Spain's national security scheme for public administrations and the suppliers that serve them.
Public-sector entities and any supplier handling public-sector data.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Categorisation Low / Medium / High by impact.
75 controls (Low) to 134 controls (High) across operational, organisational, and physical families.
External certification for Medium and High categories.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
ENS profile selector (Low / Medium / High) with control mapping per CCN-STIC 800 series.
Audit pack export aligned with CCN-STIC 802 (audit methodology).
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
ENS Declaration of Conformity.
Audit pack per CCN-STIC 802.
These frameworks share substantial control overlap with ENS. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
Germany's federal IT baseline protection methodology — the standard for federal administration and KRITIS operators.
European Union
France's qualification for sovereign cloud providers handling sensitive public-sector or OIV workloads.
Cross-jurisdictional
The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.