Esquema Nacional de Seguridad (ENS): Security Requirements for Spain

The Esquema Nacional de Seguridad (ENS) is Spain's national cybersecurity framework, established under Royal Decree 311/2022 of 3 May. It is mandatory for all Spanish public administrations and for any private company providing IT services, software, cloud, or managed services to a public body. If your product or service is used within a system the public administration classifies as Medium or High, you must hold a valid ENS Certificate of Conformity. The transition deadline passed in May 2024 — compliance is no longer optional.

ENS defines three security levels based on the potential impact of a breach. Basic (Básico) applies to systems where a breach causes minor damage; a self-assessment and internal declaration are sufficient. Medium (Medio) covers systems where a breach causes considerable disruption to public services or legal obligations; a mandatory third-party audit by an ENAC-accredited body is required, and the Certificate of Conformity is valid for two years. High (Alto) applies to systems where a breach causes very serious or catastrophic damage; it requires the most rigorous measures including CCN-approved cryptographic tools and mandatory 24-hour incident reporting to CCN-CERT. Most IT supplier contracts involve Medium or High systems.

Attack Surface Management directly addresses the ENS controls auditors check most carefully. op.exp.1 requires a current asset inventory — ASM automatically discovers all your internet-facing assets with weekly scans. op.exp.7 requires documented vulnerability management — ASM scans for CVEs and logs every finding with timestamps and remediation status. op.mon.3 requires continuous monitoring — ASM provides weekly automated external perimeter scanning with an auditable log. Instead of manually gathering evidence before an audit, you always have it ready.

ENS certification is mandatory for private companies specifically in the context of public sector contracts. If you supply IT services, software, cloud infrastructure, or managed services to a Spanish public body, and those services form part of a system classified as Medium or High, you must hold a Certificate of Conformity for the services in scope. Private companies with no public sector business are not directly covered — but companies processing personal data under Spain's LOPDGDD may reference ENS as a security standard, and critical infrastructure operators face overlapping obligations under NIS2.

ENS and NIS2 are complementary frameworks. ENS covers the Spanish public sector and its supply chain; NIS2 covers essential and important entities across the EU economy. Spain missed the October 2024 NIS2 transposition deadline and received a European Commission reasoned opinion in May 2025. The draft Spanish NIS2 law now before Parliament explicitly recognizes ENS certification — particularly ENS High — as a compliance pathway for meeting NIS2 obligations. Organizations that invest in ENS compliance now are positioning themselves to satisfy both frameworks once the Spanish NIS2 law passes, expected in 2026.

ENS certification timelines vary by system complexity and security level. For a Medium system, you can typically expect 3 to 6 months from starting your gap assessment to receiving your Certificate of Conformity — assuming your security controls are largely in place. The process includes a formal risk analysis, a Statement of Applicability (Declaración de Aplicabilidad), implementing all applicable Annex II measures, and a third-party audit by an ENAC-accredited body. Organizations that start with an automated gap assessment against op.exp and op.mon controls — the areas auditors focus on most — significantly reduce the time to certification. The certificate is valid for two years.