ENS Security Levels: Low, Medium, and High

By Eduard Bardaji on Jan 28, 2026 11:00:00 AM

The National Security Framework (ENS) is the Spanish regulatory framework that establishes the principles, minimum requirements, and security levels applicable to information systems in the public sector and to companies that manage sensitive information or collaborate with the government. The objective of the ENS is to protect information and digital services against threats, ensuring the confidentiality, integrity, availability, authenticity, and traceability of data.

A key element of the ENS is its three security levels (Low, Medium, and High), which determine the protection measures that each organization must implement according to the potential impact of a security incident. Below, we detail each level with practical examples for companies.

What Are Security Levels in the ENS?

The security levels in the ENS are established based on the impact a security incident would have on the organization, its assets, services, or affected individuals. Each security dimension (confidentiality, integrity, availability, authenticity, and traceability) can be affected to different degrees, resulting in a security category for the information system.

In summary:

  • Low Level: Limited impact.

  • Medium Level: Serious impact.

  • High Level: Very serious impact.

This classification not only serves to evaluate risks but also to determine the security measures and controls to apply and the type of ENS certification required.
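The sketch below is an added example, not part of the original article, showing how per-dimension impact ratings roll up into a system category. It assumes the ENS highest-level rule (the system takes the highest level reached in any dimension); the asset names and ratings are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    NA = 0       # dimension not applicable to this asset
    LOW = 1
    MEDIUM = 2
    HIGH = 3

DIMENSIONS = ("confidentiality", "integrity", "availability",
              "authenticity", "traceability")

def categorize(assets):
    """assets: {name: {dimension: Level}}; returns the system-level result."""
    per_dim = {d: Level.NA for d in DIMENSIONS}
    for name, ratings in assets.items():
        unknown = set(ratings) - set(DIMENSIONS)
        if unknown:
            raise ValueError(f"{name}: unknown dimension(s) {sorted(unknown)}")
        for dim, lvl in ratings.items():
            # A dimension is as sensitive as the most sensitive asset in it.
            per_dim[dim] = max(per_dim[dim], Level(lvl))
    category = max(per_dim.values())
    if category is Level.NA:
        raise ValueError("no dimension was assessed; system cannot be categorized")
    return {
        "category": category,
        "dimension_levels": per_dim,
        # Dimensions that set the category: where the stricter controls are owed.
        "drivers": [d for d in DIMENSIONS if per_dim[d] == category],
        # Per the article: Medium and High certification need an external audit.
        "external_audit": category >= Level.MEDIUM,
    }

# Constructed sample system (hypothetical assets and ratings).
SAMPLE = {
    "public_catalogue": {"confidentiality": Level.LOW, "integrity": Level.MEDIUM,
                         "availability": Level.MEDIUM},
    "citizen_records":  {"confidentiality": Level.HIGH, "integrity": Level.MEDIUM,
                         "authenticity": Level.MEDIUM, "traceability": Level.MEDIUM},
}

if __name__ == "__main__":
    result = categorize(SAMPLE)
    print(result["category"].name, result["drivers"], result["external_audit"])
```

A single High rating in one dimension is enough to place the whole system at High, so the `drivers` list shows which dimension to re-examine before accepting the stricter category.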

Low Security Level

When Is It Applied?

The Low level is assigned to systems where a security incident would have limited consequences on processes, assets, or individuals. This means that while a failure could occur, the impact would not compromise essential functions or cause severe losses.

Key Characteristics

Organizations categorized at this level implement basic security measures, sufficient to protect information from common threats but without complex requirements. Typical measures include:

  • Basic access and authentication policies.

  • Anti-malware and antivirus controls.

  • Periodic backups.

  • Basic event monitoring.

Examples:

Small businesses or startups with low-impact information, such as:

  • Small online stores managing customer data without sensitive financial information.

  • Local service companies recording contacts and internal administrative data.

  • Internal document management systems with restricted access.

In these cases, a security incident would not halt core activities or cause significant harm to clients or the company itself.

Medium Security Level

When Is It Applied?

The Medium level is appropriate for systems where a security breach could cause serious damage to the organization or its users, though not catastrophic. This level is common in companies with sensitive information or services supporting important business processes.

Requirements and Controls

This level requires more rigorous and specific security controls. Some measures include:

  • Enhanced or multi-factor authentication (e.g., 2FA).

  • Advanced access controls.

  • Continuous monitoring and internal auditing.

  • Documented risk management.

  • Business continuity plan.

Unlike the Low level, Medium-level ENS certification requires an external audit by an accredited organization.

Examples:

Companies or systems with significant impact, such as:

  • E-commerce platforms processing payments and customer data with personal and financial information.

  • SaaS platforms managing enterprise user data.

  • IT departments in mid-sized companies, where a failure would affect key operations.

A security incident in these contexts could result in significant financial losses or operational difficulties, hence the need for reinforced controls.

High Security Level

When Is It Applied?

The High level applies when an incident would have a very serious impact on the organization, its assets, or affected individuals. This level is reserved for the most critical systems, where the managed information is highly sensitive or vital for the continuity of essential services.

Advanced Requirements and Controls

The security measures required at this level are the strictest in the ENS and include:

  • Mandatory multi-factor authentication for all access.

  • Advanced data encryption at rest and in transit.

  • Integrated monitoring and continuous security event tracking.

  • Granular access control and identity management.

  • Detailed incident response and business continuity plans.

  • Periodic audits and penetration testing.

Additionally, the High-level certification process requires an accredited external audit and higher maturity levels in implemented security processes.

Examples:

Typical cases of companies or systems at the High level:

  • Banks processing critical financial transactions.

  • Cloud infrastructure providers supporting government services.

  • Healthcare organizations with sensitive clinical records and health data.

  • Technology platforms managing government or strategic data.

In these organizations, a security breach can have severe reputational and legal consequences, or compromise compliance obligations for essential services.

How Levels Impact Business Cybersecurity Strategy

Benefits of Proper Classification

Correctly classifying systems according to the ENS helps companies to:

  • Prioritize security investments aligned with actual risk.

  • Comply with legal and regulatory requirements, especially when working with government agencies or sensitive data.

  • Demonstrate trust and maturity to clients and partners through recognized certifications.

Relationship with Other Security Standards

The ENS does not exist in isolation; many companies combine its implementation with other security frameworks, such as ISO/IEC 27001, to achieve a comprehensive approach to information security management.

The ENS security levels (Low, Medium, and High) are fundamental for any organization managing information systems to evaluate risks, determine security requirements, and establish controls proportional to the potential impact of threats.

For companies, understanding these levels not only improves internal protection but also enables regulatory compliance, enhances reputation, and strengthens the trust of clients, suppliers, and public entities.