E-government and the ENS (Spanish National Security Framework) go hand in hand because one cannot exist without the other: when an administration allows you to submit a document at its electronic headquarters, receive a notification or consult a file online, it is handling information and services by electronic means, and ENS is the legal framework that guarantees those means are secure. ENS is enacted under Article 156 of Law 40/2015 and protects five security dimensions — confidentiality, integrity, traceability, authenticity and availability — across every electronic headquarters and service. Put differently: e-government is the "what" (paperless procedures) and ENS is the "how it is done securely."

I have spent years supporting local councils, public bodies and companies that provide services to public administrations through ENS implementation, and there is one idea I repeat in almost every initial meeting: ENS is not a bureaucratic whim or an isolated technical standard. It is the logical consequence of having digitalized the relationship between citizens and the administration. From the moment the law gives you the right to interact electronically with any administration, someone must be responsible for ensuring that interaction cannot be manipulated, impersonated or brought down. That someone is ENS.

In this article I explain how ENS and e-government are related, where that connection comes from, exactly what the framework protects in an electronic headquarters or registry, and who it obliges. I do so with the real regulatory sources in front of me — Royal Decree 311/2022, Law 40/2015, Law 39/2015 — and without inventing articles, because in compliance matters precision is not an ornament: it is the work itself.

What is e-government and why does it need security?

E-government is, simply put, the provision of public services and the processing of administrative procedures by electronic means rather than on paper and at a physical counter. When you apply for a grant from home, when you receive a tax notification in your electronic mailbox, or when a local council publishes a file at its electronic headquarters, you are inside e-government.

Its legal backbone consists of two laws from 2015. Law 39/2015, of 1 October, on the Common Administrative Procedure of Spanish Public Administrations, regulates the "outward-facing" relationship: citizens' rights to interact electronically, the electronic registry, electronic notifications, identification and signature. Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, regulates internal functioning and interaction between administrations: the electronic headquarters, the electronic seal and data exchange. Crucially, it is also the law that enables the ENS.

However, digitalizing a procedure multiplies the risks. In a physical office, forging a seal, impersonating an official or intercepting a document requires physical presence and leaves a physical trail. In the electronic world, those same attacks can be executed remotely, at scale, and almost without trace if there are no controls. What is the point of a right to receive electronic notifications if anyone could read your notification, alter it or prevent you from receiving it? E-government is only viable if those who use it can trust it. And that trust is not decreed: it is built with verifiable security measures. That is ENS's role.

What is the relationship between ENS and e-government?

The relationship is one of means to end. E-government is the end — delivering services and processing procedures without paper — and ENS is the means that ensures that end is achieved securely. They are not two parallel worlds: ENS was created expressly to provide security for e-government.

This is not my interpretation; it is in the original title of the standard. The first ENS, approved by Royal Decree 3/2010, was literally titled "regulating the National Security Framework in the field of Electronic Administration." The link is in the name. Royal Decree 311/2022, now in force, extended the scope to the entire public sector, but the essence did not change: wherever information is processed and services are provided by electronic means, ENS must be present.

I see this every day. When a local council says "we want to comply with ENS," what they are actually asking is: "we want our electronic headquarters, our registry and our notifications to function without anyone being able to break, impersonate or bring them down." ENS is the translator between that legitimate concern and a concrete, auditable, enforceable set of measures. If you want to understand the full framework, I develop it in my complete guide to ENS (Spanish National Security Framework).

The shared origin: from Law 11/2007 to Article 156 of Law 40/2015

To understand why ENS and e-government share the same DNA, we need to look back. E-government was formally born with Law 11/2007, of 22 June, on citizens' electronic access to public services. That law recognized for the first time citizens' right to interact with the administration by electronic means, and in its articles it provided for two twin instruments to make this possible in a secure and interoperable way: the National Security Framework (ENS) and the National Interoperability Framework (ENI).

ENS was developed through Royal Decree 3/2010 and interoperability through Royal Decree 4/2010. They were two sides of the same coin: an e-government system that is neither secure nor interoperable is worthless.

When Law 11/2007 was repealed and its content distributed between Laws 39/2015 and 40/2015, ENS did not disappear: it was relocated. Today its legal anchor is Article 156 of Law 40/2015, which in paragraph 2 states that the National Security Framework aims to establish the security policy in the use of electronic means and consists of the basic principles and minimum requirements that adequately guarantee the security of processed information. That same Article 156 identifies it as an instrument for achieving security and the protection of personal data in systems adopted by public administrations.

To summarize the regulatory chain directly: e-government and ENS were born together in Law 11/2007 (Article 42), developed in parallel in 2010, and today coexist in the 2015 laws, where Law 39/2015 grants rights to citizens and Law 40/2015 (Article 156) enables the ENS that protects the exercise of those rights. Royal Decree 311/2022 is the piece that regulates ENS in detail.

The five security dimensions of ENS

The technical heart of ENS consists of its five security dimensions. All information and all services that an administration handles electronically are assessed according to how much damage would be caused if each of these dimensions were compromised. From that assessment come the system categories (basic, medium or high) and, with them, the measures to be implemented.

The five dimensions, set out in Royal Decree 311/2022, are confidentiality, integrity, traceability, authenticity and availability.

These five dimensions are not abstract: they apply concretely to each element of e-government you use. I develop this further in the table below, but keep in mind the key idea: the headquarters you visit, the registry where you submit your documents and the notification you receive are — if the administration complies with ENS — protected across all five dimensions simultaneously.

How ENS protects electronic headquarters and services

This is where the relationship between ENS and e-government stops being theory. Let us take the main elements that Law 39/2015 and Law 40/2015 make available and see what ENS does for each one.

The electronic headquarters is the electronic address owned by an administration through which you interact with it (defined in Article 38 of Law 40/2015). ENS requires that headquarters to guarantee authenticity — that it is genuinely the official headquarters and not an impersonation — the integrity of the information it publishes, and availability so it does not go down when deadlines are at stake.

The electronic registry, which Law 39/2015 requires all administrations to maintain, receives and formally logs your documents. ENS ensures that what you submit is recorded with a time stamp, is not altered (integrity) and that an indelible record of the entry remains (traceability).

Electronic notifications are perhaps the most sensitive case, because deadlines and rights depend on them. ENS ensures that the notification arrives intact, that only the relevant party can access it (confidentiality) and that the exact moment of its dispatch and access is recorded (traceability and authenticity).

Identification and electronic signature are the gateway to everything above. ENS underpins the systems that guarantee the signing party is who they claim to be (authenticity) and that the signature cannot be repudiated afterwards.

In my experience, when an administration understands this mapping, it stops seeing ENS as a burden and starts seeing it for what it is: the safety belt of its own e-government. If you want to see how this translates into a real project, I describe it on my ENS implementation consultancy page.

Table: the 5 ENS security dimensions applied to e-government

This is the table most often requested when I explain ENS to teams coming from an e-government background. It connects each abstract dimension of the framework with what it guarantees in practice, with a concrete example from an electronic headquarters or service.

| ENS dimension | What it guarantees | Example in an electronic headquarters or service |
| --- | --- | --- |
| Confidentiality | Only authorized parties can access the information. | Your electronic notification cannot be read by another citizen or by unauthorized staff. |
| Integrity | Information is not altered without authorization. | The document you submit to the electronic registry arrives and is preserved exactly as you sent it. |
| Traceability | A record exists of who did what and when. | Every registry entry and every access to a notification leaves a dated, indelible trail. |
| Authenticity | The identity of the acting party and the origin of the information are guaranteed. | Certificate-based signatures and the electronic headquarters itself are verifiable and cannot be impersonated. |
| Availability | Information and services are accessible when needed. | The headquarters and registry remain operational on the last day of a call's deadline. |

Who is obliged by ENS within e-government?

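This is the question that determines whether ENS affects you. Royal Decree 311/2022, in line with Law 40/2015, has a very broad scope of application. In essence it obliges the entire public sector and also private companies that provide services or technology solutions to Spanish Public Administrations when, in doing so, they process information or systems within ENS scope.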

For local entities this point is especially relevant, as they are closest to citizens and manage the most electronic headquarters and registries. If you work in or with a local council, my specific article on ENS in local councils and local administration will be useful. And if your organization provides services to the public sector from Castilla y León or from Las Palmas, those are the two regions where I support most of these projects.

ENS, interoperability and data protection: the complete ecosystem

ENS does not work alone. It forms part of an ecosystem of standards that make e-government function, and it is worth not confusing them.

Its historical counterpart is the National Interoperability Framework (ENI), regulated by Royal Decree 4/2010. If ENS answers "let it be secure," ENI answers "let the systems understand each other." Both were born from the same Article 42 of Law 11/2007 and are complementary: there is little value in two administrations being able to exchange data (interoperability) if that exchange is not secure, and little value in its being secure if the systems cannot communicate. ENI itself refers to ENS for everything beyond what is strictly necessary for interoperability.

On the other side sits personal data protection. ENS and GDPR are not the same, but they reinforce each other: Article 156 of Law 40/2015 expressly mentions the protection of personal data as one of ENS's objectives, and many ENS measures (encryption, access control, activity logging) are simultaneously personal data security measures. Complying with ENS gets a large part of the technical GDPR work done, even though each has its own regulatory regime.

International security standards such as ISO 27001 coexist with ENS. They share the framework's philosophy, although their adoption is voluntary. Many organizations that already have ISO 27001 find it greatly facilitates their ENS alignment.

From obligation to practice: how compliance is demonstrated

Complying with ENS is not about declaring it — it is about demonstrating it. The framework requires each organization to assess its systems, select the applicable category (basic, medium or high), implement the Annex II measures that apply and, depending on the case, accredit this through self-assessment or certification with an audit.

The distinction matters: basic-category systems can accredit their conformity through self-assessment, while medium- and high-category systems require formal certification following an audit by an accredited body. I detail that process, with its timelines and costs, in my article on ENS certification: process, requirements and costs.

In practice, the path I recommend to any administration or provider is orderly: first understand what information and electronic services you handle, then categorize them according to the five dimensions, next close the gap with the missing measures and, finally, accredit what has been achieved. It is not a one-week project, but it is not the monster many fear when they first encounter it either. With a good baseline map, it is perfectly manageable.

Frequently asked questions

What is the relationship between ENS and e-government?

It is a means-to-end relationship. E-government allows procedures and services to be delivered online, and ENS is the legal framework that ensures those electronic means are secure. ENS was created precisely to provide security for e-government: the first framework, Royal Decree 3/2010, carried "in the field of Electronic Administration" in its title. Today its legal anchor is Article 156 of Law 40/2015.

Why does e-government need ENS?

Because digitalizing a procedure multiplies the risks of manipulation, impersonation or service interruption. Without security guarantees, the rights that Law 39/2015 grants citizens — receiving notifications, submitting documents, identifying themselves electronically — would not be reliable. ENS provides those guarantees through five dimensions: confidentiality, integrity, traceability, authenticity and availability.

What electronic services does ENS cover?

ENS covers all information and all services provided by electronic means within its scope: electronic headquarters, electronic registries, electronic notifications, identification and signature systems, data exchange between administrations and, in general, any system that processes information within the e-government framework of the public sector.

Does ENS apply to electronic headquarters?

Yes. The electronic headquarters is one of the core elements protected by ENS. The framework requires the headquarters to guarantee its authenticity (that it is the official site and not an impersonation), the integrity of the information it provides, and its availability — especially important when administrative deadlines are at stake.

Does ENS only oblige public administrations?

Not only them. Royal Decree 311/2022 obliges the entire public sector, but also private companies that provide services or technology solutions to Spanish Public Administrations when, in doing so, they process information or systems within ENS scope. Many technology providers discover that ENS applies to them too.

What is the difference between ENS and the National Interoperability Framework?

ENS (Royal Decree 311/2022) ensures that e-government systems are secure; the National Interoperability Framework or ENI (Royal Decree 4/2010) ensures that those systems can understand and exchange information with each other across administrations. They are complementary and were born from the same Article 42 of Law 11/2007.

How does an administration demonstrate ENS compliance?

By assessing its systems, assigning them a category (basic, medium or high) and implementing the corresponding measures. Basic-category systems can prove compliance through self-assessment; medium- and high-category systems require certification following an audit by an accredited body.

Content prepared by Summum Marketing.