ENS Annex II security measures: how they apply by category

·

ENS compliance is not about filling in forms: it requires implementing real, verifiable technical and organisational security controls, documenting them and being able to demonstrate to an auditor that they operate continuously. The catalogue of those controls is in Annex II of Royal Decree 311/2022 of 3 May (BOE-A-2022-7191), which lists the 75 security measures required for systems subject to the ENS.

What is Annex II of the ENS and how is it structured?

Annex II of RD 311/2022 organises security measures across three frameworks that cover all aspects of the governance, operation and technical protection of information systems:

This hierarchical structure is not arbitrary: organisational measures are the prerequisite that gives coherence to everything else, operational measures ensure that day-to-day operations work correctly, and protection measures anchor technical controls to each layer of the system.

What does the reinforcement level mean and how does it vary by category?

Not all Annex II measures are applied with the same intensity across all systems. Each measure has one or more reinforcement levels (commonly referred to as R1, R2 and R3 in CCN-STIC series 800 guide terminology) that determine the depth and rigour of implementation:

This graduated scale ensures that the compliance plan is always proportionate to the actual criticality of the system. A basic category system managing low-sensitivity data is not obliged to implement the same controls as a high category system supporting critical state services.

Which technical measures in Annex II are most demanding?

For medium and high category systems, the measures that concentrate the greatest technical complexity and the highest volume of evidence requirements are typically:

Technically implementing these measures requires knowledge of platform-specific CCN-STIC guides and mastery of CCN tools — especially PILAR for the risk analysis underpinning the measure selection — as explained in detail in the guide on MAGERIT and CCN tools for the ENS.

How is it demonstrated that Annex II measures are effectively implemented?

ENS conformity is not declared: it is evidenced. Both in the self-assessed declaration of conformity (basic category) and in certification by an ENAC-accredited body (medium and high category), the core of the process is the documentation of evidence proving that each Annex II measure is active and effective.

The most common types of evidence are:

Security incident management is an area of particular focus for conformity auditors, as Annex II requires not only the ability to detect and respond, but also to learn from each incident and improve controls. A robust incident response framework, such as that analysed in the article on incident response and forensic analysis, is a valuable asset when the auditor examines the evidence for this family of measures.

What is the relationship between ENS Annex II measures and ISO 27001 controls?

There is significant overlap between the measures in ENS Annex II and the controls in Annex A of ISO 27001:2022. This is not coincidental: both standards are based on risk-managed governance and cover equivalent domains — access management, cryptography, physical security, incident management, continuity, compliance. However, there are aspects specific to the ENS that have no direct equivalent in ISO 27001, and vice versa.

For organisations that already hold ISO 27001 certification or are working towards it, a gap analysis between the two frameworks allows for precise identification of which Annex II measures are already covered by implemented ISO controls and which require additional implementation. The Summum Calidad team prepares the integrated gap analysis, while Summum Sistemas executes the technical implementation of the missing controls, providing complete coverage of the ENS compliance project.

What concrete steps should be taken to implement Annex II measures in an orderly way?

The sequence recommended by CCN-STIC series 800 guides for orderly Annex II implementation is:

  1. Categorise the system in accordance with Annex I of RD 311/2022, determining impact on the five CIDAT dimensions.
  2. Carry out the risk analysis using MAGERIT v3 methodology and the CCN's PILAR tool, obtaining the residual risk map that justifies the measure selection.
  3. Prepare the compliance plan following CCN-STIC Guide 806, selecting the Annex II measures applicable to the system's category and prioritising by impact on residual risk.
  4. Implement technical and organisational controls applying platform- and domain-specific CCN-STIC guides.
  5. Document evidence for each implemented and operational control.
  6. Verify compliance using the INES tool (basic category) or AMPARO (medium/high), generating reports in the format expected by auditors.
  7. Obtain conformity: issue the self-assessed declaration (basic) or undergo audit by the ENAC-accredited body (medium/high).

Summum Sistemas executes the technical implementation of this process, applying MAGERIT and CCN tools with rigour and producing the evidence package the auditor needs. Our ENS technical implementation service covers everything from asset inventory to delivery of the complete evidence package for the conformity audit.