The ENS has three categories — basic, medium and high — and the one that applies to you is not chosen, it is derived. You assess the five security dimensions of your system (confidentiality, integrity, availability, authenticity and traceability) at low, medium or high levels, then apply the rule from Article 40 of Royal Decree 311/2022: the system is high category if any dimension reaches high level; medium if any dimension reaches medium (and none reach high); and basic if any dimension reaches low (and none reach medium or high). The right question is not "which level do I want?" but "what damage would an incident cause?".
This is the question almost everyone faces when they encounter the ENS (Spanish National Security Framework) for the first time, and it is where most mistakes happen: either they underestimate out of ignorance, or they overestimate "just to be safe" and saddle themselves with measures they don't need. This guide is deliberately practical: the rule, a decision tree, and examples by service type so you get your category right. If what you're looking for is a detailed description of each category and its requirements, see the page on ENS categories basic, medium and high; here we focus on deciding.
Ángel Ortega Castro helps organisations categorise their systems. The method is always the same: impact first, then level — never the other way round.
How many levels does the ENS have?
The ENS defines three security categories for systems: basic, medium and high. There is no fourth category or half-measure. What does have nuance is how you arrive at each one, because the category is the result of first assessing five security dimensions at three levels (low, medium, high).
It is worth keeping the concepts separate: dimensions (the guarantees the system protects) are assessed in levels, and from those levels the category of the overall system is derived. The five dimensions, the CIDAT set, are explained in depth on the page on the 5 ENS security dimensions.
The impact rule: how category is determined

The core of the decision lies in Article 40 and Annex I of RD 311/2022. The system's category is set by the most demanding dimension: dimensions are not averaged, you take the maximum. This is the rule, without ambiguity:
| If the most demanding dimension is at level… | …the system category is |
|---|---|
| Any dimension at HIGH | HIGH |
| Any at MEDIUM, none at high | MEDIUM |
| Any at LOW, none at medium or high | BASIC |
The implication is important: a single high dimension makes the entire system high category, with all that implies in terms of Annex II measures and reinforcements. That is why valuing each dimension accurately — neither over- nor under-estimating — is the most cost-effective decision in the entire compliance process.
How to determine whether my system is basic, medium or high
The level of each dimension is determined by the impact an incident affecting that guarantee would have. Annex I of RD 311/2022 grades this as follows:
- LOW level: the incident would cause limited harm to the functions, assets or persons affected.
- MEDIUM level: the incident would cause serious harm.
- HIGH level: the incident would cause very serious harm; in practice, damage that is hard or impossible to repair.
The assessment examines the effect on the organisation's ability to meet its objectives, protect its assets, fulfil its service obligations and respect the law and individuals' rights. It is not an arbitrary judgement: it is argued dimension by dimension.
Decision tree for categorising your system
Apply this sequence, one dimension at a time. Ask these questions for confidentiality, integrity, availability, authenticity and traceability:
- Would an incident in this dimension cause very serious or irreparable harm? If yes → the dimension is HIGH. The system will be high category whatever the other dimensions turn out to be, but still assess and record them: every dimension's level must be documented.
- Would it cause serious (but not irreparable) harm? If yes → the dimension is MEDIUM.
- Would it cause only limited harm? If yes → the dimension is LOW.
- Does the dimension not apply to this system (for example, confidentiality of a site that publishes only public content)? Assign no level; the dimension simply does not count.
Once you have assessed all five, keep the highest level that appeared: that determines the category. This is a deliberately conservative system, because the ENS prioritises not underestimating risk.
Examples by service type
Examples help calibrate, though every real case requires its own assessment. This table gives indicative positioning for different service types:
| Service type | Most critical dimension | Indicative category |
|---|---|---|
| Institutional website (publishes content only) | Low integrity / availability | Basic |
| Electronic office with procedures and personal data | Medium confidentiality / authenticity | Medium |
| System with specially protected data (health, ideology) | High confidentiality | High |
| Critical service whose outage affects citizens | High availability | High |
| Notification platform with evidential value | Medium-high traceability / authenticity | Medium or High |
The pattern is clear: as soon as specially protected data or a service whose unavailability would have serious consequences comes into play, the category escalates. A purely informational portal will rarely go above basic.
What changes between basic, medium and high?
Moving up a category is not just a label: it changes the real compliance effort on three fronts.
- Annex II measures. Higher category means more applicable measures and, above all, more active reinforcements on each measure. The page Annex II explained covers them in detail.
- Verification. Basic allows self-assessment; medium and high require a formal audit at least every two years under Article 31, and again whenever a substantial change to the system may affect the required measures.
- Cost and timelines. Each category jump increases implementation work and evidence documentation.
This is why it is important not to over-dimension: declaring yourself high category "to be safe" forces you to maintain measures, reinforcements and audits that your system may not need. The correct category is the one that matches the actual impact, no more, no less.
Full example: categorising a local authority electronic office step by step
Let us apply the method end to end. Imagine the electronic office of a mid-sized local authority, where citizens submit applications, consult case files and receive legally binding notifications. We assess its five dimensions:
- Confidentiality: processes citizens' personal data (not specially protected). A leak would cause serious but not irreparable harm. → MEDIUM.
- Integrity: altering a case file or a resolution would have serious legal consequences. → HIGH.
- Availability: outage would affect administrative deadlines, although in-person channels exist as alternatives. → MEDIUM.
- Authenticity: must guarantee that the person filing or signing is who they claim to be; a failure would open the door to fraud. → HIGH.
- Traceability: the evidential value of notifications depends on reliable records. → HIGH.
The highest level that appeared is HIGH (in three dimensions). Therefore the system is high category, even though two of its dimensions are only medium. This is precisely the effect of the maximum rule: it does not matter that most dimensions are medium; a single high is enough to set the category. That system will need to implement the Annex II high-category measures with their reinforcements, and submit to formal audit every two years.
Consider what would have happened if we had misjudged the high dimensions. In this example three of them are high, so downgrading integrity alone to medium "because it rarely happens" would not have changed the category: authenticity and traceability still pull it to high. But in a system where a single dimension sits at high, that one downgrade changes the entire category and, with it, the compliance scope. The fewer dimensions that hold the category up, the more each one must be argued honestly.
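The decision tree and the worked example above are an algorithm: take the maximum over the dimensions that received a level, ignoring those that do not apply. The following Python is an added example, not part of the original page or of any CCN tool; the two assessments it embeds are constructed from the local authority office and the institutional website described in this article, and the "what-if downgrade" check is an assumption added here to show which dimensions actually hold the category up.

```python
from enum import IntEnum
from typing import Mapping, Optional

# The five ENS dimensions (CIDAT). Order is irrelevant to the rule; kept for readable output.
DIMENSIONS = ("confidentiality", "integrity", "availability", "authenticity", "traceability")


class Level(IntEnum):
    """Impact level of one dimension (Annex I). IntEnum so that max() works directly."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Article 40 / Annex I: the category follows the most demanding dimension.
CATEGORY_BY_LEVEL = {Level.LOW: "BASIC", Level.MEDIUM: "MEDIUM", Level.HIGH: "HIGH"}

# None means "this dimension does not apply to the system": no level is assigned.
Assessment = Mapping[str, Optional[Level]]


def assessed_levels(assessment: Assessment) -> list[Level]:
    """Levels of the dimensions that actually received one (N/A dimensions are skipped)."""
    unknown = set(assessment) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"not an ENS dimension: {sorted(unknown)}")
    levels = [lvl for lvl in assessment.values() if lvl is not None]
    if not levels:
        raise ValueError("at least one dimension must be assessed at some level")
    return levels


def system_category(assessment: Assessment) -> str:
    """Derive the system category: the maximum over assessed dimensions, never an average."""
    return CATEGORY_BY_LEVEL[max(assessed_levels(assessment))]


def decisive_dimensions(assessment: Assessment) -> list[str]:
    """Dimensions sitting at the top level. If only one is listed, misjudging that single
    dimension flips the whole category; if several are, one error alone does not."""
    top = max(assessed_levels(assessment))
    return [d for d in DIMENSIONS if assessment.get(d) == top]


def category_if_downgraded(assessment: Assessment, dimension: str) -> str:
    """What-if check (added here, not an ENS rule): lower one dimension by one level
    and recompute the category, to see whether that single judgement is load-bearing."""
    current = assessment.get(dimension)
    if current is None:
        raise ValueError(f"{dimension} has no level to downgrade")
    if current == Level.LOW:
        raise ValueError(f"{dimension} is already at the lowest level")
    return system_category({**assessment, dimension: Level(current - 1)})


# Constructed assessments mirroring the two cases discussed in the text (illustrative only).
LOCAL_AUTHORITY_OFFICE: Assessment = {
    "confidentiality": Level.MEDIUM,  # personal data, not specially protected
    "integrity": Level.HIGH,          # altering a case file has serious legal consequences
    "availability": Level.MEDIUM,     # deadlines affected, in-person channel exists
    "authenticity": Level.HIGH,       # failure opens the door to fraud
    "traceability": Level.HIGH,       # evidential value of notifications
}

INSTITUTIONAL_WEBSITE: Assessment = {
    "confidentiality": None,  # publishes public content only: the dimension does not apply
    "integrity": Level.LOW,
    "availability": Level.LOW,
    "authenticity": None,
    "traceability": None,
}

if __name__ == "__main__":
    for name, a in (("electronic office", LOCAL_AUTHORITY_OFFICE),
                    ("institutional website", INSTITUTIONAL_WEBSITE)):
        print(f"{name}: {system_category(a)}, set by {decisive_dimensions(a)}")
    # Downgrading integrity alone leaves the office at HIGH: authenticity and traceability still hold it up.
    print("office with integrity lowered:", category_if_downgraded(LOCAL_AUTHORITY_OFFICE, "integrity"))
```

Running the script reports the office as HIGH, set by three dimensions, and the website as BASIC. The what-if check is the useful part for an auditor's "why this level?" question: when `decisive_dimensions` returns a single name, that one argument carries the whole category and deserves the most careful justification.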
How much effort does each category involve?
Moving up a category is not free, and it is worth keeping that in mind when assessing so as neither to underestimate nor over-dimension. As a broad indication, effort scales like this:
| Aspect | Basic | Medium | High |
|---|---|---|---|
| Annex II measures | Essential ones | Extended | Extended + reinforcements |
| Verification | Self-assessment | Audit every 2 years | Audit every 2 years |
| Evidence documentation | Basic | Detailed | Exhaustive |
| Ongoing management burden | Low | Medium | High |
The most significant effort jump is usually from basic to medium, because it introduces formal audit. From medium to high, the increase comes mainly from reinforcements and the depth of evidence required. An honest categorisation — neither low out of convenience nor high out of fear — is therefore the decision that has the greatest impact on total compliance cost.
Who decides the system category?
Categorisation is not a decision for the technical team alone. It is a business and accountability decision: impact assessment is performed by the information and services owner — the person who knows the value of what is being protected — with the support of the security officer, and is formalised in the system documentation. The technical team contributes knowledge of the architecture, but it is the person responsible for the information who assesses the damage an incident would cause.
This assessment is not permanent: when the system changes substantially — new data, new services, new criticality — it must be reviewed. A category assigned years ago and never revisited is one of the most common findings in audits.
Common mistakes when choosing the level
- Averaging the dimensions. The category is set by the highest dimension, not the average. A single high dimension makes the entire system high.
- Choosing a higher level "to be safe". Over-dimensioning triggers measures, reinforcements and unnecessary audits.
- Valuing the system without valuing the data. The level stems from the impact on the information and service, not the technology used.
- Not reviewing after changes. The category is revalidated when the system evolves; it is not a snapshot.
System category versus compliance profiles
It is worth anticipating a nuance that appears as soon as you go deeper: category is not always the final word on which measures apply. RD 311/2022 introduced specific compliance profiles — sets of measures adapted to a particular type of entity or sector, approved by the National Cryptologic Centre. Profiles exist, for example, for small local authorities or for certain sectors, designed to calibrate requirements to their reality.
This means that two systems in the same category may end up with different sets of measures if one benefits from a specific profile. For most organisations, however, the general path applies: assess dimensions, derive category and select the corresponding Annex II measures. Profiles are an adjustment layer, not a shortcut around categorisation. If your entity fits one of those groups, it is worth checking whether an applicable profile exists before starting the compliance process.
What to do once you know your category
Determining the category is not the end — it is the starting point of the compliance process. With the category in hand, the standard roadmap is:
- Document the assessment. Leave a written record of how you valued each dimension and why; the auditor will ask for it.
- Select the Annex II measures that apply to your category, with their reinforcements.
- Draft the Statement of Applicability, justifying what you apply, what you exclude and what compensating measures you use.
- Implement and evidence each measure, organising the supporting documentation.
- Verify conformity: self-assessment if basic, formal audit if medium or high.
Each of these steps has its own complexity, but all of them start with a sound categorisation. If the foundation is right, the rest of the process flows; if the category is misjudged, everything that follows inherits the error.
Sources
- Royal Decree 311/2022 (BOE-A-2022-7191) — Article 40 (categories) and Annex I.
- ENS Portal — CCN (ens.ccn.cni.es) — CCN-STIC 803 (valuation of systems, the categorisation guide) and CCN-STIC 804 (ENS implementation guide).