Spanish ICT Security Product Catalogue

CPSTIC Inclusion: Your Key to the Public Sector

We manage the entire process to get your product listed in the CPSTIC Catalogue, the de facto requirement for selling to the Spanish government and strategic companies.

What is the CPSTIC Catalogue?

The CPSTIC (ICT Security Product Catalogue), officially defined in the CCN-STIC 105 document, is the official portfolio of cybersecurity products and services approved for use within the Spanish Public Administration and entities governed by the National Security Framework (ENS).

For all practical purposes, being listed is the non-negotiable entry ticket for public sector procurement. It is the official proof that a product meets Spain’s rigorous security standards, making it the default choice for government buyers.

CPSTIC Catalogue

An essential requirement for contracting with the Public Administration.

LINCE as a route to CPSTIC

Two CCN-STIC guides explain when LINCE is the right route

For on-prem software, hardware and IoT products, LINCE is often the direct route towards CPSTIC inclusion. These guides explain the framework and methodology behind that decision.

CCN-STIC 2001

Explains the LINCE certification framework and helps manufacturers understand when this route applies to on-prem software, hardware and IoT.

CCN-STIC 2002

Details the LINCE evaluation methodology, minimum evidence and the technical preparation expected from the vendor.

CICLON or LINCE?

Choose the right certification path according to how your product is deployed.

Choose CICLON

Cloud

The right fit for cloud-native products that need to prove security in SaaS, PaaS or IaaS environments.

  • Cloud deployment and shared-responsibility model
  • Continuous monitoring of the SBOM, relevant dependencies, CICLON evaluation of integration components, and cloud-provider ENS or EUCS certification
  • Frequent fit for CPSTIC ambitions in regulated cloud scenarios

Choose LINCE

On-premises software

The better fit for products deployed on customer infrastructure, installed on-premises or delivered outside a cloud service model.

  • Point-in-time evaluation instead of iterative monitoring
  • Useful for on-premises software, installed applications and on-prem products
  • Clear path when the cloud model is not central to the product

Evaluation paths we offer

We help you choose the route that fits your product’s maturity, target category, and timelines.

LINCE

Agile, cost-effective evaluation designed for software, hardware and other on-prem products seeking CPSTIC inclusion.

  • Threat-driven testing
  • Allows direct access to ENS MEDIUM Category
  • Faster time-to-catalogue
  • Great for SMEs and new entrants
  • According to CCN-STIC 2001

CICLON

The primary route for cloud products and services such as SaaS, PaaS and IaaS when your goal is CPSTIC inclusion in Spain.

  • CICLON is the designated path for Cloud/SaaS products and services
  • Designed for dynamic cloud architectures
  • Supports the target CPSTIC and ENS scope
  • Includes evaluation plus continuous monitoring

Complementary STIC

For products that are already certified and only need to cover specific additional gaps required for CPSTIC inclusion.

  • Used for gaps in already certified products
  • Focused evaluation effort
  • Useful when a full new route is not necessary
  • Aligned with the remaining CPSTIC requirements
  • According to CCN-STIC 106

Common Criteria / EUCC

Internationally recognized certification. From EAL2 upwards, with conformance to the family’s Security Functional Requirements (SFR) for CPSTIC.

  • Global recognition
  • Enables access to ENS HIGH Category
  • Strong fit for high-assurance needs
  • Builds maximum trust for enterprise sales
  • According to the EUCC / CC:2022 standards

Choosing the Right Path to CPSTIC

Your product and goals determine the most efficient route. Here’s how the main paths compare for CPSTIC Catalogue inclusion.

Your Goal Is

  • LINCE: You need fast, direct CPSTIC entry for software, hardware or other on-prem products.
  • CICLON: You need CPSTIC access for a cloud product or service.
  • Complementary STIC: You already have a certified product and only need to close specific gaps.
  • Common Criteria / EUCC: Products requiring the highest assurance for global markets.

Core Focus

  • LINCE: Functional analysis and penetration testing.
  • CICLON: Cloud evaluation, web/cloud pentesting and continuous monitoring.
  • Complementary STIC: Targeted closure of remaining gaps in already certified products.
  • Common Criteria / EUCC: Exhaustive formal documentation and process verification.

Time & Effort

  • LINCE: Low
  • CICLON: Variable according to cloud scope
  • Complementary STIC: Focused
  • Common Criteria / EUCC: High (Months/Years)

Cost

  • LINCE: Most Affordable
  • CICLON: Adapted to architecture and monitoring scope
  • Complementary STIC: Adjusted to the pending gaps only
  • Common Criteria / EUCC: Significant Investment

Why Partner with Us for CPSTIC?

We combine deep regulatory knowledge with strategic project management to deliver results, not just reports.

