Ciberseguridad y cumplimiento

ENS technical implementation: Annex II measures with MAGERIT and CCN tools

ENS compliance is not resolved with documents alone: every measure in Annex II of RD 311/2022 requires real, verifiable technical implementation. Summum Sistemas delivers that implementation using the MAGERIT v3 risk analysis methodology with the CCN's PILAR tool, selects measures proportionate to your system's category and deploys them rigorously across your infrastructure. At the end of the project, your system does not merely comply on paper: it has active technical controls in place and the evidence package the conformity auditor needs to issue the declaration or certification of conformity your category requires.

RegulationRD 311/2022 · Annex II + Annex III
MethodologyMAGERIT v3 · PILAR · CCN-STIC (806, 808, 809)
ProfileCompanies supplying systems or services to Spanish public bodies

Annex II of Royal Decree 311/2022, which governs the Esquema Nacional de Seguridad, sets out the security measures that must be applied by information systems subject to the ENS, grouped into three frameworks: organisational (policies, roles and responsibilities), operational (planning, access control, exploitation, external services, incident management and continuity) and protection measures (facilities, systems, communications, information media, applications and users). Each measure is applied according to the system's category — basic, medium or high — and is detailed in the CCN-STIC 800 series guides, particularly CCN-STIC 808 for measure compliance verification. Implementing these measures effectively and demonstrably requires technical knowledge of the Spanish regulatory framework, experience with the systems most commonly used in public-procurement environments, and proficiency in the tools the CCN itself provides to facilitate the process.

Summum Sistemas applies MAGERIT v3 — the Risk Analysis and Management Methodology for Public Administration Information Systems, maintained by Spain's Ministry of Finance — and the PILAR tool (Procedimiento Informático Lógico para el Análisis de Riesgos), developed and distributed by the CCN, to carry out the risk analysis that underpins Annex II measure selection. The analysis begins with an asset inventory, assesses interdependencies among assets, and determines the impact that a materialised threat would have on the five CIDAT security dimensions. The output — the risk map and its treatment plan — justifies which Annex II measures must be applied, at what reinforcement level and by when, and is one of the documents conformity auditors scrutinise most closely.

For basic-category systems, the CCN provides the INES tool (Índice Nacional de Evaluación de la Seguridad), which guides the self-assessment required for the declaration of conformity and generates the results report. For medium and high categories, the AMPARO tool facilitates continuous management of the security system once implemented. For preparing the conformity audit — both the prior internal audit and the process with the ENAC-accredited body — the CCN provides CLARA (CHECKlist-based Lightweight Assessments for Reviewing Administration), which structures the auditor's verification checklists. Summum Sistemas has hands-on experience with all these tools and integrates them into its workflow so that the compliance process is traceable, efficient and directly usable in the conformity audit.

The ENS technical implementation process.

The process · four stages
01

Asset inventory and CIDAT dimension valuation

We identify and classify the in-scope information system assets: facilities, hardware, software, services, data and personnel. For each asset and service we determine the value across the five security dimensions (confidentiality, integrity, availability, authenticity and traceability) using the impact scale of Annex I of RD 311/2022, arriving at the definitive system category before selecting any measures.

02

Risk analysis with MAGERIT v3 and PILAR tool

We carry out the full risk analysis using MAGERIT v3 methodology and the CCN's PILAR tool: threat identification by asset type, likelihood and impact estimation, residual risk calculation and treatment-plan definition. The risk analysis is the core document that justifies Annex II measure selection and that conformity auditors examine with the greatest rigour.

03

Adequacy plan and Annex II measure selection

With the risk analysis complete, we produce the adequacy plan following CCN-STIC 806. We select the Annex II measures applicable to the system's category, define the reinforcement level required for each, prioritise by impact on residual risk and set a realistic implementation schedule with assigned owners.

04

Technical implementation of security controls

We carry out technical control implementation: operating system and service hardening following CCN-STIC platform guides, network segmentation and access control, deployment of security detection and response systems (SIEM/EDR), verified backup configuration, patch and vulnerability management, and encryption of communications and data at rest. Each control is documented with evidence of its configuration and operation.

What is included

What ENS technical implementation includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System asset inventory and valuation

    Full catalogue of in-scope assets — facilities, hardware, software, data, services and personnel — with CIDAT valuation per asset and per service, in the format required by MAGERIT v3 and the PILAR tool.

  • MAGERIT v3 risk analysis using PILAR

    Full threat, vulnerability, likelihood and impact analysis, with a residual risk map and treatment plan that justifies Annex II measure selection. Exported in the PILAR report format for direct use in the conformity audit.

