Ciberseguridad y cumplimiento

Technical implementation of the ENS in Palencia for public-sector suppliers

The Diputación Provincial de Palencia and the Ayuntamiento de Palencia require their technology contractors and suppliers to demonstrate compliance with Spain's Esquema Nacional de Seguridad before awarding contracts that involve access to their information systems. RD 311/2022 (BOE-A-2022-7191), of 3 May, leaves no room for doubt: if your company operates systems that interconnect with those of any Palencia public-sector entity, you must comply and prove it. Summum Sistemas approaches this process from the technical angle that matters most to security and IT departments: risk analysis using the MAGERIT methodology, modelling and evaluation with the CCN's PILAR tool, real implementation of all 75 Annex II measures across the three frameworks, and preparation of the technical evidence that the conformity auditor will require.

RegulationRD 311/2022 · BOE-A-2022-7191
Local scopeDiputación de Palencia · Ayuntamiento de Palencia
ApproachTechnical implementation: MAGERIT · PILAR · INES · Annex II ENS

Spain's Esquema Nacional de Seguridad, approved by Royal Decree 311/2022 of 3 May, applies not only to public administrations but also to private suppliers whose information systems interact with those of the public sector. In the Palencia area, this means that any technology company providing services to the Diputación Provincial de Palencia, the Ayuntamiento de Palencia, or any dependent body — the Instituto Provincial de Bienestar Social, municipal autonomous bodies, local consortia — must align its systems with the applicable security category: basic, medium or high, depending on the impact that a security incident would have on the five CIDAT security dimensions (confidentiality, integrity, availability, authenticity and traceability). The transitory provision of RD 311/2022 set 5 May 2024 as the final deadline for pre-existing systems. Operating without compliance is already a formal breach that jeopardises the ability to bid for public contracts and can transfer liability to the contracting administration.

Annex II of RD 311/2022 sets out 75 security measures distributed across three frameworks and sixteen families. The organisational framework (four families) regulates the security policy, internal regulations, operating procedures and the system authorisation process. The operational framework (seven families) covers planning, access control, operations, external services — including the op.nub cloud family, particularly relevant given the growing use of SaaS platforms by Palencia public bodies — service continuity, system monitoring and acquisition of new components. The protection measures framework (five families) addresses facilities and infrastructure, personnel management, equipment, communications, information media, applications and integration into the development lifecycle, and protection of services. Summum Sistemas implements these measures on real production systems, not just on paper: each measure is technically operational and documented with verifiable evidence.

The risk analysis methodology required by the ENS in Spain is MAGERIT, developed by the Higher Council for e-Government Administration. MAGERIT structures the analysis across three volumes: the method (analysis and treatment process), the element catalogue (assets, threats, typed safeguards) and the techniques guide. Summum Sistemas applies the current version of MAGERIT to the organisation's real asset inventory — servers, applications, networks, data, personnel — assesses threats against each asset, calculates intrinsic and residual risk after safeguards, and produces the risk report documenting treatment decisions. This analysis is not a generic template: it is performed specifically on the systems within the ENS scope and modelled using the CCN's PILAR tool, whose XML-exportable output can be directly used by conformity auditors and by the contracting administration when requesting evidence of the supplier's security posture.

The Technical implementation of the ENS in Palencia for public-sector suppliers process.

The process · four stages
01

Scope definition and technical categorisation of the system

We identify the information systems within the ENS scope: which services you provide to the Diputación de Palencia, the Ayuntamiento de Palencia or other Palencia public bodies, what data you handle on their behalf, and which infrastructures support those services. We assess the impact on the five CIDAT dimensions to determine the system category under Annex I of RD 311/2022. This step is the technical foundation of the entire project: an incorrect categorisation can leave out mandatory measures or unnecessarily oversize the implementation effort.

02

Risk analysis with MAGERIT and modelling in PILAR

We build the asset inventory of the in-scope system, apply the MAGERIT threat catalogue, assess the likelihood and impact of each threat-asset pair, and calculate the intrinsic risk. We model the analysis in the CCN's PILAR tool, which manages the safeguard catalogue, simulates treatment scenarios and generates risk reports in standard format. The deliverable includes the residual risk map after proposed safeguards and the technical justification for treatment decisions: mitigation, transfer, acceptance or elimination.

03

Implementation of the 75 Annex II measures

We technically implement the Annex II measures applicable to the system's category, prioritised by risk: highest-impact gaps first. We act on real production systems: access control configuration, hardening of operating systems and services, encryption of communications and storage, audit log configuration and event monitoring, network segmentation, verified backup procedures and service continuity. The op.nub family is specifically addressed if the organisation uses cloud services as part of the in-scope system.

04

INES evaluation and technical evidence package

Once the measures are in place, we evaluate the system's compliance status using the CCN's INES tool (Instrumento Nacional de Evaluación de la Seguridad). INES generates a standardised security status report that public administrations use to know the compliance level of their own systems and that some Palencia bodies may require from their suppliers as proof of the level achieved. We prepare the full technical evidence package: PILAR and INES reports, documented configurations, measure verification test results and monitoring and audit logs, all structured for review by the conformity audit body.

