Delonia Software, S.L. has obtained the Certificate of Conformity with the National Security Scheme (ENS). Adok Certification has verified that the evaluated information systems, for which all security dimensions were certified in the ALTA (HIGH) category, and the associated services of Delonia Software S.L. have been audited and comply with the requirements established in Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme. The ALTA category is the most demanding level of certification granted by the ENS.
The National Security Scheme (ENS) is a regulatory framework in Spain that establishes measures to guarantee the protection of information in the systems of public administrations and entities that provide services to them. The official website of the National Security Scheme explains that: ‘it provides a common framework of basic principles, requirements, and security measures for adequate protection of the information processed and the services provided, in order to ensure access, confidentiality, integrity, traceability, authenticity, availability and conservation of the data, information and services used by electronic means that they manage in the exercise of their competences’.
In a nutshell, the National Security Scheme establishes the principles and requirements for the protection of information in the field of eGovernment. It applies both to Public Administrations and to service providers that handle information for public sector entities. Likewise, for any private entity, contracting the services of a company with ENS certification will provide an additional guarantee of security, reliability, and compliance with good practices. This is decisive in projects where the handling of sensitive information is important, for example, in healthcare projects and solutions.
The ENS is similar to ISO 27001, as both aim to ensure information security. However, the ENS is more specific in terms of evidence management and the requirements that organisations must comply with. Moreover, it is a widely required standard in Spain, especially for companies working with public bodies. Likewise, for a private company that needs to contract the services of a third party, ENS certification ensures a commitment to information security, a very relevant aspect in a context where securing systems requires increasingly advanced capabilities and resources.
Key points on the National Security Scheme (ENS)
- It was first implemented on 8 January 2010 with Royal Decree 3/2010. It is kept up to date to adapt to changes in the cybersecurity landscape and evolving technologies.
- It aims to strengthen the defence capabilities against cyber threats to the public sector and collaborating entities. It establishes technical and organisational measures to mitigate risks such as ransomware, phishing or security breaches. It includes measures related to cloud services, interconnection of systems, protection of the supply chain and other devices connected to the network.
- It guarantees the security and rights of citizens. It strengthens digital public services (such as electronic offices or medical records) by ensuring their integrity and confidentiality.
- It must meet the profile approved by the National Cryptologic Centre (CCN), which in turn depends on the CNI (National Intelligence Centre). The CCN is the technical arm of the ENS, providing the necessary tools and knowledge for its effective implementation.
- To meet the requirements of the ENS, there are three categories: BASIC, MEDIUM and HIGH. In the BASIC category, a self-assessment has to be carried out every two years. In the MEDIUM and especially in the HIGH category, in addition to the formal certification audits carried out every two years, an internal audit is carried out annually.
- The National Security Scheme and the General Data Protection Regulation (GDPR) are complementary. Compliance with one facilitates compliance with the other. The ENS complies with the Organic Law on Data Protection (LOPD-GDD) and the EU General Data Protection Regulation (GDPR). With regard to the processing of personal data under the ENS, security measures are implemented to prevent loss, alteration or unauthorised access.
- Conformity with the ENS of information systems that support solutions or provide competence services to public sector entities is a legal imperative. Compliance shall be displayed with an electronic document in a non-editable format.
- It covers systems vital to the state (energy, transport, defence) whose vulnerability could affect national security. The ENS is key to the digital resilience of the state; its implementation protects both institutions and citizens.