  • Documented adequacy plan (CCN-STIC 806)

    Document listing the Annex II measures applicable to the system's category, the required reinforcement level for each, implementation priority, schedule and responsible parties, following the structure of CCN-STIC 806.

  • Technical implementation of Annex II controls

    Verified configuration of technical controls: system hardening (CCN-STIC guides by platform), network segmentation, access control, security event monitoring, verified backups, patch management and encryption of communications and data.

  • CCN tool reports (INES, AMPARO, CLARA)

    Generation and delivery of evaluation reports produced by official CCN tools in the format expected by conformity auditors: INES report for basic category, AMPARO reports for medium and high categories, and CLARA checklists for the audit.

  • Technical evidence package for the conformity audit

    Structured compilation of all technical evidence required by the conformity auditor: configuration screenshots, logs, recovery test results, incident records and control documentation, ready to present in the declaration or certification of conformity process.

Frequently asked questions about ENS technical implementation.

What is MAGERIT and why is it relevant to ENS compliance?

MAGERIT (Risk Analysis and Management Methodology for Public Administration Information Systems) is the reference risk-analysis methodology for the ENS, maintained by Spain's Ministry of Finance. While RD 311/2022 does not mandate MAGERIT exclusively, CCN-STIC guides 806 and 808 reference it as the standard methodology, and conformity auditors are familiar with its outputs. Using MAGERIT with the CCN's PILAR tool ensures that the risk analysis is directly interpretable in the audit process and that the generated reports are valid without further adaptation.

Which Annex II technical measures are most demanding for medium and high-category systems?

Among the most technically demanding Annex II measures for medium and high categories are: robust access control with strong authentication (mp.ac), communications security management (op.exp.8), system hardening (op.exp.7), information-media protection (mp.si), incident management with logging and forensic analysis capability (op.exp.3), and service continuity with verified backups and tested recovery plans. Each measure has reinforcement levels (reinforcement 1, 2 or 3) applied according to the system's category.

What CCN tools are available to support ENS compliance?

The Centro Criptológico Nacional provides several free tools: PILAR for risk analysis using the MAGERIT methodology; INES (National Security Evaluation Index) for self-assessment of basic-category systems; AMPARO for ongoing security-system management in medium and high categories; and CLARA for auditor verification checklists. The CCN also publishes per-platform hardening guides (CCN-STIC series) and the CPSTIC catalogue of qualified ICT security products and services to guide solution selection.

How many measures does ENS Annex II contain, and which are mandatory for each category?

Annex II of RD 311/2022 contains 75 security measures grouped across the organisational framework (4 measures), operational framework (31 measures across five groups: planning, access control, exploitation, external services, and incident and continuity management) and protection measures (40 measures across six groups: facilities, systems, communications, media, applications and IT users). Not all are mandatory for all categories: basic-category systems apply a smaller subset; the higher the category, the greater the number of measures and the higher the reinforcement level required for each. The adequacy plan tailors this selection to your specific system.

Can a private company use the CCN's PILAR and INES tools?

Yes. The CCN makes PILAR, INES and AMPARO available to any organisation that needs to comply with the ENS — both public-sector entities and private-sector suppliers — with free access subject to registration. PILAR has demonstration and full versions; the basic version is sufficient for basic-category systems. Summum Sistemas has hands-on experience with these tools and integrates them into the compliance process to produce reports directly usable in the conformity audit.

What is a Specific Compliance Profile (PCE) and when does it apply?

A Specific Compliance Profile (Perfil de Cumplimiento Específico, PCE) is a CCN-approved document that defines a pre-determined set of Annex II measures tailored to a specific type of information system or sector, simplifying the compliance process for that profile. When a PCE exists that matches your system type, it may be followed instead of carrying out a full risk analysis, provided the system fits exactly within the defined profile. The CCN publishes current PCEs on its portal; Summum Sistemas evaluates during initial assessment whether your system is a candidate for using a PCE.

What is the technical difference between a declaration of conformity and ENS certification?

From a technical standpoint, both routes require Annex II controls to be genuinely implemented and verifiable through evidence. The difference lies in who verifies: for a declaration of conformity (basic category), the organisation self-assesses its controls using the INES tool and declares its conformity; for certification (medium or high category), an ENAC-accredited inspection body independently verifies the evidence on site. The rigour required in evidence documentation must be equally high in both cases, as the contracting public authority may request review of the declaration at any time.