ENISA Publishes NCAF 2.0, Raising Cybersecurity Maturity Bar for EU Member States

ENISA releases NCAF 2.0, a revised national cybersecurity maturity framework aligned with NIS2 for use by national authorities, with knock-on effects for critical infrastructure operators across the EU.

The European Union Agency for Cybersecurity (ENISA) has released an updated National Capabilities Assessment Framework - NCAF 2.0 - designed to give national authorities a structured, measurable methodology for evaluating and closing gaps in their cybersecurity strategies. The revised framework arrives as EU member states navigate compliance deadlines under the NIS2 Directive, placing new pressure on governments and, by extension, the critical infrastructure operators and private-sector entities within its scope.

Background

For over a decade, ENISA has supported EU member states in developing and refining national cybersecurity strategies. The original NCAF tool launched in 2022, and the agency has now issued a substantially revised version to keep pace with a shifting regulatory landscape. On January 16, 2023, Directive (EU) 2022/2555, known as NIS2, entered into force, replacing Directive (EU) 2016/1148. Member states were required to transpose NIS2 into national law by October 17, 2024. NIS2 serves as a key reference point for the NCAF 2.0 revision, with ENISA explicitly incorporating its requirements into the updated maturity model.

ENISA has also published companion guidance documents supporting NIS2 implementation, including technical guidance on cybersecurity risk management measures covering 13 thematic areas and a handbook for cyber stress testing. The acceleration of EU-level cybersecurity policy output reflects sustained regulatory momentum following a wave of disruptive incidents across critical sectors.

Details

ENISA published NCAF 2.0 to help national authorities evaluate the maturity of their cybersecurity strategies and identify where further investment is needed. The revised framework and accompanying online tool give governments a structured way to measure progress at both strategic and operational levels.

NCAF 2.0 measures performance against a defined set of 20 objectives organized across four thematic clusters: capacity building and awareness, cyber threats and incident management, legal and regulatory, and regulatory and policy frameworks. The regulatory and policy frameworks cluster assesses member states' capacity to improve supply chain cybersecurity, promote active cyber protection, and safeguard critical information infrastructure, while also evaluating their ability to establish coordinated vulnerability disclosure frameworks and balance security with privacy.

Updates to the maturity model include incorporating new requirements for national cybersecurity strategies and peer reviews under NIS2, revising the descriptions of the five maturity levels, and reorganizing the clustering of ENISA's strategic objectives. The revised framework accounts for NIS2 Articles 7, 19, 21, and 23, the Cyber Resilience Act, and other regulatory instruments, helping member states identify areas for improvement and strengthen cybersecurity capabilities.

The framework also supports member states in preparing for the voluntary peer review process established under Article 19 of the NIS2 Directive. Member states may conduct assessments at the national level across all objectives, a selected cluster, or a single objective, depending on their priorities.

Early feedback from member states indicates practical value. Greece praised the framework's alignment with NIS2 and its effectiveness in identifying strengths, gaps, and overlaps, as well as in supporting implementation planning and inter-institutional coordination - including in public bodies with limited resources. Italy found the framework valuable for informing the forthcoming policy cycle through better prioritization, clearer timelines, and the establishment of benchmarks.

For private-sector critical infrastructure operators, the implications of NCAF 2.0 extend beyond government ministries. The NIS2 Directive sets out cybersecurity risk management and reporting requirements across 18 sectors - including digital infrastructure, energy, transport, and health - that must be transposed into national law. As national authorities use NCAF 2.0 to benchmark and close their own capability gaps, they can be expected to tighten supervision of operators in those sectors, including how risk assessments are evidenced, how Article 23 incident reporting deadlines are enforced, and what supply chain controls are required. Organizations in those supply chains should prepare for heightened scrutiny of their cybersecurity practices: more rigorous customer assessments, stricter incident reporting expectations, and security obligations flowed down to their own suppliers.

Outlook

The updated framework aims to strengthen the EU's collective cybersecurity posture while allowing member states to adapt the assessment to their national context and priorities. ENISA has indicated the framework is designed as a living instrument, subject to periodic review as both the regulatory landscape and the threat environment evolve. For critical infrastructure operators in energy, transport, manufacturing, and healthcare, NCAF 2.0 signals a continuing shift from self-attestation toward evidence-based, measurable compliance - with national peer reviews under NIS2 likely to impose tighter scrutiny on how maturity claims are substantiated. Supply chain risk programs and third-party governance frameworks will face increasing pressure to align with the structured benchmarks that NCAF 2.0 now makes available to member state regulators.


Related coverage: ENISA's Secure-by-Design Playbook Advances OT/IT Lifecycle Security | UK Cyber Security and Resilience Bill Targets OT Asset Owners