Hard2bit
Public sector · ENS · NIS2 · CCN-STIC Regional governments · Councils · Agencies · Defense · Judiciary

Cybersecurity for Spanish public administration

ENS adequacy, NIS2 compliance and recurring operations on the client's side

For autonomous communities, city councils, provincial councils, autonomous bodies, state agencies, defense, judiciary and tech providers serving the Spanish public sector. Adequacy to ENS RD 311/2022 (Spain's National Security Framework), NIS2 compliance as essential sector and recurring operations with CCN-STIC as technical reference. We don't replace the auditor — we sit on the public-sector client's side.

ENS HIGH category — RD 311/2022 · cert. ENS_2.026.061 · ACCM · ENAC 48/C-PR503. We pass this audit ourselves: operational credibility.
  • ENS mandatory across the entire public sector
  • NIS2 essential sector for public administration
  • DFIR retainer for municipal ransomware
  • CCN-STIC as operational reference

Subsectors

8 covered · all public-sector levels

Regulatory framework

ENS · NIS2 · LRJSP · LPACAP · ENI

Approach

Compliance + technical + DFIR unified

Verifiable qualification

Own ENS HIGH certification — operational credibility before the public-sector client

Hard2bit is certified at ENS HIGH category (RD 311/2022) and ISO/IEC 27001:2022. We pass our own audit with ACCM under ENAC accreditation every two years. When a Spanish public administration hires us, we don't enter as an outside consultant explaining ENS — we enter as an organization that lives its own ENS HIGH and knows the process from the audited side.

ENS HIGH category certification — RD 311/2022 — certificate no. ENS_2.026.061
ISO/IEC 27001:2022 certification
  • ENS certificate no.: ENS_2.026.061
  • Certification body: ACCM · ENAC 48/C-PR503
  • Validity: Apr 2026 — Apr 2028

Executive summary

What this page covers

For security officers, IT managers, secretaries and council financial controllers.

Sectoral context

Why cybersecurity in the Spanish public sector demands a specific approach

Spain's public sector operates under a dense, country-specific regulatory landscape: ENS RD 311/2022 mandatory across the entire sector, NIS2 as essential sector, GDPR with a public-sector-specific regime, Laws 40/2015 and 39/2015 defining the e-government portal and electronic procedure, ENI for interoperability, and an extensive CCN-STIC body of guidance as practical technical reference. Compliance isn't optional here — it's a public function.

On top of that framework sits an operational reality with its own asymmetries: small and mid-sized municipalities with limited IT budget and shared tech providers; legacy systems coexisting with modern citizen-facing services; the e-government portal as a critical, highly visible asset; municipal ransomware as a recurring threat that paralyzes the citizen census, tax collection and front-desk operations; and an administrative calendar (budgets, council plenary sessions, fiscal year-ends) that often dictates project timelines more than any technical roadmap.

Hard2bit addresses the Spanish public sector by combining compliance (ENS, NIS2, public-sector GDPR regime, integration with CCN-STIC), recurring technical capability (SOC/MDR, vulnerability management, hardening, infrastructure audit) and ransomware-ready response (24/7 retainer + forensics with chain of custody). We don't replace the auditor: we always sit on the public-sector client's side, opposite the ENAC-accredited body.

Audience

Subsectors we cover within Spanish public administration

The Spanish public sector spans very different levels: state, regional, provincial, local. And within each level, entities with different operational and regulatory needs. We adapt the service to each.

Autonomous communities and regional ministries

Spain's 17 regional governments and their consejerías (regional ministries) running their own systems and citizen-facing services. ENS typically Medium or High category. NIS2 overlap when regional critical infrastructure is involved.

City councils and local entities

Provincial capitals, mid-sized municipalities and small towns. Recurring targets of municipal ransomware with direct impact on the citizen census (padrón), tax collection, public registry and citizen services. ENS applies based on category assigned to each system.

Provincial councils and island councils

Spain's intermediate administration (diputaciones, cabildos, consells insulares) operating shared services, technical assistance for small municipalities and common platforms (multi-municipal e-government, citizen census, tax collection). Multi-entity ENS adequacy is common.

Autonomous bodies and state agencies

Public entities with their own legal personality attached to ministries or regional ministries. ENS mandatory, with typical scenarios in Medium or High categories depending on the citizen-facing service.

