Executive summary · TL;DR
The ENS (Spanish National Security Framework) requires a documented incident management protocol covering detection, notification to CCN-CERT, containment, eradication, recovery and lessons learned. This guide explains the controls op.exp.7, op.exp.9 and op.exp.10, the notification deadlines and how to build an incident response capability that actually works.
Sources: BOE · Royal Decree 311/2022 · CCN-CERT guides 800 · ENISA
Cybersecurity incidents are no longer an "if", they are a "when". The question is not whether your organisation will suffer a security incident, but how prepared it will be when it happens. The ENS (Spanish National Security Framework) dedicates specific controls to incident management, recognising that this capability is critical to the resilience of digital services.
What the ENS requires on incident management
The ENS dedicates several controls to incident management: op.exp.7 (incident management) requires a formal incident management process, op.exp.9 (record of activities) requires that incidents be documented, and op.exp.10 (cryptographic key protection) addresses incidents involving keys. Additionally, related controls such as op.mon.1 (intrusion detection) and op.mon.2 (capacity metrics) support the early detection of incidents.
Phases of incident management
An effective incident management protocol must cover the following phases.
Phase 1: Preparation
Before an incident happens, the organisation must have everything ready: a documented and approved incident management procedure; an internal incident response team (IRT) or a contract with an external one; tools for detection, analysis and response (SIEM, EDR, forensics tools); defined and tested communication channels (internal, with CCN-CERT, with regulators, with affected parties); incident classification criteria by severity; and periodic incident management training and drills.
Phase 2: Detection and analysis
Detection can come from multiple sources: SIEM alerts, EDR/antivirus alarms, log analysis, user reports of suspicious behaviour, external notifications (CCN-CERT, partners, customers), threat hunting carried out by the security team.
Once a possible incident is detected, initial analysis must determine: whether it is a genuine incident or a false positive, its scope (affected systems, users, data), its severity (low, medium, high, critical), the type of incident (malware, ransomware, data leak, denial of service, unauthorised access, etc.) and the potential impact on the organisation.
Phase 3: Containment
The objective of containment is to limit the damage and prevent the incident from spreading. It can be short-term (immediate, even if temporary) or long-term (more solid, but it may take longer). Containment measures include isolating affected systems from the network, blocking malicious IP addresses or accounts, disabling compromised services, applying emergency patches and changing the credentials of compromised accounts.
Phase 4: Eradication
Once contained, the threat must be eliminated. This includes removing malware, closing the vulnerabilities exploited, removing persistence mechanisms (backdoors, malicious scheduled tasks) and verifying that the threat is no longer present.
Phase 5: Recovery
This phase restores systems to normal operation. It is critical to: restore from clean backups, verify the integrity of the systems before bringing them back online, monitor closely to detect possible reactivation, and gradually return to normal operation.
Phase 6: Lessons learned
Every incident is an opportunity to improve. Within a maximum of two weeks after the incident: hold a post-mortem meeting with everyone involved; analyse what worked and what did not; document the root cause; define improvement actions (new controls, procedure updates, additional training); update the procedure based on lessons learned.
Notification to CCN-CERT
The ENS requires notifying CCN-CERT of significant incidents through the LUCIA platform (Unified Cybersecurity Incident Logging). The notification must include: identification of the affected organisation, date and time of detection, type of incident, affected systems and information, estimated impact, containment measures applied, and contact details for the incident response team.
The deadlines depend on the severity. For critical incidents, the notification must be made within 24 hours of detection. For high-severity incidents, within 48 hours. For medium-severity incidents, within 72 hours.
Incident severity classification
The CCN-CERT defines five severity levels:
- Critical (level 5): incident with very serious impact on essential services, with significant data loss or compromise of critical infrastructure.
- Very high (level 4): serious impact on important services or sensitive information.
- High (level 3): noticeable impact on services or information.
- Medium (level 2): limited impact, manageable with internal resources.
- Low (level 1): minimal impact, easily resolved.
Relationship with the GDPR: personal data breach
If the incident involves a personal data breach, additional GDPR obligations apply (Articles 33 and 34): notification to the AEPD within 72 hours of detection and, if there is a high risk to the rights and freedoms of data subjects, individual notification to the affected persons.
Coordinate ENS notification (to CCN-CERT) and GDPR notification (to AEPD) when the incident affects both spheres, which is the case for any incident affecting personal data in public-sector systems.
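The two notification clocks above (CCN-CERT by severity, AEPD when personal data is involved) and the two-week post-mortem window can be turned into a single timeline so that the response team sees which obligation falls due first. This is an added example, not code from the guide or from CCN-CERT; it starts every clock at the detection timestamp as the text does, and treats the "very high" level 4, for which the text gives no window, as an assumption equal to the 24-hour critical window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Notification windows stated in the guide, keyed by CCN-CERT severity level.
# Level 4 has no window in the text; mapping it to 24h is an assumption
# made here (conservative: stricter than the adjacent level 3).
CCN_CERT_WINDOW_HOURS = {5: 24, 4: 24, 3: 48, 2: 72}
GDPR_AEPD_WINDOW_HOURS = 72      # GDPR Art. 33, counted from detection
LESSONS_LEARNED_DAYS = 14        # Phase 6: post-mortem within two weeks


@dataclass(frozen=True)
class Obligation:
    recipient: str
    due: Optional[datetime]      # None means "no fixed deadline in the text"
    basis: str


def notification_plan(detected_at: datetime, level: int,
                      personal_data: bool = False,
                      high_risk_to_subjects: bool = False) -> List[Obligation]:
    """Build the ordered list of notification obligations for one incident."""
    plan: List[Obligation] = []
    hours = CCN_CERT_WINDOW_HOURS.get(level)
    if hours is not None:            # level 1 (low) has no CCN-CERT deadline here
        plan.append(Obligation("CCN-CERT via LUCIA",
                               detected_at + timedelta(hours=hours),
                               f"ENS op.exp.7, severity level {level}"))
    if personal_data:
        plan.append(Obligation("AEPD",
                               detected_at + timedelta(hours=GDPR_AEPD_WINDOW_HOURS),
                               "GDPR Art. 33"))
        if high_risk_to_subjects:    # Art. 34: individual notice, no fixed clock
            plan.append(Obligation("Affected data subjects", None, "GDPR Art. 34"))
    plan.append(Obligation("Internal post-mortem meeting",
                           detected_at + timedelta(days=LESSONS_LEARNED_DAYS),
                           "Phase 6, lessons learned"))
    # Soonest fixed deadline first; open-ended obligations at the end.
    plan.sort(key=lambda o: (o.due is None, o.due or datetime.max))
    return plan


def overdue(plan: List[Obligation], now: datetime) -> List[str]:
    """Recipients whose fixed deadline has already passed at time `now`."""
    return [o.recipient for o in plan if o.due is not None and now > o.due]


if __name__ == "__main__":
    # Constructed scenario: high-severity incident with personal data, detected 09:00.
    for o in notification_plan(datetime(2026, 3, 2, 9, 0), 3, personal_data=True):
        print(f"{o.due}  {o.recipient:<28} {o.basis}")
```

Running the script prints the CCN-CERT deadline (48 h) ahead of the AEPD one (72 h) for a level-3 incident; for a level-2 incident both fall at the same hour, which is exactly the coordination case the text describes.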
Tabletop exercises and drills
The procedure is only useful if the team knows how to apply it under pressure. Conduct regular drills with realistic scenarios: simulate the entire incident management cycle, involve all relevant areas (security, IT, communication, legal, management), evaluate response time, document any deficiencies and update the procedure based on the lessons learned.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.
Frequently asked questions
- Who must comply with the ENS?
- All bodies of the Spanish Public Administration and private suppliers providing ICT services to the public sector. The ENS requires a formal incident management process under controls op.exp.7, op.exp.9 and op.exp.10.
- What are the categories of the ENS?
- The ENS has three categories — BASIC, MEDIUM and HIGH — depending on the impact of an incident. Incident management requirements scale according to category.
- What is the deadline to comply with the ENS?
- Royal Decree 311/2022 set staggered deadlines based on each organisation's starting point; in general, adaptation must be completed within 24 months from publication. The notification deadlines to CCN-CERT depend on incident severity (24h for critical, 48h for high, 72h for medium).
- What happens if the ENS is not complied with?
- Non-compliance with the ENS prevents contracting with the Spanish Public Administration and may lead to sanctions under the applicable sectoral regulations.