A specific compliance profile (SCP) of the ENS (Spanish National Security Framework) is a set of security measures that the National Cryptologic Centre validates and publishes for a specific sector or type of entity. It draws on Article 30 of RD 311/2022 and the principle of proportionality to make adaptation more pragmatic, without lowering the required security level.
What is a specific compliance profile of the ENS?
When an entity tackles adaptation to the ENS (Spanish National Security Framework), the standard approach is to start from the full catalogue of Annex II measures and, after risk analysis, determine which ones apply according to the system category. This is the correct approach, but also an extensive one — and it forces every organisation to walk the same path of interpretation again and again. This is where specific compliance profiles come in.
A specific compliance profile (SCP) is, in simple terms, a tailored version of the ENS designed for a specific group: small town councils, healthcare centres, agricultural fund paying agencies, entities within the scope of the NIS2 Directive, etc. Instead of every entity in that group interpreting the catalogue from scratch, the National Cryptologic Centre (CCN) defines which measures and reinforcements are appropriate for that type of organisation and for a given security category, and publishes them in a CCN-STIC guide.
The official definition is fairly precise: an SCP is a set of security measures, whether or not included in Royal Decree 311/2022, which — as a result of the mandatory risk analysis — are applicable to a specific entity or sector of activity and for a given security category. Two ideas from that sentence are worth retaining: the SCP always starts from risk analysis (it does not replace it) and may include measures beyond those in Annex II when the sector requires it.
What is the legal basis for SCPs?

The basis for specific compliance profiles is Article 30 of Royal Decree 311/2022, of 3 May, which governs the ENS (Spanish National Security Framework). That article is titled "Specific compliance profiles and accreditation of entities implementing secure configurations" and expressly enables the mechanism.
The text of Article 30 establishes that, by virtue of the principle of proportionality and seeking an effective and efficient application of the ENS to specific entities or sectors of activity, specific compliance profiles may be implemented. These profiles shall comprise those security measures which, as a result of the mandatory risk analysis, prove appropriate for a given security category.
The same article gives the CCN a dual function: to validate and publish the specific compliance profiles defined, in accordance with the approved security technical instructions and security guides. That is, an SCP is not a document that anyone can draft independently; it has an authorised issuer and a validation process behind it. That provenance is what gives it weight in the subsequent certification audit.
Article 30 also opens the door to accreditation schemes for entities and validation of persons implementing secure configurations of third-party solutions or platforms — but that is a complementary aspect. For the purposes of this article, the relevant part is the first half: the one that provides the regulatory basis for sector-specific profiles.
How does an SCP differ from general adaptation?
The difference does not lie in rigour or security level but in the starting point and the interpretation effort. In general adaptation, the entity takes the full catalogue of measures (the organisational, operational and protection frameworks) and decides their applicability case by case. In adaptation supported by an SCP, much of that work has already been reasoned out and delimited for its type of organisation.
| Aspect | General adaptation | Adaptation with SCP |
|---|---|---|
| Starting point | Full Annex II catalogue | Set of measures already delimited for the sector or entity type |
| Determining applicability | Done entirely by the entity | Already reasoned and prioritised in the CCN-STIC guide |
| Risk analysis | Mandatory | Mandatory (the SCP does not replace it) |
| Required security level | What the category demands | The same: the SCP does not lower the level |
| Measures beyond Annex II | Only if risk justifies it | May incorporate them when the sector requires it |
| Interpretation effort | High | Reduced and homogeneous across entities in the group |
The key point is that an SCP adapts and prioritises; it does not cut. It applies the principle of proportionality already at the heart of the ENS, but does so collectively and in a reasoned way for a sector, rather than leaving each entity to resolve it alone. If you want to understand how the measures that the SCP organises are structured, it is worth reviewing the organisational, operational and protection framework of Annex II.
What are the advantages of an SCP?
The advantages of working with a specific compliance profile are mainly practical, and they are felt most strongly in organisations with limited technical resources.
