ENS (Spanish National Security Framework) was born with Royal Decree 3/2010, of 8 January, published in the BOE on 29 January 2010 to develop Article 42 of Law 11/2007. That regulation was substantially amended by Royal Decree 951/2015 and is now repealed: since 5 May 2022, ENS is governed by Royal Decree 311/2022, of 3 May. If you are looking for RD 3/2010, what actually applies to you is RD 311/2022. In this article I review how the framework has evolved, what changed in each version, and why it was updated.
What Was Royal Decree 3/2010 and Why Does Its History Matter?
When someone writes to me asking about "royal decree 3/2010 on ENS," they almost always arrive from an outdated tender document, an old internal manual, or a search inherited from years ago. That is understandable: RD 3/2010 was the founding regulation of ENS (Spanish National Security Framework) and for more than twelve years it was the reference for security in Spanish e-government. Knowing its history is not a legal archaeology exercise: it helps understand why ENS is structured as it is, what problem each reform addressed, and — above all — how to avoid applying a text that is no longer in force by mistake.
ENS is the framework that sets the basic principles and minimum requirements for protecting information and services handled by public administrations and, increasingly, their technology suppliers. If you want an overview of the current framework, I wrote a complete ENS guide that is worth keeping on hand while reading this history. Here I focus on what almost nobody explains well: the regulation's timeline.
2010: The Birth of ENS with RD 3/2010
Royal Decree 3/2010, of 8 January, governing the National Security Framework in the field of e-Government was published in BOE No. 25, of 29 January 2010 (reference BOE-A-2010-1330) and entered into force the following day. Its existence was not an isolated decision: it responded to a specific legal mandate.
That mandate was in Article 42 of Law 11/2007, of 22 June, on citizens' electronic access to public services (known as LAECSP). Paragraph 2 of that article provided for the creation of a National Security Framework whose purpose would be to establish security policy in the use of electronic means. In other words: the 2007 legislator said "we need a common security framework for all digital administration" and the Government gave it regulatory form three years later with RD 3/2010.
What did that text contribute? For the first time in Spain, it established a common security language for the public sector: basic principles (risk-based security management, prevention, response and recovery, lines of defence, periodic reassessment), minimum requirements, and a security measures catalogue organised by levels. ENS introduced the idea of categorising systems based on the impact an incident would have across five dimensions — availability, authenticity, integrity, confidentiality and traceability — and applying measures proportional to that category (basic, medium or high). That proportionality logic remains alive today, and it is one of the great design achievements that RD 3/2010 gave us.
2015: Royal Decree 951/2015 — The First Major Revision
Five years later came the first substantial reform. Royal Decree 951/2015, of 23 October, amending Royal Decree 3/2010 was published in BOE No. 264, of 4 November 2015 (reference BOE-A-2015-11881). It did not repeal ENS — it amended it to bring it up to date after five years of technological and regulatory change.
What did RD 951/2015 change? Three things worth highlighting:
First, it explicitly linked the Technical Security Instructions and CCN-STIC guides to the framework. Until then, those National Cryptologic Centre (CCN) guides had a diffuse advisory role. The reform clarified that certain technical instructions would be mandatory for administrations and would regulate matters such as the security status report, incident notification, conformity, and procurement of security products. This sowed the seed of the guide ecosystem that is indispensable today for implementing ENS.
Second, it reinforced the role of CCN-CERT, the National Cryptologic Centre's incident response capability, as the coordination reference for cyber threats targeting the public sector.
Third, it updated Annex II measures and simplified the Annex III audit regime, and aligned ENS with the European context — particularly EU Regulation 910/2014 (eIDAS) on electronic identification and trust services. The preamble of RD 951/2015 was transparent about its purpose: strengthen administrations' protection against cyber threats evolving far faster than the regulation.
It is worth being clear about one thing: during the period 2015–2022, when someone said "ENS" they meant RD 3/2010 as amended by RD 951/2015. These were the same regulation, not two separate frameworks.
2022: Royal Decree 311/2022 Repeals RD 3/2010
The turning point came in May 2022. Royal Decree 311/2022, of 3 May, governing the National Security Framework was published in BOE No. 106, of 4 May 2022 (reference BOE-A-2022-7191) and entered into force on 5 May 2022. Its repealing provision was unequivocal: it expressly revokes Royal Decree 3/2010, of 8 January, and all provisions of equal or lesser rank that conflict with the new regulation.
