Sector público

Technical Implementation of the ENS in Málaga for Public-Sector Suppliers

If your company provides technology services to the Junta de Andalucía, the Diputación Provincial de Málaga, the Ayuntamiento de Málaga or the Universidad de Málaga (UMA), Spain's National Security Framework — the Esquema Nacional de Seguridad, enacted by RD 311/2022 (BOE-A-2022-7191) — requires you to bring your information systems into compliance. The dense community of ICT companies based at the Parque Tecnológico de Andalucía (PTA) that serves these bodies shares the same obligation. Summum Sistemas guides you through that process from the operational angle: risk analysis using the MAGERIT methodology, threat modelling with the CCN's own PILAR tool, implementation of the 73 technical controls in Annex II, and production of the evidence package you need to obtain your declaration or certificate of conformity. Stronger bids, real security in your systems.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the public sector in Málaga
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), is not a regulation that applies exclusively to public bodies: Article 2 extends the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities that are themselves subject to the ENS. In the Málaga area, this means that any company supplying the Junta de Andalucía, the Diputación Provincial de Málaga, the Ayuntamiento de Málaga or the Universidad de Málaga (UMA) must bring its systems into compliance before it can operate or bid on public contracts. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; from that date onwards, operating without compliance constitutes a breach that may bar access to public procurement.

Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 73 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed and evidence produced to demonstrate that each control is actually in place and verifiable. The op.nub family is particularly relevant in Málaga given the concentration of SaaS and IaaS providers based at the Parque Tecnológico de Andalucía that serve public bodies across Andalusia.

Risk analysis is the core of the process. The ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks to which the in-scope systems are exposed. Summum Sistemas uses the MAGERIT methodology — the CCN's official reference for risk analysis in the context of Spain's public administration — supported by the CCN's own PILAR tool, which enables structured modelling of assets, threats, vulnerabilities and impacts and generates the reports that conformity auditors expect to see. To assess the current level of implementation of each control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment tool, which provides a maturity scorecard by family and control. The result is technically sound, regulation-referenced analysis that can be presented to any ENAC-accredited inspection body.

The Technical Implementation of the ENS in Málaga for Public-Sector Suppliers process.

The process · four stages
01

Asset inventory and ENS category determination

We build the information asset inventory — hardware, software, data, services and communications — that falls within the ENS scope for your organisation, including the cloud services that many Parque Tecnológico de Andalucía companies deliver to the Junta de Andalucía and to public bodies in Málaga. From that inventory we assess the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service delivered to the public administration, and we determine the system category — basic, medium or high — in accordance with Annex I of RD 311/2022. This category is the starting point that determines which Annex II controls are mandatory and which conformity path you must follow.

02

Risk analysis with MAGERIT and threat modelling with PILAR

We carry out the risk analysis following MAGERIT v3 methodology: asset identification, dependency mapping, applicable threats from the MAGERIT catalogue, frequency and impact assessment, and residual risk calculation after safeguards are applied. The modelling is performed with the CCN's PILAR tool, which generates a structured report on assets, threats and risks that can be used directly as technical evidence in the ENS conformity process. The outcome is the objective basis on which Annex II controls are selected and prioritised.

03

Maturity assessment with INES and technical gap mapping

We apply the INES questionnaire (Informe Nacional del Estado de Seguridad) to assess the current implementation level of each of the 73 Annex II controls in the families that correspond to the assigned category. The result is a maturity map by family — from L0 (non-existent) to L5 (optimised) — and a prioritised list of technical gaps that need to be closed, with effort estimates and dependencies between controls. You know exactly where you stand and what needs to be done, without shortcuts and without over-engineering.

04

Technical implementation of Annex II controls

We implement the pending technical controls: OS and service hardening in line with the relevant CCN-STIC guides (511, 570, 610 and vendor-specific ones), configuration of access control and strong authentication mechanisms, deployment of security event logging and monitoring systems, vulnerability management with a documented patching cycle, encryption of communications and storage, and backup configuration in accordance with control mp.info.9 of Annex II. For Parque Tecnológico de Andalucía companies operating on a cloud model, we work in detail on the op.nub family controls: provider assessment, supply chain management and cloud-specific access controls.

What is included

What Technical Implementation of the ENS in Málaga for Public-Sector Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report with PILAR

    Formal risk analysis following MAGERIT v3, executed with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment, and residual risk calculation. Presentable as technical evidence before ENS conformity auditors.