- More pragmatic adaptation. The entity does not start from a blank sheet: it has a starting point reasoned by the CCN for its type of organisation, which reduces the risk of misinterpreting the measures.
- Homogeneity within the sector. When all town councils in a population bracket apply the same profile, solutions, documents and criteria become comparable and reusable. This facilitates support from provincial councils and supra-municipal bodies.
- Lower project cost. Since the bulk of the applicability analysis has already been done, consulting and documentation effort concentrates on what is genuinely specific to each entity: its asset inventory, its risk analysis and its statement of applicability.
- Better fit for certification. Since the SCP is validated and published by the CCN, the certification body has a clear reference framework against which to verify compliance.
- Templates and supporting annexes. Many SCP guides include annexes for risk analysis, security policy, categorisation, statement of applicability and awareness plans, which accelerate the project kick-off.
That said, it is only honest to note that an SCP is not a shortcut to complying with less. It does not reduce legal obligations or allow you to skip risk analysis. What it does is organise the work more efficiently. That is why, even with an SCP in place, support during ENS implementation continues to add value: someone must ground that profile in the concrete reality of each organisation.
What specific compliance profiles have been published?
The SCP catalogue has grown in recent years. The general framework for profiles is documented in the 890-series guides, while sector-specific or entity-type profiles have their own CCN-STIC guides. The following is an overview of the main profiles validated and published by the CCN.
| Profile / group | CCN-STIC guide | Who it applies to |
|---|---|---|
| General SCP framework | 890 series (890A, 890C) | Documents the concept and essential security requirements for ENS adaptation |
| Very small town councils | CCN-STIC 883A | Municipalities of fewer than approximately 5,000 inhabitants |
| Small town councils | CCN-STIC 883B | Town councils with fewer than 20,000 inhabitants |
| Medium-sized town councils | CCN-STIC 883C | Town councils with between 20,000 and 75,000 inhabitants |
| Provincial councils | CCN-STIC 883D | Supra-municipal bodies and provincial councils |
| Healthcare sector | CCN-STIC 891 | Patient healthcare: primary and specialist care |
| Paying agencies | CCN-STIC 852 | Agricultural European fund paying agencies |
The catalogue is updated with some regularity and profiles have been added for new groups, such as one aimed at organisations within the scope of the NIS2 Directive. So before planning a project it is worth consulting the current list on the CCN portals, which I link in the sources section. The 883 series, dedicated to local public sector entities, is the most established and the one most widely used in practice.
Is there an SCP for small town councils?
Yes, and it is probably the most widely used case. Small town councils are, by far, the entities that benefit most from specific compliance profiles, because they typically have limited technical staff and a tight budget for cybersecurity. The CCN-STIC 883 series organises these profiles by population brackets.
The bracket approach has a clear logic: it is not reasonable to demand the same structure and resources from a municipality of 2,000 inhabitants as from one of 60,000. That is why the 883A profile is designed for the smallest town councils, 883B for those with fewer than 20,000 inhabitants and 883C for the intermediate range up to 75,000. Provincial councils, which often provide shared services to several municipalities, have their own profile under 883D.
The CCN also maintains a specific portal for local entities with implementation support materials. If your organisation is a town council or a supra-municipal body, the sensible first step is to identify your population bracket and locate the 883-series profile that applies to you, before you even start documenting anything.
Are there profiles for sectors such as healthcare?
Yes. Beyond the local government world, the CCN has published profiles for specific sectors of activity. The most representative is the healthcare sector profile, covered in guide CCN-STIC 891, aimed at patient healthcare in primary and specialist care.
This healthcare profile is a good example of how an SCP can go beyond Annex II when the sector justifies it: it includes a set of security measures — whether or not covered by Royal Decree 311/2022 — that, after risk analysis, are applicable to healthcare provision and ensure a minimum security level. The guide addresses ENS applicability, the statement of applicability and criteria for applying measures (risk analysis, security architecture, certified components, authentication mechanisms, incident management, continuity plan), and comes with several practical annexes.
