Executive summary · TL;DR
The ENS (Spanish National Security Framework) is the regulatory framework that sets the minimum security principles and requirements that must be met by all information systems of Spanish public administrations and of the companies providing them with technology services. Regulated by Royal Decree 311/2022 of 3 May, the ENS is not optional: it is a legal obligation whose breach can lead to exclusion from public tenders, administrative sanctions and, above all, unacceptable exposure to cyber-threats in an environment where attacks on the public sector grow year after year.
If you manage a company working with the Administration or run a public body that handles citizens' information, this guide will give you a complete and practical view of everything you need to know to comply with the ENS in 2026.
What is the ENS and why does it exist?
The ENS originated with Law 11/2007 on electronic access of citizens to public services, which recognised the right of citizens to interact electronically with the Administration. That right required a security framework guaranteeing the protection of information and electronic services. The first ENS was approved by Royal Decree 3/2010, and it was completely renewed by Royal Decree 311/2022, which is the version in force.
The ENS pursues four fundamental objectives. First, to create the security conditions needed to generate trust in the use of electronic means. Second, to establish a common security policy for all public-sector entities. Third, to provide a common language and common elements that facilitate interaction between administrations and the communication of security requirements to industry. Fourth, to serve as a reference of good information security practices.
Legal framework in force
The legal framework of the ENS rests on several rules. Law 40/2015 on the Legal Regime of the Public Sector establishes in article 156 that the ENS aims to set the security policy for the use of electronic means in the public sector. Royal Decree 311/2022 develops this with 41 articles, 4 additional provisions, one transitional, one repealing and 4 technical annexes.
Additionally, the ENS is closely related to other regulations such as the General Data Protection Regulation (GDPR) and the NIS2 Directive, whose transposition into Spanish law is the forthcoming Cybersecurity Coordination and Governance Act.
Who must comply with the ENS: full scope
The scope of the ENS is broader than many organisations realise. The direct obligation falls on the entire public sector: the General State Administration, the Administrations of the Autonomous Communities, the entities of Local Administration, public universities and public-law entities linked to or dependent on the Public Administrations.
The indirect obligation for the private sector
Article 2 of Royal Decree 311/2022 establishes that the ENS also applies to the information systems of private-sector entities when they provide services or supply solutions to public-sector entities for the exercise of their administrative powers and competences. This covers every company that handles, processes, stores or transmits information under the responsibility of the Administration, as well as ICT providers supporting public systems.
In practice, this means that if your company develops software for a town council, manages the technology infrastructure of a regional ministry, provides cloud services to a state ministry or simply processes citizens' data on behalf of a public entity, it is obliged to comply with the ENS at the level corresponding to the information system it supports.
The ENS in public tenders
The trend is clear: more and more public procurement specifications require ENS certification as a technical solvency requirement or as a scoring criterion. This makes the ENS not only a legal obligation but a real competitive advantage for companies that tender with the Administration.
The five security dimensions: DICAT
The ENS evaluates information security across five dimensions, known by the acronym DICAT. Each dimension is valued independently, and the highest level reached in any of them determines the system's category.
Availability ensures services and information are accessible when needed. Integrity guarantees that information has not been altered in an unauthorised way. Confidentiality protects information against unauthorised access. Authenticity ensures the identity of people and entities accessing the system is verifiable. And Traceability allows reconstructing who did what, when and on what information.
Each dimension is rated at three levels (LOW, MEDIUM, HIGH) according to the impact a security incident would have on that specific dimension.
ENS categories: BASIC, MEDIUM and HIGH
The system's category is determined based on the highest level reached in any of the five DICAT dimensions. That is, if four dimensions are at LOW level but one is at HIGH, the system as a whole is categorised as HIGH.
BASIC category
Applies when a security incident would have limited impact on the organisation's functions, assets or affected individuals. It is the most common category in small town councils and low-impact information systems. It requires a declaration of conformity (not formal certification) and the application of a reduced subset of the 73 controls.
MEDIUM category
Corresponds to systems where an incident would have a serious impact. It is the usual category for most of the Administration's bodies and for their technology providers. It requires formal certification by an entity accredited by ENAC and the application of a broader set of controls, including reinforced authentication, monitoring and incident management requirements.
HIGH category
Applies when an incident would have very serious or catastrophic impact. It is the category for systems supporting critical infrastructures or high-impact essential services, or handling especially sensitive information (systems that process classified information are governed by their own specific rules, not by the ENS). It requires the 73 measures at their most demanding level, the same two-year audit cycle as MEDIUM but against far stricter requirements, and advanced protection mechanisms.
The 73 ENS controls: overview
The ENS controls are organised into three large frameworks covering security from governance to technical implementation.
Organisational framework (4 controls)
The organisational framework lays the foundations of security. It includes the security policy (org.1), which defines management's commitment; the security rules (org.2), which develop the policy into operational standards; the security procedures (org.3), which detail how the rules are executed; and the authorisation process (org.4), which regulates the approval of new systems or significant modifications.
Operational framework (33 controls)
The operational framework covers planning, access management, operation of systems, external services, cloud services, service continuity and monitoring. Its families are security planning (op.pl), access control (op.acc), operation (op.exp, which covers asset inventory, security configuration, change management, protection against malicious code, incident management and activity logging), external services (op.ext, including supply-chain protection and system interconnection), cloud services (op.nub, new in RD 311/2022), service continuity (op.cont) and system monitoring (op.mon).
Protection measures (36 controls)
Protection measures address the security of facilities and infrastructure (mp.if), personnel management (mp.per), equipment protection (mp.eq), communications protection (mp.com), protection of information media (mp.si), protection of applications (mp.sw), information protection (mp.info) and protection of services (mp.s). Cryptography is not a separate family: it appears as specific measures within these families, such as encryption of media (mp.si.2), confidentiality and integrity of communications (mp.com.2 and mp.com.3), electronic signature (mp.info.3) and time stamps (mp.info.4).
Risk analysis: cornerstone of the ENS
Risk analysis is not a bureaucratic step: it is the exercise that determines which controls are necessary, with what level of rigour, and where security resources should be concentrated. The ENS requires a formal risk analysis based on a recognised methodology (security measure op.pl.1 in Annex II), and its results must be kept up to date as the system changes.
The reference methodology in Spain is MAGERIT (Methodology for Risk Analysis and Management of Information Systems), developed by the Higher Council of Electronic Administration. MAGERIT is supported by the PILAR tool, developed by the CCN (Centro Criptológico Nacional), which automates much of the analysis process.
The risk-analysis process comprises several stages: identification and valuation of information assets, identification of threats that may affect each asset, estimation of impact and likelihood of materialisation, calculation of risk, selection of safeguards and determination of acceptable residual risk.
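As an added example (not code from the page, nor from the CCN, MAGERIT or PILAR), the following Python implements the Annex I categorisation rule from the DICAT section above (category = highest level reached in any dimension) and walks the risk-analysis stages just listed over a constructed sample system. The numeric value, degradation and likelihood scales, the safeguard factors and the acceptable-residual-risk threshold are assumptions chosen for illustration; they are not MAGERIT's tables.

```python
# Added example, not code from the page or from CCN/MAGERIT/PILAR.
# Implements: (1) the Annex I rule "system category = highest level in any
# DICAT dimension", and (2) the risk-analysis stages: asset valuation,
# threats, impact, likelihood, risk, safeguards and residual risk.
# All numeric scales and thresholds are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

DIMENSIONS = ("D", "I", "C", "A", "T")            # availability, integrity, confidentiality, authenticity, traceability
LEVEL_VALUE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # Annex I levels; a dimension may be left unvalued
CATEGORY_OF_LEVEL = {"LOW": "BASIC", "MEDIUM": "MEDIUM", "HIGH": "HIGH"}


@dataclass
class Asset:
    name: str
    valuation: Dict[str, str]   # dimension -> level, e.g. {"C": "HIGH", "D": "MEDIUM"}


@dataclass
class Threat:
    name: str
    asset: str
    dimension: str
    degradation: float   # fraction of the dimension's value lost if it materialises (assumed 0..1 scale)
    likelihood: float    # expected occurrences per year (assumed scale)


@dataclass
class Safeguard:
    threat: str
    degradation_factor: float = 1.0   # multiplies degradation (e.g. backups limit availability loss)
    likelihood_factor: float = 1.0    # multiplies likelihood (e.g. MFA cuts credential-theft frequency)


def dimension_levels(assets: List[Asset]) -> Dict[str, Optional[str]]:
    """Highest level reached in each DICAT dimension across all assets of the system."""
    levels: Dict[str, Optional[str]] = {d: None for d in DIMENSIONS}
    for asset in assets:
        for dim, level in asset.valuation.items():
            if dim not in DIMENSIONS or level not in LEVEL_VALUE:
                raise ValueError(f"bad valuation {dim}={level} on {asset.name}")
            current = levels[dim]
            if current is None or LEVEL_VALUE[level] > LEVEL_VALUE[current]:
                levels[dim] = level
    return levels


def system_category(assets: List[Asset]) -> str:
    """Annex I rule: one HIGH dimension makes the whole system HIGH, whatever the other four are."""
    valued = [lvl for lvl in dimension_levels(assets).values() if lvl is not None]
    if not valued:
        raise ValueError("no dimension has been valued")
    top = max(valued, key=lambda lvl: LEVEL_VALUE[lvl])
    return CATEGORY_OF_LEVEL[top]


def threat_risk(threat: Threat, assets: List[Asset], safeguards: Sequence[Safeguard] = ()) -> float:
    """risk = impact x likelihood, where impact = asset value in that dimension x degradation (assumed model)."""
    asset = next(a for a in assets if a.name == threat.asset)
    value = LEVEL_VALUE[asset.valuation[threat.dimension]]
    degradation, likelihood = threat.degradation, threat.likelihood
    for sg in safeguards:                      # safeguards reduce degradation and/or likelihood
        if sg.threat == threat.name:
            degradation *= sg.degradation_factor
            likelihood *= sg.likelihood_factor
    return value * degradation * likelihood


def residual_risk_report(assets: List[Asset], threats: List[Threat],
                         safeguards: Sequence[Safeguard], acceptable: float) -> List[Tuple[str, float, float, bool]]:
    """Per threat: (name, inherent risk, residual risk after safeguards, residual <= acceptable?)."""
    report = []
    for t in threats:
        inherent = threat_risk(t, assets)
        residual = threat_risk(t, assets, safeguards)
        report.append((t.name, round(inherent, 3), round(residual, 3), residual <= acceptable))
    return report


# Constructed sample system (assumption): a citizen portal and a public event calendar.
SAMPLE_ASSETS = [
    Asset("citizen_portal", {"D": "MEDIUM", "I": "MEDIUM", "C": "HIGH", "A": "MEDIUM", "T": "LOW"}),
    Asset("event_calendar", {"D": "LOW", "I": "LOW", "C": "LOW"}),
]
SAMPLE_THREATS = [
    Threat("credential_theft", "citizen_portal", "C", degradation=1.0, likelihood=0.5),
    Threat("ransomware", "citizen_portal", "D", degradation=0.8, likelihood=1.0),
    Threat("defacement", "event_calendar", "I", degradation=1.0, likelihood=1.0),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("credential_theft", likelihood_factor=0.1),                     # MFA for external users
    Safeguard("ransomware", degradation_factor=0.25, likelihood_factor=0.5),  # offline backups plus EDR
]
ACCEPTABLE_RESIDUAL = 0.5   # assumed threshold fixed by the system owner

if __name__ == "__main__":
    print("category:", system_category(SAMPLE_ASSETS))   # HIGH, because the portal's confidentiality is HIGH
    for row in residual_risk_report(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_SAFEGUARDS, ACCEPTABLE_RESIDUAL):
        print(row)
```

In the sample, four of the five dimensions sit at MEDIUM or LOW but confidentiality is HIGH, so the whole system is categorised HIGH, exactly the situation the categorisation section describes. The report also shows why the last stage matters: the defacement threat has no safeguard assigned and stays above the acceptable residual risk, so it would have to be treated (or the owner would have to accept it explicitly) before the analysis is closed.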
The ENS certification process
The path to ENS certification varies according to the system's category.
Declaration of conformity (BASIC category)
BASIC-category systems do not require external certification. A declaration of conformity signed by the system's owner is enough, attesting that the applicable ENS requirements are met. This declaration must be renewed every two years or when significant changes occur in the system.
Formal certification (MEDIUM and HIGH categories)
MEDIUM and HIGH-category systems must obtain a certification issued by a certification entity accredited by ENAC (Entidad Nacional de Acreditación). The process includes a stage 1 audit (documentary review and planning) and a stage 2 audit (on-site evaluation of compliance). The certification is valid for two years, with an intermediate surveillance audit.
Indicative costs
Adaptation and certification costs vary widely depending on organisation size, system complexity and category. As a general indication, an implementation project for an SME at MEDIUM category typically sits between €15,000 and €40,000 (consultancy included), while certification itself (external audit) ranges between an additional €5,000 and €15,000.
CCN tools for compliance
The CCN (Centro Criptológico Nacional) provides organisations with a free ecosystem of tools that greatly facilitates compliance with the ENS.
PILAR is the official risk-analysis tool, implementing the MAGERIT methodology. INES (National Security Status Report) is the platform for reporting ENS adaptation status. LUCIA is the incident-management system of CCN-CERT. CLARA enables automated verification of security-configuration compliance against the CCN-STIC guides. ANA is the vulnerability-analysis tool. And microCLAUDIA is the CCN-CERT "vaccination" centre that distributes lightweight protections against malicious code to endpoints, aimed at entities with limited resources.
Relationship of the ENS with other standards and frameworks
The ENS does not operate in isolation. It complements ISO 27001 (information security management system), sharing many requirements but with significant differences in scope and approach. It also relates to GDPR for personal data processed by electronic means, to the NIS2 Directive for essential and important service operators, and to the DORA framework for the financial sector.
A smart strategy consists of approaching compliance in an integrated way, leveraging synergies between standards to reduce duplication and costs.
Frequently asked questions
- How long does it take to adapt to the ENS?
- A typical adaptation project requires between 4 and 12 months, depending on the category, the organisation's starting point and available resources.
- Can I certify to ENS and ISO 27001 at the same time?
- Yes, and it is a recommended strategy. Both standards share the management-system structure and many controls overlap. A simultaneous implementation can reduce costs by 30-40% compared to doing them separately.
- What happens if I don't comply with the ENS?
- Non-compliance can result in exclusion from public tenders, administrative liabilities for security incidents affecting citizens' data, and sanctions under the applicable cybersecurity legislation.
- Do I need a consultant to implement the ENS?
- It is not mandatory, but it is highly advisable, especially for organisations tackling the ENS for the first time. A specialist consultant brings experience in categorisation, risk analysis, control selection and audit preparation.
Conclusion: the ENS as a strategic opportunity
The ENS should not be seen solely as a regulatory obligation, but as an opportunity to improve your organisation's security posture, access public tenders and generate trust with your public-sector clients. In a context where cyber-attacks against administrations and their providers multiply every year, holding an ENS certification is not just complying with the law: it is demonstrating professionalism and commitment to protecting citizens' information.
If you want to assess your situation regarding the ENS or start an adaptation process, get in touch. We will analyse your specific case and provide an action plan tailored to your needs and resources.