In Spain, public-sector cybersecurity is structured around several key concepts: the National Cryptology Center (CCN), the National Security Framework (ENS), the CPSTIC Catalog, and the Qualified and Approved cybersecurity products listed within it. Although closely interconnected, each plays a distinct role within Spain’s public information security ecosystem. This article explains what each concept means, how they relate to one another, and the steps companies must follow to have their products included in the CPSTIC Catalog.

The National Cryptologic Center (CCN)

The CCN is the public body responsible for ensuring the security of information technologies within  Spain’s public sector. Operating under the National Intelligence Center (CNI), it serves as the national technical authority on cybersecurity. Its responsibilities include developing security guidelines and standards, coordinating incident response through CCN-CERT, defining technical security criteria, and managing the CPSTIC Catalog. In short, it is the central authority that defines and coordinates technical cybersecurity policy across the public sector.

The National Security Framework (ENS)

In the Spanish public sector, information is generally divided into two main categories: sensitive administrative information and classified information. Sensitive administrative information includes personal data, case files, tax and health records, and internal administrative processes. Classified information, on the other hand, refers to information whose unauthorized disclosure could compromise national defense, security, or strategic state interests, and which is governed by specific legislation on official secrets and national security.

The National Security Framework (ENS) was established to protect sensitive administrative information. It defines how public administrations and their suppliers must secure their systems and data. The ENS establishes three security levels—basic, medium, and high—based on the potential impact of a security incident. It also mandates organizational, procedural, and technical measures designed to ensure the confidentiality, integrity, availability, authenticity, and traceability of information.

The CPSTIC Catalog

The Catalog of Information and Communication Technology Security Products and Services (CPSTIC), managed by the CCN, is the official repository of cybersecurity products and services that have been evaluated and authorized for use within Spain’s public sector. Its goal is to help public administrations select reliable solutions that provide adequate technical security guarantees, according to the type of information being protected and the applicable regulatory framework.

The catalog distinguishes between two types of products:

• Qualified Products: Designed to protect sensitive administrative information governed by the ENS. Evaluation typically includes functional testing, architectural review, documentation analysis, and, in some cases, recognized certifications such as Common Criteria or LINCE.
• Approved Products: Intended for systems that handle classified information. These products must meet a higher level of assurance, particularly regarding cryptographic controls. Evaluation may include design validation, implementation testing, and secure development lifecycle analysis.

How can a company have its products included in the CPSTIC Catalog?

Companies seeking inclusion in the CPSTIC Catalog must follow a formal process defined by the CCN. The procedure varies depending on whether the product is pursuing Qualification (ENS-oriented) or Approval (for environments handling classified information).

For qualification (Qualified Product)

1. Identify the catalog category that best fits your solution.
2. Review the technical requirements defined by the CCN for that category.
3. Adapt the product to meet these requirements (functional, security, documentation, hardening, etc.).
4. Submit the required documentation, including technical evidence, architectural descriptions, manuals, and any applicable certifications.
5. Undergo technical evaluation, which may involve testing by accredited laboratories or CCN-recognized assessment processes.
6. Obtain the formal qualification resolution issued by the CCN.

While it is a demanding process, it focuses on ENS compliance and ensuring that the product provides sufficient guarantees for basic, medium, or high-level administrative environments.

For approval purposes (Approved Product)

1. Coordinate directly with the CCN to define the scope of the approval process.
2. Meet enhanced technical requirements, particularly those related to cryptography.
3. Undergo advanced technical evaluations, including design analysis, cryptographic implementation review, and testing in controlled environments.
4. Provide detailed evidence of secure development lifecycle practices and supply chain controls.
5. Obtain formal approval from the CCN.

Approval applies to systems handling classified information (e.g., CONFIDENTIAL, SECRET) and therefore involves stricter requirements than those established for qualification.

Conclusion

Inclusion in the CPSTIC Catalog is a key milestone for any company seeking to provide cybersecurity solutions to the Spanish public sector. Being part of this catalog not only signifies recognition of the quality and reliability of these products but also facilitates their adoption by public administrations seeking solutions that are properly tested and aligned with ENS requirements and classified information protection standards.

Teldat has successfully positioned its products in both categories of the catalog—Qualified and Approved—demonstrating full compliance with CCN standards. This achievement enables participation in public-sector opportunities while contributing to the strengthening of information security in Spain. Being listed in the catalog is more than just a technical certification; it is a strategic advantage that reinforces customer trust and enhances visibility within the sector.