Alonso Sala
CRIMINAL LAWYERS
Legal Analysis

Hacking: The Offence of Illegal System Access (Art. 197 bis CP)

June 18, 2026

Key Takeaways

  • Accessing a system by breaching its security: 6 months-2 years
  • The offence is complete on access, even if nothing is taken
  • Lawful pentesting only with the holder's written authorisation
  • Damage/sabotage fall under art. 264; secrets under art. 197

Quick answer

Article 197 bis of the Spanish Criminal Code (CP) punishes anyone who, breaching security measures and without authorisation, accesses an information system or remains in it against the will of its rightful holder, with imprisonment of six months to two years; intercepting non-public data transmissions carries imprisonment of three months to two years or a fine. Article 197 ter punishes supplying programs or passwords for such access, and articles 264 to 264 ter punish computer damage and sabotage. It must not be confused with the disclosure of secrets (article 197) or with computer fraud (article 249).

The term hacking covers very different conduct, from technical curiosity to a targeted attack on a company. In criminal law, the core provision is article 197 bis of the Spanish Criminal Code (CP), which punishes illegal access to computer systems, complemented by the supply of tools (art. 197 ter) and by computer damage or sabotage (arts. 264 to 264 ter). As criminal lawyers specialising in computer offences, we explain which conduct is an offence, how it differs from neighbouring figures and how a defence is built.

What Art. 197 bis CP Punishes

The provision contains two forms. The first is illegal access: anyone who, breaching the security measures put in place to prevent it, and without being duly authorised, accesses, or facilitates another person's access to, all or part of an information system, or remains in it against the will of the person with the legitimate right to exclude them. The penalty is imprisonment of six months to two years.

The second form is the interception of communications: anyone who, by technical devices or instruments and without authorisation, intercepts non-public transmissions of computer data taking place from, to or within an information system, including its electromagnetic emissions. The penalty is imprisonment of three months to two years or a fine of three to twelve months. The protected legal interest is the security of information systems in its threefold dimension: confidentiality, integrity and availability.

The Elements of Illegal Access

For the access to be an offence, three requirements must concur, and they define the punishable conduct with precision:

  • Breach of security measures: the system had to be protected (passwords, authentication, encryption, firewalls) and the perpetrator gets around that barrier. Accessing an open, unprotected resource does not, on its own, satisfy this requirement.
  • Lack of authorisation: the access takes place without the consent of the person entitled to control the system. This is the heart of the offence and, at the same time, the main ground of defence.
  • Intent: the perpetrator knows and intends to access without being authorised. Negligent conduct is not punished.

The offence is committed upon effective access to, or remaining in, the system, regardless of whether any information is extracted or any harm is caused. That is why hacking can be an offence even if "nothing was taken".

Supplying Programs and Passwords (Art. 197 ter CP)

The Code extends protection to preparatory acts. Art. 197 ter CP punishes anyone who, without being duly authorised, produces, acquires for use, imports or supplies to third parties, with the intent to facilitate the commission of the offences under art. 197 or art. 197 bis: (a) a computer program designed or adapted principally to commit those offences; or (b) a password, access code or similar data allowing entry into the system. The penalty is imprisonment of six months to two years or a fine of three to eighteen months.

The key to the defence is purpose: many security tools (vulnerability scanners, auditing suites) have a perfectly legitimate dual use. The offence requires both that the program be designed principally to commit crime and that the intent to facilitate the offence be present.

Computer Damage and Sabotage (Arts. 264 to 264 ter CP)

Where the attack does not stop at entering but destroys, alters or paralyses, the computer-damage offences come into play:

  • Art. 264 CP — damage to data: deleting, damaging, deteriorating, altering, suppressing or rendering inaccessible another person's data, programs or electronic documents, without authorisation and in a serious manner, where the result produced is serious. Penalty of imprisonment of six months to three years; in the aggravated cases (criminal organisation, damage of special gravity, essential public services, critical infrastructure), imprisonment of two to five years and a fine.
  • Art. 264 bis CP — system sabotage: seriously obstructing or interrupting the functioning of another person's computer system. Penalty of imprisonment of six months to three years, in its upper half where the activity of a company or public administration is significantly impaired; aggravated up to imprisonment of three to eight years and a fine.
  • Art. 264 ter CP — sabotage tools: producing or supplying programs or passwords designed to commit the above damage. Penalty of imprisonment of six months to two years or a fine of three to eighteen months.

⚠️ Critical infrastructure increases the penalty

Where the attack affects a critical infrastructure system (energy, transport, banking, healthcare, water, communications) or creates a serious risk to State security, the penalties for the damage offences rise very significantly. Whether the facts qualify as an attack on critical infrastructure is therefore a decisive point in the proceedings.

