Sector público

Technical Implementation of the ENS in Bilbao for Public-Sector Suppliers

If your company provides technology services to the Basque Government, the Diputación Foral de Bizkaia, Bilbao City Council or the University of the Basque Country (UPV/EHU), Spain's National Security Framework — the Esquema Nacional de Seguridad, enacted by RD 311/2022 (BOE-A-2022-7191) — requires your information systems to meet its technical requirements. Summum Sistemas handles the operational side: risk analysis using the MAGERIT methodology, threat modelling with the CCN's own PILAR tool, implementation of the 73 technical controls in Annex II, and the evidence package you need for your declaration or certificate of conformity. Stronger bids in the Basque public market, real security in your systems.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the public sector in Bilbao and Bizkaia
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), extends in Article 2 the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities subject to the ENS. In Bilbao that reaches any company supplying Bilbao City Council, the Diputación Foral de Bizkaia — whose institutional seat sits in the city — the Basque Government bodies and services that operate from Bilbao, or the University of the Basque Country (UPV/EHU), with an established presence in the territory through Bizkaia Aretoa and the Leioa campus. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; operating without compliance from that date can bar access to contracts with any of these public bodies.

Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 73 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed, and evidence produced to demonstrate that each control is actually in place and verifiable.

Risk analysis is the core of the process: the ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks the in-scope systems are exposed to. Summum Sistemas uses MAGERIT — the CCN's reference methodology — supported by the PILAR tool and by INES to assess implementation maturity by control family. One detail specific to Basque public bodies: alongside ENAC-accredited inspection entities, the Basque Government has, since 2026, Cyberzaintza, the Basque Cybersecurity Agency, recognised by the CCN as a Technical Audit Body (OAT) for certifying ENS compliance across the Basque public sector. We build the technical analysis and evidence package so it can be presented to either ENAC or Cyberzaintza, depending on which conformity route your contracting authority follows.

The Technical Implementation of the ENS in Bilbao for Public-Sector Suppliers process.

The process · four stages
01

Asset inventory and ENS category determination

We build the information asset inventory — hardware, software, data, services and communications — that falls within the ENS scope for your organisation. We assess the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service delivered to Bilbao City Council, the Diputación Foral de Bizkaia, the Basque Government or UPV/EHU, and determine the system category — basic, medium or high — in accordance with Annex I of RD 311/2022. This category sets which Annex II controls are mandatory and which conformity path you must follow.

02

Risk analysis with MAGERIT and threat modelling with PILAR

We carry out the risk analysis following MAGERIT v3 methodology: asset identification, dependency mapping, applicable threats from the MAGERIT catalogue, frequency and impact assessment, and residual risk calculation after safeguards are applied. Modelling is performed with the CCN's PILAR tool, which generates a structured report on assets, threats and risks usable directly as technical evidence, whether presented to an ENAC-accredited entity or to Cyberzaintza.

03

Maturity assessment with INES and technical gap mapping

We apply the INES questionnaire (Informe Nacional del Estado de Seguridad) to assess the current implementation level of each of the 73 Annex II controls in the families corresponding to the assigned category. The result is a maturity map by family — from L0 (non-existent) to L5 (optimised) — and a prioritised list of technical gaps, with effort estimates and dependencies between controls.

04

Technical implementation of the Annex II controls

We implement the outstanding technical controls: hardening of operating systems and services following the CCN-STIC guides (511, 570, 610 and vendor-specific ones), access control and strong authentication, logging and monitoring of security events, vulnerability management with a documented patch cycle, encryption of communications and storage, and backups aligned with control mp.info.9. For cloud services, we work through the op.nub family: cloud provider assessment, supply chain and access controls specific to the cloud environment.

What is included

What Technical Implementation of the ENS in Bilbao for Public-Sector Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report built with PILAR

    Formal risk analysis under MAGERIT v3, run with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment and residual risk calculation. A document presentable as technical evidence to any ENS conformity body.

  • INES maturity assessment by control family

    Implementation status report on Annex II controls, generated with the CCN's INES tool, with a maturity level per family (L0-L5) and a prioritised gap map to close before the conformity audit.

  • Documented technical hardening by system

    Application of the relevant CCN-STIC guides to every operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and evidence of every change with version and date logged.

