Ciberseguridad y cumplimiento

Technical Implementation of the ENS in Valladolid for Public-Sector Suppliers

If your company provides technology services to the Junta de Castilla y León, the Diputación Provincial de Valladolid, the Ayuntamiento de Valladolid or the Universidad de Valladolid (UVa), Spain's National Security Framework — the Esquema Nacional de Seguridad, enacted by RD 311/2022 (BOE-A-2022-7191) — requires you to bring your information systems into compliance. Summum Sistemas guides you through that process from the operational angle: risk analysis using the MAGERIT methodology, threat modelling with the CCN's own PILAR tool, implementation of the 75 technical controls in Annex II, and production of the evidence package you need to obtain your declaration or certificate of conformity. Stronger bids, real security in your systems.

RegulationRD 311/2022 · BOE-A-2022-7191
ScopeICT suppliers to the public sector in Valladolid
ApproachTechnical implementation · MAGERIT · PILAR · INES · Annex II

Royal Decree 311/2022, of 3 May, which enacts the Esquema Nacional de Seguridad (ENS), is not a regulation that applies exclusively to public bodies: Article 2 extends the obligation to comply to the information systems of private entities that provide services or supply solutions to public-sector entities that are themselves subject to the ENS. In the Valladolid area, this means that any company supplying the Junta de Castilla y León — whose headquarters are located in the city — the Diputación Provincial de Valladolid, the Ayuntamiento de Valladolid or the Universidad de Valladolid must bring its systems into compliance before it can operate or bid on public contracts. The transitional provision of RD 311/2022 set 5 May 2024 as the deadline for systems already in operation; from that date onwards, operating without compliance constitutes a breach that may bar access to public procurement.

Summum Sistemas approaches ENS compliance from its own area of expertise: the technical implementation of the security controls in Annex II of RD 311/2022. That Annex covers 75 controls organised into three frameworks — organisational, operational and protection measures — and sixteen families, seven of them within the operational block, which includes the op.nub family specifically designed for cloud services. Writing policies is not enough: systems must be configured, services hardened, monitoring deployed, vulnerabilities managed and evidence produced to demonstrate that each control is actually in place and verifiable.

Risk analysis is the core of the process. The ENS requires that the selection and proportionality of security controls be grounded in a formal analysis of the risks to which the in-scope systems are exposed. Summum Sistemas uses the MAGERIT methodology — the CCN's official reference for risk analysis in the context of Spain's public administration — supported by the CCN's own PILAR tool, which enables structured modelling of assets, threats, vulnerabilities and impacts and generates the reports that conformity auditors expect to see. To assess the current level of implementation of each control, we also use INES (Informe Nacional del Estado de Seguridad), the CCN's self-assessment tool, which provides a maturity scorecard by family and control. The result is technically sound, regulation-referenced analysis that can be presented to any ENAC-accredited inspection body.

The Technical Implementation of the ENS in Valladolid for Public-Sector Suppliers process.

The process · four stages
01

Asset inventory and ENS category determination

We build the information asset inventory — hardware, software, data, services and communications — that falls within the ENS scope for your organisation. From that inventory we assess the impact a security incident would have on the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability) for each service delivered to the public administration, and we determine the system category — basic, medium or high — in accordance with Annex I of RD 311/2022. This category is the starting point that determines which Annex II controls are mandatory and which conformity path you must follow.

02

Risk analysis with MAGERIT and threat modelling with PILAR

We carry out the risk analysis following MAGERIT v3 methodology: asset identification, dependency mapping, applicable threats from the MAGERIT catalogue, frequency and impact assessment, and residual risk calculation after safeguards are applied. The modelling is performed with the CCN's PILAR tool, which generates a structured report on assets, threats and risks that can be used directly as technical evidence in the ENS conformity process. The outcome is the objective basis on which Annex II controls are selected and prioritised.

03

Maturity assessment with INES and technical gap mapping

We apply the INES questionnaire (Informe Nacional del Estado de Seguridad) to assess the current implementation level of each of the 75 Annex II controls in the families that correspond to the assigned category. The result is a maturity map by family — from L0 (non-existent) to L5 (optimised) — and a prioritised list of technical gaps that need to be closed, with effort estimates and dependencies between controls. You know exactly where you stand and what needs to be done, without shortcuts and without over-engineering.

04

Technical implementation of Annex II controls

We implement the pending technical controls: OS and service hardening in line with the relevant CCN-STIC guides (511, 570, 610 and vendor-specific ones), configuration of access control and strong authentication mechanisms, deployment of security event logging and monitoring systems, vulnerability management with a documented patching cycle, encryption of communications and storage, and backup configuration in accordance with control mp.info.9 of Annex II. For cloud services, we address the op.nub family controls: provider assessment, supply chain management and cloud-specific access controls.

