The Government updates the National Security Scheme in the field of Public Administration

The Council of Ministers has today approved, on the proposal of the Ministry of Economic Affairs and Digital Transformation, a Royal Decree that updates the National Security Scheme (ENS), and is part of the package of urgent actions, adopted on May 25, to strengthen defense capacities against cyberthreats on the public sector and the collaborating entities that supply technologies and services to it.

The National Security Scheme in force to date dates from 2010, a stage with a normative, social and technological context that has undergone radical evolution.

El ENS It establishes the security policy for the adequate protection of the information processed and the services provided through a common approach of basic principles, minimum requirements, protection measures and compliance and monitoring mechanisms, for the public administration, as well as the technological suppliers of the private sector that collaborate with the administration.

Among the innovations introduced by the Royal Decree are: the adequacy of the ENS the new regulatory framework and the existing strategic context to guarantee security in the Digital Administration; the adjustment of requirements to needs, collectives of entities and technological areas for a more effective and efficient application; the updating of basic principles and security measures to facilitate a better response to new trends and cybersecurity needs.

The new normative text seeks to guarantee the protection of information systems in the entities within its scope of application, reducing vulnerabilities and promoting continuous surveillance, establishing in turn optimal response mechanisms and security measures, within the current legal, technological, strategic and cyberthreat framework.

New security measures, for example, have included those relating to cloud services, system interconnection, supply chain protection, alternative media, surveillance and other network-connected devices.

Security Status Report

The Royal Decree states that the Sectoral Commission of Electronic Administration, a technical body for the cooperation of the State with the autonomous communities and local entities in the field of digital administration, will collect the information of the main variables of cybersecurity.

The results of the report will be used by the competent authorities that will promote the appropriate measures that facilitate the continuous improvement of the state of security.

The National Cryptological Center (CCN), of the National Intelligence Center (CNI) attached to the Ministry of Defense, will coordinate the response to security incidents of public sector entities. For their part, private sector entities that provide services to public entities will notify the response to security incidents to the National Cybersecurity Institute of Spain (INCIBE).

For the development of the Royal Decree, the Secretary of State for Digitization and Artificial Intelligence, on the proposal of the Sectoral Committee for Electronic Administration and on the initiative of the National Cryptological Center, will approve the mandatory technical security instructions, which will take into account the applicable European harmonized standards.

The approval of this Royal Decree is also part of the implementation of the Digitalization Plan of Public Administrations 2021-2025, one of the main instruments for the fulfillment of the Recovery, Transformation and Resilience Plan and its Component 11 called “Modernization of Public Administrations”, as well as for the development of the investments and reforms foreseen in the Digital Spain agenda.

The Digitalization Plan expressly includes, among its reforms, the updating of the ENS in order to evolve the security policy of all entities of the Spanish public sector, taking into account the regulations of the European Union aimed at increasing the level of cybersecurity of information systems.