Ciberseguridad y cumplimiento

Technical implementation of the ENS in Tenerife

The Cabildo de Tenerife, the Ayuntamiento de Santa Cruz de Tenerife, the Universidad de La Laguna and the island municipalities are all subject to the Esquema Nacional de Seguridad (ENS). Their technology suppliers are too: RD 311/2022 (BOE-A-2022-7191) requires that the information systems of contracting entities be brought into conformity at the same level as the public bodies they serve. Summum Sistemas accompanies technology companies in Tenerife in the dimension that demands the most from them under the ENS: the technical plane. Risk analysis using MAGERIT methodology, asset and threat modelling with the CCN's PILAR tool, implementation of the 75 Annex II measures, and preparation of the technical evidence required by the conformity audit. No invented figures, no fictitious offices: genuine accompaniment in the technical and operational domain.

RegulationRD 311/2022 · BOE-A-2022-7191
ProfileTechnology suppliers to the Public Administration in Tenerife
FocusTechnical implementation: MAGERIT · PILAR · INES · Annex II

The Esquema Nacional de Seguridad, approved by Royal Decree 311/2022 of 3 May, is not merely a documentary framework: its Annex II contains 75 security measures across three frameworks — organisational, operational and protective — and 16 families. The operational family includes 7 sub-families and 33 measures, among them op.nub (cloud service security), which is particularly relevant for technology companies providing cloud infrastructure to Canarian public bodies. For a supplier to the Cabildo de Tenerife or the Ayuntamiento de Santa Cruz, ENS conformity does not end when a security policy is approved: it truly begins when the technical measures underpinning that policy are implemented, verified and documented.

Tenerife concentrates a significant share of Canarian public sector activity: the Cabildo de Tenerife as the island's reference administration, the Ayuntamiento de Santa Cruz de Tenerife as the capital of the autonomous community, the Universidad de La Laguna (ULL) with its academic management and research systems, and dozens of municipalities with their own digital services. Companies wishing to tender for or continue supplying these bodies must demonstrate ENS conformity at the category corresponding to the systems they manage. The Canarian special economic regime — with IGIC instead of VAT — does not alter this obligation: the ENS applies equally across all of Spain, including the islands.

Summum Sistemas approaches conformity from the angle that defines the actual work of technical implementation. The first step is risk analysis using MAGERIT methodology (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información), the CCN's official framework for identifying assets, assessing threats, estimating impact and calculating residual risk. On that analysis the proportionate selection of Annex II measures is built, supported by PILAR — the tool developed by the Centro Criptológico Nacional that automates asset valuation and risk calculation according to MAGERIT — and by INES, the CCN tool for self-assessment of ENS compliance. The combination of official methodology and official tools ensures that the analysis is traceable, repeatable and accepted by ENAC-accredited conformity auditors.

The Technical implementation of the ENS in Tenerife process.

The process · four stages
01

Asset inventory and MAGERIT risk analysis

We compile the complete inventory of information assets — systems, services, data, applications, infrastructure — within the ENS scope for contracts with public bodies in Tenerife: the Cabildo, municipalities, the ULL or other Canarian public sector entities. Against that inventory we apply MAGERIT v3 methodology to assess each asset across the five CIDAT dimensions, identify relevant threats from the CCN catalogue, and calculate inherent and residual risk. The result is the risk analysis report that underpins all subsequent technical decisions and that conformity auditors regard as the core document of the ENS dossier.

02

PILAR modelling and INES compliance report

We run the analysis in PILAR (the CCN's official tool), entering assets, dependencies and CIDAT valuations to obtain the required security profile and the automatic selection of proportionate Annex II measures. In parallel, we complete the INES tool with the current compliance status of each measure to produce a precise gap map: what is implemented, what is partially covered and what still needs to be addressed, with the maturity level L0–L5 for each control.

03

Technical implementation of Annex II measures

We carry out the implementation of the outstanding technical measures across the three Annex II frameworks: in the operational framework, we configure access controls (op.acc), secure system operation (op.exp), service continuity (op.cont) and security event monitoring (op.mon); in the protection framework, we apply device hardening (mp.com, mp.si), communications protection (mp.com) and encryption of sensitive information (mp.info); for cloud services (op.nub), we verify that the shared responsibility model with the cloud provider is documented and that the controls applicable to the tenant are effectively implemented.

04

Operational cybersecurity: monitoring and incident response

ENS conformity is not a one-off project: the regulation demands continuous vigilance. We configure or review the security event monitoring mechanisms (SIEM, audit logs, anomaly alerts) and establish incident management procedures in accordance with the Scheme. Where the contracting public body — Cabildo, municipality or ULL — requires incident notification to the CCN-CERT, we verify that the supplier has the channels and procedures necessary to meet that requirement within the timeframes mandated by the regulation.

What is included

What Technical implementation of the ENS in Tenerife includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • MAGERIT risk analysis report with PILAR

    Risk analysis document prepared using MAGERIT v3 methodology and run in the CCN's PILAR tool: CIDAT-valued asset inventory, CCN catalogue threat identification, inherent and residual risk calculation, and required security profile for systems within scope with Tenerife public bodies.

