Anyone with a mobile phone, from a regular citizen to a minister, including senior corporate executives, faces a common problem: fraud and cybersecurity issues, especially in the banking sector. The challenge is horizontal in nature, and its consequences are being felt—even impacting people’s mental health—but it goes beyond that. The matter scales to corporate competitiveness, citizens’ trust, the protection of essential services, and Europe’s position in a geopolitical context shaped by the tech rivalry between the United States and China. This was the starting point of the ING‑led digital well-being meeting held on April 24, where institutional representatives, regulation experts, leaders of the financial sector, and cybersecurity specialists discussed digital fraud as a social, economic, and geopolitical challenge.
In the opening, Carlos López Blanco, a lawyer and expert in digital regulation, argued that the concept of cybersecurity is insufficient to describe the magnitude of the challenge. The central thread was that perhaps it is worth moving beyond the classic notion of cybersecurity and talking directly about security: a security intertwined with technology, the economy, public services, and everyday life.
Co-responsibility in the face of digital fraud
The idea of shared security ran through much of the dialogue. From the banking sector, Alexandros Triantafyllou, Director of Fraud Prevention at ING, argued that digital fraud and cybersecurity must be understood as a social problem, not as an exclusive responsibility of the customer, a particular company, or a single sector. In this context, users are especially exposed because the relationship with their bank is increasingly conducted through digital channels and because attacks exploit precisely that everyday trust.
Participants in the meeting also included political and institutional representatives, such as Javier Ruiz, National Security spokesperson for the Socialist Group in Congress; Tatiana Jiménez, Deputy Spokesperson for Economy and Employment for PSOE in the Madrid Assembly; Carlos González, PP deputy in the Madrid Assembly, and Alberto García, head of service at the Secretary of State for Digitalization and Artificial Intelligence. From their contributions, the conversation incorporated a public perspective on protecting small municipalities, digital literacy, and the need to adapt the institutional response to risks that evolve rapidly.
“Vulnerability affects not only bank customers or large companies, but also small administrations that manage local services and sensitive data”
A similar logic is evident on the institutional level. From politics, the emphasis was placed on the smaller administrations, which often have resources but do not always possess sufficient technical know-how to adequately protect their citizens. With this example, it was understood that vulnerability does not affect only bank customers or large companies, but also small administrations that manage local services and sensitive data.
In this sense, if fraud operates across the board, protection must do so as well. Javier Montes, ING’s General Manager of Retail Banking, highlighted a regulatory advance already implemented by the banking sector: instant transfers, which have made it possible for people to move and access their money immediately. However, he also warned about their implications for fraud: when a transaction can be executed in seconds, the ability to detect and stop a fraudulent transaction is reduced, especially for large amounts, such as the 50,000 euros that can move in seconds. The aim was not to change the regulation, but to consider its effects when sweeping regulatory advances of major significance. In this example, a comparison was drawn: that a vehicle can reach 200 kilometers per hour does not mean it should always travel at that speed.
Therefore, co‑responsibility implies recognizing that the user must be educated and alert, but also that companies must build safer environments. Cybersecurity specialists argued that organizations should protect citizens even from their own mistakes. The reason is that the challenge is not only about warning of risks, but also about reducing the chances that a human error becomes an economic loss or a security breach.
A connected citizenry, but still unprotected
Citizens use the internet with ease, but they do not always understand the risks. At the institutional level, a finding from ING’s policy brief Digital Well-being: Toward Conscious Technology Use to Fight Fraud and Preserve Our Security was recalled: “more than 95% of vulnerabilities originate from human error”. This places digital and media literacy at the heart of any prevention strategy. Nevertheless, the problem is that such training arrives late, unevenly, or sometimes not at all. Hence, it was also emphasized that cybersecurity is a shared task across multiple sectors.
Political representatives also pointed to a generation with the capacity to access the internet in almost every aspect of life, but who simultaneously feels unprotected and fearful. That sentiment affects especially those who have had to adapt to the digital environment without adequate prior education, although the problem also affects the youngest.
“Digital security can also start with these simple actions: pause, verify, and distrust what seems suspicious”
In this area, content creators can play a relevant role. The sector explained that many basic practices of “digital hygiene” remain not internalized by the public. When a prominent creator adopts good routines and demonstrates them to their community, they can trigger a cascade effect that helps normalize protective habits. Because cybersecurity can also begin with these simple gestures: pause, verify, distrust what seems suspicious, and understand that every personal account can be a doorway to greater risks.
Carlos López Blanco, a lawyer and expert in digital regulation, explains the present and the evolution of cybersecurity. Photo: Courtesy, ING
Economic risk: SMEs, suppliers, and the supply chain
The risk to businesses arose naturally in the discussion. Several experts focused on the supply chain, one of the most sensitive points of the new landscape. The conversation described a “perfect storm” in which greater connectivity and higher reliance on technology coexist with cybercrime of “increasingly sophisticated” levels, and in this regard, the ability to respond is as important as prevention. The keyword is resilience: to acknowledge that risk exists and to prepare organizations to withstand, react, and recover.
“Cybersecurity must be part of the strategic leadership of companies”
The attack on Jaguar Land Rover in 2025 serves as a paradigm of this problem: the United Kingdom faced an economic impact estimated at between £1.6 and £2.1 billion, with effects on thousands of organizations linked to the supply chain. The damage, therefore, is not limited to the attacked company, because it can extend to component, battery, or ancillary service providers. In many cases, these companies are SMEs with fewer resources to protect themselves and less capacity to absorb the impact. Another public affairs perspective expanded that assessment by recalling that all digital life rests on connectivity infrastructures whose design, management, and use are also part of security.
In parallel, it was stressed that cybersecurity must be part of the strategic leadership of companies, since it can no longer be treated as a technical issue confined to a particular department. As discussed, cybersecurity affects business, reputation, operational continuity, and the trust of customers and suppliers.
A public response to a common risk
Although the conversation warned that regulation often lags behind the risks, institutional responses are essential. This view defended the role of the administration and coordination with security forces, but it was also acknowledged that technological times require constant reevaluation of responses. In that sense, the value of cross‑sector dialogue spaces was highlighted.
Gustavo Lozano, ING’s CISO, cited the Digital Operational Resilience Act (DORA) as an example—a solid and well‑oriented regulation whose practical implementation still shows gaps. The critical point, he noted, is in sharing threat information between sectors and in real time. Currently, the approach remains more reactive than preventive: alerts and practices that appear first in one country or sector do not always reach other actors quickly enough to anticipate and respond effectively.
Therefore, there was an emphasis on developing mechanisms that allow structured sharing of threat information that, in many cases, first appears in one country and is quickly replicated elsewhere. Having that information in advance would enable leveraging the experience of those who have already faced the situation and improving the prevention capacity of the entire ecosystem.
“Cybersecurity can no longer rest solely on user prudence nor on the reaction capacity of a single company”
The meeting’s conclusions pointed precisely to the need to combine protection, education, regulation, and secure design. Cybersecurity can no longer rest solely on user prudence or on the reaction capacity of a single company. If digital fraud affects citizens, banks, SMEs, suppliers, municipalities, and critical infrastructures, the response must be built from all those levels. Therefore, in a world where technology increasingly organizes daily life, economic activity, and the delivery of public services, digital well-being hinges on accepting that security is a common challenge that requires resources, agreements, and collaboration.
In partnership with:
