Spanish ICT Security Product Catalogue

CPSTIC Inclusion: Your Key to the Public Sector

We manage the entire process to get your product listed in the CPSTIC Catalogue, the de facto requirement for selling to the Spanish government and strategic companies.

Get a Quote See the Process
CPSTIC Catalogue Hero Image
Get a Quote

What is the CPSTIC Catalogue?

The CPSTIC (ICT Security Product Catalogue), officially defined in the CCN-STIC 105 document, is the official portfolio of cybersecurity products and services approved for use within the Spanish Public Administration and entities governed by the National Security Framework (ENS).

For all practical purposes, being listed is the non-negotiable entry ticket for public sector procurement. It is the official proof that a product meets Spain’s rigorous security standards, making it the default choice for government buyers.

See the official CPSTIC Catalogue →
Logo CPSTIC

CPSTIC Catalogue

An essential requirement for contracting with the Public Administration.

Evaluation paths we offer

We help you choose the route that fits your product’s maturity, target category, and timelines.

LINCE icon

LINCE

Agile, cost-effective evaluation designed for CPSTIC inclusion. Ideal when your target is CPSTIC.

  • Threat-driven testing
  • Allows direct access to ENS MEDIUM Category
  • Faster time-to-catalogue
  • Great for SMEs and new entrants
  • According to CCN-STIC 2001
CPSTIC icon

STIC / Complementary STIC

For cloud products and services or when you already have CC/LINCE but need to evaluate additional requirements.

  • The designated path for Cloud/SaaS products and services
  • Enables access to ENS HIGH and ENS MEDIUM Categories
  • Closes gaps to meet CPSTIC requirements
  • Tailored, focused effort
  • According to CCN-STIC 106
Common Criteria icon

Common Criteria / EUCC

Internationally recognized certification. From EAL2 upwards, with conformance to the family’s Security Functional Requirements (SFR) for CPSTIC.

  • Global recognition
  • Enables access to ENS HIGH Category
  • Strong fit for high-assurance needs
  • Builds maximum trust for enterprise sales
  • According to norms EUCC / CC:2022

Choosing the Right Path to CPSTIC

Your product and goals determine the most efficient route. Here’s how the main paths compare for CPSTIC Catalogue inclusion.

LINCE Logo LINCE
CPSTIC Logo STIC / Complementary STIC
CC Logo Common Criteria / EUCC
Your Goal IsYou need fast, direct entry to the Spanish market (CPSTIC).Cloud products and services or products with existing certifications needing a top-up.Products requiring the highest assurance for global markets.
Core FocusFunctional analysis and penetration testing.Targeted evaluation of specific gaps against CCN requirements.Exhaustive formal documentation and process verification.
Time & EffortLowFocused & FastHigh (Months/Years)
CostMost AffordableCost-EffectiveSignificant Investment

Why Partner with Us for CPSTIC?

We combine deep regulatory knowledge with strategic project management to deliver results, not just reports.

Strategic Pathfinding

We don’t just follow a checklist. We analyze your product and goals to find the fastest, most cost-effective route to inclusion.

End-to-End Management

From initial scoping to final submission and CCN liaison, we manage the entire lifecycle, freeing up your team to focus on your product.

Unmatched Expertise

Our team possesses deep, hands-on experience with the specific requirements of CPSTIC families and the nuances of the CCN’s processes.

Your Proven Roadmap to the CPSTIC Catalogue

We handle the complexity, you get the result. Our process adapts to your product's unique needs, ensuring the most efficient path to inclusion.

1

Strategic Scoping & Pathfinding

We start with a free analysis of your product and goals. We then determine the most efficient path for you: a LINCE evaluation, a STIC / Complementary STIC, or a direct Gap Analysis for existing certifications.

2

Documentation & Evidence Assembly

We manage the creation of all required documentation, including the Security Target and support for manuals, ensuring it meets the CCN’s rigorous standards so you don’t have to worry about the paperwork.

3

Evaluation & Technical Liaison

If testing is required, we perform the evaluation with no waiting queues. If issues are found, we work with your team to resolve them. Throughout the process, we act as your single technical point of contact, managing all queries to ensure a smooth process.

4

Submission & Follow-up

We prepare and submit the complete package to the CCN, proactively managing all communications and follow-ups to ensure a smooth and timely review for CPSTIC inclusion.

5

Successful Listing & PES Documentation

Your product is officially included in the CPSTIC Catalogue. We then generate the mandatory Secure Usage Procedure (PES) document to finalize your listing.

Frequently Asked Questions

Is Common Criteria or EUCC mandatory for CPSTIC?
No. LINCE, STIC or a Complementary STIC evaluation are valid and more efficient routes. We help you determine the best path.
Which ENS Categories does CPSTIC qualification cover?
CPSTIC qualification is the primary mechanism to demonstrate compliance with the Spanish National Security Framework (ENS), supporting products and services for use in systems up to the ENS HIGH Category.
How long does the CPSTIC inclusion process take?
The timeline varies. If your product only requires a gap analysis against an existing certification, the process can take just a few days. If additional testing is needed, it typically takes a few weeks. In every scenario, our process is optimized to get you listed in the CPSTIC Catalogue as fast as possible.
Do you provide end-to-end support for documentation?
Yes. We handle the entire documentation process, including the Security Target (if necessary), the differential analysis, and its submission.
What are the main categories of the CPSTIC Catalogue, and how do they apply to my product?
The CPSTIC Catalogue is divided into three categories: Approved Products, which are suitable for handling classified information; Qualified Products and Services, which meet the security requirements for sensitive information under the ENS; and Compliance and Governance Products and Services, which facilitate compliance with security regulations. Each category addresses specific security needs and helps position your product for public sector procurement.
What are CPSTIC families?
CPSTIC families are the official categories used to classify cybersecurity products based on their primary function (e.g., Firewalls, EDR, or SIEM). These families help ensure that your product is evaluated against the most relevant criteria for its intended use. The full list of families is detailed in the CCN-STIC 140 guide.
What is the CCN-STIC 106 guide?
The CCN-STIC 106 is the official guide from the CCN that outlines the different procedures for including products in the CPSTIC Catalogue. Our expertise allows us to navigate the process efficiently, choosing the best strategy for your product and ensuring all requirements are met.
How long will my product remain in the CPSTIC Catalogue?
The duration of inclusion in the CPSTIC Catalogue depends on the entry process, but the maximum period is 5 years. We monitor your product and manage the requalification process before its inclusion in the CPSTIC Catalogue expires.
We are a foreign company. Can you manage the entire CPSTIC process for us?
Absolutely. We specialize in acting as the local strategic partner for international companies. We manage all interactions with the CCN, handle documentation in Spanish, and navigate the entire process on your behalf, eliminating geographical and language barriers.
What does the CPSTIC requalification process involve?
Requalification involves re-testing, adapted to the current state of the art, to ensure the product remains secure against new threats. Because it builds upon the previous evaluation, this process is significantly faster and more cost-effective than the initial inclusion. We manage this process to ensure a smooth renewal.
What happens if my product fails to meet the requirements during the evaluation?
This is a common and constructive part of the process. Our role is not just to audit, but to improve your product. If we find any gaps, we provide a detailed report and work with your team to define the best remediation strategy. The goal is to ensure your product achieves compliance efficiently, not just to issue a "pass" or "fail" verdict.

Ready to Enter the CPSTIC Catalogue?

Schedule a free, no-obligation consultation to analyze your product and get a clear roadmap for CPSTIC inclusion.