Skip to main content
For sales to Spanish public administration — ministries, public universities, town councils, public hospitals — the key framework is the Esquema Nacional de Seguridad (ENS), regulated by Real Decreto 311/2022. The ENS applies to public-sector information systems and to the providers that supply them technology or services.
ZeroKeyUSB is not itself “ENS certified” — ENS conformity applies to systems and organizations. The device is positioned as a technical control that helps an ENS-scoped system meet its requirements, particularly around identity, access control and authentication.

ENS dimensions ZeroKeyUSB supports

The ENS organizes safeguards across operational and protection measures. A credential device contributes mainly to access control and information protection:
ENS areaContribution
Identification & authenticationStrong, unique passwords and TOTP second factors, gated by a Master PIN on a physical device
Access controlCredentials are unreachable without the device and PIN; access is granted only on a deliberate action
Protection of informationCredentials encrypted at rest with a key held in a secure element; no cloud storage
Protection against malwareThe vault is off-host and encrypted, reducing the value of an infected endpoint
Operation without local softwareNo agent or driver to install, reducing the managed-system attack surface
Traceability of designOpen-source firmware, signed images, and documented threat model support risk documentation

The CPSTIC / CCN-STIC path (medium term)

For a security product used by Spanish administration, the reference catalogue is the CPSTIC of the CCN (Centro Criptológico Nacional) — the list of qualified/approved ICT security products for use under the ENS. Inclusion in CPSTIC typically relies on an evaluation recognized by the CCN, such as LINCE or Common Criteria, following the relevant CCN-STIC guides. This is a deliberate, later phase. The groundwork already in place helps:
  • Signed firmware and a hardware-protected bootloader (secure boot).
  • A defined product category — “offline secure credential storage device.”
  • Architecture and threat documentation that an evaluation would build on.
  • A secure provisioning process and permanently locked secure element.
A realistic sequence, when a large public buyer requires it:
  1. Scope the product as an evaluable target of evaluation.
  2. Prepare architecture, threat model and secure-manufacturing documentation.
  3. Engage an accredited lab for LINCE (or Common Criteria) as CPSTIC requires.
  4. Apply for CPSTIC listing.

Suggested statement

ZeroKeyUSB is designed to support the access-control and authentication requirements of the Spanish National Security Framework (ENS, RD 311/2022) as a technical control within a public-sector system. Formal product evaluation (LINCE / Common Criteria) and CPSTIC listing are planned for when a qualifying public buyer requires them.