Computer Sabotage in Public Administrations and Emergency Contracts under the LCSP

Cyberattacks against Spanish public bodies have intensified in recent years, jeopardizing the continuity of essential services and exposing critical vulnerabilities in the State’s digital infrastructure. From denial-of-service attacks to sophisticated ransomware programs, massive hacks and actions by organized hackers that encrypt entire databases, Public Administrations face a permanent threat that requires agile and effective legal responses.

When computer sabotage, a hack, or a hacking attack paralyzes critical systems—such as municipal tax management, the census, local health services, or electronic administrative processing—especially in city councils and local entities, public officials must act immediately. In this context, the emergency contract regulated in Article 120 of Law 9/2017, of November 8, on Public Sector Contracts (LCSP) emerges as a fundamental legal tool that allows for contracting without following ordinary bidding procedures.

At IN DIEM Abogados, we regularly advise city councils and Public Administrations on the legal management of cybersecurity incidents, hacks, and computer attacks, analyzing when a cyberattack can legally justify an emergency contract, what requirements must be met, what risks its improper use entails, and how to correctly document the file to pass subsequent auditing.

What is considered computer sabotage in the Public Administration?

The computer sabotage constitutes a specific form of cyberattack aimed at deliberately damaging, altering, or disabling computer systems. Unlike other digital threats, sabotage seeks to cause direct harm to the operability of systems, causing service interruptions, data destruction, or blocking access to critical resources.

In administrative practice, these scenarios usually materialize through hacks executed by individual hackers or organized groups, who exploit technical vulnerabilities to gain illicit access to public systems. Although terms like hack or hacking are used in common language, from a legal point of view, only those attacks that cause serious and deliberate damage to systems can be classified as computer sabotage.

Legally, the Spanish Penal Code criminalizes these acts in Articles 264 and following, punishing anyone who “by any means, without authorization and in a serious manner, deletes, damages, deteriorates, alters, suppresses, or makes inaccessible data, computer programs, or electronic documents belonging to others”. When these attacks affect critical infrastructures or essential services of Public Administrations, the penalties are considerably increased.

It is important to distinguish between concepts that, although related, are not identical.

A cyberattack is any malicious action against computer systems (phishing, malware, unauthorized intrusions).
Computer sabotage implies a specific intent to cause serious harm and destabilize operations.
On the other hand, a security incident may include technical failures, human errors, or lower-impact attacks that do not necessarily constitute sabotage.

Not every cyberattack is sabotage.

The National Institute of Cybersecurity (INCIBE) and the National Cryptologic Center – Government CERT (CCN-CERT) are the official bodies that coordinate the response to these incidents in the Spanish public sector, providing alerts, forensic analysis, and action protocols for critical threats.

Most frequent types of computer sabotage, hacks, and hacking attacks

Ransomware: Encryption of critical data with a demand for a financial ransom for its recovery.
Denial-of-service (DDoS) attacks: Server saturation that prevents access to electronic headquarters and public services.
Database destruction: Deletion or corruption of administrative information and essential records.
Manipulation of sensitive data: Alteration of tax, health, or administrative information with a direct impact on citizens.
Unauthorized access to internal systems: Intrusions into public networks for the theft of confidential information or operational sabotage.
Blocking of critical digital infrastructures: Paralysis of key systems such as tax management, justice, healthcare, or municipal census.

Impact of computer sabotage on public services

The consequences of computer sabotage in a Public Administration go far beyond the technical sphere. The interruption of systems can prevent the provision of essential services to citizens, affecting fundamental rights and generating serious social and economic harm.

An attack that blocks a hospital’s systems compromises the safety of patients. Sabotage in a tax administration can paralyze collection and file management. The failure of judicial platforms delays proceedings and violates the right to effective judicial protection.

The risks to personal data are equally critical. Administrations safeguard sensitive information of millions of citizens—health data, tax information, criminal records, data on minors—whose exposure or destruction constitutes a violation of the General Data Protection Regulation and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights. The Spanish Data Protection Agency can impose million-euro fines for non-compliance resulting from inadequate management of security breaches.

Given this scenario, the Administration has the obligation to act quickly to restore services, which justifies the use of exceptional procurement mechanisms when legal requirements are met.

And it is important to understand that, from an administrative perspective, the officials of the affected body assume direct responsibility for the crisis management. Inaction or an inadequate response can generate financial liability toward injured third parties and, in serious cases, personal liability for public managers.

