
ENS 2025 Cloud Compliance: BÁSICA, MEDIA, ALTA Requirements

abemon | Updated on April 15, 2026 | 5 min read | Written by practitioners
ENS is no longer just for public administration

Royal Decree 311/2022 (which replaced the original 2010 Esquema Nacional de Seguridad, Royal Decree 3/2010) makes the ENS explicitly applicable to private-sector technology providers whose services or solutions are used by the Spanish public sector. That includes cloud providers, software companies, system integrators, and technology consultancies.

If you are not familiar with ENS: think of it as Spain's rough equivalent of FedRAMP, but covering every level of the public sector, national, regional, and local. It defines mandatory security measures for any information system that processes public sector data or delivers public sector services.

In 2025, Spain's National Cryptologic Center (CCN) published updated technical guidelines (the CCN-STIC 800 series) that set out how ENS requirements apply to cloud service providers. Following them is not optional if your company sells, or wants to sell, to the Spanish public sector.

What changed

Three main changes affect cloud providers.

Cloud service classification by level. ENS categorises systems into three levels, BÁSICA (basic), MEDIA (medium) and ALTA (high), according to the impact a compromise would have on each security dimension (confidentiality, integrity, availability, authenticity and traceability). The public-sector entity responsible for the system makes that valuation, and a cloud service must meet the category of the systems it supports. As a rule of thumb: a document storage service for non-classified data may require basic; a service processing citizen personal data typically requires medium; anything touching national security data or especially sensitive public sector data requires high.

The level determines which controls you must implement. High level requires, among other measures: encryption in transit and at rest with CCN-approved algorithms (see CCN-STIC 807), multi-factor authentication for all administrative access, audit logs of all operations retained for a minimum of 5 years, and data centers located within EU territory.

Supply chain. ENS requires first-tier providers to verify that their subcontractors (infrastructure providers, third-party services) also comply. If your cloud service runs on AWS, Google Cloud or Azure, you need to document that the underlying infrastructure provider holds an ENS certification at or above your target category. All three major hyperscalers hold ENS certifications, but the certified category, the list of in-scope services and the covered regions change over time, so check the provider's current ENS certificate and its scope statement rather than relying on a summary, and confirm that every service and region you actually use is inside that scope.

Incident notification. Notification timelines have tightened. High-level incidents must be reported to CCN-CERT within 24 hours (previously 72), and medium-level incidents within 48 hours. The notification is not a generic email: it requires a structured report with an impact assessment, the containment measures taken, and a remediation plan, so your incident response procedure needs to produce those artefacts within the deadline.

Who this directly affects

If your company meets any of these criteria, pay attention:

  • You sell software or cloud services to any Spanish public administration (national, regional, or local)
  • You are a subcontractor of an integrator selling to the public sector
  • You operate infrastructure that hosts public sector data
  • You want to bid on public contracts that include a technology component

Company size is irrelevant. A 5-person startup selling a document management SaaS to a town council is subject to the same requirements as a large provider.

What to do

ENS certification is a formal process: the audit and the certificate of conformity are issued by certification bodies accredited by ENAC (Spain's national accreditation body), not by ENAC itself. Systems in the BÁSICA category may instead self-assess and issue a declaration of conformity; MEDIA and ALTA require certification by an accredited body. Either way, there are preliminary steps before you get there.

Determine your required level. It depends on the type of data you handle and the security level required by your public sector clients. If unsure, the CCN publishes guide CCN-STIC 803 with detailed classification criteria.

Run a gap analysis. Compare your current controls against the requirements for your target level. Guides CCN-STIC 804 (implementation of security measures) and 808 (verification and audit) detail the specific controls. Many companies discover they already meet 60-70% of basic-level controls simply by having good security practices.

Implement missing controls. The most common gaps we see in technology SMEs: lack of a formal documented security policy, absence of centralized audit logging, and lack of a tested business continuity plan. None require expensive technology; they require process and documentation.

Get certified. The ENS audit is performed by an accredited entity. The typical process takes 2-4 months for basic level and 4-8 months for medium. Cost ranges from EUR 5,000 to EUR 25,000 depending on scope and complexity.

The STIC catalog as an accelerator

The CCN maintains the STIC Products and Services Catalog (CPSTIC), a list of technology products that have been evaluated and approved for public sector use. Inclusion is not mandatory, but it is an enormous competitive advantage in public procurement.

The inclusion process is independent of ENS certification but complementary. It requires a technical evaluation of the product by the CCN, which can take 3-6 months.

