The National Security Framework (ENS — Esquema Nacional de Seguridad) was created in 2010 to protect information handled by the Spanish public sector. However, since the entry into force of Royal Decree 311/2022, of 3 May, the question that more and more SME directors and IT managers put to us is always the same: «Does my private company also have to comply with the ENS?». The short answer is: it depends on whether you provide services or manage systems for a public administration. The long answer — the one you need before your next public tender — is what we develop in this article.
What is the ENS and why does it now matter to private companies?
The National Security Framework is the Spanish regulatory framework that establishes the principles, requirements and security measures that must be applied by all entities that handle information or provide electronic services within the scope of public administrations. The current text, Royal Decree 311/2022, repealed the previous 2010 decree and significantly extended its scope.
The key point for private companies lies in Article 2 of Royal Decree 311/2022, which extends the application of the ENS to «private sector providers that supply services or solutions to public sector entities». In practice, this means that if your company manages a SaaS platform for a city council, develops software for a regional government department, hosts data for a public body, or provides managed IT services to the public administration, the ENS applies directly to you. It is not optional; it is a contractual requirement that can be enforced in tender specifications.
Which private companies does the ENS bind? The three main cases
To avoid any doubt, it is worth distinguishing the cases where the obligation is clear from those where it may arise through contract or by extension:
- Direct suppliers to the public administration: companies that sign service, supply or concession contracts with public bodies and, within those contracts, handle, store or transmit classified or official-use information. Tender documents will, with increasing frequency, include an ENS conformity requirement as an eligibility condition.
- Supply chain providers: subcontractors or suppliers of a prime contractor who themselves have an ENS obligation. If the prime contractor must demonstrate conformity and delegates to you part of the service that touches public systems, the obligation flows down contractually.
- Operators of critical infrastructure with a public nexus: although the primary obligation arises from the Critical Infrastructure Protection Act (Law 8/2011), when the operator also provides services to public administrations, the ENS acts as a complementary or alternative security framework, depending on the CCN protocols.
What does not generate a direct ENS obligation is providing services exclusively to private clients with no public contracts or public data involved. In that case, the de facto reference standard is ISO 27001, which shares many controls with the ENS and makes the transition easier if you decide to enter public tenders in the future.
The three ENS categorisation levels: basic, medium and high
The ENS is not a one-size-fits-all framework. Its practical application depends on the category of the system to be handled or managed. The category is determined by the public body that owns the system — not by the private supplier — but it is the supplier that must implement the security measures corresponding to that category in their part of the service.
| System category | Impact in the event of an incident | Required conformity instrument | Who issues it |
|---|---|---|---|
| Basic | Limited (internal management information, low-risk procedures) | Declaration of Conformity (DDC) | The entity itself or the provider (self-assessment with evidence) |
| Medium | Serious (affects citizens' rights, operation of essential services, sensitive data) | ENS certification by an ENAC-accredited body | External auditor accredited by ENAC |
| High | Very serious or catastrophic (critical infrastructure, national security, classified data) | ENS certification by an ENAC-accredited body | External auditor accredited by ENAC + CCN validation in certain cases |
The vast majority of IT service contracts with local and regional public administrations fall into the medium category, which requires certification by an external auditor accredited by ENAC. The basic category, although it allows self-declaration, nonetheless requires a documented risk analysis, implementation of the measures set out in Annex II of Royal Decree 311/2022, and auditable evidence.
Compliance deadlines: the transitional regime of Royal Decree 311/2022
Royal Decree 311/2022 established a single transitional provision granting 24 months from the date of publication in the Official State Gazette (3 May 2022) for pre-existing systems to achieve full conformity with the new framework. That deadline expired in May 2024.
In practical terms, the transitional period has already expired. For a private supplier, this means that ENS conformity is no longer «something coming», but a requirement enforceable right now in any tender or contract renewal. Tender documents published since 2025 on platforms such as the Public Sector Procurement Platform now routinely include the ENS conformity clause as an admission condition.
The growth in certifications has been substantial in recent years: the CCN's governance portal records a sustained increase in entities holding a valid ENS certificate, and a significant proportion of that growth comes from private companies that need the certificate to maintain or expand their public contracts.
ENS vs. ISO 27001: are they the same? Can one substitute for the other?
This is one of the most frequent questions we receive at Summum Calidad. The answer is that they are not equivalent, but they are complementary, and holding ISO 27001 significantly eases ENS compliance.
ISO 27001 is an international standard that establishes an Information Security Management System (ISMS) based on risk analysis. The ENS, by contrast, is a Spanish national standard with a very specific catalogue of security measures — 75 measures grouped in Annex II of Royal Decree 311/2022 — and an orientation towards public service.
The main differences are:
- The ENS is mandatory for the scenarios it describes; ISO 27001 is voluntary (although frequently required by contract).
- The ENS has a more prescriptive catalogue of measures; ISO 27001 allows greater freedom to select controls from Annex A based on risk analysis.
- ENS certification is only issued by bodies accredited by ENAC; ISO 27001 certification is issued by certification bodies accredited by ENAC or equivalent European accreditation bodies (UKAS, DAkkS, etc.).
