May 4, 2022
Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.
The purpose of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration (hereinafter, ENS), was to determine the security policy for the use of electronic media by the entities within its scope of application. The ENS consists of the basic principles and minimum requirements that have adequately guaranteed the security of the information processed and the services provided by those entities.
For its part, Law 40/2015, of October 1, on the Legal Regime of the Public Sector, extended the scope of application of the ENS to the entire public sector. Article 3 of that Law, which sets out the general principles, establishes that public administrations must relate to each other and to their bodies, public agencies and related or dependent entities through electronic means that guarantee the interoperability and security of the systems and solutions adopted by each of them and the protection of personal data, and that facilitate the provision of services to interested parties preferably by such means; it identifies the ENS as a fundamental instrument for achieving the objectives of its Article 156.
The ENS is constituted by the basic principles and minimum requirements necessary for an adequate protection of the information processed and the services provided by the entities within its scope, in order to ensure the access, confidentiality, integrity, traceability, authenticity, availability and preservation of the data, information and services used by electronic means that they manage in the exercise of their competences. The purpose of this Royal Decree is to regulate the ENS, established in Article 156.2 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
The Royal Decree is structured in forty-one articles distributed in seven chapters, three additional provisions, one transitory provision, one derogatory provision, three final provisions and four annexes.
- Chapter I comprises the general provisions regulating the purpose of the standard, its scope of application, the reference to information systems that process personal data, and the definitions. The scope of application is that provided for in Article 2 of Law 40/2015, of October 1, to which are added the systems that process classified information, without prejudice to the applicable regulations; it may be necessary to supplement the security measures of this Royal Decree with others specific to such systems, derived from the international commitments undertaken by Spain or from its membership in international bodies or forums on the matter.
Likewise, the requirements of the ENS will apply to the information systems of private sector entities when, in accordance with the applicable regulations and by virtue of a contractual relationship, they provide services to public sector entities for the exercise of the latter's competences and administrative powers. As mentioned above, the digital transformation has increased the risks associated with the information systems that support public services, and the private sector is likewise immersed in the digital transformation of its business processes, so both types of information systems are exposed to the same threats and risks. Therefore, private sector operators that provide services to public sector entities, given the high degree of intertwining between the two, must ensure the same level of security that applies to systems and information in the public sector, in accordance, moreover, with the special requirements established in Organic Law 3/2018, of December 5, and Organic Law 7/2021, of May 26.
On the other hand, when public sector entities carry out the installation, deployment and operation of 5G networks or the provision of 5G services, in addition to the provisions of this Royal Decree, the provisions of Royal Decree-Law 7/2022, of March 29, on requirements to ensure the security of fifth generation electronic communications networks and services shall apply, in particular the provisions of its Article 17 regarding security management by public administrations, as well as its implementing regulations.
- Chapter II, comprising Articles 5 to 11, regulates the basic principles that must govern the ENS, which are listed in Article 5: comprehensive security; risk-based security management; prevention, detection, response and preservation; existence of lines of defense; continuous monitoring and periodic reassessment; and differentiation of responsibilities.
- Chapter III refers to the Security Policy and the minimum requirements to allow adequate protection of information and services.
Articles 12 to 27 define these requirements: organization and implementation of the security process; risk management, consisting of a process of identification, analysis, evaluation and treatment of risks; personnel management; professionalism; authorization and control of access; protection of facilities; acquisition of security products and contracting of security services; least privilege; integrity and updating of the system; protection of information stored and in transit; prevention against other interconnected information systems; recording of activity and detection of harmful code; security incidents; business continuity; and continuous improvement of the security process.
Article 28 goes on to state that in order to comply with these minimum requirements, the measures set out in Annex II must be adopted, in accordance with a series of considerations to that effect. However, such security measures may be replaced by other compensatory measures, provided that there is documentary evidence that the protection they provide is at least equivalent, and that they meet the basic principles and minimum requirements indicated above.
