ENS Compliance & Certification: The Spanish Standard for Digital Sovereignty.
Compliance with the Esquema Nacional de Seguridad (ENS, Royal Decree 311/2022) is often a contractual requirement to work with Spanish public administration, and a strong signal of security maturity. We help you achieve audit-ready compliance for Basic, Medium and High categories.
What RD 311/2022 changes in practice
The ENS update via Royal Decree 311/2022 reflects a more demanding threat landscape. For many organizations, the biggest shift is moving from “point-in-time compliance” to a model that expects continuous oversight.
At Hard2bit, we deliver a pragmatic roadmap so the certification process does not block operations — it strengthens them through measurable controls, governance, and evidence.
NIS2 alignment
We align ENS controls with European requirements to reduce duplicated effort and improve traceability.
Audit readiness
We support you end-to-end: scoping, evidence, remediation and preparation for an accredited conformity assessment.
ENS security dimensions
ENS evaluates security across key dimensions that we assess in depth:
- Confidentiality: Information is accessible only to authorized individuals.
- Integrity: Assurance that information has not been altered in an unauthorized manner.
- Availability: Access to services and systems when needed (continuity).
- Authenticity & Traceability: Unambiguous identification and logging of relevant actions.
System categorization
The technical requirements depend on the nature and impact of the information and services involved.
| Category | Risk profile | Audit requirement |
|---|---|---|
| Basic | Low-impact systems. Supervised self-assessment. | Every 2 years (self-assessment) |
| Medium | Moderate impact on critical services or sensitive data. | External audit (mandatory) |
| High | Essential systems, critical infrastructures or highly protected data. | External audit (highest rigor) |
Our compliance methodology
Gap Analysis
Assess your current state against RD 311/2022 requirements and ENS controls.
Risk Assessment (PILAR)
Perform a structured risk assessment using official methodologies (e.g., PILAR) where applicable.
Policies, Procedures & Evidence
Build the required governance set and evidence for audit readiness and continuous oversight.
Ready to work with the public sector?
Obtain ENS compliance with a specialized, audit-ready approach.
ENS FAQ
Is ENS mandatory for private companies?
Yes, if you provide services/solutions to Spanish public administration or process public-sector information. ENS is commonly required in public tenders and contracts.
How long is the certification valid?
Typically 2 years, with follow-up reviews. The updated ENS model emphasizes continuous oversight and reviews after significant changes.
Can we rely on an external CISO during ENS adequacy?
Yes. A virtual CISO (vCISO) service fits particularly well in ENS projects where the organization doesn't have an internal security leadership role: governance, steering committees, risk analysis, auditor liaison and continuity of the framework after the declaration or certification.
How does ENS compare to ISO 27001, NIS2 and DORA?
ENS, ISO 27001, NIS2 and DORA coexist and largely reuse the same evidence if the project is designed with traceability. See the full side-by-side in the ENS vs ISO 27001 vs NIS2 vs DORA comparison, which helps decide sequencing and where evidence can be shared across frameworks.
Do you also help us prepare for the ENAC-accredited audit itself?
Yes. Hard2bit does not perform the official ENS audit (that is done by an ENAC-accredited body, such as ACCM). We sit on the client's side: pre-audit, mock audits with real questions, gap closure plan and on-site accompaniment during the official audit. See ENS audit readiness service for the full scope.
Start an ENS project
Tell us your target category (Basic/Medium/High) and we’ll propose a realistic delivery plan.