Hard2bit
Madrid · ENS · Spain RD 311/2022 · Leganés · Las Rozas · Local presence since 2013

ENS consulting and implementation in Madrid — local, on-site, audit-ready

Hard2bit implements and adapts systems to Spain's National Security Framework (RD 311/2022) and accompanies clients during the ENAC audit. Two offices in Leganés and Las Rozas, deep knowledge of the Madrid public-sector ecosystem and our own ENS HIGH certification. For companies, municipalities and tech providers in the Community of Madrid.

Hard2bit Madrid passes this audit: ENS HIGH category · RD 311/2022 · cert. ENS_2.026.061 · ACCM · ENAC 48/C-PR503
  • Offices in Leganés and Las Rozas
  • Madrid public-sector ecosystem
  • On-site ENAC-accredited audit accompaniment
  • Reuse with ISO 27001 · NIS2 · DORA

  • In Madrid since: 2013 · 13 years
  • Operational offices: 2 · Leganés + Las Rozas
  • Own certification: ENS · HIGH + 5 ISO

Verifiable qualification

Hard2bit Madrid passes the ENS HIGH audit every 2 years — we know how it feels from the other side

We are certified at ENS HIGH category (RD 311/2022) and ISO/IEC 27001:2022. Five ISO certifications of our own and a Pyme Innovadora seal. Our own ENS audit is performed by ACCM under ENAC accreditation. When we prepare a Madrid client, we do it from lived experience — not from a manual.

  • ENS HIGH category (RD 311/2022)
  • ISO/IEC 27001:2022
  • ENS certificate no.: ENS_2.026.061
  • Certification body: ACCM · ENAC 48/C-PR503
  • Validity: Apr 2026 — Apr 2028

Executive summary

What this service covers

For CISOs, IT Managers, compliance leads and Madrid public-sector teams.

Local context

Why an ENS project in Madrid calls for a consultant with local presence

Madrid concentrates the highest density of public administration in Spain: ministries, autonomous bodies and state agencies headquartered in the capital, the regional government of the Community of Madrid, the 178 municipalities of the region and the constellation of related bodies (regional ministries, public foundations, public companies, SERMAS hospitals, universities). The Madrid ENS ecosystem is not just one among many; it is probably the most demanding in the country.

Within that ecosystem, ENS projects typically have tight contractual deadlines, detailed tenders and the need for in-person interaction with public officials. Having a consultant 30 minutes away by car from the client's office, rather than on a video call, changes the rhythm of the project and the outcome of the ENAC-accredited audit.

Hard2bit has been in Madrid since 2013, with operational offices in Leganés (south of Madrid) and Las Rozas (west). We know tenders, calendars, criteria and counterparts of the Madrid public sector. That familiarity accelerates critical phases: scope definition, DICAT categorization, evidence gathering and accompaniment during the audit with the accredited body.

Service scope

What ENS consulting in Madrid covers

Eight modules covering the full lifecycle: from initial categorization through annual internal audit and 2-year renewal. They can be engaged as a full cycle or as stand-alone modules, depending on the starting point.

System categorization (Basic · Medium · High)

Impact analysis across the five DICAT dimensions (Availability, Integrity, Confidentiality, Authenticity, Traceability) and assignment of the correct category — defendable before an ENAC-accredited auditor.

Gap analysis against RD 311/2022

Clear map of non-compliance against Annex II measures, prioritization by criticality and effort, separating quick wins from structural work.

Risk analysis compatible with MAGERIT

Formal evaluation of assets, threats, safeguards and residual risk using the MAGERIT methodology. A defendable basis for justifying decisions before the auditor and the steering committee.

Implementation of technical and organizational measures

Real grounding: identities in Entra ID, hardening, logging, backups, continuity, third parties, encryption, periodic reviews. Not just policies — operations.

Policies, procedures and evidence

Minimum viable documentation oriented to operations and audit. No paperwork bloat. End-to-end traceability: requirement → control → evidence → owner.

