About the RNS

The CCN-CERT has long collaborated, and still collaborates, with several SOCs of different sizes, at the level of Ministries, Provincial Councils, Town Halls or Local Entities, and more recently Essential Services Operators. In this context the need arose for a tool to interconnect the SOCs so that any suspicious attack attempt could be stopped in its tracks immediately, even before determining whether it was an actual attack or not.

Subsequently, in late 2020, the European Commission launched its Cybersecurity Strategy for the Digital Decade, in which a European network of SOCs, based on Artificial Intelligence tools, took on a relevant role. The Commission's justification stems from the fact that Europe had suffered a pandemic of ransomware and the existing CSIRT network at European level had not been able to stop it. So the emphasis now was on detection in the SOCs.

All of which led the CCN-CERT to create the National Network of SOCs, a platform that incorporates the SOCs of all public bodies of the Spanish Administration, together with the provider entities which supply said SOC services and the public entities that benefit from them.

Its main aim is to boost the protection capability of its members by almost immediately blocking any sign of irregular activity that is being detected at any point of the Administration.

Participating entities

Entities from the following categories may join the National Network of SOCs:

Public entities

Bodies of the Spanish Public Administration. Their security services are generally provided by contracted providers.

Provider entities

Companies that, with their own staff, provide their cybersecurity or SOC services (Implementation, Operation, Maintenance...) to any entity of the Spanish Public Administration.

Guest entities

Entities that do not meet the requirements of the two previous categories, but which are nevertheless granted access to the information exchanged in the RNS.

Public entities and providers interact with each other through SOCs and the following scenarios may arise:

Private SOC

A SOC belonging to a Provider, which provides service to one or several Public Administrations. Its manager will thus be someone from the company, and the name will be related to said company, e.g. SOC CompanyA.

Public SOC

A SOC run by one or several Providers (or even by the Administration's own staff) and which covers one or several Public Administrations. Its manager will be a public employee, and the name will be related to the Public Administration, e.g. SOC MinistryB.

In addition, at present the provider entities may have the following levels (based on their participation):

Gold

Providers with a high level of participation. They will have immediate access to all the information shared and consolidated in the RNS.

Informed

Providers with a normal level of participation. They will have access to the information shared and consolidated in the RNS, but with some delay.

Participation will be measured through shared technical information which will be valued and scored in line with the nature thereof and its relevance. Given that the RNS is intended to serve as a tool to improve the information security of Public Administrations, said Administrations will be able to progressively promote the adoption of this categorisation of "Gold" and "Informed" as differentiating values when evaluating commercial proposals from providers competing for public contracts.

Name | Category | Level
Accenture | Provider | Informed
Administración de la Comunidad de Castilla y León | Public | -
Agència de Ciberseguretat de Catalunya | Public | -
Agencia Estatal de Administración Tributaria | Public | -
Aiuken Cybersecurity | Provider | Gold
Ajuntament d'Alcoi | Public | -
Ajuntament de Lleida | Public | -
Ajuntament de Paterna | Public | -
Ajuntament de València | Public | -
Ajuntament de Vila-real | Public | -
AndalucíaCERT, centro de seguridad TIC de la Junta de Andalucía | Public | -
Ayuntamiento de A Coruña | Public | -
Ayuntamiento de Albacete | Public | -
Ayuntamiento de Alcorcón | Public | -
Ayuntamiento de Alicante | Public | -
Ayuntamiento de Almería | Public | -
Ayuntamiento de Burgos | Public | -
Ayuntamiento de Cáceres | Public | -
Ayuntamiento de Córdoba | Public | -
Ayuntamiento de Gandía | Public | -
Ayuntamiento de Getafe | Public | -
Ayuntamiento de Granada | Public | -
Ayuntamiento de Huelva | Public | -
Ayuntamiento de Ibiza / Ajuntament d'Eivissa | Public | -
Ayuntamiento de Icod de los Vinos | Public | -
Ayuntamiento de Jaén | Public | -
Ayuntamiento de Logroño | Public | -
Ayuntamiento de Málaga | Public | -
Ayuntamiento de Molina de Segura | Public | -
Ayuntamiento de Murcia | Public | -
Ayuntamiento de Palencia | Public | -
Ayuntamiento de Plasencia | Public | -
Ayuntamiento de Santa Cruz de Tenerife | Public | -
Ayuntamiento de San Vicente del Raspeig | Public | -
Ayuntamiento de Valladolid | Public | -
Ayuntamiento de Vigo | Public | -
Ayuntamiento de Vitoria-Gasteiz / Vitoria-Gasteizko Udala | Public | -
Banco de España | Public | -
BE:SEC | Provider | Gold
BeDisruptive | Provider | Informed
Bullhost | Provider | Gold
Cabildo de Tenerife | Public | -
Casa de su Majestad el Rey | Public | -
Cellnex | Provider | Gold
Centro Ciberseguridad Ayuntamiento de Madrid (CCMAD) | Public | -
Cipher a Prosegur company | Provider | Informed
Ciudad Autónoma de Ceuta | Public | -
Comisión Nacional de los Mercados y la Competencia (CNMC) | Public | -
CSA | Provider | Gold
Centro de Seguridad TIC de la Comunidad Valenciana (CSIRT-CV) | Public | -
Concello de Ourense | Public | -
CSIRT-SATEC | Provider | Gold
Concello de Ponteareas | Public | -
Deloitte | Provider | Gold
Deputación de Lugo | Public | -
Diputación de Albacete | Public | -
Diputación de Alicante | Public | -
Diputación de Almería | Public | -
Diputación de Badajoz | Public | -
Diputación de Castellón | Public | -
Diputación de Granada | Public | -
Diputación de Jaén | Public | -
Diputación de Valladolid | Public | -
Diputación Provincial de A Coruña | Public | -
Diputación Provincial de Burgos | Public | -
Diputación Provincial de Cádiz | Public | -
Diputación Provincial de Huesca | Public | -
Diputación Provincial de Málaga | Public | -
Diputación Provincial de Palencia | Public | -
Diputación Provincial de Segovia | Public | -
Diputación de Valencia | Public | -
Donostiako Udala / Ayuntamiento de San Sebastián | Public | -
EJIE – Sociedad Informática del Gobierno Vasco | Public | -
Enaire | Public | -
Entelgy Innotec Security | Provider | Informed
EDNON ENOC-CSIRT | Provider | Informed
ENUSA Industrias Avanzadas | Public | -
ESPDEF-CERT – Mando Conjunto del Ciberespacio | Public | -
esPublico Servicios para la Administración S.A. | Provider | Gold
Evolutio Cloud Enabler S.A.U. | Provider | Gold
EY Transforma Servicios de Consultoría | Provider | Informed
Excmo. Ayuntamiento de Castro Urdiales | Public | -
Excmo. Ayuntamiento de Fuenlabrada | Public | -
Excmo. Ayuntamiento de Rivas Vaciamadrid | Public | -
Excmo. Ayuntamiento de Utrera | Public | -
Fábrica Nacional de Moneda y Timbre - Real Casa de la Moneda | Public | -
FEGA, Fondo Español de Garantía Agraria | Public | -
Fujitsu Technology Solutions S.A. | Provider | Informed
Getronics | Provider | Informed
Global Technology – CSIRT | Provider | Informed
GMV | Provider | Gold
Gobierno de Aragón | Public | -
Gobierno de La Rioja | Public | -
Google Cloud | Provider | Informed
Grupo CIES | Provider | Gold
Grupo ICA Sistemas y Seguridad | Provider | Gold
Grupo Oesía | Provider | Gold
Grupo S21Sec Gestión, S.A.U. | Provider | Informed
Hispasec | Provider | Gold
Inetum España SA | Provider | Gold
Ingenia – Babel Cybersecurity | Provider | Gold
Innovaciones Tecnológicas del Sur, S.L. (INNOVASUR) | Provider | Gold
Intec | Provider | Informed
Investigación y consulting, S.A. | Provider | Informed
IThinkUPC | Provider | Gold
ITS by Ibermática | Provider | Informed
Kyndryl España S.A. | Provider | Gold
Light Eyes | Provider | Informed
Madrid Digital | Public | -
MAPFRE S.A. | Provider | Gold
MNEMO Evolution & Integration Services, S.A. | Provider | Gold
NTT DATA Spain | Provider | Gold
OneCyber | Provider | Informed
OneseQ | Provider | Gold
PERSEUS | Provider | Gold
Principado de Asturias | Public | -
Redes System | Provider | Gold
Región de Murcia | Public | -
Renfe Operadora | Public | -
RTVE | Public | -
S2 Grupo | Provider | Gold
Secretaria General de Administración Digital | Public | -
Secure&IT | Provider | Informed
SEGIPSA. Sociedad Mercantil Estatal de Gestión Inmobiliaria de Patrimonio, M.P.S.A. | Public | -
SEIDOR-CSIRT | Provider | Informed
SERESCO | Provider | Informed
Servicio de Salud de las Illes Balears | Public | -
SIA, an Indra company | Provider | Informed
Sigma Gestión Universitaria, A.I.E (M.P) | Public | -
SILME - Servei d'Informàtica Local de Menorca | Public | -
Sirt | Provider | Informed
SOC corporativo del Gobierno de Canarias | Public | -
Sothis | Provider | Gold
T-Systems Iberia | Provider | Gold
Telefónica Tech Cyber Security & Cloud | Provider | Gold
Transports Metropolitans de Barcelona (TMB) | Public | -
Unitel Sistema de Comunicaciones de Castilla-La Mancha SLU | Provider | Gold
Universidad Miguel Hernández | Public | -
Universitat Politècnica de Catalunya | Public | -
Versia Cyber Shield | Provider | Informed
Wise Security Global | Provider | Gold
Xunta de Galicia - Centro de respuesta a incidentes de seguridad de la información (CSIRT.gal) | Public | -

Information to be shared

The main asset of the National Network of SOCs is the shared information regarding indicators of attack or compromise (IOA/IOC) which may be occurring at the current time in any of the member entities, so that they can be blocked. To be precise:

  • IP addresses of attackers (or alleged attackers)
  • Domains of compromised (or supposedly compromised) sites
  • Specific URLs with harmful content
  • Signatures or hashes of files with harmful content
  • E-mail addresses propagating harmful content
  • Threat detection rules based on network behaviour (SNORT rules), harmful content (YARA rules) or behaviour monitored in the SIEM (SIGMA rules)

It is not the aim of the National Network of SOCs to share information that may contain personal data or data of the victims, nor reports or generic investigations on threats in cyberspace if they are not affecting any of the members. As regards the first point, each entity is responsible for filtering the information it deems appropriate. As far as the second point is concerned, that is the role of the REYES solution of the CCN-CERT, where all the cyberintelligence information is centralised.

Additionally, as the attendant technological infrastructure is deployed, the following may also be shared:

  • Generic detection rules and use cases
  • Blacklists with the shared IOAs/IOCs
  • Metrics and indicators to be used in a SOC to improve its management
  • Whitelists with legitimate locations
  • Vulnerabilities
  • SIEM alerts

Technological infrastructure

Network integration is materialised through the use of collaborative tools. Firstly, by means of an instant messaging solution (Element), used both by the public entities that benefit from the SOC services and by the companies that provide those services. This solution is used both to spread alerts about ongoing incidents (or indicators of possible incidents) and to share other types of information of interest: cybersecurity reports, SOC operating procedures, administrative or service contracting procedures…


Another collaborative tool is the threat information sharing platform (MISP), where both Indicators of Attack (IOA) and Indicators of Compromise (IOC) are registered, centralised and distributed. It can be used in reading mode, by less mature public entities that only need to access the technical data of a threat in certain situations (for example, following an alert notified through the messaging solution), or in integration mode, directly connecting the tools of the most mature SOCs so that the indicators to be blocked are distributed to the rest of the entities.
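For the IOC categories listed under "Information to be shared" and the MISP integration mode described above, here is an added example (not RNS or CCN-CERT code) of what a member SOC's automation might do with a distributed event: read a MISP event in its JSON layout, keep only attributes MISP flags with to_ids, drop free-text attributes that could carry victim or personal data, apply the entity's own whitelist of legitimate locations, and produce per-category blocklists. The event, the whitelist and every value in it are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of a MISP event in the layout MISP distributes (top-level
# "Event" with an "Attribute" list). Values are invented; the sha256 is the
# hash of the empty string, used as a harmless stand-in.
SAMPLE_EVENT = json.loads("""
{"Event": {"id": "1001", "info": "constructed RNS example",
 "Attribute": [
  {"type": "ip-dst", "value": "203.0.113.7", "to_ids": true},
  {"type": "ip-dst", "value": "198.51.100.5", "to_ids": true},
  {"type": "ip-src", "value": "192.0.2.9", "to_ids": false},
  {"type": "domain", "value": "Bad.Example", "to_ids": true},
  {"type": "domain", "value": "sede.example.es", "to_ids": true},
  {"type": "url", "value": "https://bad.example/Login.php", "to_ids": true},
  {"type": "sha256", "value":
   "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
   "to_ids": true},
  {"type": "email-src", "value": "phish@bad.example", "to_ids": true},
  {"type": "comment", "value": "victim account: jsmith", "to_ids": false}
 ]}}
""")

# MISP attribute types mapped onto the IOC categories the RNS shares.
CATEGORY_BY_TYPE = {"ip-src": "ip", "ip-dst": "ip", "domain": "domain",
                    "hostname": "domain", "url": "url", "md5": "hash",
                    "sha1": "hash", "sha256": "hash",
                    "email-src": "email", "email-dst": "email"}

# Constructed whitelist of "legitimate locations" kept by the receiving entity.
WHITELIST = {"ip": {"198.51.100.0/24"}, "domain": {"sede.example.es"}}


def is_whitelisted(category, value):
    # True when a shared indicator collides with the entity's own whitelist
    allow = WHITELIST.get(category, set())
    if category == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(net) for net in allow)
    if category == "domain":
        return value in allow or any(value.endswith("." + d) for d in allow)
    return value in allow


def build_blocklists(event):
    # Returns {category: sorted values} ready to feed to blocking tools
    out = {c: set() for c in set(CATEGORY_BY_TYPE.values())}
    for attr in event["Event"]["Attribute"]:
        category = CATEGORY_BY_TYPE.get(attr["type"])
        if category is None or not attr.get("to_ids"):
            continue  # comments and non-IDS attributes never reach a blocklist
        value = attr["value"].strip()
        if category != "url":  # URL paths are case-sensitive, the rest are not
            value = value.lower()
        if not is_whitelisted(category, value):
            out[category].add(value)
    return {c: sorted(v) for c, v in out.items()}
```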


In the short term, the existing federated deployment of the cyber incident notification tool LUCIA will be integrated into the RNS, so that it can be used as a further indicator both of each SOC's commitment to the rest of the members and of the evolution of cyber incidents in national territory.

In the medium term, other solutions will be integrated into the RNS: IRIS, for the real-time display of cybersecurity status in the RNS; ANA, to generate from the RNS a warning system in the event of the publication of vulnerabilities; and the SIEM, to collect the critical alerts generated by the SOCs, which can serve as a data source to correlate incidents from a global perspective.

All of which is centralised at this website, where in the private area you will have access not only to the information belonging to the entity itself but to all shared information. And the entities will also be able to share with the others interesting information such as: use cases, examples of specifications, service indicators for SOC, procedures…

Examples of usage of said infrastructure

Critical incident in Entity with MISP: the entity involved shares the attendant IOA/IOC in Element, anticipating that which will later be in the MISP. If the event is already in MISP, the ID may be provided in the Element message so that people access the MISP to obtain the information.

Entities without MISP: they receive the information via Element and can act by blocking. If the MISP ID has been shared, they will have to access the MISP via the website to download the information and block it.

Entities with MISP: they receive the information via Element so as to receive advance notice (and to be able to carry out blocking in advance), but they may wait for the information to be synchronised with their MISP.

Non-critical incident in Entity with MISP: the entity will register the incident in the MISP, with its usual procedure, without the need to alert via Element.

Entities without MISP: unless they consult the MISP, they will not learn of the incident.

Entities with MISP: the entity will be synchronised and they may act as usual.

Incident in Entity without MISP: the entity may upload the information to the RNS MISP via Element. If said information passes the assessment process, it will be shared via Element with the other entities as well as through the MISP.

Benefits of participating

For providers with "Gold" level, the main benefit is the access to all the IOC/IOA shared in the RNS from the outset. So, the protection from said threats to clients can be transferred almost immediately. And, indirectly, better positioning vis-à-vis the contracting processes in which belonging to the National Network of SOCs with said level has been specified as a requirement.

For the other providers, the benefits are the same although they are slightly delayed over time.

And as regards public entities, not only access to the aforementioned indicators, but also to a sharing forum where they will be able to exchange recommendations about SOC management. Such as contracting models, recommendations on suppliers, the definition of indicators for the measurement of services…

Accession and permanence

The requirements for an organisation to join the National Network of SOCs as a public entity are:

  • Belonging to the Public Sector (in Spain)
  • Having cybersecurity or SOC services
  • Accepting the code of ethics and professional conduct of the RNS
  • Having installed and using LUCIA to notify incidents to the CCN-CERT regarding any of their clients (or being in the process of implementing)

In turn, the requirements that companies must meet to join as Providers are:

  • Being a company (public or private)
  • Providing cybersecurity or SOC services to the Public Sector (in Spain)
  • Accepting the code of ethics and professional conduct of the RNS
  • Using LUCIA to notify incidents to the CCN-CERT regarding any of their clients (or being in the process of implementing)

If the requirements listed above are met, the accession process consists of:

  • Application by the entity: filling in the accession form to be found at the website of the RNS, indicating whether you are a public entity or a provider.
  • Provisioning by the RNS in the available tools, and notification to the entity of the relevant credentials.
  • Confirmation of accession and publication of the membership at the website.

Once they have joined the National Network of SOCs, the entities must comply with the following terms of permanence which will be reviewed on a quarterly basis:

  • To keep meeting the accession requirements
  • To use the tools at the disposal of the RNS: continuously accessing the messaging solution and being aware about the information exchanged; accessing the exchange solution in due time in order to have the capacity to download the technical information exchanged;…
  • Additionally, for provider entities, sharing technical information which is innovative and relevant. Using the tools available to the RNS, so that said information can be properly assessed and scored.

If the terms of permanence are not met, expulsion from the RNS will be considered.