On a day like today, ten years ago, Royal Decree 3/2010 of 8 January, regulating the National Security Scheme in the field of e-government, was approved. 21 days later, on 29 January, it was published in the Official State Gazette (BOE), establishing the basic principles and minimum requirements that, in the general interest, allow adequate protection of the information, communications and services of public administrations.
Subsequently, in 2015, the scope of the Esquema Nacional de Seguridad (ENS) was extended to the entire public sector by means of Law 40/2015, and it was modified via 951/ of 23 October in the light of lessons learned and the Community policy context, particularly of the rules
included, in a pioneering way, 75 security measures that are mandatory for the Spanish public sector, in the organisational framework as well as the operational and protection frameworks.
This is a strength that has positioned our country as a reference in the European Union and is the result of a collective effort by the public administrations in Spain, with the collaboration of the private sector, which actively contributed to its development and implementation, led by the Ministry of Territorial Policy and Public Function through the General Secretariat for Digital Administration (in 2010, when it was adopted, the Ministry of the Presidency) and the National Cryptologic Centre.
The ENS has become the main tool for strengthening cybersecurity in the public sector and has been accompanied by 61 CCN-STIC Guides (Series 800), 14 cybersecurity solutions developed by the CCN and 4 Technical Security Instructions published in the BOE on incident notification, security audits of information systems, conformity with the Scheme itself and the security status report.
Precisely in order to compile this report and to establish a system for measuring the security of the public sector, the solution (National Report on the State of Security) was developed to make finding its adequacy faster and more intuitive. Five editions of the report have been produced and the sixth is under way. In 2019, 1006 entities had uploaded their data, compared with 799 a year earlier.
The general assessment that emerges from the report is that the effort to implement the ENS must be maintained, especially as it shows that applying it leads to better protection against cyber threats.
Also in 2015, criteria were established for achieving compliance with the Scheme and for its corresponding declaration and certification of conformity, and collaboration with the National Accreditation Entity led to the accreditation and certification scheme, which to date has allowed 8 accredited certification entities and, at the end of 2019, over 160 certified institutions (public and private).
Finally, in 2018, the Certification Council of the National Security Scheme was created, whose objective is to help its proper implementation and, consequently, the best provision of public services with the greatest guarantees.
ENS under revision
At this anniversary it is necessary to carry out a review of the ENS in which, learning from the experience of these ten years, the Scheme can be prepared to face new threats; to improve monitoring capabilities and design increasingly effective responses to attacks; and to reduce the surface of exposure to vulnerabilities and configuration deficiencies in systems.
This requires, first, aligning the ENS with the legal framework and the strategic context as of 2020 in order to provide security in digital services; secondly, introducing flexibility to facilitate adapting the implementation of the ENS to the specific needs of certain groups of entities or technologies; and thirdly, updating the ENS to facilitate the response to trends in cybersecurity, reduce vulnerabilities and promote active defence through a revision, in light of the state of the art, of the basic principles, the minimum requirements and the security measures. That revision focuses in particular on issues such as system monitoring; tools for surveillance, advanced threat detection and event correlation; the provision of observatories for surveillance purposes; more specific approaches to incident notification and management; measures for the use of cloud services; and helping to protect personal data as described in the First Additional Provision of Organic Law 3/2018.