Tucuvi has obtained the ENS High level certification, the most demanding tier of Spain's National Security Framework (Esquema Nacional de Seguridad). This recognition validates compliance with a set of advanced security measures for the processing of sensitive information, aligned with the requirements applicable to the public sector, including the Spanish National Health System (SNS).
Tucuvi has obtained the ENS High level certification, the most demanding tier of Spain's National Security Framework (Esquema Nacional de Seguridad). This recognition validates compliance with a set of advanced security measures for the processing of sensitive information, aligned with the requirements applicable to the public sector, including the Spanish National Health System (SNS).
In practice, ENS High level certification can facilitate the integration of Tucuvi in hospitals and public administrations, by providing formal evidence of compliance in information security, helping to streamline vendor evaluation processes.
What ENS is and why the High level matters
The National Security Framework (ENS), regulated by Royal Decree 311/2022, sets out the principles and requirements that public administrations and their technology providers must meet in cybersecurity.
RD 311/2022 classifies systems into three levels:
- Basic
- Medium
- High
The ENS High level in the healthcare sector applies to systems that:
- Manage especially sensitive information, such as clinical data
- Support essential or critical public services
- Present a high potential impact in the event of security incidents
What obtaining ENS High level certification involves
For an AI solution applied to the healthcare sector, reaching this level requires compliance with all the security measures defined in Annex II of RD 311/2022 for the High category, following an audit performed by a certification body accredited by ENAC.
This includes the implementation of advanced controls in areas such as:
- Encryption and information protection
- Activity monitoring and logging
- Security incident management
- Service continuity and operational resilience
In this context, ENS High level constitutes the reference framework for information protection in public healthcare environments, aligning infrastructure and security policies with the demanding requirements of the ENS certification.
A complete compliance framework
Tucuvi holds three key certifications to operate AI in healthcare with full guarantees of security, traceability, and regulatory compliance:
- ENS High level: certifies compliance with a set of advanced security measures under the National Security Framework, aligned with the requirements for protecting systems that manage sensitive information in the Spanish public sector.
- CE Mark Class IIb (MDR): attests that the software meets the European requirements for safety, performance, and risk management applicable to medium-to-high risk medical devices, in accordance with the Medical Device Regulation.
- ISO/IEC 27001: certifies the implementation of an information security management system (ISMS) that enables the identification, assessment, and mitigation of risks in a structured and continuous way.
“In AI applied to healthcare, compliance is not a step you complete at the end; it is a product decision from day one. Every certification we hold is the result of designing our processes against demanding standards, and doing so consistently over time. That is the only way to operate responsibly in this sector.” – Clara Soler, QARA & AI Governance Director
What ENS High level means for hospitals and public administrations
For information security teams, public procurement, and clinical leadership, ENS High level certification can have an impact across several key areas:
- It facilitates public procurement
Public administrations require ENS compliance from their vendors, with High level being the most common in healthcare environments. Holding a valid certificate simplifies tender processes, reduces the technical documentation burden, and provides direct evidence of regulatory compliance.
- It reduces the security assessment burden
Information security and data protection teams may not need to start evaluations from scratch in every case: the certification covers a broad set of standard controls, reduces additional security questionnaires, and allows the assessment to focus on integration with clinical systems (EHR, data flows).
- It supports operational continuity in clinical environments
Certification at its highest level requires the application of measures such as:
- More demanding recovery objectives (RTO/RPO)
- Multi-factor authentication (MFA) at all levels
- Continuous system monitoring
- Business continuity and disaster recovery plans
These measures help reduce the risk of disruptions and improve service resilience, which is particularly relevant in clinical AI environments.
A commitment to security and traceability
This certification is part of a broader commitment: the adoption of artificial intelligence in the healthcare system requires providers capable of verifiably demonstrating their maturity in risk management, beyond general statements.
Clinical teams using Tucuvi to interact with patients need to trust that information is processed, stored, and transmitted under high standards of security and traceability.
Visit our Security Trust Center to learn more about the controls in place. For more information on how Tucuvi can integrate into your organization with these security guarantees, get in touch with our team.
