ECP vs ENS (Spain): CyFun vs Spain's National Security Framework
ENS (Esquema Nacional de Seguridad) is Spain's mandatory national cybersecurity framework — Royal Decree 311/2022, owned by CCN (Centro Criptológico Nacional, part of Spain's intelligence service CNI), and mandatory for all Spanish public administrations and private entities providing ICT services to the public sector. Easy Cyber Protection is a CyFun audit-readiness platform for Belgian MSPs. Both operate in the cybersecurity compliance space, but for different countries, different enforcement authorities, and fundamentally different delivery models.
At a glance
| ENS (Spain) | Easy Cyber Protection / CyFun | |
|---|---|---|
| Owning authority | CCN — Centro Criptológico Nacional (part of CNI — Spain's national intelligence service) | CCB — Centre pour la Cybersécurité Belgique (ECP implements CyFun) |
| Year established / last updated | 2010 (RD 3/2010); major revision May 2022 (RD 311/2022) | CyFun 2025 (aligned with NIST CSF 2.0) |
| Legal status | Mandatory by law for Spanish public administrations + private ICT suppliers to the public sector | Operational — Belgium's CCB-issued NIS2 compliance path; audits running |
| Entity coverage | All Spanish public administrations (state, regional, local) + private entities providing ICT services to the public sector | Belgian entities registered under NIS2 (CCB portal) |
| Structure | 73 security measures in 4 groups (org.* / op.* / mp.*); 3 security levels (BASIC / MEDIUM / HIGH); 5 security dimensions | 4 tiers: Small, Basic, Important, Essential — each with YAML-implemented controls |
| Certification / assessment | ENAC-accredited audit bodies; mandatory for MEDIUM and HIGH systems; 2-year certificate validity | CAB audit by accredited body; ECP generates signed .ecpbundle.zip audit bundle |
| Compliance cost | BASIC: €12K–€25K; MEDIUM: €25K–€45K; HIGH: €100K+ (industry estimates); internal implementation 3–12 months | MSP charges client €100–400/month via ECP platform — absorbed into MSP service fee |
| MSP / portfolio model | No multi-tenant track — entity-level framework; private ICT suppliers must certify their own systems | Purpose-built for MSP portfolio delivery: partner dashboard, white-label, per-client management |
| NIS2 relationship | Complementary but not fully equivalent to NIS2 obligations; Spain's NIS2 transposition law pending parliament (mid-2026) | CyFun is Belgium's official NIS2 implementation path; CCB-issued |
| Geography | Spain (CCN jurisdiction) | Belgium-first; Ireland co-adopting CyFun as of 2026 |
Sources: RD 311/2022 (BOE), ens.ccn.cni.es, ccb.belgium.be. Last verified 2026-06-29.
Where ENS applies
- You supply ICT services (software, cloud, hosting, managed services) to Spanish public administrations — ENS certification is a mandatory pre-condition for public contracts
- You operate information systems within Spanish government bodies — every system handling public data must be categorised and certified against ENS
- You are a private company whose systems have been classified at MEDIUM or HIGH security level — ENAC-accredited external audit is mandatory
- You want to align with Spain's CCN-STIC security guides — CCN publishes 600+ technical guidelines that operationalise the 73 ENS measures
- You are bidding for Spanish public-sector ICT contracts — buyers require ENS compliance declarations from suppliers
Where ECP / CyFun applies
- Your clients are Belgian (or Irish) — CyFun is the CCB's official NIS2 compliance path, the one Belgian auditors and the CCB assess against
- You are a Belgian MSP and want to package CyFun audit-readiness as a repeatable service across your client portfolio — not a bespoke €25K–€45K ENS-style certification project per client
- You need NL / FR / EN materials with Belgian regulatory context (CCB alignment, VLAIO kmo-portefeuille leverage for Flemish clients)
- You want predictable MSP economics: one per-client fee by size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075), no monthly base, billed annually upfront
- Your clients need a CAB audit deliverable — ECP generates the signed .ecpbundle.zip that an accredited audit body accepts
The compliance cost comparison
This comparison is framework-vs-platform, not tool-vs-tool. ENS is a mandatory government framework — the cost is the certification project it requires. ECP is a platform that MSPs pay for and resell to clients. The numbers below illustrate what each path costs a typical Belgian SME via ECP versus a private ICT supplier certifying systems at ENS MEDIUM level.
