Sector público

Technical Implementation of the ENS in Madrid for Public-Sector Suppliers

If your company provides technology services to the Comunidad de Madrid, the Ayuntamiento de Madrid, bodies of the Spanish central government based in the capital, or public universities such as the Universidad Complutense de Madrid, Spain's National Security Framework — the Esquema Nacional de Seguridad, enacted by RD 311/2022 (BOE-A-2022-7191) — requires you to bring your information systems into compliance. This is not a minor formality: the Comunidad de Madrid's own cybersecurity agency has been recognised by Spain's National Cryptologic Centre (CCN) as an ENS Technical Audit Body, and the Ayuntamiento de Madrid already certifies its own systems — its Electronic Office and Taxpayer Portal, at the MEDIUM category — against the very same framework you are required to meet as a supplier. Summum Sistemas guides you through that process from the operational angle: risk analysis using the MAGERIT methodology, threat modelling with the CCN's own PILAR tool, implementation of the 73 technical controls in Annex II, and production of the evidence package you need to obtain your declaration or certificate of conformity. Stronger bids, real security in your systems.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the Comunidad de Madrid, the Ayuntamiento and central government bodies
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), is not a regulation that applies exclusively to public bodies: Article 2 extends the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities that are themselves subject to the ENS. Madrid concentrates within its municipal area and metropolitan region the headquarters of the Comunidad de Madrid, the Ayuntamiento de Madrid, most ministries and bodies of Spain's central government, and several public universities — including the Universidad Complutense de Madrid, which has maintained its own active ENS compliance plan since 2023 — making the capital the country's largest hub of technology-related public procurement. Any company that provides digital services, supplies software or operates systems that come into contact with those of these institutions must bring its systems into compliance before it can operate or bid on public contracts. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; from that date onwards, operating without compliance constitutes a breach that may bar access to public procurement.

Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 73 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services, highly relevant for SaaS suppliers operating within Madrid's public-sector ecosystem. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed and evidence produced to demonstrate that each control is actually in place and verifiable.

Risk analysis is the core of the process. The ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks to which the in-scope systems are exposed. Summum Sistemas uses the MAGERIT methodology — the CCN's official reference for risk analysis in the context of Spain's public administration — supported by the CCN's own PILAR tool, which enables structured modelling of assets, threats, vulnerabilities and impacts and generates the reports that conformity auditors expect to see. To assess the current level of implementation of each control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment tool, which provides a maturity scorecard by family and control. The result is technically sound, regulation-referenced analysis that can be presented to any ENAC-accredited inspection body.

The Technical Implementation of the ENS in Madrid for Public-Sector Suppliers process.

The process · four stages
01

Asset inventory and ENS category determination

We build the information asset inventory — hardware, software, data, services and communications — that falls within the ENS scope for your organisation. From that inventory we assess the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service delivered to the Comunidad de Madrid, the Ayuntamiento de Madrid or central government bodies, and we determine the system category — basic, medium or high — in accordance with Annex I of RD 311/2022. This category is the starting point that determines which Annex II controls are mandatory and which conformity path you must follow.

02

Risk analysis with MAGERIT and threat modelling with PILAR

We carry out the risk analysis following MAGERIT v3 methodology: asset identification, dependency mapping, applicable threats from the MAGERIT catalogue, frequency and impact assessment, and residual risk calculation after safeguards are applied. The modelling is performed with the CCN's PILAR tool, which generates a structured report on assets, threats and risks that can be used directly as technical evidence in the ENS conformity process. The outcome is the objective basis on which Annex II controls are selected and prioritised.

03

Maturity assessment with INES and technical gap mapping

We apply the INES questionnaire (Informe Nacional del Estado de Seguridad) to assess the current implementation level of each of the 73 Annex II controls in the families that correspond to the assigned category. The result is a maturity map by family — from L0 (non-existent) to L5 (optimised) — and a prioritised list of technical gaps that need to be closed, with effort estimates and dependencies between controls. You know exactly where you stand and what needs to be done, without shortcuts and without over-engineering.

04

Technical implementation of Annex II controls

We implement the pending technical controls: OS and service hardening in line with the relevant CCN-STIC guides (511, 570, 610 and vendor-specific ones), configuration of access control and strong authentication mechanisms, deployment of security event logging and monitoring systems, vulnerability management with a documented patching cycle, encryption of communications and storage, and backup configuration in accordance with control mp.info.9 of Annex II. For cloud services, we address the op.nub family controls: provider assessment, supply chain management and cloud-specific access controls — particularly relevant for SaaS suppliers serving the public administration based in Madrid.

What is included

What Technical Implementation of the ENS in Madrid for Public-Sector Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report with PILAR

    Formal risk analysis following MAGERIT v3, executed with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment, and residual risk calculation. Presentable as technical evidence before ENS conformity auditors.

