
ENS for Tech Companies: A Practical Certification Guide

abemon | 8 min read | Written by practitioners

Why ENS matters now

Spain’s Esquema Nacional de Seguridad (ENS, the National Security Framework) is no longer just for government agencies. Since Royal Decree 311/2022, private companies that provide services or solutions to the Spanish public sector, or want to, must demonstrate ENS conformity: a self-declaration is enough at basic category, while medium and high category require certification by an accredited body. And the market has noticed: public procurement tenders increasingly list ENS as a requirement, not a merit.

For a technology company with 30-200 people, ENS certification might look like a bureaucratic exercise. It shouldn’t be. Well executed, the process structures the organization’s security and creates a reusable framework for other certifications (ISO 27001, SOC 2). Poorly executed, it’s a documentation project that goes stale the day after the audit.

This guide assumes your company is a technology vendor (software development, cloud, data, consulting) needing ENS certification at medium category. It’s the most common scenario and the one with the most nuance.

Phase 1: Gap analysis (weeks 1-3)

The gap analysis is the phase most teams want to skip and the one that delivers the most value. Without knowing where you stand, you can’t plan where you need to go.

What to assess

ENS at medium category requires 55 security measures grouped into three frameworks:

Organizational framework (org): Security policy, security standards, operational procedures, authorization process. These are documents, but not empty ones. The auditor will verify they exist, are management-approved, and that staff knows about them.

Operational framework (op): Planning, access control, operations, external services, service continuity, system monitoring. This is where most of the technical work lives. Configuration management, vulnerability management, malware protection, activity logging.

Protection measures (mp): Facilities protection, personnel protection, equipment protection, communications protection, information media protection, application protection, information protection, service protection.

The gap analysis deliverable

A document indicating for each control:

Status                Meaning
Compliant             Control implemented and documented
Partially compliant   Implemented but documentation missing, or documented but implementation missing
Non-compliant         Doesn’t exist
Not applicable        Justification for why it doesn’t apply

In our experience, a tech company with good development practices but no explicit ENS focus typically sits at 40-50% compliance. Encryption in transit is already there (HTTPS everywhere). Basic access management exists (SSO, roles). What’s typically missing: formal documentation, systematic vulnerability management, centralized activity logging, and public-sector-specific controls.

Phase 2: Compliance plan (weeks 3-5)

With the gap analysis in hand, the compliance plan defines actions to close the gaps. It’s not a generic document; it’s a plan with owners, deadlines, and dependencies.

Practical prioritization

Not all controls cost the same. Our recommended sequence:

First: foundational documentation. Security policy, standards, roles and responsibilities. Without this, nothing else has a framework. Cost: low. Time: 1-2 weeks. Impact: high (unblocks everything else).

Second: access management. If you already have an IdP (Google Workspace, Microsoft Entra ID (formerly Azure AD), Okta), enforce MFA, review roles and remove dormant accounts, configure password policies, and document all of it, including the periodic access review itself: the auditor asks for the review records, not just the policy that promises them. It’s the most visible control in the audit and the one with the most overlap with ISO 27001. Cost: medium. Time: 2-4 weeks.

Third: logging and monitoring. Centralize logs, configure alerts, implement basic detection. You don’t need an enterprise SIEM for medium category; Wazuh (open source) or your cloud provider’s native logging covers the requirements. Cost: low-medium. Time: 2-4 weeks.

Fourth: vulnerability management. Periodic scans (Trivy for containers, Nuclei or Nessus for infrastructure), documented patching process, and a vulnerability register with tracking. Cost: low. Time: 2-3 weeks.

Fifth: service continuity. Continuity plan, recovery plan, documented tests. If you operate in cloud with infrastructure as code, recovery is easier to demonstrate. Cost: medium. Time: 3-4 weeks.
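The access review in the second step is the one piece of this sequence that is as much script as policy, so here is an added example (not code from the original article or from abemon) of what a quarterly review run looks like when it produces its own evidence. It reads a user export from the IdP and flags the three things an ENS auditor asks about: accounts without MFA, dormant accounts, and holders of privileged roles. The export field names, the 90-day dormancy threshold and the role names are assumptions; map them to what your IdP actually exports and to your access policy.

```python
"""Access review over an IdP user export: flags the findings an ENS auditor
asks about under access control (no MFA, dormant accounts, privileged roles)
and returns a dated review record that serves as evidence of periodicity."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not a real tenant). The field names are an
# assumption; map them to what Okta, Entra ID or Google Workspace export.
SAMPLE_EXPORT = json.dumps([
    {"user": "ana@example.org",    "roles": ["developer"],         "mfa": True,  "last_login": "2025-03-01T09:00:00Z", "active": True},
    {"user": "luis@example.org",   "roles": ["admin"],             "mfa": False, "last_login": "2025-02-20T09:00:00Z", "active": True},
    {"user": "old@example.org",    "roles": ["developer"],         "mfa": True,  "last_login": "2024-10-01T09:00:00Z", "active": True},
    {"user": "svc-ci@example.org", "roles": ["admin", "deployer"], "mfa": True,  "last_login": "2025-03-02T09:00:00Z", "active": True},
    {"user": "gone@example.org",   "roles": ["developer"],         "mfa": False, "last_login": "2024-01-01T09:00:00Z", "active": False},
])

DORMANT_DAYS = 90        # assumed threshold; write the real one into your access policy
PRIVILEGED = {"admin"}   # roles whose holders need an explicit business justification


def review_access(export_json, now, dormant_days=DORMANT_DAYS):
    """Return a review record: date, number of accounts reviewed, findings."""
    users = json.loads(export_json)
    findings = []
    for u in users:
        if not u["active"]:
            continue  # disabled accounts are out of scope for this review
        last = datetime.fromisoformat(u["last_login"].replace("Z", "+00:00"))
        held = PRIVILEGED & set(u["roles"])
        if not u["mfa"]:
            findings.append((u["user"], "NO_MFA", "MFA not enrolled"))
        if now - last > timedelta(days=dormant_days):
            findings.append((u["user"], "DORMANT", f"no login for {(now - last).days} days"))
        if held:
            findings.append((u["user"], "PRIVILEGED", "holds " + ", ".join(sorted(held))))
    return {
        "review_date": now.date().isoformat(),
        "accounts_reviewed": sum(1 for u in users if u["active"]),
        "findings": [{"user": a, "type": t, "detail": d} for a, t, d in findings],
    }


if __name__ == "__main__":
    # Commit the printed record to the evidence repository after each run.
    print(json.dumps(review_access(SAMPLE_EXPORT, datetime.now(timezone.utc)), indent=2))
```

Run it from a scheduled job and store the output next to the sign-off of whoever resolved each finding; a folder of dated records is exactly the "demonstrable periodicity" the auditor looks for.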

The enemy: documentation

Let’s be honest. For most engineering teams, security documentation is the most tedious aspect of ENS. Incident management procedures, continuity plans, acceptable use policies, access review records. You have to write it, maintain it, and prove it.

Two approaches that work:

Templates + adaptation: Spain’s CCN-CERT publishes guides (CCN-STIC series) with templates for most required documents. They’re not perfect, but they’re a starting point the auditor knows and accepts. Adapting them to your reality is faster than writing from scratch.

Documentation as code: Policies and procedures in a Git repository, versioned, with pull requests for changes. The merge history shows when each version took effect, and the PR shows who reviewed and approved it. One caveat: commit dates and author names are whatever the committer sets them to, so the evidence that holds up is the server-side merge record under branch protection (required reviewers, no force-push) or signed commits, not the commit metadata alone. Not the traditional approach, but modern auditors accept it (and some prefer it).

Phase 3: Implementation (months 2-6)

Implementation is where the plan becomes reality. The technical controls requiring the most effort for cloud-based tech companies:

Configuration management (op.exp.2, op.exp.3)

ENS requires system configurations to be documented, controlled, and auditable. If you already use Terraform, Ansible, Helm charts, or similar, you’re 80% there. What’s missing:

  • A documented configuration baseline for each system type.
  • A change management process recording who changed what and when.
  • Periodic verification that actual configuration matches the baseline.

Tools like AWS Config, Azure Policy, or custom compliance scripts cover verification. The key point: infrastructure as code isn’t just good engineering; it’s compliance evidence.
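The third bullet, periodic verification against the baseline, is where a "custom compliance script" earns its place. As an added example (not the article's or abemon's code), this one parses an sshd_config collected from a host, applies sshd's first-occurrence-wins rule and stops at the first Match block, compares the global directives with a documented baseline, and emits a dated evidence record. The baseline values, host name and sample config are assumptions; take the real baseline from the hardening guide your security standard references.

```python
"""Baseline verification: parse a running sshd_config and report every
directive that drifts from the documented baseline. The result is a dated
evidence record that the periodic check ran and what it found."""
import json
import re
from datetime import date

# Baseline values are an assumption for this example; take yours from the
# hardening guide your security standard references (e.g. CCN-STIC for ENS).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config as it might be collected from a host (not real).
SAMPLE_SSHD_CONFIG = """\
# sshd_config collected from web-01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(.+?)\s*$")


def parse_sshd_config(text):
    """Return {directive: value} for the global section only.

    sshd uses the first occurrence of each directive, and everything after a
    'Match' line is conditional, so stop there and keep first-wins semantics."""
    config = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() == "match":
            break
        config.setdefault(key, value)  # first occurrence wins, as in sshd
    return config


def check_against_baseline(actual, baseline):
    """Return (directive, expected, found) for every deviation.
    A directive absent from the file is reported with found=None: sshd's
    built-in default may or may not match, so the baseline wants it explicit."""
    drift = []
    for key, expected in baseline.items():
        found = actual.get(key)
        if found is None or found.lower() != expected.lower():
            drift.append((key, expected, found))
    return drift


def evidence_record(host, text, baseline=SSHD_BASELINE, on=None):
    """Dated, machine-readable record suitable for the evidence repository."""
    drift = check_against_baseline(parse_sshd_config(text), baseline)
    return {
        "host": host,
        "checked_on": (on or date.today()).isoformat(),
        "compliant": not drift,
        "drift": [{"directive": k, "expected": e, "found": f} for k, e, f in drift],
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record("web-01", SAMPLE_SSHD_CONFIG), indent=2))
```

The same shape (collect, parse, diff against a versioned baseline, emit a dated record) works for any system type; the baseline file lives in the same repository as the Terraform or Ansible that is supposed to produce it, so a drift finding points directly at either a manual change or a gap in the code.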

Malware protection (op.exp.6)

Signature antivirus on every server is a poor fit for tech companies running Linux and containers, but the measure still applies; what changes is how you meet it:

  • Container image scanning in the CI pipeline (Trivy, Snyk Container).
  • Static dependency analysis (Dependabot, Renovate + security audits).
  • Endpoint protection on developer workstations (if using macOS/Windows).

The auditor wants to see that a process exists, runs automatically, and findings are managed.
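Container image scanning in CI (this section) and the vulnerability register from the compliance plan's fourth step both start from the same scanner output, so one added example serves both. It is not the article's or abemon's code: it reads a Trivy JSON report (the Results[].Vulnerabilities[] layout Trivy emits with --format json), fails the pipeline only on fixable findings at blocking severities, and turns every finding into a register row with an owner, a due date derived from a severity SLA, and a status. The SLA days, the blocking severities, the artifact name and the placeholder IDs are all constructed for the example and are not real vulnerabilities.

```python
"""Pipeline gate plus vulnerability register over a Trivy JSON report.
One scan feeds two ENS evidences: the CI gate (scanning runs automatically
and blocks on policy) and the register (each finding has an owner, a due
date and a status that is tracked to closure)."""
import json
from datetime import date, timedelta

# Remediation SLAs by severity, in days. Assumed values: write the ones you
# commit to into your vulnerability management procedure.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
GATE_BLOCKS_ON = {"CRITICAL", "HIGH"}   # severities that fail the build when a fix exists

# Constructed report in Trivy's JSON layout. IDs are placeholders, not real CVEs.
SAMPLE_TRIVY_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.org/app:1.4.2",
    "Results": [{
        "Target": "registry.example.org/app:1.4.2 (debian 12.5)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3", "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "curl",    "InstalledVersion": "7.88.1", "FixedVersion": "",     "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib1g",  "InstalledVersion": "1.2.13", "FixedVersion": "1.2.14", "Severity": "MEDIUM"},
        ],
    }],
})


def parse_trivy(report_json):
    """Flatten a Trivy JSON report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when a target is clean
            findings.append({
                "id": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,
                "severity": v["Severity"].upper(),
                "target": result["Target"],
            })
    return findings


def gate(findings, blocks_on=GATE_BLOCKS_ON):
    """Fail the build only on fixable findings at blocking severities.
    Findings without an upstream fix cannot be patched yet; they go to the
    register with a risk acceptance instead of blocking every deploy."""
    blocking = [f for f in findings if f["severity"] in blocks_on and f["fixed"]]
    return (len(blocking) == 0), blocking


def build_register(findings, artifact, found_on, owner):
    """Register rows with a due date derived from the severity SLA."""
    rows = []
    for f in findings:
        due = found_on + timedelta(days=SLA_DAYS.get(f["severity"], 180))
        rows.append({
            "id": f["id"], "artifact": artifact, "package": f["package"],
            "severity": f["severity"], "found_on": found_on.isoformat(),
            "due": due.isoformat(), "owner": owner,
            "status": "open" if f["fixed"] else "awaiting-upstream-fix",
        })
    return rows


def overdue(register, today):
    """Open rows past their due date: the list the weekly review has to explain."""
    return [r for r in register if r["status"] == "open" and date.fromisoformat(r["due"]) < today]


if __name__ == "__main__":
    findings = parse_trivy(SAMPLE_TRIVY_REPORT)
    passed, blocking = gate(findings)
    print("gate:", "PASS" if passed else "FAIL", [b["id"] for b in blocking])
    for row in build_register(findings, "app:1.4.2", date.today(), "platform-team"):
        print(row)
```

In the pipeline, the gate step exits non-zero on FAIL; the register rows are appended to whatever tracker you use (a table in the compliance repository is enough at medium category), and the overdue list is what the periodic review discusses. That closes the loop the auditor is looking for: scan runs automatically, findings are managed, and there is a record of both.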

Activity logging (op.exp.8)

Every in-scope system must generate activity logs recording: who accessed, when, from where, and what they did. Logs must be stored securely (immutable or tamper-protected) for the retention period defined in policy.

For a cloud-based company, the practical approach:

  • CloudTrail / Activity Log / Audit Log from the cloud provider for infrastructure operations.
  • Structured application logs (JSON) shipped to a centralized system.
  • Access logs for sensitive data with business context fields (which case, which data).
  • Minimum 12-month retention (ENS doesn’t specify an exact period, but 12 months is the accepted practice for medium category).
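What "immutable or tamper-protected" means in practice is easier to show than to describe, so here is an added example (not the article's or abemon's code) of a structured activity log whose records carry the who, when, from where and what fields above, plus the business context field, and are chained with SHA-256 so that an edited or deleted record is detectable at verification time. The application, actors, IP addresses and case identifiers are constructed; the chain itself is a standard construction and sits in front of whatever write-once storage (object lock, append-only bucket) you ship the records to.

```python
"""Tamper-evident activity log: every record is JSON with the who/when/
from-where/what fields ENS asks for, plus a SHA-256 chained over the previous
record, so edits or deletions in the stored file show up at verification."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # hash "before" the first record


def _digest(prev_hash, record):
    # Canonical serialisation so the hash is reproducible wherever it is verified.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain, *, actor, action, source_ip, resource, outcome, ts, **context):
    """Append one event. `context` carries the business fields (case id,
    data class) that make the record meaningful to an auditor, not only to ops."""
    record = {
        "ts": ts.isoformat(), "actor": actor, "action": action,
        "source_ip": source_ip, "resource": resource, "outcome": outcome,
        "context": context,
    }
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return chain[-1]


def verify_chain(chain):
    """Return (ok, index_of_first_bad_entry). Recomputes every hash and
    checks that each entry points at its predecessor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def retention_check(chain, now, minimum_days=365):
    """Days of history actually held and whether that meets the policy minimum
    (365 here follows the 12-month practice the article describes)."""
    if not chain:
        return 0, False
    oldest = datetime.fromisoformat(chain[0]["record"]["ts"])
    covered = (now - oldest).days
    return covered, covered >= minimum_days


def build_sample_chain():
    """Constructed events for a case-management application (not real traffic)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    chain = []
    append_event(chain, actor="ana@example.org", action="login", source_ip="203.0.113.10",
                 resource="portal", outcome="success", ts=t0)
    append_event(chain, actor="ana@example.org", action="read", source_ip="203.0.113.10",
                 resource="/cases/4711/documents", outcome="success",
                 ts=t0 + timedelta(minutes=2), case_id="4711", data_class="personal")
    append_event(chain, actor="luis@example.org", action="export", source_ip="198.51.100.7",
                 resource="/cases/4711/export", outcome="denied",
                 ts=t0 + timedelta(hours=1), case_id="4711", reason="missing role")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["record"]["outcome"] = "denied"   # simulate an after-the-fact edit
    print("after tampering:", verify_chain(chain))
```

The chain proves integrity, not availability: someone with write access can still truncate the file from the end. Periodically anchoring the latest hash somewhere the log writer cannot reach (a separate account, a ticket, a signed daily digest) closes that gap, and the verifier then checks the stored chain against the anchored value.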

Encryption (mp.com, mp.info)

ENS at medium category mandates encryption in transit and recommends encryption at rest. In practice:

  • TLS 1.2+ for all communications, internal service-to-service traffic included. No exceptions. Prefer TLS 1.3 and disable legacy cipher suites where you control the configuration.
  • Encryption at rest for databases and storage. In cloud, enable native encryption (RDS encryption, S3 server-side encryption) and keep the evidence that it is on for every in-scope resource.
  • Key management: cloud provider KMS or HashiCorp Vault. Keys must not be hardcoded or committed to repositories; enforce that with a secret-scanning check in CI or a pre-commit hook rather than relying on the policy alone.
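The last bullet is a rule that only holds if something enforces it. As an added example (not the article's or abemon's code), here is the kind of check a pre-commit hook or CI step runs over changed files: it matches known key formats and catches opaque tokens by Shannon entropy, while letting documentation examples and templated references through. The pattern set, entropy threshold and allowlist are assumptions to tune for your own false-positive rate; the sample file is constructed and contains no real credentials (the AKIA…EXAMPLE value is the one AWS's own documentation uses as a placeholder).

```python
"""Pre-commit check for hardcoded keys: known key formats by pattern, plus a
Shannon-entropy heuristic for opaque tokens the patterns miss. Run it over
staged files and fail the commit on any hit."""
import math
import re

# Known formats. Scope is an assumption: extend it for the providers you use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value": only the quoted value is examined, and only when long enough to be a credential
    "generic_assignment": re.compile(r"(?i)(?:secret|api[_-]?key|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off, tune on your own corpus
ALLOWLIST = re.compile(r"(?i)(example|placeholder|changeme|\$\{[^}]+\})")

# Constructed snippet; none of these are real credentials.
SAMPLE_FILE = """\
# constructed config, not real secrets
aws_access_key_id = AKIA0123456789ABCDEF
doc_example_key   = AKIAIOSFODNN7EXAMPLE
db_password = "${VAULT_DB_PASSWORD_REF}"
api_key = "supersecretpassword"
token = "q7Hs2kPz9vLx4mNb8rTy1wEc"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, redacted_excerpt) for every hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                if ALLOWLIST.search(value):
                    continue  # documented placeholder or a reference resolved at deploy time
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy value is a dummy or a word, not a credential
                hits.append((path, no, kind, value[:8] + "..."))   # never echo the full value
    return hits


if __name__ == "__main__":
    # Usage as a hook: git diff --cached --name-only | xargs python check_secrets.py
    import sys
    hits = [h for p in sys.argv[1:]
            for h in scan_text(open(p, encoding="utf-8", errors="ignore").read(), p)]
    for h in hits:
        print("%s:%d: %s (%s)" % h)
    sys.exit(1 if hits else 0)
```

The scanner prints only a redacted prefix of each hit, so its own output can go into the CI log without becoming a second leak. A dedicated tool such as gitleaks or trufflehog covers far more formats; the point of the example is the shape of the control: pattern plus entropy plus an explicit allowlist, enforced before the secret reaches the repository.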

Phase 4: Internal audit (month 5-6)

The internal audit is mandatory before certification. It must be conducted by someone independent of the implementation team. This can be an internal team from another area or an external consultant.

The internal audit has two purposes:

  1. Identify non-conformities before the external auditor finds them. Fixing an internal finding is cheaper than explaining one during the certification audit.
  2. Generate evidence that the continuous improvement cycle works. The external auditor will see the internal audit report, identified non-conformities, and corrective actions. This demonstrates system maturity.

Practical advice: don’t aim for a clean internal audit. Aim for one that finds things that need fixing. An audit with zero findings generates more suspicion than one with managed findings.

Phase 5: Certification (month 6-8)

Certification is performed by an entity accredited by ENAC (Spain’s National Accreditation Body). About a dozen entities are accredited for ENS audits in Spain.

What to expect from the audit

The auditor will review:

  • Complete documentation: Policy, standards, procedures, compliance plan, statement of applicability, risk analysis, internal audit report.
  • Technical evidence: Actual configurations, logs, scan results, access records, continuity tests.
  • Interviews: They’ll speak with the security officer, technical staff, and possibly non-technical personnel to verify that training is real.

Non-conformities

Non-conformities are classified as:

  • Major: Complete absence of a required control, or a control that doesn’t work at all. These block certification until corrected.
  • Minor: The control exists but has deficiencies. Certification can be obtained with a corrective plan.
  • Observations: Improvement suggestions. Don’t affect certification.

In our experience, the most common non-conformities at tech companies:

  1. Lack of documented security training for all personnel.
  2. Access reviews without demonstrable periodicity.
  3. Continuity plan without documented tests.
  4. Supplier management without formal security evaluation.

None of these are technical. They’re process and documentation issues. Which reinforces the point: the technical part is the easy part.

Realistic cost and timeline

For a technology company of 50-150 people, cloud-based infrastructure, and medium maturity:

Item                                      Estimate
Gap analysis + plan (consultancy)         EUR 5,000-15,000
Technical implementation (internal)       2-4 months of 1-2 people
Documentation (internal + consultancy)    EUR 8,000-20,000
Tools (SIEM, scanning, compliance)        EUR 5,000-15,000/year
Internal audit                            EUR 3,000-8,000
Certification (external auditor)          EUR 8,000-18,000
Total estimate                            EUR 30,000-75,000
Total timeline                            6-8 months

The range is wide because it depends enormously on the starting point. A company with ISO 27001 can certify for ENS in 3-4 months at half the cost. A company with no formal security framework will need the high end of the range.

After certification

ENS certification isn’t a project; it’s a continuous management system. It requires:

  • Annual risk analysis review.
  • Annual internal audits.
  • Procedure updates when systems change.
  • Periodic staff training.
  • Recertification every 2 years (medium category).

The most common post-certification mistake: relaxing. Thirty percent of companies that certify have problems at recertification because they stopped maintaining the system. A managed compliance service that keeps the system alive between audits is worth the investment.

ENS is not a destination. It’s a starting point for mature security management that, incidentally, opens the doors to the Spanish public sector market and paves the way to ISO 27001 and SOC 2. For the latest ENS 2025 requirements for cloud providers, see our recent analysis.

About the author


abemon engineering

Engineering team

Multidisciplinary engineering, data and AI team headquartered in the Canary Islands. We build, deploy and operate custom software solutions for companies at any scale.