Under the ENS (Spanish National Security Framework), the path to demonstrating conformity depends on the category of your systems. At the BASIC level, an organization carries out a self-assessment and issues a declaration of conformity — no external auditor is needed. At MEDIUM and HIGH levels, conformity must be certified by an ENAC-accredited third-party auditor. The declaration is a formal, signed document, valid for two years, and is accepted in public procurement as evidence of BASIC-level ENS compliance.
Declaration vs Certification: the key distinction
Royal Decree 311/2022 establishes two distinct conformity instruments, each tied to a category level:
- Declaration of conformity (BASIC): The organization self-assesses its systems against the BASIC-level security measures from Annex II of RD 311/2022 and issues a formal declaration signed by the head of the organization. No external audit is required.
- Certification of conformity (MEDIUM / HIGH): An ENAC-accredited auditor conducts an independent audit of the organization's systems and issues a certification certificate. The organization cannot self-certify at these levels.
This distinction matters enormously in practice. Many organizations assume they need an external auditor when in fact their systems are BASIC and a self-assessment suffices. Conversely, some organizations at MEDIUM or HIGH attempt to issue a declaration when the regulation requires certification.
| Dimension | Declaration of conformity (BASIC) | Certification of conformity (MEDIUM/HIGH) |
|---|---|---|
| Who assesses | The organization itself (self-assessment) | ENAC-accredited external auditor |
| Document issued | Declaration signed by head of organization | Certification certificate from auditor |
| External audit required | No | Yes (mandatory) |
| Validity | 2 years | 2 years (with annual surveillance for HIGH) |
| Cost | Low (internal effort + optional consultancy) | Medium to high (auditor fees) |
| Accepted in public procurement | Yes, for BASIC-level requirements | Yes, for MEDIUM/HIGH-level requirements |
The 7-step self-assessment process for BASIC conformity
Step 1 — Confirm your category is BASIC
Before beginning the self-assessment, verify that your systems have been formally categorized and that none of them reaches the MEDIUM level on any of the CIDAT dimensions. A system's category is set by its highest-rated dimension, so a single MEDIUM or HIGH dimension takes the whole system out of the declaration pathway: certification is required for that system.
Step 2 — Organize the security governance
Designate a security officer, draft a security policy document, and ensure it has been formally approved by the head of the organization (for public bodies, typically by full council resolution or equivalent). The security policy is the foundation of the declaration.
Step 3 — Conduct the self-assessment
Review each security measure from Annex II of RD 311/2022 that applies to the BASIC category. For each measure, document its implementation status: fully implemented, partially implemented, or not yet implemented. Where a measure is not implemented, document the compensating measure or the planned implementation date.
Step 4 — Conduct the risk analysis
Carry out a risk analysis proportionate to the BASIC category. A qualitative analysis identifying main threats, their likelihood, and their potential impact is sufficient. CCN's PILAR tool or a structured spreadsheet approach are both acceptable. Document the analysis.
Step 5 — Draft the declaration of applicability
Prepare the declaration of applicability (DoA): a document listing all applicable security measures and their implementation status. The DoA is the core evidence document that supports the declaration of conformity. It should also include the improvement plan for measures not yet fully implemented.
Step 6 — Issue and sign the declaration of conformity
Draft the declaration of conformity as a formal document. It must state: the systems covered, the category (BASIC), the assessment date, the applicable regulatory framework (RD 311/2022), that a self-assessment has been conducted and the systems found to comply with the applicable measures, and any material deviations with their planned remediation. It must be signed by the head of the organization.
Step 7 — Register and communicate the declaration
Register the declaration in the organization's document management system. Where required by regional or sector-specific regulation, communicate it to the competent supervisory body. Also submit the annual INES (National Security Status Report) through the CCN-CERT platform.
The conformity seal
CCN-CERT provides a conformity seal (distintivo de conformidad) that organizations holding a certification or a declaration may display to demonstrate their ENS status. The seal indicates the level (BASIC, MEDIUM, or HIGH) and the validity period. It is not mandatory for internal use, but it is commonly required or referenced in public procurement and commercial relationships.
For BASIC-level organizations, the conformity seal can be displayed once the declaration of conformity has been issued and, where applicable, communicated to the supervisory body. CCN does not issue the seal automatically: the organization displays it itself on the basis of its own declaration, so the seal is only as valid as the declaration (and the categorization) that supports it.
