Compliance services
We prepare your company to achieve certification or comply with the main cybersecurity standards
We align your company to achieve the highest possible level of regulatory compliance
We take care of everything so your company can achieve certification or comply with the main cybersecurity standards without complications.
We design a tailored compliance plan aligned with the requirements of the ENS (RD 311/2022), the NIS2 Directive, and the ISO/IEC 27001:2022 standard, and we support you every step of the way.
ENS compliance alignment
We align your company with the requirements of the National Security Framework (RD 311/2022) by implementing policies, controls, and processes that ensure information protection and enable access to public sector contracts.
NIS2 directive compliance
We prepare your organization to comply with the European NIS2 Directive, strengthening risk management, system security, and incident response capabilities.
ISO 27001 certification
We help you implement an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022 and prepare your company to successfully pass the certification process.
Why prepare your certification or compliance with us?
Support through every phase of the process
At ESED – Cyber Security & IT Solutions, we work with you as part of your team.
You have access to a CISO and professionals with over 15 years of experience who guide you step by step.
Clear and efficient approach
"We know what certifications require and where companies often stumble."
You gain knowledge, not just a certificate
We don’t just implement measures. We work with you so your team understands cybersecurity and can manage it in the future.
We make it practical and real.
We implement measures that work in your day-to-day operations, not just to pass an audit.
We prepare your company to comply with the ENS and strengthen its cybersecurity
We help organizations meet the requirements of the National Security Framework (ENS) by adapting their systems and processes to the cybersecurity standards set by the regulation.
We assess your current situation, identify gaps relative to ENS controls, and define an action plan to achieve compliance.
We support you in risk management, implementing security measures, preparing documentation, and getting your organization ready to successfully achieve certification.
Additionally, when we prepare a company for ENS certification, we are already aligning its security measures with the requirements of Directive (EU) 2022/2555 (NIS2).
National Security Framework (ENS): Everything you need to know
The National Security Framework (ENS), regulated by Royal Decree 311/2022, is the regulatory framework that establishes the basic principles and minimum security requirements that organizations must follow when using electronic means in the public sector in Spain.
Its goal is to ensure that information systems handle data and services in a secure, reliable, and continuous manner, protecting the five dimensions of security: Availability, Integrity, Confidentiality, Authenticity, and Traceability.
The ENS is mandatory for:
- All Spanish public administrations (Art. 2, Law 40/2015).
- Public agencies and entities governed by public law.
- Private sector entities that provide services to or manage information for the public sector, including their supply chain.
- Note that systems processing classified information are governed by their own specific rules and fall outside the ENS.
Additionally, the ENS classifies systems into three categories (BASIC, MEDIUM, and HIGH) based on the potential impact of an incident on each security dimension. This classification determines the security measures required from among the 73 listed in Annex II of RD 311/2022.
Its application has also extended to private companies that want to enhance their positioning, access public contracts, or demonstrate a high level of cybersecurity maturity.
The ENS is not just a set of technical controls; it is a comprehensive information security management model. Its basic principles (Arts. 5 to 11 of RD 311/2022) require organizations to:
- Treat security as an integral process (Art. 6), not merely as a set of technical measures.
- Manage security based on risk analysis (Art. 7).
- Prevent, detect, respond to, and preserve information in the event of incidents (Art. 8).
- Maintain continuous monitoring and periodically reassess security measures (Art. 10).
- Establish a common security framework with a clear differentiation of responsibilities (Art. 11).
What certification requires
- Approve an Information Security Policy with clearly defined roles: Information Owner, Service Owner, Security Officer, and System Owner (Art. 13).
- Conduct a risk analysis and prepare the Statement of Applicability, detailing the Annex II measures applicable according to the system’s category.
- Implement organizational, operational, and protective security measures: access control, encryption, backups, monitoring, and incident management.
- Establish incident management procedures (Art. 25) and a business continuity plan.
- Train personnel in cybersecurity and ENS compliance.
- Obtain formal confirmation of compliance, which depends on the system's category:
  - Statement of Compliance for BASIC category systems (self-assessment).