In the local sphere, city councils are especially vulnerable to this type of hacking, as they manage multiple essential services with limited technical resources. The paralysis of municipal electronic headquarters, administrative registries, or economic management systems can directly affect thousands of citizens, reinforcing the need for a correctly articulated immediate legal and technical response.

The emergency contract in the Public Sector Contracts Law

The Article 120 of the LCSP regulates the emergency contract as an exceptional procedure that allows for contracting without following ordinary procedures when it is necessary to act immediately in the face of catastrophic events, situations of grave danger, or needs that do not allow for delay.

This type of contract allows for the direct awarding of works, services, or supplies without prior bidding, without publicity, and without the usual deadlines. Its purpose is to guarantee an immediate response when the urgency is incompatible with ordinary procurement procedures.

However, its use is subject to very clear limits. The emergency contract can only cover what is strictly necessary to address the critical situation and for the essential duration. Furthermore, even if there is no prior bidding, the expenditure is subject to subsequent auditing by the control bodies.

When can a cyberattack justify an emergency contract?

Nevertheless, this extraordinary power is subject to strict limits. Emergency procurement can only be used for what is strictly necessary during the essential time to resolve the urgent situation. The LCSP establishes that these contracts cannot exceed four months, although they may be extended for another four in duly justified exceptional cases. Additionally, the price must be reasonable and in line with the market, avoiding the unjustified enrichment of the contractor due to the situation of necessity.

Transparency and accountability are safeguarded by the obligation to immediately communicate the processing of the file to the competent fiscal control body, which will subsequently audit the fulfillment of legal requirements and the adequacy of the expenditure. This subsequent auditing constitutes an essential control over the use of exceptional mechanisms that involve a temporary breach of the ordinary principles of competition and publicity.

Can a cyberattack justify an emergency contract?

A computer sabotage can legally justify an emergency contract provided that three essential requirements are met simultaneously.

Firstly, there must be an objective emergency situation, characterized by its severity, unpredictability, and capacity to paralyze essential public services.
Secondly, it must be proven that it is impossible to use an ordinary procedure or even an urgent one without aggravating the damage or unacceptably delaying the recovery of the service. Not all security incidents allow for emergency procedures; only those that require immediate action.
Finally, there must be a direct relationship between the attack suffered and the services contracted. The services must be aimed at containing the incident, recovering systems, forensic analysis, or restoring operability, not at structural improvements that can be put out to tender later.

The Administration must exhaustively document these circumstances, as the burden of proof lies with the contracting body.

Fundamental difference between urgency and emergency

It is essential to distinguish between urgency and emergency. Urgency, regulated in Article 119 of the LCSP, allows for the acceleration of deadlines but maintains the basic guarantees of the procurement procedure. Emergency, on the other hand, enables the bypassing of those procedures in exceptional situations. A security incident that requires rapid action but can be managed through an ordinary urgent procedure does not justify resorting to an emergency contract.

Legal risks of improper use of the emergency contract

The incorrect use of the emergency procedure entails serious legal consequences for both the Administration and the officials who make the decision. Fiscal control bodies, especially the Court of Auditors and regional and local audit departments, examine these files with particular rigor precisely because of their exceptional nature.

Declaration of nullity of the contract

If the subsequent audit determines that the legal requirements to use the emergency procedure were not met, the contract may be declared null and void for violating mandatory rules.

Although this nullity does not prevent the contractor from receiving the amount corresponding to the services already executed—to avoid unjust enrichment—it does cause significant administrative, legal, and reputational problems for the Administration.

Responsibility of the contracting body

Public officials who irregularly process an emergency contract may incur accounting liability when their actions cause financial harm to the public treasury.

The Court of Auditors may demand the reimbursement of the amounts improperly paid, along with the corresponding interest.

In cases of gross negligence or bad faith, criminal liabilities may even arise, such as crimes of embezzlement or malfeasance.

Disqualifications and professional consequences

Irregular procurement can lead to disqualifications from holding public office, as well as disciplinary sanctions for the officials involved. These consequences directly affect the professional careers of public managers.

Obligation to indemnify injured third parties

If it is proven that the improper use of the emergency procedure unjustifiably prevented competition, the Administration may be forced to indemnify third parties who were harmed.

Challenges by excluded companies

Companies that did not participate in the emergency contract cannot challenge it if the emergency was correctly justified.

However, they can do so when they manage to demonstrate that a real emergency situation did not exist, opening the door to appeals and claims with significant legal consequences.

