ENS compliance is not about filling in forms: it requires implementing real, verifiable technical and organisational security controls, documenting them and being able to demonstrate to an auditor that they operate continuously. The catalogue of those controls is in Annex II of Royal Decree 311/2022 of 3 May (BOE-A-2022-7191), which lists the 75 security measures required for systems subject to the ENS.
What is Annex II of the ENS and how is it structured?
Annex II of RD 311/2022 organises security measures across three frameworks that cover all aspects of the governance, operation and technical protection of information systems:
- Organisational framework: four measures establishing the security policy, regulations, procedures and security management process. These are the documentary backbone underpinning everything else.
- Operational framework: 33 measures across seven families: planning (op.pl), access control (op.acc), operation (op.exp), external resources (op.ext), cloud services (op.nub, a new family introduced by ENS 2022), service continuity (op.cont) and system monitoring (op.mon). These families cover everything from security architecture and configuration management to event detection and incident response capability.
- Protection measures: measures across eight families: facilities and infrastructure (mp.if), personnel management (mp.per), equipment protection (mp.eq), communications protection (mp.com), information media protection (mp.si), information applications protection (mp.sw), information protection (mp.info) and services protection (mp.s). Each family groups the technical controls specific to each layer of the system.
This hierarchical structure is not arbitrary: organisational measures are the prerequisite that gives coherence to everything else, operational measures ensure that day-to-day operations work correctly, and protection measures anchor technical controls to each layer of the system.
What does the reinforcement level mean and how does it vary by category?
Not all Annex II measures are applied with the same intensity across all systems. Each measure has one or more reinforcement levels (commonly referred to as R1, R2 and R3 in CCN-STIC series 800 guide terminology) that determine the depth and rigour of implementation:
- Basic category: the smallest subset of measures is applied at the minimum reinforcement level, focused on essential controls that reduce the most common risks.
- Medium category: additional measures are added and the reinforcement level is raised. For example, access control in medium category may require two-factor authentication where basic only required a strong password.
- High category: all applicable measures are applied at the maximum reinforcement level. Requirements for resilience, redundancy, encryption and traceability are significantly more stringent.
This graduated scale ensures that the compliance plan is always proportionate to the actual criticality of the system. A basic category system managing low-sensitivity data is not obliged to implement the same controls as a high category system supporting critical state services.
Which technical measures in Annex II are most demanding?
For medium and high category systems, the measures that concentrate the greatest technical complexity and the highest volume of evidence requirements are typically:
- Access control with strong authentication (op.acc): user identification with multi-factor mechanisms, privilege management with separation of duties and periodic review of access rights.
- OS and service hardening (mp.s / op.exp.7): removal of unnecessary services, restrictive permission configuration and application of platform-specific CCN-STIC guides (Windows, Linux, databases, web servers).
- Incident management with logging and forensic capability (op.exp.3): event detection systems, SIEM alert correlation, response procedures and forensic analysis capability to determine the scope of an incident.
- Service continuity and verified backups (op.cont): periodically tested disaster recovery plans, backups with integrity verification and documented recovery times.
- Communications protection and encryption (mp.com): encryption of sensitive external and internal communication channels, digital certificate lifecycle management and periodic review of cryptographic strength.
- Vulnerability and patch management (op.exp.4 / op.exp.6): documented process for identifying, assessing and applying security updates within defined timeframes, with an exception register.
Technically implementing these measures requires knowledge of platform-specific CCN-STIC guides and mastery of CCN tools — especially PILAR for the risk analysis underpinning the measure selection — as explained in detail in the guide on MAGERIT and CCN tools for the ENS.
How is it demonstrated that Annex II measures are effectively implemented?
ENS conformity is not declared: it is evidenced. Both in the self-assessed declaration of conformity (basic category) and in certification by an ENAC-accredited body (medium and high category), the core of the process is the documentation of evidence proving that each Annex II measure is active and effective.
The most common types of evidence are:
- System and service configuration screenshots demonstrating the hardening applied.
- Log and alert records proving the monitoring system is active.
- Minutes of periodic backup recovery tests.
- Vulnerability analysis reports and records of applied patches.
- Cybersecurity training records for personnel with system access.
- Reports produced by CCN tools: PILAR (risk analysis), INES (basic self-assessment) and AMPARO (medium/high continuous management).
Security incident management is an area of particular focus for conformity auditors, as Annex II requires not only the ability to detect and respond, but also to learn from each incident and improve controls. A robust incident response framework, such as that analysed in the article on incident response and forensic analysis, is a valuable asset when the auditor examines the evidence for this family of measures.
What is the relationship between ENS Annex II measures and ISO 27001 controls?
There is significant overlap between the measures in ENS Annex II and the controls in Annex A of ISO 27001:2022. This is not coincidental: both standards are based on risk-managed governance and cover equivalent domains — access management, cryptography, physical security, incident management, continuity, compliance. However, there are aspects specific to the ENS that have no direct equivalent in ISO 27001, and vice versa.
For organisations that already hold ISO 27001 certification or are working towards it, a gap analysis between the two frameworks allows for precise identification of which Annex II measures are already covered by implemented ISO controls and which require additional implementation. The Summum Calidad team prepares the integrated gap analysis, while Summum Sistemas executes the technical implementation of the missing controls, providing complete coverage of the ENS compliance project.
What concrete steps should be taken to implement Annex II measures in an orderly way?
The sequence recommended by CCN-STIC series 800 guides for orderly Annex II implementation is:
- Categorise the system in accordance with Annex I of RD 311/2022, determining impact on the five CIDAT dimensions.
- Carry out the risk analysis using MAGERIT v3 methodology and the CCN's PILAR tool, obtaining the residual risk map that justifies the measure selection.
- Prepare the compliance plan following CCN-STIC Guide 806, selecting the Annex II measures applicable to the system's category and prioritising by impact on residual risk.
- Implement technical and organisational controls applying platform- and domain-specific CCN-STIC guides.
- Document evidence for each implemented and operational control.
- Verify compliance using the INES tool (basic category) or AMPARO (medium/high), generating reports in the format expected by auditors.
- Obtain conformity: issue the self-assessed declaration (basic) or undergo audit by the ENAC-accredited body (medium/high).
Summum Sistemas executes the technical implementation of this process, applying MAGERIT and CCN tools with rigour and producing the evidence package the auditor needs. Our ENS technical implementation service covers everything from asset inventory to delivery of the complete evidence package for the conformity audit.