HSEM, HSES and HPS in Spain: what they are and when defence suppliers may need them

HSEM, HSES and HPS in Spain matter when defence suppliers move closer to classified programmes, secure facilities or protected information. Understanding the difference helps industrial and technology companies avoid the wrong compliance sequence.

They should be treated carefully. HSEM, HSES and HPS are not universal requirements for every company that wants to sell to defence in Spain. They are linked to access to, handling of or storage of classified information. Whether they apply depends on the contract, programme, classification level, customer, tender requirements, role of the company and type of information involved.

For a manufacturer, engineering company, software firm, systems integrator, maintenance provider or dual-use technology supplier, the right question is not “Do we need these clearances to sell to defence?” The right question is “Does this specific opportunity involve classified information, and what type of clearance does it require?”

When HSEM, HSES or HPS may actually apply

HSEM, HSES and HPS belong to the field of industrial security related to classified information. In business terms, they help distinguish three different levels: the company, the facility and the individual.

  • HSEM: company security clearance. It applies to the company or contractor.
  • HSES: facility security clearance. It applies to a specific site or establishment.
  • HPS: personnel security clearance. It applies to specific individuals.

This distinction matters. A company may be cleared to access classified information and still not be authorised to store that information in its own facilities. Similarly, a specific person may need a personal clearance even if the company already has a company-level clearance.

These clearances are also granted for a specific classification level, so simply “having the clearance” is not enough: the authorised level and the precise scope of the activity, contract or programme also matter.

What is HSEM?

HSEM stands for Habilitación de Seguridad de Empresa, usually understood as a company security clearance. It recognises the company’s capability and commitment to protect classified information within the framework of a classified activity, contract or programme, up to the authorised level and when there is a real associated need.

HSEM should not be treated as a commercial badge. Having it does not guarantee contracts, replace technical credibility or remove the need for market positioning, documentation discipline and relationships with customers and integrators. It is a security clearance that makes sense when a concrete opportunity requires access to classified information.

HSEM may become relevant in situations such as:

  • participation in a Spanish defence programme involving classified information;
  • collaboration with a prime contractor requiring access to classified documentation;
  • engineering, software, integration or maintenance work linked to a classified contract;
  • participation in national or international programmes requiring company-level clearance.

What is HSES?

HSES stands for Habilitación de Seguridad de Establecimiento, or facility security clearance. It refers to specific facilities, not to the company in general. It may apply to an office, plant, laboratory, engineering centre or other site where classified information may be handled or stored when required.

The difference with HSEM is clear: HSEM refers to the company; HSES refers to the facility. A company should not assume that a company-level clearance automatically covers every site.

HSES may be relevant if the company needs to work with classified documentation in its own facilities, keep classified media on site, operate a controlled area or prepare a specific environment for handling classified information. If the company does not handle or store classified information in its own facilities, HSES may not be necessary.

What is HPS?

HPS stands for Habilitación Personal de Seguridad, or personnel security clearance. It applies to individuals, not to the company as a whole. It is required when a specific person needs access to classified information because of their role in a programme, contract or project.

In a technology or industrial company, HPS may be relevant for certain people in engineering, security, integration, programme management, technical support or contract management if they need access to classified information. Other employees without a real need to know should not be treated as automatic candidates.

Comparison table: HSEM, HSES and HPS

Clearance Who or what it applies to Purpose What it does not automatically imply
HSEM Company or contractor Recognises the company’s capability and commitment to protect classified information within the framework of a classified activity, contract or programme It does not by itself allow classified information to be handled or stored in the company’s own facilities
HSES Specific facility or establishment Allows classified information to be handled or stored in authorised facilities, when required It does not replace HSEM or automatically cover all company sites
HPS Specific individual Allows a person to access classified information within the authorised scope It does not clear the whole company or the whole workforce

When these clearances may apply

HSEM, HSES and HPS may apply when a company participates in activities, contracts, programmes or projects involving classified information. The need should be assessed case by case.

Relevant factors include:

  • whether the opportunity involves classified information;
  • the classification level of that information;
  • whether the company acts as prime contractor, subcontractor, integrator or technology partner;
  • whether information is accessed at the customer’s premises or handled in the supplier’s own facilities;
  • whether documents, media, drawings, specifications or data must be stored;
  • which people have a real need to access the information;
  • what the tender, contract, customer or prime contractor requires.

Subcontractors: do not assume the requirement disappears

For subcontractors, the need for HSEM, HSES or HPS may be driven by the prime contract and by the type of classified information they must access. A company entering the defence sector through an integrator should therefore not assume that these requirements do not apply: it should review what information it will handle, where it will handle it and what the prime contractor requires.

What companies should avoid: requesting clearances “just in case”

One of the most inefficient approaches is to pursue security clearances without a clear opportunity, a demonstrable need or an understanding of the classification level involved. These clearances should not be used as decorative marketing credentials. They are tools for protecting classified information when there is a real need to access, handle or store it.