The importance of correctly documenting every step of the file is crucial. The file must contain a detailed technical report on the incident and its severity, a legal opinion on the appropriateness of the emergency procedure, proof of the impossibility of using other channels, justification for the choice of contractor, and complete documentation of all actions taken. This documentation not only fulfills formal requirements but also constitutes essential evidence in the event of a subsequent audit.

Opportunities for technology companies and public sector providers

Emergency contracts resulting from cyberattacks represent a significant opportunity for companies specialized in cybersecurity, system recovery, and digital forensic analysis. However, these opportunities are only sustainable if one acts with rigor, transparency, and market-adjusted prices.

In critical situations, Administrations usually turn to providers with proven experience and immediate response capacity. Therefore, prior preparation, certifications, and knowledge of the legal framework of public procurement are decisive.

Most demanded services in cyberattack emergencies

Digital forensic analysis to determine the origin, scope, and authorship of the attack
Immediate recovery of compromised systems through backup restoration or infrastructure reconstruction
Urgent implementation of security patches and critical updates
Temporary reinforcement of infrastructure through cloud services or backup servers
Intensive monitoring of systems during the critical period
Specialized technical advice for decision-making during crisis management

For provider companies, it is essential to understand that the absence of bidding does not imply an absence of controls. Although the emergency procedure bypasses publicity and competition, the contractor must scrupulously fulfill all contractual obligations, exhaustively document their actions, and adjust their fees to market criteria. Abusive prices or deficient services can lead to financial claims and future disqualifications from contracting with the public sector.

Importance of specialized legal advice

Prior legal advice constitutes a strategic investment for both companies and Administrations. Technology providers must have specialized advice in public procurement to properly structure their offers, know their rights and obligations, and correctly manage contractual documentation. This advice also allows for the identification of legitimate opportunities for collaboration with the public sector beyond emergencies, through framework agreements, dynamic acquisition systems, or ordinary procedures that guarantee a stable and predictable contractual relationship.

How Can IN DIEM Help You?

IN DIEM Abogados provides specialized legal advice to city councils and public sector entities in the management of cybersecurity incidents, hacks, and computer sabotage, accompanying contracting bodies from the initial phase of the crisis to the correct processing and defense of the emergency procurement file.

The technical and legal complexity of emergency contracts due to cyberattacks requires highly specialized advice that integrates deep knowledge of public procurement, digital law, and cybersecurity. Firms with experience in this field can provide value to both contracting Administrations and provider companies.

Legal services for Public Administrations

For Public Administrations, preventive legal advice is fundamental for designing action protocols for critical incidents that allow for an agile response without incurring irregularities. This includes the preparation of contingency plans that identify in advance which services would be critical in the event of a cyberattack, which providers could act quickly, and what documentation must be prepared to justify the emergency.

During crisis management, legal support allows for the correct processing of the emergency file, ensuring that all legal requirements are met, that the supporting documentation is solid and complete, and that the decisions made are defensible before control bodies. This assistance includes drafting legal reports, reviewing technical proposals, negotiating contractual conditions, and supervising the fulfillment of formal obligations.

Legal services for provider companies

The subsequent review of the file constitutes another high-value service. An independent legal analysis before the official audit allows for the identification of documentary weaknesses, the correction of formal deficiencies, and the preparation of defensive arguments against possible objections. This preventive review significantly reduces the risks of subsequent questioning and facilitates passing fiscal controls.

For technology and consulting companies, specialized advice allows for an understanding of the specific demands of the public sector, adapting their business models to the particularities of administrative contracting and properly managing contractual relationships with public bodies. This includes designing commercial strategies compatible with procurement regulations, preparing solid technical-legal offers, and managing contractual incidents.

The experience accumulated in real cases allows these firms to offer a practical approach based on precedents, resolutions from advisory bodies, and consolidated administrative doctrine. This applied knowledge is especially valuable in a field where case studies are decisive and where small nuances in documentation or procedure can make the difference between an impeccable file and a questionable one.

Infografía Sabotaje Informático

1¿Qué es el sabotaje informático?

Acción deliberada para dañar o inutilizar sistemas informáticos

Paralización de servicios públicos esenciales

Destrucción o cifrado de datos (ransomware)

Tipificado en el Código Penal (arts. 264 y ss.)

2¿Qué es el contrato de emergencia?