  - Certificate of Compliance for MEDIUM and HIGH category systems, issued after an audit by an ENAC-accredited certification body following the CCN-STIC 808 guide.
- Review and improve regularly: ENS requires continuous monitoring and periodic reassessment of security measures (Art. 10).
Benefits of certifying your company
Access to public sector contracts
ENS compliance is a mandatory requirement in public procurement specifications (Art. 2.3, RD 311/2022). Certification allows your company to participate in public sector tenders and projects.
Enhanced information security
Ensures the protection of systems and data against cyberattacks, unauthorized access, and data loss, reducing operational risks.
Improved business trust and reputation
Demonstrating ENS compliance conveys reliability and a commitment to security, strengthening your company’s image with clients and partners.
Regulatory compliance and reduced legal risks
Facilitates adherence to the applicable regulations (ENS, NIS2, GDPR) and lowers the likelihood of security incidents and the resulting legal liabilities.
We align your company with the NIS2 Directive to meet European cybersecurity requirements
Directive (EU) 2022/2555 (NIS2) is the European regulation that strengthens cybersecurity requirements for essential and important entities across 18 critical sectors. It mandates systematic risk management, enhanced protection of systems and networks, and mandatory reporting of significant incidents within 24 to 72 hours.
In Spain, transposition is in an advanced stage through the Draft Law on Cybersecurity Coordination and Governance (approved by the Council of Ministers in January 2025), pending parliamentary approval.
Even though the national law is not yet in force, the Directive’s requirements already influence supervision, public procurement, and supply chain audits.
Risk management
Requires the implementation of proportionate measures to prevent and mitigate incidents (Art. 21).
Protection of systems and networks
Mandates technical controls for supply chain security, encryption, access control, and vulnerability management.
Incident reporting
Requires early warning within 24 hours and full notification within 72 hours to the relevant CSIRT (Art. 23).
Management accountability
Governing bodies must approve and oversee cybersecurity measures and can be held personally liable in cases of negligence (Art. 20).
Expanded scope
Covers sectors such as energy, transportation, healthcare, water, digital infrastructure, public administration, food, postal services, waste management, and research.
Distinction between essential and important entities
Subject to different levels of supervision and penalties (up to €10 million or 2% of global turnover for essential entities).
European coordination
Common standards, peer evaluations, and cooperation between national CSIRTs.
Resilience and trust
Demonstrates maturity to clients, regulators, and business partners.
We prepare your company for ISO 27001 certification
We help organizations get ready for ISO 27001 certification by implementing an Information Security Management System (ISMS).
We assess your current situation, identify the standard’s requirements, and define the actions needed for compliance. We provide support in risk management, documentation preparation, and control implementation, as well as in audit readiness.
ISO 27001: Everything you need to know
ISO/IEC 27001:2022 is an international standard that sets the requirements for implementing, maintaining, and improving an Information Security Management System (ISMS). Its goal is to protect the confidentiality, integrity, and availability of information.
It applies to any organization, regardless of size, sector, or location. It is especially relevant for:
- Companies that handle sensitive data (customer, financial, healthcare, etc.)
- Technology service providers (SaaS, cloud, IT)
- Entities required to meet regulatory compliance
- Organizations working with third parties that demand security assurances
Implementing an ISMS enables an organization to:
- Protect information against unauthorized access, loss, or alteration
- Systematically manage security risks
- Establish clear controls and policies
- Build trust with clients, partners, and regulators
- Ensure business continuity
To obtain certification, an organization must implement an ISMS in accordance with the standard. Key points include:
- Define the scope of the ISMS and identify stakeholders and their requirements
- Ensure management commitment, establish a security policy, and assign roles and responsibilities
- Identify risks, analyze their impact and likelihood, and define treatment measures
- Implement organizational, technical, and physical controls such as access management, incident handling, encryption, and backups
- Manage training, documentation, and controlled operation of security processes
- Conduct internal audits, management reviews, and monitor key indicators
- Handle nonconformities, apply corrective actions, and keep the ISMS up to date