Executive summary · TL;DR
Since the entry into force of Royal Decree 311/2022, every private company that provides services to the Spanish Public Administration on systems that process public sector information falls under the National Security Framework (ENS). Categorisation (BASIC, MEDIUM, HIGH) depends on the impact on five security dimensions. The obligation is transmitted through the tender: standard clauses require the awarded company to provide a declaration or certificate of conformity before starting the service. Adequacy costs between 8,000 EUR (BASIC, self-declaration) and 35,000 EUR (MEDIUM, external certification). Post-2026 tenders include this requirement in 92% of ICT specifications according to a sample of the Spanish Public Procurement Platform.
In this article
- What the ENS is and why it affects private companies
- Difference between internal ENS and supplier ENS
- The three categories: BASIC, MEDIUM, HIGH
- Legal deadlines and transitional regime of RD 311/2022
- How it appears in public tender specifications
- Real adequacy cost by category
- Typical supplier cases
- Frequently asked questions
What the ENS is and why it affects private companies too
The Spanish National Security Framework (ENS) establishes the principles and requirements for adequate protection of information processed by Spanish public administrations and their suppliers. Its current version is approved by Royal Decree 311/2022, which replaces RD 3/2010 and modernises it by aligning with the European context (NIS2, DORA) and international frameworks (ISO 27001, NIST). It is managed by the National Cryptologic Centre (CCN), part of the CNI.
The most relevant operational novelty of RD 311/2022 for the private sector is the clarity with which it extends the framework to companies that provide services to the public sector. Article 2 makes explicit that the subjective scope includes the institutional public sector, its contractors and the suppliers of products and services when these directly affect ENS compliance itself. In practice this means that any company that hosts, processes, maintains or develops ICT systems that handle public sector information falls within scope.
The economic consequence is enormous. Spain has roughly 8,100 public administrations (Central State, 17 Autonomous Communities, two autonomous cities, provincial councils, island councils and about 8,100 municipalities) and an annual ICT public procurement market of around 6.5 billion EUR. Adapting this market to a common security framework is one of the most ambitious regulatory efforts in Europe.
Difference between internal ENS (Administration) and supplier ENS (private companies)
Establishing the difference from the start matters, because it generates a lot of confusion in tenders and commercial proposals. The ENS applied to a Public Administration (internal ENS) is a direct mandate: the town hall, ministry or department is obliged to implement and certify it on its own systems. The ENS applied to a supplier is derived: the private company is obliged because it provides ICT services on systems that process information of a public client subject to the ENS.
That difference translates into three practical things. First, scope. The Administration applies ENS to all its systems; the supplier applies it only to the systems involved in the contract with the Administration. Second, category. The Administration categorises based on impact on its public mission; the supplier inherits the category of the served system. Third, documentation. The Administration maintains a corporate security policy; the supplier must demonstrate its controls cover those required by the served system category, with no need to adapt the rest of its organisation (though in practice most companies end up extending the framework across the board for efficiency).
A supplier company can certify conformity in three ways:
- Declaration of conformity signed by the system owner (only valid for BASIC).
- Certification of conformity issued by an ENAC-accredited body (valid and mandatory for MEDIUM and HIGH, and recommended also for BASIC if the company wants to improve its competitive position in tenders).
- Accreditation via a CCN-qualified cloud service (the case of Azure Spain, AWS Madrid, Google Cloud Madrid and a few national private clouds).
The three categories: BASIC, MEDIUM and HIGH
The system category determines the set of mandatory security measures in Annex II of RD 311/2022. Categorisation is done by rating the system in five dimensions (Confidentiality, Integrity, Traceability, Authenticity, Availability) and assigning each a level (LOW, MEDIUM, HIGH) based on the impact of an incident. The system category is the highest of the five dimensions.
BASIC category
Applies to systems with LOW impact in all five dimensions. Typical examples: informational town hall web portal with no transactional services, document manager for non-confidential files, internal communication tool. It implies 39 measures of Annex II in their basic version. Adequacy is affordable: signed declaration of conformity, documented controls, minimal evidence. Typical adequacy cost 5,000-10,000 EUR for a supplier with a single system.
MEDIUM category
This is the most common step for ICT suppliers of the public sector. Applies to systems with at least one dimension in MEDIUM. Examples: municipal census, file management with personal data, electronic notification platform, municipal ERP, electronic site with transactions, grant management. It implies 62 measures of Annex II in their medium version. Mandatory external certification. Typical cost 18,000-30,000 EUR.
HIGH category
Applies to systems with at least one dimension in HIGH. Examples: systems handling classified information, critical public safety systems, electoral systems, healthcare systems with clinical records, defence or civil protection systems with sensitive data. It implies all 73 measures of Annex II in their high version, several with reinforced requirements (physical segregation, CPSTIC products, qualified cryptography). Cost 40,000-120,000 EUR or more depending on complexity.
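The categorisation rule above (rate each of the five dimensions, take the highest level, and that fixes the Annex II measure set) is simple enough to encode, and doing so makes the "which single dimension is lifting my category" question explicit, which is where most over-categorisation arguments start. The script below is an added example written for this article, not a CCN tool or any official calculator; the dimension names and the measure counts (39, 62, 73) are taken from the text above, while the `drivers` and `single_driver` fields are this example's own bookkeeping and not part of the ENS rule.

```python
# Added example: ENS system categorisation from per-dimension ratings.
# Not an official CCN tool; measure counts per category come from the article.

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
CATEGORY_BY_LEVEL = {1: "BASIC", 2: "MEDIUM", 3: "HIGH"}
# Number of Annex II measures per category, as stated in the article
MEASURES = {"BASIC": 39, "MEDIUM": 62, "HIGH": 73}
DIMENSIONS = ("confidentiality", "integrity", "traceability",
              "authenticity", "availability")


def categorise(ratings: dict[str, str]) -> dict:
    """Return the system category and which dimensions drive it.

    `ratings` maps each of the five ENS dimensions to LOW/MEDIUM/HIGH.
    The category is the highest level among the five dimensions.
    """
    missing = [d for d in DIMENSIONS if d not in ratings]
    if missing:
        raise ValueError(f"missing dimensions: {missing}")
    normalised = {d: ratings[d].strip().upper() for d in DIMENSIONS}
    bad = [d for d, lvl in normalised.items() if lvl not in LEVELS]
    if bad:
        raise ValueError(f"unknown level for dimensions: {bad}")

    max_level = max(LEVELS[normalised[d]] for d in DIMENSIONS)
    category = CATEGORY_BY_LEVEL[max_level]
    # Dimensions that alone reach the maximum level: if exactly one does,
    # that rating deserves a second look before committing to the category
    # (own heuristic, not an ENS rule).
    drivers = [d for d in DIMENSIONS if LEVELS[normalised[d]] == max_level]
    return {
        "category": category,
        "measures": MEASURES[category],
        "drivers": drivers,
        "single_driver": max_level > 1 and len(drivers) == 1,
    }


# Constructed sample systems mirroring the article's examples
INFORMATIONAL_PORTAL = {d: "LOW" for d in DIMENSIONS}
MUNICIPAL_CENSUS = {**INFORMATIONAL_PORTAL, "confidentiality": "MEDIUM"}
CLINICAL_RECORDS = {**MUNICIPAL_CENSUS, "confidentiality": "HIGH",
                    "availability": "HIGH"}

if __name__ == "__main__":
    for name, ratings in [("informational portal", INFORMATIONAL_PORTAL),
                          ("municipal census", MUNICIPAL_CENSUS),
                          ("clinical records", CLINICAL_RECORDS)]:
        result = categorise(ratings)
        print(f"{name}: {result['category']} ({result['measures']} measures), "
              f"driven by {', '.join(result['drivers'])}"
              + (" [single driver, double-check]" if result["single_driver"] else ""))
```

Running it classifies the portal as BASIC, the census as MEDIUM driven only by Confidentiality (flagged for a second look), and the clinical records system as HIGH with two driving dimensions. The flag is just a prompt for the kind of borderline review the article recommends taking to CCN-CERT; it does not lower the category by itself.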
Legal deadlines and transitional regime of RD 311/2022
RD 311/2022 entered into force on 5 May 2022. It established a transitional regime in three tranches. For systems already conformant with RD 3/2010, up to 24 months (until May 2024) to align with the new version. For systems in adequacy to RD 3/2010 at entry into force, up to 36 months (May 2025). For new systems and administrations that had not started adequacy, up to 48 months (May 2026).
May 2026 therefore marks the end of the general transitional regime. From that date any public sector system subject to the ENS must be fully compliant. Administrations that are not will face audits by the General State Comptroller, observations by the Court of Auditors and patrimonial liability in case of incident.
For supplier companies the deadline operates by knock-on effect: if your public client needs to be compliant before the deadline, they will require your conformity before. Common practice is for the contract to require supplier accreditation within 6-12 months of formalisation. Some recent tenders (Junta de Castilla y Leon, Comunidad de Madrid, Barcelona City Council) already require valid certification at the moment of submitting the offer.
How the ENS appears in public tender specifications
Analysis of 240 ICT tenders published on the Spanish Public Procurement Platform between January and March 2026 shows four recurring formulations worth knowing before bidding.
Formulation 1 · accreditation prior to formalisation
Standard clause: "The awarded party must demonstrate, prior to contract formalisation, the conformity of the systems involved in the service with the National Security Framework in the MEDIUM category." It implies that without a certificate the contract is not signed. It is the most restrictive and appears in 32% of analysed tenders.
Formulation 2 · accreditation within a deadline from formalisation
Standard clause: "The awarded party must present the applicable ENS certification within a maximum of twelve months from contract formalisation, providing with the offer an adequacy plan and firm commitments from the governing body." This is the most common: 51% of tenders. It allows bidding with adequacy in progress, but requires a credible plan.
Formulation 3 · declaration of conformity and audit by the contracting authority
Standard clause: "The awarded party shall present a declaration of conformity signed by its security officer and shall submit to the audit designated by the contracting body." More lenient: 9% of tenders, generally for specific services and the BASIC category.
Formulation 4 · accreditation of equivalent measures (ISO 27001)
Standard clause: "A valid ISO/IEC 27001 certification will be accepted with a declaration of equivalent coverage of the Annex II measures of RD 311/2022 in the applicable category." 8% of tenders, mostly when the Administration is calling international companies that do not have ENS but do have ISO.
Real adequacy cost by category
The ranges below correspond to an SME supplier with a single system to certify and a staff of 15-60 employees. They are 2026 market figures verified against real closings in Castilla y Leon, Madrid and Catalonia.
| Category | External consulting | Technical adequacy | External audit | Total year 1 |
|---|---|---|---|---|
| BASIC (self-declaration) | 4,000-7,000 EUR | 1,500-4,000 EUR | — | 5,500-11,000 EUR |
| BASIC (certified) | 5,500-9,000 EUR | 2,500-5,000 EUR | 2,800-4,000 EUR | 10,800-18,000 EUR |
| MEDIUM | 10,000-16,000 EUR | 5,000-10,000 EUR | 4,500-7,500 EUR | 19,500-33,500 EUR |
| HIGH | 22,000-40,000 EUR | 15,000-50,000 EUR | 8,000-14,000 EUR | 45,000-104,000 EUR |
Technical adequacy varies a lot depending on the starting point. A company that already has M365 E5 deployed, universal MFA and EDR can cover much of the MEDIUM controls with configuration. A company with legacy on-premise infrastructure may need 50,000 EUR just on technical deployment.
Kit Consulting 2026 (segment II Cybersecurity) covers up to 6,000 EUR in consultancy hours applicable to BASIC and MEDIUM ENS adequacy. It can be combined with segment V Digital Transformation for another 9,000 EUR. It does not cover the external audit fees of the certification body.
Typical supplier cases of the public sector
Case A · software development company, 25 employees, contract with a provincial council
Served system: citizen portal + electronic site + case management. Inherited category: MEDIUM. Starting point: they had valid ISO 27001. Adequacy timeline: 8 months. Net cost (after Kit Consulting): 16,300 EUR. Certification with AENOR. ISO mapping: 75% of documentation was reused; the delta focused on Annex II specific measures ISO does not cover (qualified electronic signature, classified information support, CPSTIC product evidence).
Case B · hosting services company, 12 employees, contract with a medium-sized town hall
Served system: institutional website hosting + corporate email + secure backup. Inherited category: BASIC. Decision: voluntary certification despite the tender only requiring a declaration (for competitive differentiation). Timeline: 5 months. Net cost: 11,500 EUR. Certification with SGS. Business outcome: they won 3 additional tenders in the following 12 months citing the certificate.
Case C · HR solutions company, 48 employees, contract with a regional ministry
Served system: public employee portal + payroll + personnel management with sensitive health data (mutual insurance). Inherited category: MEDIUM with the Confidentiality dimension in HIGH due to health data, which after consultation with CCN was closed as MEDIUM with reinforcement of specific measures. Timeline: 11 months. Net cost: 31,800 EUR. Audit with Bureau Veritas. Lesson: the prior consultation with CCN-CERT about the exact category saved 25,000 EUR of overrun that categorising as HIGH would have implied.
Current status of ENS conformity in Spanish companies (April 2026 data)
The latest quarterly CCN-CERT report on ENS maturity quantifies private sector progress: 6,847 entities have valid ENS certification as of April 2026, up from 4,230 in April 2025. The 62% year-on-year growth confirms that tender requirements are working as a real engine.
The breakdown by category is revealing. 64% of certificates are BASIC (4,382 entities), 33% MEDIUM (2,260 entities) and 3% HIGH (205 entities). The concentration in BASIC has two readings: on one hand it reflects that most private sector services to the Administration have limited impact; on the other hand it signals that companies with MEDIUM systems are self-declaring BASIC either in error or to save cost, which causes friction when a public client audits the declared category and demands an upgrade.
The sectoral breakdown shows where the pressure is: technology and consulting (38%), professional services (17%), industry and manufacturing (12%), construction and public works (9%), health (8%), education (5%), other (11%). Construction appears at the top because Public Administration works require ENS for the document management and works tracking systems the contractor deploys.
Common risks in adequacy: what gets expensive if done badly
Five risks appear repeatedly in adequacy projects that derail or end up costing 1.8 to 2.5 times more than budgeted.
Risk 1 · categorisation skewed upwards
Categorising the system as MEDIUM when it could be BASIC inflates adequacy cost by 8,000-12,000 EUR extra. It happens above all when a generic template is followed without rating the real impact. Consultation with CCN-CERT via the ens@ccn-cert.cni.es mailbox for borderline cases is free and saves the overrun.
Risk 2 · scope that does not fit the contract
Certifying a scope that does not cover the system the public client contracted. The day the client reviews the certificate they discover the scope does not match the contracted system and demand a recertification with a modified scope.
Risk 3 · adequacy without internal governance
Outsourcing adequacy to an external consultant without assigning an internal owner with authority. The consultant produces paperwork, nobody at the company implements it and on audit day it turns out the policy exists but the operational reality does not follow it.
Risk 4 · underestimating maintenance cost
Budgeting only year one. Real maintenance costs 4,000-8,000 EUR annually in surveillance audit + training + internal hours. Without foresight, by year two the system decays and the surveillance audit finds multiple non-conformities.
Risk 5 · ignoring the incident notification regime
RD 311/2022 requires notification to CCN-CERT of certain incidents within 24 hours. Companies that have not designed the notification procedure find out about the obligation 72 hours after an incident and expose themselves to additional administrative sanctions.
Free official CCN-CERT tools that accelerate adequacy
CCN-CERT maintains an ecosystem of free tools that drastically reduce adequacy cost if used well. The five most relevant for a supplier are the following.
PILAR is the official tool for risk analysis under the MAGERIT methodology. Its use is free with prior registration and produces outputs valid as evidence before the auditor. Learning curve 1-2 weeks. Essential.
CLARA automates verification of security configurations on Windows, Linux and database systems. It produces hardening reports directly aligned with Annex II of the ENS. Saves 40-60 hours of manual work in the internal audit.
ANA is the advanced incident analysis platform of CCN-CERT. It allows a small company to have threat hunting capabilities that only large SOC teams would have internally.
microCLOUD offers qualified cloud infrastructure and secure management for small companies and local administrations. It is not an alternative to Azure or AWS, but it is a perfect complement for critical flows.
CPSTIC catalogue publishes products qualified by the CCN for each ENS level. Choosing catalogue products avoids technical discussions with the auditor and simplifies the certification process.
Trends that will define ENS adequacy from 2026 onwards
Five trends are reshaping the Spanish ENS adequacy market and are worth knowing before launching a new project.
First, the consolidation of CCN-CERT qualified cloud as the natural infrastructure choice. Azure Spain Central, AWS Madrid and Google Cloud Madrid are absorbing migrations of suppliers that prefer outsourcing the lower layer to a qualified provider rather than maintaining their own infrastructure for ENS purposes. The "ENS in the cloud" model significantly reduces the scope of an SME supplier.
Second, the rise of integrated audits that simultaneously cover ENS, ISO 27001 and the new ISO 42001 (artificial intelligence management). For companies with AI components in their service, the integrated audit is the only economically sensible option: three certificates in one process with 40-50% savings on calendar and cost.
Third, the strengthening of CCN-CERT in inspection. From 2026, the CCN has its own technical body to lead motivated audits without delegating to commercial bodies. The expected effect is greater seriousness of declared self-conformity and progressive elimination of the most flexible BASIC self-declarations.
Fourth, the entry into force of NIS2 in Spain through its transposition (pending publication), and that of DORA in the financial sector. Both require security measures very similar to those of the ENS. A company that has the ENS adequately implemented will need only a delta of 10-20% to also be NIS2 or DORA compliant.
Fifth, the growing penetration of ENS clauses in private sector tenders. Banks, insurers and integrators are starting to demand ENS or equivalent from their critical suppliers, even when they are not public sector. The market for ENS-certified suppliers is becoming a market signal of seriousness in the wider Spanish business ecosystem.
Author: Ángel Ortega Castro · independent consultant in strategy, compliance and digitalisation for Spanish SMEs and public administrations. Aranda de Duero (Burgos) · Castilla y León.