Procedimiento excepcional regulado en el art. 120 LCSP

Permite contratar sin licitación previa

Solo ante acontecimientos catastróficos o grave peligro

Duración máxima: 4 meses (prorrogable a 8)

3Requisitos para justificar la emergencia

Situación extraordinaria e imprevisible

Necesidad de actuación inmediata

Relación directa con la crisis

⚠️ Urgencia ≠ Emergencia

La urgencia acelera plazos. La emergencia permite prescindir de licitación. No confundirlas evita riesgos legales.

🛡️Riesgos del uso indebido

• Nulidad del contrato si no concurren los requisitos
• Responsabilidad contable del órgano de contratación
• Fiscalización posterior obligatoria por el Tribunal de Cuentas
• Inhabilitaciones y sanciones por uso irregular

4Servicios contratables en emergencia

Análisis forense digital del ciberataque

Recuperación inmediata de sistemas críticos

Implementación urgente de parches de seguridad

Infraestructura temporal de respaldo (cloud)

Monitorización intensiva durante la crisis

Contact us. Contact us for specialized advice.

If a Public Administration, especially a city council, faces a cyberattack, hack, or serious computer security incident, or needs specialized legal advice on public procurement, emergency contracts, and digital law, having expert legal support is decisive for acting with speed, legal certainty, and full coverage before control bodies.

At IN DIEM Abogados, we advise local entities and public bodies on the legal management of technological crises, the correct processing of emergency contracts in accordance with the LCSP, and the prevention of administrative, accounting, or criminal liabilities.
Contact our firm to analyze your specific situation and receive advice tailored to the needs and particularities of your Administration.

We are here to help you.

Frequently Asked Questions (FAQs)

¿Qué diferencia hay entre un ciberataque y un sabotaje informático?

Un ciberataque es cualquier acción maliciosa dirigida contra sistemas informáticos, incluyendo phishing, malware o intrusiones no autorizadas. El sabotaje informático es un tipo específico de ciberataque con intencionalidad de causar daño grave, destruir datos o paralizar operaciones de manera deliberada. El sabotaje implica mayor gravedad y consecuencias más severas.

¿Cualquier incidente de seguridad justifica un contrato de emergencia?

No. Solo los incidentes que cumplan simultáneamente tres requisitos: situación extraordinaria e imprevisible, necesidad de actuación inmediata sin posibilidad de esperar procedimientos ordinarios, y relación directa entre la emergencia y los servicios a contratar. Un simple fallo técnico o un incidente menor no justifican este procedimiento excepcional.

¿Cuánto tiempo puede durar un contrato de emergencia por ciberataque?

La LCSP establece una duración máxima de cuatro meses, prorrogable excepcionalmente por otros cuatro meses adicionales si persiste la situación de emergencia. El contrato debe limitarse al tiempo estrictamente necesario para superar la crisis y restablecer los servicios afectados.

¿Puede una Administración contratar a cualquier empresa en emergencia?

Formalmente sí, puede adjudicar directamente sin licitación. Sin embargo, debe elegir empresas con capacidad técnica acreditada, experiencia demostrable y precios razonables de mercado. La elección debe ser justificada y documentada, ya que será objeto de fiscalización posterior por los órganos de control.

¿Qué organismos fiscalizan los contratos de emergencia?

El Tribunal de Cuentas a nivel estatal, los órganos de control externo autonómicos, las intervenciones generales correspondientes y, en algunos casos, el Tribunal Administrativo Central de Recursos Contractuales. Todos estos órganos pueden revisar la legalidad y adecuación del procedimiento de emergencia utilizado.

¿Puede declararse nulo un contrato de emergencia ya ejecutado?

Sí. Si la fiscalización posterior determina que no concurrían los requisitos legales, el contrato puede declararse nulo de pleno derecho. Aunque el contratista cobrará por las prestaciones ejecutadas para evitar enriquecimiento injusto, la Administración y sus responsables pueden incurrir en responsabilidades contables y administrativas.

¿Qué responsabilidades asume el órgano de contratación?

Puede incurrir en responsabilidad contable si el uso indebido del procedimiento causó perjuicio económico, responsabilidad disciplinaria por incumplimiento de normas administrativas, e incluso responsabilidad penal en casos de negligencia grave o prevaricación. La documentación exhaustiva resulta crucial para evitar estos riesgos.

¿Las empresas IT necesitan certificaciones especiales para estos contratos?

