When a company supplying the Spanish Public Administration begins its National Security Framework (ENS) compliance process, the first question it must answer is also the most important: which category does my system fall into? The category — basic, medium or high — is not a bureaucratic formality; it determines the volume of measures that must be implemented, the level of documentary rigour required and, above all, the type of conformity that will be demanded before your next public tender reaches a successful conclusion.
Why is system categorisation the mandatory starting point?
Royal Decree 311/2022 of 3 May, which regulates the National Security Framework (BOE-A-2022-7191), organises its compliance logic around a fundamental principle: proportionality. Not all information systems handle the same type of data or provide the same services; therefore, not all of them require the same measures. Annex I of RD 311/2022 establishes the procedure for determining the system category, and that result directly determines which subset of the 75 measures in Annex II is required.
Categorisation must be carried out before selecting any security control. Starting to implement measures without having categorised the system is a frequent mistake that generates either overcost — applying higher-level controls that are not required — or, worse, undercost, when controls that are mandatory for the system's actual category are omitted.
What are the five CIDAT security dimensions and how are they assessed?
A system's category is determined by assessing the impact that a security incident would have on each of the five security dimensions that the ENS groups under the acronym CIDAT:
- Confidentiality (C): assurance that information is only accessible to authorised parties. A breach may expose citizens' personal data, trade secrets or classified information.
- Integrity (I): assurance that information and processes have not been altered without authorisation. Its compromise may lead to administrative decisions based on incorrect data.
- Availability (D): ability of the system and data to be accessible when needed. A failure here may interrupt services that are essential to citizens.
- Authenticity (A): verification that the identity of users, processes and systems interacting with the system is as declared. Its compromise may enable fraudulent access or identity impersonation.
- Traceability (T): ability to record and retrieve the history of actions on the system. Essential for auditing, forensic analysis and regulatory compliance.
For each service in scope, the impact on each dimension is rated using the three-level scale of Annex I: LOW, MEDIUM or HIGH. The rating is based on the actual consequences a security incident would have on the organisation, citizens, the public service or national security. CCN-STIC Guide 806 provides concrete valuation criteria that help to objectify these decisions.
How is the final system category — basic, medium or high — determined?
The system category results from the highest impact assigned to any of the five CIDAT dimensions for any of the services in scope. Annex I's rule is precise:
- If the highest impact on any dimension is LOW, the system is basic category.
- If any dimension reaches a MEDIUM impact — and none reaches HIGH — the system is medium category.
- If any dimension reaches a HIGH impact, the system is high category.
It is important to note that a single dimension of a single service in scope reaching the HIGH level is sufficient to classify the entire system as high category, which activates the most demanding set of Annex II measures. For this reason, correctly defining the system scope — and not expanding it unnecessarily — is a strategic decision with significant consequences for the cost and timeline of the compliance project.
What practical differences exist between the three category levels in terms of measures and conformity?
Differences between categories are not only quantitative. Medium and high level measures require a greater reinforcement level: more granular controls, greater traceability and more rigorous procedures. Annex II indicates for each measure whether it applies to basic, medium or high category, and with which reinforcement level (R1, R2 or R3 in CCN-STIC series 800 terminology).
The most operationally decisive difference is the required conformity route:
- Basic category: the organisation carries out a self-assessment using the CCN's INES tool and issues a declaration of conformity under the CCN-STIC 809 procedure. No ENAC-accredited external auditor is required, but rigour and full traceability in the documentation of evidence are mandatory.
- Medium or high category: a self-assessed declaration is not sufficient. A conformity certificate issued by an inspection body accredited by ENAC under standard UNE-EN ISO/IEC 17065 is required. These bodies review controls on-site, verify evidence and issue the certificate if the system meets requirements.
It is important to clarify that specialist accompaniment — such as that provided by Summum Calidad through its ENS compliance service — does not replace or issue the conformity certificate, which is the exclusive competence of ENAC-accredited bodies. Accompaniment prepares the system to pass that process with the greatest possible guarantees.
How often must categorisation and conformity be renewed?
Annex III of RD 311/2022 establishes that information systems subject to the ENS must undergo a security audit at least every two years. For basic category systems, renewal of the self-assessed declaration of conformity follows the same biennial cycle. For medium or high category, the ENAC-accredited body carries out the renewal audit within that period.
Any significant change in the system scope, its technology architecture or the services provided may require a new categorisation and, consequently, an extraordinary audit outside the regular cycle. Categorisation is not an exercise carried out once and filed away: it must be updated whenever the system or the services in scope change in a material way.
What common mistakes are made when categorising an ENS system?
Experience in compliance projects makes it possible to identify recurring error patterns in the categorisation phase:
- Undervaluing impact on availability: it is common to assign a LOW impact to availability when in reality the interruption of service for an extended period would have MEDIUM consequences for the contracting Administration. If the service is critical for the electronic processing of administrative files, availability likely justifies a MEDIUM impact.
- Excluding auxiliary systems from scope that should be included: scope must not be limited to the main system. Supporting systems — authentication, log management, backups — must be included if their compromise could affect the CIDAT dimensions of the main system.
- Failing to document the justification for each rating: conformity auditors do not only review the final categorisation result; they examine in detail the justification for each level assigned. Without evidence of how each rating was reached, the categorisation has no probative value in the audit process.
- Confusing the system category with the impact level of a single dimension: these are distinct concepts. An organisation may have systems of different categories if its services have different impacts. The system category is the maximum level observed in any dimension of any service in scope.
How does ENS categorisation fit within an information security management system?
For organisations working with a certified or in-progress ISO 27001:2022 standard, the impact analysis of ENS categorisation aligns naturally with the risk assessment that ISO 27001 requires. The five CIDAT dimensions of the ENS have their conceptual equivalent in ISO 27001's asset valuation criteria, and the analysis results can be leveraged across both frameworks without duplicating effort.
This overlap is precisely why the integrated ENS–ISO 27001 compliance approach is more efficient than two separate projects. As analysed in detail in the article on how much can be saved by implementing ENS and ISO 27001 together, estimated savings versus two parallel projects are between 30% and 40% in cost and team time.
If you are not yet clear on whether the ENS applies to you or under what circumstances it obliges you, you can first consult the article on when the ENS is mandatory for private companies, which clarifies the scope of application of Article 2 of RD 311/2022 and the most common mandatory scenarios for suppliers.
What to do after determining the system category?
Once the category has been determined, the next step is to prepare the compliance plan in accordance with CCN-STIC Guide 806, which selects the applicable Annex II measures, prioritises them by impact on residual risk and sets an implementation timeline with assigned responsibilities. That plan, together with the risk analysis and the Statement of Applicability, is the roadmap that will guide the entire compliance process through to the declaration or certification of conformity.
Summum Calidad accompanies organisations supplying the Spanish Public Administration throughout that journey, from initial categorisation to rigorous preparation for the conformity audit. Our ENS accompaniment service covers the initial diagnosis, gap analysis, documentation preparation and pre-audit review so that the declaration or certification process is completed with the strongest possible foundation.