The ENS (Spanish National Security Framework) is not exclusively for the public sector. Article 2.3 of Royal Decree 311/2022 expressly extends its scope to private companies and organizations in three main situations: when they provide services or systems to public administrations, when they operate as supply chain subcontractors for public sector contracts, and when they are legally linked to or dependent on a public body. Regulated sectors such as finance and critical infrastructure add a fourth, indirect pathway. If your company falls into any of these categories, ENS conformity is not optional — it is a contractual or legal requirement.
The legal basis: Article 2.3 of Royal Decree 311/2022
When the ENS was reformed by Royal Decree 311/2022, lawmakers made explicit what had always been implicit: private entities that interact with or support the public sector cannot be left outside the security framework. Article 2.3 states that ENS obligations extend to private parties to the extent that they provide services or operate systems on behalf of public administrations, or are legally subordinate to them.
This is not a novelty unique to Spain. The NIS2 Directive and DORA regulation at the European level follow the same logic: security obligations travel through the supply chain.
The three main ENS entry points for private companies
1. Direct service providers to the public sector
The most common scenario. If your company provides IT services, cloud hosting, cybersecurity, software development, or any other digital service to a public administration, the procurement specifications for that contract will almost certainly require ENS conformity. Bidders must demonstrate conformity at the appropriate level (BASIC, MEDIUM, or HIGH) as a condition of award. The awarded contractor must maintain that conformity throughout the contract.
In practice, this means that an SME (small and medium-sized enterprise) that wins a contract to manage a municipal website must have at least a BASIC-level ENS declaration of conformity. A technology company awarded a contract to manage health data for a regional government will likely need MEDIUM or HIGH certification.
2. Supply chain subcontractors
ENS obligations can travel down the supply chain. If your company is a subcontractor to a prime contractor that holds a public sector contract with ENS requirements, the prime contractor may — and often must — flow those requirements down to you. This is increasingly common in IT infrastructure, cybersecurity, and cloud services.
The practical implication: even if you have never bid on a public sector contract directly, if your client does, you may be subject to ENS requirements through the contractual chain.
3. Private entities linked or dependent on the Administration
Article 2.3 also covers private entities that are legally linked to or dependent on a public body. This includes publicly controlled foundations, state-owned enterprises, entities whose governing bodies are appointed by or accountable to a public administration, and similar structures. These entities are treated as equivalent to public administrations for ENS purposes and must comply directly, not merely through contractual flow-down.
The fourth pathway: regulated sectors (NIS2, DORA)
For companies in regulated sectors — financial institutions (DORA), operators of essential services, and digital service providers (NIS2) — ENS conformity may be required indirectly through sector-specific supervisory requirements. In Spain, INCIBE and CCN-CERT coordinate with sector regulators. While DORA and NIS2 do not explicitly mandate ENS certification, supervisors increasingly reference it as an accepted benchmark for demonstrating security maturity.
Five scenarios: legal basis and what each requires
| Scenario | Legal basis | ENS requirement | Conformity pathway | Who verifies |
|---|---|---|---|---|
| Direct IT service provider to public body | Art. 2.3 RD 311/2022 + contract specifications | Conformity at required level | Declaration (BASIC) or certification (MEDIUM/HIGH) | Contracting authority |
| Supply chain subcontractor | Art. 2.3 RD 311/2022 + subcontract flow-down | Conformity at level specified in subcontract | Declaration or certification per level | Prime contractor |
| Publicly controlled foundation or state-owned enterprise | Art. 2.3 RD 311/2022 directly | Full ENS compliance as if a public body | Self-assessment (BASIC) or audit (MEDIUM/HIGH) | Supervisory body + CCN |
| Regulated sector (DORA, NIS2) | DORA / NIS2 + sector supervisor guidance | Indirect — ENS as accepted benchmark | ENS conformity recognized as evidence of compliance | Sector regulator |
| Purely private company, no public sector relationship | N/A | No ENS obligation | Voluntary (e.g., for competitive differentiation) | Market / clients |
How ENS arrives through procurement documents
The most common way a private company encounters ENS requirements is through the procurement specifications (pliegos de prescripciones técnicas y administrativas) of a public tender. These documents define the technical and administrative conditions that bidders must meet. ENS conformity clauses typically appear in one of three forms:
- Admissibility condition: Bids that do not demonstrate ENS conformity at the required level are excluded at the screening stage.
- Award criterion: ENS conformity (or a higher level than minimum) awards additional points in the scoring matrix.
- Contract performance condition: The awarded contractor must obtain or maintain ENS conformity within a specified period after award, as a contract execution obligation.
Reading the procurement specifications carefully — ideally before deciding whether to bid — is the first step. If ENS conformity is required and your company does not yet have it, factor the time and cost into your bid decision.
Supply chain extension in practice
Supply chain extension is an area of growing practical importance. Prime contractors that hold ENS-required public sector contracts are increasingly including ENS flow-down clauses in their subcontracts. This means that a software development SME or a cloud infrastructure provider may find itself subject to ENS requirements not through a direct public sector relationship, but through its commercial relationship with a prime contractor.
Best practice: review your contracts with public sector prime contractors for ENS references. If present, determine what level is required and whether your current security posture meets it.
Linked or dependent entities: where the line is drawn
The concept of a "linked or dependent" private entity is sometimes misunderstood. It does not refer to any company that has a contract with the public sector — that is the service provider scenario. It refers to entities with a structural or governance link to a public body: entities where a public administration holds a majority stake, appoints the majority of governing body members, or exercises decisive influence over the entity's decisions. Examples include:
- Publicly controlled foundations (fundaciones del sector público)
- State-owned enterprises (empresas públicas)
- Entities where a public administration is the majority shareholder
- Entities subject to public sector budgetary or audit control
These entities are subject to the ENS directly and must implement it as if they were a public administration — they cannot delegate compliance to a contracting authority.
Regulated sectors: NIS2 and DORA
Companies subject to NIS2 (operators of essential services, digital service providers) or DORA (financial entities and their ICT third-party providers) face cybersecurity requirements that overlap significantly with the ENS. In Spain, supervisory guidance increasingly treats ENS conformity as an accepted — though not exclusive — benchmark for demonstrating compliance with these sector-specific frameworks.
For financial entities subject to DORA, ENS certification at MEDIUM or HIGH level provides strong evidence of ICT risk management maturity. For NIS2 entities, ENS conformity maps well to the technical and organizational measures required by Article 21 of the directive.
ENS vs ISO 27001: not the same thing
A common question: "We already have ISO 27001 — do we need ENS as well?" The short answer is yes, if your situation falls within Article 2.3 of RD 311/2022 or is required by contract. ENS and ISO 27001 are complementary but distinct:
| Dimension | ENS | ISO 27001 |
|---|---|---|
| Nature | Spanish regulatory requirement | International voluntary standard |
| Scope | Systems used in/for Spanish public administration | Any organization, any sector |
| Certification body | ENAC-accredited auditor (MEDIUM/HIGH) | Accredited certification body (IAF/EA) |
| Self-assessment option | Yes, for BASIC category | No — certification always requires external audit |
| Substitutability | ISO 27001 does not substitute ENS when ENS is required | ENS may satisfy some ISO 27001 controls |
| Renewal cycle | Every 2 years | Every 3 years (annual surveillance) |
Having ISO 27001 is valuable and can accelerate ENS compliance work, but it does not replace ENS conformity when that is what the contract or regulation requires.
Steps for private companies
- Determine applicability: Review your current and prospective public sector contracts and subcontracts. Identify any ENS requirements in procurement specifications or contractual flow-down clauses.
- Assess your situation: Are you a direct service provider, a supply chain subcontractor, or a linked/dependent entity? Each has slightly different obligations.
- Categorize relevant systems: Apply the five CIDAT dimensions (confidentiality, integrity, availability, authenticity, traceability) to the systems you use to provide services to the public sector. Determine whether the BASIC, MEDIUM, or HIGH category applies.
- Choose the conformity pathway: BASIC → self-assessment and declaration of conformity. MEDIUM/HIGH → certification by an ENAC-accredited auditor.
- Implement and document: Apply the required security measures from Annex II of RD 311/2022, document gaps and improvement plans, and issue or obtain the conformity declaration or certificate.
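Steps 3 and 4 above, and the subcontractor check in the supply chain section (does the level you already hold cover the level the contract demands?), can be worked through in a short script. The following is an added example written for this article, not code from the page or from any ENS tooling. It assumes the aggregation rule of Annex I of RD 311/2022 (a system's category is the highest level reached by any of its CIDAT dimensions), which the article itself does not spell out, and the system names and dimension levels are constructed sample data.

```python
"""Worked example: ENS categorisation and conformity-pathway gap check.

Added example, not code from the original article. Inputs are constructed.
Aggregation rule assumed from Annex I of RD 311/2022: a system takes the
highest level reached by any of its five CIDAT dimensions.
"""
from dataclasses import dataclass
from typing import Dict, List, Literal, Optional

Level = Literal["BASIC", "MEDIUM", "HIGH"]
LEVEL_RANK: Dict[str, int] = {"BASIC": 1, "MEDIUM": 2, "HIGH": 3}

# The five CIDAT security dimensions of the ENS.
DIMENSIONS = ("confidentiality", "integrity", "availability",
              "authenticity", "traceability")


@dataclass(frozen=True)
class SystemValuation:
    """Valuation of one information system: one level per CIDAT dimension."""
    name: str
    levels: Dict[str, Level]

    def __post_init__(self) -> None:
        # Reject incomplete or mistyped valuations early; a missing dimension
        # would silently lower the category computed below.
        missing = set(DIMENSIONS) - set(self.levels)
        if missing:
            raise ValueError(f"{self.name}: missing dimensions {sorted(missing)}")
        bad = [d for d, lvl in self.levels.items() if lvl not in LEVEL_RANK]
        if bad:
            raise ValueError(f"{self.name}: invalid level for {bad}")


def categorize(system: SystemValuation) -> Level:
    """Annex I rule (assumed, see lead-in): category = highest dimension level."""
    return max(system.levels.values(), key=LEVEL_RANK.__getitem__)


def conformity_pathway(category: Level) -> str:
    """Step 4 of the article: BASIC -> self-assessment and declaration;
    MEDIUM/HIGH -> certification by an ENAC-accredited auditor."""
    if category == "BASIC":
        return "self-assessment + declaration of conformity"
    return "certification by ENAC-accredited auditor"


def meets_requirement(current: Optional[Level], required: Level) -> bool:
    """True if the level the company already holds covers the level demanded
    by the procurement specification or subcontract flow-down.
    current=None means the company has no ENS conformity yet."""
    if current is None:
        return False
    return LEVEL_RANK[current] >= LEVEL_RANK[required]


def gap_report(systems: List[SystemValuation],
               current: Optional[Level]) -> Dict[str, dict]:
    """For each in-scope system: its category, the pathway it needs, and
    whether the company's existing conformity level already covers it."""
    report: Dict[str, dict] = {}
    for s in systems:
        cat = categorize(s)
        report[s.name] = {
            "category": cat,
            "pathway": conformity_pathway(cat),
            "covered": meets_requirement(current, cat),
        }
    return report


# Constructed sample: three systems a fictional SME operates for public bodies.
SAMPLE_SYSTEMS = [
    SystemValuation("municipal-website", {
        "confidentiality": "BASIC", "integrity": "BASIC", "availability": "BASIC",
        "authenticity": "BASIC", "traceability": "BASIC"}),
    SystemValuation("citizen-appointments-app", {
        "confidentiality": "MEDIUM", "integrity": "BASIC", "availability": "BASIC",
        "authenticity": "BASIC", "traceability": "BASIC"}),
    SystemValuation("regional-health-portal", {
        "confidentiality": "HIGH", "integrity": "HIGH", "availability": "MEDIUM",
        "authenticity": "HIGH", "traceability": "MEDIUM"}),
]

if __name__ == "__main__":
    # The SME currently holds a BASIC declaration of conformity.
    for name, row in gap_report(SAMPLE_SYSTEMS, current="BASIC").items():
        print(f"{name}: {row}")
```

Run as-is it reports that the BASIC declaration covers the municipal website but not the appointments app (MEDIUM) or the health portal (HIGH), both of which require certification. Swap the constructed valuations for your own and set `current` to the level you hold today to see which contracts would need a new certification before bidding.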
For detailed guidance on the certification process, see the ENS certification: process, requirements, and costs article. For implementation support, see ENS implementation consultancy.
Frequently asked questions
Does the ENS apply to private companies?
Yes, in specific cases. Article 2.3 of Royal Decree 311/2022 extends ENS obligations to private entities that provide services or systems to public administrations, act as supply chain subcontractors, or are legally linked or dependent on a public body. It does not apply to private companies that have no relationship with the public sector.
How does the ENS reach a private company through public procurement?
Public bodies include ENS conformity requirements in their procurement specifications. Bidders must demonstrate ENS conformity — either by declaration (BASIC) or certification (MEDIUM/HIGH) — as a condition of award. The awarded contractor must maintain conformity throughout the contract term.
Is ENS certification the same as ISO 27001?
No. ENS certification is a Spanish regulatory requirement specifically for systems used in or provided to Spanish public administrations. ISO 27001 is an international voluntary standard for information security management. They are complementary — many organizations obtain both — but they serve different legal and contractual purposes. ISO 27001 certification does not substitute for ENS conformity when the latter is required.
What is a 'linked or dependent' private entity under the ENS?
Article 2.3 of RD 311/2022 refers to private entities that are legally linked to or dependent on a public administration — for example, publicly controlled foundations, state-owned enterprises, or entities whose governing bodies are appointed by or accountable to a public body. These entities are treated as equivalent to public administrations for ENS purposes.