There is no single magic number of months that applies to everyone. Adapting to the ENS (Spanish National Security Framework) is a project with well-defined phases: for a basic-category system it typically completes in 3 to 6 months; for medium or high category, a realistic estimate is 6 to 12 months (sometimes more) to achieve conformity. The legal deadline of the transitional regime under RD 311/2022 has already passed: pre-existing systems had 24 months from 5 May 2022, i.e. until 5 May 2024.
The question I receive most often when an organisation discovers it is subject to the ENS is not "what do I have to do?" but "how long will it take?" And it is a fair question: behind it lies a procurement calendar to meet, a tender specification demanding conformity or an inspection that is closing in. In this guide I explain honestly how long ENS compliance takes, what phases the Adaptation Plan has, and how to build a realistic schedule that does not leave you stranded halfway through the project.
I am a compliance consultant working on ENS adaptation with organisations in Castilla y León and the Canary Islands. What you are about to read is verified against primary sources (RD 311/2022 and the CCN-STIC 800-series guides) and against real project experience, where the timeline almost never matches the one in the brochure.
Is there a legal deadline for ENS compliance?
Yes, there was one, and it is worth understanding properly because it generates a great deal of confusion. Royal Decree 311/2022, of 3 May, which governs the ENS, entered into force on 5 May 2022. Its sole transitional provision granted a period of twenty-four months for pre-existing information systems to reach full compliance. The maths is straightforward: 5 May 2022 + 24 months = 5 May 2024.
That transitional deadline has already expired. Anyone who has not yet complied is not "within the deadline"; they are breaching an obligation whose cut-off date has passed. And here is the important nuance you must not overlook: the ENS obligation itself has no "expiry date". If your organisation falls within the scope of application, the obligation to comply is permanent, regardless of whether a transitional period exists. What expired was the grace period for systems already in existence in 2022; any new system must be compliant from the outset.
For systems that enter ENS scope through a supervening cause — for example, a private company that signs a contract with a Spanish Public Administration and, under the tender specification, becomes obliged — the practical "clock" is set by the contract or tender, not by a transitional provision. That is why the deadline that truly matters, in most private-sector projects, is the one set by the public client. If you want to understand when and why the ENS obliges companies, I cover that in the guide on when ENS is mandatory for companies and suppliers.
What is the ENS Adaptation Plan?

The Adaptation Plan is the document that organises the entire project. It is described in guide CCN-STIC-806, the National Cryptologic Centre's official reference for this task. It is not a bureaucratic formality: it is the roadmap that converts "I need to comply with the ENS" into a sequence of actions with owners and deadlines.
According to CCN-STIC-806, the Adaptation Plan must include at least the following elements:
- The organisation's security policy, aligned with Annex II of the ENS (or a plan to create or update it if it does not exist).
- Information processed and its valuation.
- Services provided and their valuation.
- Personal data handled, due to its connection with the GDPR.
- System category (basic, medium or high) resulting from the valuation.
- Statement of applicability for Annex II measures.
- Risk analysis and current risk map.
- System deficiencies relative to what is required.
- Security improvement plan, with its implementation schedule.
Note the last point: the Adaptation Plan includes its own timeline. When you draft it properly, the Plan already contains the implementation dates for each measure. That is why the best answer to "how long will it take?" is: "until you have categorised the system and completed the risk analysis, any timeline is an estimate; the Adaptation Plan is what converts it into a commitment with dates."
What are the phases of ENS adaptation?
The complete process, from management decision to conformity, can be organised into eight phases. Not all carry the same weight: the first phases are fast and documentary; implementing measures is what takes up the calendar.
1. Decision and kick-off. Management approves the project and designates the ENS roles: information owner, service owner, security officer and system administrator. Without this step, nobody is accountable for the project. I cover this in the ENS implementation consultancy guide.
2. System categorisation. Information and services are valued across the five security dimensions (confidentiality, integrity, availability, authenticity and traceability) to obtain the category: basic, medium or high. This decision drives everything else in the schedule.
