Spain's National Security Framework establishes digital certificate requirements for e-government services, mandating certificate inventory and lifecycle management at Basic, Medium, and High assurance levels.
The ENS (Esquema Nacional de Seguridad), updated by Royal Decree 311/2022, establishes the security framework for Spain's entire public administration and its suppliers. It defines three assurance levels — Basic, Medium, and High — with increasingly strict cryptographic and certificate management requirements at each level.
The CCN (Centro Criptológico Nacional) provides technical guidance through the CCN-STIC series of publications, covering everything from approved cryptographic algorithms to detailed implementation guidelines. Digital certificates are mandatory for authentication, electronic signatures, and secure communications across all assurance levels.
The updated ENS v2.0 modernizes the framework to address current threats, aligns with international standards such as ISO 27001, and strengthens requirements for supply chain security. All public entities and their technology providers must achieve ENS certification through accredited audit bodies.
Information systems must be categorized into Basic, Medium, or High assurance levels based on the impact of a security breach, with each level imposing progressively stricter security controls.
ENS mandates the use of digital certificates for user authentication and access control, with qualified certificates required at Medium and High assurance levels for e-government services.
ENS defines cryptographic requirements for data protection including approved algorithms, minimum key lengths, and protocol standards aligned with CCN-STIC technical guidelines.
Organizations must maintain complete certificate inventories, implement automated renewal processes, and ensure timely revocation to meet ENS operational security requirements.
The CCN (Centro Criptológico Nacional) issues CCN-STIC technical guides providing detailed implementation guidance for ENS security controls, including cryptographic and certificate standards.
Public entities must undergo ENS certification audits conducted by accredited bodies, demonstrating compliance with all applicable security controls at their categorization level.
Spain establishes the Esquema Nacional de Seguridad, creating a mandatory security framework for all public administration information systems.
Initial review and update cycle addresses emerging threats and lessons learned from early ENS implementation across public entities.
Major overhaul modernizes the framework with updated security controls, alignment with international standards, and strengthened cryptographic requirements.
All public administration entities and their suppliers must achieve full compliance with the updated ENS requirements by this deadline.
ENS evolves to align with NIS2 Directive transposition and broader European cybersecurity frameworks, ensuring cross-border consistency.
The ENS framework places digital certificates at the center of public administration security, with requirements that scale by assurance level. Here are the critical areas:
Systems categorized at Medium and High assurance levels must use qualified digital certificates for user authentication and electronic signatures, requiring robust PKI infrastructure.
ENS certification audits require a complete inventory of all digital certificates in use, including their purpose, validity, issuing CA, and associated systems.
Specific cryptographic algorithms and key lengths must comply with CCN-STIC guidelines, directly affecting certificate profiles, signature algorithms, and key generation practices.
Certificate-based authentication is required for e-government portals, enabling secure citizen access to public services and ensuring the integrity of administrative transactions.
Complete certificate inventory with Horizon — Horizon provides full certificate discovery and inventory across your entire infrastructure, ensuring audit readiness for ENS certification at any assurance level.
Automated lifecycle management — Automated certificate issuance, renewal, and revocation meets ENS operational security requirements, eliminating manual gaps and ensuring continuous compliance.
CCN-STIC policy enforcement — Policy enforcement for CCN-STIC cryptographic standards, automatically detecting and flagging certificates that do not meet approved algorithm and key length requirements.
Audit-ready ENS reports — Generate comprehensive compliance reports mapped directly to ENS security controls, streamlining the certification audit process and demonstrating ongoing adherence.