The National Security Framework (ENS) sets out the security measures that public-sector information systems, and the private companies that serve them, must meet. Since Royal Decree 311/2022, its scope has widened, and it affects far more SMEs than people think.
Who must comply?
The entire public administration and, by extension, any supplier that handles information or provides services to public bodies: software development, hosting, maintenance, consulting or document management.
Categories and levels
- Basic category: systems whose compromise would have a limited impact.
- Medium category: serious impact on the organisation's functions.
- High category: very serious impact, possibly harming individuals.
Each category requires a set of measures across five dimensions: confidentiality, integrity, traceability, authenticity and availability.
More and more public tenders require ENS certification as a condition of entry. A company without it is left out of the bid.
How to get certified
The process starts with a risk analysis, the categorisation of systems and the implementation of the measures in the Statement of Applicability. An accredited body then audits and issues the certification, which is renewed periodically.
At Eritia Privacidad we guide your company through the entire ENS cycle, from the initial assessment to the certification audit.


