Executive summary · TL;DR
The ENS (Spanish National Security Framework) classifies systems into three categories (BASIC, MEDIUM, HIGH) based on impact on availability, integrity, confidentiality, authenticity and traceability.
Categorisation is one of the most important decisions in the ENS adequacy process, because it determines how many controls you must implement, at what level of stringency, and whether you need formal certification or a statement of conformity suffices. A categorisation error, whether by excess or by default, has direct consequences for costs, timelines and compliance level. This guide explains how the categorisation system works and how to apply it correctly in your organisation.
- How the system category is determined
- Impact level criteria
- BASIC category: requirements and scope
- MEDIUM category: the most usual scenario
- HIGH category: maximum stringency
How is the system category determined?
System categorisation is not arbitrary. It follows a regulated process defined in Annex I of RD 311/2022, based on assessing the impact that a security incident would have on the organisation and on the persons affected.
The process starts by identifying the information handled by the system and the services it provides. For each one, the impact of an incident is assessed on each of the five DICAT security dimensions (Availability, Integrity, Confidentiality, Authenticity and Traceability). Impact is classified into three levels: LOW, MEDIUM or HIGH.
The system category is set as the highest level reached on any of the five dimensions. That is, if your system handles information whose confidentiality is rated HIGH, even if the other four dimensions are MEDIUM, the whole system is categorised as HIGH.
What criteria determine the impact level?
An impact is rated LOW when an incident in that dimension results in limited harm to the organisation's functions, to the assets affected or to individuals; MEDIUM when the harm is serious; and HIGH when the harm is very serious or catastrophic.
Factors evaluated to determine the level include the scope of the damage (number of people or services affected), the organisation's ability to keep operating, the economic impact, damage to public image, harm to citizens' rights and non-compliance with legal obligations.
BASIC category: requirements and scope
BASIC category is assigned to systems where a security incident would have limited impact. It is the most common category for auxiliary information systems, corporate intranets with no sensitive data, informational websites of public bodies and systems of small town councils with basic functionality.
Requirements for BASIC category
BASIC category systems must implement a reduced subset of the 73 ENS controls. Approximately 36 controls apply in BASIC category, many of them at a basic level of stringency.
Accreditation is done through a statement of conformity signed by the system owner, without external audit. This significantly reduces compliance costs, but it does not exempt the organisation from rigour in actually implementing the controls.
Common mistakes in BASIC category
The most frequent mistake is under-categorising a system to avoid external certification. If it is discovered that a system categorised as BASIC should have been MEDIUM (for example because it handles health data or citizens' tax information), the consequences can be serious: the system falls out of compliance and all documentation must be redone.
MEDIUM category: the most usual scenario
MEDIUM category corresponds to systems where a security incident would have a serious impact. It is the predominant category for most administration systems: document managers, e-processing platforms, electronic registry offices, financial management systems, procurement platforms, and the systems of ICT providers supporting these services.
Requirements for MEDIUM category
Approximately 57 controls apply in MEDIUM category, with stronger stringency than BASIC. The most significant reinforcements occur in access control (multi-factor authentication in certain contexts), monitoring (mandatory periodic log review), incident management (formal procedures and notification to CCN-CERT) and service continuity (tested plans).
Certification must be issued by an ENAC-accredited body, which means a formal external audit; the associated costs and timelines are detailed in our certification guide.
HIGH category: maximum stringency
HIGH category is reserved for systems where a security incident would have very serious or catastrophic consequences. This includes systems handling national classified information, critical infrastructure, high-impact essential services (healthcare, justice, security forces), e-voting platforms and systems with massive citizen data whose leakage would cause serious harm to their rights.
Requirements for HIGH category
All 73 ENS controls apply, with maximum stringency. Encryption of communications and of storage is required, along with strict network segmentation, real-time monitoring with intrusion detection capability, incident response within defined times and redundancy of critical systems.
Certification is mandatory and follow-up audits can be more frequent. Implementation and maintenance costs are significantly higher than in MEDIUM category.
Comparative table: controls by category
As a summary, the controls applicable by category roughly break down as follows:

| Framework | BASIC | MEDIUM | HIGH |
|---|---|---|---|
| Organisational framework | 4 | 4 | 4 |
| Operational framework | ~16 | ~25 | 31 (all) |
| Protection measures | ~16 | ~28 | 38 (all) |
| Total | ~36 | 57 | 73 (all) |
Beyond the number of controls, the stringency within each control also varies. For example, access control in BASIC can accept robust passwords, while in MEDIUM multi-factor is required, and in HIGH multi-factor with cryptographic devices is required.
How to categorise: step-by-step process
The categorisation process must be formally documented:
1. Identify all information systems within the ENS scope.
2. For each system, identify the information handled and the services provided.
3. For each information set and service, assess the impact of an incident on each of the five DICAT dimensions.
4. Determine the system category as the highest level reached on any dimension.
5. Document the valuations with their justification.
6. Submit the categorisation to the security officer for approval.
It is advisable to carry out categorisation collegially among the information owner, the service owner and the security officer, with support from the ENS consultant if external advice is available.
Re-categorisation: when it is needed
Categorisation is not static. It must be reviewed when significant changes occur in the system (new services, new types of information, new integrations), when legal or contractual requirements change, during the periodic review of the security policy and always before certification renewal.
An upward re-categorisation (from BASIC to MEDIUM, or from MEDIUM to HIGH) implies the need to implement additional controls, which may require a complementary adequacy project.
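As an added worked example (not part of the original guide), the following Python script applies the categorisation rule described above, the highest level reached on any DICAT dimension across all information sets and services, and flags an upward re-categorisation when a new information set is added. The assets, levels and justifications are constructed for illustration and do not describe any real system.

```python
from dataclasses import dataclass

LEVELS = ("LOW", "MEDIUM", "HIGH")          # regulated impact levels, ascending order
DIMENSIONS = ("D", "I", "C", "A", "T")      # Availability, Integrity, Confidentiality, Authenticity, Traceability

@dataclass
class Valuation:
    """Impact of an incident on one information set or service, with the justification the file must keep."""
    asset: str
    kind: str            # "information" or "service"
    levels: dict         # dimension -> "LOW" | "MEDIUM" | "HIGH"
    justification: str

def validate(v):
    """Every DICAT dimension must carry exactly one of the three regulated levels."""
    missing = set(DIMENSIONS) - set(v.levels)
    if missing:
        raise ValueError(f"{v.asset}: unvalued dimensions {sorted(missing)}")
    bad = {d: lvl for d, lvl in v.levels.items() if lvl not in LEVELS}
    if bad:
        raise ValueError(f"{v.asset}: invalid levels {bad}")

def dimension_levels(valuations):
    """Highest level reached on each dimension across all information sets and services."""
    for v in valuations:
        validate(v)
    return {d: max((v.levels[d] for v in valuations), key=LEVELS.index) for d in DIMENSIONS}

def system_category(valuations):
    """System category = highest level reached on any of the five dimensions."""
    return max(dimension_levels(valuations).values(), key=LEVELS.index)

def recategorisation(old_category, valuations):
    """'up', 'down' or 'same'; an upward move means additional controls must be implemented."""
    delta = LEVELS.index(system_category(valuations)) - LEVELS.index(old_category)
    return "up" if delta > 0 else "down" if delta < 0 else "same"

# Constructed sample: an e-processing platform of a town council (hypothetical, not a real system).
REGISTRY = Valuation("electronic registry", "service",
                     {"D": "MEDIUM", "I": "MEDIUM", "C": "LOW", "A": "MEDIUM", "T": "MEDIUM"},
                     "An outage halts citizen filings; entries must be authentic and traceable.")
TAX_FILES = Valuation("citizens' tax files", "information",
                      {"D": "LOW", "I": "MEDIUM", "C": "MEDIUM", "A": "MEDIUM", "T": "MEDIUM"},
                      "Disclosure of tax data causes serious harm to citizens' rights.")
NEW_SET = Valuation("mass citizen dataset", "information",
                    {"D": "LOW", "I": "MEDIUM", "C": "HIGH", "A": "MEDIUM", "T": "MEDIUM"},
                    "Leakage would cause very serious harm to a large number of citizens.")

if __name__ == "__main__":
    print(system_category([REGISTRY, TAX_FILES]), recategorisation("MEDIUM", [REGISTRY, TAX_FILES, NEW_SET]))  # MEDIUM up
```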
📩 Not sure which category fits your system? Get in touch for a professional categorisation analysis. We will help you determine the right category and plan adequacy efficiently with transparent costs in €.
Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.
Frequently asked questions
How does this apply to my SME?
It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.
What does it cost in 2026?
Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).
Which Spanish regulation applies?
BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.
How long does the implementation take?
On average, 4-7 months for a single ISO standard. An integrated management system (SGI) combining 9001+14001+27001 usually takes 8-12 months.
Can I co-finance it with Kit Digital or Kit Consulting?
Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Marketing to the brain is more predictable than marketing to opinion. — Ángel Ortega Castro