The National Security Scheme (ENS), regulated by Royal Decree 311/2022 in the field of electronic administration, aims to determine the security policies that apply to the use of electronic media, guaranteeing the proper use of the information and services provided.
History and evolution of the ENS
The ENS has evolved progressively over the years since its first appearance in a Royal Decree. Its main objective is to establish minimum requirements that guarantee security (of data, communications, and electronic services) in electronic media, and to create common guides of use for Public Administrations and for technology providers in the private sector.
The growing use of digital technologies has imposed new cybersecurity programs on them; in fact, the increasing number of cyberattacks on agencies and users has been well documented.
The ENS was established in article 42 of Law 11/2007. The CCN (National Cryptological Center) established in the Royal Decree the STIC Security Guides (Information Technologies) to improve compliance with the ENS, in accordance with the provisions of article 29 of Royal Decree 3/2010.
Currently, it is governed by Royal Decree 311/2022, published on 3 May, which has 7 chapters comprising 41 articles.
Brief Summary of Chapters
A brief summary of each of them:
- General Provisions
It covers the scope of the scheme and the information systems that process personal data. Private companies that provide services to public entities must consider the procedures integrated in the National Security System included in Law 36/2015.
The treatment of personal information must be regulated according to the Law (LOPDGDD) (Organic Law on Data Protection and Guarantee of Digital Rights).
- Basic principles of the ENS
They regulate comprehensive security, risk-based security management, prevention, detection, response and conservation, the existence of lines of defense, continuous surveillance, periodic reassessment, and differentiation of responsibilities.
The awareness of the participants and the application of the corresponding security measures are promoted.
- Cybersecurity policies and minimum-security requirements
It refers to the set of guidelines that govern the structuring of security documentation, the system, and its access management.
The CCN, responsible for the security of Information and Communication Technologies (ICTs), defines the approved security guidelines.
Attention is paid to the information held on technological devices, applying procedures that ensure the recovery and conservation of data.
- System Security: Auditing, Reporting, and Security Incidents
It establishes an ordinary regular audit, at least every two years, to verify compliance with the National Security Scheme. In the case of modifications, extraordinary audits must be carried out. The reports from these audits are submitted to the system and security officer and may also be requested by the CCN.
The CCN-CERT (Information Security Incident Response Capacity of the National Cryptological Center) provides technical support and assistance for any failure in the information systems, offering recommendations and practices for applying the ENS.
- Compliance rules
It details the rules of digital administration, the life cycle of systems and services, the different control mechanisms that each entity must have, and the conformity determination procedures of the ENS, through which entities certify their conformity in accordance with the provisions of the Technical Security Instruction.
- Update of the National Security Scheme
The National Security Scheme will be updated permanently, being refined over time to adapt to technological advances.
- Categorization of information systems
Security categories and powers are determined according to the services a system offers and the information it handles.
As a digitizing company, at CENTUM Digital we help companies maintain a high level of cybersecurity while always respecting current regulatory compliance. If you want to know more, do not hesitate to contact us.
What’s new in the National Security Scheme 2022
- Differences in the basic principles of the ENS
In the 2010 National Security Scheme, the basic principles were prevention, reaction, and recovery. Under the new ENS, the principle of detection is introduced, through continuous surveillance.
- Changes to minimum requirements
Information systems must be designed following the principle of minimum privileges, guaranteeing that their configuration, administration, and registration are restricted to authorized persons.
- New security measures
Protection of cloud services: companies that provide cloud services must comply with the CCN-STIC security measures.
- National Cybersecurity Plan
Its frame of reference is the ESN policy (National Security Strategy) together with the security law of the Royal Decree. Its features include:
- The development of a national platform that allows the monitoring and follow-up of possible threats.
- The promotion of cybersecurity in SMEs and among the self-employed.
- The creation of an integrated cybersecurity system at the national level.
- The promotion of greater knowledge of cybersecurity in companies.
Which companies must comply with the ENS 2022?
The following must comply with the National Security Scheme:
- Public administrations and organizations belonging to the public sector (General State Administration, Autonomous Communities and Local Administration).
- Private companies that offer services or provide solutions to public entities.
This security scheme imposes actions included in the new National Cybersecurity Plan, which aims to strengthen and raise the cultural level of cybersecurity.
CENTUM Digital and the National Cybersecurity Scheme
At CENTUM Digital we care about our clients. We help them comply with the National Security Scheme, in both the public and private spheres, meeting the established regulations and providing security for companies.