Accompaniment during ENAC-accredited audit

We're physically present in Madrid during the official audit: we handle auditor requests, organize evidence in real time, and help clarify scope and technical aspects. The audit is run by ACCM; we're on the client's side.

Annual ENS internal audit

ENS requires periodic internal review of the system. We act as an external internal auditor (not the official audit, but the mandatory internal one) and produce a formal report with its associated action plan.

Post-certification ENS sustainment

Operational cadence between renewals (every 2 years for Medium and High): review of relevant changes, evidence updates, non-conformity management, ongoing support.

Hard2bit methodology

How we work, step by step

Six phases covering the full project cycle, from initial diagnosis through sustainment between renewals. Designed for projects in Madrid with on-site presence when it matters.

  1. Kick-off

    Initial diagnosis and scope

    We define the system in scope, sites, dependencies, third parties, the public-sector relationship and target timeline. In Madrid this commonly involves identifying contracts with the Community of Madrid, Madrid City Council or related bodies.

  2. Categorization

    DICAT categorization and validation

    We determine the category (Basic, Medium or High) across the five DICAT dimensions using defensible criteria. A poorly resolved categorization contaminates the entire project, and it shows when the auditor samples during the ENAC-accredited audit.

  3. Gaps

    Gap analysis and adequacy plan

    We assess gaps against Annex II measures of RD 311/2022. We generate a prioritized backlog with owners, dates and dependencies. Quick wins separated from structural work.

  4. Implementation

    Risk analysis and implementation

    Formal MAGERIT-compatible risk analysis, documented treatment decisions (mitigate / accept / transfer / avoid), technical implementation of measures and evidence collection with end-to-end traceability.

  5. On-audit

    Accompaniment during ENAC-accredited audit

    On-site in Madrid during the official audit. We handle auditor requests in real time, organize evidence on demand, help clarify scope and technical aspects. The audit is run by the accredited body; we are on the client's side.

  6. Sustainment

    Sustainment, renewal and internal audit

    Post-certification: operational cadence, management of relevant changes, mandatory annual internal audit and preparation for the renewal that arrives every 2 years for Medium and High categories.

What we deliver

Project deliverables

A set of artifacts that sustain the ENS lifecycle, from initial categorization to annual internal audit. All the traceability the ENAC-accredited audit requires.

  • Formal system categorization

    DICAT document with justified impact analysis and assigned category. The first piece an ENAC-accredited auditor reviews when sampling.

  • Gap analysis against RD 311/2022

    Measure-by-measure map of Annex II with current state, gap, priority, estimated effort and dependencies.

  • MAGERIT-compatible risk analysis

    Assets, threats, vulnerabilities, safeguards, residual risk and treatment plan, based on defensible criteria.

  • Documentation set: policies, procedures, records

    Minimum viable documentation. No bloat. Clear structure: policy → procedure → record → evidence.

  • Requirement → control → evidence → owner traceability

    Master table connecting each Annex II measure with its operational evidence and its owner. The piece auditors traverse when sampling.

  • Prioritized adequacy plan

    Actionable backlog with owner, date, priority and expected closure evidence. Quick wins separated from structural work.

  • On-site accompaniment during the official audit

    Active presence during ENAC-accredited audit days. On-demand evidence organization, owner support, technical clarification.

  • Annual internal audit report

    Mandatory ENS internal audit with formal report, classified findings and associated action plan. Evidence the system stays alive between renewals.

Why Hard2bit Madrid

Local differentiation that shows up during the project and the audit

Hard2bit is in Madrid — offices in Leganés and Las Rozas

We're not a remote consultant claiming to be from Madrid. We have two operational offices in the region: Leganés (south of Madrid) and Las Rozas (west). We drive there. For accompaniment during ENAC-accredited audit, steering committee sessions, owner workshops or executive presentations, on-site presence changes the outcome.


