Case Study

Accredited certification on cybersecurity, a must to provide services to Spanish Public Administration

Summary

The Spanish Public Administration and any private operator aiming to provide services to a Spanish public body must hold a National Security Framework (Esquema Nacional de Seguridad, ENS) certificate, which must be issued by an accredited certifier according to ISO/IEC 17065 for the ENS scope, as established by the Spanish Ministry of Finance and Public Administrations.

Background

The Spanish Ministry of Presidency, through Royal Decree 3/2010, developed the National Security Framework (Esquema Nacional de Seguridad, ENS) in the eGovernment field, a regulation establishing the basic principles, minimum requirements and protection measures to be implemented in Public Administration systems. This framework is applicable to any Spanish public body and any private entity providing services to public bodies.  It aims to deliver confidence in the adequate protection of information, as well as the ability of systems to work without interruptions or out of control changes, and the robustness of measures to prevent unauthorized access.

Strategy 

The Spanish Ministry of Finance and Public Administrations established that any Spanish public body or any company aiming to provide services to a public body must hold an ENS certificate issued by a certification body accredited by ENAC, the Spanish accreditation body, or any other national accreditation body appointed pursuant to Regulation (EC) No 765/2008 according to ISO/IEC 17065 within the ENS scope. In order to meet these demands, ENAC, in collaboration with the Spanish Ministry of Finance and Public Administrations and the National Cryptologic Centre (CCN), developed an accreditation scheme applicable to bodies interested in certifying compliance with ENS.

Results and impact

Along with the whole public sector, some of the private companies that have certified their compliance with ENS to be able to work with Spanish public bodies include Microsoft, Google, Telefónica, Cisco Systems, Vodafone, Orange, KPMG, Deloitte, Salesforce, Ernst & Young, Zoom, Hispasat and Canon.