RD 311/2022, of 3 May, extends the Esquema Nacional de Seguridad well beyond the administrations themselves: any private entity whose information systems process, transmit or support public-sector services is obliged to comply to the same standard as the contracting administration. In Salamanca, this directly affects companies providing software, infrastructure, telecommunications, network maintenance or data-processing services to the Diputación Provincial de Salamanca, the Ayuntamiento de Salamanca or the Universidad de Salamanca — an institution that, as part of the Spanish public university sector, falls fully within the ENS scope. The general deadline to bring existing systems into compliance was 5 May 2024; systems launched after that date must comply from day one of operation. Operating outside the ENS not only exposes the company to regulatory breaches but can directly bar access to new public tenders in Salamanca.
The technical starting point for any ENS compliance project is a risk analysis of the in-scope systems. The ENS does not mandate a specific methodology, but it expressly recognises MAGERIT — the methodology developed by Spain's Consejo Superior de Administración Electrónica — as the de facto reference for the public sector. Summum Sistemas works with MAGERIT v3 to identify and value assets, threats and vulnerabilities, calculate intrinsic and residual risk, and document risk-treatment decisions. The analysis is modelled in PILAR, the Centro Criptológico Nacional tool that automatically generates risk reports in the format required both by public-sector entities and by ENAC-accredited inspection bodies that certify medium- and high-category systems. INES, also from the CCN, complements the analysis by providing a structured and exportable assessment of ENS compliance maturity.
Annex II of RD 311/2022 organises security measures into three frameworks — organisational, operational and protection — covering 16 families and a total of 75 measures. For each system category — basic, medium or high — Annex II specifies which measures are mandatory and at what reinforcement level (r1, r2 or r3). Summum Sistemas handles the technical implementation of the operational and protection measures: access-control policies (op.acc), continuity management (op.cont), communications protection (mp.com), information-media protection (mp.si), services protection (mp.s) and, critically, the op.nub family, which governs the use of cloud computing services and is especially relevant for suppliers who host their solutions on cloud infrastructure. Technical control implementation is complemented by preparing the evidence package — records, logs, vulnerability-assessment results — that the compliance auditor needs in order to verify that measures are genuinely operational, not merely documented.