Real Decreto 311/2022, of 3 May, approves Spain's National Security Framework and updates the requirements that public-sector bodies and their suppliers must apply to their information systems. In León, the main bodies subject to the ENS are the Diputación de León — which provides services to dozens of municipalities across the province and manages both its own and delegated information systems — the Ayuntamiento de León, and the Universidad de León (ULE), whose research and academic management activities generate an ecosystem of technology suppliers that in many cases have not yet completed their conformity process. Operating without conformity constitutes a breach that can block access to tenders and contracts with these bodies, since public procurement regulations require that the applicable security requirements be met for each contract.
Article 2 of RD 311/2022 extends the ENS's scope to private entities that provide services or solutions to public-sector bodies. This includes software integrators, management application developers, cloud service providers (with particular attention to the op.nub family of Annex II controls), TIC infrastructure maintenance companies and any organisation that processes data on behalf of a public body in León. The level of demand depends on the system category — basic, medium or high — determined in accordance with Annex I of RD 311/2022 based on the potential impact of a security incident across the five CIDAT dimensions (confidentiality, integrity, availability, authenticity and traceability). The category also determines the conformity route: basic category permits a self-assessed declaration of conformity; medium and high categories require certification by an inspection body accredited by ENAC under the UNE-EN ISO/IEC 17065 standard.
Annex II of RD 311/2022 organises the mandatory security controls into 75 measures distributed across three frameworks — organisational framework, operational framework and protection measures — and sixteen families. The operational framework covers seven families and thirty-three measures, including the op.nub family, specific to cloud services, whose relevance has grown considerably as León's public administration has adopted cloud solutions for its internal management and citizen-facing systems. At Summum Sistemas we address each of these families from a technical standpoint: risk analysis using the MAGERIT methodology and the CCN's PILAR tool, secure configuration of operating systems and services, vulnerability management, privileged access control, security event monitoring and correlation (SIEM), communications and storage encryption, and continuity plans aimed at guaranteeing service availability at the levels required by the contracted system.