What Is ENS (Esquema Nacional de Seguridad)?
ENS (Esquema Nacional de Seguridad) is Spain’s mandatory national cybersecurity framework, regulated by Royal Decree 311/2022. It defines the security principles, controls, and certification requirements that public administrations and their technology providers must implement to protect information systems, ensuring confidentiality, integrity, availability, authenticity, and traceability. Originally enacted in 2010 (Royal Decree 3/2010), the framework was substantially updated in 2022 to address modern cyber threats, introduce mandatory certification for Medium and High systems, align with the EU’s NIS2 Directive, and add new controls for cloud security and supply-chain protection.
Definition and legal framework
The Esquema Nacional de Seguridad (ENS), or National Security Framework, is the legal cybersecurity framework established by the Spanish government to protect information systems and electronic services operated by or on behalf of public administrations. It provides a structured, risk-based approach defining how organizations must safeguard the confidentiality, integrity, availability, authenticity, and traceability of data and digital services.
ENS was first introduced through Royal Decree 3/2010 (January 8, 2010), based on Law 11/2007. It was substantially updated by Royal Decree 311/2022 (May 3, 2022) to address the evolving threat landscape: stronger risk management, mandatory certification for Medium and High systems, cloud security and supply-chain controls, 24-hour incident reporting, and explicit alignment with the EU’s NIS2 Directive and GDPR.
Key fact: ENS scope extends beyond government agencies. Any private-sector organization that processes public sector information, provides technology services (cloud, SaaS, managed services), or supports government IT must comply, regardless of location.
Core principles
ENS is built on fundamental principles that establish a security culture beyond technical controls:
Security categories
ENS classifies systems into three categories based on potential incident impact, per Annex II of Royal Decree 311/2022:
How is the category determined? Per Annex I of Royal Decree 311/2022, by an impact assessment across five dimensions: confidentiality, integrity, availability, authenticity, and traceability. The highest value across any dimension determines the overall category.
Who must comply with ENS
ENS compliance extends to any organization involved in processing public sector information or delivering digital services to public entities:
| Organization type | Examples | Certification requirement |
|---|---|---|
| National government agencies | Ministries, central administration, regulatory agencies | Mandatory for Medium and High |
| Regional administrations | Autonomous communities and departments | Mandatory for Medium and High |
| Local government entities | Municipalities, city councils, provincial councils | Mandatory for Medium and High |
| Technology providers | Cloud, SaaS, managed security, IT outsourcing | Required by public sector contracts |
| Contractors and suppliers | Companies processing public sector data | Required by public sector contracts |
| Critical infrastructure operators | Energy, transport, health, financial services | Mandatory under ENS + NIS2 |
Public tenders: many now require ENS certification as a prerequisite. Any organization, regardless of location, processing information for the Spanish public administration must comply at the contract-required level.
Security controls and measures
Annex II of Royal Decree 311/2022 defines measures in three categories that scale by system classification:
Organizational measures
Security policies, roles (security officer, system administrator), risk analysis methodologies, and governance structures.
Operational measures
Access control, activity logging, incident management, continuity planning, change management, and supply-chain security.
Technical measures
Network protection, authentication, cryptography, system hardening, malicious code detection, intrusion prevention, and communications security.
| Control area | Basic | Medium | High (Alta) |
|---|---|---|---|
| Access control | Single-factor | Multi-factor (MFA) | Advanced MFA + privileged access |
| Activity logging | Basic audit trails | Detailed logging + retention | Centralized SIEM + real-time |
| Network protection | Perimeter firewall | Segmentation + IDS/IPS | Advanced monitoring + XDR |
| Incident response | Documented procedure | Team + CCN-CERT reporting | 24h notification + automated |
| Cryptography | Standard encryption | Validated algorithms | CCN-approved products |
| Risk analysis | Informal | Formal (PILAR) | Comprehensive + continuous |
Certification process
ENS certification validates compliance with Royal Decree 311/2022. Mandatory for Medium and High; renewed periodically:
CPSTIC catalog and the role of the CCN
The CPSTIC (Catálogo de Productos y Servicios de Seguridad TIC) is the official catalog maintained by Spain’s National Cryptologic Center (CCN). It lists cybersecurity products evaluated and certified for ENS-regulated environments.
