ENS (Esquema Nacional de Seguridad) Explained: Requirements & Certification

Metrica.uno Team

The Esquema Nacional de Seguridad (ENS) — Spain’s National Security Framework — is the mandatory security standard for all Spanish public administrations and any private company that provides services or solutions to the Spanish public sector. If you want to do business with the Spanish government, ENS is not optional — it’s the entry ticket.

Updated in 2022 (Royal Decree 311/2022), the ENS aligns with NIS2, ISO 27001, and other European standards while maintaining specific requirements for the Spanish public sector ecosystem.

Who Does ENS Affect?

Direct Scope

  • All Spanish public administrations — central government, autonomous communities (regions), local government, universities, public health services
  • Public sector entities — agencies, foundations, and public companies
  • Any private company that provides electronic services, systems, or solutions to Spanish public administrations

The Private Sector Reality

This is where most organizations are surprised. If your company:

  • Hosts or manages systems used by public administrations
  • Develops software used in public services
  • Provides cloud services to government entities
  • Manages data on behalf of public organizations
  • Provides IT consulting or services to the public sector

…then you need ENS compliance at the appropriate level.

Three Certification Levels

Level   | Applies when                                                               | Audit requirement
--------|----------------------------------------------------------------------------|--------------------------------------------
Basic   | Systems handling low-impact information                                    | Self-assessment
Medium  | Systems with moderate impact on services or data                           | Mandatory external audit
High    | Systems critical to public services, national security, or sensitive data  | Mandatory external audit by accredited body

The required level depends on the impact dimensions: confidentiality, integrity, availability, authenticity, and traceability of the information and services.

Key Requirements

ENS organizes security measures into three categories:

1. Organizational Measures

  • Security policy — documented, approved by management, communicated to all personnel
  • Security rules and procedures — detailed operational guidelines
  • Authorization process — formal process for authorizing systems and changes
  • Risk analysis — systematic identification and assessment of risks
  • Security roles — defined responsibilities: security officer, system administrator, security administrator

2. Operational Measures

  • Access control — identification, authentication, and authorization mechanisms
  • Activity logging — audit trails for all system activities
  • Incident management — detection, response, and recovery procedures
  • Business continuity — backup, recovery, and availability plans
  • Configuration management — baseline configurations and change control
  • Maintenance — regular system maintenance and security patching
  • Monitoring — continuous monitoring of system security

3. Protection Measures

  • Facility protection — physical security of data centers and work areas
  • Communications protection — encryption, network segmentation, perimeter security
  • Information protection — data classification, handling, and destruction procedures
  • Software protection — secure development, application security testing
  • Cryptographic protection — encryption standards for data at rest and in transit

Compliance Process

  1. Categorize your systems based on impact dimensions
  2. Select applicable security measures for your level
  3. Implement the measures
  4. Assess compliance through internal or external audit
  5. Certify (for Medium and High levels) through accredited certification bodies
  6. Maintain compliance with periodic audits (every 2 years for Medium/High)

Why ENS Matters

  • Market access: Without ENS, you cannot bid on most Spanish public sector contracts. The public sector IT market in Spain is worth billions annually.
  • NIS2 alignment: The updated ENS (2022) is designed to align with NIS2 requirements, so ENS compliance supports EU-wide cybersecurity obligations.
  • ISO 27001 overlap: Many ENS controls map directly to ISO 27001 Annex A controls. Achieving both is efficient.
  • Growing enforcement: Public administrations are increasingly requiring ENS certification in procurement processes, not just as a preference but as a mandatory requirement.

What Happens Without ENS

ENS doesn’t impose direct monetary fines like GDPR. But the consequences are significant:

A Scenario That Costs Contracts

This is an illustrative scenario based on common procurement patterns.

A technology company wins a €3 million contract to digitize a regional government’s citizen services. The project is complex: digital identity verification, electronic processing of permits, online payments, and a citizen communication portal.

Six months into implementation, the government’s security office conducts a routine vendor review. They discover the company has no ENS certification — not even Basic level. The company assumed “being secure” was enough.

The consequences:

  • Contract suspension — all work halted pending compliance review
  • Remediation demand — the company must achieve ENS Medium certification within 9 months
  • Fast-track certification costs: €50,000–€100,000 in consulting fees and audit costs
  • Penalty payments for project delays (€15,000/month in the contract)
  • A competitor — already ENS Medium certified — offers to take over the project
  • The contract is reassigned after the deadline passes without certification

Total loss: €3M contract + €200K in penalties and certification costs + reputation damage in the public sector market.

The lesson: in the Spanish public sector, ENS is not optional — it’s the entry ticket. The time to certify is before you bid, not after you win.

How to Get Started

1. Determine Your Required Level

Assess which ENS level applies to your systems based on the impact dimensions. Most companies providing services to public administrations need at least Medium.

2. Gap Assessment

Compare your current security posture against ENS requirements for your level. Identify missing measures, undocumented processes, and technical gaps.

3. Implement Missing Measures

Focus on the highest-priority gaps first: access control, logging, incident management, and risk analysis are typically where companies fall short.

4. Document Everything

ENS requires extensive documentation: security policy, operating procedures, risk analysis reports, and audit evidence. Start documenting early.

5. Engage a Certification Body

For Medium and High levels, engage an accredited certification body. The audit typically takes 2-4 weeks, and you should allow 3-6 months for preparation.
ENS is Spain’s way of ensuring that when citizens interact with digital public services, their data and their trust are protected. For companies, it’s the clearest signal that you’re ready for the public sector market. Don’t wait for a contract to require it — be ready before the opportunity arrives.
