Open Telekom Cloud complies with Esquema Nacional de Seguridad in Spain

In this article, you will read

• what lies behind the Esquema Nacional de Seguridad (ENS) certificate,
• what significance it has particularly for the Spanish market,
• and what status the Open Telekom Cloud has achieved.

ENS certification ("Esquema Nacional de Seguridad") is the Spanish gold standard for cloud and IT security and thus Spain's contribution to sovereign cloud usage. Similar to the German IT baseline protection certification, it is a mandatory requirement for all cloud providers working with public sector entities in Spain. T-Systems Iberia achieved ENS certification (ENS-0879/25) for the Open Telekom Cloud in October 2025 and is now officially listed on the Gobernanza de la ciberseguridad nacional website.

ENS certification, officially known as Esquema Nacional de Seguridad, is Spain's national security framework for public institutions, cloud providers, and IT service providers. It defines standards for data confidentiality, integrity, and availability, similar to ISO standards, but specifically for the requirements of the Spanish administration. For cloud providers, ENS certification is not only a compliance tool, but also a prerequisite for access to public contracts. Companies without ENS certification cannot participate in tenders.

As part of the certification process, IT and cloud providers are divided into three categories: nivel basico, nivel medio, and nivel alto. They may be used for tasks that correspond to this level.  Simple web portals for citizens, for example, require "basico"; IT service providers for medium-sized authorities, tax or financial authorities, health authorities, and central administration systems require "medio"; national security authorities, central health information systems, and critical infrastructures require "alto."

ENS essentially examines cloud offerings to determine the extent to which they allow users to meet data sovereignty and data protection requirements. Providers must ensure that data is stored and processed within Spain or the EU. At the same time, mechanisms must be in place to provide data in a structured, machine-readable, and exportable format. This facilitates switching between cloud providers and complies with the principles of data portability. Since personal data may be involved, the ENS certificate also requires GDPR compliance.

In October 2025, the Open Telekom Cloud received ENS certification on the initiative of T-Systems Iberia. Jaime San Andres the Country Security Officer (CSO) at T-Systems Iberia explains the reason for the initiative: "Spanish customers are currently looking for alternatives to US hyperscalers for data sovereignty reasons. When selecting alternative cloud providers, ENS certification is a decisive factor, at least for customers in the public sector." As a national sovereignty standard, ENS is also important for the healthcare sector, banks, energy and utility companies. In short, cloud providers in Spain need the certificate as proof that their cloud supports sovereignty strategies.

The T-Systems Iberia team led by Gemma Perez-Robles and Jaime San Andres received intensive support from the Open Telekom Cloud team in Hungary and Germany during the certification process. This is because the certification included technical, organizational, and regulatory audits – not just "paperwork," but verification that security controls are actually being implemented. The operating team led by Akos Szakacs provided the evidence for this.

The certification process began in June and took around four months. In October, T-Systems Iberia received the ENS certificate ENS-0879/25 with the nivel alto, i.e., the highest level for all five aspects (confidentiality, integrity, traceability, authenticity, and availability of data). The Open Telekom Cloud can now be used in Spain for digitalization projects in compliance with ENS and GDPR. The certification process was supervised by the renowned auditor Applus Certification B.U. The certificate is valid for two years. To retain the certificate, the Open Telekom Cloud undergoes a mandatory internal audit every year and an external re-audit every two years.

"The established security mechanisms of the Open Telekom Cloud not only convince German auditors, but also meet requirements in Spain," summarizes Gemma Perez-Robles from T-Systems Iberia. This renewed expansion of the certification base is also a clear signal to other European countries: The Open Telekom Cloud is a highly sovereign cloud that can be used in regulated environments and industries.

As an ENS-certified provider, Open Telekom Cloud is now eligible to participate in public tenders in Spain, even when sensitive data is involved. The certification also has implications for other sectors such as healthcare, finance, and energy supply.

ENS supports the data sovereignty strategies of European companies and public sector entities. ENS certification ensures that data remains in European data centers and is not automatically accessible from third countries. Cloud providers with ENS certification meet EU-wide security requirements and offer Data Act compliance. "Last but not least, the certificate ensures that security controls are not just on paper, but are actually implemented," the Spanish CSO resumes.