Companies and organizations that hold ENS (Spanish National Security Framework) conformity are listed on the CCN-CERT governance platform at gobernanza.ccn-cert.cni.es. The registry is publicly accessible and searchable. "ENS certified" is an umbrella term: BASIC-category entities hold a self-assessed declaration of conformity, while MEDIUM and HIGH-category entities hold a certification of conformity issued by an ENAC-accredited auditor. All three levels appear in the registry. The conformity seal can be verified by cross-referencing it against the registry before awarding a contract or entering a supplier relationship.
What it means for a company to be "ENS certified"
The term "ENS certified" is used loosely in the market, and it is worth unpacking precisely what it means at each level:
- BASIC — Declaration of conformity: The organization has self-assessed its systems against the BASIC-level security measures of Annex II of Royal Decree 311/2022 and issued a formal declaration signed by its head. No external auditor is involved. The declaration is valid for two years.
- MEDIUM — Certification of conformity: An ENAC-accredited auditor has independently assessed the organization's systems and issued a certification certificate. The certificate is valid for two years, with possible surveillance requirements.
- HIGH — Certification of conformity: As for MEDIUM, but with more stringent security measures and typically with annual surveillance audits within the two-year cycle.
In strict regulatory language, "certification" applies only to MEDIUM and HIGH levels — BASIC-level entities hold a "declaration," not a "certification." However, in commercial usage, "ENS certified" often refers to any of the three levels. Always verify the specific level when evaluating a supplier.
Where to find the ENS certified entities registry
The primary registry for ENS conformity is the CCN-CERT governance platform, accessible at:
gobernanza.ccn-cert.cni.es/certificados
The registry lists:
- The name of the certified entity
- The conformity level (BASIC, MEDIUM, or HIGH)
- The scope of the certification (which systems or services are covered)
- The certification date and expiry date
- For MEDIUM/HIGH: the ENAC-accredited auditor that issued the certificate
The registry is publicly accessible without registration. Search by entity name or browse by sector and level.
The conformity seal: what it is and how it is used
CCN-CERT provides a conformity seal that entities may display on their website, marketing materials, and tender submissions. The seal visually communicates the level of ENS conformity achieved and its validity period.
Key points about the conformity seal:
- It indicates the conformity level (BASIC, MEDIUM, or HIGH) and the validity dates.
- It is not automatically issued by CCN — the entity makes it available following its declaration or upon receiving certification.
- Displaying a seal for a lapsed, suspended, or non-existent conformity is misleading and may have legal consequences under both competition law and public procurement regulations.
- Contracting authorities are entitled to verify the seal against the CCN registry before awarding contracts.
How to verify ENS conformity: a 3-step process
- Ask the supplier: Request the declaration of conformity document (BASIC) or the certification certificate (MEDIUM/HIGH), including the scope, level, and validity dates.
- Cross-reference against the CCN registry: Check the entity in the CCN-CERT governance platform to confirm the conformity is current and matches the claimed level and scope.
- For MEDIUM/HIGH, verify the auditor: Confirm that the auditor that issued the certificate is ENAC-accredited for ENS certification. ENAC publishes its list of accredited entities at enac.es.
Declaration vs Certification: comparison table
| Dimension | Declaration (BASIC) | Certification (MEDIUM/HIGH) |
|---|---|---|
| Who assesses | The organization itself | ENAC-accredited external auditor |
| Document | Declaration signed by head of organization | Certificate issued by auditor |
| CCN registry | Listed at BASIC level | Listed at MEDIUM or HIGH level |
| Validity | 2 years | 2 years (annual surveillance for HIGH) |
| Cost | Low (internal + optional consultancy) | Medium to high (auditor fees) |
| Accepted in procurement | For BASIC-level requirements | For MEDIUM/HIGH-level requirements |
Certificate validity and audit cycle
ENS conformity — whether by declaration or certification — is valid for two years from the date of issue. At the end of the two-year period:
- BASIC: The organization must conduct a new self-assessment and issue a new declaration of conformity.
- MEDIUM: The organization must undergo a new audit by an ENAC-accredited auditor.
- HIGH: As for MEDIUM, plus annual surveillance audits during the two-year cycle to verify continued compliance.
