In recent years, cybersecurity has moved beyond being just a “technical matter” to become a strategic and legal priority. Threats are increasing, attacks are becoming more sophisticated, and regulatory demands continue to grow. In Spain, it’s no longer enough to have antivirus software and a password policy: you need to demonstrate that security is managed seriously, documented, and based on objective criteria.

——————————————————————————

And this is where three key frameworks that every technical organization should know (and apply) come into play: ENS, ISO/IEC 27001, and the NIS2 Directive.

——————————————————————————

Let’s break it down: 


ENS – National Security Framework

The ENS is the “cybersecurity regulation” for public administrations in Spain (and for companies that work with them). It establishes the basic principles, measures, and controls that systems must apply to protect information and digital services. The latest version (RD 311/2022) goes far beyond mere paperwork: it requires you to classify your systems according to risk (low, medium, or high) and apply specific measures based on that. We’re talking about access control, encryption, traceability, incident response, business continuity, etc. 

——————————————————————————

Do you work with the government, develop software for them, or manage public data? Then the ENS applies to you, no ifs, ands, or buts. 

——————————————————————————

ISO/IEC 27001 – Information Security

If the ENS is the local regulation, ISO/IEC 27001 is the international reference framework for managing information security. It’s a standard that tells you how to set up an Information Security Management System (ISMS) from scratch: identify assets, assess risks, implement controls, audit, improve…

The advantage is that it works for any type of organization, public or private. And if you also achieve certification, you can demonstrate to clients, partners, and auditors that your company knows what it’s doing in terms of security.

Its controls (those of the famous Annex A) cover everything: from how access is managed to how disaster recovery is planned. 

NIS2 – New European Directive

And if you haven’t heard of NIS2 yet, start getting familiar. This new European directive (published in 2022 and already in the process of transposition in Spain) focuses on critical sectors: energy, transport, health, banking, water, digital services, and many more. But be aware: it doesn’t only apply to “large companies.” If you provide essential or technological services to organizations in these sectors (even if you are an SME), it may also affect you.

NIS2 requires:

  • Active management of cyber risk,
  • Specific technical measures,
  • Incident notification (in less than 24-72 hours),
  • Public oversight,
  • And sanctions if you don’t comply.

In short: it’s not just a suggestion, it’s a legal obligation. 

How do they relate to each other?

Although ENS, ISO 27001, and NIS2 come from different places (one is Spanish, another international, another European), they all share the same fundamental principles:

  • identify risks,
  • apply appropriate controls,
  • have clear procedures,
  • and review everything continuously.

The good news is that they can be perfectly integrated. 

If you already have an ISMS based on ISO 27001, you can extend it to cover what the ENS requires (e.g., information classification, specific roles, concrete ENS measures). 

If you are also affected by NIS2, you can map its requirements (incident notification, supply chain security, governance) within the same system. 

The result? A more efficient system that avoids duplication and keeps you aligned with the law and best practices. 

Why implement the standards?

Complying with these regulations is not just a legal obligation. It is also a way to:

  • protect your business against real threats,
  • provide guarantees to your customers,
  • avoid fines,
  • and above all, ensure that your operation can continue to function no matter what happens.

Today, to comply is to compete.

Do you want help integrating these frameworks realistically into your organization? Let’s talk: