Sector público

Technical Implementation of the ENS in Seville for Public-Sector Suppliers

Seville hosts the seat of the Presidency of the Junta de Andalucía at the Palacio de San Telmo, alongside the Diputación de Sevilla, the Ayuntamiento de Sevilla, the Universidad de Sevilla and the Universidad Pablo de Olavide. All five are public-sector bodies subject to Spain's National Security Framework, and RD 311/2022 (BOE-A-2022-7191) extends that obligation to any company providing them with technology services or solutions that interact with their systems. Summum Sistemas delivers the technical implementation of all 73 Annex II controls: risk analysis using the MAGERIT methodology, threat modelling with the CCN's PILAR tool, system hardening and the evidence package that supports your declaration or certificate of conformity. Applied engineering, not paperwork.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the public sector in Seville
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Article 2 of RD 311/2022 leaves no room for interpretation: the Esquema Nacional de Seguridad (ENS) also applies to private entities whenever their information systems provide services to, or process data on behalf of, public-sector bodies that are themselves subject to the ENS. In Seville that reaches suppliers of the Junta de Andalucía — whose Presidency is seated at the Palacio de San Telmo — the Diputación de Sevilla, the Ayuntamiento de Sevilla, the Universidad de Sevilla and the Universidad Pablo de Olavide. The transitional provision set 5 May 2024 as the compliance deadline for systems already in operation; new systems must comply from the moment they go into production, and failing to do so can exclude a company from public procurement with any of these bodies.

Summum Sistemas handles the area that is its own: the genuine technical implementation of the security controls in Annex II of RD 311/2022. That Annex organises 73 controls into three frameworks — organisational, operational and protection — spread across 16 families, seven of them within the operational block, which includes the op.nub family for cloud services, particularly relevant for SaaS suppliers serving Andalusian public bodies over cloud infrastructure. Writing a security policy is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed, and verifiable technical evidence produced that every control is genuinely in place.

The starting point of any serious implementation is risk analysis. The ENS requires that the selection of Annex II controls be grounded in a formal analysis proportional to the system's category. Summum Sistemas applies the CCN's MAGERIT methodology — the official reference for risk analysis within Spain's public administration — and executes it with the PILAR tool, which models assets, threats and safeguards in a traceable way and produces the residual-risk report that conformity auditors expect to see. To verify implementation status control by control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment platform, which produces the status scorecard by family and underpins the declaration of conformity.

The Technical Implementation of the ENS in Seville for Public-Sector Suppliers process.

The process · four stages
01

Scope, affected bodies and ENS categorisation

We identify the information systems in scope and the services you provide to public bodies in Seville — the Junta de Andalucía, the Diputación, the Ayuntamiento, the Universidad de Sevilla, the Universidad Pablo de Olavide or others — together with the data flows connecting your systems to theirs. We apply Annex I of RD 311/2022 to determine the ENS category (basic, medium or high) by assessing impact across the five CIDAT dimensions. That category sets which Annex II controls are mandatory and which conformity path applies.

02

MAGERIT risk analysis with the PILAR tool

We carry out the risk analysis using MAGERIT v3 methodology and model it with PILAR, the CCN's tool: asset inventory, dependency mapping, applicable threats from the MAGERIT catalogue, frequency and impact assessment, and residual-risk calculation after existing safeguards. The resulting report is the objective basis on which Annex II controls are selected and prioritised, and it forms part of the technical conformity file.

03

Maturity assessment with INES and gap mapping

We apply the INES questionnaire to assess the genuine implementation level of the Annex II controls in the families that correspond to the assigned category. The result is a maturity map by family and a prioritised list of technical gaps, with effort estimates and dependencies between controls, so you know exactly what is missing before facing the conformity audit.

04

Technical implementation of Annex II controls

We implement the pending controls: OS and service hardening in line with the CCN-STIC guides, access control and strong authentication, encryption of communications and storage, backups, security event monitoring and logging, and vulnerability management with a documented patching cycle. For cloud services we also address the op.nub family: cloud provider assessment, environment segregation and specific access controls.

What is included

What Technical Implementation of the ENS in Seville for Public-Sector Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • ENS categorisation report (Annex I)

    Technical document justifying the assigned category — basic, medium or high — by assessing impact across the five CIDAT dimensions for each service provided to public bodies in Seville, with a traceable methodology and explicit reference to RD 311/2022.

  • MAGERIT risk analysis with PILAR report

    Formal risk analysis under MAGERIT v3, executed with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment and residual-risk calculation, presentable as technical evidence before conformity auditors.

  • INES maturity assessment by control family

    Implementation status report for the Annex II controls, generated with the CCN's INES tool, with maturity level per family and a prioritised gap map to be closed before the conformity audit.

  • Documented technical hardening per system

    Application of the CCN-STIC guides to each operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and evidence of every change with version and date record.

  • Monitoring and vulnerability management

    Configuration of logging, correlation and alerting mechanisms for security events (op.mon, op.exp) and a documented cycle for identifying, prioritising and remediating technical vulnerabilities, with patch records and closure validation.

  • Complete evidence package for conformity

    Structured set of all technical documentation required for the declaration of conformity (basic category, CCN-STIC 809) or for audit by an ENAC-accredited body (medium or high category): reports, screenshots, logs and procedures indexed by control family.

Frequently asked questions about Technical Implementation of the ENS in Seville for Public-Sector Suppliers.

Why does the ENS affect my company if I only work with the Diputación de Sevilla or the Ayuntamiento de Sevilla?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private entities providing services or solutions to public-sector bodies subject to the Framework. The Diputación de Sevilla and the Ayuntamiento de Sevilla are subject to the ENS as public administrations. If your systems handle data belonging to either of them, host software they use, or exchange information with their systems, ENS compliance is mandatory and may be a technical-solvency requirement in procurement tender specifications.

Do the Universidad de Sevilla and the Universidad Pablo de Olavide also require ENS compliance from their suppliers?

Yes. Both are public universities and therefore public-sector bodies subject to the ENS. Their digital-service contracts — software development, system hosting, student or research data processing, cloud services — pass on the ENS compliance obligation to the private suppliers involved. Their tender specifications increasingly include specific clauses requiring proof of compliance with the Framework.

What does the PILAR tool add over a bespoke risk analysis done in a spreadsheet?

PILAR is the risk analysis tool developed by the CCN that implements the MAGERIT methodology in a structured way, with catalogues of assets, threats and safeguards aligned with Annex II of RD 311/2022. It generates reports in the format conformity auditors expect, with reproducible results comparable across reviews. A hand-built spreadsheet analysis is not prohibited, but it makes it harder to trace threats, risks and applied controls, which tends to generate findings during an ENAC audit.

How many controls does ENS Annex II contain and which apply to me in Seville?

Annex II of RD 311/2022 covers 73 controls organised into three frameworks and 16 families: the organisational framework (4 controls), the operational framework — 7 families and 33 controls, including the op.nub family for cloud services — and the protection controls — 8 families and 36 controls. Which controls are mandatory depends on your system's category (basic, medium or high), determined by the CIDAT impact analysis. Summum Sistemas carries out that diagnostic to determine exactly which subset applies to your company.

What is the op.nub family and why does it matter for Junta de Andalucía suppliers using public cloud?

The op.nub family within the operational framework of Annex II sets out the security requirements specific to cloud computing services: cloud provider assessment, environment segregation, access management and the cloud services supply chain. It applies whenever the in-scope system uses IaaS, PaaS or SaaS infrastructure. For ICT suppliers of the Junta de Andalucía or other Seville public bodies operating on public cloud infrastructure, this family must be explicitly addressed in the risk analysis and the implementation plan.

Does Summum Sistemas issue the ENS conformity certificate?

No. For basic-category systems, the declaration of conformity is issued by the organisation itself through self-assessment, under CCN-STIC 809. For medium- or high-category systems, the certificate is issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any certificate — that is the exclusive remit of ENAC-accredited bodies — we implement the Annex II technical controls, produce the evidence package and prepare your systems to pass that process with confidence.