The Esquema Nacional de Seguridad, approved by Royal Decree RD 311/2022 of 3 May, is not a documentary management standard: it is a technical-operational framework that requires the genuine implementation of security measures on information systems. Annex II of RD 311/2022 organises those measures into three frameworks — organisational, operational and protective — structured across 16 families and 75 specific measures, with different requirements depending on the category of the system (basic, medium or high). Operational measures include the op.nub family for cloud computing, which is especially relevant for suppliers offering SaaS or cloud infrastructure services to the Burgos public administration. Complying with the ENS means those measures are technically implemented, configured and verifiable — not merely drafted into a policy document.
In Burgos, the main public-sector bodies subject to the ENS are the Diputación Provincial de Burgos, the Ayuntamiento de Burgos and the Universidad de Burgos (UBU). All three contract technology services, management software, connectivity and system maintenance from private companies. When a company based in Burgos — or with ambitions to tender in the province — seeks to access that contracting market, it must demonstrate that its own systems comply with the ENS at the category corresponding to the service provided. This is not a future requirement: the sole transitional provision of RD 311/2022 set 5 May 2024 as the deadline for existing systems. New systems must comply from the moment they go into production.
Summum Sistemas approaches the compliance process from an engineering standpoint. The starting point is a risk analysis following the MAGERIT methodology (Metodología de Análisis y GEstión de Riesgos de los sistemas de Información de las Administraciones Públicas), the CCN's reference methodology for the ENS. We use the PILAR tool (Procedimiento Informático-Lógico para el Análisis de Riesgos), developed by the Centro Criptológico Nacional, which models assets, threats and safeguards in a traceable way and produces a residual risk report that can be directly referenced before the auditing body. Once the risks are identified, we design and implement the technical safeguards from Annex II that close the detected gaps: access control (op.acc), service continuity (op.cont), monitoring and audit (op.mon), communications protection (mp.com) and user workstation protection (mp.eq), among others. For verification of the conformity status we use INES (Instrumento Nacional de Evaluación de la Seguridad), the CCN platform that generates the ENS system status report and serves as the basis for the basic-category declaration of conformity.