Cybersecurity

In 2025, the 2023–2025 Information Security Strategic Plan was closed, having achieved all its objectives, and the Cosmos Plan was launched, aimed at transforming the Group’s technological ecosystem. 

During 2025, and within the framework of the Information Security Master Plan, initiatives were implemented to strengthen critical capabilities in digital identity, secure software development, data loss prevention, cybersecurity oversight of suppliers, promotion of cybersecurity culture, automation of identification, detection and response processes with adaptive AI capabilities, and the development of resilience plans against disasters or disruptive cyberattacks. 

In 2025, we completed the 2023–2025 Information Security Strategic Plan (with over €90M invested in 2025, more than 30% above 2024) and launched the Cosmos Plan (2025–2030), aimed at transforming the Group’s technological ecosystem, including the information security domain. 

Cybersecurity, our priority

Our team is committed to cybersecurity, complying with both the legal and regulatory requirements in force, and with the NIST Cybersecurity Framework, the most advanced security framework.

  • 24/7 specialist team

  • International certifications such as official CERT

  • +€90 M invested in cybersecurity

  • 97 % professionals who took the security course

Reinforcing our commitment to cybersecurity with international best practices

In addition to security reviews, assessments of the lines of defence, inspections conducted by supervisory authorities, audits carried out by third parties, and the annual financial audit, which includes information-security-related aspects, we maintain internationally recognised certifications in this area. These include ISO 27001 (which certifies all the Group’s cybersecurity processes, including the CSIRT) and the National Security Scheme (Esquema Nacional de Seguridad, applied to the payment gateway provided to public authorities).

These certifications are subject to regulated review cycles. ISO 27001 entails a certification audit every three years, complemented by annual surveillance audits, whilst the National Security Scheme requires a certification audit every two years.

In addition, within this control and oversight framework, annual audits and self-assessments are conducted, including those related to SWIFT CSP (carried out by an accredited auditor), TARGET2 (self-assessments in Spain and France covering information security management), and IBERPAY (self-assessment of the SNCE Cybersecurity Control Framework, aimed at overseeing the cyber resilience of the infrastructures used to connect to the system).

In addition, we are part of the CSIRT (Computer Security Incident Response Team), as well as the FIRST (Forum of Incident Response and Security Teams) international forum. These distinctions support our operations and guarantee a safer, more resilient environment that is more closely aligned with the highest international standards.

As one of the leading banks in innovation and cybersecurity, in 2025 we will continue to participate in the following projects at the European level in the development of cybersecurity capabilities:


  • AI4CYBER: artificial intelligence app to improve anomaly detection and infrastructure protection.

  • ATLANTIS: improve the response to large-scale attacks or incidents and the coordination between critical infrastructure operators.

  • GREEN DATA AI: improve the efficiency of fraud detection systems with AI tools.

  • EMERALD: transform the concept of continuous assessment and certification of cloud-based services into a complete scheme for Certification as a Service (CaaS).

  • NG-SOC: generate tools and services that improve SOC (Security Operations Center) capabilities.

  • INTERSOC: generate tools and services that improve SOC (Security Operations Center) capabilities.

  • PIQASO: develop optimised, operational implementations of a set of post-quantum cryptographic algorithms and protocols, including key encapsulation, digital signatures and (authenticated) key exchange, among others.

  • PQNEXT: facilitate the transition to post-quantum cryptography (PQC) to ensure security against threats arising from quantum computing.

  • VIGILANCE: strengthen cybersecurity in European critical infrastructures through advanced monitoring, analysis, and response capabilities against emerging threats.

  • CYBERAID: increase the cyber resilience of critical infrastructures by developing an agentic AI-based infrastructure to coordinate cybersecurity tools.

Launch of iSign

To fortify operational security, we have introduced iSign, a digital signature solution integrated into the CaixaBankNow app that provides an additional layer of protection and ensures that only the account holder can authorise sensitive transactions. The transition from CaixaBank Sign to iSign represents a qualitative leap in customer experience, security, operational efficiency and technological modernisation.

iSign received an award from Global Finance (best Finance Innovations in Europe 2025 – Western Region).

Supporting our customers and employees with content on cybersecurity matters is key for us. Through the Security space, we offer tips on how to use our products and services securely and reliably.
