Sector publico y seguridad

ENS compliance in León: information security management for public-sector suppliers

The Diputación de León, the Ayuntamiento de León and the Universidad de León (ULE) are public-sector entities subject to Spain's Esquema Nacional de Seguridad (ENS). This means that any company supplying them with software, technology services or data-processing solutions must comply with RD 311/2022 (BOE-A-2022-7191) in order to bid for and operate under their contracts. Summum Calidad guides companies in León and across the province through that process from an information security management system (ISMS) perspective, integrating ENS requirements with ISO 27001:2022 to share common controls and eliminate duplication. If you want to keep supplying public-sector bodies in León, ENS compliance is not optional — we help you tackle it in an orderly, rigorous manner with minimal disruption to your daily operations.

RegulationRD 311/2022 · BOE-A-2022-7191
TargetSuppliers to public bodies in León
ApproachStructured ENS + ISO 27001 engagement

The Esquema Nacional de Seguridad, enacted by Royal Decree 311/2022 of 3 May, requires that information systems of Spanish public-sector entities — and those of their suppliers — meet minimum security requirements. In León, this has concrete implications: the Diputación de León manages municipal services for dozens of municipalities across the province, the Ayuntamiento de León operates digital citizen-service and electronic-procurement platforms, and the Universidad de León (ULE), as a public university, is likewise subject to the ENS. If your company provides technology services, develops software, manages infrastructure or processes data on behalf of any of these bodies, the ENS applies to you directly. The deadline for bringing existing systems into compliance expired on 5 May 2024; operating without completing that process represents a real risk to your access to provincial and regional public procurement.

Summum Calidad approaches ENS compliance from a management-system perspective, the same one that underpins ISO 27001:2022: security policy, risk analysis, selection of controls proportional to the system's impact level, implementation with auditable evidence, and a review and continuous-improvement cycle. Annex II of RD 311/2022 contains 75 security measures organised across three frameworks — organisational, operational and protection — and 16 families, including the op.nub family specifically for cloud services. This structure is compatible with Annex A of ISO 27001:2022, making it possible to build a single management system that satisfies both standards. For a company supplying public bodies in León, this integrated approach not only saves time and cost; it also positions the organisation to respond swiftly when procurement specifications require evidence of ENS conformity.

The compliance process begins with system categorisation under Annex I of RD 311/2022: the impact that a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) is assessed for each in-scope service, and the result determines whether the system falls under the basic, medium or high category. The category defines both the subset of Annex II measures that are mandatory and the conformity route required: for basic-category systems, a self-assessed declaration of conformity following CCN-STIC 809 is sufficient; for medium or high category, conformity must be certified by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard. Summum Calidad supports the entire process — diagnosis, categorisation, implementation, documentation and audit preparation — but does not issue conformity certificates, which are the exclusive competence of accredited bodies.

The ENS compliance in León process.

The process · four stages
01

Diagnosis and system categorisation (Annex I ENS)

We analyse the scope of the services you provide to public bodies in León — Diputación de León, Ayuntamiento de León, ULE or others — and the data you process on their behalf. Using that information, we apply the Annex I methodology of RD 311/2022 to assess the impact across the five CIDAT dimensions and determine the system category (basic, medium or high). If you already hold an ISO 27001 certification or have documented security practices, we identify at this stage what work is already done and what the actual gap toward ENS compliance looks like.

02

ENS–ISO 27001 gap analysis and action plan

We map the Annex II ENS controls — 75 measures across 16 families — against your ISO 27001:2022 management system controls or existing security practices. The output is a prioritised gap table showing estimated effort to close each item, distinguishing what can be reused directly, what requires documentary adjustment and what requires new technical implementation. This analysis is the starting point for a project plan with milestones, owners and realistic dates.

03

Integrated ISMS design and Statement of Applicability

We design or update the information security management system to cover simultaneously the requirements of ISO 27001:2022 and the measures of ENS Annex II. We prepare the integrated Statement of Applicability, which justifies the selection and exclusion of controls in the format expected by conformity auditors, and draft the information security policy in accordance with Article 12 of RD 311/2022, including the roles and responsibilities specific to your organisational structure.

04

Control implementation and evidence generation

We support the implementation of outstanding security measures — organisational, operational and protection — and generate the required evidence documentation: procedures, records, risk analysis reports, management review minutes, training records and continuity plans. For technical implementation aspects — hardening, monitoring, vulnerability management, op.nub cloud controls — we coordinate with Summum Sistemas, which covers the technical-operational layer of the project.

What is included

What ENS compliance in León includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (Annex I ENS)

    Document justifying the assigned category — basic, medium or high — by assessing the impact on the five CIDAT dimensions for each service provided to public bodies in León, with a traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 Annex II ENS measures against your ISO 27001:2022 system controls, identifying direct reuse, partial gaps and missing controls, with estimated effort to close each item before the conformity audit.

