Yes, a small municipality is also obligated to comply with the ENS (Spanish National Security Framework), just like any other public administration. The good news is that a low-resource municipality almost always falls into the BASIC category — and at that level, conformity is obtained through self-assessment, with no need for a third-party accredited auditor. The realistic roadmap is: organize security, categorize systems, conduct a straightforward risk analysis, draft the declaration of applicability with its improvement plan, and then submit the declaration of conformity and upload the INES report. The Centro Criptológico Nacional (CCN) provides free guides and tools designed precisely for local authorities with limited resources.

The legal obligation: size is no exemption

One of the first things I hear at initial meetings is: "Ángel, this was designed for large administrations…" It is a widespread belief — and it is wrong. Article 2 of Royal Decree 311/2022 states clearly that the ENS applies to all public administrations, including municipalities, regardless of their population or budget. The obligation covers all information systems used to exercise public powers or provide public services.

What size does affect is the applicable category and, therefore, the conformity pathway. A municipality with 400 inhabitants that only manages a basic digital notice board and electronic records is unlikely to reach MEDIUM category — which means its path to conformity is substantially lighter.

For more context on the regulatory framework, see the complete ENS guide and the ENS for local government entities article.

The small municipality problem

Let us be honest: a municipality of 300 inhabitants typically does not have an IT department. Often there is a single clerk-comptroller who also handles payroll, accounting, and local registry tasks. Asking this person to manage ENS compliance alone, without tools or guidance, is unrealistic.

That is why the CCN has invested in resources specifically targeting small local authorities: simplified guides, free tools, and online training. The key is knowing where to look — and not over-engineering the process.

Categorization: almost always BASIC

The first substantive step in ENS compliance is categorizing the information systems. Categorization is done by applying five security dimensions — Confidentiality, Integrity, Availability, Authenticity, and Traceability (CIDAT) — to each system, using three impact levels: LOW, MEDIUM, and HIGH.

The system's category is the highest level reached across all five dimensions. The municipality's overall category is the highest category across all its systems.

For a typical small municipality:

In practice, if none of a municipality's systems reaches MEDIUM on any dimension, the municipality is BASIC, and the self-assessment pathway applies.
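The categorization rule described above (system category = highest level across the five CIDAT dimensions; organizational category = highest category across all systems; only BASIC qualifies for self-assessment) is small enough to encode directly. The following Python script is an added example written for this article, not a CCN tool or code from the original post. The inventory and the LOW/MEDIUM/HIGH ratings in it are constructed illustrations, not a real assessment of any municipality; the point of the script is the consistency check and the "drivers" output, which tells the security officer exactly which system and dimension would push the municipality out of BASIC.

```python
"""ENS categorization helper (added example, not a CCN tool).

Each system is rated LOW / MEDIUM / HIGH on the five CIDAT dimensions.
System category  = highest level reached on any dimension.
Organization     = highest category across all systems.
BASIC            = self-assessment pathway; MEDIUM/HIGH need an external audit.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MEDIUM", "HIGH")           # ordered from least to most impact
CATEGORIES = ("BASIC", "MEDIUM", "HIGH")      # category that each level maps to
DIMENSIONS = ("C", "I", "D", "A", "T")       # Confidentiality, Integrity,
                                             # Availability (Disponibilidad),
                                             # Authenticity, Traceability
CATEGORY_FOR_LEVEL = dict(zip(LEVELS, CATEGORIES))


@dataclass
class System:
    name: str
    levels: dict  # dimension code -> level, e.g. {"C": "LOW", ...}


def validate(system):
    """Refuse incomplete or misspelled assessments instead of silently guessing."""
    missing = [d for d in DIMENSIONS if d not in system.levels]
    if missing:
        raise ValueError(f"{system.name}: missing dimensions {missing}")
    bad = {d: v for d, v in system.levels.items() if v not in LEVELS}
    if bad:
        raise ValueError(f"{system.name}: invalid levels {bad}")


def system_category(system):
    validate(system)
    top = max((system.levels[d] for d in DIMENSIONS), key=LEVELS.index)
    return CATEGORY_FOR_LEVEL[top]


def organization_category(systems):
    if not systems:
        raise ValueError("no systems in scope: build the inventory first (Phase 1)")
    return max((system_category(s) for s in systems), key=CATEGORIES.index)


def conformity_pathway(category):
    return "self-assessment" if category == "BASIC" else "external audit (ENAC-accredited auditor)"


def categorize(systems):
    """Per-system categories, the overall category, the pathway, and the
    (system, dimension) pairs that set the overall level."""
    org = organization_category(systems)
    top_level = LEVELS[CATEGORIES.index(org)]
    drivers = [(s.name, d) for s in systems for d in DIMENSIONS
               if s.levels[d] == top_level]
    return {
        "systems": {s.name: system_category(s) for s in systems},
        "organization": org,
        "pathway": conformity_pathway(org),
        "drivers": drivers,
    }


# Constructed inventory for a hypothetical small municipality (illustration only).
SAMPLE_INVENTORY = [
    System("digital notice board", dict(C="LOW", I="LOW", D="LOW", A="LOW", T="LOW")),
    System("electronic registry", dict(C="LOW", I="LOW", D="LOW", A="LOW", T="LOW")),
    System("local census (padron)", dict(C="LOW", I="LOW", D="LOW", A="LOW", T="LOW")),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_INVENTORY)
    for name, cat in result["systems"].items():
        print(f"{name:28} -> {cat}")
    print("organization:", result["organization"], "|", result["pathway"])
```

Raising one system to MEDIUM on a single dimension is enough to change the pathway; the `drivers` list then points at that system and dimension so the assessment can be revisited before an audit is commissioned.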

Self-assessment: the BASIC pathway

At the BASIC category, ENS conformity does not require an ENAC-accredited external auditor. The municipality carries out a self-assessment, verifies that the applicable security measures from Annex II of RD 311/2022 are in place (or that deviations are documented with compensating measures), and issues a declaration of conformity.

This declaration is a formal document signed by the head of the organization (typically the mayor or the municipal secretary) stating that the systems have been assessed and found to comply with the applicable ENS requirements. It is registered and, where required by regional regulation, communicated to the competent supervisory body.

See the full article on the ENS declaration of conformity and self-assessment process for step-by-step detail.

The INES report: what it is and who must submit it

INES stands for Informe del Estado de la Seguridad — the National Security Status Report. It is an annual report that all public administrations subject to the ENS must submit through the CCN-CERT platform.

The INES report compiles the organization's security posture across its systems: category, implemented measures, incidents, and pending improvements. CCN uses the aggregate data to publish its annual national security status report.

Even BASIC-category small municipalities must submit the INES report annually. Failure to submit is a non-conformity that can be flagged during supervisory reviews. The CCN provides the INES tool free of charge through the CCN-CERT portal.

Where to start: the Adequacy Plan (5 phases)

The Plan de Adecuación (Adequacy Plan) is the structured roadmap that takes a public administration from zero to ENS conformity. For a small municipality, I recommend the following five-phase approach:

Phase 1 — Organize security

Designate a security officer (this can be the clerk-comptroller or an external consultant), create a minimal security policy document approved by full council, and identify all information systems in scope.

Phase 2 — Categorize systems

Apply the CIDAT dimensions to each identified system. Document the assessment and determine the category of each system and the overall organizational category. For most small municipalities, the result will be BASIC.

Phase 3 — Risk analysis

Conduct a simplified risk analysis for each system in scope. At the BASIC level, a qualitative analysis using the CCN's PILAR tool (or a simpler spreadsheet-based approach) is sufficient. The goal is to identify the main threats, estimate their likelihood and impact, and determine which security measures are most critical.

See the MAGERIT risk analysis guide for a step-by-step walkthrough applicable to small organizations.

Phase 4 — Declaration of applicability and improvement plan

Review the security measures from Annex II of RD 311/2022 that apply to the BASIC category. For each measure, document whether it is implemented, partially implemented, or not yet implemented. Where a measure is not implemented, document the compensating measure or include it in the improvement plan with a target date.

Phase 5 — Declaration of conformity and INES report

Once the measures are sufficiently implemented (or the improvement plan is formalized), issue the declaration of conformity, have it signed by the mayor or municipal secretary, and submit the annual INES report through the CCN-CERT platform.
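Phases 4 and 5 hinge on one consistency rule: every Annex II measure that is not implemented must either cite a compensating measure or sit in the improvement plan with a target date, and only then can the declaration of conformity be issued. The Python script below is an added example written for this article (not CCN code and not part of the original post) that applies that rule to a declaration of applicability and tells the security officer what still blocks the declaration. The measure IDs (A2-xx) and names are constructed placeholders, not the real Annex II codes; two further assumptions are that partially implemented measures are treated like gaps, and that an overdue target date also blocks the declaration, since an expired plan is no longer a formalized one.

```python
"""Declaration of applicability (DoA) consistency check (added example).

Rule from the Adequacy Plan: a measure that is not fully implemented needs
either a documented compensating measure or a target date in the improvement
plan. Undocumented gaps and overdue plan items block the declaration.
Measure IDs/names are placeholders, not Annex II codes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STATUSES = ("implemented", "partial", "not_implemented")


@dataclass
class Measure:
    id: str
    name: str
    status: str
    compensating: Optional[str] = None   # documented compensating measure
    target_date: Optional[str] = None    # ISO date (YYYY-MM-DD) in the improvement plan


def check_doa(measures, today):
    """Classify every measure and decide whether the declaration can be issued."""
    today = date.fromisoformat(today)
    undocumented, plan, overdue, compensated = [], [], [], []
    for m in measures:
        if m.status not in STATUSES:
            raise ValueError(f"{m.id}: unknown status {m.status!r}")
        if m.status == "implemented":
            continue
        # Assumption: "partial" is handled like "not_implemented".
        if m.target_date is not None:
            plan.append(m)
            if date.fromisoformat(m.target_date) < today:
                overdue.append(m)          # plan item that has expired
        elif m.compensating:
            compensated.append(m)          # deviation covered by a compensating measure
        else:
            undocumented.append(m)         # neither plan nor compensation: blocks declaration
    plan.sort(key=lambda m: date.fromisoformat(m.target_date))
    implemented = sum(1 for m in measures if m.status == "implemented")
    return {
        "implemented_ratio": implemented / len(measures) if measures else 0.0,
        "improvement_plan": plan,
        "overdue": overdue,
        "compensated": compensated,
        "undocumented_gaps": undocumented,
        "ready_for_declaration": not undocumented and not overdue,
    }


# Constructed DoA for a hypothetical BASIC-category municipality (illustration only).
SAMPLE_DOA = [
    Measure("A2-01", "Security policy approved by full council", "implemented"),
    Measure("A2-02", "Inventory of information systems", "implemented"),
    Measure("A2-03", "Risk analysis of systems in scope", "partial", target_date="2024-09-30"),
    Measure("A2-04", "Incident management procedure", "not_implemented"),
    Measure("A2-05", "Designated security officer", "not_implemented",
            compensating="external consultant acts as security officer under contract"),
    Measure("A2-06", "Staff security awareness training", "not_implemented",
            target_date="2024-03-31"),
]

if __name__ == "__main__":
    r = check_doa(SAMPLE_DOA, "2024-06-01")
    print(f"implemented: {r['implemented_ratio']:.0%}")
    for key in ("undocumented_gaps", "overdue", "compensated", "improvement_plan"):
        print(key + ":", [m.id for m in r[key]])
    print("ready for declaration:", r["ready_for_declaration"])
```

Run against the sample, the check reports that A2-04 has neither a compensating measure nor a deadline and that A2-06 is overdue, so the declaration is not yet ready; giving both a target date turns the result green without pretending the measures are implemented.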

Free CCN tools and guides

CCN-CERT provides a full suite of free resources for public administrations, particularly local authorities: the CCN-STIC 883 guide (ENS for local entities) together with the CCN-STIC 803, 804, 805 and 807 guides referenced in the roadmap below; the PILAR tool for risk analysis; the INES platform for submitting the annual report; LUCIA for incident management; and online training courses through the CCN-CERT academy.

Minimum roadmap table

Phase | Key actions | CCN resources | Who leads
--- | --- | --- | ---
1. Organize security | Designate security officer; approve security policy at full council | CCN-STIC 805, CCN-STIC 883 | Mayoral office / clerk-comptroller
2. Categorize systems | Inventory systems; apply CIDAT dimensions; determine category | CCN-STIC 803, CCN-STIC 883 | Clerk-comptroller / external consultant
3. Risk analysis | Identify threats; estimate likelihood and impact; prioritize measures | PILAR tool, CCN-STIC 807 | Security officer / external consultant
4. DoA + improvement plan | Map Annex II measures; document gaps; set deadlines | CCN-STIC 804, Annex II RD 311/2022 | Security officer / external consultant
5. Declaration + INES | Issue and sign declaration of conformity; submit INES report | INES platform, CCN-STIC 883 | Mayor / municipal secretary

Common errors

Where I work

I support small municipalities and local government entities across Castilla y León and the Canary Islands, as well as remotely throughout Spain. If your municipality needs support to complete the Adequacy Plan, reach out through the ENS implementation consultancy page.

Frequently asked questions

Are small municipalities legally obligated to comply with the ENS?

Yes. Article 2 of Royal Decree 311/2022 requires all public administrations — including municipalities with fewer than 1,000 inhabitants — to comply with the ENS (Spanish National Security Framework). Size does not exempt them from the obligation, but it does determine the applicable category and compliance pathway.

What ENS category do small municipalities usually fall into?

The vast majority of small municipalities fall into the BASIC category. This is because their information systems typically handle low-impact data and services. Categorization is determined by applying the five CIDAT security dimensions to each system; if the highest dimension level across all systems is LOW, the municipality is BASIC.

Does a small municipality need an external auditor for ENS conformity?

No. At the BASIC category, ENS conformity can be obtained through self-assessment and a declaration of conformity — no ENAC-accredited third-party auditor is required. An external auditor is only mandatory for MEDIUM and HIGH categories.

What is the INES report and who has to submit it?

INES stands for Informe del Estado de la Seguridad (National Security Status Report). It is an annual report that all public administrations subject to the ENS must submit through the CCN-CERT platform. It compiles the security posture of the organization's systems. Even BASIC-category municipalities must submit it annually.

Can a small municipality use CCN tools for free?

Yes. CCN-CERT provides free tools including PILAR (risk analysis), INES (report submission), and LUCIA (incident management), as well as free guides such as CCN-STIC 883 (ENS for local entities) and online training courses through the CCN-CERT academy.

How long does ENS compliance take for a small municipality?

For a BASIC-category small municipality with external support, the typical timeline is 3 to 6 months from the initial security organization phase through to the declaration of conformity and INES report submission. Internal-only projects without prior documentation can take longer.