ENISA Releases Updated NCAF 2.0 to Boost Government Cybersecurity Maturity and Gap Analysis

Key Takeaways

  • ENISA’s updated National Capabilities Assessment Framework (NCAF 2.0) offers a voluntary self‑assessment tool for EU Member States to measure the maturity of their National Cybersecurity Strategies (NCSS) across 20 strategic objectives.
  • The framework is organized into four thematic clusters—Capacity Building & Awareness, Cooperation & Collaboration, Cybersecurity Governance, and Regulatory & Policy Frameworks—each containing a set of objectives that reflect current EU policy, notably the NIS2 Directive.
  • Maturity is expressed through five levels, assessed via two types of indicators per objective: five generic strategy‑maturity questions, and cybersecurity‑capacity questions specific to the objective (871 in total across the framework). Each question is tagged as requisite (1) or optional (0) for a given level.
  • Development of NCAF 2.0 involved a survey of 14 Member States, pilot testing in Greece, Italy, and Luxembourg, and incorporation of feedback to align the framework with NIS2 requirements and practical usability.
  • The tool supports gap identification, strategy formulation, preparation for the voluntary NIS2 peer review, and cross‑national learning while preserving confidentiality of results unless a state chooses to publish them.
  • Practical guidance recommends allocating roughly 15 person‑days for the assessment, designating a coordinating body, using the NCSS as a scope guide (but not a constraint), and interpreting scores consistently over time to track progress.

Overview and Purpose of NCAF 2.0
The EU Agency for Cybersecurity (ENISA) released an updated version of its National Capabilities Assessment Framework, NCAF 2.0, to help national authorities evaluate the maturity of their cybersecurity strategies and pinpoint where further investment is required. By providing a structured method to measure progress at both strategic and operational levels, the framework enables governments to identify strengths, gaps, and priority areas in implementing their National Cybersecurity Strategies (NCSS). At the EU level, NCAF 2.0 serves as a common reference point that encourages mutual learning and the sharing of best practices among Member States, while also aligning with the evolving EU cybersecurity policy landscape, notably the NIS2 Directive, and preparing countries for the voluntary peer‑review process introduced under that legislation.

Framework Structure and Core Objectives
NCAF 2.0 retains the original methodological approach but revises its maturity model to reflect significant changes in the EU cybersecurity environment since 2020. The framework is built around 20 core strategic objectives—an expansion from the original 17—that were derived from common themes across Member States’ NCSSs. These objectives address cyber resilience and hygiene for the private sector (including SMEs), cybersecurity awareness, skills development, research and innovation, incident preparedness and response, cybercrime mitigation, international cooperation, trusted information‑sharing mechanisms, crisis management, digital identity security, public‑service trust, national risk assessments, cybersecurity governance, supply‑chain security, critical‑sector protection, coordinated vulnerability disclosure, and active cyber protection measures. Each objective carries equal weight in the assessment.

Maturity Levels and Indicator Design
The framework defines five maturity levels, ranging from initial/ad‑hoc to optimized/innovating. For each objective, two sets of indicators are provided: (1) five generic strategy‑maturity questions that are repeated identically for every objective at each maturity level, and (2) a set of cybersecurity‑capacity questions totalling 871 items, each tailored to the specific subject area of the objective. Every question is tagged with a binary value (0 or 1) indicating whether it is requisite for the corresponding maturity level, and each receives a unique identifier composed of the objective number, maturity level, and question number. This design ensures comprehensive coverage while allowing flexibility in how Member States apply the tool.

Development Process: Survey, Pilot, and Feedback Integration
Before finalizing NCAF 2.0, ENISA conducted a survey covering four areas: updated maturity‑level descriptions, revised NCSS‑objective goals, the new clustering of strategic objectives, and maturity questions for three selected objectives (national cybersecurity governance, cybersecurity risk‑management measures, and supply‑chain cybersecurity). Fourteen Member States responded, providing data that validated the proposed changes. The collected feedback was integrated into the framework’s maturity levels, objective goals, clustering structure, and indicator set, forming the first draft of NCAF 2.0. The draft was then piloted in Greece, Italy, and Luxembourg. Luxembourg highlighted the framework’s usefulness for structured strategy preparation but called for simplification; Greece praised its strong alignment with NIS2 and its effectiveness in identifying strengths, gaps, overlaps, and supporting implementation planning; Italy valued the tool for informing the forthcoming policy cycle through better prioritisation, clearer timelines, and benchmark establishment, while suggesting methodological simplifications and complementarity with the EU Cybersecurity Index.