Before moving forward, companies should also review the requirements to sell to the Spanish defence sector and distinguish between certifications, registers, technical solvency, industrial security and commercial readiness.

Before moving forward, a company should ask:

  • Which opportunity justifies the clearance?
  • Is there a contract, programme, customer or prime contractor requiring it?
  • Is the information classified, or merely sensitive but unclassified?
  • Will the information be handled in the customer environment or in the supplier’s own facilities?
  • Which people need access, and for what functions?
  • What classification level is involved?

Relationship with tenders, prime contractors and integrators

Many defence opportunities in Spain do not start with an open tender visible to every supplier. A company may enter the market as a subcontractor, specialised supplier, technology partner or part of a supply chain led by a prime contractor.

In those cases, security requirements may come from the tender, the prime contract, the public customer, an international programme or the integrator. Companies should therefore review not only public procurement channels, but also the qualification, security, quality and compliance requirements of major industrial actors.

The strategic sequence is simple: identify the opportunity, understand whether classified information is involved, then assess which clearance may be required.

Common mistakes

  • Assuming that every company selling to defence in Spain needs HSEM.
  • Confusing HSEM with permission to store classified information in company premises.
  • Forgetting that HSES applies to specific facilities, not to the company in general.
  • Assuming that HPS covers the whole workforce when it applies to specific individuals.
  • Starting clearance processes without a real opportunity or defined need.
  • Failing to ask the customer or prime contractor about the required level and scope.
  • Treating industrial security as separate from commercial and technical strategy.

Practical checklist for defence suppliers

  • Define the product, service or capability to be positioned in the Spanish defence sector.
  • Identify whether the opportunity involves classified information.
  • Review tender documents, customer requirements or prime contractor conditions.
  • Distinguish clearly between company, facility and person.
  • Determine whether the company needs access, handling, generation or storage of classified information.
  • Identify which people have a real need to know.
  • Assess whether internal industrial security processes must be prepared.
  • Avoid starting clearance work without a clear operational or contractual justification.
  • Connect security analysis with business development, technical readiness and compliance.

When defence consulting in Spain can help

An industrial or technology company may have strong capabilities for defence but still be unsure whether HSEM, HSES, HPS or other preparations are relevant. In that situation, defence consulting can help distinguish between what is essential, what is useful and what is unnecessary at a given stage.

The goal is not to recommend clearances automatically. The goal is to analyse the opportunity, understand the type of information involved, clarify the company’s role in the value chain, identify customer requirements and build a realistic roadmap.

From Vicente Millán’s perspective, entering the Spanish defence sector requires translating industrial and technological capabilities into specific market requirements. In industrial security, that means avoiding overreaction, avoiding underestimation and making decisions based on the actual opportunity.

Conclusion

To place HSEM, HSES and HPS within the broader set of registers, certifications and entry routes, see the guide to entering the Spanish defence market.

HSEM, HSES and HPS are relevant when a company comes into contact with classified information in defence contracts, programmes or projects in Spain. But they should not be presented as universal requirements for selling to defence.

HSEM refers to the company, HSES to the facility and HPS to specific individuals. Their need depends on the contract, classification level, customer, tender, programme and type of information handled.

The key for an industrial or technology company is not to accumulate clearances. It is to understand the opportunity it wants to pursue, the information it may need to access, the applicable classification level and the real requirements that separate it from credible participation.

Do you want to understand whether your company should prepare for industrial security requirements in the Spanish defence sector? We can review your capabilities, target opportunities and the most realistic roadmap to move forward without overdimensioning requirements.

FAQ about HSEM, HSES and HPS in Spain

Does every company selling to defence in Spain need HSEM?

No. HSEM may be required when the company needs to generate or access classified information in a specific contract, programme or project. It is not a universal requirement for every defence supplier.

Does HSEM allow a company to store classified information in its own facilities?

No, not by itself. HSEM recognises the company’s capability to protect classified information within the authorised scope. Handling or storing classified information in company facilities may require HSES when applicable.

What is the difference between HSEM and HSES?

HSEM applies to the company or contractor. HSES applies to a specific authorised facility where classified information may be handled or stored up to a specific authorised level.

Who needs HPS?

HPS applies to specific individuals who need access to classified information because of their role in a contract, programme or project. It does not apply automatically to the whole workforce.

Should a foreign supplier obtain HSEM, HSES or HPS before entering the Spanish defence market?

Not necessarily. The first step is to identify a real opportunity, understand whether classified information is involved and check what the customer, tender or prime contractor requires.

Do these clearances guarantee defence business in Spain?

No. They are security requirements when applicable. They do not replace technical competence, commercial positioning, partner strategy, documentation quality or credibility with customers.

External sources