When to voluntarily certify at BASIC level
Even though self-assessment suffices at BASIC, there are situations where obtaining a third-party certification makes sense:
- Your clients or procurement targets require certified conformity (not just a declaration) as a competitive differentiator.
- Your organization is growing and expects to handle MEDIUM-category services in the near future — getting certified now reduces future costs.
- You want to demonstrate security maturity to international clients or partners who may not be familiar with the Spanish self-assessment pathway.
- Your ISO 27001 audit is upcoming and you want to consolidate both exercises.
Cost and time for self-assessment
For a small public body or SME (small and medium-sized enterprise) in the BASIC category, the self-assessment process typically takes 2 to 4 months from governance setup through to signed declaration, assuming no prior ENS documentation exists. With existing documentation, the timeline can be as short as 4 to 6 weeks.
The main costs are internal staff time (security officer, management sign-off) and optional external consultancy fees. There are no regulatory fees for issuing a BASIC-level declaration.
Renewal every 2 years
The declaration of conformity is valid for two years from the date of issue. At renewal, the organization must:
- Repeat the self-assessment against the current version of Annex II of RD 311/2022 (measures may have been updated).
- Verify that no material changes to systems or processing activities have occurred that would affect the category or applicable measures.
- Update the declaration of applicability and improvement plan.
- Issue a new signed declaration of conformity.
Renewal is not an audit — it is a new self-assessment. However, if a material change has occurred (new system, new data category, significant architectural change), the categorization must be revisited before renewal.
Common errors
- Skipping the categorization step: Issuing a declaration without having formally categorized the systems first — which makes the declared level unsubstantiated.
- Declaring BASIC when a system is MEDIUM: Applying self-assessment to a system that should be at MEDIUM or HIGH category, rendering the declaration invalid.
- No signed document: Treating the self-assessment spreadsheet as the declaration. The declaration must be a standalone signed document.
- No improvement plan: Declaring conformity without documenting the gaps and a realistic timeline for remediating them.
- Forgetting renewal: Allowing the declaration to lapse beyond two years without renewal.
Using the declaration for public sector work
When responding to public tenders that require ENS conformity at the BASIC level, the declaration of conformity is the document to present. It should be:
- Current (within the 2-year validity period)
- Signed by the authorized representative of the organization
- Specific to the systems that will be used to deliver the contracted services
- Accompanied by the declaration of applicability if requested by the contracting authority
For public procurement requiring MEDIUM or HIGH ENS conformity, a certification of conformity from an ENAC-accredited auditor is required. See ENS certification: process, requirements, and costs.
Conclusion
The ENS declaration of conformity is a practical, cost-effective instrument for organizations at the BASIC category. It requires discipline — documented self-assessment, formal governance, a signed declaration, and timely renewal — but it does not require the cost or complexity of a third-party audit. Organizations that invest in doing it properly gain a legitimate conformity credential accepted in public procurement across Spain.
For support with the self-assessment process, see ENS implementation consultancy.
Frequently asked questions
What is the ENS declaration of conformity?
The ENS declaration of conformity is a formal document in which an organization — through its own self-assessment — states that its information systems comply with the security measures required by the ENS at the BASIC category. It is valid only for BASIC-level systems. It must be signed by the head of the organization and is renewed every two years.
Is the declaration of conformity valid for public procurement?
Yes, for contracts that require BASIC-level ENS conformity. The declaration of conformity is the recognized instrument for demonstrating BASIC-level compliance and is accepted in public procurement specifications. For MEDIUM or HIGH levels, a certification of conformity issued by an ENAC-accredited auditor is required.
How often must the ENS declaration of conformity be renewed?
The ENS declaration of conformity must be renewed every two years. At renewal, the organization must repeat the self-assessment to verify that the security measures are still implemented and that no material changes have occurred that would affect the category or the applicable measures.
Can I voluntarily obtain ENS certification even if I am in the BASIC category?
Yes. Organizations in the BASIC category may voluntarily choose to obtain a certification of conformity from an ENAC-accredited auditor, even though only the self-assessed declaration is legally required. This is advisable when clients require certified conformity, when seeking competitive differentiation, or when planning to grow into MEDIUM-category services.