If your company works or wants to work with the Spanish Public Administration, the question is not whether you need ENS — it is how much it will cost and how long it will take. This guide has the real numbers you will not easily find elsewhere.
What is ENS certification
The Esquema Nacional de Seguridad (ENS) is the mandatory cybersecurity framework for Spanish Public Administrations, established by Royal Decree 311/2022. It regulates how they must protect their information systems and the data they process.
Unlike ISO 27001, which is a voluntary international standard, ENS has regulatory standing in Spain. Non-compliance has direct consequences: lost contracts, system disqualification in audits by the CCN (National Cryptology Centre) and, for public bodies, administrative liability.
ENS certification is issued by auditing bodies accredited by ENAC (National Accreditation Body) and is valid for two years, after which renewal is required.
Who is required to certify
The direct obligation applies to Public Administrations: ministries, regional governments, local councils, public universities, public hospitals, regulatory bodies, etc.
But the obligation extends to private companies providing services to those administrations. If your company meets any of the following criteria, you need ENS:
- Software or SaaS provider for public bodies (hospitals, schools, councils, ministries).
- Cloud computing company hosting data or systems of public administration.
- IT consultancy or integrator with access to public bodies' information systems.
- Telecommunications provider serving public administrations.
- Cybersecurity company contracted by public bodies for security management.
Requirement in public tenders: An increasing number of public procurement contracts in Spain require ENS certification as a technical solvency requirement. Without it, you cannot participate in certain public sector tenders, regardless of your company's size or track record.
The three certification levels: Basic, Medium and High
ENS is not a single certification. Information systems are categorised into three levels based on the potential impact of a security incident:
| Level | Criterion | Typical examples | Controls |
|---|---|---|---|
| Basic | Limited impact in case of incident | Informational website, simple transactional portal, internal document management | ~74 measures |
| Medium | Serious impact: harm to interests, individuals or institutional reputation | Electronic health records, tax systems, public procurement platforms | ~150 measures |
| High | Very serious impact: irreparable harm, risk to national security or individuals | Critical defence systems, critical infrastructure, emergency services | ~200 measures |
Most private companies supplying public administration need to certify at Medium Level. High Level is less common and typically applies to contracts with security, defence or national critical infrastructure bodies.
How much does ENS certification cost
Price ranges vary primarily based on certification level, number of systems in scope and the company's security starting point:
| ENS Level | First-year cost (total) | Maintenance + renewal (biennial) | Estimated timeline |
|---|---|---|---|
| Basic | EUR 12,000 - 25,000 | EUR 6,000 - 12,000/2-year cycle | 3-6 months |
| Medium | EUR 25,000 - 45,000 | EUR 10,000 - 20,000/2-year cycle | 6-10 months |
| High | EUR 45,000 - 85,000+ | EUR 20,000 - 40,000/2-year cycle | 10-16 months |
About these ranges: These are for companies of 10-200 employees with one or several systems in scope. Companies with many different digital services or highly distributed infrastructure may exceed the upper range. If you already have ISO 27001 implemented, the cost drops 20-30% because many controls are already covered.
Cost breakdown (Medium Level reference, 60-employee company)
| Item | Range | Notes |
|---|---|---|
| Initial GAP analysis | EUR 2,500 - 5,000 | Assessment of current state vs. ENS Medium Level requirements |
| Implementation consulting | EUR 12,000 - 22,000 | Policy design, control implementation, system documentation |
| Pre-audit penetration test | EUR 3,000 - 7,000 | Required or strongly recommended before the certification audit |
| Staff training | EUR 2,000 - 6,000 | FUNDAE-subsidisable. Security awareness, security roles, security officer |
| Certification audit (ENAC) | EUR 5,000 - 12,000 | Conducted by ENAC-accredited body. Price varies by body and scope |
| Tools and licences | EUR 2,000 - 5,000/year | SIEM, vulnerability management, asset inventory. Many may already be in place |
The certification process step by step
1. Categorise the system. The first step is determining the ENS level that applies to your systems: Basic, Medium or High. This is done by assessing the potential impact of a security incident. The level is determined by the most critical dimension (confidentiality, integrity or availability) of the data you process.
