Share on social networks!

News of the new national security scheme

Last May, Royal Decree 311/2022 was published, which regulates the National Security Scheme (ENS), which aims to (i) reinforce the protection of services and data, as an essential asset for the Digital Administration against attackers and/or threats and (ii) adapt to the current regulatory framework after the entry into force of such relevant regulations as the General Data Protection Regulation or the NIS Directive.

Some news What this new version of the ENS brings with it are the following:

  1. New principle of “continuous surveillance”: It entails a permanent evaluation of the security status of the assets, to detect vulnerabilities and identify configuration deficiencies. Its objective is to detect and respond to anomalous activities or behaviors.
  2. Specific Compliance Profiles: adapt the National Security Framework by rationalizing the required resources without undermining the required protection as a result of a risk analysis.
  3. Risk analysis: the data protection officer must advise the controller or processor in the risk analysis (art. 24, RGPD) and in the impact assessment (art. 35, RGPD) from the beginning of the processing.
  4. Supply chain protection: The private company that provides its services to public administrations must designate a Point or Contact Person (POC).
  5. Security incident notification: Public administrations must notify the CCN-CERT. And private companies subject to the ENS must go to INCIBE-CERT.
  6. Training and awareness: The CCN and INAP will develop awareness and training programs aimed at staff of public sector entities.

Regarding security measures, there have also been some significant changes. The following are added:

  • Cloud services [op.nub.1]
  • Systems interconnection [op.ext.4]
  • Supply chain protection [op.ext.3]
  • Alternative means [op.cont.4]
  • Surveillance [op.mon.3]
  • Other devices connected to the network [mp.eq.4]

In addition, the measurement requirements have been codified and organized as follows:

  • Base requirements.
  • Possible security reinforcements (R), aligned with the level of security pursued, which add (+) to the base requirements of the measure, but which are not always incremental to each other; so that, in certain cases, you can choose between applying one reinforcement or another.

And last but not least, regarding the period of adaptation to the new ENS, an expiration period of 24 months is established from the entry into force of this RD, therefore, as of 05/05/2024 they will no longer have the accredited status of the certificates issued against the RD 3/2010.

Learn this and much more in our Master of Compliance and Data Protection.

IT Lawyer | Governance, Risk & Compliance | Privacy

Subscribe to our newsletter to stay up to date with all the news

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad
Blog Master Dpo

Leave a comment