Ciberseguridad y cumplimiento

Technical implementation of the ENS in Burgos

The Diputación Provincial de Burgos, the Ayuntamiento de Burgos and the Universidad de Burgos (UBU) are public-sector entities subject to Spain's Esquema Nacional de Seguridad (ENS). Royal Decree RD 311/2022 (BOE-A-2022-7191) of 3 May also requires their suppliers and contractors to bring their information systems into compliance. If your company tenders for or provides technology services to any of those bodies, the ENS already applies to you. Summum Sistemas accompanies you through the genuine technical implementation of the 75 measures in Annex II: risk analysis using the MAGERIT methodology, use of CCN tools (PILAR and INES), system hardening, security monitoring and preparation of the technical evidence package. No empty documentation: applied engineering that underpins the declaration or certification of conformity.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeSuppliers and contractors to the public sector in Burgos
FocusTechnical implementation: MAGERIT · PILAR · INES · Annex II

The Esquema Nacional de Seguridad, approved by Royal Decree RD 311/2022 of 3 May, is not a documentary management standard: it is a technical-operational framework that requires the genuine implementation of security measures on information systems. Annex II of RD 311/2022 organises those measures into three frameworks — organisational, operational and protective — structured across 16 families and 75 specific measures, with different requirements depending on the category of the system (basic, medium or high). Operational measures include the op.nub family for cloud computing, which is especially relevant for suppliers offering SaaS or cloud infrastructure services to the Burgos public administration. Complying with the ENS means those measures are technically implemented, configured and verifiable — not merely drafted into a policy document.

In Burgos, the main public-sector bodies subject to the ENS are the Diputación Provincial de Burgos, the Ayuntamiento de Burgos and the Universidad de Burgos (UBU). All three contract technology services, management software, connectivity and system maintenance from private companies. When a company based in Burgos — or with ambitions to tender in the province — seeks to access that contracting market, it must demonstrate that its own systems comply with the ENS at the category corresponding to the service provided. This is not a future requirement: the sole transitional provision of RD 311/2022 set 5 May 2024 as the deadline for existing systems. New systems must comply from the moment they go into production.

Summum Sistemas approaches the compliance process from an engineering standpoint. The starting point is a risk analysis following the MAGERIT methodology (Metodología de Análisis y GEstión de Riesgos de los sistemas de Información de las Administraciones Públicas), the CCN's reference methodology for the ENS. We use the PILAR tool (Procedimiento Informático-Lógico para el Análisis de Riesgos), developed by the Centro Criptológico Nacional, which models assets, threats and safeguards in a traceable way and produces a residual risk report that can be directly referenced before the auditing body. Once the risks are identified, we design and implement the technical safeguards from Annex II that close the detected gaps: access control (op.acc), service continuity (op.cont), monitoring and audit (op.mon), communications protection (mp.com) and user workstation protection (mp.eq), among others. For verification of the conformity status we use INES (Instrumento Nacional de Evaluación de la Seguridad), the CCN platform that generates the ENS system status report and serves as the basis for the basic-category declaration of conformity.

The Technical implementation of the ENS in Burgos process.

The process · four stages
01

Scope and technical categorisation of the system

We identify the information systems in scope, the services you provide to public bodies in Burgos — Diputación, Ayuntamiento, UBU or others — and the data flows with their systems. Using that information, we apply Annex I of RD 311/2022 to determine the ENS category (basic, medium or high) by assessing the potential impact on the five CIDAT security dimensions. The category defines the mandatory subset of Annex II measures and the conformity route: self-assessed declaration for basic, certification by an ENAC-accredited body for medium or high.

02

MAGERIT risk analysis using the PILAR tool

We conduct the risk analysis following the MAGERIT methodology with the CCN's PILAR tool. We model information assets, their dependencies, the applicable threats and the existing safeguards. The result is a residual risk report that technically justifies the selection of Annex II measures and forms part of the conformity file. This analysis is mandatory for medium and high-category systems, and strongly recommended for basic category to make implementation decisions proportionate to the actual risk.

03

Technical implementation of Annex II measures

We technically implement the operational and protective Annex II measures applicable to the system category: secure configuration of operating systems and services (mp.sw, mp.eq), access control and privilege management (op.acc), communications and storage encryption (mp.com, mp.si), backup and recovery (mp.si), security event monitoring and audit logs (op.mon), and service continuity management (op.cont). For cloud-based services, we additionally apply the op.nub family of measures, including verification of contractual conditions with the cloud provider as required by the ENS.

04

INES verification and preparation of the evidence package

We use INES (Instrumento Nacional de Evaluación de la Seguridad) to generate the system status report under the ENS. This report, produced by the CCN tool, reflects the degree of implementation of each Annex II measure and serves as the documentary basis for the self-assessed declaration of conformity for basic-category systems or as the starting documentation for the ENAC audit in medium and high categories. We also compile the complete technical evidence package: configuration screenshots, system audit logs, vulnerability analysis results and continuity and recovery test records.

