Hard2bit
ENS · Spain RD 311/2022 · Audit-ready

ENS-compliant vulnerability management for Spain's RD 311/2022

Detect, decide, remediate, verify and log — with defendable evidence for an ACCM/ENAC audit. Designed for tech providers serving the Spanish public sector and for any system in scope of the Esquema Nacional de Seguridad (Basic, Medium and High categories).

  • Cadence formalized by ENS category
  • ACCM/ENAC traceable evidence
  • Cloud, M365, Entra ID and third parties covered
  • Reuse with ISO 27001, NIS2 and DORA

Scope

Systems in Basic, Medium or High category

Output

Operational programme + auditable evidence

Approach

Technical + compliance + reporting unified

Verifiable qualification

Hard2bit's vulnerability management runs within its own ENS HIGH-certified scope

We don't just help you comply with ENS: our own organization is certified at ENS HIGH category (Royal Decree 311/2022) and ISO/IEC 27001:2022. Vulnerability management forms part of the ACCM/ENAC-audited scope. We know the deliverables — and the auditor's questions — from the other side of the table.

ENS HIGH category certification compliant with Spain's RD 311/2022 — certificate no. ENS_2.026.061
ISO/IEC 27001:2022 certification
ENS certificate no.
ENS_2.026.061
Certification body
ACCM · ENAC 48/C-PR503
Validity
Apr 2026 — Apr 2028

Executive summary

What this service covers

For CISOs, IT Managers, compliance leads and internal audit.

ENS & vulnerabilities

Why RD 311/2022 demands vulnerability management, not just scanning

Spain's National Security Framework (Esquema Nacional de Seguridad), regulated by Royal Decree 311/2022, is not satisfied by a one-off scan every now and then. What ENS requires — and what an ACCM/ENAC audit verifies — is a full cycle: detection on a formalized cadence, documented decision on every finding, remediation with owner and date, closure verification and traceable logging across the whole process.

That requirement materializes across several measures of Annex II of RD 311/2022. The most direct reference is op.exp.4 — Maintenance and security updates, but vulnerability management also feeds op.exp.10, op.exp.11, op.acc.6, mp.eq.1 and mp.sw.2. In Medium and High categories, all of these measures are audited with a real sample — having the document is not enough; you must show the record.

The most common mistake isn't lacking a scanner: it's lacking the connective tissue around it that turns a scan into auditable evidence. Updated inventory, signed policy, recorded decisions, closure verification and periodic review. That is the difference between a clean ENS certification and a certification with non-conformities.

Annex II, RD 311/2022

ENS measures covered by the programme

Vulnerability management is not a single ENS measure — it feeds several controls in Annex II. These are the most relevant ones and how we connect them with the operational programme:

op.exp.4 · Maintenance and security updates

Basic · Medium · High (reinforced at High)

RD 311/2022 requires identifying, assessing and applying security updates and patches across in-scope systems. Vulnerability management is the operational lever that materializes this measure with defendable evidence.

op.exp.10 · Protection against malicious software

Basic · Medium · High

Detection and response against malicious software. Connects to the vulnerability cycle whenever a patch or hardening change mitigates an exploitable vector.

op.exp.11 · Activity logging

Medium · High

Recording of relevant actions: scans, findings, remediation decisions, validations and exceptions. Without traceable logs, ENAC auditors cannot mark the control as satisfied.

op.acc.6 · Local access

Medium · High

Hardening of access on assets identified as vulnerable. Directly connects with technical remediation that produces operational evidence.

mp.eq.1 · Equipment maintenance

Basic · Medium · High

Technical maintenance and secure configuration of in-scope equipment. Vulnerability management feeds this control with continuous detection and post-change validation.

mp.sw.2 · Acceptance and entry into service

Medium · High

Pre-production validation of software. Vulnerability management provides technical-review evidence before and after deployment.

References cited come from Annex II of Spain's Royal Decree 311/2022, of 3 May, regulating the National Security Framework (Esquema Nacional de Seguridad). Measure codes (op.exp.X, op.acc.X, mp.eq.X, mp.sw.X) are those used in the official text of the RD.

DICAT categorization

What each ENS category demands of vulnerability management

Programme intensity depends on the system's category (Basic, Medium or High), determined by the impact across the DICAT dimensions (Availability, Integrity, Confidentiality, Authenticity, Traceability).

Self-assessment (Declaration of Conformity)

BASIC category

Cadence
Periodic, documented scanning
Audit
Self-assessment. No mandatory external auditor.
Minimum evidence
Asset inventory, management policy, log of relevant findings and remediation plan.

Common entry point for SMEs starting work with Spanish public administration. Lighter, but still requires minimum traceability.

ENAC-accredited audit required

MEDIUM category

Cadence
Recurring scanning with formalized cadence
Audit
Audit by ENAC-accredited body every 2 years. Traceable evidence is required.
Minimum evidence
Active inventory, signed scan logs, documented triage, prioritized backlog, closure evidence and periodic reviews.

Standard for tech providers serving systems with medium impact. The quality of evidence is the difference between a clean certification and audit findings.

Maximum rigor — ENAC audit

HIGH category

Cadence
Higher cadence, additional reinforcements on critical assets and human review
Audit
Audit by ENAC-accredited body with reinforcements on the DICAT dimensions at HIGH level.
Minimum evidence
All of the above + third-party review, cross-validation, auditable KPIs and exhaustive traceability per critical asset.

Essential systems, critical infrastructure, defense, essential state services. Hard2bit operates at this level — we are certified at HIGH category.

Hard2bit methodology

How we build an ENS audit-ready vulnerability programme

Six steps that turn isolated scans into a programme defendable before ACCM/ENAC. Each step leaves a traceable deliverable that goes into the audit dossier.

  1. Scope

    ENS scope and technical categorization

    We map the system under ENS: in-scope assets, dependencies, third parties, sites and accountable roles. We validate the categorization (DICAT dimensions) to understand which reinforcements RD 311/2022 imposes on each asset.

  2. Inventory

    Inventory and exposure — auditable baseline

    We build a real (not paper) technical inventory: hosts, exposed services, identities, M365/Entra ID, cloud, third parties. Without an updated and verifiable inventory, no evidence of vulnerabilities will withstand an ENAC audit.

  3. Detection

    Recurring detection aligned with ENS cadence

    We define frequency, tooling and scan scope based on the ENS category and the asset's criticality. We document the cadence as operational policy so it can be defended in audit.

  4. Triage

    Triage, prioritization and documented decisions

    We validate findings, eliminate false positives and prioritize by ENS criticality, real exposure and exploitability. Every decision (patch, mitigate, accept, transfer) is logged with owner and date — that's what auditors check.

  5. Closure

    Remediation, verification and closure logging

    We coordinate technical remediation with your ITSM/CAB, validate closure via re-scan or manual verification and capture signed evidence. Technical closure without documented verification doesn't count for ENS.

  6. Reporting

    Executive reporting, KPIs and ENS periodic review

    Monthly report with auditable KPIs (MTTR, average exposure, % closed within SLA), quarterly review with leadership and an annual programme review. Direct output to the dossier handed to the ENAC audit.

What we deliver

Deliverables built for ENS audit

We don't ship a PDF. We ship the set of artifacts that defend the op.exp.4 control and connected ones before the ACCM/ENAC auditor, with end-to-end traceability per critical asset.

  • ENS-aligned vulnerability management policy

    Operational document with cadence, owners, prioritization criteria, remediation SLAs and exceptions — the document handed to the ENAC auditor.

  • Inventory of assets in ENS scope

    Hosts, services, identities, dependencies and third parties tagged with criticality across the DICAT dimensions. Maintained and verifiable.

  • Signed log of scans and findings

    Each cycle leaves a record: date, tool, scope, findings and triage. Evidence that the system is being reviewed at the agreed cadence.

  • Prioritized and traceable remediation backlog

    Each vulnerability with owner, priority, plan, target date, status and closure evidence. Direct mapping to the affected ENS controls.

  • Closure evidence per critical finding

    Documented post-remediation verification through re-scan, technical proof or configuration validation. Without it, the control is not deemed satisfied.

  • Monthly executive and technical report

    Auditable KPIs (MTTR, average finding age, % SLA compliance by criticality), exposure trend and prioritized backlog for leadership and engineering.

  • ENS periodic review record

    Quarterly review with the security lead, committee or vCISO. Evidence that the programme is governed, not just executed.

  • Support during ENAC audit

    We prepare technical defenses, address auditor requests and close non-conformities with a documented action plan.
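As an added illustration (example code, not Hard2bit's own tooling) of the backlog and KPI deliverables described above: a small Python script over a constructed backlog that flags the record gaps an auditor samples for (closure without verification evidence, a decision with no owner, a finding open past its target date) and computes MTTR, average age of unclosed findings and SLA compliance by criticality. The record fields, the SLA days and the four findings are assumptions for the example.

```python
from datetime import date
from statistics import mean

# Remediation SLAs in days per criticality. Assumed values for this example:
# RD 311/2022 fixes no numeric cadence, so the organization's own policy sets them.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AS_OF = date(2026, 4, 1)  # constructed reporting date for the monthly report

# Constructed sample backlog (not real client data). Each record carries the fields
# tracked per finding: asset, ENS measure, owner, decision, target date, status, evidence.
BACKLOG = [
    {"id": "VM-001", "asset": "web-portal-01", "criticality": "critical",
     "measure": "op.exp.4", "owner": "platform", "decision": "patch",
     "detected": date(2026, 3, 2), "target": date(2026, 3, 9),
     "status": "closed", "closed": date(2026, 3, 6), "evidence": "rescan-2026-03-06"},
    {"id": "VM-002", "asset": "entra-tenant", "criticality": "high",
     "measure": "op.acc.6", "owner": "identity", "decision": "mitigate",
     "detected": date(2026, 2, 10), "target": date(2026, 3, 12),
     "status": "closed", "closed": date(2026, 3, 20), "evidence": None},  # no re-scan on file
    {"id": "VM-003", "asset": "db-backend-02", "criticality": "medium",
     "measure": "mp.eq.1", "owner": None, "decision": "accept",
     "detected": date(2026, 1, 15), "target": None,
     "status": "accepted", "closed": None, "evidence": None},  # accepted but unsigned
    {"id": "VM-004", "asset": "aws-prod-vpc", "criticality": "high",
     "measure": "op.exp.4", "owner": "cloud", "decision": "patch",
     "detected": date(2026, 3, 1), "target": date(2026, 3, 31),
     "status": "open", "closed": None, "evidence": None},  # open past its target date
]


def audit_gaps(backlog, as_of):
    """Flag records that would not survive an auditor's evidence sample."""
    gaps = []
    for f in backlog:
        if f["status"] == "closed" and not f["evidence"]:
            gaps.append((f["id"], "closed without closure verification evidence"))
        if not f["owner"]:
            gaps.append((f["id"], "no accountable owner recorded for the decision"))
        if f["status"] == "open" and f["target"] and as_of > f["target"]:
            gaps.append((f["id"], "open past its target date with no new decision"))
    return gaps


def kpis(backlog, as_of):
    """MTTR, average age of unclosed findings and SLA compliance by criticality."""
    closed = [f for f in backlog if f["status"] == "closed"]
    unclosed = [f for f in backlog if f["status"] != "closed"]
    mttr = float(mean((f["closed"] - f["detected"]).days for f in closed)) if closed else 0.0
    avg_age = float(mean((as_of - f["detected"]).days for f in unclosed)) if unclosed else 0.0
    # Compliant = closed within SLA_DAYS of detection; breach = closed late or still
    # open after the window. Accepted risks and open findings inside the window are skipped.
    met, measured = {}, {}
    for f in backlog:
        if f["status"] == "accepted":
            continue
        limit, crit = SLA_DAYS[f["criticality"]], f["criticality"]
        elapsed = ((f["closed"] or as_of) - f["detected"]).days
        if f["status"] == "open" and elapsed <= limit:
            continue
        measured[crit] = measured.get(crit, 0) + 1
        met[crit] = met.get(crit, 0) + (1 if elapsed <= limit else 0)
    sla = {c: round(100.0 * met[c] / n, 1) for c, n in measured.items()}
    return {"mttr_days": round(mttr, 1), "avg_open_age_days": round(avg_age, 1),
            "sla_compliance_pct": sla}
```

Run against the sample, `audit_gaps` reports exactly the three records an auditor would reject, and `kpis` shows the SLA breach on the high-criticality findings that the average MTTR alone would hide.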

Why Hard2bit

Differentiation that shows up in the audit

Hard2bit operates under ENS HIGH category — and vulnerability management is within our certified scope

We don't just help with ENS vulnerability management: our own organization is certified under ENS HIGH category (certificate no. ENS_2.026.061, issued by ACCM under ENAC accreditation no. 48/C-PR503), with 73 measures in place and HIGH level across all five DICAT dimensions. Vulnerability management is part of that certified scope. We know the deliverables, the cadence and the auditor's questions from the other side of the table.

View verifiable ENS HIGH certificate →

An actual ENS auditor on the team — not a generic consultant

Irene Ocando, head of our compliance practice, audits in ISO 27001, ENS, NIS2 and ISO 22301. Thilina Manana, our Director of Operations, is a CQI IRCA ISO/IEC 27001:2022 Lead Auditor with hands-on operational experience. We know what the ACCM auditor will ask before the project starts, not after.

View Compliance & GRC pillar →

Real bridge between technical and compliance, not isolated documentation

We tie every finding to an asset, an ENS measure, a piece of evidence and an owner. Vulnerability management doesn't end in a PDF — it ends in a control that passes the ENAC audit.

View generic vulnerability management →

Reuse with ISO 27001, NIS2 and DORA

When the system also lives under ISO 27001, NIS2 or DORA, we reuse analysis, evidence and records. A single well-built piece of evidence can satisfy four frameworks at once. We explain how in the four-framework comparison.

View ENS vs ISO 27001 vs NIS2 vs DORA →

Specialist team

Who leads the service

Auditors and operators with real experience in ENS projects and ACCM/ENAC audits. Not generic profiles: these are the people who sign the decisions an organization later defends before the auditor.

Irene Ocando Abreu

Head of Cybersecurity Projects

Senior GRC and compliance specialist with over 30 years of experience. Auditor in ISO 27001, ENS, NIS2, ISO 22301, ISO 20000-1 and ISO 9001. Master's in Data Science (UCAV/Indra). Direct interaction with certification bodies.

  • ISO 27001 Auditor
  • ENS
  • NIS2
  • ISO 22301
LinkedIn profile →

Thilina Manana

Director of Operations & Security

Director of Operations & Security and co-founder. CQI IRCA ISO/IEC 27001:2022 Lead Auditor. Hands-on experience in security operations and vulnerability management within regulated environments and ENS-certified providers to the Spanish public sector.

  • CQI IRCA ISO 27001:2022 Lead Auditor
  • Security Operations
LinkedIn profile →

Anonymized case

Case · Spanish public-sector tech provider preparing for ENS Medium certification

In a recent project for a tech provider with services contracted by a local administration in Spain, the engagement started as a documentation review ahead of the ENAC audit. What was missing wasn't inventory or scans, but the auditable connection between each finding, its remediation decision and the closure evidence. We restructured the operation in six weeks: policy, cadence, signed records, backlog prioritized by ENS criticality and closure verification. The audit closed with no non-conformities on op.exp.4 or on the connected logging controls (op.exp.11).

— Irene Ocando · Head of Cybersecurity Projects

Case summarized and anonymized due to contractual confidentiality. Technical and client details available under NDA.

What we see fail in audit

Common mistakes in vulnerability management for ENS

Confusing scanning with management

Running a scanner every quarter is not a vulnerability management programme. ENS demands the full cycle: detect, decide, remediate, verify, log.

Outdated asset inventory

When inventory doesn't match the real environment, scans become partial. ENAC audits look for end-to-end traceability: asset → vulnerability → closure.

Not recording non-remediation decisions

Accepting a risk is valid if justified and signed off. Failing to record that decision turns it into an audit finding.

Closing without verifying

Marking a vulnerability as closed without a re-scan or technical validation leaves the control without evidence. One of the most common findings in ENS certification.

Skipping periodic programme review

ENS demands governance, not only operations. Without a periodic review record signed by leadership or a vCISO, the control is considered incomplete.

Treating third parties and cloud as out of scope

M365, Entra ID, AWS, Azure, GCP and tech vendors are typically inside ENS scope. Vulnerability management must cover them with the same traceability.

Who it's for

Typical sectors and scenarios

Public administration and local government bodies

ENS is mandatory. Vulnerability management is one of the controls most frequently audited by ACCM/ENAC. Applies to internal management systems, e-government portals and citizen-facing services.

Tech providers to the Spanish public sector

Private companies acting as contractors or subcontractors. ENS applies to the system or service under contract — including the vulnerability cycle of in-scope components.

B2B SaaS with public-sector clients in Spain

SaaS handling information for Spanish public bodies. Typical category: Medium or High. Vulnerability management must cover application, infrastructure and cloud dependencies.

Healthcare, education and essential services

Sectors with high regulatory sensitivity. ENS coexists with NIS2 and GDPR. Vulnerability management feeds evidence for all three frameworks at once.

Regulated critical infrastructure

HIGH category is typical. Requires reinforcements in cadence, validation and traceability. Hard2bit operates natively at this level.

Frequently asked questions

FAQ — vulnerability management and ENS

Direct answers to the questions we hear most from CISOs, IT Managers, compliance leads and internal auditors.

Does the ENS require vulnerability management?

Yes. RD 311/2022, Annex II, includes operational measures requiring identification, assessment and application of security updates across in-scope systems. Measure op.exp.4 is the most direct reference, although vulnerability management also feeds op.exp.10, op.exp.11, op.acc.6 and mp.eq.1. In Medium and High categories it is one of the most-reviewed controls during ENAC audit.

What scan cadence does ENS require?

RD 311/2022 doesn't fix a single numerical frequency. Cadence must be proportional to asset criticality and to the system's category (Basic, Medium or High). The organization formalizes the frequency in its policy, justifies it and sustains it over time. The ENAC auditor then verifies the cadence is met and that traceable evidence exists.

Is a quarterly scanner run enough to comply with ENS?

No. An isolated scan is not vulnerability management. ENS requires a full cycle: detection, triage, documented decisions, remediation, verification and logging. Without that cycle and traceable evidence, the control is not satisfied at the ENAC audit, especially for Medium and High categories.

What evidence does an ACCM/ENAC auditor expect on vulnerabilities?

Signed operational policy, inventory of in-scope assets, scan logs with date and scope, documented triage, backlog prioritized by criticality, closure evidence per finding (re-scan or technical validation), KPIs and a periodic review record signed by leadership or the security lead. The auditor reviews a real sample, not just the document.

What are the differences between Basic, Medium and High in vulnerability management?

Basic allows self-assessment: policy, inventory and minimum logging. Medium requires an ENAC-accredited audit with formalized cadence, traceable records and prioritized backlog. High adds reinforcements on critical assets, cross-validation, auditable KPIs and exhaustive traceability. Hard2bit operates at HIGH category — certified.

How does ENS vulnerability management fit with ISO 27001 or NIS2?

It fits very well. ISO 27001 (controls A.8.8 and A.8.9), NIS2 (vulnerability and risk management) and ENS (op.exp.4 and connected) share nearly identical requirements. A well-designed implementation can satisfy all three frameworks at once if the evidence is built with traceability. We explain how in the ENS vs ISO 27001 vs NIS2 vs DORA comparison.

Does Hard2bit also execute remediation, or just detect?

We execute the full cycle when in scope: detection, triage, coordination with your ITSM/CAB, patching, hardening, cloud or IAM changes and closure verification. Your organization keeps decision-making; we provide the operations, the evidence and the traceability for ENS audit.

How long does it take to set up ENS-compliant vulnerability management from scratch?

An operational and auditable programme is typically built in 6–10 weeks: scope, inventory, policy, first scan cycle, triage and prioritized backlog. The governance side (periodic review, record, KPIs) consolidates within the first quarter. Organizations already certified under ISO 27001 can shorten timelines by reusing existing evidence.

Does it cover cloud assets, M365 and Entra ID?

Yes. ENS-compliant vulnerability management must cover any in-scope asset, including Microsoft 365, Entra ID, Azure, AWS, GCP and third-party dependencies. Excluding cloud or identity from the programme is one of the most frequent findings in ENS audits of modern tech providers.

What if the auditor finds an unremediated critical vulnerability?

If it's identified, prioritized and tracked with a documented action plan, it isn't necessarily a non-conformity — it's a managed vulnerability. It becomes a problem when there is no record, no documented decision or no closure verification. The line between a clean certification and a finding usually lies in evidence quality, not in the absence of vulnerabilities.

Can it be combined with a managed SOC service?

Yes — and it's the strongest combination for ENS Medium or High. Vulnerability management feeds the 24/7 managed SOC with critical assets to monitor; the SOC feeds the programme back with active-exploitation detection. Both share inventory, records and evidence.

Does Hard2bit support during the ENAC audit itself?

Yes. We prepare technical defenses, organize evidence by audited control, address auditor requests and, if findings appear, close non-conformities with a documented action plan. Audit support is included in the service when the full programme is contracted.

Let's talk

Walk into your next ENS audit without surprises

A short call to review scope, category and starting point. You'll leave with clear quick wins, an effort estimate and which evidence to reinforce ahead of the next ACCM/ENAC audit cycle.

Page reviewed: 2026-04-28. Hard2bit · Cybersecurity company in Spain since 2013 · ENS HIGH category · ISO/IEC 27001:2022