Article 264 Spanish Criminal Code: Computer Damage and Sabotage (2026)
Last updated:
listIn this article
lightbulbKey Takeaways
- check_circleDeleting or altering another's data: 6 months to 3 years
- check_circleDouble test: serious conduct and serious result
- check_circleArt. 264 bis: system sabotage, up to 8 years
- check_circleRansomware: computer damage plus extortion (art. 243 CP)
Quick answer
Article 264 of the Spanish Criminal Code punishes computer damage: seriously deleting, damaging, deteriorating, altering, suppressing or rendering inaccessible another person's computer data, programs or electronic documents without authorisation, with 6 months to 3 years in prison. Article 264.2 raises the penalty to 2 to 5 years plus a fine of one to ten times the loss in cases such as criminal organisations, especially serious damage or attacks on essential services and critical infrastructure. Article 264 bis punishes seriously hindering or interrupting another's computer system with up to 8 years, and 264 ter covers tools designed for these attacks. In a ransomware attack, demanding payment adds the offence of extortion under article 243 CP.
Need help with your case? Talk to a criminal defense lawyer at Alonso Sala.
Article 264 of the Spanish Criminal Code punishes computer damage: deleting, damaging, deteriorating, altering, suppressing or rendering inaccessible another person's computer data, programs or electronic documents, without authorisation and in a serious manner. Together with articles 264 bis, 264 ter and 264 quater, it forms the Spanish framework against computer sabotage: attacks on the operation of systems, the tools used to carry them out and the criminal liability of companies. As criminal defence lawyers specialised in cybercrime, we explain what each provision actually punishes, the penalties involved and where the defence arguments lie.
What Article 264 Says: the Basic Offence
Article 264.1 CP imposes 6 months to 3 years in prison on anyone who, by any means, without authorisation and in a serious manner, deletes, damages, deteriorates, alters, suppresses or renders inaccessible another person's computer data, computer programs or electronic documents, where the result produced is serious.
Three elements of the offence stand out:
- Subject matter: data, programs and electronic documents belonging to another. What the law protects is the integrity of information; physically destroying someone else's computer or server is prosecuted as ordinary criminal damage under article 263 CP.
- Lack of authorisation: anyone acting with the system owner's permission — for instance in a contracted security audit — falls outside the offence.
- A double seriousness test: both the conduct and the result must be serious. Unlike ordinary criminal damage, there is no 400-euro threshold separating a minor offence: incidents that fail this double test are simply not criminal under article 264.
Paragraph 3 adds a cross-cutting aggravation: the penalties are imposed in their upper half where the offender unlawfully used another person's personal data to gain access to the system or to win a third party's trust.
The Aggravated Forms of Article 264.2
The penalty rises to 2 to 5 years in prison plus a fine of one to ten times the loss caused where any of these five circumstances applies:
- The offence was committed within a criminal organisation.
- It caused especially serious damage or affected a high number of computer systems — the typical aggravation in large-scale malware campaigns.
- It seriously disrupted essential public services or the supply of staple goods.
- It affected the computer system of critical infrastructure or created a serious danger for the security of Spain, the European Union or a Member State.
- It was committed using the tools described in article 264 ter: attack software, or another person's passwords or access codes.
In cases of extreme seriousness, the court may additionally impose the penalty one degree higher.
Article 264 bis: Hindering or Interrupting a System
Article 264 bis CP protects not the data itself but the operation of the system. It punishes with 6 months to 3 years in prison anyone who, without authorisation and in a serious manner, hinders or interrupts the operation of another's computer system in one of three ways: by carrying out the conduct of article 264, by introducing or transmitting data — the natural fit for denial-of-service attacks — or by destroying, damaging, disabling, removing or replacing the computer, telematic or electronic storage system itself.
The provision contains two aggravated tiers:
- If the attack significantly disrupts the normal activity of a company, business or public administration, the penalty is imposed in its upper half and may be raised to the next degree.
- If any of the circumstances of article 264.2 applies, the penalty is 3 to 8 years in prison plus a fine of three to ten times the loss.
Here too, the upper half applies where another person's personal data was unlawfully used to access the system or to win a third party's trust.
Has a cyberattack paralysed your business in Spain?
The first hours are decisive: preserving the affected systems and documenting the loss will shape both the criminal investigation and any future claim. Secure the digital evidence before restoring backups.
Article 264 ter: Attack Software, Passwords and Access Codes
Article 264 ter CP moves criminal liability forward to preparatory acts. It punishes with 6 months to 2 years in prison or a fine of 3 to 18 months anyone who, without due authorisation, produces, acquires for use, imports or supplies to third parties, with the intention of facilitating the offences of articles 264 and 264 bis:
- A computer program designed or adapted mainly to commit those offences.
- A computer password, access code or similar data allowing access to all or part of an information system.
The decisive element for the defence is intent: the offence requires the specific purpose of facilitating computer damage or sabotage. Dual-use tools — vulnerability scanners, penetration-testing suites — handled in authorised professional cybersecurity work fall outside the provision. The boundary with unlawful access to systems under article 197 bis CP also matters: accessing without damaging is a different offence with a different penalty.
