

The digital processing of the public sector must be accompanied by organizational and technical measures that protect the information managed and the services provided, proportionate to the risks arising from unintended or illicit actions, particularly cyber threats, from errors or shortcomings, and from accidents or disasters.

Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, includes among the rights of persons in their relations with public administrations, set out in article 13, the right “to the protection of personal data, and in particular the security and confidentiality of the data included in the files, systems and applications of the public administrations”. At the same time, security is among the principles of action of the public administrations, as is the guarantee of protection of personal data, as provided for in Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, in its article 3, which deals with the general principles relating to the relations of the administrations by electronic means.

In response to the foregoing, article 156 of Law 40/2015 sets out the National Security Scheme (ENS), which “has the purpose of establishing the security policy in the use of electronic means within the scope of this Law, and is made up of the basic principles and minimum requirements that adequately guarantee the security of the information handled”.

The ENS was established by article 42 of Law 11/2007 and regulated by Royal Decree 3/2010, of 8 January, which was amended by Royal Decree 951/2015 in order to update it in the light of the experience gained in its implementation, the evolution of technology and cyber threats, and the international and European regulatory context.

The technical security instructions, which are binding, are essential for the proper, uniform and consistent implementation of the requirements and measures contained in the Scheme and, in particular, indicate the common way to act in specific areas: security status report; notification of security incidents; security audit; conformity with the National Security Scheme; acquisition of security products; cryptology for use in the National Security Scheme; interconnection in the National Security Scheme; and security requirements in outsourced environments.

The security guides of the National Cryptologic Centre, known as CCN-STIC guides and available on the CCN-CERT Portal, help to better comply with the provisions of the National Security Scheme, in particular those in the 800 series collection of guides.

The ENS was prepared in the light of the state of the art and of the main actors in the area of information security from the European Union, the OECD, national and international standardization, similar actions in other countries, etc.

The ENS is the result of work coordinated by the Ministry of Territorial Policy and Public Function together with the National Cryptologic Centre (CCN), with the participation of all public administrations through the collegiate bodies with competence in digital administration. The views of the ICT sector's industry associations have also been taken into account.


The National Security Scheme (ENS) pursues the following objectives:

  • Create the conditions of security in the use of electronic means through measures to ensure the security of systems, data, communications and electronic services, allowing the exercise of rights and duties through such means.
  • Promote security management.
  • Promote prevention, detection and correction, for better resilience in a scenario of cyber threats and cyber attacks.
  • Promote a uniform treatment of security to facilitate cooperation in the provision of digital public services when several entities are involved. This means providing the common elements that guide the actions of public sector entities in the area of information technology security, and also providing a common language to facilitate interaction and the communication of information security requirements to industry.
  • Serve as a model of good practices, in line with the recommendations of the OECD “Digital Security Risk Management for Economic and Social Prosperity - OECD Recommendation and Companion Document”.

In the National Security Scheme, security is conceived as an integral activity in which there is no room for one-off actions or ad hoc treatments, because the weakness of a system is determined by its most fragile point, and often this point is the coordination between measures that are individually appropriate but poorly assembled.

Elements of the National Security Scheme

The main elements of the ENS are as follows:

  • The basic principles to be considered in security decision-making (arts. 4-10).
  • The minimum requirements that allow adequate protection of information (arts. 11-26).
  • The mechanism for achieving compliance with the basic principles and minimum requirements through security measures proportionate to the nature of the information and the services to be protected (arts. 27, 43, 44, Annex I and Annex II).
  • The use of common infrastructures and services (art. 28).
  • Security guides (art. 29).
  • The technical security instructions (art. 29 and fourth additional provision).
  • Electronic communications (arts. 31 to 33).
  • The security audit (art. 34 and Annex III).
  • The response to security incidents (arts. 36 and 37).
  • The use of certificates (art. 18, Annex II and Annex V).
  • Conformity (art. 41).
  • Training and awareness-raising (first additional provision).

The primary mandate of the ENS is laid out in article 11, ‘Minimum security’: “all the higher bodies of public administrations must formally have a security policy that unifies the ongoing management of security, to be adopted by the competent superior body”. This policy is to be established on the basis of the basic principles and implemented by applying the minimum requirements.

Scope of application

The scope of application of the National Security Scheme is the public sector, as provided for in article 2 of Laws 39/2015 and 40/2015 on the subjective scope, and in what they say on the institutional public sector. Systems that handle classified information regulated by Law 9/1968, of 5 April, on Official Secrets, and its implementing rules, are excluded from the scope of application.

Adaptation to the National Security Scheme

An orderly adaptation to the National Security Scheme requires addressing the following issues, expressed very succinctly:

See Adaptation to the ENS


Article 41 of the ENS, on ‘Publication of conformity’, states that public-law bodies and entities shall publicize, on their corresponding electronic offices, the declarations of conformity and the security badges they are entitled to, obtained with respect to compliance with the ENS. Following the entry into force of Laws 39/2015 and 40/2015, this affects all public sector entities in Spain, as well as private sector operators that provide them with solutions and services, not only security ones, or that are interested in certification of conformity with the ENS.

The ‘Technical Security Instruction on conformity with the ENS’ establishes the criteria and procedures for determining conformity, as well as for publicizing that conformity. It specifies the mechanisms for obtaining and publicizing the declarations of conformity and the security badges obtained with respect to compliance with the ENS.