- Having ISO 27001 implemented and certified significantly reduces the effort needed to achieve ENS conformity, because they share many controls: asset management, access control, encryption, continuity, and incident management.
If your company already has ISO 27001 implemented with Summum Calidad, the path to ENS certification is considerably shorter: a gap analysis between your ISMS controls and the 75 ENS measures, a remediation plan for the gaps, and the certification audit by an ENAC-accredited body.
The ENS compliance process step by step
ENS compliance follows a structured logic that Summum accompanies from start to finish, through to obtaining the certificate (always issued by the external certification body accredited by ENAC, not by us). The typical process has four phases:
1. Applicability analysis and categorisation
The starting point is determining which of the organisation's systems are subject to the ENS and in which category they fall. This involves reviewing contracts with the public administration, the systems that handle public information, and the potential impact of a security incident on the confidentiality, integrity and availability of that information. The result is the categorisation document, which is the foundation of the entire project.
2. Risk analysis and ENS gap assessment
Once the category is known, a risk analysis is carried out on the assets involved, along with a gap analysis between the security measures already in place and the 75 measures in Annex II of Royal Decree 311/2022 required for that category. This analysis produces the compliance plan, prioritised by risk and effort.
3. Implementation of measures and documentation
The technical and organisational measures identified in the gap analysis are implemented: security policies, identity management, encryption, network segmentation, backups, vulnerability management, staff training, and incident response procedures. Each measure is documented with the evidence required for the audit.
4. Certification audit
For medium and high categories, an ENAC-accredited body carries out the certification audit in two phases: document review and on-site audit. If the result is positive, it issues the ENS conformity certificate, valid for two years, after which it must be renewed. For the basic category, the Declaration of Conformity is signed by the security manager, supported by the analysis evidence and the implemented measures.
To start the process, the most efficient first step is to request an initial assessment with our specialist team: see the ENS compliance service at Summum Calidad here.
Consequences of non-compliance: what you are really risking
The ENS does not have its own penalty regime with direct fines for private suppliers. However, the consequences of non-compliance are equally serious from a business perspective:
- Exclusion from public tenders: if the tender specifications require ENS conformity and you do not have it, you are automatically excluded from the procedure.
- Early contract termination: if during the execution of an already awarded contract it is found that the supplier is not maintaining the required security level, the contracting authority may terminate the contract for breach of technical conditions.
- Liability for incidents: if a security breach occurs in systems under your management, the lack of ENS compliance aggravates contractual liability and, where applicable, civil liability towards the public body and the citizens whose data have been compromised.
- Loss of competitive advantage: as more suppliers become certified, those who do not are placed at a disadvantage in selection processes, even when certification is not formally required but is valued as an award criterion.
ENS and NIS2: the regulatory convergence ahead
The NIS2 Directive (EU Directive 2022/2555), whose transposition into Spanish law is pending in 2026, will extend cybersecurity obligations to sectors that have not previously been in scope: industrial manufacturing, food, waste management, postal services, digital services and managed service providers (MSPs). Many of these sectors have contractual relationships with the public administration and will find that they must simultaneously comply with the ENS (for their public contracts) and with NIS2 requirements (for their sector).
The good news is that both frameworks share a common logic based on risk management, security governance, incident reporting and business continuity. A well-executed ENS compliance project lays the foundation for covering a significant portion of NIS2 requirements, especially regarding technical and organisational measures.
Frequently asked questions
Does my company need ENS certification even if the public contract is small?
The ENS conformity obligation does not depend on the contract value, but on whether the systems involved handle public sector information and the category of those systems. A low-value contract that involves access to citizens' data or municipal management platforms may equally require ENS conformity. It is the impact level of the system, not the economic value of the contract, that determines the requirement.
How long does the compliance and certification process take?
Timelines vary according to the organisation's starting point and the system category. For a company with a reasonable security posture and basic-category systems, the declaration of conformity process can be completed in 3 to 5 months. For medium-category certification by an accredited body, the typical timeline is between 6 and 12 months, including the external audit. If the company already has ISO 27001 implemented, timelines are significantly reduced because the risk analysis and many controls are already documented and operational.
Does ISO 27001 replace the ENS in public contracts?
No. ISO 27001 is a valuable and complementary international standard, but it does not replace the ENS for regulatory compliance in contracts with Spanish public administrations. A tender that requires ENS conformity cannot be satisfied by ISO 27001 certification alone. That said, as we have explained, having a current ISO 27001 certification considerably reduces the effort and cost of ENS compliance, because many of its measures are already documented and implemented.
Which bodies can certify the ENS in Spain?
Only inspection or certification entities accredited by ENAC (Entidad Nacional de Acreditación — National Accreditation Body) under the specific CCN (National Cryptology Centre) scheme may certify ENS conformity for medium and high categories. Several bodies operate in Spain with this accreditation: AENOR, Bureau Veritas, SGS, DNV and others. Summum Calidad, as a consultancy, accompanies the compliance process, but certification is always issued by the external accredited body.