Spain's National Security Framework (ENS) audit: what it requires and how to prepare
By the QuantumSec team
Spain's National Security Framework (Esquema Nacional de Seguridad, ENS) regulates the security of information systems used by Spanish public administrations and the companies that provide services to them. Unlike NIS2 or DORA, the ENS has been in force since 2010, and its current version (Royal Decree 311/2022) requires a periodic, formal audit process — not just a statement of intent. This guide explains what that audit involves and how to prepare your organization before going through it.
What the ENS is and who it applies to
The ENS is mandatory for Spanish public administrations and for any private company providing them services that involve handling their information or using their systems. It commonly appears as a requirement in public tenders: if your company wants to bid for contracts with the administration, you need to be able to demonstrate ENS compliance.
The three categories: basic, medium and high
The ENS classifies each system based on the impact an incident would have across five dimensions: confidentiality, integrity, availability, authenticity and traceability. That categorization (basic, medium or high) determines which security measures from Annex II apply and, crucially, which type of verification is required: self-assessment for basic category, formal audit for medium and high.
What the certification audit verifies
For medium or high category systems, compliance is demonstrated through a formal audit — not a self-assessment — that reviews compliance with the organizational framework measures (policies, regulations, procedures), the operational framework (planning, access control, operations) and protection measures (facility, personnel, equipment, communications and information protection). The result is a Certification of Conformity with the ENS, issued by a certification body accredited by ENAC (the Spanish national accreditation body).
ENS audit vs pentesting: what each one delivers
The ENS certification audit verifies that the organizational and technical measures required by Annex II are in place — it's a compliance audit against a regulatory framework. A pentest confirms whether those measures withstand a real attack, regardless of whether they're formally documented. Many organizations combine both: a pentest before the formal audit helps detect and fix technical weaknesses that might otherwise surface during the certification audit.
Frequency: why it isn't a one-off task
ENS compliance isn't obtained once and forgotten. For basic category, the self-assessment must be repeated at least every two years. For medium and high categories, the Certification of Conformity must be renewed through a new formal audit on the same two-year cycle. Treating the ENS as a one-off project instead of an ongoing process is the most common mistake among organizations approaching it for the first time.
How to prepare before the formal audit
The starting point is a gap analysis comparing your organization's actual situation against the measures required for your category. From there: document any missing policies and procedures, implement the pending technical measures, and — especially if it has never been done — run a prior pentest or vulnerability assessment so you reach the formal audit confident that the documented measures also work in practice.
FAQ
Can a private company need to comply with the ENS even if it is not a public administration?
Yes. Any private company providing services to a Spanish public administration that involve handling its information or using its systems may be required to demonstrate ENS compliance, usually as a tender or contract requirement.
How often does the ENS audit or self-assessment need to be repeated?
At least every two years, both for the basic-category self-assessment and for the formal certification audit of medium and high categories.
Do I need to run a pentest to get ENS certified?
It isn't a mandatory documentary requirement in itself, but it's strongly recommended as preparation: it helps confirm that the technical measures you'll declare in the certification audit actually hold up against a real attack, not just on paper.