Why this matters beyond Spain

ENS aligns with the EU's NIS2 Directive (Directive 2022/2555 on network and information security), which member states were required to transpose by October 2024. For companies that need ENS alongside ISO 27001 and SOC 2, our unified certification guide details the overlap between frameworks. Companies that achieve ENS compliance are well-positioned for NIS2 requirements across Europe: the control frameworks overlap significantly, especially around incident notification, supply chain security, and governance.

For companies based outside Spain looking to serve the Spanish public sector, ENS certification is effectively a market access requirement. But it is also a strong signal of security maturity that resonates across European public procurement.

If you need to assess your current compliance level, our cloud and DevOps team performs ENS assessments tailored to cloud providers. You can also explore our managed services that include ENS compliance as part of the service.

Frequently asked questions

What is the ENS (Esquema Nacional de Seguridad)?
The Esquema Nacional de Seguridad is Spain's mandatory cybersecurity framework for public-sector information systems and their technology suppliers, established by Real Decreto 311/2022. It defines binding security measures across three categories (BÁSICA, MEDIA, ALTA) and is overseen by the Centro Criptológico Nacional (CCN). Unlike voluntary frameworks, demonstrated ENS conformity (a declaration for BÁSICA, a certification from an accredited body for MEDIA and ALTA) is a legal prerequisite to provide in-scope services to a Spanish public administration.
Which ENS category applies to my SaaS product?
Category depends on the sensitivity of data your service processes. BÁSICA covers non-classified administrative data with low impact if compromised. MEDIA applies when handling citizen personal data, social services data, or systems where a breach causes significant disruption. ALTA applies to systems touching classified information, critical infrastructure, or national security data. CCN-STIC 803 provides the official classification criteria, and your public-sector client's own security assessment will typically dictate the required level.
What is the difference between BÁSICA, MEDIA, and ALTA?
The three categories map to increasing control requirements. BÁSICA requires a documented security policy, access control, and basic audit logs. MEDIA adds mandatory multi-factor authentication for administrative access, formal incident response, and supply-chain verification. ALTA requires CCN-approved encryption algorithms, audit logs retained for 5+ years, EU-territory data centers, and 24-hour incident notification to CCN-CERT. Annex II of Real Decreto 311/2022 is the authoritative list of measures per category; the CCN-STIC 884 series provides provider-specific secure configuration guidance for the major cloud platforms.
When do cloud providers need ENS 2025 compliance?
Real Decreto 311/2022 entered into force in May 2022, with a transition period that ended in 2024. Providers bidding on new public contracts now need active ENS certification at the required category. Existing contracts typically included a compliance clause with a deadline set by the contracting authority. In practice, CCN is enforcing compliance on new procurement processes as of 2025.
Who needs to conduct an ENS audit?
ENS certification audits must be performed by certification bodies accredited by ENAC (Entidad Nacional de Acreditación), Spain's national accreditation body. Internal self-assessments are useful for gap analysis and, for the BÁSICA category, can support a declaration of conformity, but they do not produce a certification. For MEDIA and ALTA, an accredited external certification body is mandatory. ENAC publishes the list of accredited bodies, and the CCN-CERT portal lists the entities and certifications registered under the ENS.
What happens if my cloud service is not ENS-certified?
Non-certified providers are ineligible for public procurement contracts that require ENS compliance, which covers virtually all technology contracts with Spanish public administration. Separately, NIS2 (Directive 2022/2555) sets maximum administrative fines for essential entities of €10 million or 2% of global annual turnover, whichever is higher; these apply under the NIS2 regime once transposed, not as an ENS sanction. Additionally, prime contractors are increasingly requiring ENS certification from their cloud subcontractors as a supply-chain obligation.
How much does ENS certification cost?
Certification costs range from approximately €5,000–€10,000 for BÁSICA scope to €15,000–€25,000 for MEDIA, and €25,000–€50,000+ for ALTA, depending on system scope and the accredited auditor. The largest cost is typically internal preparation: gap remediation, documentation, and audit-readiness work. Many technology SMEs complete BÁSICA preparation in 3–6 months with existing staff.
Is ISO 27001 sufficient, or do I still need ENS certification separately?
ISO 27001 is not a substitute for ENS. While there is significant overlap in controls, especially around risk management, asset management, and incident response, ENS has Spain-specific requirements that ISO 27001 does not cover, including CCN-approved cryptographic algorithms, specific audit log retention mandates, and CCN-CERT incident notification obligations. That said, an existing ISO 27001 certification can meaningfully accelerate ENS preparation, and in our experience substantially reduces the MEDIA-level gap remediation effort.

About the author


abemon engineering

Engineering team

Multidisciplinary engineering, data and AI team headquartered in the Canary Islands. We build, deploy and operate custom software solutions for companies at any scale.
