Dokuflex is a document management system aligned with the requirements of Spain's National Security Framework (ENS) Medium level, ISO 27001 and GDPR. Built for Spanish public administrations, healthcare, energy and banking. Data encrypted inside the EU, full access auditing and document traceability ready for any public tender or inspection.
The Esquema Nacional de Seguridad (ENS), Spain's National Security Framework, is the regulatory framework that defines the minimum security principles and requirements for the information systems of Spanish public administrations and the private providers that serve them. It is governed by Royal Decree 311/2022 of 3 May, which replaces the former RD 3/2010 and aligns its controls with ISO/IEC 27001 and the EU NIS Directive (Directive (EU) 2016/1148, transposed in Spain by RDL 12/2018); NIS2 was adopted later in 2022 and postdates the decree.
The ENS classifies systems into three levels depending on the impact a security failure would have on the confidentiality, integrity, availability, authenticity and traceability of the service: Low (limited harm), Medium (serious harm) and High (very serious harm). Each level adds controls on top of the previous one.
The ENS is mandatory for every Spanish public administration (central, regional and local), their dependent bodies and the technology providers whose systems support their services. Spain's NIS transposition (RDL 12/2018, developed by RD 43/2021) additionally refers operators of essential services and digital service providers that belong to the public sector to the ENS as their security baseline.
If your organisation is a Spanish public administration or a supplier signing contracts with one, ENS compliance is not optional. Article 156 of Law 40/2015 on the Public Sector Legal Regime makes the ENS binding on public bodies, and Law 9/2017 on Public Sector Contracts (LCSP) requires bidders to evidence technical solvency and the means they commit to the contract (arts. 74 ff. and 76 LCSP). In practice, public-tender specifications routinely set ENS Medium as the minimum required level.
Beyond mandatory use in the public sector, an ENS-aligned DMS is strongly recommended in regulated private sectors, chiefly healthcare, energy and banking, where sector regulators and corporate buyers demand equivalent levels of security. The deployment profiles below cover each of them.
A document management system without ENS alignment effectively rules you out of any relevant Spanish public tender. Laws 39/2015 (electronic administrative procedure) and 40/2015 (public sector legal regime) require public bodies to run their electronic records and archives under the ENS, and where the documents contain personal data, inadequate security measures are also a GDPR failure (art. 32) subject to enforcement under the GDPR and its Spanish implementing law (LOPDGDD 3/2018).
Dokuflex is aligned with the technical and organisational requirements of ENS Medium set out in Annex II of Royal Decree 311/2022. This means the platform implements the controls required for systems classified as Medium across the five dimensions (confidentiality, integrity, availability, authenticity and traceability). The compliance team delivers the statement of applicability and the CCN-STIC control matrix as part of the technical bid for every deployment.
Data at rest encrypted with AES-256-GCM. Traffic over TLS 1.3 only, which restricts the handshake to AEAD cipher suites. Encryption keys are rotated on a schedule and segregated per environment, so a key compromise in one environment does not expose another.
Granular RBAC by user, group, case file and field. MFA enforced for privileged roles. SAML / OIDC federation with Active Directory, Microsoft Entra ID (formerly Azure AD) and the Spanish Cl@ve identity service.
Every access, download, modification and deletion is recorded in an append-only, tamper-evident log with a qualified time-stamp, so entries can be neither altered nor silently removed after the fact. Exportable for inspections.
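As an added illustration of what "tamper-evident" means in practice (example code written for this page, not Dokuflex's own implementation), the following Go program hash-chains audit entries so that editing or removing any record breaks the chain. The entry layout, the field names and the idea of checkpointing the head hash to a time-stamping authority are assumptions for the example; the qualified time-stamp itself is obtained outside this code.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditEntry is one record of an append-only, hash-chained trail. Every entry
// commits to the whole history before it through PrevHash.
type AuditEntry struct {
	Seq      int
	At       time.Time // UTC clock time; see Head for where a qualified time-stamp goes
	Actor    string
	Action   string // read, download, modify, delete
	DocID    string
	PrevHash string // hex SHA-256 of the previous entry, "" for the first one
	Hash     string
}

// canonical serialises the covered fields with a length prefix each, so no
// two field combinations produce the same bytes (no "ab"+"c" vs "a"+"bc").
func canonical(e AuditEntry) string {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano),
		e.Actor, e.Action, e.DocID, e.PrevHash} {
		fmt.Fprintf(&b, "%d:%s|", len(f), f)
	}
	return b.String()
}

func entryHash(e AuditEntry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// AuditLog is the in-memory trail; the real store would be append-only media
// or a WORM bucket (an assumption of this example, not something the page specifies).
type AuditLog struct{ entries []AuditEntry }

func (l *AuditLog) Entries() []AuditEntry { return l.entries }

// Append links the new entry to the previous one and seals it.
func (l *AuditLog) Append(at time.Time, actor, action, docID string) AuditEntry {
	e := AuditEntry{Seq: len(l.entries), At: at, Actor: actor, Action: action, DocID: docID}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Head is the value to anchor externally: the hash of the last entry. Submitting
// it to a qualified time-stamping authority (RFC 3161) at each checkpoint proves
// the trail existed in this state at that time and makes later truncation visible.
func Head(entries []AuditEntry) string {
	if len(entries) == 0 {
		return ""
	}
	return entries[len(entries)-1].Hash
}

// Verify recomputes every hash and link. It returns the index of the first
// entry that breaks the chain, or -1 if the trail is intact. A chain that
// verifies but whose Head differs from the last anchored head has been truncated.
func Verify(entries []AuditEntry) (int, error) {
	prev := ""
	for i, e := range entries {
		switch {
		case e.Seq != i:
			return i, errors.New("sequence gap: entry removed or reordered")
		case e.PrevHash != prev:
			return i, errors.New("link to previous entry broken")
		case entryHash(e) != e.Hash:
			return i, errors.New("entry content does not match its hash")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var l AuditLog
	t0 := time.Date(2024, 5, 3, 10, 0, 0, 0, time.UTC) // constructed sample data
	l.Append(t0, "alice", "read", "doc-1")
	l.Append(t0.Add(time.Minute), "bob", "download", "doc-1")
	tampered := append([]AuditEntry(nil), l.Entries()...)
	tampered[0].Actor = "mallory" // rewrite history without recomputing the hash
	i, err := Verify(tampered)
	fmt.Println(i, err) // 0 entry content does not match its hash
}
```

Verify catches modification or removal of any entry except trailing ones: a trail simply cut short still verifies. That is why the head hash is what gets time-stamped at each checkpoint; comparing Head against the last anchored value exposes truncation, and an attacker who rewrites an entry and then recomputes every later hash is caught the same way.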
Retention policies configurable per document type and organisational unit. Secure deletion at the end of the lifecycle by cryptographic erasure: the document's encryption key is destroyed, which renders every copy of the ciphertext, including backups, unrecoverable.
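The encryption-at-rest and secure-deletion controls described in this section fit together as envelope encryption. The Go example below is added for this page and is not Dokuflex's code: each document gets its own data-encryption key (DEK) under AES-256-GCM, the DEK is wrapped by a per-environment key-encryption key (KEK), and deletion destroys the wrapped DEK. The function names and the in-memory KEK are assumptions; a real deployment keeps the KEK in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// aesGCM returns an AES-GCM AEAD; a 32-byte key selects AES-256.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a random 96-bit nonce and binds aad (the document id) so a
// ciphertext cannot be moved to another document. One DEK per document keeps random nonces far from GCM's per-key limit.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails closed: tampering, a wrong key or a wrong aad is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("truncated ciphertext")
}

// RandomKey draws a fresh 256-bit key, used for the KEK and for each DEK.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// StoredDoc is what the object store, and every backup of it, keeps.
type StoredDoc struct {
	ID         string
	WrappedDEK []byte // DEK sealed under the KEK; nil once erased
	Ciphertext []byte
}

// Store is envelope encryption: a fresh DEK for the body, the DEK wrapped by
// the environment's KEK. Assumption: in production the KEK lives in an HSM or
// KMS; rotating it means re-wrapping DEKs, never re-encrypting bodies.
func Store(kek []byte, id string, plaintext []byte) (*StoredDoc, error) {
	dek, err := RandomKey()
	if err != nil {
		return nil, err
	}
	body, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &StoredDoc{ID: id, WrappedDEK: wrapped, Ciphertext: body}, nil
}

// Read unwraps the DEK and decrypts the body. An erased document fails here
// even though its ciphertext is still on disk.
func Read(kek []byte, d *StoredDoc) ([]byte, error) {
	if d.WrappedDEK == nil {
		return nil, errors.New("key destroyed: document was cryptographically erased")
	}
	dek, err := open(kek, d.WrappedDEK, []byte(d.ID))
	if err != nil {
		return nil, err
	}
	return open(dek, d.Ciphertext, []byte(d.ID))
}

// Shred is the erasure step: zero and drop the wrapped DEK, the only path to the body.
// The ciphertext and its backup copies stay but are now permanently unreadable.
func Shred(d *StoredDoc) {
	for i := range d.WrappedDEK {
		d.WrappedDEK[i] = 0
	}
	d.WrappedDEK = nil
}
```

Because only the wrapped DEK changes when the KEK is rotated, rotation means re-wrapping keys, not re-encrypting the archive. The flip side for backups: the ciphertext can stay in every replica, but a backup that also holds the wrapped DEK keeps the document recoverable, so erasure has to reach the key store's backups too. Zeroing the slice is best effort in Go (the runtime may have copied it); the KMS-side destruction is what carries the guarantee.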
Encrypted backups with geo-redundant replication across EU regions. Quarterly recovery drills. RPO and RTO documented in the SLA.
Incident handling and CCN-CERT notification procedure aligned with the CCN-STIC 817 guide. Response plan and personal-data breach notification to the supervisory authority within the 72-hour GDPR timeframe (art. 33).
The Spanish National Cryptologic Centre (CCN) publishes the CCN-STIC guides, which describe technically how to apply the ENS. Three of them are especially relevant for a document management system:
CCN-STIC 803 (system valuation): the methodology to classify the system as Low, Medium or High based on the impact across the five security dimensions. Dokuflex supports the customer through this valuation and delivers the categorisation applicable to the specific deployment.
CCN-STIC 808 (verification of compliance): the checklist used by the external auditor to validate that every control in Annex II of the ENS is implemented. Dokuflex delivers evidence (logs, configurations, policies, screenshots) in an auditable format.
CCN-STIC 850 (product profiles): defines specific security profiles for common product categories (email, document management, electronic signature). Dokuflex maps its catalogue of applicability to the corresponding control matrix.
The ENS does not live in isolation. Organisations operating in Spain typically work under three overlapping frameworks, the ENS, ISO/IEC 27001 and the GDPR, each with a specific scope:
All three frameworks share the same underlying controls (encryption, access, audit, incident management) but answer different questions: ENS asks "can I deliver this public service with guarantees?"; ISO 27001 asks "do I manage security systematically?"; the GDPR asks "do I respect the rights of data subjects?".
Dokuflex is aligned with all three and allows you to map controls once, reducing the cost of maintaining three separate statements of applicability.
Dokuflex is deployed in four profiles where ENS, ISO 27001 and GDPR compliance is a non-negotiable condition.
Public administration: digital administrative case files, electronic registry, public procurement, definitive archive. Compliance with Laws 39/2015 and 40/2015; integration with SIR (Sistema de Interconexión de Registros), notification platforms and the single electronic archive.
Healthcare: electronic health records, informed consents, lab-test management and consent transfer to research. Special-category data (art. 9 GDPR) with reinforced encryption, clinical role segregation and full audit per care episode.
Energy: critical supply contracts, CNMC regulatory documentation, capex files subject to sector audit. Compliance with the NIS2 Directive and the Critical Infrastructure Protection Law 8/2011, with document traceability for European regulators.
Banking: KYC, regulated client files (Bank of Spain, CNMV, SEPBLAC), mortgage and financing contracts. DORA compliance, anti-money-laundering obligations and document retention for the legally applicable terms.
Law 9/2017 on Public Sector Contracts (LCSP) requires bidders to evidence technical solvency (arts. 74 ff.) and to commit the means they will dedicate to the contract (art. 76), documentation the contracting authority checks before award. When the contract involves processing information for public administrations, the technical specifications explicitly require the bidder to operate with means aligned with the ENS, usually at the Medium level.
In practice, technical specifications (PPT, Pliego de Prescripciones Técnicas) commonly include clauses such as:
"The document management system shall meet the requirements of Spain's National Security Framework at Medium level (RD 311/2022) and provide measures for encryption, access control, audit logging and secure deletion, with data located within the European Economic Area."
Dokuflex helps the bidder meet the specification with the technical bid, the statement of applicability, the CCN-STIC control matrix and verifiable evidence on encryption, access control, audit logging and secure deletion.
If you have an ongoing tender, the compliance team delivers the dossier within 48 business hours.
The ENS audit is a periodic process (at least every two years for Medium and High systems) that verifies the system maintains the controls assigned to its level. It is conducted by a certification body accredited by ENAC, following the CCN-STIC 808 guide. The standard procedure has five phases:
1) Categorisation. CCN-STIC 803 is applied to classify the system as Low, Medium or High across the five security dimensions. The outcome drives the applicable control matrix.
2) Statement of applicability. The system owner documents which Annex II controls apply, how they are implemented and which exceptions exist. This document is the basis for the rest of the audit.
3) Documentary review. The auditor reviews policies, procedures, technical configurations, logs and evidence, applies the CCN-STIC 808 checklist and requests screenshots, records and functional tests.
4) Fieldwork. The auditor interviews the system owner, the information security officer and administrators, runs access-control and backup-recovery tests and reviews historical incidents.
5) Report. The final report lists findings (conformities, minor and major non-conformities) and, where applicable, issues the declaration of compliance. Non-conformities require a corrective action plan with deadlines.
Dokuflex supports its customers throughout the process by delivering technical evidence (logs, configurations, screenshots), the platform's statement of applicability, and direct assistance to the auditor during functional tests on the product.
Dokuflex is aligned with the technical and organisational requirements of ENS Medium defined in RD 311/2022, ISO 27001 and GDPR. Formal ENS Medium certification is an external audit process carried out by an ENAC-accredited body; when it is in progress or applies to a specific deployment we state it explicitly in the technical bid. As a matter of transparency, we do not claim certification where only alignment exists.
Yes. Dokuflex has been deployed under public tender specifications that require measures aligned with ENS Medium (RD 311/2022, within the solvency requirements of the LCSP). The compliance team delivers the technical bid, statement of applicability, CCN-STIC control matrix and evidence on encryption, access control, audit log and secure deletion required by the contracting authority.
RD 311/2022 defines three levels based on the impact of a security failure on the service: Low (limited harm), Medium (serious harm) and High (very serious or critical harm). Each level adds controls on top of the previous one. ENS Medium typically applies to most document management services run by Spanish public administrations and regulated industries handling sensitive data.
Check five things: 1) an ENS statement of applicability signed by the vendor, 2) data encryption at rest (AES-256) and in transit (TLS 1.3), 3) role-based access control and an auditable log of every access, 4) a documented retention and secure deletion policy, 5) physical location of data inside the EU and the CCN-STIC 803/808/850 control matrix. Ask for verifiable evidence, not generic statements.
Special-category data (health, biometric, racial or ethnic origin, political opinions, etc.) require reinforced protection under art. 9 and art. 32 GDPR: encryption, pseudonymisation, strict access control and a complete record of processing activities (art. 30). Dokuflex applies AES-256 encryption, granular role-based access, tamper-evident logs and retention policies configurable per document type to cover the processing of these data.
Yes. Backups are stored encrypted (AES-256) in data centres located within the European Union, with intra-EU georedundant replication. There are no international transfers outside the EEA, which avoids the risks of transfers to countries without an adequacy decision under Chapter V of the GDPR.
Information for guidance only, prepared by the Dokuflex Compliance Team. For specific cases consult your legal counsel or the competent authority.
Book a demo with the Dokuflex compliance team or download the ENS Medium technical bid ready to submit to the contracting authority.