Sector publico y seguridad

ENS compliance in Tenerife: information security management for Canarian public-sector suppliers

The Cabildo Insular de Tenerife, the Ayuntamiento de Santa Cruz de Tenerife, the Universidad de La Laguna and every other public body on the island are subject to the Esquema Nacional de Seguridad (ENS), Spain's National Security Framework. That obligation extends to their suppliers: if you already hold contracts with any of those entities, or intend to bid for public tenders on the island, RD 311/2022 (BOE-A-2022-7191) requires that your information systems comply with the ENS before the contract takes effect. Summum Calidad guides you through that process from an information security management system (ISMS) perspective, integrating ENS requirements with those of ISO 27001:2022 so that compliance becomes part of your normal operations rather than an additional burden. We work with technology companies and service providers looking to grow their share of Canarian public procurement without duplicating documentation effort.

RegulationRD 311/2022 · BOE-A-2022-7191
Fiscal contextCanary Islands Economic Regime (IGIC, not mainland VAT)
Engagement modelStructured project with ongoing accompaniment

Tenerife is home to a significant share of the Canarian public sector: the Cabildo Insular de Tenerife as the island's supra-municipal authority, the Ayuntamiento de Santa Cruz de Tenerife as the provincial capital, the Universidad de La Laguna as the leading academic institution of the western archipelago, and dozens of consortia, patronatos and dependent entities that procure technology services, management software, infrastructure maintenance and cloud-based solutions. All of these bodies are subject to the ENS, and so are their private suppliers. Article 2 of RD 311/2022 is unambiguous: the Framework applies to the information systems of public-sector entities and to those of their suppliers whenever those systems process information whose security is relevant to public-sector security. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for existing systems to comply. Operating from Tenerife with active public contracts and non-compliant systems constitutes a breach that may jeopardise contract renewals and participation in future tenders.

The Canary Islands fiscal environment adds a layer of operational specificity relevant to any compliance project. Companies based in Tenerife operate under the Canary Islands Economic and Fiscal Regime (REF): the Impuesto General Indirecto Canario (IGIC) replaces mainland VAT, with different rates and its own settlement scheme. This has implications for the management of accounting and fiscal documentation that can affect the Annex II controls of the ENS related to the traceability of transactions and the integrity of records. Summum Calidad is familiar with this environment and adapts ISMS procedures to the Canarian fiscal reality, preventing SGSI documents from conflicting with the operational reality of an IGIC-registered company. Compliance auditors scrutinise the coherence between documented processes and actual processes; a company that invoices under IGIC but documents its workflows in VAT terms generates inconsistencies that undermine the evidence presented.

Annex II of RD 311/2022 organises requirements into 75 measures distributed across three frameworks — organisational, operational and protective — and 16 control families. The operational framework concentrates 7 families and 33 measures, including the op.nub (cloud security) family, which is particularly relevant for suppliers offering SaaS or cloud infrastructure to Canarian public bodies, given the growing weight of cloud solutions in the island's public administration. System categorisation — basic, medium or high, based on the impact that a security incident would have on the five CIDAT security dimensions — determines the applicable subset of measures and the required conformity route: a self-assessed declaration of conformity for basic-category systems (per CCN-STIC 809), and certification by an ENAC-accredited inspection body under UNE-EN ISO/IEC 17065 for medium and high categories. Summum Calidad does not issue conformity certificates — that is the exclusive remit of ENAC-accredited third parties — but prepares your system to meet the category that applies to you with the guarantees the regulation demands.

The ENS compliance in Tenerife process.

The process · four stages
01

Initial assessment and system categorisation in the Canarian context

We analyse the real scope of your information systems in relation to active or planned public contracts with bodies in Tenerife and the Canary Islands — the Cabildo, the Ayuntamiento de Santa Cruz, the ULL or others — and determine the ENS category that applies to you under Annex I of RD 311/2022, assessing the impact on the five CIDAT dimensions for each in-scope service. We also review your operational structure under the Canary Islands REF to ensure that ISMS documentation accurately reflects the fiscal reality of a company operating under the IGIC regime.

02

ENS–ISO 27001 gap analysis with control mapping

We cross-reference the 75 measures of ENS Annex II against the controls of your existing ISO 27001 management system or, if you do not yet have ISO 27001 certification, against your current security practices. The output is a prioritised gap table — reusable controls, partially covered controls and absent controls — with an estimated effort to close each gap before the declaration or certification of conformity required by your category.

03

Integrated ENS–ISO 27001 ISMS design

We design or update your information security management system to cover ENS and ISO 27001:2022 requirements simultaneously. We produce the integrated Statement of Applicability, the information security policy aligned with article 12 of RD 311/2022 and the Annex II organisational framework procedures. All design work takes into account the operational characteristics of a Tenerife-based company: typical local public contracts, IGIC fiscal regime and the usual structure of Canarian technology SMEs.

04

Control implementation and evidence documentation

We accompany the implementation of outstanding organisational, operational and protective Annex II controls and produce the complete evidence package required: procedures, records, risk analysis reports, management review minutes and staff training records. The technical implementation of operational framework controls — hardening, monitoring, cloud security (op.nub) — is coordinated with Summum Sistemas, ensuring coherence between the documentary-normative and the technical planes.