Public companies and foundations

Public-owned companies (state, regional or municipal) and foundations within the public sector. ENS applies to the scope tied to public-sector services; ISO 27001 is common when there's a mix of private and public clientele.

Defense, security and emergencies

Systems linked to defense, law enforcement, civil protection and emergency services. ENS category typically High. Crossover with CCN-STIC (technical guidance from Spain's National Cryptologic Centre), critical infrastructure law and sector-specific regulation.

Judiciary: courts, prosecution and public registries

Judicial case management systems, prosecution, public registries (commercial, property, civil) and associated services. Particularly sensitive data, procedural traceability and tightly interconnected architecture across public administration.

Tech providers to the public sector

Private companies providing technology services to Spanish public administration through contracts or tender awards. ENS applies to the system or service under contract. Category defined by the public client or by the contracted scope.

Regulatory framework

Regulation applicable to the Spanish public sector

A dense but coherent framework. We design projects to reuse evidence across regulations and reduce the documentation burden that often suffocates entities without delivering real security.

ENS — Spanish Royal Decree 311/2022

Spain's National Security Framework (Esquema Nacional de Seguridad). Mandatory for all Spanish public-sector entities and for their tech providers under contract. Categories Basic, Medium or High depending on impact across the DICAT dimensions (Availability, Integrity, Confidentiality, Authenticity, Traceability). Audited by ENAC-accredited certification bodies.

NIS2 — Directive (EU) 2022/2555

EU-wide cybersecurity directive. Public administration is one of the 11 essential sectors under NIS2. Applies to entities above the thresholds set in Spain's national transposition and to critical tech providers serving the public sector. Coexists with ENS — most evidence is reusable.

GDPR + Spanish LOPDGDD public-sector regime

GDPR with Spanish complementary law (LOPDGDD) and a specific public-sector regime: lawful basis usually grounded on public interest or exercise of official authority, mandatory record of processing activities and a separate sanctions regime. Citizen data is frequently special-category.

Spanish Laws 40/2015 and 39/2015

Spanish laws governing the public-sector legal regime (40/2015) and electronic administrative procedure (39/2015). They mandate e-government portals, electronic registry, electronic identification and signature, electronic archiving and electronic notifications. The operational backbone of public-sector IT.

ENI — National Interoperability Framework (RD 4/2010)

Spain's interoperability framework for the public sector. Defines how public bodies exchange information among themselves and with citizens. Coexists with ENS and is complemented by CCN-STIC technical guidance.

CCN-STIC — National Cryptologic Centre guidance

An extensive body of technical guidance (over 800 documents) published by Spain's CCN. Practical operational reference for implementing ENS in real systems: hardening, secure configuration per product, incident management, cryptography and security architecture.

eIDAS Regulation and electronic signature

EU regulation on electronic identification and trust services (eIDAS) and the associated Spanish framework. Foundation for electronic signature, time-stamping, qualified certificates and trust services that are essential in any Spanish public-sector e-government portal.

Spanish Critical Infrastructure Protection Law (8/2011)

For public-sector entities responsible for or linked to critical infrastructure (energy, water, transport, public communications). Coexists with ENS and NIS2 with a specific focus on operators designated by Spain's CNPIC.

Hard2bit applicable services

Core services for public-sector entities

Ten Hard2bit catalog services applied to the public-sector context. Engaged complete, by blocks or as incident response with 24/7 DFIR retainer.

ENS adequacy and ENAC-accredited audit accompaniment

Adequacy to RD 311/2022 with DICAT categorization, gap analysis, plan, evidence and accompaniment during the audit with the ENAC-accredited body. Reusable with NIS2 and ISO 27001.

ENS audit readiness

Pre-audit, mock audits with real questions, gap closure plan and on-site accompaniment during the official audit. Designed for entities facing an upcoming audit or 2-year renewal cycle.

ENS-aligned vulnerability management

Operational vulnerability management cycle aligned with ENS cadence and ENAC-audit-defendable evidence. One of the most-audited measures in Medium and High categories.

NIS2 — public administration as essential sector

NIS2 compliance for public-sector entities within the directive's scope. Evidence reuse with ENS to reduce effort and simplify supervisor reporting.

24/7 SOC/MDR with criticality-based SLAs

Detection, investigation and response 24/7, focused on public-sector scenarios: municipal ransomware, identity abuse over AD/M365, attacks on e-government portals and exfiltration precursors.

