Legal framework in which the CPSTIC CCN - STIC 105 catalogue is included in the sphere of Public Administration


- Augst
Posted by: José Ruiz
Legal framework in which the CPSTIC CCN - STIC 105 catalogue is included in the sphere of Public Administration

It is no surprise that the number of products and services included in the reference catalogue of cybersecurity products for the Administration CPSTIC / CCN - STIC 105 is continuously growing, with the certifications / qualifications obtained in the previous year being surpassed every year.

There are several reasons for this remarkable growth, among which we can highlight:

  • The commitment of manufacturers to improve cybersecurity in their products.

  • The good work and desire to improve the field of cybersecurity by all the actors involved in the process: manufacturers, accredited assessment laboratories, Certification Bodies and public administrations in general.

  • Legal compliance for working with the Public Administration. We will focus particularly on this last point, which we will develop below.

    Legal compliance for working with the Public Administration

    More than a year ago, Royal Decree 311/2022 of 3rd of May, which regulates the National Security Scheme (ENS, by its acronym in Spanish), introduced the reference to the CCN’ s Catalogue of Information and Communication Technology Security Products and Services (CPSTIC), together with the collection of requirements and reinforcements relating to certified/qualified products and services depending on their taxonomy.

    One of the achievements of the new version of the ENS has been to unite the security requirements established in the ENS with the efforts that the CCN has been making for several years with the creation of the CPSTIC product catalogue.

    Is it mandatory for my product or service to be part of the CPSTIC catalogue in order to work with the Public Administration?

    According to the ENS, and we quote an extract from point 4.1.5 concerning Certified Components:

    The CCN Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) will be used to select the products or services supplied by a third party that form part of the security architecture of the system and those that are expressly referenced in the measures of this royal decree.
    From this extract it can be deduced that, indeed having a cybersecurity certification or qualification applied to the ICT product that guarantees the correct implementation of the product’s security functionality is mandatory, according to what is set out in the ENS.

    What is the Dynamic Public Administration Procurement System?

    It is a fully electronic method of ongoing procurement and is available to any interested company that meets the selection criteria for the entire duration of the procurement process. This technique allows a large number of offers to be made available, thus increasing competition. It is based on two stages:

    In the initial stage, companies that meet the necessary selection criteria are included in the dynamic procurement system, while, in the second stage, companies admitted in the previous round submit their bid.

    In these dynamic procurement systems, the general conditions for requiring security certifications/qualifications have been included, as well as the admissible means of accrediting security, with links to the ENS, the CPSTIC and also to the certifications that may come with Regulation (UE) 2019/881.

    ¿How to include my product in the CPSTIC CCN - STIC 105 catalogue? We can help you.

  • LINCE evaluation: Original assessment for on premise products, the scope of this certification is at national level (Spain).

  • STIC evaluation: Similar to the LINCE assessment, but focused on to products developed in the cloud. It also requires the evaluation of the cloud part according to annex G "Cloud services".

  • Complementary STIC: For those products that have a Common Criteria certification and aim to enter the catalogue. It basically consists of complementing the original certification with functional and penetration tests.

    You can find more information in the following links:

  • Our website.

  • Our Youtube channel.

    Cloud native solutions, welcome to the CPSTIC / CCN-STIC 105 Catalogue

    The SaaS market is growing every year, and administrations are increasingly opting to use this type of solutions in their daily management and operations. Therefore, evaluating solutions developed in the cloud has been an urgent need to be solved. In 2020, CCN published "Annex G", which applies to the "Cloud Services" taxonomy, thus creating the first evaluation framework for qualifying cloud products in Spain and Europe.

    This initiative, presented at the last CCN conference, has made it possible to modernise the catalogue and bring it into line with the reality in administrations. Cloud service providers such as AWS, Google and Microsoft already have cloud services included in the catalogue.

    Success stories of qualified products and services.

    The catalogue grows and adapts to the needs of the market. The qualification of certain products has been a real milestone beyond our borders. Here are some of them:

  • Electric vehicle chargers: Several studies reflect the potential impact of a cyber-attack on the electric vehicle charger network. The requirement to comply with LINCE certification by one of Spain largest electricity utilities has improved the sector’s cybersecurity at the national level.

  • Video identification tools: This is the first time that national legislation - ministerial order (Order ETD/465/2021, 6 May) - has been created requiring cybersecurity certification/qualification for an IT product. As such a pioneering product, it has required the creation of an evaluation methodology by CCN that is a world first.

  • OT Security - Port management software: Strengthening the cybersecurity of critical infrastructures is one of the objectives of the Administration. It is a pioneering project at national level in which software of these characteristics is evaluated. This evaluation resulted in the creation of the OT Security category within the CPSTIC catalogue.


    The Spanish administration is implementing mechanisms for the use of ICT products that have passed a security assessment and have a secure use procedure. This work provides administrations with a very beneficial tool for the procurement of cybersecurity products.

    Additionally, both through the dynamic procurement system and in the drafting of tender documents by the various administrations, we see the necessary impetus to encourage manufacturers to continue to invest in the certification/qualification processes for their products.

    Nothing is perfect and we still see calls for tender requesting the ENS for a product instead of its inclusion in the CPSTIC catalogue but looking back, we are creating an ever-stronger path to do our bit in preventing cyber-attacks.

  • José Ruiz/CTO

    Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of the information technology as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS, LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the “Chairman” of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also member of different working groups as ISO SC27 or Global Platform TEE and an active member of the group ERNCIP “IACS Cybersecurity certification“.

    In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.


    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.