ENS MEDIUM certification — Spanish private ICT supplier, mid-size system
- • ENS legal framework (RD 311/2022): free (official text via BOE)
- • MEDIUM-level system categorisation and gap analysis: typically €8K–€15K (consulting)
- • MEDIUM-level certification audit by ENAC-accredited body: €25K–€45K (industry estimates)
- • Annual surveillance audit: ~30–40% of initial certification cost per cycle
- • Internal implementation: 3–12 months of CISO or project manager time
- • 2-year certification cycle — recertification required every 2 years
ENS certification costs are industry estimates; actual quotes vary by system complexity, number of measures in scope, and auditor. CCN publishes no official cost figures. Suppliers must hold valid ENS certificates to maintain access to public contracts.
ECP / CyFun — Belgian SME via MSP (20-client portfolio, S-size avg)
- • Per-client (S-size, 100–999 entities): 20 × €75 = €1,500 / month
- • Total recurring ECP platform cost to MSP: €1,500 / month (billed annually upfront)
- • MSP charges SME client: €200 / month (suggested range €100–400)
- • Client's annual cost: €2,400 — vs €25K–€45K ENS MEDIUM certification
- • MSP revenue: 20 × €200 = €4,000 / month — gross margin ~€2,500 / month (~€30K / year)
Per-client fee by site size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075). No monthly base; billed annually upfront. Every client gets the full feature set including AI and integrations from day one.
Framework coverage overlap
ENS and CyFun address similar cybersecurity domains — both are government-issued frameworks derived from international standards (ISO 27001, NIST CSF). The difference is jurisdiction and target audience: ENS covers Spanish public sector systems; CyFun covers Belgian NIS2-registered entities. Control areas overlap but the certification paths are entirely separate.
| Control area | ENS (Spain) | CyFun / ECP |
|---|---|---|
| Governance & risk management | org.1–org.4 organisational measures; risk analysis mandatory for all security levels | CyFun Basic + Important includes governance controls; ECP wiki enforces policy ownership |
| Access control & identity | op.acc.* measures — 7 sub-measures including privilege management (op.acc.6) | CyFun PR.AC controls; ECP access register + evidence collection |
| Incident detection & response | op.mon.* monitoring + op.exp.* operational measures; CCN-CERT incident reporting pathway | CyFun DE.CM + RS controls; ECP incident log + CSIRT notification workflow |
| Supply chain / ecosystem | mp.s.* service protection measures; ICT suppliers must hold own ENS compliance | CyFun ID.SC; ECP vendor register template |
| Secure configuration & hardening | mp.eq.* equipment measures + CCN-STIC hardening guides (600+ technical guides) | CyFun PR.IP controls in Basic and above |
| Security monitoring (SOC/SIEM) | op.mon.* measures; HIGH systems require continuous monitoring | CyFun DE.CM; included in Important / Essential tiers |
| ISO 27001 relationship | ENS aligns with ISO 27001 principles; CCN publishes crosswalk guides (CCN-STIC 825) | Overlap significant; dedicated ISO 27001 support planned but not yet shipped |
| NIS2 Article 21 compliance | Complementary but not fully equivalent — Spain's NIS2 transposition law still pending parliament | Yes — CyFun is Belgium's implementation of Article 21; CCB-issued |
Sources: RD 311/2022 Annex II; CCN ENS documentation (ens.ccn.cni.es); CCB CyFun 2025. Mapping is indicative — actual gap analysis requires professional assessment.
Common questions
Does ENS compliance satisfy NIS2 in Belgium?
