Spain's Esquema Nacional de Seguridad, approved by Royal Decree 311/2022 of 3 May, applies not only to public administrations but also to private suppliers whose information systems interact with those of the public sector. In the Palencia area, this means that any technology company providing services to the Diputación Provincial de Palencia, the Ayuntamiento de Palencia, or any dependent body — the Instituto Provincial de Bienestar Social, municipal autonomous bodies, local consortia — must align its systems with the applicable security category: basic, medium or high, depending on the impact that a security incident would have on the five CIDAT security dimensions (confidentiality, integrity, availability, authenticity and traceability). The transitory provision of RD 311/2022 set 5 May 2024 as the final deadline for pre-existing systems. Operating without compliance is already a formal breach that jeopardises the ability to bid for public contracts and can transfer liability to the contracting administration.
Annex II of RD 311/2022 sets out 75 security measures distributed across three frameworks and sixteen families. The organisational framework (four families) regulates the security policy, internal regulations, operating procedures and the system authorisation process. The operational framework (seven families) covers planning, access control, operations, external services — including the op.nub cloud family, particularly relevant given the growing use of SaaS platforms by Palencia public bodies — service continuity, system monitoring and acquisition of new components. The protection measures framework (five families) addresses facilities and infrastructure, personnel management, equipment, communications, information media, applications and integration into the development lifecycle, and protection of services. Summum Sistemas implements these measures on real production systems, not just on paper: each measure is technically operational and documented with verifiable evidence.
The risk analysis methodology required by the ENS in Spain is MAGERIT, developed by the Higher Council for e-Government Administration. MAGERIT structures the analysis across three volumes: the method (analysis and treatment process), the element catalogue (assets, threats, typed safeguards) and the techniques guide. Summum Sistemas applies the current version of MAGERIT to the organisation's real asset inventory — servers, applications, networks, data, personnel — assesses threats against each asset, calculates intrinsic and residual risk after safeguards, and produces the risk report documenting treatment decisions. This analysis is not a generic template: it is performed specifically on the systems within the ENS scope and modelled using the CCN's PILAR tool, whose XML-exportable output can be directly used by conformity auditors and by the contracting administration when requesting evidence of the supplier's security posture.