FRAMEWORK · ENS

ENS — Spanish National Security Scheme.
RD 311/2022. Three categories covered.

Mandatory for the Spanish public sector and critical providers. Itamite covers the families mp.eq (equipment protection), op.exp (operations) and mp.com (communications) in the Basic, Medium and High Categories. It produces a signed report for CCN-CERT and the certification body.

Who is subject to ENS

ENS applies to the General State Administration, Autonomous Communities, Local Entities, public bodies and public law entities. It also applies to public sector providers that deliver services or manage public sector information (most corporate IT), and to the regulated private sector in sectors where another regulation refers to ENS (e.g. NIS2 may invoke ENS for Spanish entities).

Category is determined by impact analysis on C-I-D-A-T dimensions (confidentiality, integrity, availability, authenticity, traceability): Basic (low impact in all), Medium (medium impact in some), High (high impact in some).

CONTROL FAMILIES

What Itamite covers from ENS Annex II

mp.eq — Equipment protection

mp.eq.1 Clear desk. mp.eq.2 Workstation lock (screen lock). mp.eq.3 Laptop protection (encryption). mp.eq.4 Other devices connected to the network.

op.exp — Operations

op.exp.1 Asset inventory. op.exp.2 Security configuration. op.exp.3 Configuration management. op.exp.4 Maintenance (patches). op.exp.5 Change management. op.exp.6 Malware protection (AV). op.exp.7 Incident management. op.exp.8-11 Logs and protection.

mp.com — Communications protection

mp.com.1 Secure perimeter (firewall). mp.com.2 Confidentiality protection (transit encryption). mp.com.3 Authenticity/integrity protection. mp.com.4 Network segregation.

op.acc — Access control

op.acc.1 Identification. op.acc.2 Access requirements. op.acc.3 Segregation of duties. op.acc.5 Authentication mechanism. op.acc.6 Local access. op.acc.7 Remote access.

op.mon — System monitoring

op.mon.1 Intrusion detection (with EDR integration). op.mon.2 Metrics system (measured posture). op.mon.3 Surveillance (continuous alerts).

mp.s — Service protection

mp.s.1 Denial of service protection. mp.s.2 Server protection. mp.s.8 Published information protection.

CERTIFICATION PROCESS

How to obtain ENS conformity

01. System categorization

C-I-D-A-T impact analysis → determine category (Basic/Medium/High). Itamite helps with inventory data, but formal categorization is done by your CISO or consultant.

02. Risk analysis

MAGERIT v3 methodology (Spanish public sector standard) or ISO 27005. Itamite provides complete inventory and posture data as input. Methodology is led by your team or consultant.

03. Measures implementation

You apply Annex II controls according to your category. Itamite covers technical measures of mp.eq, op.exp, mp.com automatically. Organizational measures (policies, training, supplier management) are manual work.

04. Conformity audit

For Medium or High Category: mandatory audit by an accredited entity (renewal every two years). The Itamite report is the technical evidence you give to the auditor for covered controls. For Basic: conformity declaration signed by the person responsible.

05. Distinction and registry

After conformity, you obtain the corresponding ENS distinction and it is registered with CCN-CERT. Renewal every 2 years with full audit. Continuous maintenance with annual reviews.

FAQ

Common ENS questions

Is my private company required to comply with ENS?
If you provide services to the public sector that imply access to their systems or information, yes. The public sector must require it in the contract. The same applies if your sector falls under NIS2 and that regulation makes some reference to ENS. For the pure private sector, ENS is voluntary but provides a competitive advantage in public tenders.

Which category should I certify for?
It is determined by the impact analysis of your system. For typical local public sector with non-classified data: Basic. For autonomous or state public sector with sensitive personal data: Medium. For critical infrastructure, defense, regional healthcare: High. Your DPO or consultant guides you.

Is Itrion Software ENS certified?
Yes, Medium Category certified (European IONOS hosting is also at ENS High). We are working on internal High Category. Conformity documentation is available upon request for public sector clients.

How long does it take to get ENS Medium conformity with Itamite?
Typical total time: 3-6 months. The technical part (Itamite measures) is ready in 4-6 weeks after deploying the agent. The organizational part (policies, MAGERIT risk analysis, adequacy plan) and the audit by an accredited entity take the rest of the time.

Which entities accredit ENS?
ENAC maintains the official list: AENOR, Bureau Veritas, DNV, SGS, TÜV, LEET Security, Audisec, BDO, among others. Get quotes from several to compare. Typical initial audit cost: €8,000-15,000, plus €4,000-7,000 for the renewal every two years.

Public sector or critical provider needing ENS?

Demo focused on your category with a real public sector case. We show you the adequacy plan.