Accredited certification bodies
The National Accreditation Entity (ENAC) makes available to interested parties the accreditation framework for entities wishing to certify compliance with the National Security Framework (ENS)..
The accreditation framework has been developed by ENAC in close collaboration with the General Secretariat for Digital Administration (Ministry of Economic Affairs and Digital Transformation) and the National Cryptologic Centre (CCN).
In the case of systems classified as LIMITED DIFFUSION (LD) or equivalent, an entity must be accredited by ENAC in the scope of application of the National Security Framework in accordance with the UNE-EN ISO/IEC 17065:2012 standard in order to certify compliance with STIC requirements. In addition, security auditing entities must have a valid Company Security Clearance (HSEM in Spanish initials).
Compliance with STIC requirements in the field of classified systems (LD) may also be certified among those auditing entities that comply with one of the following options (CCN-STIC-101):
- Be an entity, organ, body, agency and unit linked to or dependent on the Public Administrations whose competencies include the development of information systems audits, as stated in its creation regulations or structural decrees and whose due impartiality is guaranteed.
- Exceptionally, be a company validated by the CCN, which has demonstrated sufficient technical capability to carry out STIC audits/inspections on systems handling classified information.
It would be desirable to try to ensure that all systems (those already certified and those in the process of certification) reach 05.05.2024 with a RD 311/2022 certificate or are in the process of obtaining one, for which the National Cryptologic Centre (CCN) urges accredited Certification Entities to advise their clients on such matters, which will undoubtedly avoid possible situations of expiry of Certifications and will improve confidence in the information systems within the scope of application of the ENS certified in accordance with the new RD.
As indicated in the Security Guide CCN-STIC CCN-CERT IC-01/19 ENS: General Audit and Certification Criteria, when an exceptional situation arises -such as the one caused by Covid-19-, which advises the opening of a temporary hiatus in the relationship between Certification Bodies and their clients, or the temporary extension of the Certificates of Conformity issued, the CCN may, in the exercise of its powers, extend the validity of the Certificates of Conformity by issuing a communication or after the analysis of each specific case that, in this regard, is submitted for its consideration.
The date indicated when an entity is in the process of accreditation corresponds to the date on which the accreditation was requested from ENAC. During the 12-month period, the company in the process of accreditation may carry out audits and issue certificates. If accreditation has not been obtained during this period, the entity in the process must cease its certification activities..
Certification bodies accredited or in the process of accreditation to issue certifications of conformity with the ENS and systems classified with the degree of LIMITED DISCLOSURE (LD) or equivalent:

ENS accreditation status | Business name | Webpage | ENS accreditation status (accredited by ENAC) | ENS accreditation status (recognized as OAT) | STIC accreditation status (DL) |
---|---|---|---|---|---|
ADOK CERTIFICACIÓN | ADOK CERTIFICACIÓN, S.L. | EN PROCESO 20-04-2023 | - | - | |
Cámara Certifica | Certificación y Confianza, Cámara S.L.U. | - | - | ||
Agència de Ciberseguretat de Catalunya | Agència de Ciberseguretat de Catalunya | - | - | ||
Audertis Audit Services | Audertis Audit Services, S.L. | - | |||
BDO Auditores | BDO Auditores, S.L.P. | - | - | ||
Bureau Veritas Certificación | Bureau Veritas Iberia, S.L. | - | - | ||
AENOR Internacional | AENOR Internacional, S.A.U. | - | |||
DNV GL Business Assurance España | DNV GL Business Assurance España, S.L. (Unipersonal) | - | - | ||
CESTIC - Centro de Sistemas y Tecnologías de la Información y las Comunicaciones | Secretaría de Estado de Defensa (Ministerio de Defensa) | - | |||
European Quality Assurance Spain | European Quality Assurance Spain, S.L. | - | - | ||
IMQ Ibérica - Certificación de Sistemas de Calidad y de Producto | IMQ Ibérica - Certificación de Sistemas de Calidad y de Producto, S.L. (Unipersonal) | - | - | ||
IVAC - Instituto de Certificación | IVAC - Instituto de Certificación, S.L. | - | - | ||
LEET Security | LEET Security, S.L. | - | - | ||
LGAI Technological Center (APPLUS) | LGAI Technological Center, S.A. (APPLUS) | - | - | ||
Mando Conjunto del Ciberespacio (MCCE) / ESPDEF-CERT | Ministerio de Defensa / Estado Mayor de la Defensa (EMAD) | - | |||
OCA Global | OCA Instituto de Certificación S.L. (Unipersonal) | - | - | ||
S2 Grupo | S2 Grupo | - | - | ||
SGS International Certification Services Ibérica | SGS International Certification Services Ibérica, S.A.U. | EN PROCESO | - | - | |
Sistemas Informáticos Abiertos | Sistemas Informáticos Abiertos, S.A.U. | - | - | ||
SGS BRIGHTSIGHT BARCELONA | SGS BRIGHTSIGHT BARCELONA, S.L. (Unipersonal) | - | - |