Ciberseguridad y cumplimiento

ENS Technical Implementation in Salamanca

The Diputación Provincial de Salamanca, the Ayuntamiento de Salamanca and the Universidad de Salamanca (USAL) are subject to the Esquema Nacional de Seguridad (National Security Framework) regulated by RD 311/2022 (BOE-A-2022-7191). If your company intends to tender or deliver technology services to any of these public bodies, your information systems must be brought into ENS compliance to the same standard required of the public entity itself. Summum Sistemas addresses that compliance from the technical and operational side: risk analysis using MAGERIT methodology, modelling with Centro Criptológico Nacional tools (PILAR, INES), systems hardening and application of the 75 measures in Annex II of RD 311/2022. No fabricated offices, no certification claims that can only be issued by ENAC-accredited bodies.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileTechnology suppliers to Salamanca's public sector
MethodologyMAGERIT · PILAR · INES · Annex II ENS

RD 311/2022, of 3 May, extends the Esquema Nacional de Seguridad well beyond the administrations themselves: any private entity whose information systems process, transmit or support public-sector services is obliged to comply to the same standard as the contracting administration. In Salamanca, this directly affects companies providing software, infrastructure, telecommunications, network maintenance or data-processing services to the Diputación Provincial de Salamanca, the Ayuntamiento de Salamanca or the Universidad de Salamanca — an institution that, as part of the Spanish public university sector, falls fully within the ENS scope. The general deadline to bring existing systems into compliance was 5 May 2024; systems launched after that date must comply from day one of operation. Operating outside the ENS not only exposes the company to regulatory breaches but can directly bar access to new public tenders in Salamanca.

The technical starting point for any ENS compliance project is a risk analysis of the in-scope systems. The ENS does not mandate a specific methodology, but it expressly recognises MAGERIT — the methodology developed by Spain's Consejo Superior de Administración Electrónica — as the de facto reference for the public sector. Summum Sistemas works with MAGERIT v3 to identify and value assets, threats and vulnerabilities, calculate intrinsic and residual risk, and document risk-treatment decisions. The analysis is modelled in PILAR, the Centro Criptológico Nacional tool that automatically generates risk reports in the format required both by public-sector entities and by ENAC-accredited inspection bodies that certify medium- and high-category systems. INES, also from the CCN, complements the analysis by providing a structured and exportable assessment of ENS compliance maturity.

Annex II of RD 311/2022 organises security measures into three frameworks — organisational, operational and protection — covering 16 families and a total of 75 measures. For each system category — basic, medium or high — Annex II specifies which measures are mandatory and at what reinforcement level (r1, r2 or r3). Summum Sistemas handles the technical implementation of the operational and protection measures: access-control policies (op.acc), continuity management (op.cont), communications protection (mp.com), information-media protection (mp.si), services protection (mp.s) and, critically, the op.nub family, which governs the use of cloud computing services and is especially relevant for suppliers who host their solutions on cloud infrastructure. Technical control implementation is complemented by preparing the evidence package — records, logs, vulnerability-assessment results — that the compliance auditor needs in order to verify that measures are genuinely operational, not merely documented.

The ENS Technical Implementation in Salamanca process.

The process · four stages
01

System categorisation and MAGERIT scope

We identify the information systems within the ENS scope: applications, infrastructure, cloud services and communications that support or process information from Salamanca's public sector. We determine the system category — basic, medium or high — by assessing the impact on the five CIDAT dimensions in accordance with Annex I of RD 311/2022. In parallel, we begin the MAGERIT asset inventory: essential assets (services and information), support assets (hardware, software, facilities, personnel) and inter-dependencies, which form the basis for the risk analysis.

02

Risk analysis with MAGERIT and modelling in PILAR

We value assets, threats and vulnerabilities according to MAGERIT v3 methodology, calculate intrinsic and residual risk, and document the risk-acceptance criteria approved by management. The analysis is modelled in PILAR to generate CCN-format reports: the system risk profile, Annex II compliance indicators and a prioritised gap map. INES is used to self-assess the ENS maturity level before implementation begins, so that effort is concentrated where the gap is greatest.

03

Technical implementation of Annex II measures

We apply the Annex II measures that correspond to the system's category: OS and service hardening in accordance with CCN-STIC guides, access-control and privilege-management configuration (op.acc), cryptographic key management implementation or review (mp.si), security event monitoring and management (op.mon), and adaptation of cloud services to the ENS op.nub profile — including verification of the ENS compliance level of the cloud provider in use.

04

Technical evidence package preparation

We structure the evidence package that demonstrates genuine implementation of technical controls: vulnerability-assessment results, hardening reports, security event records, continuity and recovery test minutes, and user-access management logs. Everything is organised according to the evidence index that ENS compliance auditors expect to review. Technical documentation is coordinated with the normative and organisational package developed by Summum Calidad in integrated projects.