13 years working within the Madrid ecosystem

Operating in Madrid since 2013. We know tenders, timelines, vocabulary, criteria and counterparts of the Madrid public sector: Community of Madrid, Madrid City Council, the 178 municipalities of the region and related bodies. That familiarity accelerates adequacy and reduces friction.


Hard2bit passes the ENS HIGH audit — and passes it with ACCM

We are certified at ENS HIGH category (certificate no. ENS_2.026.061, issued by ACCM under ENAC accreditation no. 48/C-PR503). We know the ACCM process from the other side of the table. When we prepare a Madrid client, we do it from lived experience, not from a manual.


An ENS Lead Auditor on the team — not a generic consultant

Irene Ocando, head of our compliance practice, audits in ISO 27001, ENS, NIS2 and ISO 22301. Thilina Manana, Director of Operations, is a CQI IRCA ISO/IEC 27001:2022 Lead Auditor. We know what the auditor will ask before they walk in the room.


Specialist team

Who leads the service

Auditors with real experience in ENS projects and the ENAC-accredited certification body. The professionals who sign decisions your organization will defend before the auditor.


Irene Ocando Abreu

Head of Cybersecurity Projects

Senior GRC and compliance specialist with over 30 years of experience. Auditor in ISO 27001, ENS, NIS2, ISO 22301, ISO 20000-1 and ISO 9001. Master's in Data Science (UCAV/Indra). Direct interaction with certification bodies and project experience across Madrid public-sector entities.

  • ISO 27001 Auditor
  • ENS
  • NIS2
  • ISO 22301

Thilina Manana

Director of Operations & Security

Director of Operations & Security and co-founder. CQI IRCA ISO/IEC 27001:2022 Lead Auditor. Operational experience in tech providers serving the Madrid public sector and ENS adequacy projects across cloud, M365 and hybrid environments.

  • CQI IRCA ISO 27001:2022 Lead Auditor
  • Security Operations

Sectors in Madrid

Typical sectors and scenarios in Madrid ENS projects

The concentration of public administration, public health, universities, energy and regulated entities makes Madrid a market where ENS appears across very diverse sectors.

Madrid public administration

Community of Madrid, Madrid City Council, the 178 municipalities of the region and related bodies. ENS mandatory. Typical categories: Medium or High.

Madrid healthcare

Hospitals, primary care, systems linked to SERMAS and private centers with public agreements. Convergence with NIS2 (essential sector) and GDPR.

Higher education

Public and private universities based in Madrid, learning platforms, academic management systems. Typically Medium; critical services may require High.

Energy, utilities and mobility

Essential sectors under NIS2 with strong Madrid presence. ENS applies when systems are linked to public sector or administrative concessions.

Finance and banking

Regulated sector under DORA. ENS applies if there's a relationship with Madrid public administrations (public entities, EU funds, institutional contracts). Multi-framework evidence reuse.

Tech and B2B SaaS

Technology companies in Madrid with public-sector clients or aspiring to have them. Typical category: Medium. Focus on application, cloud, identity and dependencies.

Anonymized case

Case · Madrid-based tech provider with a regional public-sector client

Madrid-based tech provider delivering services to a regional body of the Community of Madrid. The contract required ENS Medium certification within five months. Initial categorization was biased (auto-declared Basic that the system didn't support). We restructured: correct categorization to Medium, gap analysis against Annex II measures, prioritized adequacy plan, implementation of technical measures across cloud and M365, on-site accompaniment during the ACCM audit. Certificate issued on time, no non-conformities.

— Irene Ocando · Head of Cybersecurity Projects

Case summarized and anonymized due to contractual confidentiality. Details available under NDA.

Frequently asked questions

FAQ — ENS in Madrid

Direct answers to the questions we hear most from CISOs, IT Managers, compliance leads and Madrid public-sector officials.

Do you have physical offices in Madrid?

