The Esquema Nacional de Seguridad, adopted by Royal Decree 311/2022 of 3 May, sets out the minimum security principles and requirements for Spanish public-sector information systems and for the private-sector entities that supply services to them. Its scope is broader than many companies realise: if you participate in public tenders, if you process citizens' data on behalf of a public authority, or if your software runs on public-sector infrastructure, the ENS applies to you in full. The transitional provision of RD 311/2022 allowed 24 months from the regulation's entry into force — 5 May 2022 — for existing systems to comply; that deadline passed on 5 May 2024. Operating without compliance today constitutes a breach that may jeopardise your access to public procurement and create liability for the contracting authority.
Summum Calidad approaches ENS compliance through the lens of information security management — the same lens that governs ISO 27001:2022. The two frameworks are not separate worlds: the ENS organises its requirements around a management system — security policy, risk analysis, proportionate control selection and implementation, management review, continuous improvement — which is essentially the ISO 27001 PDCA cycle applied to the Spanish public-sector context. When an organisation already holds ISO 27001 certification, or is working towards it, ENS compliance builds on existing work: Annex A controls from ISO 27001:2022 overlap with Annex II measures of the ENS, documentation serves both frameworks, and a single internal audit cycle covers the requirements of both standards. The savings compared with two parallel projects are estimated at between 30% and 40% in cost and internal effort.
System categorisation — the mandatory starting point of the ENS, governed by Annex I of RD 311/2022 — determines the level of requirement that applies: basic, medium or high, according to the impact that a security incident would have on the five security dimensions (confidentiality, integrity, availability, authenticity and traceability, or CIDAT). This categorisation defines which Annex II measures are mandatory and which conformity route is required: for basic-category systems, a self-assessed declaration of conformity suffices; for medium or high, certification by an ENAC-accredited inspection body under UNE-EN ISO/IEC 17065 is required. Summum Calidad does not issue that certification — that is the exclusive competence of accredited third parties — but we do prepare your system to pass it: gap analysis, control implementation, evidence documentation and a rigorous pre-audit review before the conformity auditor arrives.
The ENS is one piece of your company’s overall compliance. The legal layer —data protection (GDPR), outsourced DPO, whistleblowing channel, criminal compliance, equality plans and anti-money-laundering— is handled by our specialised division, Summum Consultoría, giving you a single compliance partner.