What is included

What Technical implementation of the ENS in Palencia for public-sector suppliers includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • System categorisation report (Annex I ENS)

    Technical document justifying the ENS category assigned to the system — basic, medium or high — by assessing the impact on the five CIDAT dimensions for each service provided to Palencia public bodies, with a traceable methodology referenced to Annex I of RD 311/2022.

  • MAGERIT risk analysis with exportable PILAR model

    Asset inventory, threat assessment and intrinsic and residual risk calculation applying the MAGERIT methodology, modelled in the CCN's PILAR tool and exported in standard format for review by the contracting administration and the ENS conformity audit body.

  • Technical implementation of Annex II measures

    Operational configuration and deployment of the 75 security measures of Annex II of RD 311/2022 across the three frameworks (organisational, operational and protection) on the real in-scope systems, including the op.nub family for environments with cloud services.

  • INES report and compliance status evaluation

    Assessment of the system's compliance level using the CCN's INES tool, with a standard-format exportable report that certifies to the contracting Palencia administration the actual security status of the supplier's system.

  • Complete technical evidence package

    Structured set of verifiable evidence: PILAR and INES reports, documented configurations, measure verification test results, monitoring and audit logs, and operating procedure documentation, all ready for presentation to the conformity audit body.

  • Technical support during the conformity audit

    Technical accompaniment during the audit by the ENAC-accredited body: responding to the auditor's queries, providing additional evidence and swiftly correcting minor deviations detected during the process, minimising the risk of non-conformities that could delay obtaining conformity.

Frequently asked questions about Technical implementation of the ENS in Palencia for public-sector suppliers.

Does the ENS apply to technology suppliers of the Diputación de Palencia and the Ayuntamiento de Palencia?

Yes. Article 2 of RD 311/2022 establishes that the ENS applies to the information systems of public-sector entities and to those of their suppliers when such systems are connected to or exchange information with the public sector. Both the Diputación Provincial de Palencia and the Ayuntamiento de Palencia are local entities subject to the ENS, which extends the obligation to their technology suppliers: software companies, system maintenance providers, cloud services contracted by the administration, IT support firms and any other service in which the supplier's systems come into contact with those of the Palencia administration.

What is MAGERIT and why is it used for the ENS?

MAGERIT (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información de las Administraciones Públicas) is the official risk analysis methodology for the Spanish public sector, developed by the Higher Council for e-Government Administration. The ENS requires that in-scope information systems have an up-to-date risk analysis as the basis for the proportional selection of Annex II security measures. MAGERIT is the reference methodology for that analysis in the context of the Spanish public administration and its suppliers: it defines the process, the catalogue of typed assets, threats and safeguards, and establishes how to calculate and document risk in a way that is understandable and verifiable by conformity auditors.

Which CCN tools are used in the technical implementation of the ENS?

The Centro Criptológico Nacional (CCN) makes available to public-sector entities and their suppliers a set of free tools that Summum Sistemas integrates into the implementation process. PILAR is the MAGERIT-based risk modelling and evaluation tool: it allows building the asset inventory, assessing threats, managing the safeguard catalogue and generating risk reports in standard format. INES (Instrumento Nacional de Evaluación de la Seguridad) is the ENS compliance self-assessment tool: it generates a security status report that some administrations, including Palencia public-sector bodies, may request from their suppliers as evidence of the compliance level achieved.

How many Annex II measures must be implemented and which are the most critical?

Annex II of RD 311/2022 contains 75 security measures across three frameworks and sixteen families. The number of mandatory measures depends on the system category: basic, medium or high. For a basic-category system, the measures marked [B] are required; for medium, those marked [B] and [M]; for high, all measures marked [B], [M] and [A]. Not all measures carry the same weight in practice: the most critical for technology suppliers are typically those in the operational framework, especially access control (op.acc), system operations (op.exp), service continuity (op.cont) and, where cloud services are used, the cloud services family (op.nub). Summum Sistemas prioritises implementation based on the actual risk profile of each organisation.

What is the difference between a declaration of conformity and certification under the ENS?

For basic-category systems, the conformity route is the self-assessed declaration of conformity: the organisation itself evaluates its system following the CCN-STIC 809 procedure, documents the results and signs the declaration of conformity, which can be registered with the CCN. For medium or high-category systems, conformity must be certified by an inspection body accredited by ENAC under the standard UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any ENS conformity certificate — that is the exclusive competence of ENAC-accredited bodies — but it technically prepares the system to pass the certification process with the best possible guarantees.

How long does the technical ENS implementation take for a Palencia public-sector supplier?

It depends on the system category, the size of the organisation and the starting point in terms of technical security. For basic-category systems with a reasonably well-ordered infrastructure, the technical implementation process — MAGERIT analysis, measure configuration and evidence preparation — can be completed in two to four months. For medium category, the typical timeframe is four to eight months. For high category, with complex systems, it may require eight to fourteen months. In all cases, the MAGERIT risk analysis with PILAR is the starting point: without it, it is not possible to correctly size the implementation effort or justify the proportional selection of measures that the ENS requires.