ENS 2022. How does it affect you?
ENS 2022. Everything you need to know.
On 3 May 2022, Royal Decree 311/2022 regulating the National Security Scheme (ENS) was published in the Official State Gazette, repealing Royal Decree 3/2010 and its subsequent update in 2015.
This new regulation updates, clarifies and implements the previous regulation, which, although it has been mandatory and in force for several years, is still being ignored by many entities.
Are you obliged to comply with the ENS?
As stipulated in article 2 of RD 311/2022, the ENS is applicable to and mandatory for the entire public sector. This includes the administrations of the State, Autonomous Communities, Local Administrations and public law entities. These administrations are obliged to comply with it and to adapt their information systems.
Likewise, it will also apply to systems that process classified information, to public sector entities when they carry out the deployment of 5G networks, and to private sector entities “when, in accordance with the applicable regulations and by virtue of a contractual relationship, they provide services or solutions to public sector entities for the exercise by the latter of their competences and administrative powers”.
Therefore, if your company has contractual relations with a public administration, it is also obliged to comply with the ENS.
What are the most important new features and changes in the ENS?
Below you will find a summary of the main new features of this new version of the National Security Scheme:
One of the first new features is the incorporation of the “specific compliance profile”. The aim of this is to ensure that compliance with the new scheme can be achieved in a more effective and efficient way, rationalising resources without undermining the protection sought and required.
This compliance profile will allow the ENS to be adapted to each organisation, highlighting the personalisation and capacity to adapt to specific needs, especially for smaller companies with more limited resources.
Secondly, the new ENS establishes a protocol for action in the event of cyber-incidents focused on two main objectives: on the one hand, to articulate the response to incidents and, on the other, to establish the conditions for notifying cybersecurity incidents. In this regard, the obligation to notify the CCN-CERT (National Cryptologic Centre – Computer Emergency Response Team) of security incidents is established as follows:
Public sector entities shall notify the CCN of incidents that have a significant impact on the security of information systems.
Private sector entities that provide services to public entities must notify INCIBE-CERT of incidents that affect them, which will inform the CCN-CERT.
Thirdly, another of the new features of the ENS is the incorporation of a new coding system for the requirements of security measures. In this respect, the main objective is to facilitate the security of information systems, their implementation and auditing in a proportionate manner.
The requirements for measures have been codified and organised as follows: pre-existing baseline requirements and possible security enhancements, with some enhancements being optional. The statement of applicability will now become more important.
In the area of principles, requirements and measures, the ENS has added the basic principle of continuous monitoring, the function of which is the continuous assessment of the security status of assets, to detect possible vulnerabilities and identify configuration deficiencies.
Broadly speaking, the minimum requirements remain almost unchanged, with some adjustments such as the change of terminology from “security by default” to “least privilege”.
On the other hand, in order to achieve compliance with the basic principles and minimum requirements, the security measures set out in Annex II of the ENS are applied, which are divided into three groups: organisational framework [org], operational framework [op] and protection measures [mp].
With the update of the ENS, there have been no changes to the organisational framework. However, in the operational framework and protection measures, those measures that have a greater impact on security configuration, intrusion detection, supply chain protection, etc. have been reinforced.
In this regard, the Point or Person of Contact (POC) has been established: a measure aimed at designating a person responsible for incident management, so that it is clear who to turn to when an incident occurs.
Likewise, new measures have been incorporated, such as those relating to the protection of cloud services, interconnection and other interconnected devices that respond to current changes and the projection of the times to come.
Last but not least, the new ENS entrusts the CCN and the National Institute of Public Administration with the development of awareness-raising, sensitization and training programs aimed at the staff of public sector entities.
The CCN-CERT (National Cryptologic Centre) has published on its website several infographics on the new ENS that can be easily consulted and are of great interest.
What is the deadline for adaptation?
Although it is true that the ENS is already applicable to new information systems, its Single Transitional Provision establishes a period of 24 months from its entry into force for pre-existing systems to achieve full compliance. In short, the new National Security Scheme must be implemented before 5 May 2024, so we recommend that you start updating to this new ENS as soon as possible.
If you still have any doubts, Seifti can help you to better understand these changes and their adaptation to the new version of the standard.