Watchdog warns of unacceptable cybersecurity in Generalitat entities

The report reveals that ten consortia and foundations fall below 50% maturity in cybersecurity, with governance described as "practically non-existent".

Generic image of cybersecurity with digital circuits and a Mediterranean city in the background.
IA

Generic image of cybersecurity with digital circuits and a Mediterranean city in the background.

The Court of Auditors has concluded that cybersecurity governance in 16 consortia and foundations of the Generalitat Valenciana is "unacceptable," with ten entities scoring below 50% maturity.

The Court of Auditors has warned about the deficient cybersecurity governance within the instrumental public sector of the Generalitat Valenciana. An analysis of 16 consortia and foundations, including hospitals, research centers, and the Palau de les Arts Foundation, indicates that no entity achieves an adequate level of maturity. Ten of them fall below a 50% score, reflecting a "very deficient" situation and, in some cases, "practically non-existent" governance.
The audit, which assesses security policies, risk management, and regulatory compliance, deems the overall cybersecurity situation "unacceptable" and points to a "neglect of responsibilities" by governing bodies. The Court of Auditors emphasizes that cybersecurity is a strategic management element, particularly for entities handling sensitive information and relying on digital systems.
The report details that six entities fall between 50% and 80% maturity, still considered "deficient," while the remaining ten are below 50%. Among the analyzed entities are the General University Hospital Consortium of Valencia, Fisabio, the Museums Consortium of the Valencian Community, and the ValER Foundation.
One of the most negative aspects is cyber-resilience, with fifteen entities scoring below 50%. This indicates a "lack of provisions and plans" to effectively address serious security incidents. The two hospital consortia, those in Valencia and Castellón, present an "especially grave" situation due to the critical nature of the healthcare services they provide.
Furthermore, "significant deficiencies" are detected in regulatory compliance, with a widespread "non-compliance with legislation regarding information security and data protection." Only two entities exceed 80% in this area, falling far short of meeting the National Security Scheme (ENS) requirements.
The implementation of Decree 49/2025 on the Information Security Policy is also lacking. As of the end of 2025, only the ValER Foundation had formally adhered to it. Entities under the Health (39.8%), Education (17.2%), and Environment (7.5%) departments show particularly low average scores.
In light of this scenario, the Court of Auditors recommends "active leadership" in security, the adoption of policies aligned with the ENS, the formalization of responsible parties, and investment in human and material resources, recognizing that "cybersecurity is not cheap."