The Esquema Nacional de Seguridad, enacted by Royal Decree 311/2022 of 3 May, requires that information systems of Spanish public-sector entities — and those of their suppliers — meet minimum security requirements. In León, this has concrete implications: the Diputación de León manages municipal services for dozens of municipalities across the province, the Ayuntamiento de León operates digital citizen-service and electronic-procurement platforms, and the Universidad de León (ULE), as a public university, is likewise subject to the ENS. If your company provides technology services, develops software, manages infrastructure or processes data on behalf of any of these bodies, the ENS applies to you directly. The deadline for bringing existing systems into compliance expired on 5 May 2024; operating without completing that process represents a real risk to your access to provincial and regional public procurement.
Summum Calidad approaches ENS compliance from a management-system perspective, the same one that underpins ISO 27001:2022: security policy, risk analysis, selection of controls proportional to the system's impact level, implementation with auditable evidence, and a review and continuous-improvement cycle. Annex II of RD 311/2022 contains 75 security measures organised across three frameworks — organisational, operational and protection — and 16 families, including the op.nub family specifically for cloud services. This structure is compatible with Annex A of ISO 27001:2022, making it possible to build a single management system that satisfies both standards. For a company supplying public bodies in León, this integrated approach not only saves time and cost; it also positions the organisation to respond swiftly when procurement specifications require evidence of ENS conformity.
The compliance process begins with system categorisation under Annex I of RD 311/2022: the impact that a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) is assessed for each in-scope service, and the result determines whether the system falls under the basic, medium or high category. The category defines both the subset of Annex II measures that are mandatory and the conformity route required: for basic-category systems, a self-assessed declaration of conformity following CCN-STIC 809 is sufficient; for medium or high category, conformity must be certified by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard. Summum Calidad supports the entire process — diagnosis, categorisation, implementation, documentation and audit preparation — but does not issue conformity certificates, which are the exclusive competence of accredited bodies.