Other profiles exist for specific entity types or functions, such as agricultural fund paying agencies (CCN-STIC 852) or the one aimed at the scope of the NIS2 Directive. The CCN's tendency is to keep covering groups with homogeneous needs, so it is increasingly likely that an entity will find a profile matching its activity.
How is a specific compliance profile applied?
Applying an SCP does not exempt you from doing things properly; it simply restructures the adaptation project. A reasonable sequence is as follows.
1. Identify the applicable profile. Determine whether your organisation fits a group with a published SCP (population bracket for town councils, healthcare sector, etc.) and locate the corresponding CCN-STIC guide.
2. Categorise the systems. Determine the security category (basic, medium or high) of the affected systems, because the set of measures in the profile is modulated according to that category.
3. Carry out the risk analysis. It is mandatory and the SCP does not replace it. The profile guides which measures are appropriate, but the specific risk of your entity remains yours.
4. Draft the statement of applicability. Starting from the measures that the profile already prioritises, document which ones apply, how and why, adjusting for what is specific to your organisation.
5. Implement and document. Deploy the technical and organisational measures and leave the documentary evidence that audit will require.
6. Audit and certify. For medium and high categories, the certification audit verifies actual compliance against the profile and the ENS.
The SCP accelerates mainly steps 1 and 4, because much of the applicability reasoning has already been done. But steps 3 and 5 remain work that each entity must do itself — they cannot be delegated away.
Do I need external help if I use an SCP?
It depends on your organisation's maturity. A specific compliance profile lowers the barrier to entry, but does not eliminate the need for technical judgement. The guide says which measures are appropriate; someone must decide how they are implemented in your actual inventory, draft the management system documentation and prepare the entity for the audit without surprises.
From my offices in Castilla y León (Valladolid) and Las Palmas, I support public entities and technology providers on ENS adaptation projects, both in the general approach and using the SCP that best fits each case. The choice between the two is not ideological: if a profile exists for your group, it almost always makes sense to use it as the basis and dedicate effort to what is genuinely singular to your organisation.
Frequently asked questions
What is a specific compliance profile of the ENS?
It is a set of security measures — whether or not included in Royal Decree 311/2022 — which, after the mandatory risk analysis, prove appropriate for a specific sector or type of entity and for a given security category. The CCN validates and publishes it in a CCN-STIC guide, supported by Article 30 of RD 311/2022 and the principle of proportionality.
What are the advantages of an SCP?
It makes adaptation more pragmatic: the entity starts from a set of measures already reasoned for its group, which reduces interpretation cost, homogenises solutions within the sector and fits better with certification. That said, it does not lower the required security level or replace risk analysis: it adapts and prioritises, it does not cut obligations.
Are there profiles for town councils or universities?
For town councils, yes — in the CCN-STIC 883 series organised by population brackets (883A, 883B and 883C, plus 883D for provincial councils). Sector profiles also exist, such as healthcare (CCN-STIC 891) or paying agencies (CCN-STIC 852). The catalogue expands regularly, so it is worth checking the current CCN list to see whether a profile exists for your specific activity.
How is a compliance profile applied?
Identify the applicable profile, categorise the systems, carry out the mandatory risk analysis (which the SCP does not replace), draft the statement of applicability starting from the measures the profile prioritises, implement and document, and finally audit and certify for medium and high categories. The SCP speeds up applicability determination, but risk analysis and audit remain each entity's own work.
Sources
- Royal Decree 311/2022, of 3 May, governing the ENS (BOE-A-2022-7191)
- Article 30 of RD 311/2022: Specific compliance profiles and accreditation of entities implementing secure configurations
- CCN local entities portal (ENS)
- CCN-STIC 890A and 890C guides on specific compliance profiles for ENS adaptation
- CCN-STIC 883: ENS implementation guide for local entities (883 series by population bracket)
- CCN-STIC 891: Specific compliance profile for the healthcare sector