Categorise your system under Annex I of Royal Decree 311/2022 and, in under three minutes, assess your readiness across the three Annex II domains: organisational, operational and protective. Get a readiness percentage per domain, concrete gaps and next steps.
The ENS assesses the impact of an incident across five security dimensions. Mark the level of harm a failure would cause in each one — if a dimension doesn't apply to your system, mark "Not affected". Your final category is that of the highest level you reach in any dimension (art. 40 and Annex I, RD 311/2022).
Annex II groups 73 measures into three domains. These 4 are the foundation of the organisational domain: without them, the rest of the technical measures have nothing to stand on. Mark your actual situation, not the one you'd like to have.
8 representative measures out of the 33 this domain requires, one per family: planning, access control, operations, external resources, cloud services, continuity and monitoring.
8 representative measures out of the 36 this domain requires, one per family: facilities, personnel, equipment, communications, media, applications, information and services.
Mark the impact on the five Annex I dimensions — confidentiality, integrity, traceability, authenticity and availability. Your category is that of the highest level you reach.
20 representative questions out of the 73 Annex II measures, grouped into organisational, operational and protective.
The logic is local JavaScript: no answer is ever sent to a server or stored anywhere.
Category (art. 40, Annex I) + applicability of measures per domain (Annex II) + audit or self-assessment regime (art. 31 and 38).
Per domain, with your concrete gaps prioritised and next steps to close them — plus the link to go deeper into your specific case.
The ENS — Spain's National Security Framework, Royal Decree 311/2022, of 3 May (BOE-A-2022-7191) — regulates the security of information systems across the entire Spanish public sector, and also reaches private companies that, under a contractual relationship, provide services or solutions to public administrations for the exercise of their powers, including their supply chain when a risk analysis requires it (art. 2). The most common confusion among SMEs bidding for or holding a public-sector contract in Spain isn't not knowing the ENS exists — it's not knowing which category their system falls into. And that category determines how many measures, and at what level of reinforcement, they must apply.
Annex I assesses the impact an incident would have across five security dimensions: confidentiality, integrity, traceability, authenticity and availability. Each affected dimension is assigned a level — LOW (limited harm, easily reparable), MEDIUM (serious harm, difficult to repair) or HIGH (very serious or irreparable harm) — and here's the rule most SMEs overlook: the category of the whole system is that of the highest level reached in any single dimension. If your system's availability is only LOW but the confidentiality of the data it handles is HIGH, the entire system is HIGH category, with all 73 Annex II measures applying at their most demanding level of reinforcement (art. 40 and Annex I, section 4).
Security measures are split across three domains: the organisational domain [org], with 4 measures that form the base of everything — policy, regulations, procedures and authorisation process; the operational domain [op], with 33 measures across seven families (planning, access control, operations, external resources, cloud services, service continuity and monitoring); and the protective measures [mp], with 36 measures across eight families that protect concrete assets — facilities, personnel, equipment, communications, media, applications, information and services. Not all 73 apply equally to every system: each carries reinforcements (R1, R2...) that activate depending on your category, and the set you apply is formalised in the Statement of Applicability, a document signed by the security officer (art. 28).
Here's the second detail that most changes your compliance effort: BASIC category systems only require a self-assessment to declare ENS conformity, while MEDIUM or HIGH category systems need a certification audit, with an ordinary review at least every two years and an extraordinary one if the system undergoes substantial changes (art. 31 and 38). For HIGH category systems, if the audit finds serious deficiencies, the system owner may temporarily suspend information processing or service provision until they're remedied (art. 31.6). Systems that already existed before RD 311/2022 came into force had 24 months to adapt — a deadline that expired in May 2024 — while new systems apply the regulation from their conception.
If the self-assessment places you in MEDIUM or HIGH category with significant gaps, the 73 ENS measures explained with their applicability (Spanish source) has the full detail of every control per domain, and the ENS certification process, requirements and costs (Spanish source) covers the next step toward the audit. For the full text of the regulation, see the summary of Royal Decree 311/2022 in force (Spanish source). All of this is part of our regulatory compliance area, where we also cover NIS2, DORA, GDPR and the AI Act. And if you're not yet sure whether those other regulations apply to you too, our sister tool which regulation applies to me? checks them all at once.
The ENS (Esquema Nacional de Seguridad — Spain's National Security Framework) is Royal Decree 311/2022, of 3 May, which regulates the security of information systems across the entire Spanish public sector. It also applies to private companies that, under a contractual relationship, provide services or solutions to public administrations for the exercise of their powers — including those contractors' supply chain when the risk analysis requires it (art. 2).
The impact of an incident is assessed across five security dimensions — confidentiality, integrity, traceability, authenticity and availability (Annex I) — assigning each one a LOW, MEDIUM or HIGH level. The system's category is that of the highest level reached in any dimension: if a single dimension reaches HIGH, the whole system is HIGH category, even if the others are lower (art. 40 and Annex I, section 4).
Annex II lists 73 measures across three domains: organisational (4), operational (33) and protective (36). Not all apply equally: each measure carries reinforcements (R1, R2...) that activate depending on the system's category. The set of measures and reinforcements you apply is formalised in the Statement of Applicability, signed by the security officer (art. 28).
It depends on the category: BASIC category systems only require a self-assessment to declare conformity, while MEDIUM or HIGH category systems need a certification audit, with an ordinary review at least every two years (art. 31 and 38, RD 311/2022).
No. It's an automated guide based on your answers, meant to show you where to start — not a Statement of Applicability or a conformity certification. It does not replace the official audit when your category requires one. And nothing is stored: the test runs entirely in your browser using JavaScript, with no answer ever sent to any server.
Book a free 30-minute session. We'll go through your result, clarify which gap matters most for your case, and what concrete steps to take first — categorisation, Statement of Applicability, or audit preparation.
Book a free session →