What is included

What ENS compliance in Tenerife includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (ENS Annex I)

    Document justifying the category assigned — basic, medium or high — by assessing the CIDAT impact on each service provided to Canarian public bodies, with a traceable methodology referenced to RD 311/2022.

  • ENS–ISO 27001 gap analysis with mapped controls

    Cross-reference table of the 75 Annex II ENS measures (3 frameworks, 16 families) against your ISO 27001:2022 controls or existing security practices, identifying reusable items, partial gaps and absent controls, with estimated effort to close each gap.

  • Integrated ISMS and Statement of Applicability

    Information security management system designed to cover ENS and ISO 27001:2022 simultaneously, with an integrated Statement of Applicability that justifies the selection and exclusion of controls in the format expected by conformity auditors.

  • Information security policy compliant with the ENS

    Corporate policy drafted in accordance with article 12 of RD 311/2022 and adapted to the operational reality of companies based in Tenerife providing services to Canarian public-sector bodies under the IGIC fiscal regime.

  • Procedures, records and evidence package

    Complete set of operational procedures, records and evidence demonstrating real implementation of Annex II controls: user and access management, backups, vulnerability management, change control, incident management and staff training.

  • Pre-audit review and conformity dry run

    For medium or high categories, an internal audit that simulates the ENAC-accredited body's process: evidence review, identification of weak points and correction before the certification audit, minimising the risk of non-conformities.

Summum cluster

How it connects with its sisters.

ENS compliance from a management system perspective is strengthened when it integrates with the technical implementation of Annex II measures carried out by Summum Sistemas: MAGERIT/PILAR risk analysis, system hardening, security event monitoring and preparation of the technical evidence package. In Tenerife, where Canarian public administration is advancing towards cloud-based solutions, the op.nub family of Annex II requires specific attention that both teams address in a coordinated fashion.

Frequently asked questions about ENS compliance in Tenerife.

Does the ENS apply to suppliers of the Cabildo de Tenerife and the Ayuntamiento de Santa Cruz de Tenerife?

Yes. Article 2 of RD 311/2022 establishes that the ENS applies to the information systems of public-sector entities and to those of their suppliers whenever those systems process information whose security is relevant to public-sector security. The Cabildo Insular de Tenerife, the Ayuntamiento de Santa Cruz de Tenerife and the Universidad de La Laguna are all ENS-subject entities, and any private company providing them with technology services, management software, system maintenance or cloud solutions must have its systems compliant. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for existing systems.

How does the Canary Islands IGIC tax regime affect the ENS compliance project?

The IGIC does not alter the technical requirements of the ENS, but it does have implications for ISMS documentation. Annex II controls related to transaction traceability, record integrity and document management must reflect the fiscal reality of a company operating under the Canary Islands Economic and Fiscal Regime: different IGIC rates, specific settlement schemes and an accounting structure distinct from mainland VAT. Conformity auditors review the coherence between documented processes and real processes, so Summum Calidad adapts ISMS procedures to the Canarian fiscal reality to avoid inconsistencies that would weaken the evidence.

What is the difference between basic, medium and high categories in the ENS?

The category is determined by assessing the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each in-scope service. If the maximum impact on any dimension is LOW, the system is basic; if any dimension reaches MEDIUM impact, it is medium; if any dimension reaches HIGH impact, it is high. The category determines the subset of the 75 Annex II measures that are mandatory and the required conformity route: basic means a self-assessed declaration of conformity under CCN-STIC 809; medium or high requires certification by an ENAC-accredited inspection body under UNE-EN ISO/IEC 17065.

Can I integrate ENS compliance with an existing ISO 27001 certification?

Yes, and that is the most efficient approach. ISO 27001:2022 and the ENS share a very similar management structure — PDCA cycle, risk analysis, proportional control selection, management review and continual improvement — and many controls are coincident or complementary. With ISO 27001 certified, the gap towards the ENS focuses on the specific aspects of the Spanish framework: Annex I categorisation, Annex II controls without a direct ISO 27001 equivalent, and adapting documentation to the CCN format. Summum Calidad carries out the precise gap analysis and closes only what is missing, without redoing work that is already in place.

Which public bodies in Tenerife can require ENS compliance in a procurement tender?

Any public-sector entity subject to the ENS may include compliance as a technical solvency requirement or contract execution condition. In Tenerife, this includes the Cabildo Insular de Tenerife, the Ayuntamiento de Santa Cruz de Tenerife, the Ayuntamiento de La Laguna, the Universidad de La Laguna, the Servicio Canario de Empleo in its island offices, the autonomous bodies of the Gobierno de Canarias based on the island, and the local administration consortia and patronatos. ENS requirements in tender specifications have become increasingly common for digital and technology service contracts, particularly since the compliance deadline passed in May 2024.

Does Summum Calidad issue the ENS certificate of conformity?

No. The ENS certificate of conformity for medium or high category systems can only be issued by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard. Summum Calidad is not an accredited body and does not issue any official certificate. What we do is prepare your information security management system so that, when the conformity audit carried out by the accredited third party you choose takes place, your organisation is ready to pass it: gap diagnosis, control implementation, evidence documentation and a pre-audit review before the official audit.