24/7 incident response retainer

24/7 contract with activation in minutes and prior readiness onboarding. For city councils and entities where in-house DFIR capability doesn't exist and incidents demand immediate response.

Infrastructure and network audit

Technical review of network, segmentation, Active Directory, M365/Entra ID, hardening and hybrid environments. Prioritized backlog and 30/60/90 plan with evidence useful for ENS audit and supervisory reporting.

Pentesting and offensive validation

Web, infrastructure, identity and cloud pentesting on public-sector systems. Special care with e-government portals, citizen-facing services and critical administrative systems. Under coordination protocol.

Digital forensics and expert reports

Technical forensic investigation with chain of custody for disciplinary, regulatory or judicial proceedings. Useful when an incident requires traceability for the data controller or competent authority.

vCISO for small entities

Virtual CISO for mid-sized and small city councils, public foundations and entities with limited security headcount. Security governance, steering committees, auditor liaison and framework continuity between projects.

Hard2bit methodology

How we work with Spanish public-sector entities

Six phases adapted to the institutional reality: dense regulatory framework, administrative calendar, dependence on tech providers and citizen-facing services as critical assets.

  1. Institutional diagnosis and scope

    We understand the entity type (autonomous community, city council, autonomous body, public foundation, agency, defense, judiciary), citizen-facing services, legacy systems, dependence on tech providers, contractual framework with the parent administration and administrative timelines.

  2. DICAT categorization and regulation map

    ENS categorization across in-scope systems. Additional mapping of NIS2 if applicable by scale, GDPR public-sector regime, Law 40/2015 and relevant CCN-STIC guidance. No regulatory bloat — only what truly applies.

  3. Gap analysis against RD 311/2022 and plan

    Gaps against Annex II of RD 311/2022 with backlog prioritized as blocking / recommended / optional. Quick wins to reduce technical exposure ahead of contractual deadlines with the parent administration.

  4. Implementation with CCN-STIC as reference

    Technical landing of measures: hardening, segmentation, M365/Entra ID, vulnerability management, monitoring, backups and continuity. CCN-STIC guidance is the standard operational reference in the Spanish public sector.

  5. ENAC-accredited audit accompaniment and reporting

    Accompaniment during the audit with the accredited body. Periodic reporting to the security officer, governance committee and, when applicable, to the parent administration (regional ministry, ministry, provincial council).

  6. Sustainment and 2-year renewal

    After certification: operational cadence, management of relevant changes, mandatory annual internal audit and preparation for the renewal due every 2 years for Medium and High categories. Continuous work, not a one-off project.

Why Hard2bit in the public sector

Differentiation that shows up before the public-sector client

Own ENS HIGH certification — operational credibility before public-sector clients

Hard2bit is certified at ENS HIGH category (cert. ENS_2.026.061, ACCM under ENAC 48/C-PR503). When a Spanish public administration hires us, we don't enter as an outside consultant explaining ENS — we enter as an organization that lives its own ENS HIGH and knows the process from the audited side.

Compliance + technical capability + DFIR unified on incident day

The Spanish public sector faces ransomware regularly. The combined capability of compliance (maintain evidence and reporting), technical (segmentation, hardening, monitoring) and incident response (24/7 retainer + forensics with chain of custody) shortens response windows when an incident hits.

13 years in the Spanish ecosystem, offices in Madrid

Operating since 2013. Offices in Leganés and Las Rozas in the Community of Madrid, where the highest density of Spanish public administration concentrates. We know tenders, administrative calendars, criteria and counterparts of the Spanish public sector.

Strict confidentiality, no client names on public pages

Given the nature of the public sector, we don't publish nominative references of public entities that hire us. Specific details are shared in direct conversation with confidentiality commitment from both sides.

Representative scenario

Scenario · mid-sized Spanish municipality rebuilding its ENS programme after a ransomware incident with tech-provider transition

A Spanish municipality of around 80,000 inhabitants suffered a ransomware attack with partial encryption of administrative systems (citizen census, tax collection, internal management) over a long-weekend bank holiday. Internal technical capacity was limited and the contract with the usual tech provider was in renewal process, adding transition complexity during the incident. The project was organized in four parallel tracks: containment and forensics with chain of custody, prioritized recovery of citizen-facing services (census and front-desk operations first, registry and tax collection second), rebuild of the ENS programme from categorization onwards with the new provider chain, and a communication plan to citizens and the municipal council. The audit with the accredited body was completed within the contractual administrative timeline; the incident was documented with lessons learned, and a 24/7 retainer was consolidated so the next attempt would not find the same structure.

