The Esquema Nacional de Seguridad (ENS) Explained
What Spain's ENS (RD 311/2022) is, who must comply, its categories and dimensions, and how tech vendors achieve conformity to win public-sector deals.
The Esquema Nacional de Seguridad (ENS — Spain's National Security Framework) is the mandatory set of security principles, requirements, and controls that any organisation must satisfy to handle information or provide services for the Spanish public sector. It is established by Real Decreto 311/2022 (Royal Decree 311/2022), which replaced the original RD 3/2010, and it applies not only to public administrations but also — and this is the part most companies miss — to the private-sector technology suppliers that build, host, or operate systems on their behalf. If your SaaS platform, consultancy, or managed service sells to a Spanish ministry, regional government, town council, university, or public hospital, ENS conformity is increasingly a hard prerequisite to bid, not a nice-to-have.
This article explains what the ENS requires, how the three security categories work, the five security dimensions and control families, and the two routes to demonstrating conformity — plus a realistic roadmap for a tech company, and why ISO 27001 alignment cuts the effort substantially.
What the ENS Is (and Why RD 311/2022 Matters)
The ENS was created to guarantee a consistent, minimum level of security across all information systems used to deliver public electronic services in Spain. Its legal roots run through Ley 40/2015 on the legal regime of the public sector, and it is coordinated by the Centro Criptológico Nacional (CCN — National Cryptologic Centre), part of Spain's intelligence agency, the CNI. The CCN publishes the influential CCN-STIC series of security guides, of which CCN-STIC 800 is the ENS-specific family every implementer will consult.
RD 311/2022 modernised the framework in several important ways compared with the 2010 version:
- It restructured the control catalogue into a cleaner set of measures organised by security framework, operational framework, and protection measures.
- It introduced operational profiles of compliance (perfiles de cumplimiento específicos), lighter tailored pathways for particular sectors or system types such as small town councils or specific cloud scenarios.
- It sharpened the treatment of the supply chain, making explicit that contractors and outsourced service providers fall within scope.
- It aligned the framework more closely with the evolving EU regulatory landscape, including the NIS/NIS2 direction of travel.
In short: the ENS is not an optional best-practice standard. It is regulation with the force of a real decreto, and non-conformity can disqualify a bid or breach a signed public contract.
Who Must Comply
The ENS reaches three broad groups:
- Public-sector entities — the Administración General del Estado (central government), the comunidades autónomas (regional governments), entidades locales (local councils), and public-law bodies, universities, and agencies.
- Private-sector suppliers that provide technology, services, or solutions to those entities — cloud providers, SaaS vendors, software developers, integrators, managed service providers, and consultancies.
- Any system that handles information or delivers a service falling under the scope of the public administration's electronic activity.
For a private company, the trigger is commercial: the moment you provide a system or service that processes public-sector information, the contracting body is obliged to require ENS conformity from you. Public tenders (licitaciones) increasingly embed ENS conformity — often at a specific category — as an admission requirement in the technical specifications (pliegos). No certificate, no bid.
The Three Security Categories: BÁSICA, MEDIA, ALTA
Every system in scope is assigned one of three categories, which determines how demanding the applicable controls are. The category is not chosen arbitrarily — it is derived from a valuation of the system across the five security dimensions (below). You assess the worst-case impact if each dimension were compromised, rate it bajo (low), medio (medium), or alto (high), and the highest rating drives the system's overall category.
| Category | Determined by | Typical use cases |
|---|---|---|
| BÁSICA (Basic) | Worst-case impact of a security breach is limited | Informational websites, small municipal services, low-sensitivity internal tools, systems whose failure causes minor, recoverable harm |
| MEDIA (Medium) | A breach would cause serious harm to the organisation or citizens | SaaS platforms processing personal or administrative data, regional e-government services, most vendors selling operational software to public bodies |
| ALTA (High) | A breach would cause very serious or catastrophic harm | Critical infrastructure, essential public services, systems handling highly sensitive data (health, security, large-scale citizen data) |
For most private SaaS and technology vendors selling to the Spanish public sector, MEDIA is the practical target — it is the category most commonly demanded in tenders, and the one Axelia itself holds.
