Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), is not a regulation that applies exclusively to public bodies: Article 2 extends the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities that are themselves subject to the ENS. In the Málaga area, this means that any company supplying the Junta de Andalucía, the Diputación Provincial de Málaga, the Ayuntamiento de Málaga or the Universidad de Málaga (UMA) must bring its systems into compliance before it can operate or bid on public contracts. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; from that date onwards, operating without compliance constitutes a breach that may bar access to public procurement.
Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 73 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed and evidence produced to demonstrate that each control is actually in place and verifiable. The op.nub family is particularly relevant in Málaga given the concentration of SaaS and IaaS providers based at the Parque Tecnológico de Andalucía that serve public bodies across Andalusia.
Risk analysis is the core of the process. The ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks to which the in-scope systems are exposed. Summum Sistemas uses the MAGERIT methodology — the CCN's official reference for risk analysis in the context of Spain's public administration — supported by the CCN's own PILAR tool, which enables structured modelling of assets, threats, vulnerabilities and impacts and generates the reports that conformity auditors expect to see. To assess the current level of implementation of each control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment tool, which provides a maturity scorecard by family and control. The result is technically sound, regulation-referenced analysis that can be presented to any ENAC-accredited inspection body.