Executive summary · TL;DR
The ENS (Spanish National Security Framework) is mandatory for the Spanish Public Administration and for private companies that provide them with ICT services, under Royal Decree 311/2022. This guide explains who is directly obliged, who is obliged indirectly through the supply chain, what the consequences of non-compliance are, and how the ENS now operates as a de facto requirement in public-sector tenders.
Sources: BOE · Royal Decree 311/2022 · CCN-CERT · Spanish public procurement portal
One of the most frequent questions we receive is direct: does my company have to comply with the Spanish National Security Framework? The answer depends on your relationship with the public sector and the type of services you provide. In this guide we analyse in detail who is required to comply, who should be even if they don't realise it, and what the consequences of non-compliance are.
If you need general background on the ENS (Spanish National Security Framework), start with our definitive guide.
Direct obligation: the public sector
Article 2 of Royal Decree 311/2022 establishes that the ENS applies to the entire public sector, as defined in Law 40/2015. This includes the General State Administration (ministries, autonomous bodies, state agencies), the Autonomous Communities and their dependent bodies, Local Entities (town councils, provincial councils, island councils), public Universities and any public-law entity linked to or dependent on the above.
There are no exemptions by size. A town council of 500 inhabitants has the same legal obligation to comply with the ENS as a ministry, although the category of its systems is likely to be different and, therefore, the applicable controls less demanding.
Indirect obligation: the private sector
This is where many companies discover an obligation they were unaware of. The same Article 2 of Royal Decree 311/2022 extends the application of the ENS to the information systems of private-sector entities when they provide services or solutions to public-sector entities.
Companies obliged de facto
All companies that develop, maintain or evolve software used by the Spanish Public Administration are required to comply with the ENS. So are those that provide hosting, cloud computing or IT infrastructure services to the public sector; those that manage, process or store information classified by the Administration; ICT outsourcing companies serving public bodies; systems integrators that deploy solutions in public-sector environments; and telecommunications companies providing connectivity services to the public sector.
The digital supply chain
The obligation extends to the entire supply chain. If your company is a subcontractor to a direct supplier of the Administration and public-sector information is handled at any point in that chain, the ENS applies to you. Many second- and third-tier suppliers only discover this when the prime contractor asks them for evidence of compliance.
What about companies that don't work with the Administration?
If your company operates exclusively in the private sector and has no direct or indirect contractual relationship with the public sector, the ENS does not legally apply. However, more and more private companies are adopting the ENS voluntarily for three reasons.
The first is strategic: many companies plan to work with the Administration in the future and want to be ready. The second is competitive: the ENS demonstrates a recognised level of security that gives confidence to any customer. The third is operational: the ENS provides a solid security framework that complements or replaces other standards.
The ENS in public tenders: increasingly demanding
The trend in public procurement is unequivocal. More and more tender specifications include ENS certification as a technical solvency requirement (i.e. as a condition to even submit an offer), or as a scoring criterion that rewards certified companies over non-certified ones.
In sectors such as ICT, cybersecurity, technology consultancy and digital services, ENS certification is becoming a de facto requirement to access the public market. Companies that fail to anticipate this trend will find themselves excluded from significant business opportunities.
See our article on ISO 9001 for public tenders to understand how ENS and ISO certifications multiply your chances in public procurement.
Self-diagnosis checklist: do I need the ENS?
Answer the following questions to determine whether your organisation is required to comply with the ENS:
- Is your organisation part of the Spanish Public Administration? If yes, you are obliged.
- Do you develop or maintain software for the Spanish Public Administration? If yes, you are obliged.
- Do you provide hosting, cloud or IT infrastructure services to public bodies? You are obliged.
- Do you process, store or transmit information classified by the Administration? You are obliged.
- Are you a subcontractor to a direct supplier of the Administration in ICT services? You are most likely obliged.
- Do you bid (or plan to bid) for public ICT contracts? Highly recommended.
If you answered yes to any of these questions, you should seriously evaluate your adaptation to the ENS.
What are the consequences of non-compliance?
Non-compliance with the ENS can carry several consequences. Exclusion from public tenders that require ENS certification as a condition is the most immediate and tangible. Termination of existing contracts with the Administration is possible if it is demonstrated that the supplier does not meet the required security levels. Administrative liability may arise if a security incident affects public data or services due to weaknesses attributable to the supplier. And the reputational damage of a security incident in a public service can be devastating for the responsible company.
The deadline to adapt is now
Royal Decree 311/2022 does not establish a grace period. The obligation is immediate for all organisations within its scope. If your company works with the Administration and has not yet started the adaptation process, you are taking on a legal and operational risk that grows with each passing day.
The good news is that subsidies such as the Kit Consulting can fund up to €24,000 of the adaptation project, and a specialist consultant can significantly accelerate the process.
If you have determined that you need to adapt to the ENS, see our guide on ENS consultancy to choose the right partner.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.
Frequently asked questions
- Who must comply with the ENS?
- All bodies of the Spanish Public Administration and private suppliers providing ICT services to the public sector. The answer depends on the relationship with the public sector and the type of services provided.
- What are the categories of the ENS?
- The ENS has three categories — BASIC, MEDIUM and HIGH — depending on the impact a security incident would have on the information processed. There are no exemptions by size: a town council of 500 inhabitants has the same legal obligation as a ministry, although the category and therefore the controls are likely to differ.
- What is the deadline to comply with the ENS?
- Royal Decree 311/2022 set staggered deadlines based on each organisation's starting point; in general, adaptation must be completed within 24 months from publication. Non-compliance brings consequences such as exclusion from public tenders that require ENS certification.
- How much does ENS certification cost?
- Cost depends on category: for an SME it typically falls between €8,000 and €25,000 in MEDIUM category, including adaptation and external audit. The Kit Consulting subsidy can fund up to €24,000 of the adaptation project, and a specialist consultant can significantly speed up the process.
- How does this apply to my SME?
- It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.
- What does it cost in 2026?
- Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).
- Which Spanish regulation applies?
- The BOE references RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689), depending on scope.
- How long does the implementation take?
- On average 4-7 months for a single ISO standard; an integrated management system (SGI) combining 9001, 14001 and 27001 usually takes 8-12 months.
- Can I co-finance it with Kit Digital or Kit Consulting?
- Yes: Kit Consulting 2026 covers up to 24,000 EUR in advisory hours, and Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Brain-based marketing is more predictable than opinion-based marketing. — Ángel Ortega Castro