There is a legal detail that almost no one mentions but which I consider key to understanding the history. RD 3/2010 was born from Article 42 of Law 11/2007. But Law 11/2007 was itself repealed in 2015 by Laws 39/2015 and 40/2015. RD 311/2022 is no longer issued under the old LAECSP, but under Article 156 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, which is where the legal enabling provision for ENS now resides. In other words: the 2022 reform was not only a technical update but also a reanchoring of the framework's legal foundations.
If you are interested in the detail of the regulation in force, I maintain a complete ENS guide focused on RD 311/2022; and if your question is whether your organisation is subject to it, I address that in the article on when ENS is mandatory for companies and suppliers.
What Changed Substantively in 2022?
RD 311/2022 was not a cosmetic update. It pursues three declared major objectives: aligning ENS with the current regulatory framework and strategic context; introducing the ability to adjust its requirements to the reality of particular groups or system types; and enabling a better response to cyber threats. These are the changes with the greatest practical impact:
73 measures reorganised into three frameworks. Annex II of RD 311/2022 structures security measures into three blocks: the organisational framework (how security is governed: policy, regulations, procedures, authorisation); the operational framework (how systems are managed day-to-day: planning, access control, operation, continuity, monitoring); and protection measures (technical controls over facilities, personnel, equipment, communications, storage media, applications, information, and services). In total, 73 measures replace the previous catalogue with a clearer logic.
Specific compliance profiles. For me, this is the most useful innovation. Article 30 of RD 311/2022 enables compliance profiles adapted to specific categories of entities or system types, so that ENS can be applied proportionately without sacrificing the level of protection. This opened the door to profiles for small local authorities or specific services, a degree of flexibility that RD 3/2010 did not offer. If you work in local government, I cover this in the article on ENS for local authorities and local administration.
Supply chain security reinforcement. The new ENS focuses on the security of suppliers and subcontractors, recognising that many incidents enter through third parties. This is why ENS compliance has de facto extended to companies providing services to Spanish Public Administration.
Continuous monitoring and surveillance. The principle of continuous monitoring and permanent reassessment is embedded with greater force, replacing the static snapshot that dominated the initial approach.
Incident notification regime. The 2022 ENS formalises notification to CCN-CERT with deadlines based on incident impact, professionalising the response to attacks.
ENS Timeline: RD 3/2010 → RD 951/2015 → RD 311/2022
To see it at a glance, here is the complete evolution of ENS (Spanish National Security Framework) with verified BOE references:
| Regulation | BOE date | Enabling law | Key developments | Current status |
|---|---|---|---|---|
| RD 3/2010, of 8 January | BOE No. 25, 29/01/2010 | Art. 42 of Law 11/2007 (LAECSP) | Creates ENS: basic principles, minimum requirements, system categorisation and level-based measures | Repealed since 05/05/2022 |
| RD 951/2015, of 23 October | BOE No. 264, 04/11/2015 | Amends RD 3/2010 | Mandatory CCN-STIC guides, CCN-CERT reinforced, Annex II updated, alignment with eIDAS | No standalone effect: amended an already-repealed regulation |
| RD 311/2022, of 3 May | BOE No. 106, 04/05/2022 | Art. 156 of Law 40/2015 (LRJSP) | 73 measures in 3 frameworks, compliance profiles, supply chain security, continuous monitoring | In force |
The reading is simple: there is only one live ENS today — that of RD 311/2022. RD 3/2010 and its 2015 amendment are regulatory history, useful for understanding the origins but inapplicable as a requirement.
Why Was ENS Updated?
When a client asks me why it was necessary to change a regulation that "was working," I give three reasons. The first is technological: in 2010, cloud computing, mass mobility, managed third-party services, and industrialised ransomware were not what they are today. A framework designed for an administration that was predominantly on-premise fell short in the face of distributed services and professional threats.
The second reason is legal. As I explained above, Law 11/2007, which underpinned RD 3/2010, was repealed in 2015. Keeping a regulation hanging from a repealed law is, at minimum, uncomfortable. RD 311/2022 reanchors ENS in Law 40/2015, which is the natural home of the legal regime for the public sector and its electronic relations.
The third reason is strategic. ENS ceased to be exclusively an internal public-administration matter and became a national cybersecurity lever that pulls the entire supplier ecosystem. The 2022 reform acknowledges that reality: it extends its influence to the supply chain and coordinates better with the European framework (NIS Directive, later NIS2) and other cybersecurity obligations. In practice, this makes ENS a commercial requirement for many private companies, not just an obligation for public bodies.
