ENS (Esquema Nacional de Seguridad)
ENS (Esquema Nacional de Seguridad) is Spain's national cybersecurity framework, established under Real Decreto 311/2022 and modified by RD 1125/2024. It mandates security requirements for public sector organizations and private entities handling government data, establishing a risk-based approach with three security categories and five protection dimensions.
ISMS Copilot has dedicated knowledge of ENS requirements. You can ask framework-specific questions, generate policies aligned with ENS measures, assess compliance gaps, and cross-reference controls with ISO 27001:2022 and NIS2.
Who Needs ENS Compliance?
ENS applies to the following organizations in Spain:
Public administration: All government bodies, agencies, and public sector entities at national, regional, and local levels
Private sector contractors: Companies providing services to public administration or handling government data
Critical infrastructure operators: Operators of critical infrastructure designated by Spanish authorities
State-owned enterprises: Public companies and entities with government ownership
Service providers: Organizations processing personal data or providing electronic services to public entities
Compliance is mandatory for in-scope organizations, with different requirements based on system categorization.
ENS Regulatory Structure
The framework is organized under RD 311/2022 with the following structure:
Legal articles (41 total):
General provisions (Arts. 1–4): Scope, definitions, and fundamental concepts
Basic principles (Arts. 5–11): Security principles and organizational requirements
Security policy and requirements (Arts. 12–30): Minimum security measures and policy framework
Audit and incident handling (Arts. 31–34): Audit requirements and incident response
Conformity rules (Arts. 35–38): Declaration and certification of conformity
System categorization (Arts. 40–41): Classification methodology
Annexes:
Anexo I: System categorization criteria (BÁSICA, MEDIA, ALTA)
Anexo II: 73 security measures with official identifiers
Anexo III: Audit requirements and periodicity
Security Categories
ENS establishes three security categories based on the potential impact of security breaches:
BÁSICA (Basic):
Systems with minimal impact on organizational operations
Limited consequences for data confidentiality, integrity, or availability
Fundamental security measures required
Self-assessment and declaration of conformity sufficient
MEDIA (Medium):
Moderate impact on organizational operations or service delivery
Potential harm to individuals or organizations
Enhanced security measures with reinforcement requirements
Requires formal audit every two years
ALTA (High):
Critical systems with severe potential impact
Significant harm to national interests, public safety, or large populations
Maximum security measures with multiple reinforcement levels
Requires formal audit every two years by accredited auditors
Five Security Dimensions
ENS organizes security measures across five dimensions, each with progressive levels (0–3):
| Dimension | Spanish | Focus |
|---|---|---|
C | Confidencialidad | Protecting information from unauthorized disclosure |
I | Integridad | Maintaining data accuracy and completeness |
T | Trazabilidad | Recording actions and enabling accountability |
A | Autenticidad | Verifying identity and ensuring data origin |
D | Disponibilidad | Ensuring timely access to information and services |
Each category (BÁSICA, MEDIA, ALTA) requires specific minimum levels for each dimension. Higher categories demand higher dimension levels, with reinforcements (R1, R2, R3) adding supplementary controls.
The 73 Security Measures
Anexo II defines 73 security measures organized into three frames:
Marco Organizativo (Organizational frame):
Security policy and organization
Roles and responsibilities
Security committees and coordination
Personnel security and awareness
Marco Operacional (Operational frame):
Access control and authentication
Incident management
Business continuity and disaster recovery
Supplier and third-party management
Marco de Protección (Protection frame):
Network and communications security
Endpoint protection
Cryptography and key management
Physical security
Each measure includes specific requirements per security category, with reinforcement levels for higher categories.
Key Roles Under ENS
ENS defines four critical roles for security governance:
Responsable de la información: Owner of the information, accountable for classification and protection requirements
Responsable del servicio: Service owner, responsible for service delivery and availability
Responsable de la seguridad: Security officer, coordinates security implementation and monitoring
Responsable del sistema: System administrator, implements technical security measures
CCN-STIC Guidance Series
ENS implementation is supported by CCN-STIC technical guides from the Spanish National Cryptologic Centre (CCN-CERT). Key guides include:
CCN-STIC 800: General ENS implementation guide
CCN-STIC 802: Security policy development
CCN-STIC 804: Risk assessment methodology
CCN-STIC 808: Incident management
CCN-STIC 809: Business continuity
CCN-STIC 815: Audit procedures
CCN-STIC 817: Security measures implementation
CCN-STIC 823–825: Technical security controls
CCN-STIC 830: Cloud security
CCN-STIC 884, 892: Specialized security domains
Current versions are maintained at ccn-cert.cni.es.