Article 29 calls for the use of common infrastructures and services of the public administrations in order to achieve greater efficiency and feedback of the synergies of each group.
Finally, Article 30 establishes the possibility of implementing specific compliance profiles, as well as accreditation schemes for entities implementing secure configurations.
- Chapter IV deals with the security audit, the security status report and the response to security incidents.
The security audit is developed in full in Article 31, which details the characteristics of the audit procedure and the corresponding reports. On an extraordinary basis, such an audit shall be carried out whenever substantial modifications are made to the information systems that may have an impact on the required security measures. The audit shall be carried out according to the category of the system and, if applicable, the specific compliance profile that corresponds, as provided in Annexes I and III and in accordance with the Technical Security Instruction on Security Auditing of Information Systems. In the performance of security audits, generally recognized criteria, working methods and standards of conduct shall be used, as well as the national and international standardization applicable to this type of activity. The audit report shall state the degree of compliance with this Royal Decree, identifying the findings of compliance and non-compliance detected. It shall also include the methodological criteria used, the scope and objective of the audit, and the data, facts and observations on which the conclusions drawn are based, all in accordance with the aforementioned Technical Security Instruction. The audit reports shall be submitted to the system manager and to the security manager; the latter will analyze them and present their conclusions to the system manager for appropriate corrective action. In the case of HIGH category systems, in view of the audit report and the possible seriousness of the deficiencies found, the system manager may temporarily suspend the processing of information, the provision of services or the total operation of the system until such time as the deficiencies are adequately corrected or mitigated.
The audit reports may be requested by the heads of each organization, with competences on information technology security, and by the CCN.
Article 32, on the security status report, highlights the role of the Sectorial Commission of Electronic Administration in this area, as well as that of the CCN and the competent collegiate bodies in the field of digital administration in the General State Administration.
The prevention, detection and response to security incidents is regulated in Articles 33 and 34, separating, on the one hand, the aspects related to the response capacity and, on the other hand, those related to the provision of response services for security incidents, both to public sector entities and to the private sector organizations that provide them with services.
- Chapter V, Articles 35 to 38, defines the conformity standards, which are divided into four: Digital Administration, life cycle of services and systems, control mechanisms, and procedures for determining conformity with the ENS.
- Chapter VI, consisting of a single article, Article 39, establishes the obligation to keep the ENS permanently updated, in accordance with the legal framework in force at any given time, the evolution of technology and of security and systems standards, and the aforementioned new threats and attack vectors.
The articles of the operative part conclude with Chapter VII, which develops the procedure for the categorization of information systems, defining in Article 40 the security categories and in Article 41 the powers in this respect.
Regarding the three additional provisions:
- The first regulates the awareness, sensitization and training programs for the personnel of public sector entities to be developed by the CCN and the National Institute of Public Administration.
- The second additional provision regulates the mandatory technical security instructions and the information and communication technology security guides (CCN-STIC guides).
- Finally, the third additional provision establishes compliance with the Do No Significant Harm (DNSH) principle and the conditions for climate and digital labeling.
The sole transitory provision sets a term of twenty-four months for the information systems within the scope of application of this Royal Decree, existing prior to its entry into force, to achieve full compliance with the ENS.
The repealing provision abolishes Royal Decree 3/2010, of January 8, as well as any other provisions of equal or lower rank that oppose the provisions of this Royal Decree.
Finally, the rule has three final provisions:
- The first of these lists the titles of competence.
- The second final provision empowers the head of the Ministry of Economic Affairs and Digital Transformation to issue the necessary provisions for its application and development, without prejudice to the competences of the autonomous communities for the development and execution of the basic State legislation.
- The third provides for entry into force on the day following its publication in the Official State Gazette (BOE).
The Royal Decree is complemented by four annexes: Annex I regulates the security categories of information systems, detailing the sequence of actions to determine the security category of a system; Annex II details the security measures; Annex III deals with the purpose, levels and interpretation of the security audit; and, finally, Annex IV includes the glossary of terms and definitions.