ENS security levels: which does your system need?

·

When a company supplying the Spanish Public Administration begins its National Security Framework (ENS) compliance process, the first question it must answer is also the most important: which category does my system fall into? The category — basic, medium or high — is not a bureaucratic formality; it determines the volume of measures that must be implemented, the level of documentary rigour required and, above all, the type of conformity that will be demanded before your next public tender reaches a successful conclusion.

Why is system categorisation the mandatory starting point?

Royal Decree 311/2022 of 3 May, which regulates the National Security Framework (BOE-A-2022-7191), organises its compliance logic around a fundamental principle: proportionality. Not all information systems handle the same type of data or provide the same services; therefore, not all of them require the same measures. Annex I of RD 311/2022 establishes the procedure for determining the system category, and that result directly determines which subset of the 75 measures in Annex II is required.

Categorisation must be carried out before selecting any security control. Starting to implement measures without having categorised the system is a frequent mistake that generates either overcost — applying higher-level controls that are not required — or, worse, undercost, when controls that are mandatory for the system's actual category are omitted.

What are the five CIDAT security dimensions and how are they assessed?

A system's category is determined by assessing the impact that a security incident would have on each of the five security dimensions that the ENS groups under the acronym CIDAT:

For each service in scope, the impact on each dimension is rated using the three-level scale of Annex I: LOW, MEDIUM or HIGH. The rating is based on the actual consequences a security incident would have on the organisation, citizens, the public service or national security. CCN-STIC Guide 806 provides concrete valuation criteria that help to objectify these decisions.

How is the final system category — basic, medium or high — determined?

The system category results from the highest impact assigned to any of the five CIDAT dimensions for any of the services in scope. Annex I's rule is precise:

It is important to note that a single dimension of a single service in scope reaching the HIGH level is sufficient to classify the entire system as high category, which activates the most demanding set of Annex II measures. For this reason, correctly defining the system scope — and not expanding it unnecessarily — is a strategic decision with significant consequences for the cost and timeline of the compliance project.

What practical differences exist between the three category levels in terms of measures and conformity?

Differences between categories are not only quantitative. Medium and high level measures require a greater reinforcement level: more granular controls, greater traceability and more rigorous procedures. Annex II indicates for each measure whether it applies to basic, medium or high category, and with which reinforcement level (R1, R2 or R3 in CCN-STIC series 800 terminology).

The most operationally decisive difference is the required conformity route:

It is important to clarify that specialist accompaniment — such as that provided by Summum Calidad through its ENS compliance service — does not replace or issue the conformity certificate, which is the exclusive competence of ENAC-accredited bodies. Accompaniment prepares the system to pass that process with the greatest possible guarantees.

How often must categorisation and conformity be renewed?

Annex III of RD 311/2022 establishes that information systems subject to the ENS must undergo a security audit at least every two years. For basic category systems, renewal of the self-assessed declaration of conformity follows the same biennial cycle. For medium or high category, the ENAC-accredited body carries out the renewal audit within that period.

Any significant change in the system scope, its technology architecture or the services provided may require a new categorisation and, consequently, an extraordinary audit outside the regular cycle. Categorisation is not an exercise carried out once and filed away: it must be updated whenever the system or the services in scope change in a material way.

What common mistakes are made when categorising an ENS system?

Experience in compliance projects makes it possible to identify recurring error patterns in the categorisation phase:

How does ENS categorisation fit within an information security management system?

For organisations working with a certified or in-progress ISO 27001:2022 standard, the impact analysis of ENS categorisation aligns naturally with the risk assessment that ISO 27001 requires. The five CIDAT dimensions of the ENS have their conceptual equivalent in ISO 27001's asset valuation criteria, and the analysis results can be leveraged across both frameworks without duplicating effort.

This overlap is precisely why the integrated ENS–ISO 27001 compliance approach is more efficient than two separate projects. As analysed in detail in the article on how much can be saved by implementing ENS and ISO 27001 together, estimated savings versus two parallel projects are between 30% and 40% in cost and team time.

If you are not yet clear on whether the ENS applies to you or under what circumstances it obliges you, you can first consult the article on when the ENS is mandatory for private companies, which clarifies the scope of application of Article 2 of RD 311/2022 and the most common mandatory scenarios for suppliers.

What to do after determining the system category?

Once the category has been determined, the next step is to prepare the compliance plan in accordance with CCN-STIC Guide 806, which selects the applicable Annex II measures, prioritises them by impact on residual risk and sets an implementation timeline with assigned responsibilities. That plan, together with the risk analysis and the Statement of Applicability, is the roadmap that will guide the entire compliance process through to the declaration or certification of conformity.

Summum Calidad accompanies organisations supplying the Spanish Public Administration throughout that journey, from initial categorisation to rigorous preparation for the conformity audit. Our ENS accompaniment service covers the initial diagnosis, gap analysis, documentation preparation and pre-audit review so that the declaration or certification process is completed with the strongest possible foundation.