What is included

What Technical Implementation of the ENS in Valladolid for Public-Sector Suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report with PILAR

    Formal risk analysis following MAGERIT v3, executed with the CCN's PILAR tool: asset inventory, dependency tree, threat and impact assessment, and residual risk calculation. Presentable as technical evidence before ENS conformity auditors.

  • INES maturity assessment by control family

    Implementation status report for the Annex II controls, generated with the CCN's INES tool, with maturity level per family (L0–L5) and a prioritised gap map to be closed before the conformity audit.

  • Documented technical hardening per system

    Application of the relevant CCN-STIC guides to each operating system, service and component in scope: security configuration, removal of unnecessary services, least-privilege management and evidence of every change applied with version and date record.

  • Monitoring and security event management deployment

    Configuration of logging, correlation and alerting mechanisms for security events in accordance with the op.mon and op.exp controls of Annex II: log sources, retention, critical-event alerts and documented technical incident response procedure.

  • Vulnerability management plan and evidence

    Documented cycle for identifying, assessing, prioritising and remediating technical vulnerabilities: periodic scans, prioritisation criteria by criticality and ENS category, patch application records and closure validation. Covers control op.exp.3 of Annex II.

  • Complete evidence package for conformity

    Structured set of all technical documentation required for the declaration of conformity (basic category, under CCN-STIC 809) or for audit by an ENAC-accredited body (medium or high category): reports, screenshots, logs, records and procedures indexed by control family.

Summum cluster

How it connects with its sisters.

The technical implementation of the Annex II controls works best when combined with the documentary and normative layer managed by Summum Calidad: security policy, Declaration of Applicability integrated with ISO 27001, and preparation of the declaration or certificate of conformity. Both teams work in a coordinated way within a single project, with no duplication of effort and a single point of contact for the client.

Frequently asked questions about Technical Implementation of the ENS in Valladolid for Public-Sector Suppliers.

Why do I need ENS compliance if I supply the Junta de Castilla y León or the Ayuntamiento de Valladolid?

Article 2 of RD 311/2022 extends the ENS obligation to the information systems of private entities that provide services to public-sector bodies that are themselves subject to the ENS. The Junta de Castilla y León, the Diputación Provincial de Valladolid, the Ayuntamiento de Valladolid and the Universidad de Valladolid are all subject to the ENS as public administrations. If your information systems interact with any of theirs — because you provide a service, supply software or process data on their behalf — ENS compliance is mandatory and may be required in public procurement tender specifications.

What is MAGERIT and why does the ENS require it?

MAGERIT is the Methodology for the Analysis and Management of Information Systems Risks (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información) developed by the CCN. The ENS requires that the selection and application of Annex II controls be based on a formal risk analysis proportional to the system category. MAGERIT is the CCN's reference methodology for that analysis in the context of Spain's public administration: it allows assets, threats and residual risks to be identified and calculated in a structured, traceable way. ENS conformity auditors are familiar with this methodology and expect to find it documented in the risk analysis evidence.

What is PILAR and what does it contribute to the compliance process?

PILAR is the risk analysis tool developed by the CCN that implements the MAGERIT methodology. It enables modelling of system assets, their dependencies, applicable threats from the MAGERIT catalogue and implemented safeguards, and it generates structured risk and maturity reports. Its use in the ENS compliance process is highly regarded by conformity auditors because it provides traceability and objectivity: results are reproducible, comparable across periods and directly presentable as technical evidence during audit.

How many controls does ENS Annex II contain and which ones apply to my company?

Annex II of RD 311/2022 covers 75 controls organised into three frameworks and sixteen families: the organisational framework (4 controls), the operational framework — with 7 families and 33 controls, including the op.nub family for cloud services — and the protection measures framework — with 9 families and 38 controls. Which controls are mandatory for your company depends on the system category (basic, medium or high) that results from the CIDAT impact analysis. For each control, Annex II specifies whether it applies at basic, medium or high level. Summum Sistemas carries out the diagnostic to determine exactly which subset applies to your specific situation.

What does the op.nub family cover and when does it apply to me?

The op.nub (cloud operation) family within the operational framework of Annex II sets out the specific security requirements for cloud computing services. It applies when the in-scope system uses IaaS, PaaS or SaaS services as part of its architecture. The op.nub controls cover cloud provider assessment, environment segregation, access management in the cloud environment and the cloud services supply chain. For ICT suppliers of the Junta de Castilla y León or the Ayuntamiento de Valladolid that use public cloud infrastructure, this family is particularly relevant and must be explicitly addressed in the risk analysis and compliance plan.

Does Summum Sistemas issue the ENS conformity certificate or declaration?

No. For basic-category systems, the declaration of conformity is issued by the organisation itself through a self-assessment process, in accordance with CCN-STIC 809. For medium- or high-category systems, the conformity certificate must be issued by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any conformity certificate — that is the exclusive remit of ENAC-accredited bodies. What we do is implement the technical controls of Annex II, produce the evidence package and prepare your systems to pass that conformity process with the greatest possible confidence.