Ciberseguridad y cumplimiento

ENS Technical Implementation in Las Palmas de Gran Canaria for Public Administration Suppliers

If your company provides technology services to the Gobierno de Canarias, the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria or the Universidad de Las Palmas de Gran Canaria (ULPGC), the Esquema Nacional de Seguridad (RD 311/2022, BOE-A-2022-7191) requires your information systems to be technically compliant. Summum Sistemas guides you through that process from the operational side: risk analysis using the MAGERIT methodology, threat modelling with the CCN's PILAR tool, implementation of all 75 measures in Annex II and production of the technical evidence package for your declaration or certificate of conformity. Real compliance, stronger bids for public contracts in the Canary Islands.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the Public Administration in Las Palmas de Gran Canaria
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Royal Decree 311/2022 of 3 May, approving the Esquema Nacional de Seguridad, extends well beyond the public sector itself: Article 2 makes it mandatory for private organisations that provide services or supply technology solutions to any ENS-subject public entity to bring their own information systems into compliance. In the Las Palmas de Gran Canaria area that means suppliers of the Gobierno de Canarias — whose public administration directorate leads the region's digital transformation agenda — the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the Universidad de Las Palmas de Gran Canaria (ULPGC). If your information systems interact with those of any of these bodies — because you provide them with a managed service, supply software, process citizen data on their behalf or manage communications infrastructure underpinning their systems — ENS compliance is a legal obligation. The single transitional provision of RD 311/2022 set 5 May 2024 as the deadline for pre-existing systems; operating without compliance since that date constitutes a breach that may block access to public contracts.

Summum Sistemas approaches ENS compliance from the technical and operational angle: the effective implementation of the security measures set out in Annex II of RD 311/2022. That Annex groups 75 measures into three frameworks and sixteen families. The organisational framework covers security policy, internal regulations and procedures, the authorisation process and the acquisition of new components. The operational framework, with its seven families — planning (op.pl), access control (op.acc), operation (op.exp), external services (op.ext), incident management (op.mon), service continuity (op.cont) and cloud operation (op.nub) — contains the 33 most technically demanding measures, including those specifically governing cloud environments (op.nub), which are particularly relevant in a market like Gran Canaria where many ICT companies rely on public cloud infrastructure to serve public-sector clients. The protection measures, across nine families, cover physical environment, personnel management, workstation protection, communications protection, information media, software applications, information protection and services protection.

Risk analysis using the MAGERIT methodology and the CCN's PILAR tool is the technical core of the compliance process. MAGERIT enables the identification of all information assets in scope — hardware, software, data, services, communications and facilities — the mapping of dependencies between them, and the calculation of the impact that each materialised threat would have on the five CIDAT security dimensions: confidentiality, integrity, availability, authenticity and traceability. The PILAR tool, developed and distributed by the CCN, implements this methodology in a structured environment that generates reports directly usable as technical evidence before conformity auditors. Alongside PILAR, the CCN provides INES (Índice Nacional de Evaluación de la Seguridad), which assesses the maturity level of each Annex II measure's implementation and produces the status dashboard that accompanies either the declaration of conformity or the audit by an ENAC-accredited inspection body.

The ENS Technical Implementation in Las Palmas de Gran Canaria for Public Administration Suppliers process.

The process · four stages
01

Asset inventory and ENS category determination

We compile the inventory of information assets — hardware, software, data, services and communications — that fall within the ENS scope of your organisation, taking into account your service contracts with the Gobierno de Canarias, the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria or the ULPGC. From that inventory we assess the impact that a security incident would have on the five CIDAT dimensions for each in-scope service and determine the system category — basic, medium or high — in accordance with Annex I of RD 311/2022. The category defines which Annex II measures are mandatory and which conformity route applies: self-assessed declaration (basic) or certification by an ENAC-accredited body (medium or high).

02

Risk analysis with MAGERIT and threat modelling with PILAR

We carry out the full risk analysis following the MAGERIT v3 methodology: asset identification and valuation, dependency tree, selection of threats from the MAGERIT catalogue, frequency and impact estimation, intrinsic risk calculation and residual risk calculation after safeguards. Modelling is performed with the CCN's PILAR tool, which generates a structured report of assets, threats and risks directly presentable as technical evidence before conformity auditors. The risk analysis underpins the proportional selection of Annex II measures and is the document most closely scrutinised during the ENS conformity process.

03

Maturity assessment with INES and technical gap mapping

We apply the CCN's INES questionnaire to assess the current implementation level of each Annex II measure relevant to the assigned system category. The result is a maturity map by measure family — from L0 (non-existent) to L5 (optimised) — and a prioritised list of technical gaps with effort estimates and interdependencies. This precise diagnosis prevents over-implementation of measures that do not correspond to the assigned category and focuses resources on the controls that most effectively reduce actual risk.

04

Technical implementation of Annex II measures

We carry out the implementation of pending technical controls: hardening of operating systems and services following CCN-STIC guides (511, 570, 610 and platform-specific guides), configuration of access control mechanisms and strong authentication, deployment of security event logging and monitoring systems, vulnerability management with a documented patching cycle, encryption of communications and data at rest, and configuration of verified backups in accordance with measure mp.info.9. For cloud architectures — common among Gran Canaria's ICT companies — we specifically address the measures in the op.nub family: cloud provider assessment, cloud-environment access controls and cloud supply chain management.