The Five Security Dimensions
Category is determined by valuing the system across five dimensiones de seguridad:
- Confidentiality (confidencialidad) — information is disclosed only to those authorised.
- Integrity (integridad) — information and systems are not altered in an unauthorised way.
- Availability (disponibilidad) — services and data are accessible when needed.
- Authenticity (autenticidad) — the identity of users, systems, and the origin of data is genuine and verifiable.
- Traceability (trazabilidad) — actions can be attributed unambiguously to an entity, and reconstructed after the fact.
Each dimension is rated low/medium/high based on the impact of its compromise. A system that would suffer only minor harm from a confidentiality breach but catastrophic harm from unavailability inherits a high availability rating — and the overall category rises accordingly. This dimension-by-dimension valuation is the analytical heart of an ENS project and is where a structured risk methodology pays off.
The Control Framework: Three Groups of Measures
RD 311/2022 organises its security measures (Annex II) into three families:
- Organisational framework (marco organizativo) — the security policy, normative framework, security procedures, and authorisation processes. This is governance: who owns security, what the rules are, and how they are approved.
- Operational framework (marco operacional) — planning, access control, operations, external services, continuity, and continuous monitoring. This is how security is run day to day.
- Protection measures (medidas de protección) — safeguards applied to specific assets: facilities, personnel, equipment, communications, information media, software applications, information itself, and services.
Crucially, the controls are applied proportionally to the category. A BÁSICA system implements a baseline; MEDIA reinforces it; ALTA demands the most rigorous measures, additional evidence, and stronger assurance. RD 311/2022 also defines four governance roles that must be assigned: the responsable de la información (information owner), responsable del servicio (service owner), responsable de seguridad (security officer), and responsable del sistema (system owner) — with a clear separation between the security function and system operation.
Certification vs Self-Declaration
The ENS provides two routes to demonstrate conformity, and which one applies depends on your category:
- Self-declaration of conformity (autoevaluación / declaración de conformidad) — permitted for BÁSICA systems. The organisation assesses itself and publicly declares conformity. Lower cost, lower assurance.
- Formal certification of conformity (certificación de conformidad) — mandatory for MEDIA and ALTA systems. An accredited, independent certification body audits the system and issues an ENS conformity certificate, valid for two years and subject to surveillance.
Both routes result in the right to display the official ENS conformity seal (distintivo de conformidad) at the corresponding category. Because MEDIA and ALTA require third-party certification, most vendors selling seriously to the public sector go through a full external audit.
Accredited Certification Bodies
ENS certification is issued by conformity assessment entities (entidades de certificación) accredited by ENAC (Entidad Nacional de Acreditación — Spain's national accreditation body) specifically for the ENS scheme, under the coordination of the CCN. When selecting a certifier, confirm their ENAC accreditation covers the ENS (not merely ISO 27001) and that they can audit at your target category. The audit follows the CCN's methodology, and results are reflected through CCN channels.
How the ENS Relates to ISO 27001 and NIS2
A frequent question: if we already hold ISO 27001, are we done? Not quite — but you are well over halfway there.
ISO 27001 and the ENS share the same DNA: a risk-based information security management system, an emphasis on governance, and heavily overlapping controls (access control, cryptography, operations security, continuity, supplier management, logging). An organisation with a mature, certified ISMS will find that a large share of ENS requirements are already satisfied by existing policies, procedures, and evidence.
The key differences:
- The ENS is Spanish public-law regulation with prescriptive, category-dependent controls; ISO 27001 is a voluntary international standard with a risk-driven Statement of Applicability.
- The ENS mandates specific measures and governance roles and uses its own five-dimension valuation model; ISO 27001 lets you justify exclusions.
- ISO 27001 certification does not substitute for ENS conformity when a tender demands ENS — but it dramatically accelerates the project because the underlying management system, risk process, and evidence already exist.
