More public tenders in Spain every year include ENS certification as a technical solvency requirement. Software companies, IT integrators and cloud providers find themselves unable to bid for a public contract without it. This guide answers the question everyone has but few answer with real numbers: how much does it cost and how long does it take.
What is the ENS
The Esquema Nacional de Seguridad (ENS) is Spain's mandatory cybersecurity framework for the public sector, regulated by Royal Decree 311/2022. It defines the principles and requirements that Spanish public administrations must meet to protect the information they manage and the services they provide.
ENS certification is issued by auditing entities accredited by ENAC (Entidad Nacional de Acreditación, Spain's national accreditation body). It is valid for two years, with mandatory annual monitoring.
Who oversees compliance: The National Cryptological Centre (CCN-CERT), part of Spain's intelligence services, is the ENS technical reference body. It publishes guidance (CCN-STIC series) and conducts its own audits in public organisations. Its approval of tools and providers carries real weight in certification processes.
Who is required to comply
The direct obligation falls on Spanish public administrations: ministries, regional governments, municipalities, public bodies, public universities, public healthcare centres. But the scope extends further. Private companies providing services to these administrations and having access to their systems or data must demonstrate ENS compliance. In practice, this affects:
- Software and SaaS companies selling applications to public bodies.
- Cloud providers hosting public administration systems or data.
- IT consultancies with access to public sector infrastructure.
- System integrators managing technology environments for public bodies.
- Cybersecurity companies contracted for security management by public organisations.
The three certification levels: Basic, Medium and High
| Level | Definition | Examples | Approx. controls |
|---|---|---|---|
| Basic | Limited impact: minor damage to operations or image | Informational websites, internal document managers, simple online procedures | ~74 measures |
| Medium | Serious impact: significant damage to operations, interests or individuals | Electronic health records, tax systems, public procurement platforms, civil registries | ~150 measures |
| High | Very serious impact: irreparable damage, threat to national security or lives | Critical national defence systems, national critical infrastructure, emergency services | ~200 measures |
Most private companies supplying the public sector need Medium Level. High Level applies to contracts involving national security, defence or critical infrastructure and is less common in the private market.
How much does ENS certification cost
| ENS Level | First-year cost | Biennial renewal | Estimated timeline |
|---|---|---|---|
| Basic | 12,000 - 22,000 EUR | 5,000 - 10,000 EUR | 3-5 months |
| Medium | 25,000 - 45,000 EUR | 10,000 - 18,000 EUR | 6-9 months |
| High | 45,000 - 85,000+ EUR | 20,000 - 40,000 EUR | 10-16 months |
If you already have ISO 27001: The first-year cost can be reduced by 25-35% because many controls are already implemented and documented. ENS and ISO 27001 share 60-70% of technical and organisational controls.
The certification process step by step
1. Categorisation of systems. Determine which ENS level applies to your systems based on the potential impact of a security incident on the confidentiality, integrity and availability of information. This step is mandatory and must be documented.
2. GAP analysis. Assess the current state against the requirements of the determined level. The result is a map of gaps: missing controls, undocumented policies, pending technical measures. This defines the actual project scope and allows accurate budgeting.
3. Risk analysis. Identify and assess assets, threats and vulnerabilities. Define the Risk Treatment Plan (RTP) and the Declaration of Applicability (DOA). These documents are critical for the certification audit.
4. Implementation. Implement the Annex II ENS controls applicable to the certified level: organisational framework measures (policies, roles), operational measures (asset management, continuity) and protection measures (encryption, access controls, monitoring).
5. Internal audit. Verify that the implemented system works as documented and generates the necessary evidence. Finding non-conformities before the external auditor saves time and money.
6. Certification audit. The external auditor reviews the documentation and verifies on-site that controls are implemented and working. If there are no major non-conformities, the ENS certificate is issued. Validity: two years with annual monitoring.
Realistic timelines
ENS and ISO 27001: differences and synergies
| | ENS | ISO 27001 |
|---|---|---|
| Nature | Spanish regulatory framework (RD 311/2022) | International voluntary standard |
| Mandatory | Mandatory for public sector and digital suppliers | Voluntary (contractually required) |
| Scope | Spanish public sector and supply chain | Any organisation worldwide |
| Certificate validity | 2 years with annual monitoring | 3 years with annual surveillance audits |
| Control overlap | 60-70% of controls shared with ISO 27001 | 60-70% of controls shared with ENS |
The most efficient strategy for companies wanting to operate in both the Spanish public market and demanding private markets: certify ISO 27001 first and use that ISMS as the base for ENS. The 60-70% overlap means much of the work is already done when you start the ENS process.
Free ENS and ISO 27001 assessment
If you are not sure which ENS level applies to you or how far you are from certification, we offer a free initial assessment. In one session: applicable level, basic GAP analysis and indicative budget.
Frequently asked questions
How much does ENS Medium Level certification cost?
For a company of 10-200 employees, the typical first-year range is 25,000-45,000 EUR. This includes GAP analysis, implementation consulting, pre-audit pentest, staff training and the ENAC-accredited certification audit. With ISO 27001 already in place, costs can be reduced by 25-35%.
My company is private. Do I need ENS?
If you provide digital services to Spanish public bodies (software, cloud, IT, cybersecurity), you probably do. ENS requirements in public procurement are growing. Review your current or target contract specifications: many already include it as a technical solvency requirement.
Is ENS the same as ISO 27001?
No. ENS is a Spanish mandatory framework; ISO 27001 is an international voluntary standard. Having ISO 27001 covers 60-70% of what ENS requires, but it does not replace it.