GRC Consulting
We advise organisations on compliance with the cybersecurity regulations and standards that apply in Spain: ENS, NIS2 and ISO 27001. No intermediaries: senior CISO expertise applied directly to your case.
National Security Framework (ENS)
Royal Decree 311/2022 — mandatory for public administrations and their suppliers
Who it applies to
The ENS is mandatory for all Spanish public administrations and private suppliers that handle public administration information systems or provide technology services to public entities.
This includes local councils, county councils, provincial governments, regional bodies and any company wishing to contract with the administration in ICT areas.
Security levels
- Basic — systems with limited impact in case of compromise
- Medium — systems with considerable impact
- High — systems with serious or very serious impact
The category is determined by valuing the information handled and the services provided by each system in each of the five security dimensions (confidentiality, integrity, availability, authenticity and traceability). The system takes the highest level assigned to any of its dimensions, and that category decides which of the Annex II measures apply to it.
Our process
- GAP analysis — review of the current state against the 73 ENS framework controls
- Categorisation — determination of the security level of systems
- Adequacy plan — prioritised measures to achieve compliance within the established timeframe
- Implementation — support in deploying technical and organisational measures
- Statement of applicability — document recording applied measures and justification for excluded ones
- Audit preparation — pre-audit review and support throughout the conformity process: certification audit for medium and high category systems, self-assessment for basic category systems
NIS2 Directive
EU Directive 2022/2555 — the EU transposition deadline was 17 October 2024; the Spanish transposing law is still pending and is expected to apply from 2026
Who it applies to
NIS2 affects essential and important entities in the sectors listed in Annexes I and II of the Directive: energy, transport, banking, digital infrastructure, healthcare, food, manufacturing, digital services and others.
The size criterion is key: organisations in the listed sectors with 50 or more employees, or with annual turnover or balance sheet total above €10M. Some entities are in scope regardless of size, including central government public administration entities and providers of services such as DNS, top-level domain name registries, public electronic communications and trust services.
Penalties
- Essential entity: up to €10M or 2% of total worldwide annual turnover, whichever is higher
- Important entity: up to €7M or 1.4% of total worldwide annual turnover, whichever is higher
- Management bodies must approve and oversee the risk-management measures and can be held personally liable for infringements (Art. 20); for essential entities, authorities can also temporarily bar executives from managerial functions until the entity remedies the breach (Art. 32)
Our process
- Applicability assessment — we determine whether your organisation is an essential or important entity, or falls outside scope
- Gap analysis — review of the 10 mandatory measures under Art. 21 of the Directive
- Measures plan — prioritised actions with owners and deadlines
- Implementation — technical and organisational support in deployment
- Notification and registration — support in registering with the competent authority and in setting up the incident notification process required by Art. 23 (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month)
- Ongoing review — NIS2 is not a one-off project, it is a permanent management obligation
ISO 27001
International standard for information security management systems (ISMS)
Who it applies to
ISO 27001 is not required by law, but is increasingly demanded by corporate clients, in public tenders and as a supply chain requirement.
Any organisation, regardless of size or sector, can implement an ISMS and obtain certification from an accredited body. Certification demonstrates that security management is systematic, audited and continuously improved.
For SMEs
The standard lets you choose the scope: you can certify a specific service, a system or the entire organisation, so there is no need to do it all at once. Whatever scope you choose must be documented and must account for the interfaces and dependencies with what lies outside it.
Our process
- GAP analysis — review of the current state against the mandatory clauses 4 to 10 of ISO/IEC 27001:2022 and the 93 controls in its Annex A
- Scope definition — delimitation of the ISMS: systems, processes and assets included
- Risk analysis — identification, assessment and treatment of security risks
- Statement of applicability (SoA) — document justifying the inclusion or exclusion of each control
- Control implementation — technical and organisational measures from the treatment plan
- Internal audit — pre-certification review to detect gaps
- Certification audit support — accompaniment during the certification body's audit
First conversation at no cost
Tell us your situation: a pending audit, a tender that requires compliance, or simply wanting to know where to start. In 30 minutes you will have clear guidance.
Let's talk