Annex II of the ENS (Spanish National Security Framework) is the catalog of security measures a system must apply to be conformant. It is approved by Royal Decree 311/2022 and organizes those measures into three frameworks — organizational, operational and protection — totaling 73 measures identified by codes (org.*, op.*, mp.*). Which measures apply to you and how demanding they are depends on the system category (basic, medium or high) and on the reinforcements activated by that category. The final selection is formalized in the Declaration of Applicability.
If you are approaching ENS for the first time, Annex II is where the framework stops being theory and becomes a concrete list of things that must be implemented. Without exaggeration, it is the heart of compliance: the rest of the Royal Decree defines principles, scope and categories, but Annex II is what the auditor opens when they arrive to check whether your system is genuinely protected. In this guide I break it down framework by framework, explain how it relates to the system category, and clarify the difference between having a measure "implemented" and being able to demonstrate it.
I work on regulatory compliance for companies and entities from Castilla y León and Las Palmas, and the pattern repeats itself: most organizations stumble not because they are unaware of Annex II, but because they do not understand that each measure has a different intensity depending on the system level. Let us set this straight.
What is ENS Annex II?
Annex II of Royal Decree 311/2022 is the part of ENS (Spanish National Security Framework) that enumerates the security measures an entity must apply to protect its information systems. While Annex I sets the categories and Annex III regulates the audit, Annex II is the "what needs to be done."
Its logic is proportional. Not all measures apply to all systems: a basic-category municipal information portal does not need the same protection as the electronic office (sede electrónica) processing files with sensitive data. That is why each Annex II measure indicates whether it applies — and with what intensity — depending on the system category and, where relevant, on the level of each affected security dimension.
An important novelty compared to the previous Royal Decree 3/2010 is the reinforcement system. In the current version, many measures have a base requirement plus a series of reinforcements (identified with the letter R) that are activated as the level of demand increases. This replaces the more rigid previous scheme and allows for better-graduated protection.
The three frameworks of Annex II: organizational, operational and protection

Annex II groups the 73 measures into three frameworks. Understanding them is half the work, because each one answers a different question about how you protect information.
Organizational framework (org): the rules of the game
The organizational framework answers "who is in charge and with what rules?" These are the security governance measures that underpin everything else. It comprises four measures:
- org.1 Security policy: the highest-level document, approved by the governing body, setting the commitment, responsibilities and general framework. It is the starting point of any alignment effort. If you are interested in how it is drafted and how it connects to other frameworks, I cover it in my guide on information security policy aligned with ISO 27001 and ENS.
- org.2 Security regulations: the rules that develop the policy and describe what is and is not permitted.
- org.3 Security procedures: the step-by-step operational how-to for security-relevant tasks.
- org.4 Authorization process: the formal control over what is incorporated into the system (equipment, applications, connections, locations) and who authorizes it.
There are few measures here, but their absence is one of the most common audit findings: many entities have reasonable technical controls yet lack a formally approved policy or written procedures. Without an organizational framework, everything else is unsupported.
Operational framework (op): protecting day-to-day operations
The operational framework answers "how do I operate the system securely?" It is the most extensive and covers the operational lifecycle. Its groups are:
- op.pl Planning: risk analysis, security architecture, component procurement, sizing and capacity management.
- op.acc Access control: identification, access requirements, segregation of duties, rights management, authentication mechanisms.
- op.exp Exploitation: asset inventory, security configuration, change management, protection against malicious code, activity logging, incident management.
- op.ext External resources: use of third-party services and supply chain requirements.
- op.nub Cloud services: group introduced by Royal Decree 311/2022 for systems relying on cloud providers.
- op.cont Service continuity: impact analysis, continuity plan and periodic testing.
- op.mon System monitoring: intrusion detection and continuous surveillance.
The op.nub group is one of the major additions of the current regulation and acknowledges something obvious: today a large proportion of public services are delivered on external infrastructure, and security does not end at the organization's own perimeter.
Protection measures (mp): shielding each asset
The third framework answers "how do I protect each type of asset?" It moves from physical to logical, covering all the elements that make up a system:
- mp.if Protection of premises and infrastructure: physical access, power, climate control, fire and flood protection.
- mp.per Personnel management: role characterization, duties, awareness and training.
- mp.eq Equipment protection: workstation, screen lock, laptop protection.
- mp.com Communications protection: secure perimeter, traffic confidentiality and integrity, network segmentation.
- mp.si Information media protection: labeling, encryption, secure erasure and destruction.
- mp.sw Software protection: secure development and acceptance testing before deployment.
- mp.info Information protection: classification, encryption, electronic signature, backups.
- mp.s Services protection: email protection, web application protection, denial-of-service protection.
How many security measures does ENS contain?
Annex II of Royal Decree 311/2022 contains 73 security measures distributed across the three frameworks. The figure tends to surprise people in both directions: those coming from more extensive frameworks find it manageable, and those starting from scratch find it a lot. The key is that not all of them apply to you.
On top of those 73 measures, reinforcements operate: additional requirements activated according to the level of the affected dimensions. That is why two systems with the same number of applicable measures can have very different implementation burdens. The figure that really matters is not "how many measures does ENS have," but "how many measures and reinforcements apply to me" — and that is determined by the category.
How do the measures relate to the system category?
This is the mechanism that generates the most confusion. The sequence is:
- You assess the five security dimensions (confidentiality, integrity, availability, authenticity and traceability) of your system at low, medium or high levels. I explain this in detail in the 5 ENS security dimensions.
- You determine the system category from those levels, per Article 40 and Annex I: the system is high category if any dimension reaches high level; medium if any reaches medium (and none reaches high); and basic if any reaches low (and none reaches medium or high). If you are unsure about the category, I walk through the decision in my guide on how to choose between basic, medium and high level.
- You select from Annex II the measures that apply to that category and the reinforcements activated by each level.
In other words: dimensions set the levels, levels set the category, and the category sets which part of Annex II you must implement. You cannot pick a category "by eye"; it is a traceable chain that the auditor will reconstruct in reverse.
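As an added illustration (not code from the original article or from any CCN tool), here is a small Python model of that chain: dimension levels set the category, the category selects measures, and the dimension levels activate reinforcements, yielding Declaration of Applicability entries with a justification each. The catalog is a constructed placeholder: its codes are the article's, but the starting category of each measure and the trigger of each reinforcement are invented for the demo and are not Annex II's real table.

```python
"""Model of the Annex II selection chain described above: dimension levels
-> system category -> applicable measures and activated reinforcements -> DA entries."""
from dataclasses import dataclass, field

DIMENSIONS = ("confidentiality", "integrity", "availability",
              "authenticity", "traceability")
RANK = {"low": 1, "medium": 2, "high": 3}           # dimension levels
CATEGORY = {1: "basic", 2: "medium", 3: "high"}     # category by highest level reached
CAT_RANK = {"basic": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Measure:
    code: str
    name: str
    min_category: str                    # lowest category where the base requirement applies
    reinforcements: dict = field(default_factory=dict)   # "R1" -> (dimension, level)

# CONSTRUCTED sample catalog: the codes appear in the article, but the starting
# category and reinforcement triggers are placeholders, not Annex II's real table.
CATALOG = [
    Measure("org.1", "Security policy", "basic"),
    Measure("op.cont", "Service continuity", "medium", {"R1": ("availability", "high")}),
    Measure("op.nub", "Cloud services", "basic", {"R1": ("confidentiality", "medium")}),
    Measure("mp.info", "Information protection", "high"),
]

def system_category(levels):
    """Article 40 / Annex I rule: the category is the highest level any dimension reaches."""
    missing = [d for d in DIMENSIONS if d not in levels]
    if missing:                          # an unassessed dimension breaks the traceable chain
        raise ValueError(f"dimensions not assessed: {missing}")
    return CATEGORY[max(RANK[levels[d]] for d in DIMENSIONS)]

def declaration_of_applicability(levels, catalog=CATALOG):
    """List every catalog measure with its applicability, active reinforcements and reason."""
    cat = system_category(levels)
    entries = []
    for m in catalog:
        applies = CAT_RANK[cat] >= CAT_RANK[m.min_category]
        active = sorted(r for r, (dim, lvl) in m.reinforcements.items()
                        if applies and RANK[levels[dim]] >= RANK[lvl])
        why = (f"category {cat} reaches {m.min_category}" if applies
               else f"base requirement starts at {m.min_category}; system is {cat}")
        entries.append({"code": m.code, "applies": applies,
                        "reinforcements": active, "justification": why})
    return entries
```

Feeding `declaration_of_applicability` a constructed assessment (for example availability at high and the rest at low) returns one entry per measure, so the auditor's reverse reconstruction in the text maps directly onto the `justification` field.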
What is the difference between organizational, operational and protection frameworks?
A simple way to remember it: the organizational framework is governance (who decides and with what rules), the operational framework is operations (how the system is managed throughout its life) and the protection measures are the assets (how each specific thing is shielded). I develop this same structure, with a focus on controls, in ENS controls by framework.
| Framework | Question it answers | Example measures |
|---|---|---|
| Organizational (org) | Who is in charge and with what rules? | Policy, regulations, procedures, authorization process |
| Operational (op) | How do I operate the system securely? | Access control, exploitation, continuity, monitoring, cloud |
| Protection (mp) | How do I shield each asset? | Premises, equipment, communications, information, services |
The Declaration of Applicability: where everything lands
Article 28 of Royal Decree 311/2022 introduces the Declaration of Applicability (DA), the document that formalizes which Annex II measures have been selected for a specific system and is signed by the security officer. It is the bridge between the abstract catalog and your reality: in it you justify what you apply, what you do not, and why.
The same article allows for compensatory measures: if an Annex II measure does not fit your case, you can replace it with others that protect the asset equally or better, provided this is documented and the ENS basic principles are satisfied. This flexibility is useful, but it has fine print: the substitution must be argued and recorded — it cannot simply be assumed. In an audit, a well-constructed Declaration of Applicability saves a great many discussions.
Annex II and ISO 27001: do they overlap?
To a significant extent, yes. The CCN-STIC 825 guide maps ISO 27001 controls to ENS measures, because both frameworks share the same philosophy. If you already have an ISO 27001 management system implemented, part of Annex II work is already done: many of your controls serve as evidence. They are not interchangeable — ENS is mandatory by regulation and has its own category system — but leveraging what you already have accelerates alignment and avoids duplicating effort.
Common errors when tackling Annex II
- Starting with the technical and forgetting the organizational framework. Without formal policy and procedures, the op and mp measures have no foundation.
- Confusing "implemented" with "demonstrable." A measure without evidence (log, configuration, record) does not count in an audit. I address this in Annex III and the conformity audit.
- Inflating the category. Assigning a high level "to be safe" triggers unnecessary measures and reinforcements. The category must be justified, not inflated.
- Ignoring the supply chain. The op.ext and op.nub groups require passing requirements on to your providers, not just to your own system.
Frequently asked questions about ENS Annex II
What is ENS Annex II?
It is the part of Royal Decree 311/2022 that lists the security measures a system must apply to conform with ENS (Spanish National Security Framework). It groups 73 measures across three frameworks: organizational, operational and protection.
How many security measures does ENS contain?
Annex II of Royal Decree 311/2022 contains 73 measures, identified with codes org.*, op.* and mp.*. On top of them, additional reinforcements are activated depending on the security dimension levels of the system.
How do the measures relate to the system category?
Each Annex II measure indicates whether it applies to basic, medium or high category. You first assess the security dimensions — that sets the category — and the category determines which measures and reinforcements you must implement.
What is the difference between the organizational, operational and protection frameworks?
The organizational framework covers security governance (policy, regulations, procedures); the operational framework covers the secure operation of the system (access control, exploitation, continuity, cloud); and the protection measures shield each specific asset (premises, equipment, communications, information, services).
Do I have to apply all 73 Annex II measures?
No. You only apply those that correspond to your system category, plus the reinforcements activated by each dimension level. The final selection is documented in the Declaration of Applicability, where you justify what applies, what does not and why.
Does my ISO 27001 certification count for Annex II?
It serves as a starting point: the CCN-STIC 825 guide maps ISO 27001 controls to ENS measures, so many already-implemented controls provide evidence. It does not replace ENS, which is mandatory by regulation and has its own category scheme, but it reduces the alignment effort.
Sources
- Royal Decree 311/2022, of 3 May, regulating ENS (Spanish National Security Framework) (BOE-A-2022-7191) — consolidated text, Annex II and Article 28.
- Royal Decree 3/2010, of 8 January (BOE-A-2010-1330) — repealed regulation, evolution reference.
- ENS Portal — CCN (ens.ccn.cni.es) — official documentation and CCN-STIC guides (808, 825).
Content prepared by Summum Marketing for angelortegacastro.com. For informational purposes only; for formal ENS alignment, always verify against the current text of Royal Decree 311/2022 and the applicable CCN-STIC guides.