Burgos has a growing technology and services business community with increasing participation in local and provincial public procurement. The Diputación de Burgos manages services for more than 370 municipalities in the province and regularly tenders contracts covering information systems, technology maintenance and digitisation projects. The Ayuntamiento de Burgos, with a well-established electronic administration, procures document management solutions, citizen-facing platforms and cloud services. The Universidad de Burgos (UBU), as a public higher-education entity, is also subject to the ENS and brings its technology suppliers into scope. Any Burgos-based company operating in any of these environments must have completed its ENS compliance: the general deadline for existing systems expired on 5 May 2024, in accordance with the sole transitional provision of RD 311/2022, and new systems must comply from the moment they go live.
The Esquema Nacional de Seguridad organises its requirements around an information security management system: policy, risk analysis, proportionate selection of measures, operation, monitoring and continuous improvement. This approach is structurally identical to the Plan-Do-Check-Act cycle of ISO 27001:2022, making the integration of both frameworks the most efficient path for a public-sector supplier. Annex II of RD 311/2022 contains 75 security measures organised across three frameworks (organisational, operational and protection) and 16 families, of which 7 families and 33 measures belong to the operational framework — including the op.nub family on cloud service security, which is especially relevant for SaaS suppliers hosting applications for Burgos-based public entities. When an organisation already has an ISO 27001 ISMS in place, many of those measures are already covered or require only a documentary adaptation to the ENS context.
The category of the system — basic, medium or high — is determined by assessing the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service in scope. The category is not a minor detail: it determines which Annex II measures are mandatory and, above all, what form of conformity is required. For basic-category systems, conformity is demonstrated through a self-assessed conformity declaration in accordance with CCN-STIC 809. For medium or high-category systems, certification by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065 is mandatory. Summum Calidad does not issue conformity certificates — that is the exclusive remit of accredited third parties — but prepares your organisation to enter that process in the best possible condition: documented system, complete evidence and gaps closed before the external auditor arrives.