Article 264 quater: Corporate Criminal Liability
Computer damage and sabotage trigger corporate criminal liability under article 31 bis CP. Article 264 quater sets the penalties for legal entities:
- A fine of 2 to 5 years, or five to twelve times the value of the loss caused if that amount is higher, where the offence committed carries more than 3 years' imprisonment.
- A fine of 1 to 3 years, or three to eight times the loss if higher, in all other cases.
Courts may also impose, under article 66 bis, the penalties of letters b) to g) of article 33.7 CP: suspension of activities, closure of premises or disqualification from public subsidies, among others. An effective criminal compliance programme, implemented before the offence, can exempt the company from liability or mitigate it.
Ransomware: Computer Damage plus Extortion
Ransomware is the textbook example of overlapping offences. By encrypting the victim's files, the attacker renders them inaccessible — the conduct of article 264 — and usually hinders or paralyses the entire system (article 264 bis). Demanding a ransom to restore them adds extortion under article 243 CP: forcing another person, through intimidation and with intent to profit, to perform an act to the detriment of their assets, punished with 1 to 5 years in prison.
The list can grow: prior unlawful access to the system (article 197 bis CP), the aggravation for unlawful use of another person's personal data (articles 264.3 and 264 bis.3) and, where information is exfiltrated under threat of publication, the offences of discovery and disclosure of secrets under article 197 CP. We act both for companies and individuals targeted by these attacks and for people under investigation for them: full details on our ransomware criminal defence page.
If you have been attacked, proceed methodically: do not pay without legal advice, preserve the affected systems and the evidence, and report the incident. Our legal guide on what to do if you have been hacked walks you through the steps under Spanish law.
Defence Strategies
- Lack of seriousness: the double test of article 264.1 — serious conduct and a serious result — keeps minor incidents outside the offence; challenging the real scale of the damage is the first line of defence.
- Existing authorisation: system administrators, employees with credentials and IT contractors often operate in grey areas of permission; where authorisation existed, there is no article 264 offence.
- Attribution and technical evidence: an IP address alone does not identify a person. The defence must scrutinise the forensic expert report, the chain of custody of the logs and how the digital evidence was obtained.
- Absence of intent: article 264 has no negligent form; an accidental deletion or a careless maintenance failure is not computer damage.
- Quantifying the loss: the amount drives the proportional fine and the aggravated forms; a counter-expert report can substantially reduce the penalty.
- Repairing the harm: compensating the victim or helping restore the systems triggers the mitigating factor of article 21.5 CP and strengthens the position in any plea negotiation.
Under investigation for computer damage, or hit by an attack?
Technical evidence decides these cases. Let us review yours with forensic IT expertise before you give a statement or file a complaint.
📞 Call us: +34 91 078 65 74
⚖️ Need a criminal defence lawyer?
A firm dedicated exclusively to criminal law. Defence of suspects and private prosecution for victims of computer crime.
Frequently asked questions
What does article 264 of the Spanish Criminal Code punish?expand_more
It punishes anyone who, by any means, without authorisation and in a serious manner, deletes, damages, deteriorates, alters, suppresses or renders inaccessible another person's computer data, computer programs or electronic documents, where the result is serious. The penalty for the basic offence is 6 months to 3 years in prison.
What penalties does computer damage carry in Spain?expand_more
The basic offence of article 264.1 CP carries 6 months to 3 years in prison. Under article 264.2 (criminal organisation, especially serious damage or a high number of affected systems, essential public services, critical infrastructure, or use of the tools described in article 264 ter), the penalty is 2 to 5 years plus a fine of one to ten times the loss caused. Aggravated system sabotage under article 264 bis.2 reaches 8 years.
Is a DDoS attack a crime in Spain?expand_more
Yes. Article 264 bis CP punishes with 6 months to 3 years in prison anyone who, without authorisation and in a serious manner, hinders or interrupts the operation of another's computer system, including by introducing or transmitting data. If the attack significantly disrupts the normal activity of a business or a public administration, the penalty is imposed in its upper half and may be raised to the next degree.
Is it illegal to possess hacking tools in Spain?expand_more
Article 264 ter CP punishes producing, acquiring for use, importing or supplying to third parties programs mainly designed or adapted to commit computer damage or sabotage, as well as passwords or access codes, but only where the person acts without due authorisation and with the intention of facilitating those offences. Dual-use tools handled in authorised professional cybersecurity work fall outside the offence.
Can a company be held criminally liable for these offences?expand_more
Yes. Article 264 quater CP provides corporate fines of 2 to 5 years (or five to twelve times the loss caused, if higher) where the offence carries more than 3 years' imprisonment, and 1 to 3 years (or three to eight times the loss) in other cases, plus the penalties of article 33.7 CP. An effective criminal compliance programme may exempt the company from liability.
What offences does a ransomware attack involve in Spain?expand_more
Encrypting the victim's files and rendering them inaccessible falls under the computer damage of article 264 and the system sabotage of article 264 bis; demanding a ransom adds extortion under article 243 CP, punished with 1 to 5 years in prison. Unlawful access under article 197 bis and, where data is exfiltrated, the discovery and disclosure of secrets under article 197 CP may also apply.
gavelDo you need criminal defense in this area?
We are criminal defense lawyers specializing in cybercrime and technological criminal law. We act urgently to protect your rights.