Executive summary · TL;DR

ENS (Spanish National Security Framework) certification requires risk analysis, Statement of Applicability and audit by an ENAC-accredited body. Cost: €8,000-35,000 depending on category.

Obtaining certification under the ENS (Spanish National Security Framework) is a process that requires planning, resources and precise knowledge of what the auditors will assess. It is not a trivial procedure, but with the right preparation and a clear roadmap, any organisation can complete it successfully. This guide details each phase of the process, the requirements by category, the real costs in euros you can expect and the typical timelines of a certification project.

In this article
  • Statement of conformity vs. formal certification
  • Statement of conformity (BASIC category)
  • Formal certification (MEDIUM and HIGH categories)
  • Phase 0: internal preparation
  • Real ENS certification costs in 2026

Statement of conformity vs. formal certification

The first step is to understand that the ENS establishes two different accreditation mechanisms depending on the system category.

Statement of conformity (BASIC category)

Systems classified in BASIC category do not need to go through an external audit. The system owner can issue a statement of conformity attesting to compliance with the applicable requirements. This statement must be signed by the security officer, dated and available to any body that may require it. It is renewed every two years.

Although it does not require external audit, the statement of conformity is not a mere formality. The owner signing it assumes real responsibility for the truthfulness of what is declared. Even in BASIC category, it is recommended to carry out a rigorous internal verification process before issuing the statement.

Formal certification (MEDIUM and HIGH categories)

MEDIUM and HIGH category systems must obtain certification issued by an ENAC-accredited body under the CCN certification scheme. This certification involves an on-site audit by qualified auditors verifying compliance with all applicable controls.

The certification process step by step

Phase 0: internal preparation

Before requesting the certification audit, the organisation must have completed its ENS adequacy process. That includes system categorisation, the security policy, the risk analysis using MAGERIT or another recognised methodology, implementation of applicable controls, drafting of the Statement of Applicability (justifying which controls apply and which do not, and why) and at least one internal audit.

Internal preparation is the factor that most influences certification success. A well-prepared organisation passes the audit at the first attempt; a poorly prepared one may need several iterations, with the additional cost that entails.

Phase 1: documentary audit

The audit team reviews all the security management system documentation before the on-site visit. This phase assesses whether the security policy meets ENS requirements, whether the risk analysis is complete and consistent, whether the Statement of Applicability is correctly drafted, whether the security procedures are documented and whether the improvement plan covers the necessary actions.

If serious documentary deficiencies are detected, the on-site audit may be postponed until they are corrected. It is better to invest time in having the documentation flawless before requesting the audit.

Phase 2: on-site audit

Auditors verify on site that the declared controls are actually implemented and operate effectively. This includes interviews with the security and system officers, review of evidence of operation (logs, records, incident reports), technical verification of security configurations, verification of procedure compliance and evaluation of control effectiveness.

Phase 3: audit report

The audit team produces a detailed report that classifies findings into three categories. Major non-conformities prevent certification and must be resolved before obtaining the certificate. Minor non-conformities do not prevent certification but must be addressed within an agreed timeframe. Observations are improvement recommendations that do not condition certification.

Phase 4: resolution of non-conformities

If non-conformities have been identified, the organisation has a period (typically 90 days for major and 6 months for minor) to present evidence of correction. The audit team verifies the corrections and, if satisfactory, issues the certificate.

Phase 5: certificate issuance

The ENS certificate is valid for two years. During that period, the certifying body carries out at least one follow-up audit (usually after one year) to verify that compliance is maintained. On expiry, a full renewal audit is required.

Which certification bodies exist?

Only bodies accredited by ENAC for the ENS certification scheme can issue valid certificates. As of publication, the main accredited bodies are AENOR, Bureau Veritas, SGS, British Standards Institution (BSI) and others progressively joining the scheme.

Selecting the certifying body should be based on several factors: specific sector experience, availability of auditors with ENS knowledge, geographic coverage (especially relevant for organisations with sites across Spain, including Castile and León, the Canary Islands and other regions), pricing and service terms.

Real ENS certification costs in 2026

The costs of an ENS adequacy and certification project break down into two main items.

Adequacy cost (consulting)

Consulting costs depend heavily on the size of the organisation, system complexity and its starting point in security. As a general reference, a Spanish SME with a MEDIUM-category information system can expect a consulting cost between €12,000 and €35,000. For larger organisations or HIGH-category systems, costs can exceed €50,000.

Certification cost (external audit)

The certification audit itself ranges from €4,000 to €15,000 for MEDIUM category, and between €8,000 and €25,000 for HIGH category, depending on the scope and complexity of the system. Annual follow-up audits typically cost around 50-60% of the initial audit.

What subsidies are available?

The Spanish Government's Kit Consulting programme can partially or fully cover cybersecurity consulting costs, including ENS adequacy, for companies with 10 to 249 employees, with vouchers up to €24,000.

How long does a certification project take?

An ENS certification project usually follows this timeline:
  • Initial diagnosis and categorisation: 2 to 4 weeks.
  • MAGERIT risk analysis: 4 to 8 weeks.
  • Control implementation: 8 to 24 weeks depending on the starting point; this is the longest and most variable phase.
  • Internal pre-audit: 2 to 4 weeks.
  • Resolution of internal findings: 2 to 6 weeks.
  • External certification audit: 2 to 4 weeks between planning and execution.

In total, from project start to certificate issuance, the typical timeframe is between 6 and 12 months for MEDIUM category, and between 9 and 18 months for HIGH category.

The 10 most frequent non-conformities in ENS audits

Knowing the common mistakes helps avoid them. The most frequent non-conformities auditors detect are the following.

  • First: an incomplete or outdated risk analysis, with relevant assets missing or unjustified valuations.
  • Second: a security policy that does not meet all the requirements of Annex II of the ENS.
  • Third: lack of segregation of duties between the roles of information owner, service owner, security officer and system owner.
  • Fourth: security incident management without a formal procedure or evidence of its application.
  • Fifth: insufficient staff training and awareness.
  • Sixth: inadequate access control, with shared accounts or excessive privileges.
  • Seventh: absence of a business continuity plan, or an untested plan.
  • Eighth: insufficient security monitoring, with no periodic log review.
  • Ninth: change management without a formal authorisation process.
  • Tenth: insufficient cryptographic protection or use of obsolete algorithms.

Conclusion

ENS certification is a demanding process but perfectly achievable with proper planning and advice. The return on investment is clear: access to public sector tenders, regulatory compliance, real security improvement and trust from public sector clients.

Do not wait until a public tender requires certification to start preparing. The process takes months and, the sooner you start, the sooner you can access the opportunities the ENS opens up.

📩 Want to start your ENS certification process? Get in touch for an initial diagnosis with no commitment and a personalised action plan for your organisation.

Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.


Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: EUR 2,500-12,000 for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.

How long does the implementation take?

A single ISO standard usually takes 4-7 months on average. An integrated management system (SGI) combining ISO 9001, 14001 and 27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