No. ENS is Spain's national information security framework for public sector systems, enforced by CCN. Belgium's NIS2 compliance path is CyFun, issued by the CCB. A Belgian entity audited by a Belgian CAB body is assessed against CyFun, not ENS. The two frameworks overlap in control philosophy (both draw from ISO 27001 and NIST CSF) but serve different legal regimes in different countries. Belgium does not recognise ENS certification for NIS2 compliance purposes.
Can ECP help Spanish entities comply with ENS?
Not natively. ECP implements CyFun (the Belgian CCB framework). The control areas overlap — ENS measures and CyFun controls both derive from ISO 27001 / NIST CSF foundations — but ECP does not generate CCN-ready compliance documentation or the ENS compliance declarations required for Spanish public contracts. A Spanish entity using ECP would get a strong head start on the underlying control work, but would still need ENAC-accredited auditors and CCN-specific documentation for formal ENS certification.
Why is ENS certification so much more expensive than CyFun via ECP?
Different models. ENS is a government compliance framework that sets obligations and requires ENAC-accredited external auditors for MEDIUM and HIGH systems. Certification requires hiring auditors, running gap analyses, implementing 73 measures, and maintaining documentation per CCN-STIC guides — which explains the €25K–€45K typical cost for MEDIUM systems. ECP packages CyFun compliance into a guided platform with policy templates, evidence collection, and audit bundles — the MSP delivers this as a monthly service rather than a project. The platform absorbs the complexity; the per-client cost drops dramatically.
Why is Spain's NIS2 transposition still pending in 2026?
Spain missed the EU NIS2 transposition deadline (October 17, 2024). The Spanish Council of Ministers approved a draft NIS2 transposition law in January 2025, but as of mid-2026 it remains under parliamentary review. CCN has indicated ENS compliance will provide a strong basis for NIS2 compliance for public sector entities, but the exact legal relationship between ENS certification and NIS2 obligations is still to be defined once the transposition law passes.
Deliver CyFun audit-readiness to your Belgian clients
If you are a Belgian MSP, CyFun — not ENS — is the compliance path your clients need. ECP packages it as a monthly MSP service: guided workflows, evidence collection, white-label reports, and a signed audit bundle your CAB auditor accepts.
Related
Fact check
| Claim | Source | Accessed |
|---|---|---|
| ENS established by RD 3/2010; updated by Royal Decree 311/2022, 3 May 2022 | BOE — Boletín Oficial del Estado, RD 311/2022 | 2026-06-29 |
| CCN — Centro Criptológico Nacional is the ENS governance authority, part of CNI | CCN official site | 2026-06-29 |
| 73 security measures in 4 groups (org.* / op.* / mp.*); 3 security levels (BASIC / MEDIUM / HIGH); 5 security dimensions | RD 311/2022 Annex II + ens.ccn.cni.es | 2026-06-29 |
| Mandatory for all Spanish public administrations + private ICT suppliers to public sector | RD 311/2022 Article 2 (scope) | 2026-06-29 |
| ENAC-accredited bodies perform ENS audits; mandatory for MEDIUM/HIGH; 2-year certificate validity | CCN ENS certification information | 2026-06-29 |
| ENS cert costs: BASIC €12K–€25K; MEDIUM €25K–€45K; HIGH €100K+ (industry estimates) | Industry estimates — Delbion ENS certification guide | 2026-06-29 |
| Spain's NIS2 transposition draft approved by Council of Ministers January 2025; pending parliament as of mid-2026 | NIS2 Directive transposition tracker — Spain | 2026-06-29 |
| ENS compliance is complementary to but not fully equivalent to NIS2 obligations | ENS and NIS2 analysis — eIPosgrados cybersecurity blog | 2026-06-29 |
| ECP pricing: per-client by site size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075), no monthly base, billed annually | ECP ADR-0035 per-client-only pricing | 2026-06-29 |
| CyFun is Belgium's official NIS2 compliance path, CCB-issued | CCB Centre pour la Cybersécurité Belgique | 2026-06-29 |