IT Partner? See how to deliver NIS2 audit-readiness

View partner offer →
By · Founder, Easy Cyber Protection · · How we write this

ECP vs ENS (Spain): CyFun vs Spain's National Security Framework

ENS (Esquema Nacional de Seguridad) is Spain's mandatory national cybersecurity framework — Royal Decree 311/2022, owned by CCN (Centro Criptológico Nacional, part of Spain's intelligence service CNI), and mandatory for all Spanish public administrations and private entities providing ICT services to the public sector. Easy Cyber Protection is a CyFun audit-readiness platform for Belgian MSPs. Both operate in the cybersecurity compliance space, but for different countries, different enforcement authorities, and fundamentally different delivery models.

At a glance

ENS (Spain) Easy Cyber Protection / CyFun
Owning authority CCN — Centro Criptológico Nacional (part of CNI — Spain's national intelligence service) CCB — Centre pour la Cybersécurité Belgique (ECP implements CyFun)
Year established / last updated 2010 (RD 3/2010); major revision May 2022 (RD 311/2022) CyFun 2025 (aligned with NIST CSF 2.0)
Legal status Mandatory by law for Spanish public administrations + private ICT suppliers to the public sector Operational — Belgium's CCB-issued NIS2 compliance path; audits running
Entity coverage All Spanish public administrations (state, regional, local) + private entities providing ICT services to the public sector Belgian entities registered under NIS2 (CCB portal)
Structure 73 security measures in 4 groups (org.* / op.* / mp.*); 3 security levels (BASIC / MEDIUM / HIGH); 5 security dimensions 4 tiers: Small, Basic, Important, Essential — each with YAML-implemented controls
Certification / assessment ENAC-accredited audit bodies; mandatory for MEDIUM and HIGH systems; 2-year certificate validity CAB audit by accredited body; ECP generates signed .ecpbundle.zip audit bundle
Compliance cost BASIC: €12K–€25K; MEDIUM: €25K–€45K; HIGH: €100K+ (industry estimates); internal implementation 3–12 months MSP charges client €100–400/month via ECP platform — absorbed into MSP service fee
MSP / portfolio model No multi-tenant track — entity-level framework; private ICT suppliers must certify their own systems Purpose-built for MSP portfolio delivery: partner dashboard, white-label, per-client management
NIS2 relationship Complementary but not fully equivalent to NIS2 obligations; Spain's NIS2 transposition law pending parliament (mid-2026) CyFun is Belgium's official NIS2 implementation path; CCB-issued
Geography Spain (CCN jurisdiction) Belgium-first; Ireland co-adopting CyFun as of 2026

Sources: RD 311/2022 (BOE), ens.ccn.cni.es, ccb.belgium.be. Last verified 2026-06-29.

Where ENS applies

  • You supply ICT services (software, cloud, hosting, managed services) to Spanish public administrations — ENS certification is a mandatory pre-condition for public contracts
  • You operate information systems within Spanish government bodies — every system handling public data must be categorised and certified against ENS
  • You are a private company whose systems have been classified at MEDIUM or HIGH security level — ENAC-accredited external audit is mandatory
  • You want to align with Spain's CCN-STIC security guides — CCN publishes 600+ technical guidelines that operationalise the 73 ENS measures
  • You are bidding for Spanish public-sector ICT contracts — buyers require ENS compliance declarations from suppliers

Where ECP / CyFun applies

  • Your clients are Belgian (or Irish) — CyFun is the CCB's official NIS2 compliance path, the one Belgian auditors and the CCB assess against
  • You are a Belgian MSP and want to package CyFun audit-readiness as a repeatable service across your client portfolio — not a bespoke €25K–€45K ENS-style certification project per client
  • You need NL / FR / EN materials with Belgian regulatory context (CCB alignment, VLAIO kmo-portefeuille leverage for Flemish clients)
  • You want predictable MSP economics: one per-client fee by size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075), no monthly base, billed annually upfront
  • Your clients need a CAB audit deliverable — ECP generates the signed .ecpbundle.zip that an accredited audit body accepts

The compliance cost comparison

This comparison is framework-vs-platform, not tool-vs-tool. ENS is a mandatory government framework — the cost is the certification project it requires. ECP is a platform that MSPs pay for and resell to clients. The numbers below illustrate what each path costs a typical Belgian SME via ECP versus a private ICT supplier certifying systems at ENS MEDIUM level.