The CCN, under Spain’s National Intelligence Center (CNI), develops security guidelines (CCN-STIC), manages the CPSTIC catalog, coordinates incident response through CCN-CERT, and defines ENS compliance criteria.
Qualified products
Certified for sensitive administrative information under ENS. Requires LINCE certification (Medium) or Common Criteria (High), plus cryptographic validation.
Approved products
For classified information (CONFIDENTIAL, SECRET). Includes design validation, cryptographic review, and secure development lifecycle analysis.
Why CPSTIC matters: Article 19 of ENS requires certified products. The CPSTIC is the official procurement reference. Inclusion is both a quality certification and a strategic market advantage.
Teldat and ENS compliance
Teldat’s be.Safe ecosystem provides integrated cybersecurity and networking solutions for ENS compliance across all categories, CPSTIC-certified at ENS Alta (High).
be.Safe Pro: network security at every level
Integrated NGFW, IPS with 15,000+ signatures, 4,000+ application decoders, 84 web filtering categories. Deployed on SD-WAN routers with Zero Touch provisioning, with no separate appliances. Covers ENS network protection, access control, and threat prevention controls.
be.Safe XDR: detection and response for Medium and High
Personalized machine learning models detect lateral movement, data exfiltration, and privilege escalation. Automated response: network reconfiguration, device isolation, and connection blocking, meeting ENS advanced detection and response requirements.
ZTNA and Zero Trust SD-WAN
Per-application, identity-based access via ZTNA. Microsegmentation across all branches via Zero Trust SD-WAN, with each branch an isolated security zone.
CPSTIC/CCN certification at ENS Alta
Solutions listed in CPSTIC at ENS Alta (High), the highest category for critical public sector deployments.
Unified compliance: NGFW (network protection) + XDR (detection/response) + ZTNA (access control) + Zero Trust SD-WAN (microsegmentation). All mapped to ENS Annex II, CPSTIC-certified, managed from a single cloud console, with Europe’s largest SD-WAN + XDR deployment (Junta de Andalucía) as proof of scale.
Frequently asked questions (FAQs)
What is ENS (Esquema Nacional de Seguridad)?
Spain’s national cybersecurity framework (Royal Decree 311/2022). Defines security principles, controls, and requirements for public administrations and their providers, ensuring confidentiality, integrity, availability, authenticity, and traceability.
Who must comply with ENS?
All Spanish public administration bodies, private companies providing technology services or processing data for public entities, critical infrastructure operators, and subcontractors.
What are the ENS security categories?
Basic (minimal impact, voluntary certification), Medium (mandatory certification), High/Alta (mandatory certification + continuous oversight). Determined by impact across five dimensions.
What is the CPSTIC catalog?
Official CCN catalog of evaluated cybersecurity products: Qualified (ENS-regulated, via LINCE/Common Criteria) and Approved (classified information environments).
How does ENS relate to ISO 27001 and NIS2?
Shares 70–80% of controls with ISO 27001, plus Spain-specific requirements. Royal Decree 311/2022 explicitly aligns with the EU’s NIS2 Directive.
Is ENS certification mandatory?
Mandatory for Medium and High. Voluntary for Basic (compliance still required). Valid two years. Required as a prerequisite in many public tenders.
How does Teldat help with ENS compliance?
be.Safe Pro and be.Safe XDR are CPSTIC-certified at ENS Alta (High). Network security (NGFW, IPS), threat detection (XDR with AI), access control (ZTNA), microsegmentation (Zero Trust SD-WAN): multiple ENS Annex II controls from a unified platform.
Achieve ENS compliance with Teldat
CPSTIC-certified cybersecurity solutions meeting ENS requirements across all categories: network protection, threat detection, access control, and automated incident response.







