ENS Audit and Assessments; we are ready when you are! Call +1 (888) 896-7580 today.
Lazarus Alliance will coordinate directly with your organization to schedule your National Security Framework (ENS) assessment. Our assessors will help identify the level of the certification based on your company’s specific business requirements. Your company will be awarded certification at the appropriate ENS level upon demonstrating the appropriate maturity in capabilities and organizational maturity.
The National Security Framework (Esquema Nacional de Seguridad, ENS) is a mandatory regulation for Spanish public-sector entities and their technology suppliers. It lays down the conditions needed to guarantee trust in the use of electronic media, establishing a set of measures that protect the security of systems, data, communications, and electronic services so that citizens can exercise their rights and fulfil their duties through those media.
The framework establishes the security policy for the use of electronic media and consists of basic principles and minimum requirements that allow adequate protection of information systems, services, and their information.
The National Security Scheme (ENS)
The Esquema Nacional de Seguridad (ENS), established under Royal Decree 311/2022 (which replaced Royal Decree 3/2010), is a Spanish regulatory framework designed to ensure the security of information systems used by public and private entities. Its primary purpose is to protect information and services by promoting a consistent, risk-based approach to cybersecurity, safeguarding the confidentiality, integrity, availability, authenticity, and traceability of data.
ENS applies to:
- Public entities: All public administration bodies, including central, regional, and local government organizations, to secure their electronic services and data.
- Private entities: Organizations providing services to public administrations or handling sensitive data linked to public services, such as critical infrastructure providers or contractors.
The scheme mandates security measures proportional to the system's category (Basic, Medium, or High). Medium and High systems must obtain certification of conformity from an accredited body; Basic systems may demonstrate conformity through a self-declaration. Certification involves documentary and on-site audits that verify adherence to the Annex II security measures.
ENS Security Levels (Esquema Nacional de Seguridad – Royal Decree 311/2022)
The Spanish ENS values each information system on five security dimensions (confidentiality, integrity, authenticity, traceability, and availability) at one of three levels, Low (Bajo), Medium (Medio), or High (Alto), according to the impact a security incident affecting that dimension would have. The resulting system category is Basic (Básica), Medium (Media), or High (Alta).
| Level / Category | When it applies (impact of a compromise) | Conformity requirement (mandatory since May 2024 for pre-existing systems) |
|---|---|---|
| LOW (Bajo) / Basic (Básica) | Minor or negligible damage to the organization, citizens, or the State. No significant harm to rights, economic activity, or essential services. | Declaration of conformity (self-declaration). No mandatory third-party certification. |
| MEDIUM (Medio) / Medium (Media) | Considerable damage: affects a significant number of users, causes relevant economic loss, or hinders the normal functioning of services (but not critical ones). | Mandatory third-party certification by an ENAC-accredited entity (e.g., Lazarus Alliance). |
| HIGH (Alto) / High (Alta) | Very serious damage: large-scale impact on citizens' rights, significant economic or financial repercussions, or disruption of essential or critical services. | Mandatory third-party certification (most rigorous audit scope) plus the stricter High-level Annex II measures, including the use of CCN-certified products (e.g., from the CPSTIC catalogue) where those measures require them. |
How the level is determined
The organization values each of the five security dimensions according to the damage an incident affecting that dimension would cause (Annex I of the Royal Decree). The highest level assigned to any dimension sets the system's category. This valuation is distinct from the risk analysis (threats, vulnerabilities, asset value) that the ENS also requires; the risk analysis informs how the Annex II measures are implemented, while the category determines which of them apply.
Example:
- If loss of confidentiality would cause “considerable” harm → Medium
- If loss of availability could paralyze a critical public service → High
Pre-existing Medium- and High-category systems had until May 2024 (24 months after Royal Decree 311/2022 entered into force) to hold a valid ENS certificate issued by an ENAC-accredited certification body. New systems must be certified before entering production.
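The categorization rule described above, worked through in code as an added example (this is not code from the original page or a Lazarus Alliance tool). It applies the Annex I method of Royal Decree 311/2022: every information type and service in scope is valued per dimension, the system's level in each dimension is the highest valuation among its assets, and the category is the highest level across dimensions. The asset inventory, its names and its valuations are constructed for illustration; the function also flags which dimension and asset push the category up, which is what an assessor will ask about first.

```python
from dataclasses import dataclass

# D, I, C, A, T: availability, integrity, confidentiality, authenticity, traceability
DIMENSIONS = ("D", "I", "C", "A", "T")
LEVEL_ORDER = {"BAJO": 1, "MEDIO": 2, "ALTO": 3}
CATEGORY_FOR_LEVEL = {"BAJO": "BÁSICA", "MEDIO": "MEDIA", "ALTO": "ALTA"}


@dataclass
class Asset:
    """One information type or service within the system's scope."""
    name: str
    kind: str        # "information" or "service"
    valuation: dict  # dimension -> "BAJO" | "MEDIO" | "ALTO"; omit a dimension that does not apply


def validate(asset: Asset) -> None:
    """Reject inventories that use unknown dimensions or levels; a silent typo here would hide a High valuation."""
    if asset.kind not in ("information", "service"):
        raise ValueError(f"{asset.name}: kind must be 'information' or 'service'")
    if not asset.valuation:
        raise ValueError(f"{asset.name}: at least one dimension must be valued")
    for dim, level in asset.valuation.items():
        if dim not in DIMENSIONS:
            raise ValueError(f"{asset.name}: unknown dimension {dim!r}")
        if level not in LEVEL_ORDER:
            raise ValueError(f"{asset.name}: unknown level {level!r} for dimension {dim}")


def system_dimension_levels(assets):
    """Per dimension, the highest valuation among all assets (None if no asset values that dimension)."""
    levels = {}
    for dim in DIMENSIONS:
        best = None
        for asset in assets:
            level = asset.valuation.get(dim)
            if level is not None and (best is None or LEVEL_ORDER[level] > LEVEL_ORDER[best]):
                best = level
        levels[dim] = best
    return levels


def categorize(assets):
    """Return the system category, its per-dimension levels, the (dimension, asset) pairs that set the
    category, and whether third-party certification or a self-declaration of conformity applies."""
    for asset in assets:
        validate(asset)
    levels = system_dimension_levels(assets)
    valued = {dim: lvl for dim, lvl in levels.items() if lvl is not None}
    if not valued:
        raise ValueError("no dimension is valued; the system cannot be categorized")
    top = max(valued.values(), key=LEVEL_ORDER.__getitem__)
    drivers = sorted(
        (dim, asset.name)
        for dim, lvl in valued.items() if lvl == top
        for asset in assets if asset.valuation.get(dim) == top
    )
    return {
        "category": CATEGORY_FOR_LEVEL[top],
        "dimension_levels": levels,
        "drivers": drivers,
        "conformity": "third-party certification" if top != "BAJO" else "declaration of conformity",
    }


# Constructed sample inventory for a hypothetical citizen-services system (not taken from any real assessment).
SAMPLE_ASSETS = [
    Asset("citizen portal", "service", {"D": "MEDIO", "I": "MEDIO", "A": "MEDIO", "T": "BAJO"}),
    Asset("case files", "information", {"C": "ALTO", "I": "MEDIO", "A": "MEDIO", "T": "MEDIO"}),
    Asset("public notices", "information", {"D": "BAJO", "I": "BAJO"}),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_ASSETS)
    print(result["category"], result["dimension_levels"])
    print("driven by:", result["drivers"], "->", result["conformity"])
```

Note how a single High valuation on one information asset (the confidentiality of the case files) lifts the whole system to category ALTA and therefore into mandatory certification; removing that asset from scope, or hosting it in a separately categorized system, is the usual scoping conversation before an audit.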
Need help determining your system’s ENS level or achieving certification? Call Lazarus Alliance at +1 (888) 896-7580 — we are an ENAC-qualified ENS certification body and have successfully certified dozens of international providers and Spanish public entities.
ENS Certification Audit Timeline with Lazarus Alliance
Lazarus Alliance follows a structured, ISO/IEC 17065-compliant process. Our approach uses critical path methodology and the IT Audit Machine (ITAM) platform to accelerate audits by up to 46%, focusing on proactive gap identification and efficient evidence handling. Full initial certification typically takes 3-6 months from kickoff, depending on scope, readiness, and remediation needs.
ENS Audit Timeline Overview
| Phase | Estimated Duration | Key Activities | Lazarus Alliance Specifics |
|---|---|---|---|
| 1. Application & Contract | 1-2 weeks | Submit application with system scope, security level (Low/Medium/High), and details; review for feasibility; sign contract. | ITAM setup for evidence upload; quick scoping call to align on timeline/costs. No consulting—pure audit focus. |
| 2. Stage 1: Documentary Audit | 2-3 weeks | Off-site review of docs (e.g., policies, risk assessments, Annex II measures); identify gaps/non-conformities. | Remote via ITAM; automated checks for 70-80% overlap with ISO 27001 if applicable; issue remediation roadmap. |
| 3. Remediation (Client-Led) | 4-8 weeks (if gaps found) | Address non-conformities (e.g., controls for cloud security, incident reporting). | Advisory guidance only (per accreditation); monitor via ITAM for faster resolution. |
| 4. Stage 2: On-Site Audit | 1-2 weeks | In-depth testing, interviews, and verification at your site(s); confirm controls operate effectively. | On-site team (1-3 days per location); test per ENS category (stricter for High); preliminary report issued. |
| 5. Certification Decision | 1-2 weeks | Independent review of findings; resolve minor issues; issue a certificate if compliant. | Committee decision; certificate valid 2 years per the ENS certification scheme, with ENS mark/logo usage rights. |
| Total Initial Certification | 3-6 months | From application to certificate. | Accelerated via ITAM; post-May 2024 compliance achieved efficiently for existing systems. |
| 6. Surveillance Audits | Annual (1-3 days each) | Brief on-site/remote review of changes, incidents, and controls. | Limited testing; confirm ongoing compliance; no major remediation expected. |
| 7. Renewal Audit | Every 2 years (full repeat of Stages 1-5) | Comprehensive re-evaluation against current ENS requirements. | Scoped by prior surveillance; ensures continuity. |
For a tailored ENS audit quote or to begin, call +1 (888) 896-7580—Lazarus Alliance Cybervisor™ teams are ready.
Frequently Asked Questions
What is the ENS (Esquema Nacional de Seguridad) and who does it apply to in Spain?
The Esquema Nacional de Seguridad (ENS) is the Spanish national security framework established by Royal Decree 311/2022. It applies to all public sector entities in Spain and to private companies that provide services or supply systems to the Spanish public administration (including cloud providers, managed services, critical infrastructure operators, and their subcontractors).
What are the main changes introduced by the new ENS (Royal Decree 311/2022)?
The updated ENS raises the bar relative to the 2010 version: stronger risk management requirements, mandatory certification for Medium- and High-category systems, new or reworked security measures (cloud services, supply-chain protection, cryptographic key management), mandatory notification of security incidents to the national CSIRT, and closer alignment with EU cybersecurity regulation such as the NIS framework.
What are the three ENS compliance levels (Low, Medium, High) and how is the level determined?
- Low: Basic protection for non-critical information or services
- Medium: Applies when a compromise of confidentiality, integrity, availability, authenticity, or traceability would cause considerable damage
- High: Required where a compromise could cause very serious damage to citizens' rights, the organization, or the State, including disruption of essential or critical services
The level is determined by valuing each of the five dimensions (confidentiality, integrity, authenticity, traceability, and availability) according to the impact of a compromise; the highest valuation sets the system category.
Is ENS certification mandatory, and by when do organizations need to be compliant?
Yes, for systems categorized Medium or High. Pre-existing systems had until May 2024 (24 months after Royal Decree 311/2022 entered into force) to achieve certification. New systems must be certified before going into production. Basic-category systems demonstrate conformity through a self-declaration.
What does the ENS certification process involve?
The process includes:
- Formal risk assessment and determination of security level
- Gap analysis against the 73 security measures in Annex II
- Implementation or remediation of controls
- Preparation of the Declaration of Applicability (DoA) and Security Statement
- Independent conformity assessment (audit) by an ENAC-accredited entity
- Issuance of the ENS certificate (valid for two years, with an annual surveillance audit)
We are an international company providing services to Spanish public entities. Do we need ENS certification?
Yes. Any organization (regardless of location) that processes information or provides electronic services to the Spanish public administration must comply with the ENS at the level required by the contract or service. Many public tenders now explicitly require ENS certification as a prerequisite.
How does ENS relate to NIS2, ISO 27001, and other frameworks?
ENS is designed to sit alongside EU cybersecurity regulation such as the NIS framework in Spain. An organization with a mature ISO 27001 certification can achieve ENS certification faster because approximately 70-80% of controls overlap, but ENS has additional Spain-specific requirements (e.g., national cryptographic guidance and certified products from the CCN, incident notification to CCN-CERT for public-sector entities and INCIBE-CERT for private operators serving them, and supply-chain requirements).
How can Lazarus Alliance help us achieve and maintain ENS certification?
Lazarus Alliance provides end-to-end ENS services, including:
- Initial risk and security-level assessment
- Gap analysis and remediation roadmaps
- Implementation support for technical and organizational measures
- Preparation of all required documentation (DoA, security policies, etc.)
- Full conformity assessment audits (we are an ENAC-qualified entity; to preserve impartiality under ISO/IEC 17065, advisory and certification engagements for the same system are kept separate)
- Ongoing maintenance and annual surveillance audits
We have helped numerous Spanish public entities and international providers successfully obtain high-level ENS certification on time.
Benefits of ENS Compliance
The benefits of obtaining an ENS (Esquema Nacional de Seguridad) certification, as regulated by Royal Decree 311/2022 in Spain, are significant for both public and private entities, ensuring robust cybersecurity and compliance with the National Security Framework. Below are the key benefits:
- Enhanced Cybersecurity: ENS certification ensures that information systems meet stringent security requirements for confidentiality, integrity, availability, authenticity, and traceability. By implementing risk-based security measures tailored to system categories (Basic, Medium, High), organizations reduce vulnerabilities and protect against cyber threats like data breaches or unauthorized access.
- Regulatory Compliance: For public entities, ENS certification is mandatory to comply with Royal Decree 311/2022, ensuring adherence to national standards for secure electronic services. Private entities working with public administrations (e.g., contractors or critical infrastructure providers) also meet legal obligations, avoiding penalties or exclusion from public contracts.
- Increased Trust and Credibility: Certification demonstrates a commitment to cybersecurity, enhancing trust among clients, partners, and stakeholders. Public and private entities can showcase their compliance with a recognized national standard, strengthening their reputation for reliability and security.
- Access to Public Sector Opportunities: Private organizations with ENS certification gain a competitive edge when bidding for contracts with public administrations, as compliance is often a prerequisite for collaboration or service provision in sectors like healthcare, finance, or critical infrastructure.
- Risk Management and Resilience: The ENS framework promotes a risk-based approach, requiring organizations to identify, assess, and mitigate risks systematically. This improves operational resilience, reduces the likelihood of incidents, and ensures faster recovery from potential disruptions.
- Standardized Security Practices: Certification aligns systems with a unified set of security measures, fostering consistent and interoperable cybersecurity practices across departments or business units. This is particularly beneficial for large organizations or those operating in complex IT environments.
- Protection of Sensitive Data: ENS certification ensures robust protection for sensitive information, such as personal data or critical operational data, aligning with data protection regulations like the GDPR. This reduces the risk of legal liabilities and reputational damage from data leaks.
- Market Differentiation: For private entities, ENS certification signals a high level of cybersecurity maturity, distinguishing them from competitors in industries where security is a priority, such as technology, telecommunications, or public service providers.
- Support for Digital Transformation: By securing information systems, ENS certification enables organizations to safely adopt digital technologies, cloud services, and e-government initiatives, supporting innovation while maintaining compliance.
- Continuous Improvement: The certification process includes annual surveillance audits and a renewal audit at the end of each two-year certificate, ensuring ongoing compliance and encouraging organizations to maintain and update their security measures in response to evolving threats.
By achieving ENS certification, organizations not only meet regulatory requirements but also build a stronger, more secure foundation for their operations, fostering trust and enabling secure collaboration in Spain’s public and private sectors.
Talk with one of our experts
Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.
We're here to answer any questions you may have.
ENS Certification Process
The certification process for the Esquema Nacional de Seguridad (ENS), as regulated by Royal Decree 311/2022 in Spain, involves a structured series of stages to verify that an organization’s information systems comply with the National Security Framework’s requirements. Below is a clear description of the certification process, including its stages, based on the ENS scheme and aligned with UNE-EN ISO/IEC 17065:2012 standards for certification bodies like Lazarus Alliance:
- Application and Contract:
  - Description: The organization seeking certification submits an application to an accredited certification body. The application includes details about the information system(s) to be certified, their scope, and the security category (Basic, Medium, or High) as per ENS requirements.
  - Activities: The certification body reviews the application for completeness and feasibility, defines the scope of certification, and agrees on a legally enforceable certification contract with the client, outlining responsibilities, timelines, and costs.
  - Outcome: A formal agreement is signed, ensuring the client commits to providing the necessary access and documentation for the certification process.
- Documentary Audit (Stage 1):
  - Description: The certification body conducts an off-site review of the organization's documentation to assess compliance with ENS requirements.
  - Activities:
    - Review of the organization's security policies, risk assessments, security measures, and procedures for confidentiality, integrity, availability, authenticity, and traceability.
    - Verification that the system's security measures align with the ENS category (Basic, Medium, or High) as outlined in Royal Decree 311/2022.
    - Identification of any gaps or non-conformities in documentation.
  - Outcome: A report is issued detailing findings, including any non-conformities that must be addressed before proceeding to the next stage. The organization may need to implement corrective actions.
- On-Site Audit (Stage 2):
  - Description: The certification body conducts an on-site evaluation to verify the implementation and effectiveness of the security measures documented in Stage 1.
  - Activities:
    - Inspection of physical and logical security controls, including access controls, incident response mechanisms, and system configurations.
    - Interviews with personnel to confirm adherence to documented procedures.
    - Testing of technical measures (e.g., encryption, authentication systems) and operational processes to ensure they meet ENS requirements for the specified category.
    - Assessment of compliance with any corrective actions identified in Stage 1.
  - Outcome: A detailed audit report is produced, highlighting compliance status and any remaining non-conformities. Major non-conformities must be resolved before certification can be granted.
- Certification Decision:
  - Description: The certification body reviews the findings from both audit stages to make an impartial decision on granting ENS certification.
  - Activities:
    - An independent review committee or designated decision-maker evaluates the audit reports, ensuring objectivity and compliance with UNE-EN ISO/IEC 17065:2012.
    - Verification that all non-conformities (major and minor) have been adequately addressed.
  - Outcome: If compliant, the organization is granted ENS certification, valid for two years under the ENS certification scheme. The certification body issues a certificate and authorizes the use of the ENS mark/logo under specified conditions.
- Surveillance Audits:
  - Description: Periodic audits are conducted during the certification validity period to ensure ongoing compliance with ENS requirements.
  - Activities:
    - An annual surveillance audit to verify continued adherence to the security measures.
    - Review of changes to the system, risk assessments, or security incidents since certification.
    - Assessment of complaint records and corrective actions taken by the organization.
  - Outcome: A surveillance report confirms compliance or identifies non-conformities requiring corrective action to maintain certification.
- Renewal Audit:
  - Description: At the end of the two-year certification validity period, a renewal audit is conducted to recertify the system.
  - Activities:
    - A comprehensive re-evaluation similar to Stages 1 and 2, assessing the system against current ENS requirements and any updates to Royal Decree 311/2022.
    - Review of surveillance audit findings and the organization's ongoing compliance.
  - Outcome: If successful, a new certificate is issued, extending the certification for another cycle. Non-conformities may delay or prevent renewal until resolved.
Additional Notes
- Accreditation Requirements: The certification body must be accredited by a national accreditation body (e.g., ENAC in Spain) to ensure impartiality and competence, as per UNE-EN ISO/IEC 17065:2012.
- Client Responsibilities: The organization must provide access to documentation, personnel, and facilities, maintain records of complaints, and notify the certification body of significant system changes, as outlined in ISO/IEC 17065 clause 4.1.2.
- ENS-Specific Considerations: The process aligns with the ENS scheme’s focus on risk-based security measures, with stricter requirements for higher system categories (Medium and High). The Centro Criptológico Nacional (CCN) provides additional guidance on ENS implementation, which the certification body incorporates into the audit process.
- Non-Conformities: Any non-conformities identified during audits must be addressed within a timeframe agreed with the certification body. Major non-conformities (e.g., critical security gaps) typically require resolution before certification, while minor ones may be addressed during surveillance.
This structured process ensures that certified systems meet the ENS’s rigorous security standards, protecting sensitive information and enabling compliance with Spanish regulations.
