ENS (Spanish National Security Framework) and GDPR are two distinct regulations with one point of convergence: security measures. ENS protects public-sector information systems and their supply chain; GDPR protects personal data. They overlap on technical and organisational measures: Additional Provision 1 of the LOPDGDD (Spain's data protection act) establishes that public administrations comply with Article 32 of GDPR by applying ENS. Getting one right moves you a long way towards the other.
This is one of the most common sources of confusion when a public administration or a company bidding for public-sector contracts sits down to map its compliance obligations: are ENS and GDPR the same thing? If I certify ENS, do I automatically comply with data protection? Do I need two separate risk analyses, two asset inventories, two audits? The short answer is that they are not the same, but they share such extensive common ground that ignoring it wastes money and time. Let us separate what each one protects, precisely mark where they overlap, and explain how to reuse work from one framework for the other.
What Does ENS Protect, and What Does GDPR Protect?
The core difference lies in each regulation's object, and understanding it is the key to not conflating them.
ENS (Spanish National Security Framework), governed by Royal Decree 311/2022 and with its legal basis in Law 40/2015, protects information systems: servers, applications, networks, backups, processes. Its question is "are my systems secure and trustworthy?" It measures security across five dimensions — confidentiality, integrity, traceability, authenticity and availability (the so-called CIDAT set) — and classifies each system in basic, medium or high category based on the impact an incident would have. For the detail of the full framework, see the complete ENS guide.
GDPR (EU Regulation 2016/679), on the other hand, protects natural persons with respect to the processing of their personal data. Its question is "am I processing people's data lawfully, fairly and securely?" It covers far more than security: lawfulness of processing, information to data subjects, rights of access or erasure, legal basis, retention periods, international transfers… Security is only one piece of the regulation, not the whole of it.
In other words: ENS is an information security regulation; GDPR is a data protection regulation that, among many other things, also requires security. That is why one does not replace the other — but it is also why they cross at a very specific point.
Where Exactly Do ENS and GDPR Overlap?
The overlap lives in a single GDPR article: Article 32, "Security of processing." That article obliges the controller and processor to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk." It expressly lists, among others, encryption and pseudonymisation, the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems, recovery after an incident, and periodic testing of the effectiveness of those measures.
That list in Article 32 is, almost word for word, the language of ENS. The five CIDAT dimensions are the same security properties that Article 32 requires to be guaranteed. And there is a second, prior point of contact: Article 5.1.f of GDPR, the principle of "integrity and confidentiality," which states as an objective what Article 32 concretises in measures. Where GDPR says "ensure confidentiality, integrity and availability," ENS responds "here is the Annex II control catalogue to achieve it."
The overlap is therefore not coincidental: it is the set of technical and organisational security measures. Outside that set, each regulation goes its own way. ENS tells you nothing about how to inform a data subject or the legal basis for processing; GDPR does not require you to categorise your systems as basic/medium/high or to undergo CCN conformity auditing.
The Legal Link between the Two Frameworks: Additional Provision 1 of LOPDGDD
Here is the fact that closes the circle and that many people are unaware of. Organic Law 3/2018 (LOPDGDD), which implements GDPR in Spain, includes an Additional Provision 1 titled "Security measures in the public sector." That provision is the hinge between the two frameworks, and it says two decisive things:
- Paragraph 1: ENS shall include the measures to be implemented when personal data are processed to prevent their loss, alteration or unauthorised access, adapting the risk-determination criteria for data processing to those established in Article 32 of GDPR.
- Paragraph 2: public-sector controllers (those listed in Article 77.1 of the same law) shall apply to personal data processing the corresponding security measures provided for in ENS, and shall promote an equivalent level in the private-law companies or foundations linked to them. And when a third party provides the service (concession, management delegation or contract), its measures must be those of the originating administration and must conform to ENS.
The consequence is clear: for a public administration, complying with ENS is the way to comply with Article 32 of GDPR. These are not two rival security frameworks to be manually reconciled; the Spanish legislator already connected them. CCN-CERT has stated it plainly: ENS contains the measures the public sector must apply to comply with GDPR requirements in this area. This fits within the broader regulatory map I describe in my analysis of cybersecurity regulation in Spain (GDPR, ENS, NIS2 and DORA), where ENS and GDPR are two of the layers coexisting on the same system.
ENS vs GDPR: Comparison Table
This is the comparison I use to help a senior management team understand in thirty seconds that they are dealing with two regulations that share a meeting point, not a duplicated regulation.
| Criterion | ENS | GDPR |
|---|---|---|
| What is protected | Information systems (data, services, infrastructure) | Personal data of natural persons |
| Reference regulation | Royal Decree 311/2022; legal basis in Law 40/2015 | EU Regulation 2016/679; LOPDGDD 3/2018 in Spain |
| Who is obligated | Public sector and suppliers providing services to it | Any controller or processor handling personal data (public or private) |
| Focus | Information security (five CIDAT dimensions) | Comprehensive data protection (lawfulness, rights, security, etc.) |
| How measured | Basic / medium / high category by impact | Risk analysis for rights and freedoms; DPIA (Data Protection Impact Assessment) if high risk |
| Point of overlap | Annex II technical and organisational security measures | Article 32 technical and organisational security measures (linked to ENS Annex II by LOPDGDD Additional Provision 1) |
| Who supervises | CCN; conformity audit and certification | AEPD (and regional data protection authorities) |
| Sanctions regime | No fines of its own; non-compliance gives rise to administrative liability | Fines up to €20 million or 4% of annual turnover |
Can I Reuse ENS Work for GDPR Compliance (and Vice Versa)?
Yes — and that is exactly what I recommend in order not to pay for the same work twice. The overlap translates into shared deliverables. These are the ones I reuse in nearly every project:
- Asset and system inventory. ENS requires knowing your systems; GDPR requires knowing where personal data is located. A single inventory serves both: which system processes which data, at what level of criticality.
- Risk analysis. ENS risk analysis (across the five dimensions) and the GDPR Article 32 risk assessment share methodology. Additional Provision 1 expressly calls for adapting ENS risk criteria to Article 32. A single technical analysis serves both — although GDPR adds the perspective of individuals' rights.
- Annex II security measures. Encryption, access control, activity logging, backups, incident management… are exactly the measures Article 32 expects to see in place. Implementing ENS Annex II is, in practice, documenting the technical and organisational measures that GDPR will require you to demonstrate.
- Incident management and breach notification. ENS requires an incident response procedure; GDPR requires notifying personal data breaches to AEPD within 72 hours. A single detection and response workflow covers both obligations, with a specific branch for notification to the supervisory authority.
- Audit evidence. The records, policies and logs you generate for ENS conformity auditing are the best accountability evidence that GDPR requires from controllers.
What you cannot reuse — because it simply does not exist in ENS — is the purely "data" layer of GDPR: the record of processing activities, legal bases, information clauses, processor contracts, management of data subjects' rights, or the DPIA (Data Protection Impact Assessment) when processing entails high risk. That part must be built separately, and is usually coordinated by the Data Protection Officer (DPO), who is mandatory in public administrations.
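As an added example (not the author's material), a sketch in Python of the shared inventory and single response workflow described above: each record carries the ENS level per CIDAT dimension and a personal-data flag, the ENS category follows the Annex I rule that a system takes the highest level reached by any of its dimensions, and incident triage adds the 72-hour AEPD notification branch only when personal data are affected. The system names, the sample levels and the mapping of dimensions to "personal data breach" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LEVEL_RANK = {"basic": 0, "medium": 1, "high": 2}       # ENS Annex I levels
DIMENSIONS = ("confidentiality", "integrity", "traceability",
              "authenticity", "availability")            # the five CIDAT dimensions
# Dimensions whose compromise matches GDPR's personal data breach notion
# (destruction/loss, alteration, disclosure or access): an assumption of this
# example, not a rule stated in either regulation.
BREACH_DIMENSIONS = {"confidentiality", "integrity", "availability"}

@dataclass
class SystemRecord:
    """One inventory row for both frameworks: ENS level per dimension plus
    a GDPR flag recording whether the system processes personal data."""
    name: str
    levels: dict          # dimension -> "basic" | "medium" | "high"
    personal_data: bool

    def __post_init__(self):
        missing = set(DIMENSIONS) - set(self.levels)
        bad = {d: l for d, l in self.levels.items()
               if d not in DIMENSIONS or l not in LEVEL_RANK}
        if missing or bad:
            raise ValueError(f"{self.name}: missing={missing} invalid={bad}")

    def ens_category(self) -> str:
        # Annex I rule: the system takes the highest level any dimension reaches.
        return max(self.levels.values(), key=LEVEL_RANK.__getitem__)

def article32_scope(inventory):
    """Systems the GDPR Article 32 assessment must cover: those with personal data."""
    return sorted(s.name for s in inventory if s.personal_data)

def triage_incident(system, affected, detected_at_iso):
    """One workflow: ENS handling always; AEPD branch (72 h) only for personal data."""
    detected = datetime.fromisoformat(detected_at_iso)
    notify = system.personal_data and bool(set(affected) & BREACH_DIMENSIONS)
    return {"system": system.name, "ens_category": system.ens_category(),
            "notify_aepd": notify,
            "aepd_deadline": detected + timedelta(hours=72) if notify else None}

# Constructed sample inventory (hypothetical systems).
INVENTORY = [
    SystemRecord("citizen-portal", dict(confidentiality="high", integrity="medium",
                 traceability="medium", authenticity="medium", availability="medium"), True),
    SystemRecord("public-website", dict(confidentiality="basic", integrity="medium",
                 traceability="basic", authenticity="basic", availability="medium"), False),
]
```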
What About Private Companies? ENS by Contractual Pull
A widespread — and mistaken — belief is that ENS "only applies to public administrations." In practice, ENS reaches many private companies through contractual pull. Additional Provision 1 says so and tender documents confirm it: if you provide a service to the public sector that involves processing its data or systems, you must apply the ENS measures corresponding to the service category. This makes ENS conformity a requirement in many calls for tenders.
For those companies, the ENS-GDPR crossover pays off twice: the ENS conformity that the public contract requires gives you, almost as a bonus, most of the Article 32 security measures that GDPR already required of you as a controller of your own processing activities. I develop this idea further as applied to the public sector and its supply chain. If your company processes data and wants to organise both security and privacy, the natural starting point is my GDPR compliance guide for companies.
Where to Start: ENS or GDPR?
There is no universal order, but there is a logic that works in almost every case. If you are a public administration or a supplier obligated by contract, start with ENS: it gives you the structured security framework (inventory, categorisation, Annex II measures), and once that work is done, Article 32 of GDPR is largely covered. Build the GDPR data layer on top: record of processing activities, legal bases, rights and information to data subjects.
If you are a private company without public contracts, start with GDPR, because it is your direct obligation, and use ENS (or ISO 27001) as a reference catalogue for concretising the Article 32 technical measures. The sequence matters less than the principle: create one inventory, one risk analysis and one set of measures, and let them serve both regulations. Working the frameworks separately — with two teams and two timelines — is the mistake that generates the most excess cost.
Common Mistakes at the ENS-GDPR Intersection
- Believing ENS "covers" GDPR. It covers the security element (Article 32), not the rest: lawfulness, rights, information obligations, international transfers. Certifying ENS and forgetting the record of processing activities means non-compliance with GDPR.
- Believing GDPR "covers" ENS. It does not: GDPR does not require you to categorise systems or undergo CCN conformity auditing. Those are specific ENS obligations.
- Duplicating risk analysis. Performing one for security and another for data protection, without reusing anything, multiplies cost without adding value.
- Forgetting suppliers. Both ENS (via Additional Provision 1 and tender documents) and GDPR (processor contracts) extend obligations to the supply chain. That is where the most real breaches occur.
Frequently Asked Questions about ENS and GDPR
Does ENS cover GDPR?
Not entirely. ENS covers the security element of GDPR — Article 32, technical and organisational measures — thanks to Additional Provision 1 of LOPDGDD, which connects both frameworks for the public sector. But GDPR is much broader: lawfulness of processing, information to data subjects, rights, legal bases, retention periods, and international transfers all fall outside ENS. Certifying ENS advances security compliance, not the rest of data protection.
Where do ENS and GDPR overlap?
They overlap on technical and organisational security measures. GDPR Article 32 requires ensuring confidentiality, integrity, availability and resilience, and ENS provides the specific control catalogue (Annex II) and the five CIDAT dimensions to achieve it. GDPR Article 5.1.f (the integrity and confidentiality principle) states the objective that ENS materialises in controls. Additional Provision 1 of LOPDGDD is the regulation that legally connects the two.
Can I use ENS compliance to satisfy GDPR?
Yes, and it is recommended. A single system inventory, a single risk analysis and a single set of ENS Annex II measures simultaneously satisfy the Article 32 security-of-processing requirements. ENS incident management also feeds into GDPR breach notification to AEPD. What ENS does not give you — record of processing activities, legal bases, information clauses, DPIA (Data Protection Impact Assessment), rights management — must be built separately, usually under DPO coordination.
What is the difference between ENS security and GDPR security?
GDPR sets the objective openly ("measures appropriate to the risk") and leaves the controller to decide how to achieve it; ENS provides the detailed how: a closed catalogue of measures, organised by category and dimension, verified through conformity auditing. That is why they fit so well: ENS is a quantified, auditable response to Article 32's generic requirement. In the public sector, that response is not optional — Additional Provision 1 makes it mandatory.
Conclusion: Two Regulations, One Compliance Project
ENS and GDPR do not compete — they complement each other. ENS secures systems; GDPR protects people. They share the terrain of security measures, and in the public sector that terrain is stitched together by Additional Provision 1 of LOPDGDD, which makes ENS the route for complying with GDPR Article 32. For any administration — or any supplier bidding for public contracts — the practical conclusion is one: organise everything as a single compliance project, with one inventory, one risk analysis and one set of measures serving both regulations, and build separately only the GDPR-specific layer that ENS does not touch. If you want help fitting the pieces together for your specific case, you can get in touch or learn about the consultancy work I do in Castilla y León and Las Palmas.
Sources
- EU Regulation 2016/679 (GDPR) — Articles 5.1.f and 32, EUR-Lex
- Organic Law 3/2018 (LOPDGDD) — Additional Provision 1, BOE
- Royal Decree 311/2022, governing ENS — BOE
- Law 40/2015 on the Legal Regime of the Public Sector (ENS legal basis) — BOE
- AEPD — Spanish Data Protection Authority (guides on security of processing, GDPR Article 32)
- CCN-CERT — ENS contains the measures the public sector must apply to comply with GDPR requirements
- CCN ENS Portal (National Cryptologic Centre)
Content by Ángel Ortega Castro. Informational content, updated as of publication date; programme status may change. Always verify with BOE and Red.es for current deadlines.
Image: "Some days are like a big jigsaw puzzle…" by katerha — CC BY 2.0 (licence). Source: Flickr.