The recent cyberattack suffered by the Valdemoro City Hall, which forced the suspension of administrative deadlines and affected the ordinary functioning of public services, again brings to light an uncomfortable reality that many organizations continue to underestimate. Digitization has multiplied efficiency, yes, but it has also concentrated critical dependencies whose fragility only becomes evident when something goes wrong.
When we think of a cyberattack, we tend to imagine the loss of access to systems, the disruption of services, or even data theft. But there is a derivative that is less visible and, in many cases, equally delicate, the legal.
What happens when a relevant communication cannot be authenticated? What happens if a contractual notice, a formal claim, a communication with an employee, or a warning with legal effects becomes trapped in a compromised system, without verifiable traceability or without sufficient guarantees about its integrity?
Digital transformation has led many companies to shift legally sensitive processes to everyday channels that, while convenient, were not always designed with evidentiary testing in mind. And that creates a false sense of security.
Sending an email isn’t enough
It’s not enough that a platform logs internal activity. When conflicts arise, what matters is not operational perception but the ability to robustly demonstrate what was sent, when it was sent, whether the content has remained intact, and what evidence exists of its receipt.
It is a debate that no longer affects only large corporations or public administrations. Law firms, human resources departments, financial institutions, or companies with a significant volume of sensitive communications are also discovering that operational continuity is not just about keeping servers running, but about preserving the evidentiary validity of their communications.
The issue takes on an additional dimension when the exchanged content includes personal data, contractual documents, or confidential information. Because not all digital certification mechanisms address content security in the same way. In some cases, the focus has historically been on certifying the sending or receiving event, but not necessarily on robustly protecting the transmitted content.
That is why a more mature view of the problem is taking shape, where resilience is not measured solely in uptime or technical recovery capacity, but also in the legal strength of digital processes.
The real lesson is not that a system can fail. That is part of any technological reality. The question is whether, when it happens, the organization’s critical communications remain defendable.
Javier Meizoso, CEO of Legalpin