Conformity that has lapsed beyond two years without renewal is no longer valid for procurement purposes. Always check the expiry date in the CCN registry, not just the entity name.
How to get your company onto the ENS certified list: a 5-step process
- Categorize your systems: Apply the five CIDAT dimensions to all information systems in scope. Determine whether the applicable category is BASIC, MEDIUM, or HIGH.
- Implement the required security measures: Apply the security measures from Annex II of Royal Decree 311/2022 that correspond to your category. Document implementation and any gaps with planned remediation dates.
- Choose your conformity pathway:
- BASIC: Conduct the self-assessment, draft the declaration of applicability, issue and sign the declaration of conformity.
- MEDIUM/HIGH: Engage an ENAC-accredited auditor, undergo the certification audit, receive the certificate.
- Register with CCN-CERT: Submit the conformity documentation through the CCN-CERT governance platform to have your entity listed in the public registry.
- Display the conformity seal: Once listed, display the conformity seal on your website and tender submissions, indicating the level and validity period.
For detailed guidance on the certification process, see ENS certification: process, requirements, and costs. For implementation support, see ENS implementation consultancy.
ENS and ISO 27001: a common question
Companies that already hold ISO 27001 certification frequently ask whether this exempts them from ENS conformity. The answer is no — for two reasons:
- Different legal basis: ENS is a Spanish regulatory requirement. ISO 27001 is a voluntary international standard. One does not substitute for the other in legal or contractual contexts.
- Different scope: ISO 27001 covers the organization's information security management system broadly. ENS applies specifically to systems used in or provided to Spanish public administrations, with a specific set of mandatory measures defined in Annex II of RD 311/2022.
That said, ISO 27001 certification significantly accelerates ENS compliance work — many of the controls overlap, and documentation prepared for ISO 27001 can be reused or adapted for the ENS self-assessment or audit. Many companies pursue both simultaneously to maximize efficiency.
How Ángel helps companies reach the ENS registry
Ángel Ortega Castro supports SMEs (small and medium-sized enterprises), technology companies, and public sector service providers throughout the ENS conformity process: from initial system categorization through to declaration or certification and registry listing. The approach is practical and proportionate — avoiding unnecessary complexity for BASIC-level organizations, while ensuring rigorous preparation for MEDIUM and HIGH certification audits.
For initial guidance, use the contact form or visit the ENS implementation consultancy page.
Frequently asked questions
Where can I check which companies are ENS certified?
ENS-certified entities are listed on the CCN-CERT governance platform at gobernanza.ccn-cert.cni.es. The registry is publicly accessible and searchable by entity name, certificate level (BASIC, MEDIUM, HIGH), and validity date.
What does it mean for a company to be 'ENS certified'?
An 'ENS certified' company has demonstrated that its information systems comply with the ENS at one of three levels: BASIC (self-assessed declaration of conformity), MEDIUM, or HIGH (certification from an ENAC-accredited auditor). The term 'certified' is sometimes used loosely to cover all three levels, but strictly speaking, certification refers only to MEDIUM and HIGH.
How long is ENS certification valid?
ENS conformity — whether by declaration (BASIC) or certification (MEDIUM/HIGH) — is valid for two years. At renewal, a new self-assessment (BASIC) or a new audit (MEDIUM/HIGH) must be conducted. HIGH-level certifications also require annual surveillance audits within the two-year cycle.
Is ENS certification the same as ISO 27001?
No. ENS is a Spanish regulatory requirement for systems used in or provided to Spanish public administrations. ISO 27001 is an international voluntary standard. They are complementary but not interchangeable. ISO 27001 does not substitute ENS certification when the latter is required by law or contract.
Can a company display the ENS conformity seal on its website?
Yes. Organizations with current ENS conformity may display the CCN-CERT conformity seal on their website and marketing materials. The seal must accurately reflect the conformity level and validity period. Displaying a seal for a lapsed or non-existent conformity is misleading and may have legal consequences.
Do I need ENS certification to bid on Spanish public sector contracts?
It depends on the specific contract. Many public sector IT contracts in Spain include ENS conformity requirements in their procurement specifications. The required level varies by contract. If ENS conformity is specified as a requirement, you must demonstrate it — by declaration (BASIC) or certification (MEDIUM/HIGH) — to be eligible.