Public-sector providers: why you need ENS to win tenders
How the ENS has become a de facto requirement for providers bidding on Spanish public-sector contracts — what's mandatory, what's practical and how to get certified in time.
If your company sells to Spanish public administrations — software, cloud, managed services, consultancy, BPO, or any information-handling service — the ENS is no longer optional. It’s the de facto passport for winning tenders. This article explains what public-procurement rules require today, how public bodies evaluate ENS in tender scoring, and what to do if your clients are starting to ask for it.
Why procurement demands ENS
Legal basis
RD 311/2022 explicitly extends the ENS to providers processing information or delivering services to the public sector. That means the procuring body is obliged to require ENS-level security from its providers. In practice, that obligation is cascaded into:
- Mandatory clauses in tender specifications (PPT, the pliegos de prescripciones técnicas).
- Evidence-of-compliance requirements.
- Security-audit rights.
- Non-compliance penalties.
Market reality
Even before 2022, many Spanish public bodies had already started demanding ENS. Today it’s almost universal:
- Ministries and state-owned enterprises.
- Regional governments (Comunidades Autónomas).
- Large city councils.
- Universities.
- Public health services (SERGAS, SERMAS, ICS, etc.).
- Public transport operators.
A tender without ENS-related requirements in the PPT is now the exception.
What’s typically required in tenders
Mandatory compliance with ENS
Most PPTs require the provider to implement ENS in the systems used to deliver the contracted service. What changes is how that’s demonstrated.
Mandatory certification
In contracts where the information is Medium or High category, a formal ENAC-accredited ENS certificate is typically required at bid-submission time, or within a grace period after contract award.
Mandatory Declaration of Conformity
For Basic category services, a Declaration of Conformity may suffice — but must be published on your website and registered.
Contractual clauses
- Right of audit by the procuring body.
- Incident-reporting obligations.
- Notification of sub-contracting.
- Specific data-handling terms.
- Ability to terminate for non-compliance.
Scoring and tie-breakers
Beyond mandatory requirements, some tenders score security certifications as quality/value factors — giving ENS-certified providers extra points. In tight competitions, those points decide.
Timing problem: when to start
The fatal mistake: learning about ENS two weeks before a tender closes. ENS projects take 3-9 months, not weeks. Procurement rules typically allow certification within the first few months of the contract, but:
- Some tenders require certification at bid time. If you are not certified by then, you’re out.
- Even with grace periods, if you fail to certify in time, you lose the contract.
Providers who treat ENS as a strategic investment (rather than a reactive scramble) win the market.
What to certify: scope decisions
You don’t need to certify everything you do — just the systems that will serve the contract. Smart scoping:
- Certify the specific services and infrastructure that touch public-sector data.
- Leave unrelated internal systems out of scope.
- Align scope with your target market (don’t over-scope at High if your business is Medium-category services).
A well-scoped certification is 30-50% cheaper than an over-scoped one. Scoping is a strategic decision, not a technical one.
Common types of providers and their typical category
SaaS providers
Medium by default. Often High if the solution handles clinical data, fiscal data, or critical administrative services.
Managed-services and BPO providers
Depends on the service. Citizen-services BPO tends to be Medium. Sensitive-services BPO (health records, judicial) tends to be High.
Software development services
Medium for most custom development. High if you build on, or test with, sensitive production data.
Cloud providers
The category typically follows from the service layer they provide. Major hyperscalers (AWS, Azure, GCP) have ENS certifications for their Spanish regions — providers building on them can inherit many controls, reducing their own work.
Consultancy and advisory
Basic or Medium depending on what you handle: usually Basic unless you access sensitive data directly.
Leveraging your hyperscaler’s ENS
If you build on AWS, Azure, GCP, OVH or Arsys and they have ENS certification, you can inherit controls via the shared-responsibility model. Specifically:
- Physical security of the DC.
- Network perimeter.
- Hypervisor and base OS.
- Storage encryption at rest.
- Some backup and redundancy controls.
You still need to own:
- Application-level controls.
- Data classification.
- Customer-side access management.
- Organisational controls (policy, roles, training).
- Specific configuration hardening.
A good cloud architecture can save 20-30% of the ENS project by leveraging provider certifications.
Costs and ROI
For a typical SMB provider aiming at the public-sector market:
- Medium category first-year investment: 30-70k€.
- Annual maintenance: 6-12k€.
- Typical contract size won: 50-500k€+ across 2-4 years.
ROI is usually positive after the first contract won. Multi-year public-sector contracts with ENS as a barrier to entry protect margins: competition is smaller and prices are more stable.
Mistakes providers make
Treating ENS as pure bureaucracy
Minimal documentation, no real implementation. It fails at audit or, worse, during a security incident affecting a client.
Copy-paste documentation
Generic policies downloaded from the internet, unrelated to actual practice. Auditors detect this immediately.
Over-scoping to “play it safe”
Certifying everything you do, including internal systems. Unnecessary cost, slower project.
Last-minute panic
Starting 6 weeks before a big tender. Doesn’t work.
Ignoring sub-contractors
If you sub-contract parts of the service, your sub-contractors need to align. Procurement will ask.
Picking the wrong partner
Generic consultancies doing ENS as a side gig often produce weak implementations. Specialisation matters.
Roadmap for a provider starting today
- Month 1: strategic decision + scoping workshop. Pick target category. Pick partner.
- Months 2-3: gap analysis and initial implementation plan.
- Months 3-5: document drafting, risk analysis, technical controls deployment.
- Month 5: pre-audit with independent consultant.
- Month 6: formal audit by ENAC-accredited body.
- Month 7: certificate issued. Ready to bid.
Total: 6-7 months for Medium. This can be compressed to 4-5 months if the starting security posture is strong.
Final recommendation
If you sell (or plan to sell) to the Spanish public sector, ENS is not a checkbox — it’s a competitive necessity. Start before it’s urgent. Scope smartly. Pick specialists. Treat it as a strategic investment, not a compliance cost. The providers that move first dominate the market of the next 3-5 years.