
The National Security Framework of Spain

The National Security Framework (ENS) provides: basic principles and minimum security requirements; proportionality through categorisation of systems into three levels; security measures updated and adapted to Digital Government; flexibility mechanisms through compliance profiles; accreditation and conformity through a certification scheme run with the National Accreditation Entity (ENAC); and monitoring through the Annual Report on the State of Security. It is supported by more than 100 guides (the CCN-STIC series) and a collection of tools provided by CCN-CERT, plus the references included in the instruments for central procurement of IT services and products. The ENS applies to the entire public sector, to systems that process classified information, to those who provide services or solutions to public sector entities, and, on the basis of risk analysis, to the supply chain of such contractors.

The National Security Framework (ENS - Esquema Nacional de Seguridad)
29th Plenary Meeting of the NIS Cooperation Group, 29th November 2023
Miguel A. Amutio
Deputy DG for Cybersecurity Planning and Coordination
General Secretariat for Digital Government
Secretary of State for Digitization and Artificial Intelligence
Ministry for Digital Transformation
1
Timeline slide (the diagram layout was lost in extraction; the year markers on the slide are 2010, 2011-13, 2014-16, 2017, 2018, 2019, 2020, 2021, 2022 and 2023, and the milestones are listed below in the order they were extracted):
• National Security Strategy 2017
• Regulation eIDAS
• GDPR
• NIS Directive
• Updated ENS Technical Security Instructions: Compliance with ENS; Annual Report
• Administrative Laws 39/2015, 40/2015
• ICT Strategy – Shared Services Declaration (includes Shared Managed Security Services)
• National Security Framework
• National Interoperability Framework
• ENS Instructions: Auditing; Notification of incidents
• CoCENS, Council for Certification of ENS
• NIS transposition
• Data Protection Law (adding to GDPR)
• Regulation on Critical Infrastructure Protection
• National Cybersecurity Strategy 2013
• Risk Analysis Methodology Magerit v3
• Cybersecurity Regulation
• National Guide on Notification of Cyberincidents
• National Cybersecurity Strategy 2019
• Ministers Council Agreement on the Cybersecurity Operations Center of the General State Administration
• EU Digital Strategy
• EU Strategy for Data
• EU White Paper on AI
• EU Cybersecurity Package
• España Digital 2025
• National Cybersecurity Forum
• Regulation ECCC
• Development of NIS Transposition
• Plan for Digitization of Public Administrations 2021 – 2025
• Recovery Plan (Next Generation EU funding)
• Ministers Council Agreement on the Action Plan on Cybersecurity
• RDL 7/2022 Security 5G
• Cybersecurity National Plan
• New National Security Framework
• Proposal for a Regulation on Cybersecurity for EUIBAs
• Proposal for a Regulation on information security for EUIBAs
• Council Conclusions on protection of the supply chain
• Directive 2022/2555 NIS2
• Regulation 2022/2554 DORA
• Directive 2022/2557 CER
• European Cybersecurity Skills Framework (ECSF)
• Communication on the Cyber Skills Academy
• Adequacy Decision EU-US Data Privacy Framework
• Proposal Cyber Solidarity Act
• Proposal for modification of the Cybersecurity Act
• Addendum to the Recovery Plan
Cybersecurity: a collective and multidisciplinary effort, sustained over time.
Source: Miguel A. Amutio
2
A global approach to cybersecurity
Source: Miguel A. Amutio
Diagram slide; its elements as extracted:
• Dimensions: Legal framework, Governance, Cooperation, Community, Capabilities, Services, Solutions, Interaction, Evolution, Digital Government
• National Cybersecurity: CNCS, FNCS
• Digital Government: General State; eGov Sectorial Commission; ENS - CoCENS
• + Funding
• Certified Products (Catalogue CPSTIC)
• Strategic context: National (ENCS 2019), European
3
National Security Framework
Big decisions, why and how (1/2)
Around 2006, when drafting the eGovernment Law, on the basis of previous experience, it was decided to develop a security instrument tailored to the protection needs of information and services provided BY and provided TO Public Administrations (though not limited to the specific needs of eGovernment at the time).
It should be embedded in the administrative legislation, and aligned with the National and European strategic and legal framework.
And it should be the reference for:
• Data Protection
• Protection of Critical Infrastructures, as well as Essential Services (at least for the ones managed by the Public Sector)
4
National Security Framework
Big decisions, why and how (2/2)
The National Security Framework was created by the eGovernment Law in 2007.
The ENS was first implemented by a Royal Decree in 2010, to be applicable by all Public Administrations, as a result of a joint effort by the public and private sectors.
It was included in the Administrative Laws of 2015, which superseded the previous administrative and eGovernment legislation.
It was updated in 2015 in the light of experience and of the evolution of National and European legislation (e.g. eIDAS).
The ENS was revamped in 2022:
• To be aligned with the current National and European strategic and legal framework.
• To introduce flexibility that facilitates implementation in specific contexts (e.g. Local Entities).
• To respond to cybersecurity needs and trends.
5
National Security Framework
More big decisions
It was decided to include Public Administration among the Strategic Sectors in the legislation for the Protection of Critical Infrastructures.
In the transposition of NIS1:
• It was decided to align the identification of essential services and their operators with the procedures defined for the designation of Operators of Critical Infrastructures.
• The security obligations of essential service operators and digital service providers refer to the National Security Framework (ENS) as a reference.
Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, Article 10, states:
"Information assurance and security standards: 1. Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation."

2024: The FAR, Federal Acquisition Regulations - Part 72024: The FAR, Federal Acquisition Regulations - Part 7
2024: The FAR, Federal Acquisition Regulations - Part 7
 
Observance of the International Mother Language Day (IMLD) 2024.pdf
Observance of the International Mother Language Day (IMLD) 2024.pdfObservance of the International Mother Language Day (IMLD) 2024.pdf
Observance of the International Mother Language Day (IMLD) 2024.pdf
 
Vertical Integration Webinar Presentation-Regions4.pptx
Vertical Integration Webinar Presentation-Regions4.pptxVertical Integration Webinar Presentation-Regions4.pptx
Vertical Integration Webinar Presentation-Regions4.pptx
 
IEF Energy Outlooks Comparison Report-2024
IEF Energy Outlooks Comparison Report-2024IEF Energy Outlooks Comparison Report-2024
IEF Energy Outlooks Comparison Report-2024
 

The National Security Framework of Spain

  • 1. The National Security Framework (ENS - Esquema Nacional de Seguridad). 29th Plenary Meeting of the NIS Cooperation Group, 29th November 2023. Miguel A. Amutio, Deputy DG for Cybersecurity Planning and Coordination, General Secretariat for Digital Government, Secretary of State for Digitization and Artificial Intelligence, Ministry for Digital Transformation.
  • 2. Timeline of the ENS and its strategic and legal context:
    • 2010: National Security Framework; National Interoperability Framework.
    • 2011-13: National Cybersecurity Strategy 2013; Risk Analysis Methodology Magerit v3; Regulation on Critical Infrastructure Protection.
    • 2014-16: Regulation eIDAS; GDPR; NIS Directive; Updated ENS; ENS Technical Security Instructions (Compliance with the ENS, Annual Report); Administrative Laws 39/2015 and 40/2015; ICT Strategy - Shared Services Declaration (includes Shared Managed Security Services).
    • 2017: National Security Strategy 2017.
    • 2018: ENS Instructions (Auditing, Notification of incidents); CoCENS, Council for the Certification of the ENS; NIS transposition; Data Protection Law (adding to GDPR).
    • 2019: Cybersecurity Regulation; National Guide on Notification of Cyberincidents; National Cybersecurity Strategy 2019; Ministers Council Agreement on the Cybersecurity Operations Center of the General State Administration.
    • 2020: EU Digital Strategy; EU Strategy for Data; EU White Paper on AI; EU Cybersecurity Package; España Digital 2025; National Cybersecurity Forum.
    • 2021: Regulation ECCC; Development of the NIS transposition; Plan for Digitization of Public Administrations 2021-2025; Recovery Plan (Next Generation EU funding); Ministers Council Agreement on the Action Plan on Cybersecurity.
    • 2022: RDL 7/2022 on 5G security; National Cybersecurity Plan; New National Security Framework; Proposal Regulation on Cybersecurity of EUIBAS; Proposal Regulation on information security of EUIBAS; Council Conclusions on protection of the supply chain; Directive 2022/2555 NIS2; Regulation 2022/2554 DORA; Directive 2022/2557 CER; European Cybersecurity Skills Framework (ECSF).
    • 2023: Communication on the Cyber Skills Academy; Adequacy Decision EU-US Data Privacy Framework; Proposal Cybersolidarity Act; Proposal modification of the Cybersecurity Act; Addendum to the Recovery Plan on Cybersecurity.
    A collective and multidisciplinary effort, sustained over time. Source: Miguel A. Amutio.
  • 3. A global approach to cybersecurity (Source: Miguel A. Amutio). Building blocks: Legal framework; Governance, Cooperation, Community; Capabilities, Services, Solutions; Funding; Interaction and Evolution. Levels: National Cybersecurity (CNCS, FNCS) and Digital Government (General State, eGov Sectorial Commission, ENS - CoCENS). Certified Products (Catalogue CPSTIC). Strategic context: National (ENCS 2019), European.
  • 4. National Security Framework. Big decisions, why and how (1/2). Around 2006, when drafting the eGovernment Law, on the basis of previous experience, it was decided to develop a security instrument tailored to the protection needs of information and services provided BY and provided TO Public Administrations (though not limited to the specific needs of eGovernment at the time). It should be embedded in the administrative legislation and aligned with the national and European strategic and legal framework. And it should be the reference for:
    • Data Protection
    • Protection of Critical Infrastructures, as well as Essential Services (at least for the ones managed by the Public Sector)
  • 5. National Security Framework. Big decisions, why and how (2/2). The National Security Framework was created by the eGovernment Law in 2007. The ENS was first implemented by a Royal Decree in 2010, to be applicable by all Public Administrations, as a result of a joint effort by the public and private sectors. It was included in the Administrative Laws of 2015, which superseded the previous administrative and eGovernment legislation. It was updated in 2015 in the light of experience and the evolution of national and European legislation (e.g. eIDAS). The ENS was revamped in 2022:
    • To be aligned with the current national and European strategic and legal framework.
    • To introduce flexibility that facilitates implementation in specific contexts (e.g. Local Entities).
    • To respond to cybersecurity needs and trends.
  • 6. National Security Framework. More big decisions. It was decided to include Public Administration among the Strategic Sectors in the legislation for the Protection of Critical Infrastructures. In the transposition of NIS1:
    • It was decided to align the identification of essential services and their operators with the procedures defined for the designation of Operators of Critical Infrastructures.
    • The security obligations of essential service operators and digital service providers refer to the National Security Framework (ENS) as a reference.
    Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, Article 10 (Information assurance and security standards), states: "1. Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation."
  • 7. National Security Framework. Embedded in Administrative Legislation. Law 40/2015 on the Legal Regime of the Public Sector: "The National Security Framework aims to establish the security policy within the scope of this Law, and it is constituted by the basic principles and minimum requirements that adequately guarantee the security of the information processed." (Art. 156). Security, a general principle of action by Public Administrations: "The Public Administrations will interact with each other and with their linked or dependent bodies, public organizations and entities through electronic means, which ensure the interoperability and security of the systems and solutions adopted by each of them; they will guarantee the protection of data, and they will preferably facilitate the joint provision of services to interested parties." (Art. 3.2). Law 39/2015 on the Common Administrative Procedure of Public Administrations, rights of citizens: to the protection of personal data and, in particular, to the security and confidentiality of the data in the files, systems and applications of the Public Administrations (Art. 13 h).
  • 8. National Security Framework. General objectives: create the necessary conditions of trust through measures to guarantee security, enabling citizens and Public Sector entities to exercise their rights and fulfil their duties. Promote:
    • Continuous management of security.
    • Prevention, detection and response to cyber threats and cyber attacks.
    • A homogeneous approach to security that facilitates cooperation in the provision of services, by means of a common language and elements appropriate to the Public Sector.
    Provide leadership on best practices. Facilitate interoperability of data and services, supporting the National Interoperability Framework.
  • 9. An overview (RD 311/2022): 41 articles and 4 annexes; English version available (*).
    • General provisions, object, scope of application, ... (arts. 1 - 4)
    • Basic principles, which serve as a guide (arts. 5 - 11)
    • Security policy and minimum requirements, mandatory compliance (arts. 12 - 28)
    • Categorization of systems for the adoption of proportionate security measures (arts. 28, 40, 41, Annexes I and II)
    • Procurement of security products and services; use of certified products; role of the Certification Body (OC-CCN) (art. 19 and Annex II)
    • Use of common infrastructure and services (art. 29)
    • Specific compliance profiles (art. 30)
    • The security audit that verifies compliance with the ENS (art. 31 and Annex III)
    • Annual Report on the Security Status (art. 32)
    • Response to security incidents (arts. 33 and 34)
    • Compliance with the ENS (arts. 35 to 38)
    • Permanent updating (art. 39)
    • Training (D.a. 1st)
    • Technical security instructions (D.a. 2nd)
    • Security guides (D.a. 2nd)
    • Systems adaptation (d.t.u.): 24 months
    • Annex I. System security categories
    • Annex II. Security measures
    • Annex III. Security audit
    • Annex IV. Glossary
    (*) Link to the English version: https://administracionelectronica.gob.es/dam/jcr:eb23ff83-ebdb-487e-abd2-8654f837794f/RD_311-2022_of-3_May_ENS.pdf. Link to the official version in Spanish: https://www.boe.es/eli/es/rd/2022/05/03/311
  • 10. It is applicable to...
    ▪ The whole Public Sector in Spain.
    ▪ Systems that handle classified information.
    ▪ Providers of services and solutions to entities of the Public Sector.
    ▪ Public sector entities and third parties providing services to them, in the processing and protection of personal data.
    ▪ And...
    ▪ The calls for procurement will include the requirements to ensure compliance with the ENS (extended to the supply chain on the basis of risk analysis).
    ▪ Providers should have a security policy.
    ▪ Providers of outsourced services should have a Point of Contact for the security of the information handled and the services provided, and for incident management.
  • 11. The ENS at a glance:
    ✓ Legal base: Royal Decree 3/2010; updated 2015; Royal Decree 311/2022; Administrative Laws 40/2015 and 39/2015; Law 3/2018 (adding to GDPR); transposition of NIS (RD-l 12/2018, RD 43/2021).
    ✓ Scope: Public Sector; Classified Information; Providers; Supply Chain (on the basis of risk analysis).
    ✓ Technical Instructions: Annual Report; Compliance with the ENS; Audit; Notification of incidents.
    ✓ Compliance: certifiers accredited by ENAC; certified entities (public/private); Council for the Certification of the ENS (CoCENS).
    ✓ Monitoring: 9 editions of the Annual Report.
    ✓ Support, guides and tools: > 100 CCN-STIC guides, Series 800; > 23 Solutions by References; development of Specific Profiles, with > 10 Specific Profiles for Local Entities, Cloud environments and others.
  • 12. Security Measures (I/IV). Source: ENS Infographics.
    • Organizational framework (4 measures): Security policy; Security regulations; Security procedures; Authorization process. Measures related to the global organization of security.
    • Operational framework (33 measures): Planning (5); Access control (6); Operation (10); External resources (4); Cloud services (1); Continuity of service (4); System monitoring (3). Measures to be taken to protect the operation of the system as an integral set of components for an end.
    • Protection measures (36 measures): Facilities and infrastructure (7); Staff management (4); Protection of equipment (4); Protection of communications (4); Protection of information media (5); Protection of IT applications (2); Protection of information (6); Protection of services (4). They focus on protecting specific assets, depending on their nature and the quality required by the level of security of the dimensions concerned.
    Proportionate to 3 categories (High, Medium, Low) and 5 security dimensions: Confidentiality [C], Integrity [I], Accountability [Acc], Authenticity [Auth], Availability [A].
  • 13. Security Measures (II/IV). Organizational framework: measures related to the global organization of security. Operational framework: measures to be taken to protect the operation of the system as an integral set of components for an end. Protection measures: focus on protecting specific assets, depending on their nature and the quality required by the level of security of the dimensions concerned. The security measures provided by the ENS satisfy the measures proposed by the NIS Cooperation Group (NISCG) in relation to Article 21, with added value (coding, levels, reinforcements).
  • 14. Security Measures (III/IV). Organizational framework: measures related to the global organization of security. Operational framework: measures to be taken to protect the operation of the system as an integral set of components for an end. Protection measures: focus on protecting specific assets, depending on their nature and the quality required by the level of security of the dimensions concerned. The security measures provided by the ENS satisfy the measures proposed by the NIS Cooperation Group (NISCG) in relation to Article 21, with added value (coding, levels, reinforcements).
  • 15. Security Measures (IV/IV). Security measures, their requirements, and reinforcements are coded to facilitate both implementation and auditing. Example: (shown as a figure on the slide).
  • 16. Responding to specific needs.
    ✓ Specific compliance profiles (art. 30): they will include the set of security measures that, as a result of the mandatory risk analysis, are suitable for a specific security category.
    ✓ Profiles seek to introduce the ability to adjust the ENS requirements to the specific needs of certain groups (Local Entities, Universities, Paying Agencies, ...) and technological areas (cloud services, ...). Examples:
    ✓ CCN-STIC-881A. Perfil de Cumplimiento Específico Universidades
    ✓ CCN-STIC 883A Perfil de Cumplimiento Específico Ayuntamientos pequeños (menos de 5.000 habitantes)
    ✓ CCN-STIC 883B Perfil Cumplimiento Específico Ayuntamientos de menos de 20.000 habitantes
    ✓ CCN-STIC 883C Perfil de Cumplimiento Específico Ayuntamientos de entre 20.000 y 75.000 habitantes
    ✓ CCN-STIC 883D Perfil de Cumplimiento Específico Diputaciones
    ✓ CCN-STIC-884 Perfil de cumplimiento específico para Azure Servicio de Cloud Corporativo
    ✓ CCN-STIC-885 Perfil de cumplimiento específico para Office 365 Servicio de Cloud Corporativo
    ✓ CCN-STIC-886 Perfil de cumplimiento específico para Sistemas Cloud Privados y Comunitarios
    ✓ CCN-STIC-887 Perfil de cumplimiento específico para AWS Servicio de Cloud Corporativo
    ✓ CCN-STIC-888 Perfil de Cumplimiento Específico para Google Cloud Servicio de Cloud Corporativo
  • 17. Response to cybersecurity incidents. Procedure and roles, in the light of experience and on the basis of the roles defined in the transposition of NIS1. Role of the CSIRTs:
    • CCN-CERT, notified by entities of the Public Sector, and national coordinator
    • INCIBE-CERT, notified by entities of the Private Sector
    • ESPDEF-CERT, notified by entities in the scope of National Defense
    Role of the General Secretariat for Digital Government (SGAD), provider of common and shared services, in collaboration with the CCN-CERT. Role of the Ministry of Interior (Cybersecurity Coordination Office, OCC), involved when an essential operator that has been designated as a critical operator suffers an incident.
  • 18. Procurement of security products. Use of certified products on the basis of proportionality. Role of the recognized Catalogue of Information and Communication Technology Security Products and Services (CPSTIC): it offers a set of reference products whose security functionalities have been certified. The instruments for central procurement refer to the ENS for the security requirements and for the means to show compliance. E.g. the Dynamic System for Procurement of System, Development and Application Software Supplies of the State Centralized Procurement System (SDA 25). The specifications for the procurement include:
    - Security requirements
    - How to show compliance with the security requirements by means of reference to: the National Security Framework (ENS); the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) or equivalent; the (coming) European certification schemes
  • 19. Compliance. Those in scope should show compliance with the ENS. Public Sector entities, service providers and solution providers: same procedures and documents.
    • Certification entities: accreditation by ENAC in accordance with UNE-EN ISO/IEC 17065, for certification of systems within the scope of application of the ENS.
    • Declaration of Compliance: applicable to Basic category information systems; self-assessment for the declaration.
    • Certification of Compliance: mandatory for information systems of Medium or High category and voluntary for Basic category; audit for certification.
    • Compliance labels.
    ✓ It allows the unification of criteria of certifying entities through the ENS Certification Council (CoCENS).
    ✓ At any time, any person or entity can consult the status of a Certification of Compliance with the ENS in a centralized portal maintained by the CCN, based on the information provided by the certification entities.
  • 20. Monitoring - Annual Report. Article 32, Security status report. Security measurement: 4.7.2 Metric System [op.mon.2]. There is a tool for collecting and consolidating data for the State of Security Report. Main contents of the report:
    - General information about organisms
    - Risk management
    - Organizational security information
    - Economic and human resources
    - Security measures of Annex II of the ENS
    - Information about interconnections
    - Security application (authentication methods, outsourced services, change management, continuity of services, training, awareness...)
    - Incident management (number and response times)
    - Audits and certifications
    Versions of the report: global and by context. Some figures of the 9th edition: 1327 bodies included in the 2022 report, +30% compared to 2021. Participation by type of organism, year 2022 (chart): General State Administration, Regions, Local Bodies and Universities (chart values 177, 218, 877 and 55; total 1327). Developments in participation, 2018 to 2022 (chart): included in the report 768, 898, 933, 1008, 1327; registered in governance 886, 1078, 1187, 1283, 1747.
  • 21. A global approach to cybersecurity (section divider, repeating the diagram of slide 3; Source: Miguel A. Amutio).
  • 22. Cooperation, Governance, Community.
    • General State Administration: ICT Governance and Cooperation; Working Groups (...ENS, COCS); CIO (SGAD).
    • Public Administrations: Sectorial Commission for eGovernment; Working Groups (...WG Security).
    • Council for the Certification of the ENS. Established: 2018. Presidency: CCN. Members: SGAD, ENAC, accredited certifiers of the ENS. Mission: implementation of the certification of compliance with the ENS, plus community.
  • 23. A global approach to cybersecurity (section divider, repeating the diagram of slide 3; Source: Miguel A. Amutio).
  • 24. Capacities, services and solutions.
    ✓ COCS provides SOC horizontal cybersecurity services. It facilitates compliance with the ENS. > 100 entities within its scope (General State Administration).
    ✓ Catalogue of solutions provided by the CCN-CERT: audit, detection, SIEM, CTI exchange, ... They facilitate the implementation of the ENS.
    ✓ National Network of SOCs: collaboration and exchange of information between the SOCs of the Spanish public sector. 141 members: 89 public entities, 52 providers (31 Gold, 21 Informed).
    ✓ Promotion of cybersecurity capacities in regional governments and local entities.
  • 25. European Cross-border Platform for the Exchange of Cyberintelligence Information.
    ✓ EU funding: DIGITAL, Cybersecurity Work Programme.
    ✓ Cross-border platforms for pooling data on cybersecurity threats between several Member States.
    ✓ Call for Expression of Interest to select entities in Member States and other eligible countries willing to deploy and manage cross-border SOC platforms.
    (Figure: ENSOC Architecture)
  • 26. A global approach to cybersecurity (section divider, repeating the diagram of slide 3; Source: Miguel A. Amutio).
  • 27. Funding. Agreement of the Council of Ministers on Urgent Measures on Cybersecurity (25.05.2021), Line 2 - Action 5, Measure 9 (timeline markers on the slide: April 2019, July 2020, January 2021, May 2021, October 2021). Funding from Next Generation EU through the Plan for Recovery, Transformation and Resilience:
    ✓ Cybersecurity Operations Center of the General State Administration (COCS).
    ✓ Solutions provided by the CCN-CERT required by the COCS.
    ✓ Improvement of the implementation of the ENS in the General State Administration.
    ✓ Cybersecurity capacities in other Public Administrations, Regional Governments and, particularly, Local Entities, as well as improvement of the implementation of the ENS.
    ✓ Other investments in cybersecurity.
  • 28. EU Cybersecurity Context.
    • Legal Framework (non-exhaustive): Regulation 910/2014 eIDAS; Regulation 2016/679 GDPR; Regulation 2019/881 Cybersecurity Act; Regulation 2021/887 ECCC; Directive 2016/1148 NIS; Regulation 2018/1724 Single Digital Gateway; Regulation 2022/2554 DORA; Directive 2022/2555 NIS2; Directive 2022/2557 on the resilience of critical entities (CER); Regulation 2022/868 Data Governance Act; Council Conclusions on security of the Supply Chain; EU Policy on Cyber Defence; Adequacy Decision EU-US Data Privacy Framework; Proposal Regulation on Artificial Intelligence; Proposal Regulation Data Act; Proposal Regulation Interoperable Europe; Proposal Cyber Resilience Act (CRA); Proposal Regulation eIDAS2; Proposal Regulation on Cybersecurity of EU Institutions; Proposal Regulation on information security of EU Institutions; Proposals for European Certification Schemes (EUCC, EUCS); Proposal Cybersolidarity Act; Proposal modification of the Cybersecurity Act.
    • Governance, Cooperation, Community: Multi Stakeholder Platform for ICT Standards; CIO Network; Expert Group on Interoperability; SDG Coordination Group; European Blockchain Services Infrastructure; eIDAS Expert Group; ...; European Cybersecurity Competence Center (ECCC); Network of NCCs; NIS Cooperation Group; CyCLONe, European Cyber Crises Liaison Organisation Network; Joint Cyber Unit, cooperation of cybersecurity communities; international cooperation on cybersecurity standards and specifications; cooperation with third countries, ...
    • Operational capacities, Services, Solutions: Trans-European TESTA Network; CEF Building Blocks, ...; ENISA; CERT-EU (for EUIBAS); CSIRT Network, ...
    • Funding: Next Generation EU; Digital Europe Programme - Cybersecurity; Horizon Europe; other instruments for funding.
    • Alignment; transposition; implementation; participation; contribution to factsheets, etc.
  • 29. Public Administrations in the scope of NIS2. Enlarged scope: Public Administration (General State, Regional Governments; Local Entities, to be determined). Main obligations for entities in the scope, measures for risk management:
    • Security policies
    • Incident management (prevention, detection and response)
    • Continuity of activities
    • Supply chain security
    • Security in acquisition, development and maintenance of networks and systems
    • Policies and procedures to evaluate the effectiveness of measures
    • Basic cyber hygiene practices and cybersecurity training
    • Policies and procedures relating to cryptography and encryption
    • Human resources security, ...
    • Supply chain: specific vulnerabilities of suppliers and service providers
    The ENS positions Spain in a favorable condition for the agile implementation of the transposition of the NIS2 Directive.
  • 30. Conclusions.
    ✓ The ENS provides basic principles and security requirements; proportionality through categorization; updated security measures; flexibility mechanisms through specific profiles; accreditation and compliance mechanisms through a certification scheme with ENAC; and monitoring through the Annual Report on the state of security, along with more than 100 support guides and a collection of support tools provided by the CCN-CERT.
    ✓ Applicable to the whole public sector, systems that handle classified information, and providers of solutions and services.
    ✓ A global approach which engages the legal framework; governance, cooperation and community; capacities, solutions and services; and funding.
    ✓ Aligned with the cybersecurity context, tailored to digital government including aspects not treated in standards, but coherent with international standards.
    ✓ It is flexible and at the same time enables harmonization of criteria. Continuously tuned to the evolution of threats to information systems. The ENS satisfies the measures proposed by the NISCG for Article 21.
    ✓ 13 years of experience.
    ✓ A sound basis for the implementation of NIS2 in Spain.
  • 32. Many thanks. 29th Plenary Meeting of the NIS Cooperation Group, 29th November 2023.
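As an added illustration of slides 12 and 15 (the categorization of a system by its five security dimensions, and the coded measure identifiers such as [op.mon.2]), the following Python is example code written for this page; it is not from the presentation or from the CCN. It assumes the Annex I rule of RD 311/2022 as I recall it: a system is HIGH if any dimension reaches HIGH, MEDIUM if any reaches MEDIUM and none HIGH, and BASIC otherwise (slide 12 calls the lowest category "Low"; slide 19 and the Royal Decree call it Basic). The framework prefixes org/op/mp and the group abbreviations are the Annex II codes; the thresholds in SAMPLE_APPLICABILITY are constructed placeholders, not the Annex II table.

```python
"""Added example: ENS system categorization and coded measure lookup.

Category rule (Annex I of RD 311/2022, as recalled by the editor): HIGH if any
dimension is HIGH; MEDIUM if any is MEDIUM and none HIGH; BASIC otherwise.
SAMPLE_APPLICABILITY is a constructed placeholder, not the Annex II table.
"""
from typing import Dict, List, Tuple

# The five security dimensions named on slide 12.
DIMENSIONS = ("C", "I", "Acc", "Auth", "A")

# Rank of each dimension level; "N/A" is a dimension left unvalued by the risk analysis.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
CATEGORY_BY_RANK = {1: "BASIC", 2: "MEDIUM", 3: "HIGH"}
CATEGORY_RANK = {name: rank for rank, name in CATEGORY_BY_RANK.items()}

# Frameworks and groups from slide 12; the short codes are the Annex II abbreviations.
GROUPS: Dict[str, Dict[str, str]] = {
    "org": {"": "Organizational framework"},
    "op": {"pl": "Planning", "acc": "Access control", "exp": "Operation",
           "ext": "External resources", "nub": "Cloud services",
           "cont": "Continuity of service", "mon": "System monitoring"},
    "mp": {"if": "Facilities and infrastructure", "per": "Staff management",
           "eq": "Protection of equipment", "com": "Protection of communications",
           "si": "Protection of information media", "sw": "Protection of IT applications",
           "info": "Protection of information", "s": "Protection of services"},
}


def categorize(levels: Dict[str, str]) -> str:
    """System category = highest level reached by any dimension (Annex I rule).
    All five dimensions must be given and at least one must be valued."""
    if set(levels) != set(DIMENSIONS):
        raise ValueError(f"expected exactly {DIMENSIONS}, got {sorted(levels)}")
    ranks = []
    for dim, level in levels.items():
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown level {level!r} for dimension {dim}")
        ranks.append(LEVEL_RANK[level])
    if max(ranks) == 0:
        raise ValueError("at least one dimension must be valued")
    return CATEGORY_BY_RANK[max(ranks)]


def parse_measure_code(code: str) -> Tuple[str, str, int]:
    """Split 'op.mon.2' into ('op', 'mon', 2); organizational measures have no
    group, so 'org.1' becomes ('org', '', 1). Unknown codes raise ValueError."""
    parts = code.strip().lower().split(".")
    if len(parts) == 2 and parts[0] == "org":
        framework, group, number = parts[0], "", parts[1]
    elif len(parts) == 3:
        framework, group, number = parts
    else:
        raise ValueError(f"malformed measure code {code!r}")
    if framework not in GROUPS or group not in GROUPS[framework] or not number.isdigit():
        raise ValueError(f"unknown framework or group in {code!r}")
    return framework, group, int(number)


def describe_measure(code: str) -> str:
    """Readable label, e.g. 'op.mon.2 -> System monitoring, measure 2'."""
    framework, group, number = parse_measure_code(code)
    return f"{code} -> {GROUPS[framework][group]}, measure {number}"


# CONSTRUCTED thresholds (lowest category from which a measure applies).
# Illustrative only: the real per-measure applicability is in Annex II.
SAMPLE_APPLICABILITY: Dict[str, str] = {
    "org.1": "BASIC",      # security policy, listed first on slide 12; threshold constructed
    "op.acc.1": "BASIC",   # constructed threshold
    "op.mon.2": "MEDIUM",  # metric system, cited on slide 20; threshold constructed
    "mp.info.3": "HIGH",   # constructed threshold
}


def required_measures(levels: Dict[str, str],
                      table: Dict[str, str] = SAMPLE_APPLICABILITY) -> List[str]:
    """Measures whose threshold is at or below the system's category.
    Every code in the table is validated first, so a typo fails loudly."""
    category_rank = CATEGORY_RANK[categorize(levels)]
    chosen = []
    for code, threshold in table.items():
        parse_measure_code(code)
        if CATEGORY_RANK[threshold] <= category_rank:
            chosen.append(code)
    return sorted(chosen)


if __name__ == "__main__":
    # Constructed example system: integrity valued MEDIUM, authenticity not valued.
    system = {"C": "LOW", "I": "MEDIUM", "Acc": "LOW", "Auth": "N/A", "A": "LOW"}
    print("category:", categorize(system))
    for code in required_measures(system):
        print(describe_measure(code))
```

Running the block prints the category of the constructed example system and the measures from the sample table that apply to it. In a real assessment the table would be loaded from Annex II, and the per-measure levels and reinforcements mentioned on slide 13 would be tracked alongside the base code, which is what the coding scheme is meant to make auditable.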