ESN and obligations for IT service providers

The same requirements that are being demanded internally to the Public Administration are also being demanded to any supplier that offers any service related to information security. These entities are adopting the condition of subject obliged by the ENS (National Security Scheme).

Therefore, suppliers must have a security level similar to that required by the public entity. In short, they must be certified with respect to the provisions of the ENS. But this is not the only obligation that is being demanded.

Providers of services to public entities, as suppliers of such entities, are required to document and provide the following information to their public administration clients:

Description of services and modality.
Information about the security architecture.
Location of information.
Security measures implemented.
Compliance with current data protection regulations.
Security incidents.
Subcontracting chain and its changes.

In short, through these new requirements, IT service providers are asked for transparency and support in complying with the National Security Scheme compliance requirements. In particular, for those controls for which both the public entity and its service provider are responsible for control compliance.

Salesforce has just achieved certification in the National Security Scheme (ENS) at the High level, to provide its services to the public sector in Spain. Obtaining ENS certification at this level in Spain supports Salesforce's commitment to comply with security controls, enabling customers to use this solution to handle the most sensitive and confidential data.

PKF Attest has the highest certification as a Salesforce partner with extensive experience tackling Salesforce projects in companies of different industries and sizes.