Strategic Pathfinding

We don’t just follow a checklist. We analyze your product and goals to find the fastest, most cost-effective route to inclusion.

End-to-End Management

From initial scoping to final submission and CCN liaison, we manage the entire lifecycle, freeing up your team to focus on your product.

Unmatched Expertise

Our team possesses deep, hands-on experience with the different CPSTIC families and taxonomies, as well as the nuances of the CCN’s processes.

Your Proven Roadmap to the CPSTIC Catalogue

We handle the complexity, you get the result. Our process adapts to your product's unique needs, ensuring the most efficient path to inclusion.

1. Strategic Scoping & Pathfinding

We start with a free analysis of your product and goals. We then determine the most efficient path for you: LINCE for on-premises software, products with a hardware component and other on-prem products, CICLON for cloud, or Complementary STIC when an already certified product only needs to close specific gaps.

2. Documentation & Evidence Assembly

We manage the creation of all required documentation, including the Security Target and support for manuals, ensuring it meets the CCN’s rigorous standards so you don’t have to worry about the paperwork.

3. Evaluation & Technical Liaison

If testing is required, we perform the evaluation with no waiting queues. If issues are found, we work with your team to resolve them. Throughout the process, we act as your single technical point of contact, managing all queries to ensure a smooth process.

4. Submission & Follow-up

We prepare and submit the complete package to the CCN, proactively managing all communications and follow-ups to ensure a smooth and timely review for CPSTIC inclusion.

5. Successful Listing & PES Documentation

Your product is officially included in the CPSTIC Catalogue. We then generate the mandatory Secure Usage Procedure (PES) document to finalize your listing.

Frequently Asked Questions

Is Common Criteria or EUCC mandatory for CPSTIC?
No. LINCE, CICLON or a Complementary STIC evaluation can be valid and more efficient routes. We help you determine the best path according to whether your product is on-premises, cloud, or already certified.
Which ENS Categories does CPSTIC qualification cover?
CPSTIC qualification is the primary mechanism to demonstrate compliance with the Spanish National Security Framework (ENS), supporting products and services for use in systems up to the ENS HIGH Category.
How long does the CPSTIC inclusion process take?
The timeline varies. If your product only requires a gap analysis against an existing certification, the process can take just a few days. If additional testing is needed, it typically takes a few weeks. In every scenario, our process is optimized to get you listed in the CPSTIC Catalogue as fast as possible.
Do you provide end-to-end support for documentation?
Yes. We handle the entire documentation process, including the Security Target (if necessary), the differential analysis, and its submission.
What are the main categories of the CPSTIC Catalogue, and how do they apply to my product?
The CPSTIC Catalogue is divided into three categories: Approved Products, which are suitable for handling classified information; Qualified Products and Services, which meet the security requirements for sensitive information under the ENS; and Compliance and Governance Products and Services, which facilitate compliance with security regulations. Each category addresses specific security needs and helps position your product for public sector procurement.
What are CPSTIC families?
CPSTIC families are the official categories used to classify cybersecurity products based on their primary function (e.g., Firewalls, EDR, or SIEM). These families help ensure that your product is evaluated against the most relevant criteria for its intended use. The full list of families is detailed in the CCN-STIC 140 guide.
What is the CCN-STIC 106 guide?
CCN-STIC 106 is the official guide from the CCN that outlines the different procedures for including products in the CPSTIC Catalogue. Our expertise allows us to navigate the process efficiently, choosing the best strategy for your product and ensuring all requirements are met.
How long will my product remain in the CPSTIC Catalogue?
The duration of inclusion in the CPSTIC Catalogue depends on the entry process, but the maximum period is 5 years. We monitor your product and manage the requalification process before its inclusion in the CPSTIC Catalogue expires.
We are a foreign company. Can you manage the entire CPSTIC process for us?
Absolutely. We specialize in acting as the local strategic partner for international companies. We manage all interactions with the CCN, handle documentation in Spanish, and navigate the entire process on your behalf, eliminating geographical and language barriers.
What does the CPSTIC requalification process involve?
Requalification involves re-testing, adapted to the current state of the art, to ensure the product remains secure against new threats. Because it builds upon the previous evaluation, this process is significantly faster and more cost-effective than the initial inclusion. We manage this process to ensure a smooth renewal.
What happens if my product fails to meet the requirements during the evaluation?
This is a common and constructive part of the process. Our role is not just to audit, but to improve your product. If we find any gaps, we provide a detailed report and work with your team to define the best remediation strategy. The goal is to ensure your product achieves compliance efficiently, not just to issue a "pass" or "fail" verdict.

Ready to Enter the CPSTIC Catalogue?

Schedule a free, no-obligation consultation to analyze your product and get a clear roadmap for CPSTIC inclusion.