Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures
Spain ENS overview
In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by the updated Royal Decree (RD) 311/2022. The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.
The framework applies to all public organizations and government agencies in Spain that purchase cloud services, as well as to providers of information and communications technologies (ICT). It guides these agencies and companies in implementing effective controls for security in the cloud and on premises, in compliance with Spanish and EU security and privacy standards.
The framework establishes core policies and mandatory requirements that both government agencies and their service providers must meet. It defines a set of specific security controls, many of which align directly with ISO/IEC 27001, relating to availability, authenticity, integrity, confidentiality, and traceability. The sensitivity of the information, low, intermediate, or high, determines the security measures that must be applied to protect it.
Each government agency is required to adopt a risk-management approach to security, whereby they identify and assess risks, and then apply security controls appropriate to those risks. Service providers, too, must comply with the stringent framework requirements to help ensure that their procedures, technical capacities, and operations are secure and enable agencies to comply with the regulations.
The framework prescribes an accreditation process that is voluntary for systems handling information of low sensitivity, but mandatory for systems handling information at an intermediate or high level of sensitivity. An audit is performed by an accredited independent auditor. The report is then reviewed in a process of certification before risk-management controls are accepted in the final step of accreditation.
Microsoft and Spain ENS high-level security measures
Microsoft Azure and Microsoft Office 365 have gone through a rigorous assessment by BDO, an independent auditor, which issued an official statement of their compliance. BDO reports that the security measures in both services, and their information systems and data processing facilities, comply at the high level with RD 3/2010 without requiring any corrective measures. Microsoft was the first hyperscale cloud service provider to receive this certification in Spain.
Microsoft in-scope cloud platforms & services
- Azure
- Microsoft 365 & Microsoft 365 for Education
- Dynamics 365
Microsoft 365 and ENS High
Microsoft 365 (Office 365) environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Microsoft 365 & Microsoft 365 for Education applicability and in-scope services
Use the following table to determine applicability for your Microsoft 365 and Microsoft 365 for Education services and subscription:
Applicability | In-scope services |
---|---|
Commercial | Microsoft Viva (includes Connections, Insights, Learning and Engage), Microsoft 365 (includes Word, Excel, PowerPoint, Outlook, Sharepoint, Exchange, OneNote, OneDrive, Microsoft Planner, Sway, Whiteboard, Delve, Microsoft Forms, Microsoft To Do and Windows), Microsoft Purview (includes Audit, Adaptative Protection, Communication Compliance, eDiscovery, Compliance Manager, Information Protection, Data Lifecycle Management, Insider Risk Management, Data Loss Prevention and Unified Data Governance aka Azure Purview), Microsoft Teams (includes Audio Conferencing and Phone System), Microsoft Outlook Web App, Microsoft Outlook Mobile, Microsoft Copilot for Microsoft 365, Copilot in Windows, Microsoft Copilot with commercial data protection, Microsoft Exchange Online Protection, Microsoft Defender XDR (includes Microsoft Defender for Endpoint, Microsoft Defender for Identity and Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Microsoft Intune |
Dynamics 365 and ENS High
Dynamics 365 applicability and in-scope services
Use the following table to determine applicability for your Dynamics 365 services and subscription:
Applicability | In-scope services |
---|---|
