
ENS 2025: New Requirements for Cloud Providers

abemon | 5 min read | Written by practitioners

ENS is no longer just for public administration

Royal Decree 311/2022 (which updated the original 2010 Esquema Nacional de Seguridad) extended ENS scope to all technology providers serving the Spanish public sector. That includes cloud providers, software companies, system integrators, and technology consultancies.

If you are not familiar with ENS: think of it as Spain’s equivalent of FedRAMP, but for all public sector levels — national, regional, and local government. It defines mandatory security controls for any system that processes public sector data.

In 2025, Spain’s National Cryptologic Center (CCN) published new technical guidelines (the CCN-STIC 800 series) that specify requirements for cloud service providers. These are not optional if your company sells, or wants to sell, to the Spanish public sector.

What changed

Three main changes affect cloud providers.

Cloud service classification by level. The CCN now classifies cloud services into three categories based on required security level: basic, medium, and high. A document storage service for non-classified data may require basic. A service processing citizen personal data requires medium. Anything touching national security data or sensitive public sector data requires high.

The level determines which controls you must implement. High level requires: encryption in transit and at rest with CCN-approved algorithms, multi-factor authentication for all administrative access, audit logs of all operations for a minimum of 5 years, and data centers located within EU territory.

Supply chain. ENS now requires first-tier providers to verify that their subcontractors (infrastructure providers, third-party services) also comply. If your cloud service runs on AWS or Google Cloud, you need to document that the underlying infrastructure provider holds adequate certifications. AWS has high-level ENS certification. Google Cloud has medium (and is in process for high). Azure has high.

Incident notification. Notification timelines have tightened. High-level incidents must be reported to CCN-CERT within 24 hours (previously 72). Medium-level within 48 hours. And the notification is not a generic email; it requires a structured report with impact assessment, containment measures, and a remediation plan.

Who this directly affects

If your company meets any of these criteria, pay attention:

  • You sell software or cloud services to any Spanish public administration (national, regional, or local)
  • You are a subcontractor of an integrator selling to the public sector
  • You operate infrastructure that hosts public sector data
  • You want to bid on public contracts that include a technology component

Company size is irrelevant. A 5-person startup selling a document management SaaS to a town council is subject to the same requirements as a large provider.

What to do

ENS certification is a formal process audited by certification entities accredited by ENAC (Spain’s national accreditation body). But there are preliminary steps before you get there.

Determine your required level. It depends on the type of data you handle and the security level required by your public sector clients. If unsure, the CCN publishes guide CCN-STIC 803 with detailed classification criteria.

Run a gap analysis. Compare your current controls against the requirements for your target level. Guides CCN-STIC 804 (security measures) and 808 (audits) detail the specific controls. Many companies discover they already meet 60-70% of basic-level controls simply by having good security practices.

Implement missing controls. The most common gaps we see in technology SMEs: lack of a formal documented security policy, absence of centralized audit logging, and lack of a tested business continuity plan. None require expensive technology; they require process and documentation.

Get certified. The ENS audit is performed by an accredited entity. The typical process takes 2-4 months for basic level and 4-8 months for medium. Cost ranges from EUR 5,000 to EUR 25,000 depending on scope and complexity.

The STIC catalog as an accelerator

The CCN maintains the STIC Products and Services Catalog (CPSTIC), a list of technology products that have been evaluated and approved for public sector use. Inclusion is not mandatory, but it is an enormous competitive advantage in public procurement.

The inclusion process is independent of ENS certification but complementary. It requires a technical evaluation of the product by the CCN, which can take 3-6 months.

Why this matters beyond Spain

ENS aligns with the EU’s NIS2 Directive (Network and Information Security), which all member states must transpose by October 2024. Companies that achieve ENS compliance are well-positioned for NIS2 requirements across Europe: the control frameworks overlap significantly, especially around incident notification, supply chain security, and governance. For companies that need ENS alongside ISO 27001 and SOC 2, our unified certification guide details the overlap between frameworks.

For companies based outside Spain looking to serve the Spanish public sector, ENS certification is effectively a market access requirement. But it is also a strong signal of security maturity that resonates across European public procurement.

If you need to assess your current compliance level, our cloud and DevOps team performs ENS assessments tailored to cloud providers. You can also explore our managed services that include ENS compliance as part of the service.

About the author


abemon engineering

Engineering team

Multidisciplinary engineering, data and AI team headquartered in the Canary Islands. We build, deploy and operate custom software solutions for companies at any scale.