Yes. Hard2bit has two offices in the Community of Madrid: Leganés (south of Madrid) and Las Rozas (west). We have operated since 2013. For meetings, steering committees, owner workshops or accompaniment during the ENAC-accredited audit, we can be on-site.

Does Hard2bit perform the official ENS audit?

No. The official ENS audit is performed by an ENAC-accredited certification body (in many Madrid projects, ACCM). Hard2bit does everything before and alongside: implementation, adequacy, risk analysis, evidence, accompaniment during the official audit and post-certification sustainment. The separation is the right one — a single provider should not be both certifier and consultant.

Do you work with Community of Madrid public bodies?

Yes. We work both with public bodies (municipalities and regional bodies) and with private tech providers holding contracts with Madrid public administrations. Knowledge of the ecosystem (tenders, timelines, counterparts) reduces friction during the project.

What's the difference between ENS for public bodies and ENS for private companies?

The regulatory framework is the same (RD 311/2022), but scope and approach differ. In public bodies, ENS usually applies to the entire system and categorization tends to be Medium or High. In private companies, ENS applies to the system or service under the public-sector contract, and the scope can be defined using sound criteria. The methodology adapts to each case.

How long does an ENS implementation take from scratch?

Typically 6 to 12 months to walk into audit with a clean sample, depending on category (Basic, Medium or High), number of in-scope systems, technical maturity and client team availability. Organizations with ISO 27001 in place can shorten timelines by reusing controls.

Do you cover the 178 municipalities of the Community of Madrid?

We work on demand with municipalities, autonomous bodies and entities tied to Madrid local government. For small municipalities, Basic with self-assessment is typical; for medium and large, Medium with ENAC audit. We adapt effort and timeline to the actual scope.

Do you work on-site or remotely?

Both modes, depending on client preference and project phase. For initial diagnosis, key workshops, steering committees and accompaniment during the official audit, we recommend on-site whenever possible (Madrid makes this easy due to proximity). For documentation review, technical configuration and monthly reporting, remote.

What's your relationship with ACCM or ENAC?

Hard2bit is a client of ACCM: they audit and certify our own ENS HIGH every 2 years under ENAC accreditation. That professional relationship gives us real knowledge of the process from the audited side. We are not part of ACCM or ENAC; we are consultants who know the process from the outside.

Can ENS be combined with ISO 27001 or NIS2?

Yes, and it usually pays off. A well-designed implementation allows reuse of policies, inventories, risk analysis, controls, evidence and reporting across ENS, ISO 27001, NIS2 and DORA. We explain how in the four-framework comparison.

Why choose a Madrid-based consultant over a remote one?

For accompaniment during the ENAC-accredited audit, owner workshops, executive sessions or close work with technical teams, on-site presence changes the outcome. Having the consultant 30 minutes away by car shortens feedback cycles and removes coordination friction when what matters happens in the room. Madrid is also the densest public-administration ecosystem in Spain, and knowing that ecosystem matters.

What does an ENS project in Madrid cost?

It depends on target category (Basic, Medium, High), number of in-scope systems, starting maturity, documentation and technical scope, timeline and on-site/remote modality. The initial diagnostic session is always the first step to scope a proposal. Request it without commitment.

Can you also support NIS2 if it applies to the same system?

Yes. NIS2 coexists with ENS in many sectors (healthcare, energy, transport, public administration). We design projects with a multi-framework lens to reuse evidence and reduce effort. The team covers ENS, ISO 27001, NIS2 and ISO 22301 with the same base methodology.

Let's talk in Madrid

Got an ENS project in Madrid?

A short call to diagnose where the system stands, which category fits the scope, what timeline is realistic and how to walk into the ENAC-accredited audit with sound judgment. On-site in Leganés, Las Rozas or your office.

Page reviewed: 2026-04-28. Hard2bit · Cybersecurity company in Madrid since 2013 · Offices in Leganés and Las Rozas · ENS HIGH category · ISO/IEC 27001:2022