Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme (ENS) is a national framework of reference for the management of Information Security in Spain and applies to public organisations and those private organisations that work with public organisations. Directive (EU) 2022/2555 on measures to ensure a high common level of cybersecurity across the Union Directive (NIS 2) and its transposition into Spanish law, applies to 18 sectors, including public organisations. It is necessary to establish alignments between both regulations to reduce duplication in efforts and costs.
Those organizations that are certified in the ENS HIGH category have a lot of progress in achieving compliance with NIS 2 by sharing many principles and security measures, but not completely.
Main connections between NIS 2 and ENS:
1. Risk-Based Approach:
- NIS 2 establishes the need to carry out risk assessments and adopt security measures proportionate to the identified risks.
- ENS also relies on risk management as one of its core principles, requiring organizations to assess and mitigate risks to information security.
2. Common safety measures:
- Both regulations include the implementation of specific security controls, such as data protection, incident management, and business continuity for the ENS HIGH category.
- El ENS detalla controles y medidas técnicas, organizativas y procedimentales que se alinean con los requisitos de seguridad de NIS 2
3. Continous Updating and Improvement:
- NIS 2 insists on the need to continuously update security measures to adapt to new threats.
- ENS promotes continuous safety improvement, regular review of policies and procedures, and adaptation to new risks.
4. Cooperation and Communication:
- NIS 2 requires entities to cooperate and share information with competent authorities and other relevant actors.
- The ENS also encourages inter-entity cooperation and communication with the CCN to ensure a coordinated response to security incidents.
There are certain areas where NIS 2 introduces additional or distinct requirements that may not be fully covered by the ENS.
Some differences in which NIS 2 goes beyond ENS:
1. Corporate Governance Requirements
- NIS 2 introduces specific requirements on corporate governance, including the obligation for the administrative or management bodies of entities to supervise and approve security and risk management measures.
- Although the ENS HIGH category requires the assignment of clear responsibilities in information security, it does not specify in such detail the direct involvement of management bodies in the management and supervision
2. Incident Reporting
- NIS 2 sets out stricter and more detailed requirements on incident reporting, including specific deadlines and criteria for early and final reporting. It may also require notification of significant incidents to users and other stakeholders.
- While the ENS requires notification of security incidents, the timelines and criteria may not be as detailed or strict as those in NIS 2.
3. International and Cross-Border Cooperation:
- NIS 2 emphasises cross-border cooperation and coordination between EU Member States, including participation in European networks of Computer Security Incident Response Teams (CSIRTs).
- ENS focuses on national cooperation and, while promoting collaboration, does not specify in as much detail the mandatory cross-border cooperation required by NIS 2.
4. Capacity and resource development
- NIS 2 insists on the need for entities to invest in developing adequate capacities and resources to manage cybersecurity, including continuous training and awareness of personnel.
- While the ENS stresses the importance of training and resources, NIS 2 can be more specific in its requirements to ensure that capabilities are constantly updated.
5. Supply chain and third parties
- NIS 2 includes requirements to manage and mitigate risks associated with suppliers and the supply chain, ensuring that these third parties also meet appropriate security standards.
- Although the ENS addresses third-party security, it may not do so with the same breadth or specificity in terms of supply chain and ongoing monitoring of suppliers.
6. Operational resilience and recovery
- NIS 2 emphasizes the need for entities to not only prevent and respond to incidents, but also to continuously maintain and improve operational resilience and resilience.
- The ENS HIGH category encompasses business continuity and disaster recovery, but may not have the same ongoing emphasis on operational resilience as NIS 2.
In summary, although the ENS HIGH category covers a wide range of security measures including reinforcements, NIS 2 introduces certain additional and more detailed requirements in areas such as governance, incident reporting, international cooperation, supply chain management, and operational resilience. Organisations that are ENS certified should have specialised external support to carry out a thorough analysis and assessment that identifies what is not covered in their statement of applicability and they need to implement additional measures.