  • INES maturity assessment by control family

    Implementation status report for the Annex II controls, generated with the CCN's INES tool, with maturity level per family (L0–L5) and a prioritised gap map to be closed before the conformity audit.

  • Documented technical hardening per system

    Application of the relevant CCN-STIC guides to each operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and evidence of every change applied with version and date record.

  • Monitoring and security event management deployment

    Configuration of logging, correlation and alerting mechanisms for security events in accordance with the op.mon and op.exp controls of Annex II: log sources, retention, critical-event alerts and documented technical incident response procedure.

  • Vulnerability management plan and evidence

    Documented cycle for identifying, assessing, prioritising and remediating technical vulnerabilities: periodic scans, prioritisation criteria by criticality and ENS category, patch application records and closure validation. Covers control op.exp.3 of Annex II.

  • op.nub technical controls for cloud providers

    Cloud provider security assessment, environment segregation and access controls specific to the op.nub family of Annex II, aimed at SaaS/IaaS companies at the Parque Tecnológico de Andalucía that serve the public administration.

Summum cluster

How it connects with its sisters.

The technical implementation of the Annex II controls works best when combined with the documentary and normative layer managed by Summum Calidad: security policy, Declaration of Applicability integrated with ISO 27001, and preparation of the declaration or certificate of conformity. Both teams work in a coordinated way within a single project, with no duplication of effort and a single point of contact for the client.

Frequently asked questions about Technical Implementation of the ENS in Málaga for Public-Sector Suppliers.

Why do I need ENS compliance if I supply the Junta de Andalucía or the Ayuntamiento de Málaga?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private entities that provide services to public-sector bodies that are themselves subject to the ENS. The Junta de Andalucía, the Diputación Provincial de Málaga, the Ayuntamiento de Málaga and the Universidad de Málaga (UMA) are all subject to the ENS as public administrations. If your information systems interact with any of theirs — because you provide a service, supply software or process data on their behalf — ENS compliance is mandatory and may be required in public procurement tender specifications.

My company is based at the Parque Tecnológico de Andalucía and delivers a SaaS service. What does that mean for the ENS?

If your cloud service processes information or supports a body subject to the ENS, the op.nub family of Annex II applies: assessment of the cloud provider's security, environment segregation, access management specific to the cloud environment and control of the service supply chain. This is a dedicated set of controls that adds to the rest of Annex II and requires a specific analysis of the shared-responsibility model between your company and the cloud infrastructure provider you use.

What is MAGERIT and why does the ENS require it?

MAGERIT is the Methodology for the Analysis and Management of Information Systems Risks (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información) developed by the CCN. The ENS requires that the selection and application of Annex II controls be based on a formal risk analysis proportional to the system category. MAGERIT is the CCN's reference methodology for that analysis in the context of Spain's public administration: it allows assets, threats and residual risks to be identified and calculated in a structured, traceable way. ENS conformity auditors are familiar with this methodology and expect to find it documented in the risk analysis evidence.

What is PILAR and what does it contribute to the compliance process?

PILAR is the risk analysis tool developed by the CCN that implements the MAGERIT methodology. It enables modelling of system assets, their dependencies, applicable threats from the MAGERIT catalogue and implemented safeguards, and it generates structured risk and maturity reports. Its use in the ENS compliance process is highly regarded by conformity auditors because it provides traceability and objectivity: results are reproducible, comparable across periods and directly presentable as technical evidence during audit.

How many controls does ENS Annex II contain and which ones apply to my company?

Annex II of RD 311/2022 covers 73 controls organised into three frameworks and sixteen families: the organisational framework (4 controls), the operational framework — with 7 families and 33 controls, including the op.nub family for cloud services — and the protection measures framework — with 8 families and 36 controls. Which controls are mandatory for your company depends on the system category (basic, medium or high) that results from the CIDAT impact analysis. Summum Sistemas carries out the diagnostic to determine exactly which subset applies to your specific situation.

Does Summum Sistemas issue the ENS conformity certificate or declaration?

No. For basic-category systems, the declaration of conformity is issued by the organisation itself through a self-assessment process, in accordance with CCN-STIC 809. For medium- or high-category systems, the conformity certificate must be issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any conformity certificate — that is the exclusive remit of ENAC-accredited bodies. What we do is implement the technical controls of Annex II, produce the evidence package and prepare your systems to pass that conformity process with the greatest possible confidence.