Frequently asked questions

FAQ — cybersecurity in Spanish public administration

Direct answers to questions we hear most from security officers, secretaries, financial controllers and IT directors in the Spanish public sector.

Is ENS mandatory for my city council or public entity?

Yes. Spanish RD 311/2022 establishes the ENS obligation for the entire Spanish public sector, including city councils, autonomous communities, provincial councils, autonomous bodies, state agencies, public foundations and linked entities. The applicable category (Basic, Medium or High) depends on impact across DICAT dimensions and on services provided to citizens.

Does Hard2bit perform the official ENS audit of a public entity?

No. The official ENS audit is performed by an ENAC-accredited certification body (in many projects, ACCM). Hard2bit is a consultant: we implement, adapt, prepare evidence and accompany clients during the audit with the certification body. Separation between certifier and consultant is the right model and what serious public-sector buyers expect.

Do you work with small and mid-sized Spanish city councils?

Yes. We adapt effort and modality to size: for small municipalities, Basic category with self-assessment plus vCISO is typical; for mid-sized ones, Medium with ENAC-accredited audit. Provincial councils or island councils often offer shared platforms worth leveraging to avoid duplicate effort.

What happens if our tech provider changes during the ENS cycle?

It's a common, manageable scenario when handled well. ENS adequacy responsibility lies with the public entity (it's the data controller and system owner), not the specific provider. The change requires updating inventory, contracts, access, keys and traceability of the new services; the audit must accept the transition if documented. We accompany that transition without breaking the cycle.

How does ENS relate to NIS2 in the Spanish public sector?

Spanish public administration is an essential sector under NIS2 when it exceeds national transposition thresholds. ENS and NIS2 coexist and share most evidence if the project is designed with shared traceability. We explain it in the framework comparison.

Do you cover defense, judiciary or entities with classified information?

We work with Spanish public-sector entities at ENS High category, which covers most institutional non-classified scenarios. For classified information processing (under ENS or specific defense regulation), additional accreditation requirements apply and are assessed case by case before scope is committed.

How long does an ENS project take in a Spanish public administration?

Typically between 6 and 12 months to walk into audit with a clean sample, depending on category, number of in-scope systems, technical maturity and internal staff availability. Entities with ISO 27001 already in place or that reuse parent-administration platforms can shorten the timeline significantly.

Do you offer an incident response retainer for Spanish municipalities?

Yes. The 24/7 retainer includes activation in minutes, preventive hours bundle and prior readiness onboarding on the entity's architecture. Designed especially for municipalities and small entities where in-house DFIR doesn't exist and ransomware doesn't wait for office hours.

Do you use CCN-STIC as technical reference?

Yes. The CCN-STIC body of guidance from Spain's National Cryptologic Centre is the standard technical reference for implementing ENS in real Spanish public-sector systems. We use it as operational basis for hardening, per-product configuration, incident management and security architecture, complemented with internal guidance and project experience.

How do you report to the parent administration or supervisor?

When applicable (responsible regional ministry, ministry, provincial council, NIS2 competent authority or CCN-CERT for incidents), we prepare reporting in the format useful for that interlocution. The formal line with the parent administration is always handled by the public entity; we provide the technical information and necessary evidence.

What happens with the e-government portal and citizen services?

The e-government portal and citizen services (citizen census, tax collection, registry, appointments) are usually the most exposed assets and have the highest reputational impact when down. We treat them as critical scenarios in DICAT categorization, in pentesting and in continuity plans. An e-government portal outage is an event citizens see and councils judge.

What confidentiality do you offer?

We operate with a strict confidentiality commitment as standard practice. We don't publish nominative references of public-sector clients on landing pages or public materials. Specific details are handled in direct conversation.

Let's talk

Is your public-sector entity where it wants to be?

A short call to diagnose where the system stands, which frameworks apply (ENS, NIS2, ENI, CCN-STIC), which risks are critical for citizen-facing services and where it makes sense to start. Confidential conversation, no commitment.

Page reviewed: 2026-04-28. Hard2bit · Cybersecurity company in Spain since 2013 · ENS HIGH category · ISO/IEC 27001:2022