CC-05 · Public sector compliance

ENS (National Security Framework)

Alignment with updated RD 311/2022 across its three categories (Basic, Medium, High). Can be combined with ENS for AI systems.

RD311/2022 updated
CategoriesBasic · Medium · High
ClusterCons. + Cal. + Sist.

The ENS is the mandatory framework for public administrations and their technology supply chain. If you sell to the public sector or want to bid for its tenders, sooner or later you need to be compliant.

Three categories based on the data processed: Basic (unclassified data), Medium (sensitive data or continuous services), High (classified data or critical services). The scope of work varies considerably between them; our initial diagnosis starts by placing you in the right category before quoting.

We coordinate the regulatory side (policy, procedures, statement of applicability) with the technical side (Sistemas) and the management system (Calidad). Where applicable, we add ENS-IA (ENIA) if you have artificial intelligence systems within scope.

B

Basic category

Unclassified data. Simple system, occasional service to the public sector.

€8,000–15,000
M

Medium category

Sensitive data or continuous service. Most ICT suppliers to the public sector.

€15,000–30,000
A

High category

Classified data or critical service. Defence, infrastructure, strategic healthcare.

€30,000–80,000

The ENS (National Security Framework) process.

The process · four stages
01

Categorisation

We place you in the right category before quoting.

02

Statement of applicability

Master document justifying which controls apply and which do not.

03

Implementation

Procedures based on the CCN-STIC framework. Technical part with Sistemas.

04

Audit

Prior internal, external and annual maintenance.

What is included

What ENS (National Security Framework) includes.

The operational detail: what we deliver as part of the engagement and what we keep active afterwards.

  • Applicability and category analysis

    Reasoned decision (Basic/Medium/High) based on data and criticality.

  • Statement of applicability

    Point-by-point compliance with CCN-STIC.

  • Procedures and policies

    Tailored to CCN templates, not generic.

  • Prior internal audit

    Same rigour as the external audit. No surprises.

  • Framework maintenance

    Annual review, renewal, query support.

  • ENIA (ENS-IA) where applicable

    Specific module if your systems use AI within scope.

Regulatory framework

The regulatory framework.

RD 311/2022 updated the ENS. Mandatory framework for public administrations and their supply chain.

ES RD 311/2022 Applicable to this service
CCN STIC Applicable to this service
ENIA IA Applicable to this service
EU NIS2 Applicable to this service

Frequently asked questions about ENS (National Security Framework).

When do I need ENS?

If you sell to public administration or want to be included in its tenders. Also if you are a supplier to a supplier.

Are the three categories very different?

Yes: Basic for unclassified data, Medium for sensitive data, High for classified or critical data.

Does it expire?

2 years with accredited certification or 3 years with self-assessment.