ISMS Copilot

ISMS Copilot for the Spanish public sector

ENS is mandatory under Royal Decree 311/2022 — get the categorisation, CCN-STIC measures and Spanish NIS 2 right before the audit.

ENS categorisation (Basica/Media/Alta) explained

  • Run the ENS security categorisation across the dimensions to land in Basica, Media or Alta
  • Map your controls to Royal Decree 311/2022, the legal instrument that makes ENS mandatory
  • Select and implement security measures using the relevant CCN-STIC guides
  • Operate ENS incident management and the procedures for notifying CCN-CERT
  • Prepare for Spain's forthcoming NIS 2 transposition for essential entities, which is separate from AEPD data-protection supervision; competent authorities are pending designation, and INCIBE-CERT and CCN-CERT act as the reference CSIRTs in the interim
  • Cross-map existing ISO 27001 controls to ENS per CCN-STIC 825 so certification work is not duplicated

Built for the public administration and the supplier bidding into one

ENS categorisation guidance (Basica / Media / Alta) tied to the impact dimensions

Royal Decree 311/2022 compliance mapping — the binding ENS legal basis

CCN-STIC guide implementation support for measure selection and hardening

Forthcoming NIS 2 transposition readiness for Spanish essential entities alongside ENS

GDPR and AEPD alignment for personal data inside public-sector systems

Spanish-language support with native terminology (SGSI, ENS, CCN)

ENS categorisation (Basica/Media/Alta) explained

Spanish public-sector compliance is baseline-driven and legally compulsory. The Esquema Nacional de Seguridad is mandatory for all Spanish public administrations — central, regional and local — and for private organisations providing electronic services or solutions to public entities, under Royal Decree 311/2022. The first decision is categorisation: each system is rated across security dimensions and lands in Basica, Media or Alta, which determines how many and how strict the required measures are. The measures themselves are operationalised through the CCN-STIC guide series, and CCN-STIC 825 provides the official mapping between ENS and ISO 27001 so an existing ISMS is a credible starting point. Spain's forthcoming NIS 2 transposition will layer essential-entity obligations on top for in-scope operators — the transposition is still pending and competent authorities are not yet designated, so ENS remains the operative baseline today. ISMS Copilot runs the categorisation, maps controls to RD 311/2022 and the CCN-STIC measures, and reuses your ISO 27001 work via CCN-STIC 825. ISMS Copilot does not issue ENS certification.


Frequently Asked Questions

Who must comply with ENS, and on what legal basis?

All Spanish public administrations — central, regional and local — and any private organisation providing electronic services or solutions to public entities must comply with the Esquema Nacional de Seguridad. The binding legal instrument is Royal Decree 311/2022. If you are bidding into a Spanish public tender, ENS conformity at the relevant category is typically a procurement gate.

What does ENS categorisation (Basica, Media, Alta) actually decide?

Categorisation rates each system across security dimensions and assigns it to Basica, Media or Alta. That category determines which measures from the framework are mandatory and how strictly they must be implemented. The Copilot runs the categorisation and then selects the corresponding measures using the relevant CCN-STIC guides.

We have ISO 27001 — does that help with ENS?

Yes. CCN-STIC 825 provides the official mapping between ENS and ISO 27001. ISMS Copilot uses that mapping so your existing Annex A controls feed directly into the ENS measure set without duplicating the work, and it adds readiness for the forthcoming Spanish NIS 2 transposition where you will be an essential entity.