  • Integrated ENS–ISO 27001 Statement of Applicability

    Formal document recording, for each Annex II ENS measure and each Annex A ISO 27001:2022 control, whether it applies to the system, the implementation status and the justification for any exclusions, in the format expected by conformity auditors and by CCN-STIC 809.

  • Information security policy compliant with ENS

    Corporate policy drafted in accordance with the requirements of Article 12 of RD 311/2022 and adapted to the organisation's structure and culture: purpose, scope, roles, management commitments, biennial review cycle and alignment with service contracts with public bodies in León.

  • Procedures, records and evidence package

    Complete set of operational procedures and records attesting to the actual implementation of controls: user and access management, backups, vulnerability management, change control, incident management, personnel training and ISMS performance monitoring.

  • Pre-audit review and conformity dry run

    For medium or high category systems, an internal audit simulating the ENAC-accredited body's process under UNE-EN ISO/IEC 17065: evidence review, identification of weak points and correction before the certification audit, minimising the risk of non-conformities.

Summum cluster

How it connects with its sisters.

ENS compliance from a management-system perspective is completed by the technical implementation of Annex II measures carried out by Summum Sistemas: risk analysis using MAGERIT methodology and PILAR tool, system and service hardening, security event monitoring, op.nub cloud controls and preparation of the technical evidence package for the conformity audit. Both teams work in a coordinated single project covering the documentary-regulatory layer and the technical-operational layer, without duplicating effort or transferring responsibility from one team to the other.

Frequently asked questions about ENS compliance in León.

Why does the ENS affect a company that supplies the Diputación de León or the Ayuntamiento de León?

Because Article 2 of RD 311/2022 extends the scope of the ENS to private entities that provide services or products to public-sector bodies subject to the regulation. The Diputación de León, the Ayuntamiento de León and the Universidad de León (ULE) are public bodies subject to the ENS; therefore, any company that supplies them with software, hosting services, system maintenance or data processing must demonstrate compliance. If you participate in procurement procedures of these bodies and cannot prove your compliance, you may be excluded from those contracting processes.

What are the ENS category levels and what does each mean for a company in León?

The ENS establishes three categories: basic, medium and high. The category is determined by assessing the impact that a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for the services in scope. If the maximum impact in any dimension is low, the system is basic; if any dimension reaches medium impact, it is medium; if any reaches high impact, it is high. For a technology-services company working with the Ayuntamiento de León on a document management system, the typical category tends to be basic or medium. The category defines which Annex II measures are mandatory and whether a self-assessed conformity declaration (basic category) is sufficient or certification by an ENAC-accredited body is required (medium and high).

What is Annex II of RD 311/2022 and how many measures does it include?

Annex II of RD 311/2022 sets out the 75 security measures that ENS-subject systems must apply depending on their category. These measures are organised across three frameworks — organisational (4 families), operational (7 families, including op.nub for cloud services) and protection (5 families) — totalling 16 families. Not all measures are mandatory for all systems: Annex II specifies for each measure whether it applies to basic, medium or high category systems, or to all. The gap analysis work consists precisely of identifying which of those measures apply to your organisation's system and which are already covered by your ISO 27001 management system controls.

Does the Universidad de León (ULE) require its technology suppliers to be ENS-compliant?

Yes. The Universidad de León is a public university and, as such, is subject to the ENS. This means that its information-system suppliers — academic management software, cloud services, infrastructure maintenance, student data processing — must demonstrate ENS compliance if their systems interact with those of the ULE. The specific requirements depend on each procurement tender, but the regulatory trend is for ENS conformity requirements to appear increasingly in ICT service contracts of Spanish public universities.

Can I integrate ENS compliance with an existing ISO 27001 certification?

Yes, and it is the most efficient way to do it. ISO 27001:2022 and the ENS share a very similar management structure: security policy, risk analysis, proportional control selection, implementation with evidence and periodic review. Many controls in Annex A of ISO 27001:2022 overlap with Annex II measures of the ENS, so the gap concentrates on aspects specific to the Spanish framework: Annex I categorisation, measures with no direct ISO 27001 equivalent and the documentation format required by the CCN. Summum Calidad performs a precise gap analysis and closes only what is missing, without redoing what already works in your ISMS.

Does Summum Calidad certify or audit the ENS for my organisation?

No. Summum Calidad does not issue ENS conformity certificates or perform certification audits. For basic-category systems, we prepare the documentation needed for your organisation to issue its own self-assessed declaration of conformity in accordance with CCN-STIC 809. For medium or high category systems, we carry out a thorough pre-audit review and support you throughout the process, but the certificate is issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065, freely chosen by the organisation. Our role is to prepare you to pass that process with the highest possible assurance and the lowest risk of non-conformities.