The ENS (Spanish National Security Framework) uses five security dimensions — known collectively as CIDAT — to assess information systems and determine their category: Confidentiality, Integrity, D = Availability (from the Spanish Disponibilidad), Authenticity, and Traceability. Each dimension is rated LOW, MEDIUM, or HIGH based on the impact of a potential breach. The system's category is the highest level reached across all five dimensions. Category determines which security measures from Annex II of Royal Decree 311/2022 must be applied, and whether conformity can be self-assessed (BASIC) or requires a certified auditor (MEDIUM/HIGH).
What CIDAT means
CIDAT is the acronym formed by the initial letters of the five security dimensions defined in the ENS:
- C — Confidentiality: Only authorized parties can access the information.
- I — Integrity: Information has not been altered or destroyed without authorization.
- D — Availability (from Spanish Disponibilidad): The system and its information are accessible and usable when needed.
- A — Authenticity: The identity of users, processes, or devices can be verified.
- T — Traceability: The actions of users and systems can be tracked and audited after the fact.
These five dimensions are used in the categorization process defined in CCN-STIC 803 and Annex I of Royal Decree 311/2022. Every information system subject to the ENS must be assessed against all five dimensions.
Summary table of the five dimensions
| Letter | Dimension | Core question | Typical incident |
|---|---|---|---|
| C | Confidentiality | What happens if unauthorized parties access this information? | Data breach, unauthorized disclosure of personal data |
| I | Integrity | What happens if the information is altered without authorization? | Falsification of records, data tampering |
| D | Availability | What happens if the system is unavailable? | Service outage, ransomware, denial of service |
| A | Authenticity | What happens if we cannot verify who acted on the system? | Identity fraud, unauthorized access with stolen credentials |
| T | Traceability | What happens if we cannot reconstruct what happened? | Inability to investigate an incident, deleted audit logs |
How each dimension is rated: the three impact levels
Each CIDAT dimension is rated at one of three levels based on the potential impact of a breach affecting that dimension:
- LOW: Limited harm. Minor operational disruption, minor financial loss, minor reputational damage. The organization can absorb the impact without significant difficulty.
- MEDIUM: Serious harm. Significant operational disruption, significant financial loss, significant reputational damage, or breach of legal obligations. Recovery requires meaningful effort.
- HIGH: Very serious harm. Critical disruption of essential services, major financial loss, severe reputational damage, risk to personal safety, or criminal liability. Recovery is complex and prolonged.
The rating for each dimension should reflect the worst realistic scenario — not the average or the best case.
Confidentiality (C)
Confidentiality protects information from being accessed by unauthorized parties. It is the dimension most intuitively associated with "security" by non-specialists, but it is not the only one that matters — and for many public services, it may not even be the most critical.
Rating guidance:
- LOW: The information is already public or its unauthorized disclosure would cause only minor inconvenience (e.g., a public information website).
- MEDIUM: Unauthorized disclosure would cause significant harm to individuals or the organization (e.g., personnel records, procurement drafts, internal communications).
- HIGH: Unauthorized disclosure would cause very serious harm — risk to personal safety, criminal liability, or severe damage to national interests (e.g., criminal investigation data, classified information, critical infrastructure configurations).
Integrity (I)
Integrity ensures that information has not been altered, falsified, or destroyed without authorization. For public administrations, integrity is often the most critical dimension — a falsified record, an altered resolution, or a tampered register can have severe legal and civic consequences.
Rating guidance:
- LOW: Unauthorized alteration would cause only minor disruption and could be easily detected and corrected (e.g., a draft document with no legal effect).
- MEDIUM: Unauthorized alteration would cause significant harm and would require substantial effort to detect and correct (e.g., payroll data, procurement records).
- HIGH: Unauthorized alteration would cause very serious harm — invalidity of legal acts, significant financial loss, or harm to individuals (e.g., civil registry records, judicial resolutions, tax assessments).
Availability (D)
Availability ensures that systems and information are accessible and usable when needed by authorized parties. The "D" in CIDAT comes from the Spanish word Disponibilidad. In the context of public services, availability failures directly affect citizens' ability to exercise their rights and receive services.
Rating guidance:
- LOW: The service can tolerate prolonged downtime without significant harm (e.g., a non-critical internal intranet).
- MEDIUM: Extended downtime would cause significant disruption to service delivery or internal operations (e.g., the electronic records system of a government department).
- HIGH: Any significant downtime would have critical consequences — inability to provide essential public services, risk to personal safety, or major financial impact (e.g., emergency services systems, critical infrastructure management).
Authenticity (A)
Authenticity is the ability to verify the identity of users, processes, or devices. It answers the question: "Can we be certain that this action was performed by the party that claims to have performed it?" It underpins non-repudiation and is essential for legally valid digital signatures and electronic administrative acts.
Rating guidance:
- LOW: Inability to verify identity would cause only minor harm (e.g., access to public information resources).
- MEDIUM: Inability to verify identity would cause significant harm — invalid administrative acts, financial loss, or breach of data protection obligations (e.g., citizen-facing e-government services, financial systems).
- HIGH: Inability to verify identity would cause very serious harm — criminal liability, invalidity of critical legal acts, or risk to personal safety (e.g., electronic voting systems, qualified electronic signatures for high-value transactions).
Traceability (T)
Traceability is the ability to reconstruct the sequence of actions taken by users and systems — the audit trail. It allows incidents to be investigated, unauthorized actions to be detected after the fact, and accountability to be established. Without traceability, it is impossible to know what happened, when, and by whom.
Rating guidance:
- LOW: Inability to trace actions would cause only minor difficulty in reconstructing events (e.g., access to general public information).
- MEDIUM: Inability to trace actions would significantly impede incident investigation and accountability (e.g., financial transactions, personnel management systems).
- HIGH: Inability to trace actions would critically impair the organization's ability to detect and respond to attacks, or would constitute a serious breach of legal obligations (e.g., systems processing criminal justice data, systems managing critical infrastructure).
Example: rating a municipal notifications platform
Consider a small municipality's electronic notifications platform (used to serve formal legal notifications to citizens):
| Dimension | Rating | Reasoning |
|---|---|---|
| Confidentiality (C) | MEDIUM | Notifications may contain personal data; unauthorized disclosure would breach GDPR |
| Integrity (I) | HIGH | Falsified notification content could invalidate administrative acts or harm citizens |
| Availability (D) | MEDIUM | Extended outage would delay formal notifications, causing procedural issues |
| Authenticity (A) | HIGH | Notifications must be provably from the administration; identity fraud would invalidate acts |
| Traceability (T) | MEDIUM | Proof of delivery must be auditable; loss of trace would impair legal validity |
System category: HIGH (highest dimension is HIGH, on both Integrity and Authenticity).
How dimensions determine the system category
The rule is simple: the system's category equals the highest level reached across all five CIDAT dimensions.
| Highest dimension level | System category | Conformity pathway |
|---|---|---|
| All dimensions LOW | BASIC | Self-assessment + declaration of conformity |
| Highest dimension is MEDIUM | MEDIUM | Certification by ENAC-accredited auditor |
| Any dimension is HIGH | HIGH | Certification by ENAC-accredited auditor |
The organization's overall ENS category is the highest category across all systems in scope. A municipality with ten systems all rated BASIC but one rated MEDIUM has an overall MEDIUM category.
How dimensions relate to Annex II security measures
Annex II of Royal Decree 311/2022 lists the security measures that must be applied, organized by framework area. Each measure specifies which category levels it applies to (BASIC, MEDIUM, HIGH) and in some cases which dimensions it specifically addresses. The CIDAT dimensions are the input to this process:
| Annex II framework area | Primary dimensions addressed |
|---|---|
| Organizational framework (security policy, roles) | All dimensions |
| Operational framework (access control, continuity) | C, D, A |
| Protection measures (cryptography, backups) | C, I, D |
| Logging and audit | T, A |
| Incident management | All dimensions |
Commonly confused dimension pairs
Integrity vs Authenticity
Integrity concerns whether the content has been altered. Authenticity concerns whether the identity of the actor can be verified. A document can have high integrity (content unchanged) but low authenticity (we cannot verify who created it). Conversely, a document can have verified authorship (high authenticity) but its content may have been subsequently altered (low integrity). Both dimensions must be rated independently.
Authenticity vs Traceability
Authenticity is about verifying identity at the time of the action. Traceability is about reconstructing what happened after the fact. Authentication tells you who is acting now; traceability tells you what was done and when, retrospectively. A system can authenticate users at login (high authenticity) but fail to retain audit logs (low traceability).
Availability vs Integrity
Availability concerns whether the system is accessible and functional. Integrity concerns whether its data is accurate and unaltered. A ransomware attack typically affects both: the system becomes unavailable (an availability breach), and if data has been encrypted or deleted, the integrity dimension is affected as well. Rate them separately, based on the specific impact of each type of breach.
From dimensions to signatures and encryption
CIDAT dimensions map directly to specific technical controls:
- Confidentiality → Encryption at rest and in transit: Protects information from unauthorized access.
- Integrity → Hash functions, digital signatures, version control: Detects and prevents unauthorized alteration.
- Availability → Redundancy, backups, disaster recovery, DDoS protection: Ensures continued service.
- Authenticity → Multi-factor authentication, digital certificates, PKI: Verifies identity.
- Traceability → Audit logging, SIEM, immutable log storage: Enables post-incident reconstruction.
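The following is an added illustration of why the Integrity vs Authenticity pair above must be rated independently; it is not part of the ENS texts or of CCN-STIC 803. A plain SHA-256 digest detects alteration of content (the Integrity control) but says nothing about who produced it. A keyed tag (HMAC) stands in here for the digital-signature and PKI controls the list names: only the holder of the administration's key can produce a valid tag, so it supports Authenticity. The key, the notification text and the three scenarios are constructed for the example.

```python
"""Added example: Integrity and Authenticity are distinct checks.

digest()           -> plain hash; detects alteration (Integrity).
issue_tag()        -> keyed tag, standing in for a signature (Authenticity).
All inputs below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed key held only by the municipality's notification service.
ADMIN_KEY = b"constructed-example-key-not-a-real-secret"


def digest(content: bytes) -> str:
    """Unkeyed SHA-256: anyone can compute it, so it proves nothing about origin."""
    return hashlib.sha256(content).hexdigest()


def integrity_check(content: bytes, expected_digest: str) -> bool:
    """Integrity (I): does the content still match the digest it was delivered with?"""
    return hmac.compare_digest(digest(content), expected_digest)


def issue_tag(content: bytes, key: bytes) -> str:
    """Keyed tag: only a party holding `key` can produce it (simplified signature)."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def authenticity_check(content: bytes, tag: str, key: bytes) -> bool:
    """Authenticity (A): was this content tagged by the holder of the administration's key?"""
    return hmac.compare_digest(issue_tag(content, key), tag)


def assess(content: bytes, delivered_digest: str, delivered_tag: str, key: bytes) -> dict:
    """Rate the two dimensions separately for one delivered document."""
    return {
        "integrity": integrity_check(content, delivered_digest),
        "authenticity": authenticity_check(content, delivered_tag, key),
    }


def scenarios() -> dict:
    """Three constructed deliveries of a formal notification."""
    original = b"Notification 2024/0001: hearing scheduled for 2024-06-01"
    ref_digest = digest(original)
    ref_tag = issue_tag(original, ADMIN_KEY)

    # 1. Genuine notification, delivered intact.
    genuine = assess(original, ref_digest, ref_tag, ADMIN_KEY)

    # 2. Genuine notification altered in transit; digest and tag left as issued.
    altered = original.replace(b"2024-06-01", b"2024-07-01")
    altered_result = assess(altered, ref_digest, ref_tag, ADMIN_KEY)

    # 3. Forged notification from a party without the key, shipped with a
    #    digest and tag they computed themselves. Content and digest are
    #    consistent (integrity passes) but origin cannot be verified.
    forged = b"Notification 2024/0002: fine of 500 EUR imposed"
    forged_result = assess(forged, digest(forged), issue_tag(forged, b"attacker-key"), ADMIN_KEY)

    return {"genuine": genuine, "altered": altered_result, "forged": forged_result}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:8s} integrity={result['integrity']!s:5s} authenticity={result['authenticity']}")
```

Scenario 3 is the case the text describes as "high integrity but low authenticity": the delivered content is exactly what its digest says it is, yet nothing ties it to the administration. A real deployment would use an asymmetric signature with a certificate chain rather than a shared-key HMAC, so that authorship can also be proven to third parties (non-repudiation); the separation of the two checks is the same.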
Common errors when rating CIDAT dimensions
- Rating the organization instead of the system: Each system must be rated independently. A municipality's payroll system and its public website have very different CIDAT profiles.
- Conflating Authenticity and Traceability: These are separate dimensions. Do not substitute one for the other.
- Using average impact instead of worst-case: The rating should reflect the worst realistic scenario, not the typical or best-case impact.
- Ignoring data processed by the system: The CIDAT rating must account for all types of data the system processes, including the most sensitive.
- Over-rating to be safe: Systematically rating everything HIGH does not make the organization more secure — it triggers unnecessary certification requirements and diverts resources from genuine risks.
CIDAT dimensions in risk analysis
The CIDAT dimensions are not only used for categorization — they also structure the risk analysis. When identifying threats and estimating their impact, the analysis should consider the impact on each relevant dimension separately. A ransomware attack, for example, may have:
- HIGH impact on Availability (systems offline)
- MEDIUM impact on Integrity (data encrypted or deleted)
- LOW impact on Confidentiality (if the data was already encrypted at rest before any exfiltration, so a stolen copy is unreadable)
Analyzing impact dimension by dimension produces a more precise risk picture and leads to better-prioritized security measures.
Where to start: rating your dimensions in 5 steps
- Inventory your systems: List all information systems in scope. Each will be rated separately.
- Identify the data and services: For each system, identify what data it processes and what services it provides. This is the basis for assessing each dimension.
- Apply the impact scale to each dimension: For each of the five CIDAT dimensions, ask: "What would be the impact if this dimension were breached for this system?" Rate LOW, MEDIUM, or HIGH.
- Determine the system category: The category is the highest dimension level. Document the reasoning.
- Determine the organizational category: The overall ENS category is the highest system category across all systems in scope.
CCN-STIC 803 provides detailed guidance and worksheets for this process. For a practical walkthrough, see the complete ENS guide.
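The categorization rule ("How dimensions determine the system category") and the five-step procedure above reduce to a small calculation, shown here as an added worked example that is not part of CCN-STIC 803 or Royal Decree 311/2022. It enforces that all five dimensions are explicitly rated (as the FAQ requires), takes the highest level as the system category, records which dimensions drove it, and derives the organization-wide category from all systems in scope. The municipal notifications platform uses the ratings from the example table above; the other systems and their names are constructed.

```python
"""Added example: ENS system and organization categorization from CIDAT ratings.

Rule applied: system category = highest level across C, I, D, A, T;
organization category = highest system category in scope.
System inventories below are constructed for illustration.
"""

LEVELS = ("LOW", "MEDIUM", "HIGH")            # ordered impact scale
CATEGORIES = ("BASIC", "MEDIUM", "HIGH")      # ordered system categories
DIMENSIONS = ("C", "I", "D", "A", "T")        # Confidentiality, Integrity, Availability,
                                              # Authenticity, Traceability
CATEGORY_BY_LEVEL = dict(zip(LEVELS, CATEGORIES))
PATHWAY_BY_CATEGORY = {
    "BASIC": "self-assessment + declaration of conformity",
    "MEDIUM": "certification by ENAC-accredited auditor",
    "HIGH": "certification by ENAC-accredited auditor",
}


def validate(ratings: dict) -> None:
    """Every dimension must be rated; unknown dimensions or levels are rejected."""
    missing = [d for d in DIMENSIONS if d not in ratings]
    if missing:
        raise ValueError(f"dimensions must be rated explicitly, missing: {missing}")
    unknown = [d for d in ratings if d not in DIMENSIONS]
    if unknown:
        raise ValueError(f"unknown dimensions: {unknown}")
    bad = [(d, v) for d, v in ratings.items() if v not in LEVELS]
    if bad:
        raise ValueError(f"levels must be LOW/MEDIUM/HIGH, got: {bad}")


def highest_level(ratings: dict) -> str:
    validate(ratings)
    return max(ratings.values(), key=LEVELS.index)


def system_category(ratings: dict) -> str:
    """Category equals the highest level reached by any dimension."""
    return CATEGORY_BY_LEVEL[highest_level(ratings)]


def driving_dimensions(ratings: dict) -> list:
    """Dimensions at the top level; this is the reasoning to document."""
    top = highest_level(ratings)
    return [d for d in DIMENSIONS if ratings[d] == top]


def conformity_pathway(category: str) -> str:
    return PATHWAY_BY_CATEGORY[category]


def organization_category(systems: dict) -> str:
    """Highest system category across all systems in scope."""
    if not systems:
        raise ValueError("no systems in scope")
    return max((system_category(r) for r in systems.values()), key=CATEGORIES.index)


# Ratings from the page's municipal notifications example.
NOTIFICATIONS_PLATFORM = {"C": "MEDIUM", "I": "HIGH", "D": "MEDIUM", "A": "HIGH", "T": "MEDIUM"}

# Constructed inventory: ten BASIC systems plus one MEDIUM system (payroll).
ALL_LOW = {d: "LOW" for d in DIMENSIONS}
SMALL_MUNICIPALITY = {f"internal-system-{i}": dict(ALL_LOW) for i in range(1, 11)}
SMALL_MUNICIPALITY["payroll"] = {"C": "MEDIUM", "I": "MEDIUM", "D": "LOW", "A": "LOW", "T": "MEDIUM"}


def report(name: str, ratings: dict) -> str:
    cat = system_category(ratings)
    return (f"{name}: category {cat} (driven by {', '.join(driving_dimensions(ratings))}); "
            f"pathway: {conformity_pathway(cat)}")


if __name__ == "__main__":
    print(report("notifications platform", NOTIFICATIONS_PLATFORM))
    print(report("payroll", SMALL_MUNICIPALITY["payroll"]))
    print("organization category:", organization_category(SMALL_MUNICIPALITY))
```

Note that `validate` refuses a ratings dictionary with a dimension left out rather than defaulting it to LOW: a LOW rating is a documented decision, and the code should not make it silently.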
Frequently asked questions
What does CIDAT stand for in the ENS?
CIDAT is the acronym for the five security dimensions of the ENS: C = Confidentiality, I = Integrity, D = Availability (from the Spanish Disponibilidad), A = Authenticity, T = Traceability. These five dimensions are used to assess the security requirements of each information system and determine its category (BASIC, MEDIUM, or HIGH).
How are the CIDAT dimensions rated?
Each CIDAT dimension is rated on a three-level scale: LOW, MEDIUM, or HIGH, based on the potential impact of a security breach. LOW corresponds to limited harm. MEDIUM corresponds to serious harm. HIGH corresponds to very serious harm, including risk to personal safety or criminal liability.
How do CIDAT dimensions determine a system's ENS category?
A system's ENS category is the highest level reached across all five CIDAT dimensions. If the highest dimension is LOW, the system is BASIC. If the highest is MEDIUM, the system is MEDIUM. If the highest is HIGH, the system is HIGH. The organization's overall ENS category is the highest category across all its systems in scope.
What is the difference between Authenticity and Integrity in the ENS?
Integrity (I) refers to the property that information has not been altered or destroyed in an unauthorized manner — it concerns the accuracy and completeness of the data itself. Authenticity (A) refers to the property that the identity of a user, process, or device can be verified — it concerns who generated or transmitted the information. A document can have high integrity but low authenticity, and vice versa.
What is the difference between Authenticity and Traceability in the ENS?
Authenticity (A) is the ability to verify the identity of a user or system at the time of an action. Traceability (T) is the ability to reconstruct the sequence of activities or events after the fact — the audit trail. Authentication tells you who is acting; traceability tells you what was done and when.
Do all five CIDAT dimensions apply to every ENS system?
All five dimensions must be considered and explicitly rated for each system — they cannot simply be omitted. If a dimension has very low relevance for a particular system, it should be rated LOW with documented reasoning, not skipped.