ENS (Esquema Nacional de Seguridad): The Complete Guide for Companies Working with Spanish Public Administration
Any company that wants to provide IT services to Spanish public sector bodies must achieve ENS certification. This guide explains the framework, the certification levels, and the practical path to compliance.
The Esquema Nacional de Seguridad—Spain’s National Security Framework—is the cybersecurity standard that governs information systems in Spanish public administrations and, critically, in any private company that processes information belonging to those administrations or provides IT services to them. Royal Decree 311/2022 updated the ENS framework significantly, expanding its scope and raising its technical requirements to align with current threats and European cybersecurity standards.
If your company provides cloud services, software development, managed IT services, document management, or any technology service to Spanish central government, regional administration (Comunidades Autónomas), local administration, or public bodies—or if you handle data that originates from these entities—ENS certification is a prerequisite, not an option.
This guide explains how the framework is structured, what the certification levels require, and how to navigate the path to certification efficiently.
Who must comply with ENS
The core obligation under ENS applies to all Spanish public administration entities. But the private sector obligation—which is where most companies reading this guide sit—arises when a private company:
- Provides ICT services to a public administration that handles information within ENS scope
- Processes information belonging to a public administration
- Connects its systems to public administration networks or platforms
In practice, this covers: cloud hosting providers used by public bodies, software vendors whose products are deployed in public sector environments, IT managed service providers with public sector clients, document management and workflow software providers to public entities, and communications and cybersecurity service providers to the public sector.
Many private companies discover their ENS obligation when they lose a public tender because they cannot demonstrate ENS certification—or when their public sector client requests a certification report they cannot provide.
The three ENS security categories
ENS classifies information and services into three security categories: Basic, Medium, and High. The category determines the level of controls required and, for private sector companies, the certification level that must be demonstrated.
Basic category applies to information and services where a security failure would have a limited impact. Basic ENS requires a defined set of controls across organisational, operational, and protective measures. Most private sector companies providing standard IT services to local administration or non-critical national bodies target Basic certification.
Medium category applies where a security failure would cause significant harm—to individuals’ rights, to the organisation’s ability to fulfil its mission, to public interests, or to national security at a non-critical level. Medium ENS requires additional controls including specific requirements for incident management, access control, personnel security, and technology protection.
High category applies to information and services classified as critical—where failure could cause very serious harm to national security, national defence, fundamental rights, or public order. High ENS certification requires the most extensive control set and is typically relevant for defence contractors, critical infrastructure providers, and organisations processing classified information.
The category applicable to your services is determined by the contracting public administration, not by you. Before pursuing certification, confirm with your public sector client which category their information and systems require.
The ENS control framework
ENS controls are organised into three groups: organisational framework, operational framework, and protective measures.
Organisational framework covers governance, risk management, security policy, security roles, and annual security reviews. This group establishes the governance structures that underpin all other controls. Required outputs: a written security policy approved by management, named roles (Security Manager, System Responsible, Security Responsible), a risk analysis methodology, and an annual review process.
Operational framework covers security planning, access control, operational continuity, change management, incident management, and supplier security. This group governs how security is maintained in day-to-day operations. The access control requirements under ENS are prescriptive: principle of least privilege, separation of duties for sensitive functions, periodic access reviews, and logging of privileged access.
The protective measures group covers the technical controls for facilities, systems, communications, software, and user information. Key requirements include network perimeter protection and internal segmentation, encryption of stored and transmitted information, malware protection across all endpoints, patch management with defined timelines, and logging with defined retention periods.
The certification process
ENS certification for private companies is obtained through an audit conducted by an accredited certification body (Entidad de Certificación Acreditada—ECA). The process:
Phase 1: Gap assessment. Before engaging a certification body, conduct an internal gap assessment against the relevant ENS category controls. Identify which controls are already implemented, which are partially implemented, and which are absent. This assessment drives the remediation roadmap.
Phase 2: Remediation. Implement the missing controls, produce the required documentation (security policy, risk analysis, security procedures), and establish the governance structures required by the organisational framework. This phase typically takes 3–6 months depending on the starting point.
Phase 3: Pre-audit review. Most certification bodies offer an optional pre-audit review—a preliminary assessment to identify remaining gaps before the formal audit. This significantly reduces the risk of certification audit failure.
Phase 4: Certification audit. The accredited certification body conducts a formal audit against the ENS requirements. The audit produces a technical report and, if controls are found adequate, a Certification of Conformity (Certificado de Conformidad). The certificate is valid for two years for High category and three years for Basic and Medium, with annual surveillance reviews.
Phase 5: Ongoing maintenance. ENS certification is not a one-time event. The framework requires annual security reviews, evidence of ongoing control operation, and re-certification at the end of the certificate validity period.
The documentation that auditors examine
ENS auditors work from a defined control catalogue and expect to find documentary evidence for each control. The most common audit findings—where companies fail certification or receive significant observations—are:
Risk analysis not completed or not current. ENS requires a formal risk analysis using a defined methodology (MAGERIT is the standard Spanish methodology). The analysis must be current (typically within the last 12 months) and must cover all in-scope systems. A risk analysis template downloaded from the internet and not applied to actual systems does not satisfy this requirement.
Security policy not approved at management level. The ENS security policy must be approved by senior management or the governing body. A policy signed by the IT manager does not meet this requirement.
Access logs not retained for the required period. ENS specifies minimum log retention periods by category. Logs that age out of the system before the retention period has elapsed, or logs that exist but cannot be searched by identity or time range, are a common finding.
Incident management procedure not tested. The operational framework requires an incident response procedure that has been exercised. The exercise record—tabletop or simulation—must be retrievable.
Supplier security not addressed. ENS requires that supplier agreements include security requirements appropriate to the information they handle. Generic commercial terms without security clauses do not satisfy this control.
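Two of the findings above, logs that cannot be searched by identity or time range and periodic access reviews that were never carried out, can be checked before the auditor arrives. The following script is an added example written for this guide; it is not part of the original article and not an official ENS tool. The log lines, the account inventory, the 365-day retention figure and the 180-day review interval are all constructed placeholders: ENS sets its own minimum retention periods per category, and this script does not encode them, so substitute the figures for your category before relying on the result.

```python
"""Log-retention and access-review pre-audit checks (added example, not from the article).

Everything below is constructed for illustration: the log lines, the account
inventory, the retention placeholder and the review interval. ENS defines its
own minimum retention periods per category; those figures are not encoded here.
"""
from datetime import datetime, timezone

# Constructed privileged-access log: ISO-8601 timestamp, identity, action, target.
SAMPLE_LOG = """\
2024-09-01T08:15:00Z alice sudo /etc/ssh/sshd_config
2024-11-20T09:02:00Z bob role-assume admin
2025-01-10T17:45:00Z alice role-assume admin
2025-02-28T12:00:00Z carol sudo /var/log/journal
"""

# Constructed account inventory: identity, privileged flag, date of last access review.
ACCOUNTS = [
    {"identity": "alice", "privileged": True, "last_review": "2024-12-01"},
    {"identity": "bob", "privileged": True, "last_review": "2024-03-15"},
    {"identity": "carol", "privileged": False, "last_review": "2024-10-01"},
    {"identity": "dave", "privileged": True, "last_review": "2025-01-20"},
]

# Fixed "now" so the example is reproducible; a live check would use datetime.now(timezone.utc).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
REQUIRED_RETENTION_DAYS = 365  # placeholder, not an ENS figure
REVIEW_INTERVAL_DAYS = 180     # placeholder, not an ENS figure


def parse_log(text):
    """Turn the space-separated log text into dicts with timezone-aware timestamps."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, action, target = line.split(maxsplit=3)
        entries.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "identity": identity,
            "action": action,
            "target": target,
        })
    return entries


ENTRIES = parse_log(SAMPLE_LOG)


def retention_coverage_days(entries, now=NOW):
    """How many days back the retained log actually reaches (0 if the log is empty)."""
    if not entries:
        return 0
    return (now - min(e["ts"] for e in entries)).days


def retention_satisfied(entries, required_days=REQUIRED_RETENTION_DAYS, now=NOW):
    """True when the oldest retained entry is at least required_days old.
    A younger oldest entry means either the system is newer than the retention
    period or entries aged out early; both need explaining to the auditor."""
    return retention_coverage_days(entries, now) >= required_days


def search(entries, identity=None, start=None, end=None):
    """Filter by identity and/or an inclusive time window: the searchability auditors test."""
    return [
        e for e in entries
        if (identity is None or e["identity"] == identity)
        and (start is None or e["ts"] >= start)
        and (end is None or e["ts"] <= end)
    ]


def overdue_reviews(accounts, interval_days=REVIEW_INTERVAL_DAYS, now=NOW):
    """Identities whose last periodic access review is older than interval_days."""
    overdue = []
    for acct in accounts:
        reviewed = datetime.fromisoformat(acct["last_review"]).replace(tzinfo=timezone.utc)
        if (now - reviewed).days > interval_days:
            overdue.append(acct["identity"])
    return overdue


def privileged_never_logged(accounts, entries):
    """Privileged identities absent from the privileged-access log: dormant accounts
    or a logging gap, and either way a question the auditor will ask."""
    seen = {e["identity"] for e in entries}
    return [a["identity"] for a in accounts if a["privileged"] and a["identity"] not in seen]


def audit_findings(entries=ENTRIES, accounts=ACCOUNTS, now=NOW):
    """Collect the checks into one report dict."""
    return {
        "retention_coverage_days": retention_coverage_days(entries, now),
        "retention_satisfied": retention_satisfied(entries, now=now),
        "overdue_reviews": overdue_reviews(accounts, now=now),
        "privileged_never_logged": privileged_never_logged(accounts, entries),
    }


if __name__ == "__main__":
    for key, value in audit_findings().items():
        print(f"{key}: {value}")
    # Example query: everything alice did in the first quarter of 2025.
    q1 = search(ENTRIES, identity="alice",
                start=datetime(2025, 1, 1, tzinfo=timezone.utc),
                end=datetime(2025, 3, 31, tzinfo=timezone.utc))
    print("alice, Q1 2025:", [(e["ts"].isoformat(), e["action"]) for e in q1])
```

On the constructed data the report shows a log reaching back 180 days against the 365-day placeholder, one account (bob) overdue for review, and one privileged account (dave) that never appears in the log. Each of those is the kind of item the findings above describe; the point of running the check early is to have the explanation, or the fix, in hand before the certification audit rather than receiving it as an observation.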
Why ENS certification is a competitive advantage
Beyond the compliance obligation, ENS certification provides commercial benefits that extend beyond public sector work:
Preferred supplier status. Public procurement procedures in Spain increasingly weight ENS certification as a selection criterion. For some contracts, certification at the required level is an exclusion criterion—companies without it are not evaluated.
Market differentiation. In the Spanish private sector, ENS certification provides independent evidence of security maturity that no internal claim can substitute. Financial services, healthcare, and legal sectors increasingly request it from critical technology suppliers.
European equivalence. ENS Medium and High certification is increasingly recognised across European public sector procurement as equivalent to ISO/IEC 27001 plus additional sector-specific controls. For Spanish companies expanding to other EU markets with public sector ambitions, it provides a recognised baseline.
The path to ENS certification is not short and it is not costless. But for any company serious about operating in Spain’s public sector market, it is the foundation on which all other public sector business development stands.