What is the Spanish National Security Scheme (ENS): introductory guide
A clear introduction to the ENS (Esquema Nacional de Seguridad), the mandatory Spanish information-security framework governed by RD 311/2022.
The Spanish National Security Scheme (ENS, Esquema Nacional de Seguridad) is the mandatory information-security framework that the Spanish public administration and its service providers must comply with. Established by Royal Decree 311/2022, it defines the security policy that governs the use of electronic means in the public sector. If you provide services to any Spanish public body, you will sooner or later be asked for ENS compliance — and likely for a formal certificate.
This guide gives you a first tour of what the ENS is, who it applies to, and why it matters.
The purpose of the ENS
The ENS aims to create a common baseline of security for all the information systems used by public administrations and their providers. Its objectives:
- Guarantee that citizens’ data and public services are protected with consistent criteria.
- Enable interoperability between administrations with shared security rules.
- Make it auditable: compliance can be verified by an accredited third party.
- Align with European frameworks (GDPR, NIS2) without re-inventing the wheel.
Unlike ISO 27001, which is voluntary, the ENS is legally mandatory for organisations within scope.
Who must comply
Three groups:
- The Spanish public sector in the broad sense: state-level ministries, regional governments, city councils, universities, public companies, and more.
- Providers delivering services to the public sector when those services affect public-sector information or ICT systems. This is where most private companies first encounter the ENS: a tender requires it.
- Intermediaries handling public-sector data on behalf of public administrations.
In practice, if your company sells software, cloud services, BPO, or consultancy to any Spanish public body, the ENS is almost certainly already on your radar — or will be soon.
Categories: Basic, Medium, High
Each system in scope is categorised based on the impact that a security incident would have on five dimensions: confidentiality, integrity, traceability, authenticity, and availability. The result is a category:
- Basic — limited impact.
- Medium — serious impact.
- High — very serious impact, including harm to rights, public services, or critical infrastructure.
Higher categories require more controls and a formal certification audit (not just a self-declaration).
Annex II: the 73 controls
The ENS defines 73 security measures organised into three families:
- Organisational framework (policies, roles, responsibilities).
- Operational framework (planning, access control, operations, monitoring, external services, continuity).
- Protection measures (facilities, personnel, equipment, communications, media, applications, information, services).
Each control has requirements that vary by category: what is optional at Basic may be mandatory at Medium, and further reinforced at High.
Statement of Applicability and Risk Analysis
Two documents are the backbone of ENS compliance:
- Risk Analysis: often done with the MAGERIT v3 methodology and the CCN’s PILAR tool.
- Statement of Applicability (SoA): lists each control, whether it applies, and how it’s implemented.
These two documents are what the auditor will scrutinise in detail during certification.
Certification and audit
For Medium and High categories, organisations need a formal certification issued by an ENAC-accredited body. The audit is detailed and on-site, with interviews, document reviews, and technical verifications. Certification is valid for two years, with annual surveillance audits.
For the Basic category, a Declaration of Conformity is enough — self-assessed and published.
Relationship with other frameworks
- ISO 27001 — significant overlap; can be leveraged, but doesn’t cover ENS entirely.
- NIS2 — complementary; ENS covers many of NIS2’s requirements for entities in scope.
- GDPR/LOPDGDD — data protection sits alongside the ENS; both apply simultaneously.
- AI Act — emerging; the CCN has started publishing specific technical instructions.
Typical timelines and costs
- Basic: 2-3 months, 10-20k€ for a mid-sized organisation.
- Medium: 4-6 months, 30-70k€.
- High: 6-9 months, 75-180k€.
These are first-year ranges that include consultancy, audit, technical investment and internal hours. Maintenance is typically 20-30% of the initial investment annually.
Why certify
- Required to win public-sector contracts.
- Reduces real risk through structured security practice.
- Prepares the organisation for adjacent regulations (NIS2).
- Signals maturity to customers and partners.
- Aligns internal operations around a shared baseline.
Final recommendation
The ENS is not a checklist: it’s a discipline. Taken seriously, it transforms how an organisation handles information. Understanding the basics first — categories, Annex II, SoA, risk analysis, ENAC certification — makes every conversation downstream much easier. If your project is about to start, this is exactly where it begins.