ENS - Esquema Nacional de Seguridad (English)
Ensuring security in the use of electronic media in Public Administration.
With the new regulatory text, the aim is to ensure the protection of information systems within the entities to which it applies, by reducing vulnerabilities and promoting continuous monitoring, while also establishing response mechanisms and optimal security measures within the current legal, technological, strategic, and cyber threat framework.
The ENS (Esquema Nacional de Seguridad) seeks to evolve the security policy of all Spanish public sector entities, taking into account European Union regulations aimed at increasing the cybersecurity level of information systems.
What is the Esquema Nacional de Seguridad or ENS
The Esquema Nacional de Seguridad, currently governed by RD 311/2022, establishes the security policy for the adequate protection of information and services provided through a common approach based on fundamental principles, minimum requirements, protection measures, and mechanisms for compliance and monitoring. This applies to the public sector as well as private sector technology providers collaborating with the Administration.
The purpose of the ENS is to ensure access, confidentiality, integrity, traceability, authenticity, availability, and preservation of data, information, and services used electronically by entities in the exercise of their powers, by:
- Providing the Spanish Public Sector with a common security approach for protecting the information it handles and the services it provides, thereby promoting continuous security management, which is essential for digital transformation in a context of cyber threats.
- Establishing a common language for interaction between different administrations and for setting security requirements for information security industry providers.
External Audit of the Esquema Nacional de Seguridad
Information systems are categorised into three levels to determine the importance of each system:
- HIGH Category: When any information security risk could cause catastrophic damage.
- MEDIUM Category: When any information security risk could cause serious harm, with none reaching a higher level.
- LOW Category: When information security risks do not exceed limited harm, with none reaching a serious or higher level. For LOW (also called BASIC) category systems, an audit is not mandatory; a self-assessment report is sufficient.
Security audits are mandatory for information systems classified as MEDIUM or HIGH, to be conducted every two years or whenever significant changes occur in the system that may affect security. Upon completion of the audit by a third-party entity such as DNV, an audit report will be issued indicating the level of ENS compliance and recommendations for potential corrective measures.
ENS vs ISO 27001
Companies already certified under ISO 27001 typically have a security culture that gives them a head start in achieving ENS certification, as the controls listed in ISO 27002 align with many of the security measures outlined in Annex II of the ENS.
However, ENS is a legal standard focused on protection, with mandatory requirements, whereas ISO 27001 is a management system aimed at continuous improvement and building an information security management system.
Both standards integrate well and can coexist effectively within organisations, although ISO 27001 certification is not strictly required to obtain ENS certification.
How to Get Started
To obtain certification, it is necessary to implement a validation system that meets the ENS requirements. DNV is an accredited third-party certification body and can support you throughout the process by certifying your information system under the Esquema Nacional de Seguridad. We also offer open training on ENS requirements.