Distinction from Disclosure of Secrets and Computer Fraud

Hacking is often confused with other figures from which it should be kept apart:

  • Disclosure and revelation of secrets (art. 197 CP): this protects privacy, not the system. It punishes seizing personal data or communications, or disclosing them, with imprisonment of one to four years and a fine, aggravated if there is disclosure. While art. 197 bis punishes the intrusion as such, art. 197 punishes the attack on personal data. A single episode often begins as illegal access and ends up affecting privacy, which gives rise to a concurrence to be resolved case by case.
  • Computer fraud (art. 249 CP): this requires intent to profit and an unconsented transfer of assets obtained through computer manipulation (for example, diverting a transfer after compromising online banking). Where illegal access is the means of achieving that transfer of assets, the correct classification and the concurrence relationship are central technical issues.

Legitimate Penetration Testing and Authorisation

Ethical hacking or penetration testing (testing a system's security to find flaws) is only lawful with the holder's authorisation. The defence of a security professional turns on evidencing:

  • The existence of a written contract or engagement defining the scope, the authorised systems and the timeframe.
  • That the work did not exceed the agreed scope (no access to systems or data outside the engagement).
  • Reliance on responsible disclosure or bug bounty programmes, where they exist, as the framework for the activity.

Without evidenceable authorisation, the researcher's good intentions do not exclude the offence: the offence is built on the lack of consent, not on the ultimate purpose.

Lines of Defence

  1. Existence of authorisation: the holder's consent or an audit contract that rules out the unauthorised nature of the access.
  2. No breach of security measures: the resource was open or there was no technical barrier to get around.
  3. Disputing authorship: an IP address or a device does not on its own identify the perpetrator; shared networks, compromised equipment, dynamic IPs and spoofing call for rigorous proof.
  4. Challenging the digital evidence: the integrity and chain of custody of logs, images and exhibits; the lawfulness of how they were obtained and, where relevant, of any international cooperation.
  5. Classification and concurrence: arguing the fit between arts. 197 bis, 197, 264 and 249 avoids disproportionate penalties from an incorrect classification.
  6. Mitigating factors: reparation of the harm, confession or cooperation where appropriate.

In this area, the settled case law of the Supreme Court stresses the requirement of breaching the security measures and of unauthorised access as the pillars of the offence, as well as rigour in assessing the electronic evidence, which leaves a technical margin for defence that should be worked on from the outset.

Frequently asked questions

What exactly does article 197 bis of the Criminal Code punish?

It punishes two forms of conduct. In paragraph 1, accessing an information system (or facilitating another person's access), or remaining in it against the will of its holder, by breaching the security measures and without being duly authorised: imprisonment of six months to two years. In paragraph 2, intercepting, by technical means, non-public transmissions of computer data, including their electromagnetic emissions: imprisonment of three months to two years or a fine of three to twelve months.

Do you have to steal data or cause damage for hacking to be an offence?

No. Art. 197 bis.1 CP is an offence of mere activity: it is committed by the unauthorised access to the system, breaching its security measures, even if no data is extracted and no harm is caused. If, in addition, data is deleted, altered or rendered unusable, the computer-damage offence of art. 264 CP comes into play; if reserved personal data is disclosed, art. 197 CP applies.

Is ethical hacking or penetration testing an offence?

No, provided it is carried out with the authorisation of the system's holder. The defining element of the offence is access without being duly authorised; penetration testing covered by a written contract that sets out the scope, the systems and the timeframe falls outside the offence. The problem arises when there is no authorisation, when the agreed scope is exceeded, or when consent cannot be evidenced. That is why it is essential to document the engagement in writing.

Is it an offence to supply hacking programs or passwords?

Yes. Art. 197 ter CP punishes anyone who, without authorisation, produces, acquires for use, imports or supplies to third parties a computer program designed principally to commit these offences, or a password, access code or similar data allowing entry into the system, with the intent to facilitate their commission. The penalty is imprisonment of six months to two years or a fine of three to eighteen months. A parallel provision for sabotage exists in art. 264 ter CP.

How does hacking differ from disclosure of secrets and computer fraud?

Art. 197 bis protects the integrity and confidentiality of the system itself: it punishes the intrusion as such. Art. 197 CP protects privacy: it punishes seizing personal data or communications, or disclosing them. Art. 249 CP (computer fraud) requires intent to profit and an unconsented transfer of assets obtained through computer manipulation. A single operation may begin as illegal access and develop into any of the others, which raises concurrence issues worth analysing.