3. Risk analysis. Assets, threats and existing safeguards are identified to produce the current risk map. Usually supported by MAGERIT or an equivalent methodology.
4. Statement of applicability. The Annex II measures that apply are selected according to the category, the personal data processed and the risk analysis results.
5. Drafting the Adaptation Plan. Everything above is consolidated into the CCN-STIC-806 document, with the improvement plan and its schedule.
6. Implementing measures. The improvement plan is executed. This is the longest and most variable phase, as it depends on how many measures are missing and their technical and organisational difficulty.
7. Verification. Self-assessment for basic category; formal audit for medium and high.
8. Declaration or certification of conformity. The formal closure that accredits compliance.
To keep the overall picture in view, here is the indicative schedule in a single table. These are estimates, not guarantees: the actual range depends on the size of the organisation, its starting maturity and its category.
| Phase | What is done | Estimated duration | Primary owner |
|---|---|---|---|
| 1. Decision and kick-off | Management approval and role designation | 1–3 weeks | Management |
| 2. Categorisation | Valuation across 5 dimensions and category determination | 2–3 weeks | Security officer + information/service owner |
| 3. Risk analysis | Current risk map (MAGERIT or equivalent) | 3–6 weeks | Security officer |
| 4. Statement of applicability | Selection of Annex II measures | 2–4 weeks | Security officer |
| 5. Adaptation Plan | CCN-STIC-806 document and improvement plan | 2–4 weeks | Security officer + consultant |
| 6. Implementing measures | Executing the improvement plan | 3–9 months | System administrator + IT |
| 7. Verification | Self-assessment (basic) or audit (medium/high) | 4–8 weeks | Auditor / internal team |
| 8. Conformity | Declaration or certification and badge | 2–4 weeks | Security officer + certification body |
If you add the ranges you will see why I say 3–6 months for basic and 6–12 months (or more) for medium and high: the documentary phases overlap and move quickly, but implementation — phase 6 — sets the pace. And that phase does not depend on the consultant; it depends on your organisation's real capacity to execute changes.
How long does ENS compliance take by category?
The system category is by far the biggest factor in shifting the calendar. Achieving basic category, where closure is done by self-assessment, is very different from achieving high category, which requires a formal audit and certification by an accredited body.
- Basic category. Fewer Annex II measures, verification by self-assessment and closure through a declaration of conformity. This is the most agile route: with a reasonable starting position, 3–6 months is achievable.
- Medium category. More mandatory measures and a compulsory audit by an accredited certification body. The realistic timeline rises to 6–12 months.
- High category. The full set of reinforced measures and a formal audit. Here 9–12 months is normal, and complex projects go further.
If you do not yet know which category applies to you, that is the first piece you need to resolve, because it sizes the rest of the project. To choose correctly, understanding how the framework works as a whole helps — which I cover in the complete ENS guide.
What is the difference between a declaration and a certification of conformity?
This is a common confusion and it affects the timeline directly, because each route has its own closure. It is governed by guide CCN-STIC-809:
- Declaration of conformity. Applies to basic-category systems. It is issued by the entity responsible for the system after self-assessment. It is faster because it does not require a third-party accredited body.
- Certification of conformity. Mandatory for medium and high categories (and voluntary for basic). It is issued by a certification body accredited by ENAC under standard UNE-EN ISO/IEC 17065. The certificate is valid for two years, after which a renewal audit is required.
This has a scheduling consequence worth anticipating: if you are going for medium or high, it is not enough to "be ready"; you need to book the audit with the certification body and leave margin to address any findings. That is why I recommend planning the ENS audit preparation from the very start of the project, not as a final formality.
Which CCN-STIC guides govern the process and deadlines?
The ENS does not leave you to work this out alone: the CCN publishes a series of guides (the 800 series) that serve as the practical map of the entire process. The three most relevant to adaptation and its timeline are:
- CCN-STIC-806 — Adaptation Plan. How to build the Plan, what it must contain and how to plan the improvement. This is the guide that structures the schedule.
- CCN-STIC-808 — Compliance verification. Serves as the audit roadmap for assessing the conformity of a system in any category (basic, medium or high).