What is included

What ENS Technical Implementation in Las Palmas de Gran Canaria for Public Administration Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report with PILAR

    Formal risk analysis in accordance with MAGERIT v3, carried out with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment across CIDAT dimensions and residual risk calculation. Presentable as technical evidence before ENS conformity auditors.

  • INES maturity assessment by measure family

    Implementation status report for Annex II measures generated with the CCN's INES tool, with maturity level by family (L0–L5) and a prioritised gap map to close before the conformity audit. Includes the cloud operation family (op.nub), relevant for cloud-based service architectures.

  • Documented technical hardening per system

    Application of CCN-STIC guides to each operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and a record of each change applied with version and date. Covers servers, workstations and network components in scope.

  • Security event monitoring and management deployment

    Configuration of logging, correlation and alerting mechanisms for security events in line with Annex II measures op.mon and op.exp: log sources, retention policy, critical-event alerts and a documented and verifiable technical incident response procedure.

  • Vulnerability management plan and evidence

    Documented cycle of technical vulnerability identification, assessment, prioritisation and remediation: periodic scans, prioritisation criteria by criticality and ENS category, patch records and closure validation. Covers Annex II measure op.exp.3.

  • Complete evidence package for conformity

    Structured set of all technical documentation required for the declaration of conformity (basic category, CCN-STIC 809) or for the audit by an ENAC-accredited body (medium or high category): reports, screenshots, logs, minutes and procedures organised by Annex II measure family.

Summum cluster

How it connects with its sisters.

The technical implementation of Annex II measures carried out by Summum Sistemas is coordinated with the documentary and regulatory work managed by Summum Calidad: system categorisation, Statement of Applicability integrated with ISO 27001, security policy and support through the declaration or certification of conformity process. Two teams, one coordinated project, full ENS coverage for suppliers to the Canary Islands public sector.

Frequently asked questions about ENS Technical Implementation in Las Palmas de Gran Canaria for Public Administration Suppliers.

Why do I need ENS compliance if I am a supplier to the Gobierno de Canarias or the Cabildo de Gran Canaria?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private organisations providing services to public-sector entities that are themselves subject to the ENS. The Gobierno de Canarias, the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the ULPGC are all public administrations subject to the ENS. If your information systems interact with those of any of these bodies — because you provide them with a service, supply software or process citizen data on their behalf — ENS compliance is mandatory and may be required in public procurement specifications. The single transitional provision of RD 311/2022 set 5 May 2024 as the deadline for pre-existing systems.

Which public bodies in Las Palmas de Gran Canaria require ENS compliance from their suppliers?

Any public-sector entity subject to the ENS may require compliance from its ICT suppliers. In Las Palmas de Gran Canaria the main contracting bodies are the Gobierno de Canarias (and its departments, including the Consejería de Administración Pública, Justicia y Seguridad), the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the Universidad de Las Palmas de Gran Canaria (ULPGC). Autonomous bodies and instrumental entities of these institutions that manage their own information systems are also included. The ENS makes no distinction between mainland Spain and the islands: the technical requirements are identical throughout national territory.

Does ENS compliance in the Canary Islands have any specific features compared to the rest of Spain?

From a regulatory standpoint the ENS is identical across the entire national territory, including the Canary Islands. RD 311/2022 establishes no territorial exceptions or special regime for the archipelago. However, the economic context does have relevant particularities for contracting: companies based in the Canary Islands are subject to the Impuesto General Indirecto Canario (IGIC) instead of VAT, which affects the cost structure of compliance projects but not the ENS's technical requirements. IGIC does not alter the obligation to comply, the way evidence is documented or how conformity is demonstrated before auditors.

What is MAGERIT and why is it the reference methodology for the ENS?

MAGERIT (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información) is the risk analysis methodology developed by the CCN and maintained by the Ministry of Finance and Public Administration. The ENS requires that the selection of Annex II measures be grounded in a formal risk analysis proportionate to the category of the system. MAGERIT is the CCN's reference methodology for that analysis in the context of the Spanish public administration: it enables asset identification, official-catalogue threat modelling and structured, traceable residual risk calculation. ENS conformity auditors are familiar with its reports, which streamlines the declaration or certification process.

How many measures are in Annex II of the ENS and which ones apply to my company?

Annex II of RD 311/2022 contains 75 measures in three frameworks and sixteen families: the organisational framework (4 measures), the operational framework with 7 families and 33 measures — including the op.nub family for cloud services, especially relevant for ICT companies using cloud infrastructure — and the protection measures with 9 families and 38 measures. Which measures are mandatory for your company depends on the system category (basic, medium or high) resulting from the CIDAT impact analysis. Summum Sistemas carries out the initial diagnosis to determine exactly the subset applicable to your case, avoiding both unnecessary over-implementation and gaps that could produce non-conformities.

Does Summum Sistemas issue the ENS certificate or declaration of conformity?

No. For basic-category systems the declaration of conformity is issued by the organisation itself through self-assessment in accordance with the CCN-STIC 809 procedure. For medium or high category systems the certificate of conformity is issued by an inspection body accredited by ENAC in accordance with the UNE-EN ISO/IEC 17065 standard. Summum Sistemas does not issue any conformity certificate — that is the exclusive remit of ENAC-accredited bodies. What we do is technically implement the Annex II measures, carry out the MAGERIT risk analysis with PILAR, assess the implementation status with INES and produce the evidence package that your systems need to pass that conformity process with the highest possible guarantees.