Commercial | Copilot Studio, Dynamics 365 Sales, Dynamics 365 Customer Insights Journey, Dynamics 365 Customer Insights Data, Dynamics 365 Finance, Dynamics 365 Supply Chain Management, Dynamics 365 Business Central, Dynamics 365 Customer Service (includes Omnichannel), Dynamics 365 Field Service (includes Remote Assist), Dynamics 365 Human Resources, Dynamics 365 Project Operations, Dynamics 365 Commerce, Dynamics 365 Fraud Protection, Dynamics 365 Customer Voice, Power Platform (includes Power BI, Power Apps, Power Automate and Power Pages), Copilot in Power Platform (includes Copilot for Power Apps, Copilot for Power Automate, Copilot for Power Pages and Copilot for Power BI), Copilot for Sales, Copilot for Service, Copilot for Finance, Copilot for Dynamics 365 |
Microsoft Azure and ENS High
Azure applicability and in-scope services
Use the following table to determine applicability for your Azure services and subscription:
Applicability | In-scope services |
---|---|
Commercial | Azure Confidential Computing, Microsoft Entra (includes Entra ID, Entra ID Governance, Entra External ID, Entra Domain Services, Entra Verified ID, Entra Permissions Management, Entra Workload ID, Entra Internet Access y Entra Private Access), Azure Site Recovery, Azure Virtual Network, Azure ExpressRoute, Azure Load Balancer, Azure Backup, Azure AI Services (includes Azure OpenAI, Azure Cognitive Search, Azure AI Vision, Azure AI Custom Vision, Azure AI Language, Azure AI Speech, Azure AI Translator, Azure AI Document Intelligence, Azure AI Bot Service, Azure AI Audio & Video, Azure AI Anomaly Detector, Azure AI Content Safety, Azure AI Personalizer, Azure AI Metrics Advisor y Azure AI Immersive Reader), Azure AI Studio (includes Azure OpenAI Studio, Azure Machine Learning Studio, Azure Language Studio, Azure Speech Studio, Azure Vision Studio, Azure Custom Translator Studio, Azure Document Intelligent Studio y Azure Content Safety Studio), Copilot for Azure, Azure SQL, Azure Cosmos DB, Azure SQL Database, Azure Database for PostgreSQL, Azure SQL Managed Instance, Azure Database for MySQL, Azure Cache for Redis, Azure Database for MariaDB, Azure Storage (includes Blob, Archive, Disk, File y Data Box), Azure Synapse Analytics |
Azure Databricks, Azure Data Factory, Azure HDInsight, Azure Analysis Services, Azure Data Lake, Azure Data Lake Analytics, Microsoft Fabric, Fabric Copilot, Power BI Embedded, Azure DevOps, Azure IoT Hub, Azure Event Hubs, Azure Log Analytics, Azure Monitor, Azure Key Vault (includes Standard, Premium y Managed HSM), Microsoft Sentinel, Microsoft Copilot for Security, Microsoft Defender for IoT, Microsoft Defender for Cloud, Microsoft Defender Cloud Security Posture Management, Microsoft Defender External Attack Surface Management (EASM), Azure DDOS Protection, Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall, Azure Application Gateway, Azure VPN Gateway, Azure Bastion, Azure Virtual Machines, Azure Kubernetes Service, Azure Container Instances, Azure Container Registry, Azure Containers Apps, Azure App Service, Azure Web Apps, Azure Logic Apps, Azure API Management, Azure Service Bus, Azure Event Grid, Azure VMWare Solution, Azure Virtual Desktop (AVD), Azure Arc |
Audits, reports, and certificates
The certification is valid for two years, with an annual surveillance audit.
Azure
- Azure National Security Framework (ENS) Certificate (Spanish)
- Azure National Security Framework (ENS) Audit Report (Spanish)
Microsoft 365 and Microsoft 365 for Education
- Microsoft 365 & Microsoft 365 for Education National Security Framework (ENS) Certificate (Spanish)
- Microsoft 365 & Microsoft 365 for Education National Security Framework (ENS) Audit Report (Spanish)
Dynamics 365
- Dynamics 365 National Security Framework (ENS) Certificate (Spanish)
- Dynamics 365 National Security Framework (ENS) Audit Report (Spanish)
Frequently asked questions
How can I get copies of the audit reports and certifications?
The Service Trust Portal provides the audit reports and certifications in both Spanish and English. Your auditors can use them to compare Microsoft cloud services results with your own legal and regulatory requirements.
Where do I start with my organization's own compliance effort?
If your organization is using Azure or Office 365, you can use ENS Microsoft audit reports and accreditation as part of your own accreditation process. However, you are responsible for engaging an auditor to evaluate your implementation for compliance, and for ensuring that the controls and processes within your own organization align with the framework.
Resources
- Esquema Nacional de Seguridad of Spain (Spanish and English)
- Microsoft Online Services Terms
- Compliance on the Microsoft Trust Center