Elevate

ENS Compliance - Spain

Esquema Nacional de Seguridad (ENS) Compliance and Certification Readiness

Spain’s National Security Framework — governed by Royal Decree 311/2022 — is mandatory for public sector entities and every private organization supplying IT services, cloud infrastructure, or digital solutions to the Spanish public administration. Elevate Consult guides organizations through ENS gap assessment, implementation, and certification readiness across all three security levels. 

What is the ENS

Spain's mandatory cybersecurity framework for public sector and its suppliers

The Esquema Nacional de Seguridad (ENS) establishes the basic principles, minimum requirements, and security measures that Spanish public administrations and their technology providers must implement to protect the information and services they manage electronically. Established in 2010 and significantly updated by Royal Decree 311/2022, the ENS now aligns with EU frameworks including NIS2 and GDPR and its scope has expanded to encompass cloud services, supply chain security, and incident reporting obligations. 

For US-based technology vendors, SaaS providers, cloud operators, and managed service organizations entering the Spanish public sector market (or already serving it) ENS compliance is not optional. It is a contractual prerequisite that contracting officers enforce at the procurement stage. 

May 2025

Deadline for all Medium and High systems to hold a valid ENS certificate 

2 years

Certificate validity period, with annual surveillance audits 

24 hrs

Maximum incident reporting window for significant security events 

70-80%

Control overlap with ISO 2700 existing certifications accelerate ENS readiness 

Security classification

Three levels, one determines your certification obligation

ENS classifies information systems by the sensitivity of the data they process. The level assigned to your system determines which security controls apply and whether certification is voluntary or mandatory. 

For US-based technology vendors, SaaS providers, cloud operators, and managed service organizations entering the Spanish public sector market ( or already serving it ) ENS compliance is not optional. It is a contractual prerequisite that contracting officers enforce at the procurement stage. 

Low

Basic protection

Applies to systems handling non-critical data. Certification is voluntary. Self-assessment and conformity declaration are accepted. 

Medium

Mandatory certification

Applies where a moderate risk to confidentiality, integrity, or availability exists. Independent audit by an ENAC-accredited body required. 

High

Mandatory certification

Applies to systems handling sensitive or critical public sector data. The most stringent security requirements. Mandatory ENAC-accredited certification. 

Who must comply

ENS applies far beyond Spanish government agencies

The 2022 update significantly expanded the ENS scope. Any organization whose systems process, store, or transmit information on behalf of a Spanish public administration must comply — regardless of where that organization is headquartered

Spanish public sector entities

All central, regional, and local government agencies using electronic services or managing citizen data. 

Cloud and SaaS providers

US and international technology vendors supplying cloud services, SaaS platforms, or managed infrastructure to Spanish public entities. 

Subcontractors in the supply chain

Any subcontractor whose systems are used in the performance of a public sector contract is expected to meet ENS requirements. 

IT service contractors

Private companies holding public sector contracts involving ICT systems that process government-related data. 

Framework positioning

How ENS maps to frameworks your organization already knows

ENS is not built in isolation. Royal Decree 311/2022 was explicitly designed to align with major international standards; meaning organizations with existing compliance programs can leverage prior work. But ENS has Spain-specific requirements that are not covered by any other framework. 

ISO 27001

70-80% control
overlap

  • Significant structural alignment on risk management and security controls 
  • ISO 27001 certification accelerates ENS readiness but does not satisfy it 
  • ENS adds Spain-specific incident reporting, national cryptology requirements, and CCN-STIC guide adherence 

NIS2 Directive

Explicit alignment
by design

  • RD 311/2022 was updated to align ENS with NIS2 requirements in Spain 
  • NIS2 compliance supports ENS readiness for essential and important entities 
  • ENS goes further with sector-specific controls for public sector systems 

NIST SP 800-53 / FedRAMP

Structural parallels,
not equivalents

  • ENS controls align with NIST domains: risk management, incident response, access control, data protection 
  • FedRAMP-authorized providers can leverage existing documentation for ENS readiness 
  • ENS has distinct Spanish regulatory and cryptographic requirements not covered by FedRAMP 

CMMC

Adjacent frameworks, separate obligations

  • Both are government-driven certification programs for contractors 
  • CMMC covers US DoD supply chain; ENS covers Spanish public sector supply chain 
  • Organizations serving both markets need both — there is no mutual recognition 
Our process

From gap to certificate: a structured ENS readiness program

Elevate Consult supports organizations through every stage of the ENS compliance lifecycle: system categorization, gap assessment, control implementation, documentation, and readiness for independent audit by an ENAC-accredited certification body. 

PHASE 1

System categorization and scoping

Identify the information types processed by your systems and determine the applicable ENS security level (Low, Medium, or High) as required by Royal Decree 311/2022. Define the system boundary and confirm whether certification is voluntary or mandatory for your environment.

