0invader

ENS in the Spanish Public Sector: The 2026 Update

March 5, 2026

The Esquema Nacional de Seguridad sets the security baseline for Spain's public sector and its suppliers. Here is how the framework maps onto a real municipal ICT estate — and where smaller administrations get stuck.

The Esquema Nacional de Seguridad (ENS), governed by Real Decreto 311/2022, is the security framework that public-sector bodies in Spain — and the private suppliers that serve them — must comply with. For a municipal IT department, the ENS is not abstract policy; it is a concrete obligation that shapes procurement, architecture, and day-to-day operations. With the framework continuing to bed in, this is a good moment to translate it into estate terms.

Categorising your systems

The ENS works by category. Each system is classified — Basic, Medium, or High — based on the impact a security incident would have across the dimensions of confidentiality, integrity, availability, authenticity, and traceability. The category drives the set of security measures you must implement; the higher the category, the more demanding the controls. The first practical task for any administration is therefore an honest categorisation of its systems, because over-classifying wastes scarce resources and under-classifying leaves you exposed and non-compliant.

Mapping to a municipal estate

A typical town hall's ICT estate spans several categories at once:

  • Citizen-facing services (the electronic register, online procedures, payment portals) often sit at Medium, sometimes High, because availability and integrity directly affect citizens' rights.
  • Internal administrative systems — document management, HR, finance — usually land at Medium given the personal data they hold.
  • Supporting infrastructure (network, identity, backups) inherits the category of the most sensitive system it serves, which is where many administrations under-scope.

The most common mistake we see is categorising the visible applications carefully while treating the shared infrastructure beneath them as an afterthought. A High-category service running on Basic-category foundations is not compliant — and not safe.
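The inheritance rule can be checked mechanically against an asset inventory. The sketch below is an added example, not part of the original article or any official ENS tooling: it takes a system's category to be the highest level reached on any of the five dimensions, pushes that category down a dependency map (including indirect dependencies), and lists components declared below what they inherit. The component names, the inventory and the dependency map are constructed for illustration.

```python
from enum import IntEnum

Level = IntEnum("Level", "BASIC MEDIUM HIGH")  # BASIC=1 < MEDIUM=2 < HIGH=3
DIMENSIONS = ("confidentiality", "integrity", "availability",
              "authenticity", "traceability")

def system_category(impact):
    """A system's category is the highest level on any of the five dimensions."""
    missing = [d for d in DIMENSIONS if d not in impact]
    if missing:
        raise ValueError(f"unassessed dimensions: {missing}")
    return max(impact[d] for d in DIMENSIONS)

def required_categories(services, depends_on):
    """Push each service's category down to everything it relies on,
    directly or transitively. Returns {component: required Level}."""
    required = {}
    for name, impact in services.items():
        cat, stack, seen = system_category(impact), [name], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue  # tolerate cycles in the dependency map
            seen.add(node)
            required[node] = max(required.get(node, cat), cat)
            stack.extend(depends_on.get(node, ()))
    return required

def under_scoped(declared, services, depends_on):
    """Components declared below the category they inherit.
    Assumption: a component with no declared category counts as BASIC."""
    need = required_categories(services, depends_on)
    return {c: (declared.get(c, Level.BASIC), n) for c, n in sorted(need.items())
            if declared.get(c, Level.BASIC) < n}

# Constructed sample estate (hypothetical names, not from the article).
B, M, H = Level.BASIC, Level.MEDIUM, Level.HIGH
SERVICES = {
    "payment-portal": dict(confidentiality=M, integrity=H, availability=H,
                           authenticity=M, traceability=M),
    "hr": dict(confidentiality=M, integrity=M, availability=B,
               authenticity=B, traceability=B),
}
DEPENDS_ON = {"payment-portal": ["identity", "core-network"],
              "hr": ["identity", "backups"],
              "identity": ["backups"]}
DECLARED = {"payment-portal": H, "hr": M, "identity": M,
            "core-network": B, "backups": M}

if __name__ == "__main__":
    for comp, (have, need) in under_scoped(DECLARED, SERVICES, DEPENDS_ON).items():
        print(f"{comp}: declared {have.name}, inherits {need.name}")
```

In the sample, the backup platform is flagged even though the payment portal never names it directly: it inherits High through the identity service.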

Where smaller administrations get stuck

Resource constraints are the recurring theme. Smaller municipalities frequently lack a dedicated security function, rely heavily on external providers, and struggle to maintain the continuous evidence the ENS expects. Three moves help disproportionately: insist that suppliers demonstrate their own ENS conformity in writing, lean on the shared and reusable resources the framework and national bodies provide rather than building everything in-house, and treat the required self-assessment or audit as a planning tool through the year rather than a once-off hurdle.

The ENS rewards administrations that treat it as an operating model rather than a certificate. Get categorisation right, extend the same rigour to the infrastructure layer, hold your suppliers to the same standard, and the compliance obligation becomes a genuine improvement in the security of public services — which is, after all, the point.