ENS Certification: I accompany you through the full process

I am Ángel Ortega Castro, independent ENS consultant. I accompany you through the entire ENS certification process — from the initial diagnosis to the conformity audit before an ENAC-accredited body. The accredited body issues the certificate; I prepare your organisation so you arrive ready and your company can tender with the Spanish Administration with real guarantees.

  • RD 311/2022: current framework
  • Every 2 years: validity and renewal
  • ENAC: accredits the certifiers

What it is and who it's for

The ENS certification in four key points.

The ENS certification is the formal document that accredits that an organisation's information systems meet the requirements of the Esquema Nacional de Seguridad (ENS, Spain's National Security Framework), regulated by Royal Decree 311/2022, of 3 May (BOE-A-2022-7191). It is not equivalent to an internal declaration: at medium and high category levels, the certification is issued by a product certification body accredited by ENAC in accordance with UNE-EN ISO/IEC 17065:2012, which gives it standing before the Administration and third parties. The certificate is valid for two years, after which it must be renewed through a new conformity audit.

For the complete framework in which this process sits, I recommend the comprehensive ENS guide and the article on the ENS certification process, requirements and costs.

Independent accreditation

Unlike the basic-level declaration of conformity, the ENS certificate is issued by a third party accredited by ENAC: its value does not rest on the organisation's own assertion.

Required in tender specifications

More and more public contracts require ENS certification as a condition of technical solvency. Without the certificate for the relevant category, the company is directly excluded from the tender, regardless of its actual capabilities.

Biennial validity

The ENS certificate is valid for two years. Renewal requires a new conformity audit, which ensures that the security level is maintained over time and does not become obsolete.

Integrated continuous improvement

The path to ENS certification installs a real management cycle: risk analysis, Annex II measures and periodic review. It is not a one-off formality, but a sustained security system.

Two conformity routes

Declaration of conformity or ENS certification: which one applies to you.

The ENS framework does not impose the same requirements on everyone. The route that applies to your organisation depends on the category of the information system in scope, which is determined by assessing the potential impact of a security incident across the five security dimensions — confidentiality, integrity, availability, authenticity and traceability (CIDAT). Read about the basic, medium and high ENS categories in detail before deciding.

Basic category

Declaration of conformity

When no dimension exceeds the low level, the organisation may demonstrate conformity through a self-assessment declaration of conformity, without the involvement of an external certification body.

  • The organisation verifies and declares compliance
  • Follows the applicable CCN-STIC guides
  • Requires solid documentation and evidence
  • No accredited third-party audit required

Medium category

Accredited certification

When any dimension reaches the medium level, conformity must be demonstrated through certification by an ENAC-accredited body (ISO/IEC 17065). The consultant prepares; the accredited body certifies.

  • Conformity audit by an accredited third party
  • Certificate valid for two years
  • Mandatory biennial renewal
  • Most common level among ICT suppliers

High category

Reinforced accredited certification

When any dimension reaches the high level, the requirement is the same route as for medium — certification by an ENAC-accredited body — but with a broader and more demanding set of security measures.

  • Annex II measures at their strictest level
  • Biennial conformity audit
  • Greater pre-implementation effort required
  • Common in critical public administration systems

Basic level → self-assessment declaration of conformity

The organisation verifies compliance itself in accordance with the applicable CCN-STIC guides and issues its own declaration. I prepare all the documentation and evidence so the declaration is rigorous and can withstand any review. I explain the process in detail in the article on the basic-level ENS self-assessment declaration of conformity.

Medium and high levels → certification by an ENAC-accredited body

The ENS certification is issued by a product certification body accredited by ENAC in accordance with UNE-EN ISO/IEC 17065:2012. My role is to prepare you to pass that audit: I implement the measures, generate the documentation and support you throughout. I never promise guaranteed certification: it is issued by the accredited body, not the consultant. If you need prior adequacy work, I start from the ENS consulting for companies service.

Legal basis: Royal Decree 311/2022, of 3 May, Esquema Nacional de Seguridad (BOE-A-2022-7191). Sole transitional provision: general compliance deadline for pre-existing systems was 5 May 2024. Accreditation of certification bodies: ENAC under UNE-EN ISO/IEC 17065:2012. CCN-STIC guides from the Centro Criptológico Nacional.

How it works

The ENS certification process step by step.

Obtaining ENS certification at medium or high category is not a one-off formality: it is the result of a structured process that follows the CCN-STIC guides and culminates in an audit carried out by an ENAC-accredited body. Prior preparation — which is my role as consultant — largely determines the outcome of that audit.

ENS certification process · phases, content and regulatory reference

Phase 01 · Diagnosis & scope
  • What is done: Gap analysis between the current situation and ENS requirements. Definition of scope: which information systems fall within the certification perimeter.
  • Reference and deliverable: Diagnostic report with distance to compliance and documented perimeter.