2. GAP analysis. Once the level is known, the current state is assessed against ENS requirements. The result is a list of gaps: missing controls, policies to document, pending technical measures. This analysis defines the real project scope and allows an accurate budget to be provided.
3. Implementation of controls. The controls identified in the GAP analysis are implemented. This includes organisational measures (policies, procedures, roles), technical measures (encryption, access controls, monitoring) and physical measures (access control to facilities). For Medium Level, approximately 150 measures are required, though not all require the same effort.
4. Declaration of Applicability. A formal document justifying which measures apply, which do not and why. This is one of the key documents the certification auditor reviews. It must be well written and justified.
5. Internal audit. An internal review confirms that the implemented system works as documented and generates evidence for the certification audit. Any non-conformities found are corrected before the external auditor is engaged.
6. Certification audit. The ENAC-accredited body conducts the audit in two phases: document review and on-site audit. If there are no major non-conformities, the ENS certificate is issued. This certificate is valid for two years, with a mandatory interim review.
Realistic timelines
The most common bottleneck is the technical controls implementation phase, especially when deploying monitoring systems (SIEM), vulnerability management or a complete review of access policies. The audit itself is rarely the problem — the challenge is arriving at it with everything in order.
Common mistake: Underestimating the volume of documentation ENS requires. Implementing technical controls is not enough. The auditor will verify that each measure has its policy, its operational procedure and its evidence records. Many companies arrive at the audit with well-configured technology but without the documentation to prove it.
ENS and ISO 27001: differences and synergies
A common misconception: many companies think ISO 27001 is equivalent to ENS or that one replaces the other. That is not the case.
| | ENS | ISO 27001 |
|---|---|---|
| Type | Spanish regulatory framework (RD 311/2022) | Voluntary international standard |
| Mandatory | Required for public bodies and their suppliers | Voluntary (may be required by private contracts) |
| Scope | Spanish public sector and its supply chain | Any organisation, public or private, worldwide |
| Renewal | Every 2 years (with annual interim review) | Every 3 years (with annual surveillance audits) |
| Certification body | ENAC-accredited in Spain | Any internationally accredited body (AENOR, Bureau Veritas, SGS, TUV...) |
That said, having ISO 27001 significantly accelerates ENS certification. Technical and organisational controls overlap by 60-70%. A company with ISO 27001 already has a security culture, documented policies and basic controls in place. This reduces the implementation effort for ENS and the overall project timeline.
The optimal strategy for companies wanting to work with both the Spanish public sector and demanding private clients: certify ISO 27001 first and use that ISMS as the foundation for ENS. Two certifications, much of the work shared.
Free assessment: ENS and ISO 27001
If you are unsure which ENS level applies to you or want to know how far you are from certification, we provide a free initial assessment. In one session, we identify your applicable level, a basic GAP analysis and an indicative budget.
Frequently asked questions
How much does ENS certification cost exactly?
For Medium Level, the typical first-year range is EUR 25,000-45,000 for a company of 10-200 employees. That includes GAP analysis, consulting, pre-audit pentest, training (FUNDAE-subsidisable) and the certification audit. Basic Level can range from EUR 12,000-25,000.
My company is private. Do we need ENS?
It depends on whether you provide digital services to public bodies. If you sell software, cloud, IT services or data management to local councils, ministries, public hospitals, public universities or other public bodies, you probably do. Check the tender documents for your current or future contracts — many already require it explicitly.
Is ISO 27001 equivalent to ENS?
No, but it helps significantly. They are different frameworks: ISO 27001 is international and voluntary; ENS is Spanish and mandatory for the public sector. Having ISO 27001 covers 60-70% of the work needed for ENS, but does not replace it.
How long is ENS certification valid?
Two years. There is an interim surveillance audit (at year one) and at the end of the cycle a full renewal audit is required. Renewal costs are lower than the initial process because the system is already implemented.
Can ENS training be subsidised through FUNDAE?
Yes. Cybersecurity training required to implement and maintain ENS (staff awareness, security roles, system security officer) is eligible for your annual FUNDAE training credit. In many cases it covers 100% of the training budget.