
What is new in the new National Security Scheme

Last May, Royal Decree 311/2022, which regulates the National Security Scheme (ENS), was published. It aims to (i) reinforce the protection of services and data, an essential asset of the Digital Administration, against attackers and threats, and (ii) adapt the ENS to the current regulatory framework following the entry into force of such relevant regulations as the General Data Protection Regulation and the NIS Directive.

Some of the novelties that this new version of the ENS brings with it are the following:

  1. New principle of “continuous surveillance”: it entails a permanent evaluation of the security status of the assets, in order to detect vulnerabilities and identify configuration deficiencies. Its objective is to detect and respond to anomalous activities or behaviors.
  2. Specific Compliance Profiles: they allow the ENS to be adapted, on the basis of a risk analysis, by rationalizing the resources required without undermining the protection required.
  3. Risk analysis: the data protection officer must advise the controller or processor in the risk analysis (art. 24, RGPD) and in the impact assessment (art. 35, RGPD) from the beginning of the processing.
  4. Supply chain protection: the private company that provides its services to public administrations must designate a Point of Contact or contact person (POC).
  5. Security incident notification: public administrations must notify the CCN-CERT, while private companies subject to the ENS must report to INCIBE-CERT.
  6. Training and awareness: the CCN and INAP will develop awareness and training programs aimed at the staff of public sector entities.

Regarding security measures, there have also been some significant changes. The following are added:

  • Cloud services [op.nub.1]
  • Systems interconnection [op.ext.4]
  • Supply chain protection [op.ext.3]
  • Alternative means [op.cont.4]
  • Surveillance [op.mon.3]
  • Other devices connected to the network [mp.eq.4]

In addition, the requirements of the measures have been codified and organized as follows:

  • Base requirements.
  • Possible security reinforcements (R), aligned with the level of security pursued, which add (+) to the base requirements of the measure but are not always incremental to each other, so that in certain cases one can choose between applying one reinforcement or another.

And last but not least, regarding the period of adaptation to the new ENS, a transition period of 24 months is established from the entry into force of this RD; therefore, as of 05/05/2024, certificates issued against RD 3/2010 will no longer have accredited status.

Learn this and much more in our Master of Compliance and Data Protection.

Oscar J Labella

IT Lawyer | Governance, Risk & Compliance | Privacy
