NexTReT, along with Pymelegal, aims to address two important topics for the public sector: compliance with the ENS and the GDPR.
What is the ENS?
The National Security Scheme (ENS) is a state-level regulation that ensures the protection and security of information within the scope of the public administration and its providers, against any threat that may occur.
It was created in 2010 to protect the information systems and sensitive data that public entities manage on a daily basis, ensuring their availability, integrity, confidentiality, authenticity, and traceability.
In 2022, the regulation was revised to adapt it to the current landscape of logical and physical threats. This regulatory framework defines the basic principles, minimum requirements, and security measures needed to adequately protect the information processed and the services provided by the Spanish Public Sector and its collaborating providers.
Who is obligated to comply with the ENS?
The ENS is mandatory for all entities of the Spanish public sector at the state, regional, and local levels. This includes:
- General State Administration bodies.
- Managing entities and common services of Social Security.
- State agencies and autonomous bodies.
- Public Law entities with their own legal personality linked to or dependent on the General State Administration, autonomous communities, and local entities.
- Public universities and other public bodies linked to them.
- Public business entities and other public bodies.
Private providers that supply services to these administrations are also obligated to comply.
Complying with the ENS is not only a legal obligation but also helps preserve the reputation and trust of public organizations.
What security measures does the ENS include?
The ENS establishes a series of security measures to guarantee the protection of information within the scope of public administration in Spain. These measures cover various areas; some of the most important are:
- Risk management: The ENS requires public entities to conduct periodic risk assessments to identify threats and vulnerabilities and establish measures to mitigate risk.
- Security policy: Public entities must define and document an information security policy that establishes principles and objectives to follow within the organization.
- Physical security: Measures must be implemented to protect information assets, such as surveillance systems, physical access controls to facilities, or protection against fires and natural disasters.
- Information systems security: Requirements must be established to protect information systems, such as user authentication and authorization, password management, data encryption, patch management and updates, and protection against malware and other cyberattacks.
- Security incident management: Procedures and resources must be in place to detect, manage, and respond to information security incidents effectively, minimizing their impact and restoring operations as soon as possible.
- Data protection: Measures must be established to protect the confidentiality, integrity, and availability of data, including information classification and labeling policies, data access control, backup procedures, and record management.
- Training and awareness: Training and awareness in information security must be provided to staff to promote a security culture and ensure compliance with these policies.
These are just some of the security measures included in Annex II of the ENS. Together they allow public entities and their providers to secure their systems and the information they process in an increasingly digital and complex environment.
Relationship between the GDPR and the ENS: Why should you comply with both regulations?
The ENS and the GDPR are two key regulations in the field of security, each with its own focus, but complementary to each other:
- Both are aimed at protecting the confidentiality, integrity, and availability of information. The ENS focuses on information security in general and covers both personal and non-personal data, while the GDPR specifically focuses on the protection of personal data and establishes more detailed requirements regarding its processing, such as collection, processing, and storage of such data.
- Both regulations aim to promote high security standards in the processing of information. The ENS establishes measures for public entities, while the GDPR applies to all sectors and economic activities.
- Organizations subject to both the ENS and the GDPR must comply with the requirements and obligations of both regulations.
- The risk management approach promoted by the ENS can complement the risk-based approach of the GDPR. Both regulations require organizations to identify and assess the risks involved in processing information and personal data and to implement measures to mitigate them.
- Non-compliance with the GDPR can result in severe financial penalties that can rise to millions of euros in serious cases for private companies. For public administrations, warnings and reputational damage are factors that must be taken into account.
How we can help you with your ENS certification
The process of complying with the ENS and subsequently obtaining certification is complex, but NexTReT can assist you. We are backed by extensive experience helping other companies and public bodies obtain ENS certification, and by our own HIGH-level ENS certification covering all of our services.
Certification is a necessary requirement to bid for many public tenders, and it also demonstrates the organization’s commitment to information security.
If you need to address ENS compliance, NexTReT can assist you with a preliminary assessment and audit to define your personalized roadmap.
Remember that it is important to comply with both regulations we have discussed to protect the security of information and data.
If you need help implementing data protection in your business, contact NexTReT, and we will provide you with the proposal your business needs.