
ENS 2026: trends and expected updates

What's changing in ENS in 2026: NIS2 consolidation, AI Act integration, evolution of the CCN catalogue, and reinforced supply-chain expectations.

Laura Méndez · Lead Auditor CISA · CertENS

2026 is shaping up as a year of consolidation for the Spanish cybersecurity framework. After two full years of RD 311/2022 in operation and NIS2 transposed, the ENS ecosystem is entering a maturity phase. This article previews the trends and updates we see coming, and what you should watch if you’re implementing or about to renew.

1. NIS2 is no longer “the new thing”

The Spanish NIS2 transposition has completed its first cycles of registration, supervision and notification. In 2026:

  • Supervisory authority inspection criteria consolidate.
  • Early sanction cases produce real-world precedent.
  • Entities in dual scope (ENS + NIS2) stabilise integrated systems.
  • CCN-STIC guides emerge that align NIS2 with ENS Annex II.

Any organisation still treating the two frameworks as separate projects will learn in 2026 the cost of that choice: duplication, inconsistencies and higher total cost.

2. Real reinforcement of supply-chain security

Supplier requirements have tightened every year. In 2026, the direction is clear:

  • Standardised questionnaires pushed by major public contractors: one questionnaire serves multiple customers.
  • Mutual recognition of certifications between customers (no repeat audits if a valid ENS certificate exists).
  • Continuous monitoring of critical suppliers via TPRM platforms.
  • Transparent sub-contracting: sub-contractors must be notified to the end customer.
  • Stricter termination clauses for non-compliance.

Preparing your critical suppliers for this new environment avoids surprises.

3. AI formally enters the ENS framework

The EU AI Act is already binding for certain systems. In 2026 we see:

  • Publication of a specific CCN Technical Instruction for systems with AI components under ENS scope.
  • Specific reinforcements in op.pl, op.exp, op.mon for AI-bearing systems.
  • Increased audit attention to explainability and traceability of automated decisions.
  • Specific training on AI security under mp.per.4.

If your system incorporates models (in-house or via third-party APIs) and you don’t yet have an AI-specific policy, 2026 is the year to create one.

4. Post-quantum enters the agenda

CCN-STIC 807 and related guides begin to mention post-quantum cryptography explicitly. There is no immediate obligation, but:

  • Recommendations of hybrid algorithms (classical + post-quantum) for long-lived data.
  • Cryptography inventory with planned migration dates.
  • Awareness of the “harvest now, decrypt later” problem.
  • Migration plans for High-category systems.

High-category systems holding data that stays sensitive for a long time should start planning.
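A cryptography inventory with planned migration dates can be checked mechanically for "harvest now, decrypt later" exposure. The Python below is an added example, not CertENS or CCN tooling; the field names, the algorithm lists, the 10-year "long-lived" threshold and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions for this example: key-establishment schemes a quantum adversary
# could break, the post-quantum KEM family name, and the number of years
# above which data counts as "long-lived".
QUANTUM_VULNERABLE_KEX = {"RSA", "DH", "ECDH", "X25519"}
PQ_KEM_PREFIX = "ML-KEM"
LONG_LIVED_YEARS = 10
CATEGORY_RANK = {"High": 0, "Medium": 1, "Basic": 2}
STATUS_RANK = {"unplanned": 0, "overdue": 1, "planned": 2}

@dataclass(frozen=True)
class CryptoAsset:
    system: str
    ens_category: str              # "Basic", "Medium" or "High"
    key_exchange: tuple            # algorithms used to establish keys
    confidentiality_years: int     # how long the data must stay secret
    migration_date: Optional[date]

def is_exposed(a):
    """Long-lived data whose key exchange has no post-quantum component."""
    classical = any(k in QUANTUM_VULNERABLE_KEX for k in a.key_exchange)
    hybrid = any(k.startswith(PQ_KEM_PREFIX) for k in a.key_exchange)
    return a.confidentiality_years >= LONG_LIVED_YEARS and classical and not hybrid

def status(a, today):
    if not is_exposed(a):
        return "ok"
    if a.migration_date is None:
        return "unplanned"
    return "overdue" if a.migration_date < today else "planned"

def migration_backlog(inventory, today):
    """Exposed assets: High category first, then unplanned before overdue."""
    rows = [(a, status(a, today)) for a in inventory]
    rows = [(a, s) for a, s in rows if s != "ok"]
    rows.sort(key=lambda r: (CATEGORY_RANK[r[0].ens_category],
                             STATUS_RANK[r[1]], -r[0].confidentiality_years))
    return [(a.system, a.ens_category, s) for a, s in rows]

REVIEW_DATE = date(2026, 1, 15)    # constructed review date
SAMPLE_INVENTORY = [               # constructed entries, not real systems
    CryptoAsset("health-data-exchange", "High", ("RSA",), 30, date(2027, 12, 31)),
    CryptoAsset("hr-backup-vault", "Medium", ("RSA",), 12, date(2025, 6, 30)),
    CryptoAsset("tax-portal-tls", "High", ("X25519", "ML-KEM-768"), 15, None),
    CryptoAsset("public-news-site", "Basic", ("ECDH",), 1, None),
    CryptoAsset("citizen-records-archive", "High", ("ECDH",), 25, None),
]
```

Calling `migration_backlog(SAMPLE_INVENTORY, REVIEW_DATE)` returns only the exposed systems, so the hybrid TLS endpoint and the short-lived public site drop out of the list.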

5. New compliance profiles

CCN continues publishing sector-adapted profiles. In 2026 we see:

  • Profiles for small local entities with reduced administrative burden.
  • Profiles for SaaS providers serving public administrations.
  • Profiles for early-stage startups targeting the public sector.
  • Alignment with European profiles (ENISA) to facilitate mutual recognition.

Using these profiles substantially reduces the work of adapting to ENS.

6. Compliance automation

GRC tooling has matured. In 2026 it’s common to see:

  • Continuous control with auto-collected evidence (APIs to cloud, IAM, EDR).
  • Real-time dashboards of control health.
  • Partially automated audits with objective evidence.
  • Proactive alerts when a control degrades.
  • PILAR integration so the risk analysis stays current.

Organisations adopting these tools navigate audits with less stress and more discipline.

7. Operational security (DevSecOps)

Cloud-native systems require DevSecOps approaches. ENS adapts:

  • Infrastructure as Code (IaC) with controls encoded.
  • Policy-as-Code for configurations.
  • Automated security testing in pipelines.
  • SBOM (Software Bill of Materials) mandatory in critical systems.
  • Integration with component vulnerability management (SCA).

ENS 2026 is not incompatible with modern engineering: it requires applying it with discipline.

8. Professionalisation of the Security Officer role

The Responsible Officer for Information Security gains formal weight:

  • Recognised specific training.
  • Professional registry in some autonomous communities.
  • Remuneration and seniority matching the role.
  • Effective separation from operational function.

Organisations assigning the role as a side-task to a sysadmin increasingly face tensions.

9. Metrics and maturity

ENS maturity metrics standardise:

  • Percentage of measures implemented.
  • Mean time to close critical vulnerabilities.
  • Training coverage.
  • Phishing-simulation outcomes.
  • Incident response time.

INES incorporates these indicators. Sector benchmarking emerges.

10. European recognition

The European Commission is working on common cybersecurity frameworks. In 2026 this starts to materialise:

  • European certification scheme (EUCS) for cloud services.
  • Cross-recognition between ENS and equivalent schemes in other EU member states.
  • Cross-border public procurement with harmonised cybersecurity requirements.

Organisations with international ambition gain from this convergence.

What to do with this information

If you’re in implementation:

  • Keep these trends in mind as you design the system.
  • Bet on automation from the start.
  • Integrate ENS + NIS2 + AI from day one.

If you’re already certified:

  • Include these trends in your improvement plan.
  • Prepare your Committee with the 2026 horizon.
  • Invest gradually in automation.

If you’re a provider:

  • Prepare standardised questionnaires and answers.
  • Position your ENS certification as a differentiator.
  • Anticipate expectations around continuous monitoring.

Final recommendation

2026 doesn’t bring a “new ENS”, but a consolidated framework that’s more demanding in practice. Organisations that settle into complacency will fall behind; those that use the maturity phase to evolve will gain competitiveness. Now is a good moment to update the 24-month plan.