Aunque no existe obligación legal específica en emergencias, contar con certificaciones reconocidas (ISO 27001, Esquema Nacional de Seguridad, certificaciones CCN-CERT) aumenta significativamente la confianza de las Administraciones y facilita la justificación de la elección del contratista ante órganos de control.

¿Se puede contratar mejoras de ciberseguridad preventivas en emergencia?

No. El contrato de emergencia solo cubre actuaciones directamente necesarias para superar la crisis inmediata. Las mejoras estructurales, actualizaciones preventivas o inversiones en ciberseguridad a largo plazo deben contratarse posteriormente mediante procedimientos ordinarios de licitación.

¿Cómo deben documentar las empresas sus actuaciones en emergencia?

Deben llevar registro detallado de todas las actuaciones realizadas, horas empleadas, recursos utilizados, resultados obtenidos y comunicaciones con la Administración. Esta documentación será esencial tanto para justificar la facturación como para defender la adecuación del contrato en caso de fiscalización.

¿Qué hacer si mi Administración sufre un ciberataque grave?

Activar inmediatamente el protocolo de seguridad, notificar a INCIBE y CCN-CERT, documentar el alcance del incidente, evaluar si concurren requisitos para emergencia, contactar con asesoramiento jurídico especializado, y preparar toda la documentación justificativa antes de tramitar cualquier contratación.

¿Las empresas pueden ofrecer servicios sin esperar la contratación formal?

En situaciones de extrema urgencia, pueden iniciarse actuaciones imprescindibles con el compromiso de formalización posterior inmediata. Sin embargo, esto entraña riesgos contractuales significativos. Lo recomendable es formalizar rápidamente aunque sea mediante documento básico que recoja el objeto, precio estimado y compromiso de ambas partes.

Cryptoveritas 360: Our Technology Partner

Crypto Financial Technological Intelligence. Cryptoveritas 360.

Publications on Crypto on Our Blog

Expert Cryptocurrency Lawyers: Málaga, Seville, Madrid, Las Palmas de Gran Canaria, Almería, Huelva, Marbella, Estepona,…

At IN DIEM Abogados and Cryptoveritas 360 we provide our services at all our offices and locations in Spain, offering direct and personalized coverage in Madrid, Seville, Málaga, Marbella, Las Palmas de Gran Canaria, as well as continuous service through our digital channels for clients throughout the country.

Our multidisciplinary team also advises international companies—including Europe, Latin America and Asia—that wish to establish or expand in Spain under the MiCA regulatory framework, whether through obtaining the CASP license from the CNMV or the incorporation of companies and compliance structures adapted to the European market.

Thanks to a hybrid working methodology (in-person and online), we guarantee the same level of quality, confidentiality and efficiency for both local and foreign clients, supporting each project from initial planning to effective regulatory authorization.

We are at your disposal for anything you need. You can reach us via IN DIEM Lawyers Phone (+34) 916 353 892. For urgent cases, you can contact us on IN DIEM 24-Hour Emergency Lawyers Phone: (+34) 610 667 452.

Did you know that IN DIEM Abogados offers an online service and an urgent service?

We offer our clients the option of being assisted via video call or videoconference, as well as by telephone, according to our clients’ preference, so that the assistance is as personal as possible, with absolute immediacy, without the need to travel. This service is complemented by communication via email, which facilitates the analysis and delivery of documentation.

Likewise, we offer urgent and 24-hour services for our companies, handling national and international contracting operations.

For more information on the Online Legal Advisory Service HERE, the 24-hour and Urgent Service, HERE, and some recognitions, we leave you this link.

24-hour Emergency Lawyer IN DIEM - Seville Malaga Huelva Madrid Las Palmas Dos Hermanas Mairena Coria de Rio — Online Legal Advice

Anything else about IN DIEM Lawyers? Here’s a short presentation video…

You will find us in Seville, Madrid, Las Palmas de Gran Canaria, Málaga, Huelva, Punta Umbría, Tomares, Coria del Río, Dos Hermanas, Mairena del Alcor, Estepona, Marbella, Mairena del Aljarafe… it will be a pleasure to serve you…!!

Article 120 LCSP, Blocking of critical digital infrastructures, city council, computer sabotage, contract auditing, Database destruction, Denial-of-service (DDoS) attacks, emergency contract, emergency procurement, LCSP, Manipulation of sensitive data, public procurement, Ransomware, Unauthorized access to internal systems

Sabotaje informático en las Administraciones Públicas y el contrato de emergencia en la LCSP