ENS MEDIUM certification — Spanish private ICT supplier, mid-size system

  • • ENS legal framework (RD 311/2022): free (official text via BOE)
  • • MEDIUM-level system categorisation and gap analysis: typically €8K–€15K (consulting)
  • • MEDIUM-level certification audit by ENAC-accredited body: €25K–€45K (industry estimates)
  • • Annual surveillance audit: ~30–40% of initial certification cost per cycle
  • • Internal implementation: 3–12 months of CISO or project manager time
  • • 2-year certification cycle — recertification required every 2 years

ENS certification costs are industry estimates; actual quotes vary by system complexity, number of measures in scope, and auditor. CCN publishes no official cost figures. Suppliers must hold valid ENS certificates to maintain access to public contracts.

ECP / CyFun — Belgian SME via MSP (20-client portfolio, S-size avg)

  • • Per-client (S-size, 100–999 entities): 20 × €75 = €1,500 / month
  • • Total recurring ECP platform cost to MSP: €1,500 / month (billed annually upfront)
  • • MSP charges SME client: €200 / month (suggested range €100–400)
  • • Client's annual cost: €2,400 — vs €25K–€45K ENS MEDIUM certification
  • • MSP revenue: 20 × €200 = €4,000 / month — gross margin ~€2,500 / month (~€30K / year)

Per-client fee by site size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075). No monthly base; billed annually upfront. Every client gets the full feature set including AI and integrations from day one.

Framework coverage overlap

ENS and CyFun address similar cybersecurity domains — both are government-issued frameworks derived from international standards (ISO 27001, NIST CSF). The difference is jurisdiction and target audience: ENS covers Spanish public sector systems; CyFun covers Belgian NIS2-registered entities. Control areas overlap but the certification paths are entirely separate.

Control area ENS (Spain) CyFun / ECP
Governance & risk management org.1–org.4 organisational measures; risk analysis mandatory for all security levels CyFun Basic + Important includes governance controls; ECP wiki enforces policy ownership
Access control & identity op.acc.* measures — 7 sub-measures including privilege management (op.acc.6) CyFun PR.AC controls; ECP access register + evidence collection
Incident detection & response op.mon.* monitoring + op.exp.* operational measures; CCN-CERT incident reporting pathway CyFun DE.CM + RS controls; ECP incident log + CSIRT notification workflow
Supply chain / ecosystem mp.s.* service protection measures; ICT suppliers must hold own ENS compliance CyFun ID.SC; ECP vendor register template
Secure configuration & hardening mp.eq.* equipment measures + CCN-STIC hardening guides (600+ technical guides) CyFun PR.IP controls in Basic and above
Security monitoring (SOC/SIEM) op.mon.* measures; HIGH systems require continuous monitoring CyFun DE.CM; included in Important / Essential tiers
ISO 27001 relationship ENS aligns with ISO 27001 principles; CCN publishes crosswalk guides (CCN-STIC 825) Overlap significant; dedicated ISO 27001 support planned but not yet shipped
NIS2 Article 21 compliance Complementary but not fully equivalent — Spain's NIS2 transposition law still pending parliament Yes — CyFun is Belgium's implementation of Article 21; CCB-issued

Sources: RD 311/2022 Annex II; CCN ENS documentation (ens.ccn.cni.es); CCB CyFun 2025. Mapping is indicative — actual gap analysis requires professional assessment.

Common questions

Does ENS compliance satisfy NIS2 in Belgium?