  • INES gap report with L0–L5 maturity map

    Output of the CCN INES self-assessment tool: current status of each Annex II measure for the assessed system, L0–L5 maturity level per control, gap relative to the required profile, and prioritised closure plan ranked by impact on system category.

  • Documented technical implementation of Annex II measures

    Record of the configuration and implementation of technical controls across the three Annex II frameworks: operating system and service hardening, access control configuration, event monitoring, communications protection and encryption, with traceable evidence for each implemented measure.

  • Incident management and monitoring procedures

    Security operational procedures (SOPs) for the detection, classification, response and notification of security incidents, including communication channels with the CCN-CERT where the Canarian public body's contract requires it, and alert thresholds for the monitoring system.

  • op.nub compliance report for cloud services

    For suppliers delivering infrastructure or platform cloud services to bodies such as the Cabildo de Tenerife or the ULL: shared responsibility model analysis, verification of tenant-applicable op.nub controls from Annex II, and documentation of the security agreement with the cloud provider.

  • Technical evidence package for the conformity audit

    Structured dossier of technical evidence ready to present to an ENAC-accredited entity (medium or high category) or to support the self-assessed conformity declaration (basic category): configuration captures, audit logs, vulnerability analysis results and control review records.

Frequently asked questions about Technical implementation of the ENS in Tenerife.

Does the ENS apply to companies that only work with the Cabildo de Tenerife or Canarian municipalities?

Yes. Article 2 of RD 311/2022 establishes that the ENS applies to public sector entities and to the information systems of suppliers that provide services or solutions to them. The Cabildo de Tenerife, the island's municipalities and the Universidad de La Laguna are all public sector entities subject to the ENS. Their technology contractors — software companies, cloud service providers, system maintenance firms, data processors — must conform to the same level as the Administration they serve. The Canarian special fiscal regime (IGIC instead of VAT) does not modify this obligation: the ENS is national legislation applicable across the entire Spanish territory, including the archipelago.

What is MAGERIT and why does the CCN require it for ENS risk analysis?

MAGERIT is the Methodology for the Analysis and Management of Information System Risks, developed by the former Ministry of Public Administration and maintained by the CCN. RD 311/2022 does not explicitly mandate MAGERIT, but the CCN-STIC 803 guide (System Valuation under the ENS) establishes MAGERIT as the official reference methodology for risk analysis and system categorisation. The PILAR tool, developed by the CCN, implements MAGERIT in automated form and generates risk reports in the format that ENAC-accredited conformity auditors expect. Using MAGERIT and PILAR is not a legal obligation, but it is the path that guarantees traceability, reproducibility and acceptance in the certification process.

What is the difference between a basic conformity declaration and ENAC certification?

For basic-category systems, the organisation may self-assess its ENS compliance and issue its own conformity declaration, following the CCN-STIC 809 procedure. No external third party is required: responsibility lies with the organisation itself. For medium or high-category systems, conformity must be certified by an inspection body accredited by ENAC under UNE-EN ISO/IEC 17065. Summum Sistemas does not issue any conformity certificate — that is the exclusive competence of ENAC-accredited bodies; our role is to prepare systems so they pass that process with the technical evidence fully in order.

Is cloud security (op.nub) a relevant requirement for ULL or Cabildo de Tenerife suppliers?

Yes, and increasingly so. The op.nub family of Annex II governs security requirements when systems within scope use third-party infrastructure, platform or software as a service. For a supplier serving a SaaS application to the Cabildo de Tenerife or the Universidad de La Laguna with that application hosted on a cloud provider, op.nub requires documenting the shared responsibility model, verifying tenant-applicable controls and ensuring the cloud provider holds the certifications or security reports — such as the CCN's ENS for cloud providers — that allow trust in the chain of custody. Summum Sistemas reviews and documents this aspect as part of the technical implementation.

How long does technical ENS implementation take for a medium-sized technology supplier in Tenerife?

It depends on the system category, prior technical maturity and the number of systems within scope. For a supplier with basic-category systems and partially implemented security practices, technical implementation can be completed in three to five months. For medium category, with more complex systems and no previously documented hardening, the typical timeframe is six to twelve months, covering MAGERIT/PILAR analysis, technical measure implementation and evidence package compilation. In all cases, coordination with Summum Calidad on the documentary plane is done in parallel, without extending the overall timeline.

Can Canarian technology companies apply IGIC on ENS implementation contracts with public bodies?

The IGIC (Impuesto General Indirecto Canario) regime applies to companies established in the Canary Islands providing services in the archipelago. In contracts between a Canarian technology company and a Canarian public body (Cabildo, municipality, ULL), invoicing is governed by IGIC rules, not mainland VAT. This affects the taxation of the technical ENS implementation services provided by Summum Sistemas in Tenerife, but does not modify either the content of the ENS requirements or the conformity timeline. RD 311/2022 applies throughout the national territory regardless of the regional fiscal regime.