Phase 02 · System categorisation
  • What is done: Assessment of the system across the five CIDAT dimensions and assignment of the resulting category (basic, medium or high). The category determines the required conformity route.
  • Reference and deliverable: Annex I of RD 311/2022. Categorisation document with justification per dimension. See basic, medium and high ENS categories.

Phase 03 · Risk analysis
  • What is done: Identification of assets, threats, vulnerabilities and safeguards using MAGERIT methodology. Residual risk is quantified and a treatment plan established.
  • Reference and deliverable: MAGERIT risk analysis (supported by PILAR or other CCN tools). Risk treatment plan.

Phase 04 · Adequacy plan & SoA
  • What is done: Information security policy, selection and justification of applicable Annex II measures for the defined scope and category. Drafting of the Statement of Applicability (SoA).
  • Reference and deliverable: CCN-STIC 806 guide. Adequacy plan with owners and deadlines. Complete SoA.

Phase 05 · Implementation of measures
  • What is done: Deployment of selected security measures: organisational, operational and protection frameworks. Generation of evidence accrediting compliance with each control.
  • Reference and deliverable: Evidence per implemented Annex II measure. Complete documentary framework (procedures, internal policies, records).

Phase 06 · Internal pre-audit
  • What is done: Thorough review of documentation and evidence before the official audit. Identification and remediation of gaps that could lead to non-conformities. Simulation using the Annex III methodology.
  • Reference and deliverable: Pre-audit report with findings and closure plan. Annex III checklist of RD 311/2022.

Phase 07 · Conformity audit
  • What is done: The conformity audit is carried out by the ENAC-accredited certification body. I accompany you throughout, coordinate evidence delivery and manage any requests for clarification.
  • Reference and deliverable: Annex III of RD 311/2022. The audit is conducted by the accredited body; the consultant supports and accompanies.

Phase 08 · Certificate issuance & renewal
  • What is done: The accredited body issues the ENS certificate (valid for two years). A monitoring plan is put in place to maintain conformity and prepare the biennial renewal before the certificate expires.
  • Reference and deliverable: ENS certificate issued by the accredited body. Monitoring plan and roadmap for renewal within 24 months.

Full details are available in the article on the ENS certification process, requirements and indicative costs.

Who certifies

Certification bodies accredited by ENAC.

Only product certification bodies holding express accreditation from ENAC (Entidad Nacional de Acreditación) under UNE-EN ISO/IEC 17065:2012 for the ENS scheme may issue the ENS certification. This accreditation is not automatic: ENAC evaluates the body's technical competence, impartiality and procedures before authorising it.

You can check the current list of ENAC-accredited ENS certification bodies at any time on the ENAC public search tool. The CCN also publishes guidance on the process at ens.ccn.cni.es. Once your certificate is obtained, your company will appear in the list of ENS-certified companies managed by the CCN.

How to choose the right certification body?

Selection criteria

All ENAC-accredited bodies meet the minimum technical requirements. The differences between them lie in sector experience (auditing a document management system is not the same as auditing a cloud services platform), availability and lead times (the most in-demand bodies may have waiting lists), the clarity of their audit process and costs, which vary according to the scope and complexity of the system. I recommend requesting proposals from two or three bodies before committing.

The consultant's role with the certifier

As a consultant, my job is to prepare your organisation so the accredited body's audit runs without surprises. That means documentation is complete, evidence is verifiable and your team knows what to expect during the audit. I have no commercial relationship with any certification body: I support you independently of whichever you choose, which guarantees neutral advice. Once the body is selected, I coordinate communication and evidence delivery throughout the process.

For the full pre-audit preparation process, see what the ENS consulting for companies service covers before reaching the certification audit.

Why it matters for your business

Three reasons why ENS certification opens doors.

Public procurement

ENS certification as a solvency requirement.

Technical specifications in public ICT contracts are increasingly incorporating ENS conformity as a solvency criterion or contractual obligation. Without the certificate matching the system's category, the company cannot submit a bid. The general compliance deadline expired on 5 May 2024: the obligation is fully in force.

Competitive differentiation

Demonstrable trust with administrations and clients.

ENS certification does not only open doors in contracts that explicitly require it. It also differentiates your company from competitors that do not yet hold it, signals maturity in information security and facilitates relationships with public bodies that value independent accreditation over self-declarations.

Supply chain

A requirement that cascades through the entire supply chain.

Administrations that must certify their own systems in turn require their suppliers and subcontractors to comply with the ENS for the systems they contribute to the service. Holding the certification makes your company an eligible supplier throughout the entire public-sector value chain, significantly expanding your addressable market.

What you get

Documentation and support to pass the audit.

My work finishes when the accredited body issues your certificate. This is what we build together during the preparation process.

Why work with me

An ENS consultant who does not deal in smoke and mirrors.

I am Ángel Ortega Castro, an independent consultant specialising in regulatory compliance and information security. I support companies providing services to the public sector through the entire process leading to ENS certification: from the initial diagnosis to the day the ENAC-accredited body issues the certificate.