On the EU side, NIS2 (Directive (EU) 2022/2555, transposed into Spanish law) raises baseline cybersecurity and incident-reporting obligations for essential and important entities across many sectors. The ENS is widely regarded as a strong foundation for meeting NIS2-style requirements in the Spanish context: the operational controls, continuity measures, monitoring, and incident handling the ENS mandates map naturally onto NIS2 risk-management duties. Likewise, sector regulations such as DORA for financial entities lean on the same control disciplines. Building on an ENS + ISO 27001 base positions an organisation to address these overlapping regimes efficiently rather than as separate projects.
Why a Private SaaS or Tech Vendor Increasingly Needs the ENS
The commercial logic is straightforward and getting sharper every procurement cycle:
- Admission to tenders. Public bodies embed ENS conformity in their pliegos as a mandatory requirement. Without it, your bid is inadmissible regardless of price or quality.
- Supply-chain accountability. RD 311/2022 makes suppliers explicitly in-scope, so contracting bodies must push conformity down to you. Expect ENS clauses in contracts and audits of your evidence.
- Competitive differentiation. An ENS seal at MEDIA signals to every public buyer that your platform has been independently audited to a recognised national standard — a trust shortcut competitors without it cannot offer.
- Faster sales cycles. Holding the certificate up front removes a procurement blocker and shortens security due diligence.
For a SaaS vendor, ENS is quickly moving from differentiator to table stakes in the Spanish public market.
A Phased Roadmap to ENS Conformity
Achieving ENS conformity is a project, not a purchase. A realistic path for a technology company targeting MEDIA looks like this:
| Phase | Focus | Typical activities |
|---|---|---|
| 1. Scoping & categorisation | Define what's in scope and its category | Identify the systems/services in scope, value the five dimensions, determine the category, assign the four governance roles |
| 2. Gap analysis | Measure distance to conformity | Map current controls (and any ISO 27001 ISMS) against the applicable ENS measures; produce a prioritised gap list |
| 3. Risk analysis | Formal risk assessment | Run a risk analysis (commonly with the MAGERIT methodology), define the declaración de aplicabilidad (statement of applicability) |
| 4. Remediation | Close the gaps | Implement missing organisational, operational, and protection measures; write policies and procedures; deploy technical controls; assign roles |
| 5. Evidence & operation | Run the controls and gather proof | Operate the controls long enough to generate audit evidence — logs, records, continuous monitoring, audit trails |
| 6. Audit & certification | Independent assessment | Engage an ENAC-accredited certification body; remediate any non-conformities; obtain the ENS conformity certificate |
| 7. Maintenance | Keep conformity live | Continuous monitoring, periodic review, surveillance activity, and renewal within the two-year validity cycle |
Realistic effort: For an organisation starting from a solid ISO 27001 base, a MEDIA project is often achievable in roughly three to six months, because governance, risk methodology, and much of the evidence already exist. Starting from scratch — no ISMS, informal processes — expect closer to six to twelve months, with the heaviest lift in building the organisational framework, formalising risk analysis, and accumulating operational evidence. The single biggest accelerator is an existing, well-run management system: the ENS rewards organisations that already treat security as a governed, evidenced discipline rather than an ad-hoc effort.
Conclusion
The ENS is Spain's mandatory security framework for the public sector and its suppliers, and RD 311/2022 has both modernised it and made the supply-chain obligation unmistakable. For technology vendors, conformity — most often at MEDIA, with formal third-party certification — is fast becoming the price of entry to public-sector business. The good news is that the work is tractable and highly synergistic with ISO 27001, NIS2, and DORA: build the management system once, and much of it carries across.
Axelia knows this path first-hand: we are ENS Categoría Media certified under RD 311/2022, so we have run every phase above on our own systems before advising anyone else. Through our ISMShed GRC platform — with its AI Compliance Copilot, MAGERIT risk management, and continuous evidence and audit-trail automation — combined with hands-on GRC consulting, we help startups and SMEs reach ENS conformity faster and keep it live. If ENS is on your roadmap to win Spanish public-sector contracts, let's talk about the shortest credible route there.
