Who is required to comply with ENS in Spain?

Spanish public administration bodies and technology providers (suppliers/contractors) that deliver services or process public-sector information. ENS is commonly required in public tenders and contracts.

What changed with Royal Decree 311/2022?

RD 311/2022 updates the ENS model, strengthens continuous security oversight, and improves alignment with European requirements (including NIS2), reinforcing governance and ongoing monitoring expectations.

ENS Compliance & Certification: The Spanish Standard for Digital Sovereignty.

Compliance with the Esquema Nacional de Seguridad (ENS) — Royal Decree 311/2022 is often a contractual requirement to work with Spanish public administration, and a strong signal of security maturity. We help you achieve audit-ready compliance for Basic, Medium and High categories.

Start an ENS project

High category experience

What RD 311/2022 changes in practice

The ENS update via Royal Decree 311/2022 reflects a more demanding threat landscape. For many organizations, the biggest shift is moving from “point-in-time compliance” to a model that expects continuous oversight.

At Hard2bit, we deliver a pragmatic roadmap so the certification process does not block operations — it strengthens them through measurable controls, governance, and evidence.

NIS2 alignment

We align ENS controls with European requirements to reduce duplicated effort and improve traceability.

Audit readiness

We support you end-to-end: scoping, evidence, remediation and preparation for an accredited conformity assessment.

ENS security dimensions

ENS evaluates security across key dimensions that we assess in depth:

Confidentiality Information is accessible only to authorized individuals.
Integrity Assurance that information has not been altered in an unauthorized manner.
Availability Access to services and systems when needed (continuity).
Authenticity & Traceability Unambiguous identification and logging of relevant actions.

System categorization

The technical requirements depend on the nature and impact of the information and services involved.

Category	Risk profile	Audit requirement
Basic	Low-impact systems. Supervised self-assessment.	Every 2 years (self-assessment)
Medium	Moderate impact on critical services or sensitive data.	External audit (mandatory)
High	Essential systems, critical infrastructures or highly protected data.	External audit (highest rigor)

Our compliance methodology

Gap Analysis

Assess your current state against RD 311/2022 requirements and ENS controls.

Risk Assessment (PILAR)

Perform a structured risk assessment using official methodologies (e.g., PILAR) where applicable.

Policies, Procedures & Evidence

Build the required governance set and evidence for audit readiness and continuous oversight.

Ready to work with the public sector?

Obtain ENS compliance with a specialized, audit-ready approach.

Request an ENS quote

ENS FAQ

Is ENS mandatory for private companies? ↓

Yes, if you provide services/solutions to Spanish public administration or process public-sector information. ENS is commonly required in public tenders and contracts.

How long is the certification valid? ↓

Typically 2 years, with follow-up reviews. The updated ENS model emphasizes continuous oversight and reviews after significant changes.

Start an ENS project

Tell us your target category (Basic/Medium/High) and we’ll propose a realistic delivery plan.

Go to contact