Ciberseguridad y cumplimiento

Technical implementation of the ENS in León: MAGERIT, PILAR and Annex II for suppliers to León's public sector

The Diputación de León, the Ayuntamiento de León and the Universidad de León (ULE) are subject to Spain's National Security Framework (Esquema Nacional de Seguridad) under RD 311/2022 (BOE-A-2022-7191). So are their technology suppliers and contractors: if your company provides software, cloud services, systems maintenance or any solution that comes into contact with their information systems, the ENS applies to you with the same force as to the public body itself. At Summum Sistemas we handle the technical-operational side of that compliance: risk analysis using the MAGERIT methodology and the CCN's PILAR tool, implementation of the 75 Annex II controls across three frameworks and sixteen families, security event monitoring, system hardening and the preparation of the technical evidence that the conformity auditor requires. We do not issue certificates — that is the exclusive remit of ENAC-accredited inspection bodies — but we provide the technical depth needed to reach that audit with every guarantee.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileTechnology suppliers to León's public administration
FocusTechnical implementation: MAGERIT · PILAR · Annex II · operational cybersecurity

Real Decreto 311/2022, of 3 May, approves Spain's National Security Framework and updates the requirements that public-sector bodies and their suppliers must apply to their information systems. In León, the main bodies subject to the ENS are the Diputación de León — which provides services to dozens of municipalities across the province and manages both its own and delegated information systems — the Ayuntamiento de León, and the Universidad de León (ULE), whose research and academic management activities generate an ecosystem of technology suppliers that in many cases have not yet completed their conformity process. Operating without conformity constitutes a breach that can block access to tenders and contracts with these bodies, since public procurement regulations require that the applicable security requirements be met for each contract.

Article 2 of RD 311/2022 extends the ENS's scope to private entities that provide services or solutions to public-sector bodies. This includes software integrators, management application developers, cloud service providers (with particular attention to the op.nub family of Annex II controls), TIC infrastructure maintenance companies and any organisation that processes data on behalf of a public body in León. The level of demand depends on the system category — basic, medium or high — determined in accordance with Annex I of RD 311/2022 based on the potential impact of a security incident across the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability). The category also determines the conformity route: basic category permits a self-assessed declaration of conformity; medium and high categories require certification by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard.

Annex II of RD 311/2022 organises the mandatory security controls into 75 measures distributed across three frameworks — organisational framework, operational framework and protection measures — and sixteen families. The operational framework covers seven families and thirty-three measures, including the op.nub family, specific to cloud services, whose relevance has grown considerably as León's public administration has adopted cloud solutions for its internal management and citizen-facing systems. At Summum Sistemas we address each of these families from a technical standpoint: risk analysis using the MAGERIT methodology and the CCN's PILAR tool, secure configuration of operating systems and services, vulnerability management, privileged access control, security event monitoring and correlation (SIEM), communications and storage encryption, and continuity plans aimed at guaranteeing service availability at the levels required by the contracted system.

The Technical implementation of the ENS in León process.

The process · four stages
01

Technical system categorisation and ENS scope definition

We identify all in-scope information systems — those that interact with the systems of the Diputación de León, the Ayuntamiento de León or the ULE — and assess them under Annex I of RD 311/2022. For each service we analyse the potential impact of a security incident across the five CIDAT dimensions, determine the resulting category (basic, medium or high) and define the subset of Annex II controls that are mandatory for that category. This phase produces the categorisation report, which documents the decision rationale with full regulatory traceability.

02

Risk analysis with MAGERIT and PILAR

We carry out the risk analysis following the MAGERIT methodology (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información), developed by the CCN and the obligatory reference in the ENS context. We use the PILAR tool to model assets, threats, vulnerabilities and impacts, and to generate the risk map with the criticality level of each system asset. The output is the risk analysis report that underpins the justified selection of Annex II controls and that the conformity auditor will review as the centrepiece of the conformity dossier.

03

Implementation of the 75 Annex II controls

We design and implement the Annex II security controls applicable to the system's category: organisational framework (policies, roles, risk management, product procurement), operational framework (planning, access control, operations, external services, continuity, monitoring and the op.nub family for cloud environments) and protection measures (facilities, systems, data, communications, media). Each control is documented with traceable and verifiable technical evidence for the conformity audit.

04

CCN tools: INES and conformity-state verification

We use the CCN's INES tool (Informe Nacional del Estado de Seguridad) to self-assess the maturity level of the implemented controls and generate metrics that reflect the system's actual degree of compliance. This periodic assessment identifies deviations before the external audit and allows the action plan to be adjusted accordingly. INES metrics are also comparable with those of the public sector, which facilitates communication with contracting bodies in León about the state of the conformity process.