PHASE 2

Gap assessment against RD 311/2022 controls

Evaluate your current security posture against the full ENS control set — including organizational, operational, and technical measures — and identify gaps relative to your assigned security level. For organizations with existing ISO 27001 or FedRAMP programs, we map prior compliance work to ENS requirements to identify what carries over and what requires new effort. 

PHASE 3

Control implementation and documentation

Develop and implement the security measures required by your ENS level, including policies, procedures, technical controls, supply chain security requirements, and cryptographic standards aligned with CCN-STIC guides. Produce the documentation package required for certification: Security Management Plan, risk assessment, and supporting evidence set. 

PHASE 4

Audit readiness and certification support

Prepare your organization for independent audit by an ENAC-accredited ENS certification body. Elevate coordinates evidence collection, manages pre-audit reviews, and supports your team through the assessment process — from initial submission through issuance of the ENS Conformity Certificate. 

PHASE 5

Surveillance and ongoing compliance

ENS certificates are valid for two years with mandatory annual surveillance audits. Elevate supports ongoing compliance through control monitoring, incident reporting readiness, and preparation for surveillance audits and recertification cycles. 

Who this is for

Built for US and international organizations entering the Spanish public sector market

ENS compliance is a procurement prerequisite — not a post-award obligation. Organizations that begin the readiness process before pursuing Spanish public sector contracts are better positioned to win and retain them. 

Cloud and SaaS providers

CISOs and security leads

Compliance and GRC officers

CTOs and IT architecture leads

Government contractors

EU market entry teams

What you get

Structured outputs at each phase

ENS compliance is a procurement prerequisite — not a post-award obligation. Organizations that begin the readiness process before pursuing Spanish public sector contracts are better positioned to win and retain them. 

ENS gap assessment report

Control-by-control gap analysis against your assigned ENS level, with prioritized remediation recommendations and a mapping of prior compliance work to ENS requirements. 

Security Management Plan (SMP)

Complete documentation of security measures implemented in your environment, structured to meet ENS documentation requirements and serve as the primary artifact for ENAC-accredited audit. 

Audit-ready evidence package

Organized evidence set supporting all ENS controls — technical configurations, policies, risk assessments, and supporting records structured for assessor review. 

Surveillance audit support

Ongoing compliance maintenance, annual surveillance audit preparation, and recertification support to keep your ENS certificate current across the two-year validity cycle. 

FAQ

Common questions from US and international organizations

Does our ISO 27001 certification satisfy ENS requirements?

No, but it significantly accelerates ENS readiness. Approximately 70-80% of ENS controls overlap with ISO 27001. However, ENS has Spain-specific requirements that ISO 27001 does not cover: national cryptology requirements aligned with CCN-STIC guides, 24-hour incident reporting to INCIBE, explicit supply chain security provisions, and a mandatory ENAC-accredited certification process. Organizations with ISO 27001 can leverage their existing documentation and controls as the foundation — the gap is real but manageable. 

We are FedRAMP-authorized. Does that help with ENS?

Yes, meaningfully. FedRAMP and ENS share structural parallels — both draw from NIST control families covering access control, incident response, risk management, and data protection. FedRAMP-authorized providers can leverage their existing documentation, evidence, and technical configurations as a starting point for ENS gap assessment. However, FedRAMP authorization does not substitute for ENS certification, and the two frameworks have no mutual recognition agreement. 

What is the difference between ENS Low, Medium, and High?

The security level is determined by categorizing the information your system processes according to the potential impact of a security incident on confidentiality, integrity, and availability. Low systems handle non-critical data and certification is voluntary. Medium and High systems handle progressively more sensitive information and require mandatory certification by an ENAC-accredited body. Most commercial providers supplying core services to Spanish public entities are classified at Medium or High. 

Who can perform the ENS certification audit?

For Medium and High systems, the certification audit must be performed by a body accredited by ENAC (Entidad Nacional de Acreditación) under ISO/IEC 17065. Elevate Consult provides readiness and implementation services — we prepare your organization for the independent audit and coordinate with the accredited certification body, but the formal audit is conducted by an ENAC-accredited entity. We help you select and engage the right certification body for your scope and timeline. 

How long does ENS certification take?

Full initial certification typically takes three to six months from kickoff, depending on the scope of your system, your current security posture, and the speed of remediation for identified gaps. Organizations with mature ISO 27001 or FedRAMP programs at the start tend to complete the process faster. Demand for ENAC-accredited assessors has increased significantly since the May 2025 mandatory certification deadline — securing assessor availability early is strongly recommended. 

Does ENS apply to our subcontractors?

Yes. If a subcontractor’s systems are used in the performance of a public sector contract involving CUI or government-related data, those systems must meet ENS requirements for the applicable security level. Prime contractors are responsible for ensuring their supply chain meets ENS obligations, consistent with the supply chain security provisions introduced in Royal Decree 311/2022. 

GET STARTED

Ready to begin your ENS compliance program?

Whether you are entering the Spanish public sector market for the first time or preparing for mandatory certification of an existing system, Elevate Consult provides the gap assessment, implementation support, and audit readiness your organization needs.