Declaration and Certification of Conformity
ENS offers two conformity pathways:
Self-assessment (Declaración de Conformidad):
Available for BÁSICA category systems
Organization conducts internal assessment
Declaration published on electronic portals per Art. 38.2
Certification (Certificación de Conformidad):
Required for MEDIA and ALTA categories
Conducted by accredited auditors
Biennial audit cycles per Anexo III
Regular audit (Art. 31) can serve simultaneously for certification
ISMS Copilot does not replace the formal Anexo III audit for MEDIA and ALTA systems. It serves as preparation support and assistance between biennial audits. For citations with direct legal responsibility, always verify against primary sources (BOE, CCN-CERT, AENOR).
Cross-Framework Mapping
ENS aligns with international frameworks, enabling integrated compliance approaches:
ISO 27001:2022: Control-level mappings between Anexo II measures and Annex A controls
NIS2 Directive: Alignment with EU-wide cybersecurity requirements
RGPD/LOPDGDD: Integration with Spanish data protection law
This allows organizations to leverage existing ISO 27001 or NIS2 compliance work for ENS implementations.
How ISMS Copilot Helps
ISMS Copilot provides comprehensive support for ENS compliance work:
Framework-specific guidance: Ask about specific ENS articles, measures, or dimension requirements
Policy contrast: Compare existing policies and procedures against RD 311/2022 requirements
Declaración de Aplicabilidad review: Analyze Statement of Applicability documents for completeness
Gap identification: Identify security gaps against Anexo II measures
Preliminary evidence review: Assess audit evidence before formal review
Category determination: Support system categorization decisions (BÁSICA/MEDIA/ALTA)
CCN-STIC guidance: Recommend appropriate guides from the 800 series for specific cases
Cross-framework mapping: Map controls between ENS, ISO 27001:2022, and NIS2
Workspace organization: Manage ENS projects separately from other compliance initiatives
The AI distinguishes between categories, understands dimension levels, and knows reinforcement requirements (R1, R2, R3). For exact measure × level × reinforcement matrices, it references Anexo II of the RD directly.
Try asking: "What are the ENS requirements for a MEDIA category system?" or "Map ENS Anexo II measures to ISO 27001:2022 Annex A controls" or "Which CCN-STIC guide covers incident management?"
Plan Availability
ENS knowledge is available across all ISMS Copilot plans, including the free trial. Framework knowledge is not stratified by plan—you can access full ENS guidance regardless of subscription level.
Getting Started
To begin ENS compliance work in ISMS Copilot:
Create a dedicated workspace for your ENS compliance project
Ask the AI to help determine your system's category (BÁSICA, MEDIA, or ALTA)
Generate security policies aligned with Anexo II measures
Upload existing security documentation for gap analysis
Develop your Declaración de Aplicabilidad mapping measures to your environment
Request guidance on relevant CCN-STIC guides for your implementation
Prepare audit evidence packages for formal conformity assessment
Limitations
ISMS Copilot is a compliance assistant, not a replacement for:
Professional judgment on security decisions
Accredited auditors for formal conformity certification
Legal counsel for regulatory interpretation
Primary sources (BOE, CCN-CERT, AENOR) for legally binding citations
For MEDIA and ALTA systems, formal Anexo III audits remain mandatory. ISMS Copilot accelerates preparation and supports continuous improvement between audit cycles.
Related Resources
Official RD 311/2022 text: BOE (Boletín Oficial del Estado)
CCN-CERT guidance portal: ccn-cert.cni.es
AENOR (Spanish Association for Standardization) certification information
ISO 27001 Information Security Management (related framework)
NIS2 Directive (related framework)