What is included

What Technical implementation of the ENS in León includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (Annex I, RD 311/2022)

    Technical document justifying the category assigned to the system — basic, medium or high — by assessing the impact across the five CIDAT dimensions for each in-scope service, with traceable methodology referenced to RD 311/2022 and to the León public-body systems involved.

  • MAGERIT risk analysis using the PILAR tool

    Comprehensive analysis of assets, threats, vulnerabilities and impacts following the CCN's MAGERIT methodology, executed with the PILAR tool: risk map, criticality assessment and prioritised treatment plan in line with the system's category.

  • Annex II 75-control implementation plan

    Design and implementation of the mandatory Annex II controls of RD 311/2022 across the three frameworks and sixteen families applicable to the system's category, with timeline, responsible parties and technical evidence for each implemented control.

  • INES status report and maturity metrics

    Periodic assessment of control maturity using the CCN's INES tool, with metrics comparable to those of León's public sector and an action plan to close gaps identified before the conformity audit.

  • Hardening configuration and vulnerability management

    Documented secure configuration of operating systems, services and communications in line with the applicable CCN-STIC guides, together with a structured vulnerability management process covering CCN-CERT advisories and patch application records.

  • Technical evidence package for the conformity audit

    Complete set of structured technical evidence for the ENS conformity audit: MAGERIT/PILAR reports, configuration records, monitoring logs, continuity-test minutes and incident traces, organised in the format expected by ENAC-accredited inspection bodies.

Frequently asked questions about Technical implementation of the ENS in León.

Why does the ENS affect technology suppliers to the Diputación de León and the Ayuntamiento de León?

Article 2 of RD 311/2022 extends the ENS's scope to private entities that provide services or solutions to public-sector bodies subject to the framework. The Diputación de León, the Ayuntamiento de León and the Universidad de León (ULE) are all subject to the ENS. Any company supplying them with software, cloud services, systems maintenance or data processing must therefore bring its own information systems into ENS conformity in the parts that interact with the public administration's systems. Without that conformity, a company may be excluded from tenders or have the validity of existing contracts called into question.

What is MAGERIT and why is it the reference methodology for the ENS?

MAGERIT (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información) is the risk analysis methodology developed by the CCN (National Cryptology Centre) and adopted as the reference in the ENS context. Article 13 of RD 311/2022 requires a risk analysis that identifies threats to the information systems, estimates the likelihood of their occurrence and assesses their potential impact. MAGERIT provides the structured framework for carrying out that analysis, and the PILAR tool — also from the CCN — enables it to be executed in a traceable way and generates the risk report that the conformity auditor will review as the central document in the conformity dossier.

What does the op.nub family of Annex II cover and why is it relevant for companies providing cloud services to the ULE or the Diputación?

The op.nub family in the operational framework of Annex II sets out the specific controls that must be applied when public-sector information systems operate on cloud infrastructure or cloud services. If your company provides cloud services to the Universidad de León, the Diputación de León or the Ayuntamiento de León — whether as an IaaS, PaaS or SaaS provider — you must implement the op.nub controls applicable to the system's category: protection of data in transit and at rest, resource segmentation, identity and access management in multi-tenant environments, and service-level agreements that guarantee the required availability. At Summum Sistemas we implement these controls technically and with full documentation.

What is the difference between a declaration of conformity and certification in the ENS?

For basic-category systems, ENS conformity is demonstrated through a self-assessed declaration of conformity produced by the organisation itself, following the procedure set out in CCN-STIC 809. For medium- or high-category systems, conformity requires an audit carried out by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard, which then issues the conformity certificate. Summum Sistemas does not issue certificates — that is the exclusive remit of accredited inspection bodies — but implements the necessary technical controls and prepares the evidence so that you can pass that process with every guarantee.

How many Annex II controls are mandatory and how is it determined which ones apply to my company?

Annex II of RD 311/2022 contains 75 security measures organised across three frameworks (organisational, operational and protection) and sixteen families. Not all of them are mandatory for every system: the level of demand for each measure — marked as basic, medium or high within Annex II itself — depends on the system category determined under Annex I. A basic-category system must comply with the measures marked as basic; a medium-category system must comply with those marked basic and medium; a high-category system must comply with all three levels. At Summum Sistemas we determine exactly which subset applies to your situation after the technical categorisation of your system.

Which CCN tools does Summum Sistemas use in León projects?

We work with the two main tools that the CCN makes available for ENS conformity. PILAR (Procedimiento Informático de Análisis de Riesgos) is used for risk analysis following the MAGERIT methodology: asset, threat, vulnerability and impact modelling, and generation of a traceable risk map. INES (Informe Nacional del Estado de Seguridad) is used for periodic self-assessment of the maturity level of the implemented controls, generating metrics comparable to those of the public sector and enabling deviations to be identified before the conformity audit.