Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), is not a regulation that applies exclusively to public bodies: Article 2 extends the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities that are themselves subject to the ENS. In the Barcelona area, this means that any company supplying the Generalitat de Catalunya, the Ajuntament de Barcelona, the Diputació de Barcelona, l'Àrea Metropolitana de Barcelona or public universities such as the Universitat de Barcelona (UB), the Universitat Autònoma de Barcelona (UAB), the Universitat Politècnica de Catalunya (UPC) or the Universitat Pompeu Fabra (UPF) must bring its systems into compliance before it can operate or bid on public contracts. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; from that date onwards, operating without compliance constitutes a breach that may bar access to public procurement.
Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 73 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services, highly relevant in Barcelona's dense ecosystem of SaaS and cloud providers. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed and evidence produced to demonstrate that each control is actually in place and verifiable.
Risk analysis is the core of the process. The ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks to which the in-scope systems are exposed. Summum Sistemas uses the MAGERIT methodology — the CCN's official reference for risk analysis in the context of Spain's public administration — supported by the CCN's own PILAR tool, which enables structured modelling of assets, threats, vulnerabilities and impacts and generates the reports that conformity auditors expect to see. To assess the current level of implementation of each control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment tool, which provides a maturity scorecard by family and control. The result is technically sound, regulation-referenced analysis that can be presented to any ENAC-accredited inspection body.