What is included

What Technical implementation of the ENS in Burgos includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • ENS categorisation report (Annex I, RD 311/2022)

    Technical document justifying the assigned category — basic, medium or high — by assessing the impact on the five CIDAT dimensions for each service provided to public bodies in Burgos, with a traceable methodology and explicit references to RD 311/2022.

  • MAGERIT risk analysis with PILAR report

    Complete analysis of assets, threats and safeguards conducted with the CCN's PILAR tool, including a residual risk report and prioritised safeguard recommendations ranked by risk level and implementation cost.

  • Technical implementation plan for Annex II measures

    Technical roadmap detailing the Annex II measures to be implemented or strengthened, with owners, timelines, target configurations and verification criteria for each applicable control family.

  • Security configurations and documented hardening

    Documentation of the security configurations implemented: hardening of operating systems and services, firewall rules, password and access policies, encryption settings and monitoring parameters, in line with the applicable CCN-STIC guides.

  • INES report and technical evidence package

    ENS status report generated with INES, supplemented by the complete technical evidence package: configuration screenshots, system audit logs, vulnerability analysis results and continuity and recovery test records.

  • Support for the declaration of conformity or ENAC audit

    For basic category: preparation of the self-assessed declaration of conformity (CCN-STIC 809). For medium or high: pre-audit technical review, correction of deviations and technical support throughout the accredited body's (ENAC) conformity audit.

Frequently asked questions about Technical implementation of the ENS in Burgos.

Does the ENS apply to my company if I only provide services to the Ayuntamiento de Burgos or the UBU?

Yes. Article 2 of RD 311/2022 establishes that the ENS applies to the information systems of public-sector entities and to those of private entities that provide services or supply solutions to them. The Ayuntamiento de Burgos and the Universidad de Burgos (UBU) are public-sector entities subject to the ENS. If your company manages data from those bodies, runs software on their infrastructure or provides services in which their systems interact with yours, the ENS applies to you regardless of your company's size or the value of the contract.

What does PILAR add compared to conducting the risk analysis in a spreadsheet?

PILAR is the risk analysis tool developed by the Centro Criptológico Nacional (CCN) specifically for the ENS. It implements the MAGERIT methodology in a structured way, with catalogues of assets, threats and safeguards aligned with Annex II of RD 311/2022, and generates reports in the format expected by conformity auditors. A spreadsheet-based analysis is not prohibited by the standard, but it increases the risk of methodological inconsistencies and makes it harder to trace the links between threats, risks and applied measures — which can generate observations during an ENAC conformity audit.

What is INES and what role does it play in the ENS compliance process?

INES (Instrumento Nacional de Evaluación de la Seguridad) is the CCN tool that allows organisations to record and verify the implementation status of the Annex II measures of the ENS. It produces a status report that reflects the degree of compliance with each measure, differentiated by level (basic, medium or high), and serves as the documentary basis for the self-assessed declaration of conformity for basic-category systems. For medium or high-category systems, the INES report forms part of the dossier submitted to the ENAC-accredited auditing body.

Does the Diputación de Burgos require the ENS from its suppliers in every contract?

The requirement varies according to the type of service and the conditions of each tender. The Diputación de Burgos, as an administration subject to the ENS, must ensure that its technology suppliers also comply with the framework. In practice, contracts for ICT services, software development, system hosting and data processing for the Diputación increasingly include clauses requiring the supplier's ENS accreditation. Not holding that accreditation can disqualify a bid at the technical solvency stage or generate contractual breaches during service delivery.

How many Annex II measures are mandatory for a basic-category system?

Annex II of RD 311/2022 organises 75 measures across 16 families and three frameworks (organisational, operational and protective). Not all measures are mandatory at their maximum level for basic-category systems: each measure has a differentiated level of requirement depending on the system category (B/M/H or n/a when not applicable). In practice, a basic-category system must apply the basic level of all measures marked as applicable at that level, which typically amounts to between 40 and 50 active measures depending on the system's scope. The MAGERIT/PILAR risk analysis determines which ones apply in each specific case.

What is the difference between Summum Sistemas' support and contracting an ENS certification audit?

Summum Sistemas is not an ENAC-accredited inspection body and does not issue ENS conformity certificates. Our work is technical and preparatory: we analyse risks using MAGERIT/PILAR, implement the Annex II measures, generate the evidence with INES and prepare the system to pass the conformity audit. The certificate is issued by the ENAC-accredited third party (ISO/IEC 17065) that the company engages. The practical difference is that arriving at that audit with systems technically implemented and the evidence package ready significantly reduces the risk of non-conformities and the overall cost of the process.