
Esquema Nacional de Seguridad (ENS) Consultancy for Companies

I am Ángel Ortega Castro, independent ENS consultant. I guide your organisation through compliance with the ENS, Spain's National Security Framework (Esquema Nacional de Seguridad, RD 311/2022) so that you build trust and can tender and work with Spanish public bodies without disrupting your operations.

RD 311/2022 (current framework) · 3 categories (basic, medium, high) · 1-to-1 real accompaniment
What the ENS is and why comply

Information security with legal backing.

The Esquema Nacional de Seguridad (ENS, Spain's National Security Framework) establishes the mandatory security policy for the use of electronic means in the public sector and in organisations that provide services to it. The current regulation is Real Decreto 311/2022, de 3 de mayo, which repealed RD 3/2010 and organises its content across four Annexes — categorisation (I), security measures (II), audit (III) and glossary (IV) — under the coordination of the National Cryptologic Centre (CCN).

This is not a box-ticking exercise: ENS compliance protects your systems, opens the door to public procurement and demonstrates to your clients that you manage information with rigour and method. Here are the four reasons why it is worth doing it properly.

Real protection

You implement the Annex II measures proportionate to the risk: defence in depth across the five security dimensions (CIDAT), not isolated controls.

Demonstrable trust

ENS conformity is a credibility signal for public authorities, citizens and partners. You demonstrate that you handle their data seriously.

Tender with public bodies

More and more tender specifications require ENS conformity from suppliers and contractors. Compliance is the condition for entering and winning public tenders.

Resilience and continuous improvement

The ENS instils a management cycle (PDCA): risk analysis, monitoring, incident response and periodic audit. You improve in a sustained way.

If you would like a panoramic overview first, I recommend the complete guide to the Spanish National Security Framework and the quick ENS summary in 5 minutes.

Who is obligated

Who does the ENS apply to?

The ENS applies to the entire public sector (the central government, autonomous communities, local authorities and their dependent bodies) and also to private companies that provide services or solutions to the public sector under a contractual relationship. In other words, it covers the supply chain: ICT providers, integrators, software manufacturers, cloud services and contractors.

This extension to suppliers is explicit: Real Decreto 311/2022 establishes that private-sector operators providing services to the public sector must demonstrate ENS conformity. Its sole transitional provision gave 24 months to bring pre-existing systems into compliance, and that general deadline expired on 5 May 2024. The obligation is therefore fully in force: new systems, and existing systems undergoing significant changes, must comply from day one; conformity is renewed at least every two years; and tender specifications increasingly require it as a solvency condition, so where a specification does require it, organisations that cannot demonstrate conformity are excluded from the tender.

I go into each scenario in detail in these blog articles: when the ENS applies in the private sector, who the suppliers obligated under the ENS are, and the scope of ENS consultancy for public administrations.

Legal basis: Royal Decree 311/2022, of 3 May, regulating the Spanish National Security Framework (BOE). Implementation guidance from the CCN (National Cryptologic Centre). Independent verification is carried out by entities accredited by ENAC.
How we work

Phases of the ENS compliance service.

The ENS compliance plan follows the sequence established by the CCN-STIC guides. Nothing is improvised: each phase produces a deliverable that builds on the previous one. This is the complete roadmap, from initial diagnosis to audit preparation.

ENS compliance plan · phases and deliverables

Phase 01 · Diagnosis (gap)
  What we do: differential analysis between your current situation and the ENS requirements; definition of the scope and of the information systems affected.
  Reference and deliverable: diagnosis report / GAP analysis showing the real distance to compliance.

Phase 02 · Categorisation
  What we do: assessment of each system across the five security dimensions (CIDAT) and assignment of its category: basic, medium or high.
  Reference and deliverable: Annex I of the ENS. Determines the applicable category (basic, medium or high).

Phase 03 · Risk analysis
  What we do: identification of assets, threats and safeguards using the MAGERIT methodology (supported by tools such as PILAR).
  Reference and deliverable: MAGERIT risk analysis report and risk treatment plan.

Phase 04 · Compliance plan + SoA
  What we do: security policy, selection of measures and drafting of the Statement of Applicability (SoA), justifying each applicable control and each exclusion.
  Reference and deliverable: CCN-STIC 806 guide. Compliance plan and Statement of Applicability.

Phase 05 · Implementation
  What we do: deployment of the selected measures across the organisational, operational and protection frameworks, supporting your team throughout.
  Reference and deliverable: implementation of the Annex II measures with documented evidence.

Phase 06 · Audit / certification
  What we do: preparation and pre-audit review. For medium or high category, accompaniment during the audit conducted by the accredited body.
  Reference and deliverable: Annex III. I prepare the ENS audit; the conformity audit itself is carried out by an accredited third party.

Want to know how long each phase takes? I break it down in the ENS compliance timelines. And if your systems are already in place, I can take over directly from the ENS implementation and compliance phase.


Security categories

ENS categories: basic, medium and high.

A system's category is not a rough "low/medium/high" guess: it is determined by assessing the impact that a security incident would have on each of the five security dimensions: confidentiality, integrity, availability, authenticity and traceability (CIDAT). Each dimension is rated low, medium or high, and the highest level assigned to any dimension determines the system's category.

Basic category

Limited impact

When an incident would cause limited damage to the organisation's functions, assets or individuals.

  • No dimension exceeds the low level
  • Conformity via self-assessed declaration
  • A proportionate and manageable set of measures
Medium category

Serious impact

When an incident would cause serious damage: at least one dimension reaches the medium level and none reaches the high level.

  • At least one dimension at medium level, none at high
  • Conformity via accredited certification
  • Biennial conformity audit
High category

Very serious impact

When an incident would cause very serious, potentially irreparable damage: at least one dimension reaches the high level.

