accesskey _ mod _ content


The digital processing of the public Sector must be accompanied by organizational and technical measures to protect the information managed and the services provided, proportionate to the risks from unintended actions or illicit weapons, particularly the cyber threats, errors or shortcomings and accidents or disasters.

The Law 39/2015, of 1 october, of Common Administrative Procedure of the public authorities (Opens in new window) collects between the rights of persons in their relations with public administrations, set out in article 13, the relative “ to the protection of personal data, and in particular the security and confidentiality of the data included in the files, systems and applications of the public administrations ”. At the same time that security is among the principles of action of the public administrations, as well as the guarantee of protection of personal data, as provided for in the Law 40/2015, of 1 october, from The Legal Regime of the public Sector (Opens in new window) in its article 3 which deals with the general principles relating to the relations of the administrations by electronic means.

In response to the foregoing, article 156 of the law 40/2015 reflects the National security scheme (NHIS) “ seeks to establish the policy of security in the use of electronic means within the scope of this Law, with the basic principles and minimum requirements that adequately ensured information security treated ”.

The NHIS was established by article 42 of law 11/2007 and regulated by the Royal Decree 3/2010, of 8 january (Opens in new window) , which was amended by the Royal Decree 951/2015 (Opens in new window) in order to update them in the light of experience gained in its implementation, of the evolution of technology and cyber threats and regulatory context of international and european level.

The technical instructions of the security council binding, are essential for proper, uniform and consistent implementation of the requirements and measures contained in the outline and, in particular, to indicate the common way to act in specific areas: Report of the state security; Notice of security incidents; Audit of security; Accordance with the national security; Acquisition of products of the security council; Cryptology of employment in the national security; Interconnection in the national security; and safety requirements in outsourced environments.

Safety guides for the so-called National Cryptologic, CCN-STIC guides (Opens in new window) and commercially available Portal del CCN-CERT (Opens in new window) help the better compliance with the national security, in particular, the collection of guides of the series 800.

The NHIS was prepared in the light of the state of art and the main actors in the area of security of information from the european Union, oecd, national and international standardization, similar actions in other countries, etc.

The NHIS is the result of a coordinated by the ministry of Territorial policy and Public role together with the centre National Cryptologic (NCC) and the participation of all public administrations, through the Collegiate bodies with competence in respect of digital administration. It also has borne in mind the views of industry associations of the ict sector.


The national security (NHIS) pursues the following objectives:

  • Create the conditions of security in the use of electronic means through measures to ensure the safety of, data systems, communications and electronic services, allowing the exercise of rights and duties through such means.
  • Promote the management of security .
  • Promote the prevention, detection and correction for better resilience in the scene of cyber threats and cyber attacks.
  • Promoting equal treatment of security to facilitate cooperation in the provision of public services when they involve digital various entities. This involves providing the common elements that guide the actions of public Sector entities in the area of security of information technologies; also provide a common language to facilitate interaction, as well as communication security requirements of the information to the Industry.
  • Serve as a model of good practices, in line with what was said in the recommendations of the OECD ' Digital Security Risk Management for Economic and Social Prosperity - OECD Recommendation and Companion Document

In the national security is conceived security as an integral activity, in which there is no specific sections conjunctural or treatments, because the weakness of a system is determined by its most fragile and often this point is coordination between appropriate measures individually but poorly assembled.

Elements of the national security

The main elements of the NHIS are as follows:

  • The basic principles to be considered in decision-making on the security council (arts. 4-10).
  • The minimum requirements that would allow adequate protection of information (arts. 11-26).
  • The mechanism for achieving compliance with the basic principles and minimum requirements through security measures provided the nature of information and services to protect (arts. 27, 43, 44, annex I and Annex II).
  • The use of infrastructures and common services (item 28).
  • Safety guides (item 29).
  • The technical instructions of the security council (item 29 and additional provision fourth).
  • Electronic communications (arts. 31 to 33)
  • The audit of the security council (item 34 and Annex III).
  • The response to security incidents (arts. 36 and 37).
  • The use of certificates (item 18., annex II and Annex V).
  • Compliance (item 41).
  • Training and awareness-raising (additional provision first).

The primary mandate of the NHIS is laid out in article 11 ‘ minimum security ’, “ all the higher echelons of public administrations formally must have its security policy that unifies the ongoing management of the security council, to be adopted by the competent superior Body ”, to be established on the basis of the basic principles and which will continue to implement the minimum requirements.

Ámbito of implementation

The Scope of application the national security is the public Sector, as provided for in article 2 of the law 39/2015 and 40/2015 on the subjective scope and what is said on the public sector institutional. Are excluded from the Scope of application systems that treat classified information regulated by law 9/1968 of 5 april official secrets, and its implementing rules.

Adequacy of national security

An alignment mandated at the national security requires the treatment of the following issues, expressed very briefly:

See the NHIS Adequacy


The NHIS in its article 41 on ‘ publishing in accordance ’ notes that the bodies and public law entities will advertising for electronic headquarters for the declarations of conformity, and to the safety of those who are creditors, obtained in the implementation of the NHIS. Following the entry into force of law 39/2015 and 40/2015 affects all entities of the public Sector in Spain, as well as to the private Sector operators providing solutions and services, not only of the security council, or who are interested in the certification of conformity with the TEAMS.

' Technical instruction of the security council in accordance with the NHIS » Establishes the criteria and procedures for the ascertainment of responsiveness, as well as for advertising that conformity. Precise mechanism for generating and publicity of the declarations of conformity and the features of the security council achieved in the implementation of the TEAMS.

Further information,

Fill in the form of Contact (Opens in new window) to send your request for information.