If You Were Looking for RD 3/2010, Here Is What You Need to Do
I will be very direct, because this is the mistake I see most often. If you arrived here from a tender document, template, or training course citing "Royal Decree 3/2010," do not work from that text: it is repealed. Check the date of your internal documents and update any reference to RD 311/2022. A procurement document still requiring "compliance with RD 3/2010" is technically requiring a non-existent regulation, and that can create interpretation problems.
If your organisation needs to comply with the current ENS or renew its conformity, the process has changed since 2010: it now relies on compliance profiles, updated CCN-STIC guides, and a more mature certification scheme. I explain this step by step in the article on ENS certification: process, requirements and costs. And if you need help implementing it, I work on this in ENS consultancy and implementation projects from both Castilla y León and the Canary Islands.
A final note for those coming from the private information security world: ENS shares much of its philosophy with the international standard ISO 27001, although they are not the same and do not substitute for each other. If you want to understand the differences and synergies, I cover them in my complete ISO 27001 guide.
Frequently Asked Questions
Is RD 3/2010 still in force?
No. Royal Decree 3/2010, of 8 January, was expressly repealed by the repealing provision of Royal Decree 311/2022, of 3 May, which entered into force on 5 May 2022. From that date, the only applicable ENS (Spanish National Security Framework) is that of RD 311/2022. Any document still citing RD 3/2010 is out of date.
What is the difference between RD 3/2010 and RD 311/2022?
RD 3/2010 was the founding ENS regulation, issued under Article 42 of Law 11/2007. RD 311/2022 repeals and replaces it under Article 156 of Law 40/2015. Technically, the 2022 version reorganises measures into 73 controls grouped in three frameworks (organisational, operational and protection), introduces specific compliance profiles, reinforces supply chain security and continuous monitoring, and aligns with the European cybersecurity framework. The 2010 version established the principles and system categorisation, but with a less flexible approach.
When was ENS created?
ENS (Spanish National Security Framework) was formally created by Royal Decree 3/2010, of 8 January, published in the BOE of 29 January 2010. Its legal origin is in Article 42 of Law 11/2007, of 22 June, on citizens' electronic access to public services, which in 2007 already foresaw the need for a common security framework for digital administration.
Why was ENS updated?
For three combined reasons: technological evolution (cloud, mobility, third-party services, professionalised cyber threats) that made the 2010 design inadequate; change in the legal framework, as Law 11/2007 underpinning RD 3/2010 was repealed in 2015 and the enabling provision moved to Law 40/2015; and the strategic need to extend security to the supply chain and align better with the European cybersecurity framework.
Does RD 951/2015 still have any effect?
Not independently. Royal Decree 951/2015 was an amendment to RD 3/2010, not a standalone regulation. When RD 3/2010 was repealed by RD 311/2022, the 2015 amendments lost their subject matter. Its value today is historical: it shows how ENS was progressively tightened between 2010 and 2022, especially regarding CCN-STIC guides and the role of CCN-CERT.
Where can I find the official text of the current ENS?
In the BOE, under reference BOE-A-2022-7191 (Royal Decree 311/2022). The ENS portal of the National Cryptologic Centre (ens.ccn.cni.es) and the e-Government Portal (administracionelectronica.gob.es) also publish the consolidated text, CCN-STIC guides, and implementation support materials.
Does ENS apply only to public administrations?
Not exclusively. ENS directly obligates the public sector, but RD 311/2022 reinforces supply chain security, so companies providing services to Spanish Public Administration often need to demonstrate ENS conformity. This is why it has become a frequent requirement in public procurement. I cover this in the article on when ENS is mandatory for companies and suppliers.
Sources
- BOE — Royal Decree 3/2010, of 8 January, governing the National Security Framework in e-Government (BOE-A-2010-1330)
- BOE — Royal Decree 951/2015, of 23 October, amending Royal Decree 3/2010 (BOE-A-2015-11881)
- BOE — Royal Decree 311/2022, of 3 May, governing the National Security Framework (BOE-A-2022-7191)
- CCN — ENS portal: regulation
- CCN — ENS: frequently asked questions
- e-Government Portal (administracionelectronica.gob.es)
Content by Ángel Ortega Castro. Regulatory information verified against official sources (BOE and CCN) as of June 2026; legal references may be updated, so always cross-check with the consolidated BOE text.