Spain Esquema Nacional de Seguridad (ENS)
The ENS (Esquema Nacional de Seguridad) is a set of security controls and standards that service providers must implement in order to process data for Spanish public services (such as governments and public organizations).
In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by Royal Decree (RD) 3/2010. The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.
The framework applies to all public organizations and government agencies in Spain that purchase cloud services, as well as to providers of information and communications technologies (ICT). It guides these agencies and companies in implementing effective controls for security in the cloud and on premises, in compliance with Spanish and EU security and privacy standards.
The framework establishes core policies and mandatory requirements that both government agencies and their service providers must meet. It defines a set of specific security controls, many of which align directly with ISO/IEC 27001, relating to availability, authenticity, integrity, confidentiality, and traceability. The sensitivity of the information (low, intermediate, or high) determines the security measures that must be applied to protect it.
Each government agency is required to adopt a risk-management approach to security, whereby it identifies and assesses risks and then applies security controls appropriate to those risks. Service providers, too, must comply with the stringent framework requirements to help ensure that their procedures, technical capacities, and operations are secure and enable agencies to comply with the regulations.
The framework prescribes an accreditation process that is voluntary for systems handling information of low sensitivity, but mandatory for systems handling information at an intermediate or high level of sensitivity. An audit is performed by an accredited independent auditor. The report is then reviewed in a process of certification before risk-management controls are accepted in the final step of accreditation.