  • Security event monitoring and management

    Configuration of logging, correlation and alerting mechanisms under the op.mon and op.exp controls of Annex II: log sources, retention, alerts on critical events and a documented technical incident response procedure.

  • Vulnerability management plan and evidence

    A documented cycle of identification, assessment, prioritisation and remediation of technical vulnerabilities: periodic scans, prioritisation criteria by ENS category, patch records applied and closure validation (control op.exp.3).

  • Evidence package ready for ENAC or Cyberzaintza

    A structured set of the technical documentation required for the declaration of conformity (basic category, CCN-STIC 809) or for the audit by an ENAC-accredited entity or by Cyberzaintza as the Basque public sector's Technical Audit Body, as applicable.

Summum cluster

How it connects with its sisters.

The technical implementation of the Annex II controls is complemented by the documentary and regulatory work that Summum Calidad handles in Bilbao: security policy, Statement of Applicability integrated with ISO 27001, and preparation of the declaration or certificate of conformity. The two teams work in a coordinated way on a single project, without duplication and with one point of contact for the client.

Frequently asked questions about Technical Implementation of the ENS in Bilbao for Public-Sector Suppliers.

Why do I need to comply with the ENS if I supply Bilbao City Council or the Diputación Foral de Bizkaia?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private entities that provide services to public-sector entities subject to the ENS itself. Bilbao City Council, the Diputación Foral de Bizkaia, the Basque Government and the University of the Basque Country (UPV/EHU) are all subject to the ENS as Public Administrations. If your information systems come into contact with any of these bodies — because you provide them a service, supply them software or process data on their behalf — ENS compliance is mandatory and can be required as a condition in public procurement tenders.

What is Cyberzaintza and how does it relate to ENS conformity in Bilbao?

Cyberzaintza is the Basque Cybersecurity Agency, part of the Basque Government. In 2026 it obtained recognition from Spain's National Cryptologic Centre (CCN) as a Technical Audit Body (OAT) for the public sector, which enables it to certify ENS compliance across the Basque public administration. For a supplier in Bilbao, this means the conformity audit for medium or high category systems can be processed through Cyberzaintza in addition to ENAC-accredited inspection entities, depending on what the contracting authority requires. Summum Sistemas prepares the technical analysis and evidence package so it is valid under either route.

What is MAGERIT and why does the ENS require it?

MAGERIT is the Risk Analysis and Management Methodology for Information Systems developed by the CCN. The ENS requires the selection and application of Annex II controls to be grounded in a formal risk analysis proportional to the system's category. MAGERIT is the CCN's reference methodology for that analysis in the context of Spain's public administration: it enables asset identification, threat modelling and residual risk calculation in a structured, traceable way — exactly what auditors accredited by ENAC and Cyberzaintza expect to see.

How many controls does Annex II of the ENS have, and which ones are mandatory for my company?

Annex II of RD 311/2022 covers 73 controls organised into three frameworks and sixteen families: the organisational framework (4 controls), the operational framework — with 7 families and 33 controls, including the op.nub family for cloud services — and the protection measures — with 8 families and 36 controls. Which controls are mandatory for your company depends on the system category (basic, medium or high) resulting from the impact analysis across the five CIDAT dimensions. Summum Sistemas runs the diagnostic to determine exactly the subset applicable to your case.

What does the op.nub family in Annex II cover, and when does it apply to me as a supplier in Bizkaia?

The op.nub family (cloud operation) within the operational framework sets specific security requirements for cloud computing services. It applies whenever the in-scope system uses IaaS, PaaS or SaaS services as part of its architecture. Its controls cover cloud provider assessment, environment segregation, access management in the cloud environment and the cloud service supply chain. If you provide services on public cloud infrastructure to Bilbao City Council, the Diputación Foral de Bizkaia or the Basque Government, this family must be explicitly addressed in your risk analysis and compliance plan.

Does Summum Sistemas issue the ENS certification or declaration of conformity?

No. For basic category systems, the declaration of conformity is issued by the organisation itself as a self-assessment, under CCN-STIC 809. For medium or high category systems, certification is issued by an ENAC-accredited inspection entity or, for the Basque public sector, it can be processed through Cyberzaintza as the CCN-recognised Technical Audit Body. Summum Sistemas does not issue any certificate: we implement the Annex II technical controls, produce the evidence package and prepare your systems to pass that conformity process with confidence.