No. ENS is Spain's national information security framework for public sector systems, enforced by CCN. Belgium's NIS2 compliance path is CyFun, issued by the CCB. A Belgian entity audited by a Belgian CAB body is assessed against CyFun, not ENS. The two frameworks overlap in control philosophy (both draw from ISO 27001 and NIST CSF) but serve different legal regimes in different countries. Belgium does not recognise ENS certification for NIS2 compliance purposes.

Can ECP help Spanish entities comply with ENS?

Not natively. ECP implements CyFun (the Belgian CCB framework). The control areas overlap — ENS measures and CyFun controls both derive from ISO 27001 / NIST CSF foundations — but ECP does not generate CCN-ready compliance documentation or the ENS compliance declarations required for Spanish public contracts. A Spanish entity using ECP would get a strong head start on the underlying control work, but would still need ENAC-accredited auditors and CCN-specific documentation for formal ENS certification.

Why is ENS certification so much more expensive than CyFun via ECP?

Different models. ENS is a government compliance framework that sets obligations and requires ENAC-accredited external auditors for MEDIUM and HIGH systems. Certification requires hiring auditors, running gap analyses, implementing 73 measures, and maintaining documentation per CCN-STIC guides — which explains the €25K–€45K typical cost for MEDIUM systems. ECP packages CyFun compliance into a guided platform with policy templates, evidence collection, and audit bundles — the MSP delivers this as a monthly service rather than a project. The platform absorbs the complexity; the per-client cost drops dramatically.

Why is Spain's NIS2 transposition still pending in 2026?

Spain missed the EU NIS2 transposition deadline (October 17, 2024). The Spanish Council of Ministers approved a draft NIS2 transposition law in January 2025, but as of mid-2026 it remains under parliamentary review. CCN has indicated ENS compliance will provide a strong basis for NIS2 compliance for public sector entities, but the exact legal relationship between ENS certification and NIS2 obligations is still to be defined once the transposition law passes.

Deliver CyFun audit-readiness to your Belgian clients

If you are a Belgian MSP, CyFun — not ENS — is the compliance path your clients need. ECP packages it as a monthly MSP service: guided workflows, evidence collection, white-label reports, and a signed audit bundle your CAB auditor accepts.

Related

Fact check

ClaimSourceAccessed
ENS established by RD 3/2010; updated by Royal Decree 311/2022, 3 May 2022 BOE — Boletín Oficial del Estado, RD 311/2022 2026-06-29
CCN — Centro Criptológico Nacional is the ENS governance authority, part of CNI CCN official site 2026-06-29
73 security measures in 4 groups (org.* / op.* / mp.*); 3 security levels (BASIC / MEDIUM / HIGH); 5 security dimensions RD 311/2022 Annex II + ens.ccn.cni.es 2026-06-29
Mandatory for all Spanish public administrations + private ICT suppliers to public sector RD 311/2022 Article 2 (scope) 2026-06-29
ENAC-accredited bodies perform ENS audits; mandatory for MEDIUM/HIGH; 2-year certificate validity CCN ENS certification information 2026-06-29
ENS cert costs: BASIC €12K–€25K; MEDIUM €25K–€45K; HIGH €100K+ (industry estimates) Industry estimates — Delbion ENS certification guide 2026-06-29
Spain's NIS2 transposition draft approved by Council of Ministers January 2025; pending parliament as of mid-2026 NIS2 Directive transposition tracker — Spain 2026-06-29
ENS compliance is complementary to but not fully equivalent to NIS2 obligations ENS and NIS2 analysis — eIPosgrados cybersecurity blog 2026-06-29
ECP pricing: per-client by site size (XS €25 / S €75 / M €250 / L €825 / XL €2,750 / XXL €9,075), no monthly base, billed annually ECP ADR-0035 per-client-only pricing 2026-06-29
CyFun is Belgium's official NIS2 compliance path, CCB-issued CCB Centre pour la Cybersécurité Belgique 2026-06-29
TARS AI
Ask me about NIS2, CyFun & compliance