Municipalities, provincial councils, consortia, autonomous bodies, public companies, public-sector foundations: the Spanish public sector operates under a composite regulatory framework that few IT providers fully understand. Meeting ENS, reinforced GDPR for administration, transparency, public procurement and NIS2 simultaneously is not improvised.
Impulso Tecnológico works with Spanish public-sector entities for over 15 years. We know the specific demands: ENS as a sine qua non to bid, the clauses of Law 9/2017 on Public Sector Contracts, reporting to the Court of Auditors, the political timelines of legislatures that shift priorities every 4 years.
Typical challenges in the public sector
- ENS not certified or expired: the National Security Scheme is mandatory for IT systems handling administration data. Without active certification you can't contract with central government or many regional ones.
- Mandatory procurement without flexibility: minor contracts (≤ €40k), open procedure, negotiated without publication — each form has timelines, publicity requirements and specific obligations.
- Transparency + mandatory portals: Law 19/2013 requires publishing contracts, salaries, organization charts. Portals must stay active and updated.
- NIS2 applies to many administrations: especially mid-sized (>50 employees) and those operating essential services (water, energy, transport).
- Reinforced personal data: citizen data has specific legal basis, specific retention periods, extended subject rights.
- Legacy systems and slow migration: inherited municipal ERPs, obsolete document managers, intranets 15 years old.
How we tackle it at Impulso
- ENS turnkey certification: scope diagnosis, statement of applicability, adequacy plan, documentary evidence, audit support. We have prepared ENS High, Medium and Basic since 2018.
- Procurement support: drafting unbiased technical specs, evaluating technical bids, handling Q&A, managing the tender process.
- Transparency compliance: integration with public procurement platforms, automated transparency portals.
- Public cybersecurity with Fortinet + Sophos: perimeter protection, MFA on all administrative accounts, 24/7 monitoring, incident management with CCN-CERT reporting.
- NIS2 step by step: scope analysis, treatment plan, documentary evidence, incident drills.
- Orderly legacy migration: phased plan, pilot tests, user training, change management.
Spanish public sector regulatory framework
- ENS (Royal Decree 311/2022): Spanish security framework for public IT systems. Basic, Medium or High by sensitivity. Mandatory for contracting with central government.
- Law 9/2017 LCSP: Public Sector Contracts. Procedures, timelines, publicity, award criteria.
- Law 19/2013 on Transparency: obligation to publish economic, contractual and organizational information.
- GDPR + LOPDGDD: citizen data with specific legal basis (public interest).
- NIS2: applies to administrations providing essential services (water, energy, transport) and mid-sized ones (>50 employees).
- Law 39/2015 LPACAP: common administrative procedure. Digital identity, electronic notifications, registry.
Why Impulso for the public sector
- ENS experience since 2018: prepared certifications, knowledge of nuances between High / Medium / Basic, incident management with CCN-CERT.
- Procurement know-how: we know how to write a technical spec that passes Audit and how not to fall into clauses TACRC will overturn.
- Iberian coverage: technicians in Madrid and Lisbon with experience in Spanish and Portuguese bodies.
- Documented compliance, not marketing: evidence ready for CCN, AEPD, Court of Auditors, IGAE.
If your administration needs ENS certification, NIS2 preparation, or to reinforce an IT provider that doesn't understand the public sector, we offer a free initial diagnosis: visit, executive plan, closed budget within two weeks.