- CCN-STIC-809 — Declaration and certification of conformity. Criteria and procedures for declaring or certifying conformity, together with the compliance badges.
Worth noting: these guides are updated. The CCN has published recent revisions of both 808 and 809, so before finalising your Adaptation Plan it is worth checking you are working with the current version. The core obligation does not change, but procedural details can be refined.
How to build a realistic schedule (without deceiving yourself)
The most common mistake I see is treating the ENS as a purely documentary project that can be dispatched in a few weeks. Phases 1 to 5 are indeed fast; the problem is phase 6, implementation. These are the factors that really move your timeline:
- Starting maturity. If you already have ISO 27001 or well-established security controls, many Annex II measures are already covered and the project accelerates noticeably.
- Real team availability. A risk analysis cannot be done "between meetings". If key people are occupied with other things, the timeline stretches.
- Third-party dependencies. Migrations, supplier procurement or infrastructure changes introduce deadlines outside your control.
- Category and closure route. As seen above, medium/high adds the audit and booking the certification body.
- Contracts and subcontracting. If your obligation comes from serving a Spanish Public Administration, the supply chain may also need to adapt, which adds to the timeline.
My practical recommendation: define the target date (from the tender or public client) and plan backwards from there, building in a buffer for verification and remediation. And start categorisation as early as possible, because until you have it, any promised timeline is guesswork.
FAQ — Frequently asked questions on ENS deadlines
How long does it take to comply with the ENS?
It depends mainly on the category and starting maturity. As project guidance: 3–6 months for basic category and 6–12 months (or more) for medium and high. The longest phase is implementing measures; the documentary phases advance in a few weeks.
What is the Adaptation Plan?
It is the document, described in guide CCN-STIC-806, that organises the entire project: security policy, valuation of information and services, category, statement of applicability, risk analysis, deficiencies and improvement plan with its schedule. It is the roadmap with dates.
What are the phases of ENS adaptation?
In order: decision and kick-off, system categorisation, risk analysis, statement of applicability, drafting the Adaptation Plan, implementing measures, verification (self-assessment or audit) and, finally, declaration or certification of conformity.
Is there a legal deadline for compliance?
The transitional regime of RD 311/2022 gave 24 months to pre-existing systems, from its entry into force on 5 May 2022, i.e. until 5 May 2024. That deadline has passed. The obligation to comply, however, is permanent while you remain within the scope of application; new systems must be compliant from the outset.
Does the certification expire?
The certification of conformity (mandatory for medium and high) is valid for two years, after which a renewal audit is required. It is worth including that renewal in your recurring planning rather than treating it as a one-off milestone.
Conclusion and next step
ENS compliance is not measured in a single number but in a phased schedule in which the system category and your starting maturity decide almost everything. The legal transitional deadline has passed, so today urgency is driven by your own situation: a tender, a contract or an inspection. The good news is that the process is perfectly mapped out by the CCN-STIC guides, and a well-crafted Adaptation Plan gives you concrete dates instead of uncertainty.
If you need to estimate your real timeline, I work on ENS implementation with organisations in Castilla y León and Las Palmas. And if you want to place the ENS within the broader regulatory landscape (GDPR, NIS2 obligations, DORA), the guide to cybersecurity regulations in Spain will be useful.
Sources
- BOE — Royal Decree 311/2022, of 3 May, governing the ENS (consolidated text, sole transitional provision).
- BOE — Law 40/2015 on the Legal Regime of the Public Sector (legal basis of the ENS).
- CCN-CERT — Guide CCN-STIC-806: ENS Adaptation Plan.
- CCN-CERT — Guide CCN-STIC-808: ENS compliance verification.
- CCN-CERT — Guide CCN-STIC-809: Declaration and certification of conformity with the ENS.
- ENS Portal (CCN) — Conformity badges (declaration and certification).
- ENAC — Accreditation of ENS certification bodies (UNE-EN ISO/IEC 17065).
Content prepared by Summum Marketing for informational purposes. It does not constitute legal advice. Always verify the current version of the CCN-STIC guides before finalising your Adaptation Plan.