Royal Decree 311/2022 of 3 May, approving the Esquema Nacional de Seguridad, extends well beyond the public sector itself: Article 2 makes it mandatory for private organisations that provide services or supply technology solutions to any ENS-subject public entity to bring their own information systems into compliance. In the Las Palmas de Gran Canaria area that means suppliers of the Gobierno de Canarias — whose public administration directorate leads the region's digital transformation agenda — the Cabildo de Gran Canaria, the Ayuntamiento de Las Palmas de Gran Canaria and the Universidad de Las Palmas de Gran Canaria (ULPGC). If your information systems interact with those of any of these bodies — because you provide them with a managed service, supply software, process citizen data on their behalf or manage communications infrastructure underpinning their systems — ENS compliance is a legal obligation. The single transitional provision of RD 311/2022 set 5 May 2024 as the deadline for pre-existing systems; operating without compliance since that date constitutes a breach that may block access to public contracts.
Summum Sistemas approaches ENS compliance from the technical and operational angle: the effective implementation of the security measures set out in Annex II of RD 311/2022. That Annex groups 75 measures into three frameworks and sixteen families. The organisational framework covers security policy, internal regulations and procedures, the authorisation process and the acquisition of new components. The operational framework, with its seven families — planning (op.pl), access control (op.acc), operation (op.exp), external services (op.ext), incident management (op.mon), service continuity (op.cont) and cloud operation (op.nub) — contains the 33 most technically demanding measures, including those specifically governing cloud environments (op.nub), which are particularly relevant in a market like Gran Canaria where many ICT companies rely on public cloud infrastructure to serve public-sector clients. The protection measures, across nine families, cover physical environment, personnel management, workstation protection, communications protection, information media, software applications, information protection and services protection.
Risk analysis using the MAGERIT methodology and the CCN's PILAR tool is the technical core of the compliance process. MAGERIT enables the identification of all information assets in scope — hardware, software, data, services, communications and facilities — the mapping of dependencies between them, and the calculation of the impact that each materialised threat would have on the five CIDAT security dimensions: confidentiality, integrity, availability, authenticity and traceability. The PILAR tool, developed and distributed by the CCN, implements this methodology in a structured environment that generates reports directly usable as technical evidence before conformity auditors. Alongside PILAR, the CCN provides INES (Índice Nacional de Evaluación de la Seguridad), which assesses the maturity level of each Annex II measure's implementation and produces the status dashboard that accompanies either the declaration of conformity or the audit by an ENAC-accredited inspection body.