FAQ
The objective of this section is to provide organisations within the scope of application of Royal Decree 311/2022, of 3 May, which regulates the National Security Framework, whether they belong to the public or private sector, with a mechanism to quickly and efficiently resolve the doubts that usually arise regarding compliance, suitability and certification of their information systems with respect to the provisions of that legal text.
Therefore, the texts contained in this section are not to be considered as mandatory rules or, in any way, as rules belonging to the legal order relating to the National Security Framework.
From 5 May 2022, by virtue of Royal Decree 311/2022, of 3 May, Royal Decree 3/2010, of 8 January, has been repealed. However, in order to facilitate an orderly transition and the necessary adaptation of the Certification Entities to the new regulatory framework, as communicated by the CCN, the information systems that existed prior to the entry into force of RD 311/2022 may, until 5 May 2024, continue to use the certification procedure of RD 3/2010, of 8 January, knowing that the maximum validity date of the certificates thus issued may not exceed 5.5.2024. On the other hand, certification according to RD 311/2022, of 3 May, may be undertaken from 1 December 2022 and the certificates will have the usual validity of two calendar years.

The ENS, based on the establishment and development of basic principles and minimum requirements, provides organisations that have their information systems compliant with its provisions and managed in the exercise of their competences, with adequate protection of the services provided and the information processed by them, in order to ensure the access, confidentiality, integrity, traceability, authenticity, availability and preservation of data, information and services directly or indirectly supported by electronic means.
For both public sector organisations and the private sector organisations that provide them with solutions or services, the provisions of the ENS allow them to meet the principles of action and security requirements of public administrations, and thereby to achieve their objectives.
For citizens, the ultimate recipients of the public service, it is a guarantee that the public bodies with which they interact have the necessary security conditions to safeguard their information and rights.
The National Security Framework, as set out in Article 2, is applicable to public sector entities, to private sector entities that provide them with services and, in general, to the supply chain of the latter, to the extent that a prior risk analysis so determines.
In addition, it should be remembered that the ENS measures are also applicable to those entities determined by Organic Law 3/2018, of 5 December, on Data Protection and guarantees of digital rights, when processing personal data.
Finally, the ENS also applies to systems that process classified information, and it may be necessary to adopt complementary security measures specific to these systems, which are also subject to Law 9/1968, of 5 April, on Official Secrets (LSO), and those derived from international commitments undertaken by Spain, or as a consequence of its membership of international organisations or forums.
The National Security Framework is specifically regulated by the following legislation:
- The Royal Decree 311/2022, of 3 May, which regulates the National Security Framework.
- The Resolution of 27 March 2018, of the Secretary of State for Civil Service, approving the Technical Security Instruction on Auditing the Security of Information Systems.
- The Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction on Conformity with the National Security Framework.
- The Resolution of 7 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction on the Security Status Report.
- The Resolution of 13 April 2018, of the Secretary of State for Civil Service, approving the Technical Security Instruction on Security Incident Notification.
A list of other cybersecurity-related legislation in Spain can be found in the Code of Cybersecurity Law published by the BOE.
The CCN-STIC Guides, classified in several Series, comprise a set of documents, instructions, guidelines and recommended best practices, developed by the National Cryptologic Centre in order to provide organisations with adequate tools to improve the degree of cybersecurity of their information systems. More specifically, the CCN-STIC 800 Series comprises a set of guides to promote the implementation of the ENS and to help improve compliance with its provisions.
The CCN's INES/AMPARO solution includes templates for practically all the relevant documents that may be required to draw up the ENS Adequacy Plan and carry out its practical implementation, especially oriented to the information security management layer applied to the information system(s).
If your organisation falls within the scope of application of the ENS, you must comply with the provisions of Royal Decree 311/2022. To do so, you must begin the process of adaptation to the ENS and, as a first step, you must undertake the approval of the organisation's Information Security Policy (ISP), assigning the roles determined by the ENS.
µCeENS is an innovative methodology that benefits from the new features of the RD 311/2022, of 3 May, to facilitate obtaining the Certification of Conformity in the National Security Framework (ENS) based on a Specific Compliance Profile (PCE).
With this methodology the necessary support and assistance are provided to achieve the Compliance Certification with the ENS from the phase prior to the adaptation, until after it has been obtained, all of which is automated in the Cybersecurity Governance tools (INES-AMPARO).
The Adequacy Plan is an ordered set of actions aimed at satisfying the requirements of the ENS. This plan should include the following phases:
- Prepare and approve the Information Security Policy (ISP) and the Internal Security Regulations, including the definition of roles and the assignment of responsibilities to them. In the case of systems handling classified information, additional security organisation criteria shall also be taken into account.
- Analyse and categorise the information systems, taking into account the assessment of the information handled, whether it includes personal data, and the assessment of the services provided.
- Prepare the Statement of Initial Applicability of the measures in Annex II of the ENS, taking into account, if applicable, a certain Compliance Profile to which the information system(s) may be attached.
- Develop a Risk Analysis to verify that the security measures derived from the Statement of Initial Applicability are adequate and sufficient.
- Obtain the final Declaration of Applicability.
- Initiate actions to implement the rest of the measures required for the defined security level and security category.
The Information Security Policy (ISP) is a high-level document that shows an organisation's commitment to information security and determines the set of guidelines that govern how an organisation manages and protects the information it handles and the services it provides. Such a document should be accessible to all members of the organisation and written in a simple, precise and understandable way.
As this is a high-level document in the organisation, it should be brief, leaving the technical details for other normative documents that develop it. As it is a public document, it should not highlight vulnerabilities that could be exploited by malicious actors.
The security policy, in application of the principle of differentiation of responsibilities referred to in article 11 of the ENS, should be known by all persons belonging to the organisation and should unequivocally define the roles responsible for ensuring compliance with it. An additional common practice is for it to be accessible from the organisation's website, portal or virtual office and, for certain public bodies, to be published in the Official State Gazette (BOE), the Gazette of the Autonomous Community, or the Official Provincial Gazette (BOP), as appropriate.
This policy shall be approved by the Directorate General of the organisation (the highest body concerned in the Public Sector), and shall be set out in a written document, which clearly states at least the following:
- The objectives or mission of the organisation.
- The legal and regulatory framework in which the activities will take place.
- Security roles or functions, defining for each, the duties and responsibilities of the position, as well as the procedure for their appointment and renewal.
- The structure of the committee(s) for the management and coordination of security, detailing its (their) scope of responsibility, membership and relationship to other elements of the organisation.
- Guidelines for the structuring of the system security documentation, its management and access to it.
The roles of the ENS are those assumed by the persons responsible for ensuring compliance, based on the differentiation of responsibilities set out in Article 11 of the ENS and considering that responsibility for the security of information systems must be differentiated from responsibility for their operation.
In particular, a distinction shall mainly be made between the Information Officer, the Service Officer, the Security Officer and the System Administrator.
The organisation's Information Security Policy (ISP) shall detail the attributions of each of these roles and the coordination and conflict-resolution mechanisms between them.
As a summary:
- The person in charge of the service shall determine the requirements for the services provided.
- The information officer shall determine the requirements of the information processed. The roles of information officer and service officer may be held by the same natural person.
- The Security Officer shall determine decisions to satisfy information and service security requirements, oversee the implementation of measures necessary to ensure that the requirements are satisfied, and report on these matters to the Information Security Committee.
- The system manager, alone or through own or contracted resources, shall be responsible for developing the concrete form of implementing security in the system and for supervising its day-to-day operation, and may delegate to administrators or operators under their responsibility.
The security officer shall be separate from the system administrator and there should be no hierarchical dependency between them. If, due to the size and lack of resources of the organisation, this is not possible, appropriate compensatory measures should be implemented to ensure differentiation of responsibilities and absence of conflict of interest.
The ENS also foresees the role of the Security Administrator (ASEG) as a resource for those organisations in which the Security Manager (RSEG) does not have all the necessary technical knowledge and can rely on him/her. In this case, the RSEG will have a more strategic performance while the ASEG will have a more operational performance. An example would be a Local Agency appointing the Secretary of the City Council as the RSEG, who should be supported by an internal or an external ASEG contracted as a service provision.
In order to implement the organisation of an entity's security, committees can be created, which will be articulated and function as collegiate bodies in accordance with administrative regulations.
The Information Security Committee is responsible for aligning the organisation's information security activities.
Its composition will include at least all the roles of the ENS (service manager, information manager, security manager and system manager). It is good practice to include the Data Protection Officer (DPO), because the first additional provision of the LOPD-GDD determines that, in the public and linked private sector, the security measures of the ENS will be used to protect information of a personal nature, so the DPO has common interests regarding the ENS.
In organisations where there is a Corporate Security Committee, whose responsibility is to align all security activities of the organisation, such as property security, physical security, etc., the Information Security Committee could be included in it.
Likewise, in large organisations it can be useful to split the Information Security Committee into two: a Committee more oriented towards Security Management, with the power to adopt any decision within the scope of its competences, and a Technical Committee, more oriented towards the day-to-day running of security and its continuous monitoring. This distribution brings security management closer to the organisation's operations.
The ENS does not provide for sanctions for non-compliance. However, as with the rest of the legislation applicable to Public Administrations, the non-existence (or inapplicability, as the case may be) of a sanctioning regime does not prevent the persistence of the so-called Patrimonial Liability of Public Administrations, by virtue of which the citizen must be compensated for the pecuniary damage suffered as a consequence of damage caused by action or omission of the Public Administrations, knowing that, in any case, the alleged damage must be effective, economically assessable and individualised in relation to a person or group of persons.
The liability of the Public Administrations, in our legal system, is based not only on the generic principle of effective protection in the exercise of legitimate rights and interests recognised in art. 24, EC, but also in art. 106.2, EC, which provides that individuals, under the terms established by law, shall have the right to be compensated for any injury they suffer to any of their property and rights, except in cases of force majeure, provided that it is a consequence of the operation of public services.
Public administrations shall compensate individuals for the application of legislative acts of a non-expropriatory nature in law and which they have no legal duty to bear, when so provided for in the legislative acts themselves and under the terms specified in those acts.
Notwithstanding the above, the inadequate behaviour of the Administration may also be due to negligence or lack of due diligence on the part of public employees, for which reason, separately from the aforementioned Liability of Public Administrations, the non-compliant civil servant could be subject to disciplinary sanctions, a circumstance that applies not only to the Head of Security but to any other public post or position.
At present, the ENS does not establish any requirements to be appointed as Security Officer (RSEG) beyond the appropriate competence to perform the functions as such.
However, it should be noted that within the framework of the National Cybersecurity Forum (FNCS), the National Framework for Cybersecurity Officers has been defined, and although it is already available on the FNCS website, it has not yet been officially promulgated. When this happens, the National Accreditation Entity (ENAC) will supervise the implementation of this certification framework, which, as with the DPO certification, will be voluntary.
The categories of information systems in the ENS, and how to determine them, are defined in Annex I of Royal Decree 311/2022. It states that the category of a system is based on the assessment of the impact that an incident affecting the security of the information processed or the services provided would have on the organisation's ability to:
a) Achieve its objectives.
b) Protect the assets in its charge.
c) Ensure compliance with the legal order.
Security risk analysis is a systematic process for estimating the magnitude of risks to which an organisation's information systems are exposed.
The level of stringency in security-oriented risk management will depend on the category of the system, with an informal analysis being sufficient for the BASIC category.
In general terms, in a first phase known as identification, the most relevant assets of the system are determined and, for each of them, the possible threats. Then, in a second phase known as analysis, a risk value is obtained for each (asset, threat) pair based on the estimated probability of the threat materialising and the impact or degradation of the asset if it does occur. Finally, by comparing each risk value obtained with the threshold, or risk appetite, defined by the organisation, the risks considered unacceptable are identified; these must be addressed in order to reduce them, if possible, to values below the threshold.
There are various ways of dealing with risks assessed as unacceptable: avoiding the circumstances that cause them, reducing the likelihood of their occurrence, limiting their consequences, transferring or sharing them with another organisation, or even accepting that they may occur and providing resources to act when necessary.
For follow-up of treatment or mitigation actions, a Risk Treatment Plan (RTP) is usually established which contains the status of each action, the person responsible, the expected start and end date, the resources required, etc.
In some organisations, the RTP is included, in whole or in part, in the so-called Master Security Plan which, when implemented and operated, must satisfy the level of risk accepted by the organisation's management.
The ENS does not impose any specific methodology for risk analysis and management other than the need to use a recognised methodology, the functionality and results of which are verifiable.
The MAGERIT methodology is highly evolved and widespread in the public sector; other generic methodologies and standards, such as ISO 31000:2018 on risk management guidelines, do not contradict it but rather complement it.
Within the scope of the ENS, the Statement of Applicability is the document that formalises the list of security measures included in Annex II of Royal Decree 311/2022 that are applicable to the information system in question, in accordance with its category. It must be approved by signature of the person responsible for security (RSEG) or, where appropriate, by the minutes of the Security Committee of which the RSEG is a member.
In addition, as stated in Article 28.2 of the ENS, the security measures assessed according to the category of the system, specified by means of basic requirements and mandatory reinforcements, may be supplemented by mandatory reinforcements for a higher category or by optional reinforcements, if required to address specific risks assessed as unacceptable in the organisation. They may also include security measures laid down only for higher categories. In that case they shall also be reflected in the Statement of Applicability.
Conversely, certain security measures established for the category of the system may be waived if it becomes apparent that they do not apply to the information system, as is the case, for example, with time stamps for HIGH category, which are not used in all organisations. This should be justified in the Statement of Applicability.
Likewise, the security measures referenced in Annex II of the ENS may be replaced by other compensatory measures, provided that it is documented that they provide equal or better protection against the risk to the assets. They shall be stated in the Declaration of Applicability, linking the study prepared as determined in the CCN-STIC 819 guide on compensatory measures.
Finally, complementary supervision measures may be put in place, for a limited temporary period sometimes necessary to fully implement a security measure. Such complementary measures compensate for the provisional status of the measure. They should also be reflected in the Statement of Applicability.
A Specific Compliance Profile (PCE) is a set of security measures, whether or not included in Royal Decree 311/2022 which, as a result of the mandatory risk analysis, are applicable to a specific entity or sector of activity and for a specific security category.
The PCEs must be approved by the National Cryptologic Centre, allowing for a more effective and efficient adaptation of the ENS, rationalising the resources required without undermining the protection pursued and enforceable.
When the implementation of a PCE requires specific security configurations, depending on the different technologies, it will be published together with the corresponding STIC Configuration Guides.
To date, PCEs are available for Local Agencies, Universities and Cloud Services.
The procedure for obtaining compliance with the National Security Framework is regulated in article 38 of the ENS, as well as in the resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction (ITS) for compliance with the National Security Framework. This ITS is currently being revised to bring it into line with Royal Decree 311/2022.
In summary, there are two distinct pathways:
- The Certificate of Conformity, valid for all categories of the system (BASIC, MEDIUM and HIGH).
- The Declaration of Conformity is only valid for BASIC category systems.
As regards the difference in compliance requirements between a BASIC category system and a MEDIUM or HIGH category system, most of the differences are of a technical or management nature, while the requirements related to the organisation of security are common to all categories.
If it is decided to bring information systems into compliance with the ENS gradually, first addressing compliance with the BASIC category and then evolving to meet the requirements of the MEDIUM or HIGH category is a sound approach, as long as it is agreed in the Security Committee, and recorded in its minutes, as a roadmap and not as an end in itself.
It would be a mistake to think that by achieving compliance with the requirements of the BASIC category, you are already in compliance with the requirements of the ENS, as these requirements are determined by the category of the system, and if this is higher than the category of compliance achieved, you would not be in compliance with all the requirements demanded.
The Declaration of Conformity with the National Security Framework is only applicable to BASIC category information systems, and is obtained after a self-assessment that, on an ordinary basis, verifies compliance with the requirements contemplated in the Framework at least every two years. This self-assessment shall comply with the provisions on auditing in Article 34 and Annex III of Royal Decree 311/2022. It may be carried out by the same personnel who administer the information system or by a person delegated by them.
The Certification of Conformity with the National Security Framework is applicable to information systems of any category (BASIC, MEDIUM and HIGH), and is obtained by means of a formal audit procedure that, on an ordinary basis, verifies compliance with the requirements contemplated in the Framework at least every two years. This audit shall be carried out in accordance with the provisions of Article 34 and Annex III of Royal Decree 311/2022 and shall be performed by certification bodies (EC) accredited by ENAC, or in the process of being accredited, or by technical audit bodies (OAT) aimed at certain public sector organisations.
The Declaration of Conformity and the Certificate of Conformity are mandatory for the information systems of the entities within the scope of application of the ENS, whether public or private, and must be evidenced by the publication of the corresponding official seal of conformity, for the category of the system, on the website, portal or electronic office of the organisation. This seal must be linked to the certificate or declaration of conformity obtained.
Additionally, Certifications of Conformity will be published on the CCN website for both certified public sector and certified private sector companies.
In accordance with the provisions of article 2.3 of Royal Decree 311/2022, the administrative or technical specifications of the contracts entered into by public sector entities included in the scope of application of the ENS shall include all those requirements necessary to ensure compliance with the ENS of the information systems on which the services provided by the contractors are based, such as the presentation of the corresponding Declarations or Certifications of Conformity with the ENS.
This caution shall also extend to the supply chain of such contractors, to the extent necessary and in accordance with the results of the relevant risk analysis.
Likewise, the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction on Conformity with the National Security Framework, currently in the process of being updated to Royal Decree 311/2022, establishes that when private sector operators provide services or solutions to public entities that are required to comply with the National Security Framework, they must be able to display the corresponding Declaration of Conformity with the National Security Framework, in the case of BASIC category systems, or the Certification of Conformity with the National Security Framework, in the case of BASIC, MEDIUM or HIGH category systems, using the same procedures as those required in the mentioned Technical Security Instruction for public entities.
Therefore, it is the responsibility of the contracting public entities to notify the private sector operators involved in the provision of technological solutions or the provision of services, of the obligation that such solutions or services comply with the provisions of the National Security Framework and have the corresponding Declarations or Certifications of Conformity, as indicated in this Technical Security Instruction.
As a guarantee of compliance with the above, public entities using solutions or services provided or rendered by private sector organisations that display a Declaration or Certification of Conformity with the National Security Framework may at any time request the corresponding Self-Assessment or Audit Reports from such organisations, in order to verify the adequacy and suitability of the aforementioned declarations.
The CCN currently maintains on its website a list of private operators whose information systems have obtained ENS Compliance Certification.
When contracting an outsourced service, providers wishing to participate in the provision of technological solutions or the provision of services must be notified of the obligation for such solutions or services to comply with the provisions of the National Security Framework and to have the corresponding Declarations or Certifications of Conformity, as indicated in article 2.3 of the ENS and in the Technical Security Instruction. A possible example of inclusion in a specification would be:
"Article 2 of the current Royal Decree 311/2022 of 3 May, which regulates the National Security Framework, provides that the administrative or technical specifications of the contracts entered into by public sector entities included in the scope of application of the ENS Royal Decree shall include all those requirements necessary to ensure compliance with the ENS of the information systems on which the services provided by contractors are based, such as the presentation of the corresponding Declarations or Certifications of Conformity with the ENS. This caution shall also extend to the supply chain of such contractors, to the extent necessary and in accordance with the results of the corresponding risk analysis.
Consequently, the CONTRACTING ENTITY considers it necessary that the suppliers that are going to participate in the tender must be able to exhibit the corresponding Certification of Conformity with the National Security Framework, accepting instead, however, a Declaration of Conformity with the ENS, only when the system for which they are bidding has been declared a BASIC category.
Therefore, based on the above, and the analysis of the risks to which the supplies and services subject to the tender are exposed, the CONTRACTING ENTITY establishes as necessary that the TENDERING ENTITY must be able to display the corresponding Declaration or Certification of Conformity with the National Security Framework, for the security category [indicate the CATEGORY], or higher, of the systems involved in the provision of the services indicated, as well as maintaining the conformity in force during the term of the contract. This declaration, or certificate, of conformity with the ENS is understood to cover in its scope, as a minimum, the scope of the contract.
In the event that the successful tenderer is unable to maintain compliance with the ENS during the term of the contract - due to loss, withdrawal or suspension of the Certificate of Conformity or inability to maintain the Declaration of Conformity - it shall immediately and without undue delay communicate this circumstance to the CONTRACTING ENTITY, which shall consider the impact of this circumstance on the performance of the contract."
By virtue of the principle of proportionality and in order to facilitate compliance with the National Security Framework for local authorities, specific compliance profiles may be implemented, comprising the set of security measures that, following the mandatory risk analysis, are applicable to a specific security category.
A Specific Compliance Profile (PCE) is a set of security measures, whether or not covered by Royal Decree 311/2022, which, as a result of the mandatory risk analysis, are applicable to a specific entity or sector of activity and for a specific security category.
In the specific case of Local Bodies with less than 20,000 inhabitants, they may make use, if they consider it appropriate, of the Specific Compliance Profile for small and medium-sized local bodies.
The CCN has published a guide for each of the authorised PCE, such as the specific compliance profile for universities, and some of these guides are in the process of being harmonised with Royal Decree 311/2022.
A Provincial Council or Cabildo that provides services to local entities within its sphere of competence is obliged to ensure that the information systems that support such services are compliant and certified in accordance with the provisions of the National Security Framework.
The Local Bodies using these services, as the parties responsible for the services, are responsible for determining the security category required for these systems, in accordance with the ENS, and for requesting the corresponding Provincial Council or Cabildo to obtain the Declaration or Certification of Conformity with the ENS for these systems.
However, there is a Specific Certification Framework with the ENS (MCE-ENS) for local authorities, which consists of a joint certification process of the ENS of a group of local councils dependent on a higher body, such as a Provincial or Foral Council, a Cabildo or an Island Council, among others.
This MCE-ENS is considered the best solution to obtain compliance with the ENS for those Local Agencies that, due to their resources, cannot access it individually.
The National Security Framework is a legal standard that aims to guarantee the security of the information systems of the entities within its scope, the information processed and the services provided, while the Personal Data Protection Regulation aims to protect the rights of personal data subjects, in particular their right to data protection.
However, from a practical point of view, both standards are intended to provide systems with sufficient security to achieve their objectives. Therefore, they are not only compatible but complementary, and compliance with one facilitates compliance with the other. This is indicated in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, which, in its first additional provision, obliges certain data controllers to apply to the processing of personal data the security measures that correspond to those provided in the National Security Framework, as well as to promote a degree of implementation of equivalent measures in the companies or foundations linked to them that are subject to private law.
This report is regulated by the Technical Security Instruction on the Security Status Report, approved by resolution of 7 October 2016, of the Secretary of State for Public Administrations. This regulation establishes the conditions relating to the collection and communication of data that allows the main information security variables of the systems included in the scope of application of the National Security Framework to be known, and to draw up a general profile of the state of cybersecurity in the Public Administrations.
In order to comply with the above obligation, the CCN has developed the INES project (National Security Status Report), facilitating the work of all agencies. Through this project, the collection of organised, delegated and supervised information is enabled.
No. Two possibilities are distinguished according to the category of the system:
- BASIC category information systems must carry out a self-assessment or a formal certification audit every two years to verify that they continue to meet the requirements of their category.
- MEDIUM category information systems, and especially HIGH category information systems, as they require an information security management system based on a cycle of continuous improvement and supervision of their security, as provided for in Annex II of the ENS on security architecture, must show that, in addition to the formal certification audits carried out every two years by a certification body or an OAT, they carry out an annual internal compliance audit aimed at improvement based on the monitoring of the deviations found.
Pursuant to article 2 of the current Royal Decree 311/2022, of 3 May, and the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instructions in accordance with the National Security Framework, implementing Royal Decree 311/2022 (ENS), when private sector operators provide services or solutions to public entities, which are required to comply with the National Security Framework, they must be able to display the corresponding Declaration of Conformity with the National Security Framework, in the case of BASIC category systems, or the Certification of Conformity with the National Security Framework, in the case of MEDIUM or HIGH category systems, and optionally those of BASIC, using the same procedures as those required in the said Technical Security Instruction for public entities.
Compliance with the ENS by information systems that support solutions or provide services to public sector entities is a legal imperative. Indeed, in accordance with the provisions of Article 2 of the current Royal Decree 311/2022, of 3 May, and the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction on conformity with the National Security Framework, implementing the ENS, when private sector operators provide services or solutions to public entities, which are required to comply with the National Security Framework, they must be able to display the corresponding Declaration of Conformity with the National Security Framework, in the case of BASIC category systems, or the Certification of Conformity with the National Security Framework, in the case of MEDIUM or HIGH category systems, and optionally those of BASIC, using the same procedures as those required in the said Technical Security Instruction for public entities.
Therefore, by complying with the above, it will be able to participate in tenders for services with Public Administrations in which compliance with the ENS and evidence of such compliance is required.
In accordance with the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Instruction on Security in accordance with the National Security Framework, implementing Royal Decree 311/2022 (ENS), the Certification Bodies (EC) of the systems must be accredited by the National Accreditation Body (ENAC) for the certification of systems within the scope of application of the National Security Framework in accordance with standard UNE-EN ISO/IEC 17065:2012 Conformity assessment. Requirements for bodies that certify products, processes and services.
Furthermore, the ENS Technical Audit Bodies (OAT) may certify information systems according to the ENS in their area of competence.
The Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction in accordance with the National Security Framework, specifies as its scope of application, exclusively, the information systems of the entities within the scope of application of the ENS, when such systems develop statutory competences of the public entity in question.
However, the services supported by the certified information systems will benefit from such certification, as their enumeration should appear in the ENS Conformity Certifications, for general knowledge.
The Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Security Instruction on compliance with the National Security Framework, prescribes that compliance with the ENS of a BASIC category system shall be displayed with the corresponding Declaration of Conformity, making use of its specific Conformity Mark. Similarly, in the case of MEDIUM or HIGH category systems, the ENS Conformity Certification shall be displayed by means of its specific Conformity Mark. In both cases, they shall be electronic documents, in non-editable format and shall have the appearance shown in annexes III and IV of the mentioned Technical Instruction.
In order to publish the Declaration of Conformity or Certification of Conformity with the National Security Framework, it will be sufficient to display the corresponding Badge on the electronic site of the public entity that owns or uses the information system in question, which will include a link to the Declaration of Conformity or Certification of Conformity document, as appropriate, which will also remain accessible through the mentioned electronic site.

In accordance with the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction in accordance with the National Security Framework, the system certification bodies must be accredited by the National Accreditation Entity (ENAC) for the certification of systems within the scope of application of the National Security Framework in accordance with UNE-EN ISO/IEC 17065:2012 Conformity assessment. Requirements for bodies that certify products, processes and services, and must therefore be subject to the accreditation procedure established by ENAC for this Framework.
In accordance with the provisions of Article 2 of the current Royal Decree 311/2022, of 3 May, and the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction in accordance with the National Security Framework, implementing Royal Decree 311/2022 (ENS), when private sector operators provide services or solutions to public entities, which are required to comply with the National Security Framework, they must be able to display the corresponding Declaration of Conformity with the National Security Framework, in the case of BASIC category systems, or the Certification of Conformity with the National Security Framework, in the case of MEDIUM or HIGH category systems, and optionally for BASIC systems, using the same procedures as those required in the said Technical Security Instruction for public entities.
Regardless of the fact that private providers must display the corresponding ENS Conformity Certification in relation to the information systems to be used in the performance of the contract, we do not believe it superfluous to recall in the Tender Documents the obligation of bidders to adapt the location of the servers of the services subject to tender to the provisions of Royal Decree-Law 14/2019 and to include, in addition to the aforementioned ENS Conformity Certification, the provisions set out in Article 5.5 of said Royal Decree-Law, which amends Law 9/2017, of 8 November, on Public Sector Contracts, and which indicates that the processing of special categories of data (in addition to requiring the consent of the user, in accordance with the provisions of the GDPR) requires that such processing be carried out within Spanish territory, so that, if an external service provider is used to process such biometric data for the purpose of identification, the systems used must be located in Spain.
It is mandatory for the information systems of any entity, whether Spanish or not, to have ENS Compliance Certification, after having passed the corresponding Certification Audit. In fact, as can be seen in the list of companies with Conformity Certification on the CCN website, there are several non-Spanish companies whose information systems are not located in Spain.
The procedure for achieving ENS Compliance Certification can be found in the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction on compliance with the National Security Framework (BOE, No. 265. Wednesday 2 November 2016 Sec. III. P. 76365).
More information can also be found in the "CCN-STIC Guide 809 ENS Compliance and Compliance Markings".

The requirement for the use of two-factor authentication in MEDIUM category systems can be implemented in different ways, such as the use of external tokens, digital certificates or the use of one-time passwords (OTP) sent via SMS or via an application on the user's mobile phone.
However, the risk analysis required by the ENS will determine the strictness of the application of the double factor and the possibility of using, where appropriate, an adequate compensatory measure (as indicated in CCN-STIC Guide 819) which, taking into account the risk, can adequately and justifiably compensate for the non-application of the double factor. Furthermore, as indicated in Article 27 of the ENS, it must be documented that such measures provide equal or better protection against the risk to the assets and that the basic principles and minimum requirements set out in Chapters II and III of the ENS are met.
The proper implementation of the compensatory measure will be subject to review at the periodic or certification audit of the system.
Finally, it should be recalled that in the measure [op.acc.6] on authentication mechanisms for users of the organisation of Royal Decree 311/2022, the R1 reinforcement allows a single password-based factor as an authentication mechanism when access is from controlled areas and without traversing uncontrolled areas.

The CCN's Catalogue of Information and Communication Technology Security Products and Services (CPSTIC), published under guide CCN-STIC 105, will be used to select the products or services supplied by a third party that form part of the system's security architecture and those that are expressly referenced in the ENS measures.
In case there are no products or services in the CPSTIC that implement the required functionalities, the certified products as described in Article 19 of the ENS shall be used. One possibility is Common Criteria or other internationally recognised product certification.
One possibility, if a major technology investment has just been made in products from reputable manufacturers, is to apply several complementary vigilance measures until the scheduled replacement, e.g. increase monitoring of current products and be alert to vulnerability advisories (CVEs) from the manufacturer and the reference CERT, and immediately apply the necessary patches and updates, among other measures.
The Catalogue of Information and Communication Technology Security Products (CPSTIC) includes the Approved Products for the handling of classified information and the Qualified Products for the handling of sensitive information, so that it can serve as a reference for the organisations obliged by the ENS.
This Catalogue has been published in the CCN-STIC Guide 105 Catalogue of Information and Communication Technology Security Products.

As stated in Article 38 of the ENS, information systems must be subject to a regular audit at least every two years to verify compliance with the requirements of the ENS.
In addition, on an extraordinary basis, this audit shall be carried out whenever substantial modifications are made to the information system that may have an impact on the required security measures. The performance of this extraordinary audit, if it is complete, shall determine the date of calculation of the two years established for the performance of the next regular ordinary audit, as indicated in the previous paragraph. If it is not complete, as it has been limited to a few specific measures that have only been affected by the modifications made to the system, the date for calculating the two years in which the certification must be renewed shall not be altered.
On the other hand, as indicated in the Resolution of 13 October 2016, of the Secretary of State for Public Administrations, approving the Technical Instruction on Security in accordance with the National Security Framework, the Certification of Conformity with the ENS of information systems with MEDIUM or HIGH categories will be carried out by means of a formal audit procedure that, on a regular basis, verifies compliance with the requirements contemplated in the Framework, at least every two years. This audit shall be carried out in accordance with the provisions of article 38 and annex III of Royal Decree 311/2022.
This same Technical Security Instruction states that the ENS Compliance Certification will be based on the result of the aforementioned audit, which will be valid for two years, provided that, as indicated above, it is not necessary to carry out an extraordinary audit beforehand.
In view of the above, the "Date of renewal of the conformity certification" appearing in the Certificate of Conformity may never exceed two calendar years from the "Date of initial conformity certification" (which must be understood as the date on which the Certification Body or, where applicable, the Technical Audit Body (OAT), decides to grant the mentioned Certification), and may be less if circumstances so require.
Therefore, the audit should be planned accordingly so that the subsequent certification decision can be taken within the validity period of the preceding certification.
If an entity has a MEDIUM category ENS Conformity Certification in force for any of its systems, and, subsequently, the Certification Body performs an extraordinary audit to increase the category in which it has only audited the measures that differ for the HIGH category, the HIGH category Conformity Certification cannot go beyond the expiration date expressed in the pre-existing MEDIUM category Conformity Certificate. In other words, an extraordinary audit, unless it is a complete audit, does not alter the expiration date of the existing certification, whether it is performed to increase the scope, to increase the category, or to adapt the certification to specific changes in the information system.
However, if a full audit had been carried out (thus auditing all measures), the ENS Compliance Certification could be valid for the usual two (2) years.
Royal Decree 311/2022, in its Annex III (Security audits), determines that a risk analysis must be carried out with annual review and approval.
This does not preclude that, when the system undergoes modifications that may affect the security of the system, an extraordinary risk analysis should be carried out to identify variations in the risk levels resulting from such a modification.

In case there are no products or services in the CPSTIC that implement the required functionalities, certified products as described in Article 19 of the ENS shall be used. One possibility is Common Criteria or other internationally recognised product certification.
A possible 'temporary' alternative, as long as there are no products of this nature in the catalogue, is to purchase products from reputable manufacturers and in the meantime apply several complementary surveillance measures, e.g. increase the monitoring of these products and be attentive to vulnerability warnings (CVE) from the manufacturer and the reference CERT, immediately applying the necessary patches and updates, among other measures, assessing in any case the resulting risk.
Another option is to provide remote access using a desktop virtualisation infrastructure, such as Citrix Cloud, Akamai's Enterprise Application Access or similar, which allows you to access your desktops by adding a layer of security to implement two-factor authentication without directly exposing your computers to the internet, while maintaining traceability of user actions. In addition, it is advisable to install EDR type endpoint protection.
In any case, solutions that expose computers directly to the internet should be avoided, but if no other solution is possible, additional security measures such as two-factor authentication or limiting and controlling the IP address from which users connect should be implemented.
In order to resolve doubts, the "Abstract - Security measures for remote access" has been published. It contains solutions that allow for the agile implementation of remote access to an organisation's resources, minimising the impact on IT resources and optimising the time required to put them into production. In addition, the document "CCN-CERT BP/18 Security recommendations for teleworking situations and surveillance reinforcement (March 2020)" is also available.
In any case, if you have any additional questions regarding the qualification of products within the ENS, you can contact the group in charge of publishing the ICT Security Products Catalogue (CPSTIC) directly at cpstic.ccn@cni.es.
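As an added example of the controls mentioned above for computers that cannot avoid direct internet exposure (restricting the source addresses that may connect and requiring a second factor), the following script screens remote-access login records against an IP allowlist and an MFA flag. It is illustration written for this page, not code from the CCN or from any CCN guide; the `key=value` log format, the allowlist ranges (documentation address blocks standing in for an office egress range and a VPN pool) and the log lines themselves are constructed assumptions.

```python
"""Added example (not from the CCN FAQ): screen remote-access logins
against a source-address allowlist and an MFA requirement.
Log format, allowlist and sample lines are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed allowlist. Assumption: the first range stands in for the
# organisation's office egress addresses, the second for a VPN concentrator pool.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.8/29"),
]

# Constructed sample log in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-03-04T08:01:10Z user=alice src=203.0.113.17 mfa=yes result=ok
ts=2024-03-04T08:02:31Z user=bob src=198.51.100.9 mfa=no result=ok
ts=2024-03-04T08:05:00Z user=alice src=192.0.2.44 mfa=yes result=ok
ts=2024-03-04T08:05:30Z user=mallory src=192.0.2.44 mfa=no result=fail
ts=2024-03-04T08:05:41Z user=mallory src=192.0.2.44 mfa=no result=fail
ts=2024-03-04T08:05:52Z user=mallory src=192.0.2.44 mfa=no result=ok
ts=2024-03-04T08:06:10Z user=carol src=::ffff:203.0.113.20 mfa=yes result=ok
"""

LINE_RE = re.compile(r"ts=(\S+) user=(\S+) src=(\S+) mfa=(yes|no) result=(ok|fail)")


def normalise(src):
    """Parse the source address. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d),
    as logged by dual-stack listeners, are unwrapped so they are compared
    against IPv4 allowlist entries instead of being silently treated as foreign."""
    addr = ipaddress.ip_address(src)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(src):
    """True if the normalised source address lies inside an allowlisted network.
    Address-family mismatches (IPv6 address vs IPv4 network) never match."""
    addr = normalise(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyse(log_text):
    """Return a list of findings tuples, in log order:
      ("outside_allowlist", ts, user, src)        successful login from a non-allowlisted source
      ("no_mfa", ts, user, src)                   successful login without a second factor
      ("success_after_failures", ts, user, src, n) success preceded by n failures from that source
      ("unparsed", line)                          line that did not match the expected format
    Failed attempts are only counted; they generate no finding on their own."""
    findings = []
    failures = Counter()  # failed attempts per source address seen so far
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            findings.append(("unparsed", line))
            continue
        ts, user, src, mfa, result = m.groups()
        if result == "fail":
            failures[src] += 1
            continue
        if not is_allowed(src):
            findings.append(("outside_allowlist", ts, user, src))
        if mfa == "no":
            findings.append(("no_mfa", ts, user, src))
        if failures[src]:
            findings.append(("success_after_failures", ts, user, src, failures[src]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the script reports bob's login without a second factor, alice's login from a non-allowlisted address, and three findings for mallory (outside the allowlist, no MFA, and a success following two failures from the same source); carol's IPv4-mapped source is correctly recognised as allowlisted. In a real deployment the allowlist would be enforced at the perimeter (firewall or reverse proxy) and this kind of check would run over the authentication logs as a detective control complementing, not replacing, the two-factor requirement.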
At the moment there is no formal training for ENS. However, the training provided by the CCN can be found in the training section of the ENS Validation Environment (EVENS).
For more specific questions, please contact formacion.ccn@cni.es.
The ENS Compliance Audit shall be carried out by the Certification Body (CB) in accordance with the security levels in each dimension and the security category decided by the contracting body, taking into account that the power to carry out the assessments referred to in Article 40, as well as, where appropriate, their subsequent modification, always corresponds to the contracting body, through the person or persons responsible for the information and services affected, and that, based on these assessments, it shall be the person or persons responsible for security who shall determine the security category of the system.
Therefore, if the contracting entity requests the Certification Body to assess its information system against the requirements of the MEDIUM security category, the audit of compliance with the ENS shall be carried out as requested by the client.
In any case, once this phase has been completed, a roadmap for continuous improvement should be established in order to extend security coverage towards the final intended category.
As indicated above, the ENS Compliance Audit shall be carried out by the Certification Body (CB) in accordance with the security levels in each dimension and the security category decided by the contracting body, taking into account that the power to make the assessments referred to in Article 40, and, where appropriate, their subsequent modification, always corresponds to the contracting body, through the person or persons responsible for the information and services affected, and that, on the basis of these assessments, it shall be the person or persons responsible for security who shall determine the security category of the system.
Therefore, the Certification Body, based on the requirements of the contracting entity regarding the security category it wishes to be evaluated, and the result of the previous documentary study provided by its client regarding the information system(s) to be audited, shall prepare and send to the client, for its approval, an Offer-Proposal-Contract, containing all the necessary details regarding the evaluation in question, including the required audit days, the way they are going to be carried out (on-premises, telematic or mixed), the rights and responsibilities of each party, and the cost.
At the start date of the audit, altering the category of the system from HIGH to MEDIUM could have an impact on the expected audit time, which could also alter the final cost of the audit process.
However, if it is proven that there is no operational or technical impediment to admitting this downgrading, the final decision to stop or continue the audit process shall be in the hands of the Certification Body and its client, based on the principle of party autonomy in the contract.