Strengthening secure cloud modernization for Spain’s public sector through CPSTIC certification.
# Regulation/Compliance: Spanish National Security Framework (ENS) & CPSTIC Certification
## Overview
The **Esquema Nacional de Seguridad (ENS)** is Spain’s mandatory national security framework designed to establish trust in the use of electronic communications. The **CPSTIC** (ICT Security Products and Services Catalog) is the curated list of products and services formally certified by the Spanish intelligence community to meet ENS standards. Inclusion in CPSTIC signifies that a technology provider has undergone rigorous assessment to be trusted with public sector data and systems.
## Key Details
- **Issuing Authority:** National Cryptologic Center (CCN - *Centro Criptológico Nacional*), part of the CNI (*Centro Nacional de Inteligencia*).
- **Effective Date:** Ongoing; Wiz certification announced March 3, 2026.
- **Jurisdiction:** Spain.
- **Status:** In Effect.
## Requirements
### Mandatory Requirements
1. **ENS Alignment:** Products must demonstrate strict adherence to the security controls outlined in the Royal Decree 311/2022 (the latest update to the ENS).
2. **CPSTIC Inclusion:** For high-security-level public sector projects, agencies are mandated to use products listed in the CPSTIC catalog.
3. **Formal Assessment:** Providers must undergo a formal evaluation process by the CCN to verify that the security claims of the product (functional and assurance) are valid.
4. **Configuration Standards:** Use of the product must follow the specific secure configuration guidelines provided by the CCN.
### Recommended Practices
1. **Zero Trust Integration:** Aligning cloud security with the five pillars of the Zero Trust Maturity Model.
2. **Continuous Monitoring:** Utilizing platforms like Wiz to automate evidence collection and posture monitoring year-round rather than performing point-in-time audits.
3. **Shadow AI Detection:** Monitoring and securing AI service usage to prevent unmanaged "Shadow AI" within public sector pipelines.
## Affected Organizations
- **Industries:** All Spanish public sector agencies (national, regional, and local) and private sector companies serving as contractors/providers to the Spanish government.
- **Organization Size:** All sizes; mandatory for any entity processing public sector data.
- **Geographic Scope:** Spain (specifically entities operating within the Spanish administrative framework).
## Compliance Timeline
- **Ongoing:** ENS compliance is a continuous requirement for public administration.
- **March 3, 2026:** Wiz platform officially added to the CPSTIC catalog.
- **Immediate:** Public sector agencies can now legally procure and deploy Wiz for ENS-regulated environments.
## Implementation Guidance
### Assessment Phase
- Identify the "Category" of the system (Basic, Intermediate, or High) as defined by the ENS based on the criticality of the information handled.
- Review the CPSTIC catalog to ensure third-party cloud security tools (like CNAPPs) are certified for the required category.
### Implementation Phase
- Deploy the certified platform (Wiz) via a "connect-in-minutes" architecture to gain full-stack visibility.
- Map existing cloud infrastructure (VMs, containers, serverless) to ENS control requirements.
### Validation Phase
- Use built-in compliance frameworks (ISO, NIST, and ENS-aligned templates) to automate the collection of evidence.
- Audit the "Security Graph" to identify "toxic combinations" (vulnerabilities combined with exposure) that violate ENS security mandates.
## Technical Requirements
- **Cloud Native Application Protection (CNAPP):** Integration of CSPM, CWPP, and CIEM into a single source of truth.
- **Vulnerability Management:** Continuous scanning of virtual machines, containers, and serverless functions.
- **Identity & Entitlement Management (CIEM):** Monitoring permissions to ensure the principle of least privilege.
- **Data Protection:** Scanning for exposed secrets and malware within the cloud environment.
## Penalties & Enforcement
- **Fines:** Non-compliance with ENS can lead to administrative sanctions under the Law on the Legal Regime of the Public Sector.
- **Other Consequences:** Loss of government contracts for private vendors; prohibition from processing sensitive public data; reputational damage.
- **Enforcement:** Audits are conducted by the CCN or accredited independent auditors to ensure continuous adherence to the framework.
## Related Standards
- **ISO 27001/27017/27018:** International standards for information security and cloud privacy (Wiz is cross-certified).
- **SOC 2 Type 2:** Operational security and privacy reporting.
- **NIST Framework:** Alignment with US federal cybersecurity standards.
- **IRAP:** Alignment with Australian public sector security requirements.
## Resources
- **Official Documentation:** [CPSTIC Catalog - Wiz Entry](https://cpstic.ccn.cni.es/en/catalogue/756-wiz)
- **Guidance Documents:** [Wiz Trust Center](https://www.wiz.io/trust-center)
- **Framework Info:** [Spanish National Cryptologic Center (CCN)](https://www.ccn-cert.cni.es/ens.html)
## Practical Recommendations
- **Inventory Check:** If you are a contractor for the Spanish government, verify that your security stack (specifically CNAPP) is CPSTIC-certified to avoid contract termination.
- **Modernize Security:** Replace legacy point solutions with a consolidated platform to simplify the reporting required for ENS audits.
- **Focus on AI:** As public sectors adopt AI, ensure your CPSTIC-certified tools provide visibility into AI pipelines to meet emerging security mandates.