
ENS categories: Basic, Medium and High explained with examples

The three ENS categories under RD 311/2022 explained with real-world examples: how they're determined, what changes between them and how to pick the right one.

7 min read Diego Aranda · ENS Implementer · CertENS

Categorising a system is one of the most consequential early decisions in an ENS project. It determines which Annex II controls apply, which reinforcements kick in, how demanding the audit will be, and how much the whole project will cost. Get it wrong and you either over-engineer (expensive) or under-protect (serious audit risk). This article explains the three categories — Basic, Medium, High — with concrete examples so you can place your own system correctly.

Where the categories come from

Annex I of RD 311/2022 defines categorisation as a function of the maximum impact a security incident would produce across the five security dimensions: confidentiality, integrity, traceability, authenticity, and availability.

Each dimension is rated Low, Medium or High. The system’s overall category is the highest rating across all dimensions. So a system with Medium confidentiality and Low everything else is a Medium system — not an average.

Basic

Systems where a security incident would have a limited impact: minor damage to public image, minor operational disruption, no significant economic or legal damage, and no harm to the rights of third parties.

Typical examples

  • Publication of non-sensitive information on a ministry’s web portal.
  • Internal intranet for communication without sensitive personal data.
  • System for managing public concerts or events with no personal-data processing.
  • Small town council’s citizen form system with basic tracking.

What it requires

  • Reduced controls from Annex II.
  • Declaration of Conformity (self-declared by the organisation).
  • Registration in INES (Informe Nacional del Estado de Seguridad).
  • Publication of the declaration.

Basic is accessible — typically 2-3 months of implementation.

Medium

Systems where an incident would have a serious impact: noticeable economic damage, substantial reputational harm, significant operational disruption, or harm to the rights of specific individuals.

Typical examples

  • Human-resources management systems for a medium-sized public body.
  • Taxation systems at a regional or municipal level.
  • Citizen-identification systems that authenticate access to public services.
  • Healthcare administrative systems (hospital admissions, appointment management).
  • Electronic-registry systems for public tenders.
  • E-government portals for filing official applications.

What it requires

  • Full set of Medium-level controls across Annex II.
  • Formal Certification by an ENAC-accredited body.
  • Surveillance audit annually.
  • Recertification every two years.
  • Full documentation: risk analysis, SoA, STIC procedures.

Medium is the most common category in our project portfolio. Timelines: 4-6 months.

High

Systems where an incident would have a very serious impact: large economic losses, harm to the rights of many people, a threat to life or physical integrity, serious disruption of essential services, or national-security implications.

Typical examples

  • Systems supporting essential public services (electricity, water, emergency calls).
  • Sensitive healthcare systems (clinical records, research on human subjects).
  • Intelligence and national-security systems.
  • Central immigration and border-management systems.
  • Justice Administration systems (case files, sentence databases).
  • Banking systems of public banks.
  • Platforms supporting essential or important operators under NIS2 (often High by default).

What it requires

  • Full Annex II with all reinforcements.
  • Dedicated Security Operations Centre (SOC) or equivalent.
  • 24/7 monitoring, a Disaster Recovery Plan (DRP), a Business Continuity Plan (BCP) and full supply-chain control.
  • Formal Certification by an ENAC-accredited body, with a more demanding audit.
  • Surveillance annually, recertification biennial.

Timelines: 6-9 months minimum. Costs naturally higher.

The five dimensions explained

Confidentiality

“What happens if this information becomes public?” If the answer is “nothing”, Low. If “serious harm or liability”, High.

Integrity

“What if this information were altered silently?” For clinical records, High. For a static page with public event schedules, Low.

Traceability

“Can I reconstruct who did what?” For systems with decisions affecting citizens, High. For pure information websites, Low.

Authenticity

“Are the users and the actions they perform really who they claim?” For e-government submissions, High. For a read-only search interface, Low.

Availability

“What if the system were down for hours, or for days?” For emergency services, High. For a consultation page with no time-critical use, Low.

Common categorisation mistakes

Over-categorising “to be safe”

“We’ll go High to avoid problems” — this multiplies cost for no protection benefit if the actual impact is lower. Justify decisions honestly.

Under-categorising out of convenience

“We don’t want to do Medium because of the audit” — if the actual impact is serious, Basic is not a real option. The auditor will question it, and worse, a real incident could exceed the protections you put in place.

Averaging dimensions

The category is the maximum, not an average. One High dimension pushes the whole system to High.

Categorising the whole organisation

Categorisation is per system, not per organisation. The HR system may be Medium while the events portal is Basic.

Ignoring supply-chain dependencies

If your system depends on a provider system at a different category, that mismatch must be analysed and documented.

The role of the Information Owner

The Information Owner (Responsable de la Información) is the person formally responsible for assigning dimension levels. They must know the business value of the information and decide based on criteria, not feelings. In public bodies this is typically a director or similar role. In private providers, often someone senior from the business unit owning the service.

How we approach categorisation at CertENS

  1. Scope the system precisely (assets, data, users, sub-services).
  2. Workshop with Information Owner, Service Owner, System Owner.
  3. Walk through each dimension with concrete impact scenarios.
  4. Assign Low / Medium / High per dimension with written justification.
  5. Derive the overall category.
  6. Formally document the decision in the Risk Analysis.
  7. Align the SoA accordingly.

This categorisation is the foundation of the whole project. It takes 1-2 weeks of focused work and pays dividends in everything that follows.
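The procedure above, as a small added check (not CertENS's own tooling): it refuses unrated or unjustified dimensions, derives the category as the maximum level (so one High dimension lifts the whole system), keeps categorisation per system, and flags dependencies on provider systems categorised lower than the system relying on them. The system names, ratings and justifications are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Annex I dimension levels and the system category that each maximum maps to.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
CATEGORY = {1: "Basic", 2: "Medium", 3: "High"}
RANK = {c: r for r, c in CATEGORY.items()}
DIMENSIONS = ("confidentiality", "integrity", "traceability", "authenticity", "availability")

@dataclass
class Rating:
    level: str          # "Low", "Medium" or "High"
    justification: str  # written reason agreed in the owners' workshop

@dataclass
class System:
    name: str
    ratings: Dict[str, Rating]
    depends_on: List[str] = field(default_factory=list)  # provider systems it relies on

def categorise(system: System) -> str:
    """Overall category is the highest dimension level, never an average."""
    missing = [d for d in DIMENSIONS if d not in system.ratings]
    if missing:
        raise ValueError(f"{system.name}: unrated dimensions {missing}")
    bare = [d for d, r in system.ratings.items() if not r.justification.strip()]
    if bare:
        raise ValueError(f"{system.name}: no written justification for {bare}")
    return CATEGORY[max(LEVELS[r.level] for r in system.ratings.values())]

def dependency_mismatches(systems: Dict[str, System]) -> List[Tuple[str, str, str, str]]:
    """(system, category, provider, provider category) for each provider rated below its dependant."""
    cats = {name: categorise(s) for name, s in systems.items()}
    return [(name, cats[name], dep, cats[dep])
            for name, s in systems.items() for dep in s.depends_on
            if RANK[cats[dep]] < RANK[cats[name]]]

def rate(levels: Dict[str, str]) -> Dict[str, Rating]:
    """Build ratings with placeholder justifications (constructed sample data only)."""
    return {d: Rating(lvl, f"constructed justification for {d}") for d, lvl in levels.items()}

# Constructed sample: an HR system whose confidentiality is Medium, the
# identity provider it authenticates against, and a Basic events portal.
SAMPLE = {
    "hr": System("hr", rate({**dict.fromkeys(DIMENSIONS, "Low"),
                             "confidentiality": "Medium"}), depends_on=["idp"]),
    "idp": System("idp", rate(dict.fromkeys(DIMENSIONS, "Low"))),
    "events": System("events", rate(dict.fromkeys(DIMENSIONS, "Low"))),
}
```

Running `dependency_mismatches(SAMPLE)` reports the HR system (Medium) depending on an identity provider categorised Basic, exactly the mismatch that must be analysed and documented.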

Final recommendation

Don’t rush categorisation. It’s tempting to tick a box and move on, but a poor categorisation contaminates every downstream decision. Invest the time, get the business stakeholders engaged, document the justifications, and the rest of your ENS project will run on rails. Mis-categorise and you’ll be fighting the decision every step of the way.
