Updates on Spanish ENS for public procurement: new PCE for the health sector

The deadline for full adaptation of suppliers to the National Security Scheme (NSS) of Spanish public administrations is approaching. The PEC for the Health Sector has just been announced. However, it is not only necessary to obtain the corresponding authorisations/declarations, but also to have the entire architecture of the supplier enabled in order to be awarded contracts or to be able to execute the service or supply that is awarded.

1. The National Security Framework or System (hereinafter referred to as the "ENS") consists of the basic principles and minimum requirements necessary for adequate protection of the information submitted by the private sector that provides services or solutions to public sector entities for the exercise of their administrative powers and competencies.

Its purpose is to ensure access, confidentiality, integrity, traceability, authenticity, availability, and preservation of data, information, and services used electronically in the exercise of their competencies.

The Spanish ENS is currently regulated by Royal Decree 311/2022 of May 3, which updates the first version of the ENS approved in 2010, adapting it to legislative changes since its initial version (GDPR and new European and cybersecurity regulations). In its new version, the ENS stipulates that by May 4, 2024, both the public and private sectors must achieve full compliance with the ENS. This obligation also extends to contractors' supply chains, to the extent necessary and in accordance with the results of the corresponding risk analysis.

2. Full compliance with the ENS will be evidenced by the display of the corresponding conformity badge established by the administrative or technical specifications, which will require the submission of Declarations or Certifications of Conformity with the ENS, depending on whether the information systems are categorized as BASIC (requiring only self-assessment) or MEDIUM OR HIGH (in which case they will require a biannual formal audit conducted by qualified personnel independent of the service/system being audited), in accordance with the documentary models contained in the Security Technical Instruction of October 13, 2016.

It is important to remember that such classification must be proportional to the nature of the information handled, the services provided, and the risks to which they are exposed, and must be justified in the administrative documentation of the tendering process. Seeking precisely that proportionality, a new CCN-STIC 891 Guide on Specific Compliance Profile (PCE) for Healthcare and Patient Care (Primary Care and Specialized Care) has been published this month. This document aims to facilitate compliance with the ENS in this sector, including a set of security measures, whether or not included in Royal Decree 311/2022, but which, after the mandatory risk analysis, are applicable in this area and ensure a minimum level of security.

3. Finally, it is important to note, as indicated by administrative contract tribunals, that compliance with the ENS cannot be substituted by the classification as a service contractor, as it is not a solvency requirement, but rather a characteristic that the product or service in question must meet, although it can also be configured as a contract execution condition (but not for its award). There arises a doubt as to whether from that date onwards, a future commitment to having one or the other would suffice, in case of becoming a contractor and in the execution of the contract, a circumstance which they consider as a more competitive option than the requirement of accreditation in the offer itself, and therefore more convenient, provided it is suitable for the object of the contract and the concurrent circumstances are considered. Some reports from the Consultative Board support this possibility if it is a condition of execution, a possibility that must be recalibrated in light of the end of the transitional period on May 4.
4. At Fieldfisher, we provide legal compliance advice on these requirements from the perspective of public procurement, and through our Tech&Data team, in collaboration with information systems auditors with extensive experience in the field, we assist organizations at all stages of implementing Information Security Management Systems based on market standards, including the ENS (Gap Analysis, implementation, auditing, and certification support).