
Updated ENS of the public sector

  • Julio Marti Vento
  • May 5th, 2022

Yesterday the BOE published Royal Decree 311/2002 of May 3, which regulates the National Security Scheme (ENS). This RD updates the ENS and is part of the package of urgent actions, adopted on May 25, 2021, to strengthen defense capabilities against cyber threats to the public sector and to the collaborating entities that supply technologies and services to it.

The ENS in force until now dates from 2010 (modified by Royal Decree 951/2015), a period whose regulatory, social and technological context has since undergone a radical evolution. The newly approved text establishes the security policy for the adequate protection of the information processed and the services provided, through a common approach of basic principles (7), minimum requirements (15), security measures, and compliance and monitoring mechanisms for the Public Administration, as well as for technology providers in the private sector that collaborate with the Administration.

The new RD, in its article 33, assigns the National Cryptologic Center (CCN) the role of public coordinator, at the state level, of the technical response of the incident response teams, through the CCN-CERT. It establishes that "public sector entities will notify the CCN of those incidents that have a significant impact on the security of their information systems". It will be the CCN that "will exercise the national coordination of the technical response of the CSIRTs" and that determines "the risk of reconnection of the affected system or systems, indicating the procedures to be followed and the safeguards to be implemented in order to reduce the impact so as to prevent, as far as possible, the circumstances that led to it from happening again".

What is new in the ENS

Among the new features of the ENS is the introduction of the compliance profile, whose objective is to achieve a more effective and efficient adaptation to the Scheme, rationalizing the resources required without undermining the protection sought and required. In the case of Public Universities, a "Specific Compliance Profile for Universities" has been developed: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/800-guia-esquema -national-security-/6449-ccn-stic-881a-specific-compliance-profile-universities.html

Likewise, the new ENS includes a protocol for action in the event of cyber incidents, which establishes the conditions for notifying the CCN-CERT, and a new coding system for the requirements of the security measures, whose purpose is to facilitate, in a proportionate manner, the security of information systems, their implementation and their auditing.