What is included

What ENS Technical Implementation in Salamanca includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Asset inventory and MAGERIT v3 risk analysis

    Identification and valuation of essential and support assets, threat and vulnerability analysis, intrinsic and residual risk calculation, and documentation of risk-treatment decisions, all in accordance with the MAGERIT v3 methodology recognised by the CCN.

  • PILAR modelling and CCN reports

    Risk-analysis modelling in the CCN's PILAR tool, generating risk and ENS compliance reports in the format required by compliance auditors and ENAC-accredited inspection bodies.

  • ENS maturity self-assessment with INES

    Initial assessment of Annex II compliance using the CCN's INES tool, identifying the highest-impact gaps before implementation begins and focusing effort where the risk of non-conformity is greatest.

  • Hardening and Annex II technical controls

    Implementation of Annex II technical measures: system and service hardening per CCN-STIC guides, access-control configuration (op.acc), cryptographic key management (mp.si), event monitoring (op.mon) and cloud-service adaptation to the ENS op.nub profile.

  • Technical evidence package for the audit

    Compilation of the complete technical evidence package: vulnerability-assessment results, hardening reports, event records, continuity test minutes and access-management logs, organised according to the compliance auditors' review index.

  • Technical pre-audit review (medium and high categories)

    For medium- or high-category systems, an internal review that replicates the ENAC-accredited body's scrutiny: Annex II measure coverage, detection of technical deviations and remediation before the conformity audit, minimising the risk of non-conformities.

Frequently asked questions about ENS Technical Implementation in Salamanca.

Why does the Universidad de Salamanca (USAL) extend the ENS obligation to its suppliers?

The USAL is a public university integrated into the Spanish public university sector and, as such, falls within the ENS scope defined in Article 2 of RD 311/2022. When the USAL contracts technology services — academic management software, cloud infrastructure, systems maintenance or data processing — the supplier's systems that interact with the university's own systems become subject to the same ENS compliance level required of the affected university system. Operating without that compliance can prevent the company from being awarded new contracts with the USAL or any other public body in Salamanca.

What is the difference between the technical implementation by Summum Sistemas and the normative support provided by Summum Calidad?

Summum Sistemas handles the technical and operational side: MAGERIT risk analysis, PILAR modelling, systems hardening, access-control and monitoring configuration, cloud-service adaptation to the ENS op.nub profile, and preparation of the technical evidence package. Summum Calidad handles the normative and documentary side: information security management system, Statement of Applicability, security policy in accordance with Article 12 of RD 311/2022, and coordination of the declaration or conformity certification. In an integrated project, both teams work in parallel so that security engineering and the management system are coherent and free of duplication.

What CCN tools are used in the project and what are they for?

We primarily use PILAR and INES, both developed by the Centro Criptológico Nacional. PILAR is the risk analysis and management tool that implements the MAGERIT methodology: it models assets, threats and vulnerabilities, calculates intrinsic and residual risk, and generates risk and ENS compliance reports in the format required by compliance auditors. INES is the ENS self-assessment tool: it measures the degree of compliance with each Annex II measure before implementation begins, identifies the highest-impact gaps and produces the maturity report that serves as the starting point for the work plan.

What is the op.nub family in Annex II and why does it matter for Salamanca suppliers?

The op.nub family (use of cloud services) is one of the seven families in the operational framework of Annex II of RD 311/2022. It governs the requirements that cloud computing services used in ENS-subject systems must meet: the cloud provider must have its own ENS conformity level or equivalent, and the client — in this case the technology supplier to Salamanca's public sector — must verify and document that conformity. It is a particularly relevant family because many suppliers to the Diputación, the Ayuntamiento or the USAL host their solutions on public or private cloud infrastructure, and ENS compliance requires that layer to meet the standard's requirements as well.

How long does a technical ENS implementation project take for a Salamanca public-sector supplier?

The duration depends on the system category, infrastructure complexity and the security baseline in place. For basic-category systems with relatively straightforward infrastructure, the MAGERIT analysis, Annex II measure implementation and evidence package preparation can be completed in three to five months. For medium- or high-category systems with more complex infrastructure or extensive cloud components, the project typically requires eight to fourteen months. In both cases, the timeline is significantly shorter if the company already has documented security practices in place, even without ISO 27001 certification.

Can Summum Sistemas officially certify or audit ENS compliance?

No. Conformity certification for medium- or high-category systems can only be issued by an inspection body accredited by ENAC in accordance with the UNE-EN ISO/IEC 17065 standard. For basic-category systems, the self-assessed declaration of conformity is issued by the organisation itself following the CCN-STIC 809 procedure. Summum Sistemas is not an ENAC-accredited body and does not act as a conformity auditor: our role is to prepare systems from the technical side so that they pass that process with the greatest possible assurance, not to issue the certificate.