Thematic Clusters and Their Objectives
NCAF 2.0 organizes the 20 objectives into four thematic clusters that reflect key areas of cybersecurity capacity within a national strategy:

  1. Capacity Building & Awareness – assesses the ability to raise awareness of cyber risks, strengthen cyber resilience and hygiene, continuously develop capabilities, enhance knowledge and skills, and advance intellectual property rights and research & development.
  2. Cooperation & Collaboration – evaluates information‑sharing effectiveness, mutual‑assistance processes, joint action against cybercrime, and cooperation at national and international levels to understand and respond to evolving threats.
  3. Cybersecurity Governance – measures capacity to establish effective governance structures, conduct risk assessments and management, develop crisis‑management frameworks, implement incident‑reporting mechanisms, and foster trust in digital identities and public services.
  4. Regulatory & Policy Frameworks – gauges the ability to put in place regulatory and policy instruments that improve supply‑chain security, promote active cyber protection, safeguard critical information infrastructure, establish coordinated vulnerability disclosure, and balance security with privacy considerations.

While clustering is a core feature, Member States retain the freedom to arrange objectives according to their national priorities.

Implementation Guidance and Practical Benefits
ENISA provides detailed recommendations for rolling out the framework. Member States should anticipate coordination efforts to gather and consolidate data from a wide range of stakeholders across government bodies, public agencies, and the private sector; experience shows the self‑assessment typically requires around 15 person‑days. Designating a central coordinating body is advised to liaise among stakeholders. The NCSS should guide the scope of the assessment but not constrain it—objectives not explicitly covered by a strategy can still be assessed if relevant capabilities exist. Consistency in score interpretation over time is essential, especially as national strategies evolve on three‑ to five‑year cycles.

The framework yields two score types: an overall general coverage ratio (based on all 20 objectives) and an overall specific coverage ratio (based on the objectives selected by the Member State, usually those present in its NCSS). The specific ratio is always equal to or higher than the general ratio, as the latter may include unaddressed objectives that lower the score. Adding a new objective raises the general ratio but may lower the specific maturity score if the new objective is at an early stage.

When completing the questionnaire, if a definitive answer is difficult, respondents should choose the most generally applicable response; if a question yields contradictory answers across contexts, the negative response should be recorded, signaling a need for remediation or future improvement.

ENISA notes several tangible benefits: NCAF 2.0 supplies structured information, good practices, and guidelines that support long‑term strategy development; it helps identify gaps or missing elements within NCSSs, enabling systematic remediation; it guides continuous improvement efforts, thereby strengthening overall cybersecurity capabilities; it aids preparation for the NIS2 voluntary peer review by clarifying assessment scope and focus; it enhances the credibility of NCSSs before the public and international partners; and it promotes outreach, transparency, and public trust in participating organizations.

Linkage to EU‑Level Instruments and Future Outlook
NCAF 2.0 is positioned to underpin the voluntary peer reviews established under Article 19 of the NIS2 Directive, serving as a practical tool for mutual learning and exchange of national practices. The EU Cybersecurity Index (EU‑CSI) already draws on selected NCAF questions to assess aspects of a country’s cybersecurity posture, and over time the EU‑CSI is expected to evolve toward closer alignment with NCAF, reinforcing consistent measurement of cybersecurity maturity across the Union. Additionally, ENISA’s refreshed NCSS Interactive Map—launched last June—complements NCAF 2.0 by providing a dynamic platform that tracks and compares Member States’ strategic objectives, implementation measures, and best practices, offering a clear, comparative view of Europe’s collective cybersecurity posture.

In summary, NCAF 2.0 equips EU Member States with a comprehensive, flexible, and evidence‑based instrument to self‑assess, improve, and benchmark their national cybersecurity capabilities, thereby supporting stronger, more coordinated resilience against cyber threats throughout the Union.
