The new national security scheme: application to private sector companies

On Royal Decree 311/2022 regulating the National Security Scheme (ENS)

On 3rd May, Royal Decree 311/2022 regulating the National Security Scheme (ENS) was published. This regulation repeals the previous ENS of 2010.

  • The new ENS will apply to information systems of private sector entities, when under a contractual relationship, they provide services or solutions to public sector entities.
  • Tendering procedures for public contracts: the tender documents must include all the necessary requirements to ensure compliance with the ENS of the information systems on which the services provided by the contractors are based, such as the submission of the corresponding Declarations or Certifications of Conformity with the ENS.

The change in the regulatory framework is substantial and all in-scope companies are advised to immediately assess the impact of this standard on their business and their level of alignment with the new ENS.

Background information

  • The ENS is undoubtedly a legal standard of the highest relevance regulating digital security at the national level.
  • The ENS is the central regulatory reference when it comes to configuring digital security governance systems in organisations. It consists of a set of regulations that make it possible to create and maintain the necessary security conditions in the use of electronic media, through measures that guarantee the security of systems, data, communications and electronic services.
  • Until now, the ENS was regulated in RD 3/2010 and applied, in principle, only to public administrations.

The new applicability of the ENS to private sector companies

  • The most relevant development of the new ENS is precisely the extension of its scope of application, which goes beyond the previous strict scope limited to the public sector. From now on, many private companies will be obliged to comply with the regulations included in the ENS.
  • This follows from Article 2.3, which provides for the direct application of the ENS to private sector companies:
  1. Where there is a contractual relationship and they provide services or solutions to public sector entities.
  2. Where the administrative or technical specifications of the contracts entered into by public sector entities contemplate the need to comply with the requirements necessary to ensure compliance with the ENS of the information systems on which the services provided by the contractors are based.
  3. Where public procurement procedures require the presentation of the corresponding Declarations or Certifications of Conformity with the ENS.

Furthermore, the applicability of the ENS is also extended to the supply chain of these private contractor companies to the extent necessary and in accordance with the results of the corresponding risk analysis, as set out in the new regulatory framework.

Highlights for private sector companies of the new ENS

  • These private companies will be required to have a Security Policy approved by the body with the highest executive powers, with the minimum content and requirements set out in Article 12 of the new ENS.
  • This provides legal certainty as to the content, structure and obligations of the Security Policies that companies must adopt.
  • It introduces and regulates basic principles that can be universally applied as a basis for building a robust system of digital security governance.

  1. Security as an integral process.
  2. Risk-based security management.
  3. Prevention, detection, response and maintenance.
  4. The existence of lines of defence.
  5. Continuous surveillance.
  6. Periodic reassessment.
  7. Differentiation of responsibilities.

From the point of view of how companies are organised, this last principle of differentiation of responsibilities is very relevant, since for the first time the different roles of those responsible are ordered in a taxonomic way: information manager, service manager, security manager and system manager.

  • Furthermore, responsibility for the security of information systems shall be differentiated from responsibility for the operation of information systems.
  • In addition, the principle is established that the security of information systems must involve all members of the organisation and must therefore be known by all persons within the organisation.
  • In the case of outsourced digital security services, the organisation providing these services must designate a POC (Point or Person of Contact) for the security of the information processed and the service provided.

For more information, see Royal Decree 311/2022, of 3rd May, regulating the National Security Scheme.

Vicente Moret, Of Counsel in the Legaltech area

Cristina Durante, Associate in the Legaltech area