  • INES maturity assessment by control family

    Implementation status report for the Annex II controls, generated with the CCN's INES tool, with maturity level per family (L0–L5) and a prioritised gap map to be closed before the conformity audit.

  • Documented technical hardening per system

    Application of the relevant CCN-STIC guides to each operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and evidence of every change applied with version and date record.

  • Monitoring and security event management deployment

    Configuration of logging, correlation and alerting mechanisms for security events in accordance with the op.mon and op.exp controls of Annex II: log sources, retention, critical-event alerts and documented technical incident response procedure.

  • Vulnerability management plan and evidence

    Documented cycle for identifying, assessing, prioritising and remediating technical vulnerabilities: periodic scans, prioritisation criteria by criticality and ENS category, patch application records and closure validation. Covers control op.exp.3 of Annex II.

  • Complete evidence package for conformity

    Structured set of all technical documentation required for the declaration of conformity (basic category, under CCN-STIC 809) or for audit by an ENAC-accredited body (medium or high category): reports, screenshots, logs, records and procedures indexed by control family.

Summum cluster

How it connects with its sisters.

The technical implementation of the Annex II controls works best when combined with the documentary and normative layer managed by Summum Calidad in Madrid: security policy, Declaration of Applicability integrated with ISO 27001, and preparation of the declaration or certificate of conformity. Both teams work in a coordinated way within a single project, with no duplication of effort and a single point of contact for the client.

Frequently asked questions about Technical Implementation of the ENS in Madrid for Public-Sector Suppliers.

Why do I need ENS compliance if I supply the Comunidad de Madrid or the Ayuntamiento de Madrid?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private entities that provide services to public-sector bodies that are themselves subject to the ENS. The Comunidad de Madrid and the Ayuntamiento de Madrid are subject to the ENS as public administrations: in fact, the Comunidad de Madrid's cybersecurity agency has been recognised by the CCN as an ENS Technical Audit Body, and the Ayuntamiento de Madrid already certifies its own systems (Electronic Office, Taxpayer Portal) at the MEDIUM category. If your information systems interact with theirs — because you provide a service, supply software or process data on their behalf — ENS compliance is mandatory and may be required in public procurement tender specifications.

Does the ENS also affect suppliers of central government bodies and Madrid's public universities?

Yes. Ministries and bodies of Spain's central government based in Madrid, and the capital's public universities — such as the Universidad Complutense de Madrid, which has maintained its own ENS compliance plan since 2023 — are public-sector entities subject to the Framework. Their contracts for digital services, software development, systems maintenance or data processing carry the ENS compliance obligation through to their private suppliers.

What is MAGERIT and why does the ENS require it?

MAGERIT is the Methodology for the Analysis and Management of Information Systems Risks (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información) developed by the CCN. The ENS requires that the selection and application of Annex II controls be based on a formal risk analysis proportional to the system category. MAGERIT is the CCN's reference methodology for that analysis in the context of Spain's public administration: it allows assets, threats and residual risks to be identified and calculated in a structured, traceable way. ENS conformity auditors are familiar with this methodology and expect to find it documented in the risk analysis evidence.

What is PILAR and what does it contribute to the compliance process?

PILAR is the risk analysis tool developed by the CCN that implements the MAGERIT methodology. It enables modelling of system assets, their dependencies, applicable threats from the MAGERIT catalogue and implemented safeguards, and it generates structured risk and maturity reports. Its use in the ENS compliance process is highly regarded by conformity auditors because it provides traceability and objectivity: results are reproducible, comparable across periods and directly presentable as technical evidence during audit.

How many controls does ENS Annex II contain and which ones apply to my company?

Annex II of RD 311/2022 covers 73 controls organised into three frameworks and sixteen families: the organisational framework (4 controls), the operational framework — with 7 families and 33 controls, including the op.nub family for cloud services — and the protection measures framework — with 8 families and 36 controls. Which controls are mandatory for your company depends on the system category (basic, medium or high) that results from the CIDAT impact analysis. Summum Sistemas carries out the diagnostic to determine exactly which subset applies to your specific situation.

Does Summum Sistemas issue the ENS conformity certificate or declaration?

No. For basic-category systems, the declaration of conformity is issued by the organisation itself through a self-assessment process, in accordance with CCN-STIC 809 — the same approach already used by the Ayuntamiento de Madrid for some of its systems, though in its case via full certification for MEDIUM category. For medium- or high-category systems, the conformity certificate must be issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any conformity certificate — that is the exclusive remit of ENAC-accredited bodies. What we do is implement the technical controls of Annex II, produce the evidence package and prepare your systems to pass that conformity process with the greatest possible confidence.