CCN-OC, CPSTIC and ENS: How Security Certification Really Works in Spain

When talking about certification or qualification of products, services, or systems in Spain, it is very common to hear statements such as “I spoke with the CCN”, “I want to be listed in the CCN catalogue”, or “I need to certify my product through the CCN”.

However, this way of referring to the process oversimplifies the reality.

Within the Centro Criptológico Nacional (CCN), there are several distinct entities, each with a very specific role. Not understanding this structure is one of the most common mistakes in certification projects, often leading to delays, unnecessary costs, or poor strategic decisions.

If you are a manufacturer, developer, integrator, or security manager, understanding how these pieces fit together is essential to grasp what is really happening during a certification process.

The three key pillars of the ecosystem

At a high level, the system is built around three main components: the Certification Body, the CPSTIC, and the regulatory framework set out by the Esquema Nacional de Seguridad (ENS).

Although they are often mentioned together, each plays a different and complementary role.

The Certification Body: who issues the certificate

The Certification Body (the CCN-OC, Organismo de Certificación) is responsible for issuing security certificates for products evaluated under methodologies such as Common Criteria or LINCE.

A key point to clarify from the outset is that the Certification Body does not perform the technical evaluation of the product. That responsibility lies with independent, previously accredited laboratories that have demonstrated the technical competence, resources, and procedures required to evaluate security products.

The process, in simplified terms, starts with a certification readiness review. One of the main elements analyzed is the Security Target, a document where the manufacturer defines the security problem the product addresses, the security functions it implements, and the environment in which it is intended to operate. In parallel, the Certification Body verifies that the selected laboratory is technically capable of evaluating that specific type of product.

Once approved, the evaluation begins in the laboratory. After completing the evaluation activities, the lab produces the Evaluation Technical Report (ETR). This report is then reviewed by the Certification Body, which, if everything is compliant, issues the certificate.

At this point, one of the most important concepts in certification must be clearly understood: certification always applies to a specific product version, under a defined configuration and within specific operational conditions. It does not apply to a product in general terms.

CPSTIC: who qualifies products and services

Once the role of the Certification Body is clear, it becomes easier to understand the function of the CPSTIC.

CPSTIC manages the official catalogue of ICT security products and services used in the public sector. Its role is not to certify, but to qualify products and services, meaning to determine whether they are suitable for use in systems that must comply with the ENS.

The qualification process is particularly relevant for systems classified as Medium or High under the Esquema Nacional de Seguridad, where security products are required to be included in the catalogue.

CPSTIC also organizes products into families—such as firewalls, intrusion detection systems, or identity management solutions—and defines the security requirements that products must meet to be included in each category. In addition, it establishes and maintains the qualification procedures and keeps the catalogue up to date.

Certification vs qualification: two different but connected processes

One of the most common sources of confusion is the relationship between certification and qualification.

The Certification Body issues certificates. CPSTIC, in many cases, uses those certifications as a basis to qualify products and include them in the catalogue. These are therefore different processes, although closely linked.

In an ideal scenario, a manufacturer obtains a certification—such as Common Criteria or LINCE—that covers the relevant security functionalities. CPSTIC then uses that certification to qualify the product.

However, reality is not always that straightforward.

Market reality: beyond the theoretical model

Traditional certifications are rigorous, time-consuming processes tied to specific product versions evaluated in controlled environments. The market, however, evolves much faster, with frequent software updates, new hardware models, and increasing adoption of cloud deployments.

To adapt to this reality, CPSTIC includes different qualification mechanisms that go beyond traditional certification. In many cases, it is possible to extend qualification to new product versions through differential analysis, documentation reviews, or additional testing, without requiring a full certification process again.

This approach provides flexibility while maintaining security assurance, but it also adds complexity when defining the right certification strategy.

Typical real-world scenarios

When applying this model in practice, several common scenarios emerge.

A company may pursue a Common Criteria certification to achieve international recognition, without targeting the Spanish public sector. In this case, the interaction is primarily with the Certification Body, and CPSTIC is not involved.

In contrast, if the objective is to operate in environments that must comply with ENS, inclusion in the CPSTIC catalogue becomes essential. In these cases, it is common to start by aligning with CPSTIC requirements and then proceed with certification.

Another frequent scenario involves products that are already qualified but evolve over time. In these situations, the process is often managed through CPSTIC and may not require a new certification, depending on the impact of the changes introduced.

ENS: the framework that connects everything

The Esquema Nacional de Seguridad does not certify products. Instead, it defines the security requirements that systems must meet and how they should be audited.

ENS certifications are carried out by accredited private entities that assess organizations against this framework. During these audits, one key aspect that is verified is that the security products used in the system are qualified in the CPSTIC catalogue.

This is what ultimately links regulation, catalogue, and certification.

Conclusion

When viewed as a whole, the system follows a clear logic: the regulatory framework defines the rules, CPSTIC determines which products are acceptable, and the Certification Body provides technical validation.

Understanding this structure is not only useful to interpret the process, but also essential to make informed decisions from the outset. In a context where time, cost, and complexity are significant factors, having a clear strategy makes a substantial difference.

Need help with certification?

At Digital Cubes, we support manufacturers and developers in defining and executing certification strategies aligned with their business objectives, whether at an international level or within the ENS ecosystem.

If you are working on product certification or want to identify the most efficient approach for your case, we can help you navigate the process with confidence.