
National Security Framework (ENS)

Introduction

Royal Decree 311/2022, of 3 May, regulating the National Security Framework, replaces Royal Decree 3/2010, of 8 January, which regulated the National Security Framework in the area of e-Government.

Royal Decree 311/2022 updates the National Security Framework (ENS) in order to:

  • First, align the ENS with the regulatory framework and strategic context in force, so as to guarantee security in the digital administration. To this end, it clarifies the scope of the ENS and updates the references to the current legal framework, simplifying and harmonising the ENS mandates.
  • Second, introduce the ability to adjust the ENS requirements so that they can be adapted to the reality of certain groups or types of systems, on the basis of the similarity of the risks to which their information systems are exposed.
  • Third, strengthen protection against current cybersecurity trends by revising the basic principles, the minimum requirements and the security measures that entities subject to the ENS must adopt.

Affected systems shall be adapted to the provisions of the Royal Decree within 24 months of its entry into force.

Objectives

The National Security Framework (ENS) pursues the following main objectives:

  • Create the conditions of security necessary for the use of electronic means, through measures that guarantee the security of systems, data, communications and electronic services, enabling the exercise of rights and the fulfilment of duties through such means.
  • Promote security management.
  • Promote prevention, detection and correction, for better resilience in the face of cyber threats and cyber attacks.
  • Promote a uniform treatment of security that facilitates cooperation in the provision of digital public services when several entities are involved. This entails providing the common elements that guide the action of public sector entities and their suppliers in the field of information technology security.
  • Serve as a model of good practice, in line with the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity (OECD Recommendation and Companion Document).

Elements of the National Security Framework

The main elements of the ENS are the following:

  • The basic principles to be considered in security decision-making (arts. 5-11).
  • The minimum requirements that enable adequate protection of information (arts. 12-27).
  • The mechanism for achieving compliance with the basic principles and minimum requirements through security measures proportionate to the nature of the information and services to be protected (arts. 28, 40, 41, Annex I and Annex II).
  • The use of common infrastructures and services (art. 29).
  • Specific compliance profiles (art. 30).
  • The report on the state of security (art. 32).
  • The security audit (art. 31 and Annex III).
  • The response to security incidents (arts. 33 and 34).
  • The use of certified products (art. 19 and Annex II).
  • Conformity (art. 38).
  • Training and awareness-raising (first additional provision).
  • Security guides (second additional provision).
  • The ENS technical security instructions (second additional provision).

The primary mandate of the ENS is the one established in article 12, 'Security policy and minimum security requirements': "every public administration shall have a security policy formally approved by the competent body", which "is the set of guidelines governing the way in which an organisation manages and protects the information it handles and the services it provides". That policy shall be established in accordance with the basic principles and shall be developed by applying the minimum requirements, in proportion to the risks identified in each system.

The ENS technical security instructions are binding. They are essential for the proper, uniform and consistent implementation of the requirements and measures contained in the Framework and, in particular, for indicating the common way of acting in specific areas.

The CCN-STIC security guides published by the Centro Criptológico Nacional (National Cryptologic Centre), in particular the 800-series guides, available on the CCN-CERT portal, help achieve better compliance with the National Security Framework.

Scope of application

The scope of application of the National Security Framework covers the entire public sector, as defined in article 2 of Law 40/2015; the systems that handle classified information, without prejudice to the application of Law 9/1968, of 5 April, on Official Secrets; and the information systems of private sector entities when they provide services or solutions to public sector entities for the exercise of their competences and administrative powers.

Adapting to the National Security Framework

Adapting to the National Security Framework, as mandated, generally requires addressing the following issues, expressed succinctly:

  • Preparing and approving the security policy, including the objectives or mission of the organisation, the regulatory framework for its activities, the definition of security roles, the structure and composition of the committee for security management and coordination, the guidelines for structuring the security documentation, and the risks arising from the processing of personal data.
  • Categorising the systems according to the valuation of the information handled and the services provided.
  • Conducting a risk analysis, including the assessment of the existing security measures.
  • Preparing and approving the statement of applicability of the measures of Annex II of the ENS.
  • Developing an adaptation plan to improve security, on the basis of the shortcomings identified, including estimated implementation timelines.
  • Implementing, operating and monitoring the security measures through ongoing security management.
  • Auditing security to verify compliance with the ENS requirements.
  • Obtaining and publicising conformity with the ENS.
  • Reporting on the state of security.

Figure: Adapting to the National Security Framework (ENS).

Conformity with the ENS

Article 38, 'Conformity assessment procedures for the National Security Framework', states that all entities whose information systems are subject to the ENS shall publicise the corresponding declarations and certifications of conformity with the ENS on their websites or electronic offices. This obligation applies to the entire public sector, to classified information systems and to private sector entities that provide solutions and services for the exercise of competences and administrative powers.

The Technical Security Instruction on conformity with the National Security Framework establishes the criteria and procedures for determining conformity, as well as for publicising it. It specifies the mechanism for generating and publicising the declarations of conformity and the security distinctions achieved in the implementation of the ENS.

Further information

Fill in the contact form to send your request for information.