I am honest from the outset about what I can and cannot promise. I prepare and adapt your organisation for the conformity audit; the certification is issued by the ENAC-accredited body, never by the consultant. Anyone who promises you guaranteed certification is either misleading you or does not understand the process.

My methodology combines the rigour of RD 311/2022 and its Annexes I, II, III and IV, the CCN-STIC guides, the MAGERIT risk analysis methodology and genuine person-to-person accompaniment. The goal is not to generate paperwork, but for your team to emerge from the process with a security system that works and that can sustain conformity over time.

  • Independent ENS consultant
  • RD 311/2022 · Annexes I–IV
  • CCN-STIC guides
  • MAGERIT · risk analysis
  • No ties to certification bodies
  • Castile and León · Canary Islands · Spain

Indicative costs

How much does ENS certification cost?

The total cost of obtaining ENS certification has two clearly separate components that should not be conflated. On one hand, the consulting fees for process preparation (diagnosis, categorisation, risk analysis, implementation, pre-audit and accompaniment). On the other, the fees of the ENAC-accredited certification body, which are invoiced directly by the third party and are independent of consulting fees.

Fixed-price quote after the initial diagnosis
No surprises · separate from the certifier's cost

The consulting investment varies according to the system scope (number of systems, technological and organisational complexity), the resulting category (basic, medium or high) and the starting maturity level. A system with good pre-existing security practices requires less implementation effort than one starting from zero. Preparing a self-assessment declaration of conformity for basic category is also very different from accompanying a high-level certification audit covering multiple systems in the perimeter.

In the first call we assess your scope, probable category and starting point. If it makes sense to work together, I present a fixed quote with no surprises. If not, you come away with useful guidance at no cost and no commitment.

For more context on typical market ranges, see the article on the ENS certification process and indicative costs.

Frequently asked questions

Common questions about ENS certification.

What exactly is ENS certification and what is it for?

ENS certification is the formal document that accredits that an organisation's information systems meet the requirements of the Esquema Nacional de Seguridad (RD 311/2022). It is issued by a product certification body accredited by ENAC in accordance with UNE-EN ISO/IEC 17065:2012. It serves to demonstrate to the Administration and to third parties that the organisation manages information security at the required level, and is a prerequisite in many public contracts. See the detail in the article on the ENS certification process, requirements and costs.

What is the difference between a declaration of conformity and ENS certification?

The declaration of conformity is the route for basic-category systems: the organisation itself verifies and declares compliance, without the involvement of an accredited third party. ENS certification, on the other hand, is mandatory for medium and high-category systems, and is issued by an ENAC-accredited certification body following an independent conformity audit. I explain this in more detail in the article on the basic-level self-assessment declaration of conformity.

At which ENS levels is certification by an accredited body mandatory?

Certification by an ENAC-accredited body is mandatory for medium and high-category systems. For basic-category systems, the route is the self-assessment declaration of conformity. The category is determined by assessing the impact of a security incident across the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability). For more detail, see the basic, medium and high ENS categories.

Who can issue the ENS certification?

Only product certification bodies accredited by ENAC under UNE-EN ISO/IEC 17065:2012 for the ENS scheme may issue the ENS certification. The CCN itself does not issue individual certificates to companies, and consultants cannot certify either: the consultant prepares and accompanies; the accredited body audits and certifies. You can check who they are on the page about how to consult the list of ENS-certified companies.

How long does the ENS certification process take?

The timeline depends on system scope, category and starting maturity. In general, full preparation (diagnosis, risk analysis, measure implementation and pre-audit) can take several months; to that must be added the certification body's availability. An organisation starting from zero facing a high category takes significantly longer than one with existing controls facing medium category. See timeline details in the article on the ENS certification process.

How often must ENS certification be renewed?

The ENS certificate is valid for two years. Once that period has elapsed, the organisation must undergo a new conformity audit by the accredited body to renew the certificate. This is why it is important to establish from the outset a monitoring plan that maintains the conformity level throughout the certificate's validity and allows the renewal to be approached without last-minute pressure.

What happens if a public-sector supplier does not hold ENS certification?

If the contract specifications require ENS conformity as a solvency criterion or contractual obligation, a company that cannot demonstrate it is excluded from the tender process or is in breach of its contractual obligations. Furthermore, the general compliance deadline for pre-existing systems expired on 5 May 2024, so the obligation is fully in force. Tendering without the required accreditation may give rise to contractual and administrative liability.

Can I obtain ENS certification for multiple systems at once?

Yes, although it is important to define the certification scope carefully from the start. The accredited body certifies the system or set of systems included in the defined perimeter; expanding the scope afterwards requires a new audit. As a consultant, a key part of my work is helping you define the most appropriate scope: broad enough to cover what the tender specifications require, but no more than necessary to avoid unnecessarily increasing cost and effort.

Next step

Shall we talk about your ENS certification?

First call at no cost and no commitment. We assess your scope, probable category and starting point. If it makes sense to work together, I present a fixed quote. If not, you take away useful guidance to move forward.