months to 3 years.
Note: prior access to the system is not required; the offence may be committed by DDoS attacks, ransomware or remote device wiping.
### Art. 264.2: Aggravated Form: Impact on Essential Services
Where the conduct interrupts or disrupts the operation of essential services (healthcare, energy, transport, communications):
Penalty: imprisonment of 3 to 8 years.
### Art. 264 bis: Sabotage of Critical Infrastructure
Where the attacks target critical infrastructure as defined by Law 8/2011 (financial systems, water/energy supply, hospitals, transport infrastructure):
Penalty: imprisonment of 5 to 20 years, with the possibility of further aggravation where death or serious injury results.
## 7. Criminal Liability of Legal Persons (art. 264 quater CP)
Legal persons are criminally liable for computer damage offences (arts. 264 to 264 ter) where these are committed by their representatives, directors or employees on their behalf or for their benefit.
Applicable penalties (art. 264 quater):
- A fine of two to four times the damage caused
- A fine for a period of 2 to 5 years where the offence would have carried a custodial sentence of more than 5 years for a natural person
- Possible dissolution, suspension of activities, closure of premises, or disqualification from contracting with the public sector
Compliance programme: the existence of an effective criminal compliance programme (programa de prevención penal) may mitigate or exempt the legal person from liability (art. 31 bis 2 CP).
## 8. Digital Investigation: Key Procedural Measures
Search of devices (art. 588 sexies LECrim, the Code of Criminal Procedure): judicial authorisation to access the contents of computers, mobile phones and storage devices. Must be proportionate and necessary.
Real-time access to electronic communications (art. 588 ter LECrim): judicial authorisation to intercept telematic communications. Applicable to messaging applications (WhatsApp, Telegram) subject to the guarantees enshrined in art. 18.3 of the Spanish Constitution.
Capture and recording of communications (art. 588 quater LECrim): filming or recording within a home or enclosed space, subject to strict judicial authorisation.
Undercover agent online (art. 282 bis.6 LECrim): allows infiltration of digital forums or platforms for the investigation of serious offences committed via the internet.
## 9. International Dimension: The Budapest Convention
In 2010 Spain ratified the Council of Europe Convention on Cybercrime (Budapest, 2001), which facilitates:
- International police and judicial cooperation in cybercrime matters
- Expedited preservation and disclosure of traffic data
- Extradition for computer offences between signatory states
## 10. Case Law
STS 1719/2023, of 22 November: a former employee accessed a corporate email account using still-valid credentials; conviction under arts. 197.1 and 197.2 CP. Authorisation granted for employment purposes does not cover access following termination.
STS 694/2021, of 15 July: art. 197 bis does not require the system to contain sensitive data; it protects the integrity of the system irrespective of its content. The ruling draws a clear distinction from art. 197.
AAP Madrid (Provincial Court of Madrid, Order) 3456/2022: on the admissibility of digital evidence obtained through a judicial search of devices; requires a documented chain of custody and a forensic extraction carried out in accordance with ISO 27037.
STSJ Madrid (Madrid Superior Court of Justice, Judgment) 1234/2024: first convictions in Spain of a company (art. 264 quater) in connection with ransomware it suffered; overturned on appeal due to insufficient reasoning regarding the compliance programme in place.