Regulatory compliance
We take you from categorisation to the certificate: risk analysis, statement of applicability, compliance plan, implementation of the Annex II measures, audit and maintenance. For administrations that must comply with the scheme and for companies that want to sell to the public sector.
ENS auditors on the team and our own system certified in the HIGH category.
Who must comply
The Esquema Nacional de Seguridad, regulated by Royal Decree 311/2022, applies to the entire Spanish public sector (state, regional and local) and also reaches the private companies that provide services or technology solutions to public administrations: tender specifications routinely ask for ENS certification, and without it many public-sector doors do not open.
If you sell to the Administration, or want to start doing so, the ENS is not optional in practice. And if you are a public entity, it is directly your legal security framework.
There is also a third, growing group: the essential and important entities under NIS2. The draft bill transposing the directive points to the ENS as the way to demonstrate compliance, so if NIS2 reaches you, the ENS is your path too.
The framework
The system is categorised according to the impact an incident would have across five dimensions; the category is set by the dimension with the highest level, and that category determines the Annex II measures that apply and how conformity is demonstrated.

Category | Condition | How conformity is demonstrated
BASIC | No dimension reaches the medium level. | Declaration of conformity
MEDIUM | Some dimension reaches the medium level and none the high. | Certification by an accredited body
HIGH | Some dimension reaches the high level. | Certification by an accredited body
Benefits
Without an ENS certificate, many tenders cannot even be signed. With it, you compete in the public sector.
Neither extra measures that drive up cost, nor too few that fail the audit: exactly what your category requires.
The documentation the scheme requires and that helps you operate, aligned with the CCN-STIC guides. No filler.
Maintenance, evidence kept up to date and preparation for each ordinary audit, all covered.
Service
System categorisation: information, services, dimensions and category, with formal approval.
Scheme roles: information owner, service owner, security officer and system owner.
Risk analysis with a recognised methodology, tailored to your system scope and its category.
Statement of applicability: Annex II measures by category, reinforcements and justified exclusions.
Compliance plan prioritised and approved by the competent body: your first piece of evidence.
Guided implementation: policy, standards, procedures and measures, all aligned with the CCN-STIC guides.
Certification audit: preparation, support and closing of findings.
Maintenance: evidence review, ongoing support and the system ready for the next cycle.
And something that is rarely mentioned: compliance does not end with a seal. It leaves a living security management system in place, certifiable by third parties, that keeps improving your security long after the audit.
Method
Scope, dimensions, proposed category and risk map, in two to four weeks.
Statement of applicability and roadmap approved by the competent body.
Measures, documentation, training and evidence; from four to twelve months depending on category and starting point.
Support with the accredited body and closing of non-conformities. Royal Decree 311/2022 then requires ordinary audits at least every two years in the MEDIUM and HIGH categories, and we accompany you through each one.
In parts
Not everyone needs the whole journey. These two stages can be contracted separately, and both end in a report that makes sense.
A snapshot of your real situation against RD 311/2022: what you already comply with, what you are missing for the category you need and how much effort it takes to close it. Designed to decide with data before committing budget, or to bring management a defensible plan.
You walk away with: the compliance level, measure by measure of Annex II, and a prioritised roadmap, within a few weeks.
A review with auditor methodology before the audit that counts, whether the initial certification audit or the biennial ordinary one, so that you arrive without surprises, with findings identified and fixed while it is still cheap to do so. In the BASIC category, it supports the self-assessment.
You walk away with: a findings report with evidence and an action plan. It prepares for the audit by the accredited body, it does not replace it.
Synergies
With ISO 27001, the correlation is very high and documented by the CCN itself in its correspondence guide: risks, policy, roles and a large part of the controls are leveraged both ways. If you already have the ISMS, the ENS arrives with most of the work done; if you start with the ENS, ISO 27001 is just a step away. And to prove that the technical Annex II measures truly protect, our infrastructure pentest puts them to the test.
And towards NIS2, the ENS is shaping up as the Spanish route to compliance: the draft bill transposing the directive relies on compliance profiles based on the scheme, requires essential entities to hold accredited certification of conformity (in practice, the ENS in MEDIUM or HIGH category) and lets important entities choose between that certification or a self-assessment. Certifying today is getting ahead of tomorrow's compliance.
Questions
The entire Spanish public sector and the private companies that provide services or technology solutions to public administrations. For the supplier, the obligation arrives through the contract and the tender specifications: certification is required as a condition to bid or to keep the service.
It depends on the impact an incident would have on the information and services you handle, assessed across five dimensions. Your organisation formally determines the category following Annex I; our job is to help you assess it well and justify it, because over-categorising makes compliance more expensive and under-categorising fails an audit.
In the BASIC category a self-assessment with its declaration of conformity is enough. In MEDIUM and HIGH, conformity requires a formal audit under Annex III and certification by an accredited body.
It depends on the category and the starting point. As a reference, implementation usually takes between four and twelve months; the initial categorisation gives you a realistic estimate within a few weeks.
RD 311/2022 sets ordinary audits at least every two years for the MEDIUM and HIGH categories. Between audits, the system must stay alive: that is why we offer maintenance as part of the service.
It counts, and a lot: the correspondence between both frameworks is very high and we leverage it with the official CCN mapping. But it is not equivalent: the ENS requires formal categorisation, specific Annex II measures and accredited conformity in Spain. The good news is that the remaining path is short.
Yes. Full compliance is the whole journey, but each stage can be contracted separately: a gap analysis against the ENS if you want to know where you stand before deciding, or an internal review audit if you are already certified and want to reach the ordinary audit without surprises. That review does not replace the audit by the accredited body: it prepares for it.
Everything points to it being the Spanish route: the draft bill transposing NIS2 relies on compliance profiles based on the ENS, requires essential entities to hold accredited certification of conformity and lets important entities choose between certifying or self-assessing. The text is still going through the legislative process, but the direction is clear: whoever reaches NIS2 with ENS certification arrives with the work done.
Shall we talk?
Categorisation resolves a lot in little time: with it you will know your category, which measures apply to you and the real path to the certificate.