  • At least one dimension at high level
  • Conformity via accredited certification
  • Biennial conformity audit

Choosing the right category is essential to avoid over-investing or falling short. I help you decide in the guide to ENS categories and how to choose the right one, and to understand the role of the five security dimensions (CIDAT).

The two conformity pathways

Basic → declaration of conformity

For the basic category, conformity is demonstrated through a self-assessed declaration of conformity: the organisation itself verifies compliance in accordance with the CCN-STIC guides. I prepare the documentation and evidence so that your declaration is solid and well-founded.

Medium / high → accredited certification

For the medium or high category, conformity requires certification by an ENAC-accredited body under the standard UNE-EN ISO/IEC 17065:2012. I prepare you to pass it; the certificate is issued by the accredited body, never by the consultant.

If you are not sure which framework you need, compare ENS and ISO 27001 for tendering with public bodies; and for the full certification process, see the ENS certification process.

What you get

Documentation ready to demonstrate conformity.

I do not hand you a PDF that nobody ever opens again. I deliver the documentary and technical body of evidence that sustains your conformity and that the auditor — or your public-sector client — needs to see.

Why work with me

An ENS consultant who stands behind his work.

I am Ángel Ortega Castro, an independent consultant specialising in regulatory compliance and information security. I guide public administrations, ICT providers and companies tendering with the public sector through their compliance with the Spanish National Security Framework.

My approach is one of genuine, person-to-person accompaniment: I do not hand over a manual and disappear. I work alongside you at every phase, translate the regulation into concrete decisions and leave your team fully equipped to maintain conformity once the project is over.

I am honest about what I can and cannot promise: I prepare and guide your organisation towards conformity; the certificate is issued by an ENAC-accredited body. That transparency, combined with rigorous application of the current regulation (RD 311/2022, Annexes I–IV and CCN-STIC guides), is what sets me apart from anonymous consulting firms.

Independent ENS consultant · RD 311/2022, Annexes I–IV · CCN-STIC guides · MAGERIT risk analysis · Castilla y León · Canary Islands · Spain
Sectors I work with

Three typical ENS compliance profiles.

Local administration

Municipalities and local authorities.

Typically basic category, self-assessed declaration of conformity and use of CCN tools such as INES. Practical compliance proportionate to the size of the municipality.

ICT provider

Companies delivering services to public bodies.

Software providers, integrators and cloud services that need to demonstrate conformity in order to meet tender specifications and retain their public contracts.

Company tendering publicly

Organisations entering public procurement.

Private organisations preparing their ENS conformity as a solvency requirement in order to enter public tenders and expand their market into the public sector.

Indicative investment

How much does ENS compliance cost?

There is no single figure, and you should be wary of anyone who quotes one without knowing your situation. The investment depends on the scope (how many systems), the category (basic, medium or high), your starting maturity and whether you need accredited certification or a self-assessed declaration is sufficient.

Fixed-price proposal after the diagnosis: no surprises, tailored to your scope and category.

On top of the consultancy investment, medium and high category projects also incur the fee of the accredited certification body, which is separate from my fees and is invoiced directly by that third party.

On the first call we assess your scope and category and I provide a fixed-price proposal. No commitment and no inflated figures: honest guidance from minute one.
Frequently asked questions

Common questions about the ENS.

Is the ENS mandatory for private companies?

Yes, when they provide services or solutions to the public sector under a contractual relationship. RD 311/2022 extends the obligation to the entire supply chain; the general deadline for pre-existing systems expired on 5 May 2024. The obligation is fully in force and tender specifications require it as a solvency condition. I go into detail in when the ENS applies in the private sector.

Who is required to comply with the ENS?

The entire public sector (central government, autonomous communities, local authorities and their bodies) and private companies that provide services to them — that is, their suppliers and contractors. I expand on who the suppliers obligated under the ENS are.

What is the difference between the basic, medium and high categories?

It is determined by the impact of an incident on the five security dimensions (CIDAT). Basic = limited harm; medium = serious; high = very serious. The dimension with the highest level determines the system's category. I help you decide in how to choose between the basic, medium and high categories.

Who issues the ENS certification?

For medium or high category, certification is issued by an ENAC-accredited body under standard UNE-EN ISO/IEC 17065:2012. For basic category, a self-assessed declaration of conformity is sufficient. As consultant I prepare you for conformity, but the certificate is granted by the accredited third party. More detail in the basic-level declaration of conformity.

How much does achieving ENS compliance cost?

It depends on the scope, the category and your starting maturity, which is why I provide a fixed-price proposal after the diagnosis. For medium and high category, the cost of the certifying body must also be added, and that is separate from the consultancy fee.

How long does ENS compliance take?

It varies according to the category and the maturity of the system. A basic-category project is typically faster than a high-category one involving multiple systems and accredited certification. I review the timelines phase by phase in the ENS compliance timelines.

How often is the ENS audited?

For medium and high category, the conformity audit is biennial (at least every two years) and is conducted by an accredited body; a substantial change to the system triggers an extraordinary audit. For basic category, verification takes the form of the self-assessment that underpins the declaration of conformity, repeated on the same at-least-biennial cadence. I explain it in detail in how often the ENS is audited and who carries it out.

ENS or ISO 27001? Do I need both?

The ENS is mandatory for the public sector and its suppliers; ISO 27001 is a voluntary international certification. They are compatible and share many controls, so the work done for one can be leveraged for the other. I compare both frameworks in ENS or ISO 27001 for tendering with public bodies.


Next step

Shall we talk about your ENS compliance?

First call at no cost and with no commitment. We assess your scope and category, and if we are a good fit I provide a fixed-price proposal. If not, you walk away with a useful initial diagnosis to start your ENS compliance journey.