Executive summary · TL;DR

Spanish town councils are required to comply with the ENS (Spanish National Security Framework) under RD 311/2022: the minimum categorisation is BASIC, a BASIC system can be covered by a statement of conformity, and MEDIUM and HIGH systems require a biennial certification audit by an ENAC-accredited body.

Of the more than 8,000 town councils that exist in Spain, fewer than 200 have obtained certification or a statement of conformity with the ENS (Spanish National Security Framework). The figure is alarming, because ENS compliance is mandatory for the entire Spanish Public Administration with no size-based exceptions. Town councils, provincial diputaciones and other local authorities face specific challenges, which this guide addresses with practical solutions adapted to their reality.

In this article
  • The reality of Spanish town councils against the ENS
  • Typical categorisation of municipal systems
  • Adequacy roadmap for a town council (phases 1 to 5)
  • Free CCN tools for municipalities
  • Funding available for town councils
  • The role of municipal ICT providers
  • Success cases in local administration

The reality of Spanish town councils against the ENS

The current situation is worrying. Most small and medium municipalities have not even started the ENS adequacy process. The recurring reasons are: lack of awareness of the legal obligation, absence of specialised cybersecurity staff, very limited budgets, legacy information systems that are difficult to secure, and the mistaken perception that the ENS only affects large bodies.

However, town councils are especially vulnerable to cyberattacks. They handle personal data of all their citizens (census, taxes, licences, social services), they manage local critical infrastructure (water, lighting, traffic), and they frequently operate with obsolete systems that no longer receive security updates.

Typical categorisation of municipal systems

Most small and medium town councils will categorise their systems as BASIC or MEDIUM. A council of fewer than 5,000 inhabitants with basic e-services (electronic registry office, census, tax management) usually sits in the BASIC category, which allows a statement of conformity without external certification.

Medium-sized councils (5,000-50,000 inhabitants) with more complex e-services (full electronic processing, social services, local police) usually require the MEDIUM category, which carries the obligation of formal certification.

Large councils and provincial diputaciones, with more complex and interconnected information systems, may require HIGH category in some of their systems.

Adequacy roadmap for a town council

Phase 1: diagnosis and awareness (1-2 months)

The first step is for the municipal governing team to take on board the obligation and the importance of the ENS. Convene an information session for the mayor's office, the responsible councillor and the technical staff. Identify an internal project lead, even if part-time. Then carry out a basic inventory of the municipal information systems and of the ICT providers that manage them.

Phase 2: categorisation and basic analysis (2-3 months)

Categorise the information systems according to Annex I of the ENS. Run a simplified risk analysis with µPILAR (the reduced version of the CCN's PILAR risk analysis tool). Identify the most critical gaps against the applicable controls.

Phase 3: prioritised adequacy plan (1 month)

Draft an action plan that prioritises measures by risk level. Do not try to do everything at once. Start with the controls with the greatest impact on risk reduction: access control, backups, incident management and staff awareness.

Phase 4: progressive implementation (6-12 months)

Implement controls gradually, starting with the most critical. Document the security policy and the essential procedures. Train staff. Establish an agreement with your ICT providers so they apply the controls that fall to them.

Phase 5: declaration or certification (1-2 months)

If the category is BASIC, issue the statement of conformity. If MEDIUM or HIGH, contract a certification audit with an ENAC-accredited body.

Free CCN tools for municipalities

The CCN offers an ecosystem of tools specifically designed for administrations with limited resources.

  • µPILAR is the simplified version of the risk analysis tool, more accessible than the full version and sufficient for most municipalities.
  • CLARA is the automated verification tool for security configuration compliance on Windows systems.
  • ANA is the vulnerability analysis tool that allows the council's systems to be scanned for known weaknesses.
  • microCLOUD offers secure cloud services (email, storage, office productivity) for bodies that cannot manage their own infrastructure.
  • VANESA is the CCN's secure videoconferencing service.
  • INES is the platform for reporting ENS adequacy status.

All these tools are free for public sector bodies. Leveraging them can significantly reduce the cost of the adequacy project.

Funding available for town councils

Several funding sources are available. Next Generation EU funds, channelled through the digitalisation plans of the Spanish autonomous communities and provincial diputaciones, include specific budget lines for municipal cybersecurity. Provincial diputaciones in several autonomous communities offer technical and financial support programmes to their municipalities. Local Chambers of Commerce can also provide guidance on the aid available.

The role of municipal ICT providers

Many town councils have outsourced the management of their information systems. In those cases, the ICT provider is co-responsible for ENS compliance. It is essential that contracts with providers include security clauses aligned with the ENS, that providers demonstrate their own compliance (ideally with ENS certification), that service level agreements (SLAs) include security requirements, and that provider compliance is monitored regularly.

If your ICT provider does not know the ENS or is unwilling to commit to its compliance, seriously consider switching provider.

Success cases in local administration

Despite the challenges, more and more town councils are successfully completing their ENS adequacy. The common keys in success cases are the commitment of the governing team, the appointment of an internal lead, intensive use of the CCN tools, collaboration with the provincial diputación, and specialised external advice for the most complex phases of the project.

📩 Are you in charge of a Spanish town council or local body that needs to comply with the ENS? Let's talk. We have experience in local administration and will propose an adequacy plan adapted to your resources, timelines and budget.

Need help with this? Get in touch: the first 45-minute session is at no cost, with a clear action plan and transparent costs.


Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.


Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

The BOE references are RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689), depending on scope.

How long does the implementation take?

On average, 4-7 months for a single ISO standard. An integrated management system (SGI) combining 9001, 14001 and 27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro