Not all EU member states approach national cybersecurity with the same depth, resources, or governance architecture - and until now, no broadly agreed-upon yardstick existed for measuring that disparity. ENISA's release of the National Capabilities Assessment Framework 2.0 (NCAF 2.0) in April 2026 represents the agency's most substantive attempt to bridge that measurement gap, providing a structured methodology governments can use to assess, compare, and improve their cybersecurity posture at both strategic and operational levels.
What NCAF 2.0 Is - and Why It Matters Now
The National Capabilities Assessment Framework 2.0 is a key EU instrument designed by ENISA to help member states assess and strengthen their national cybersecurity capabilities. A voluntary, flexible, and adaptable tool, it provides a structured methodology to evaluate maturity across 20 strategic objectives, enabling policymakers to identify gaps, set priorities, and drive evidence-based decision-making.
The timing of the update is significant. NCAF 2.0 aligns fully with the NIS2 Directive, serving as practical support for the development and implementation of National Cybersecurity Strategies (NCSS) and preparation for Article 19 peer reviews. With NIS2 now the operative legislative baseline across the bloc, governments face mounting pressure to demonstrate compliance and capability - not merely on paper but at a level of operational specificity that can withstand external scrutiny.
The revised framework and online tool give national authorities a practical, flexible way to gauge where NCSS implementation stands and where further effort is needed. Through its structured assessment approach, member states can identify strengths, gaps, and priority areas. By evaluating the maturity of objectives defined within national strategies, authorities can track progress at both strategic and operational levels.
From 17 to 20: What Changed in the Structural Update
NCAF 2.0 is not a wholesale redesign but a targeted, evidence-based revision. During the revision phase, the maturity model was updated to reflect significant changes in the EU cybersecurity landscape since 2020 while retaining the original methodological framework. Updates included incorporating new requirements for national cybersecurity strategies and peer reviews under NIS2, revising the descriptions of the five maturity levels, and reorganizing the clustering of ENISA's strategic objectives developed for the NCSS map.
NCAF 2.0 expands the framework's strategic objective count from 17 to 20, with additional objectives addressing areas such as supply chain cybersecurity and active cyber protection. The updated objectives cover implementing effective cybersecurity risk management measures and incident reporting mechanisms while ensuring an appropriate balance between security and privacy. They stress improving supply chain cybersecurity, protecting critical sectors, and establishing coordinated vulnerability disclosure policies. They also promote adopting active cyber protection measures to strengthen overall national resilience.
The four thematic clusters organizing these objectives have been restructured:
- Capacity building and awareness assesses member states' ability to raise awareness of cybersecurity risks and threats, strengthen cyber resilience and hygiene, develop cybersecurity capabilities continuously, and enhance knowledge and skills across the domain.
- Cooperation and collaboration evaluates how effectively member states share information and cooperate with stakeholders at national and international levels. It also assesses their capacity to address and counter cybercriminal activity, recognizing cooperation as a critical tool for understanding and responding to an evolving threat environment.
- Cybersecurity governance measures member states' capacity to establish effective governance and good practices. It covers national cybersecurity governance, risk assessment and management, crisis management, incident reporting mechanisms, and fostering trust in public services and digital identities.
- Regulatory and policy frameworks measures member states' capacity to implement the regulatory and policy instruments needed to improve supply chain cybersecurity, promote active cyber protection, and safeguard critical information infrastructure. It also assesses their ability to establish coordinated vulnerability disclosure frameworks and balance security with privacy.
Maturity Benchmarking: Five Levels, Equal Weight
A central feature of NCAF 2.0 is its structured five-level maturity model. Each level represents a stage of development in national cybersecurity capabilities:
- Level 1 (Foundation) reflects countries that have begun their cybersecurity journey but lack a comprehensive, coordinated approach.
- Level 2 (Developing) indicates strategies are in place but implementation remains in early stages.
- Level 3 (Established) applies to member states with well-established frameworks, clear governance structures, and resource allocation.
- Level 4 (Mature) describes a strategy aligned across all sectors with ongoing evaluations.
- Level 5 (Advanced) characterizes countries with an adaptive, forward-looking strategy responsive to emerging threats and technological advancements.
Notably, NCAF 2.0 assigns equal weight to all 20 assessed objectives, with no single capability area treated as more foundational than another. The self-assessment framework defines maturity levels at multiple layers - objective level, cluster level, and overall (global) level. Member states can use it voluntarily to evaluate the maturity of cybersecurity capabilities against a defined set of 20 objectives. Assessments may cover all objectives, a selected cluster, or a single objective, depending on national priorities.
Results remain confidential unless a member state chooses to publish them voluntarily. This design choice addresses a persistent tension in EU-wide benchmarking: the need for comparable data at the bloc level versus national sensitivity about disclosing capability gaps that adversaries could exploit.
Incident Response and Risk Governance: Operational Implications
For industrial operators and critical infrastructure managers, the governance cluster carries direct operational relevance. The framework explicitly evaluates the maturity of crisis management and incident reporting mechanisms - competencies that translate directly to how prepared a national government is to coordinate response to large-scale cyber incidents affecting industrial sectors.
ENISA notes that the NCAF can serve as a foundation for discussions within the voluntary peer reviews established under Article 19 of the NIS2 Directive, functioning as a practical tool to support mutual learning and the exchange of national practices. For organizations operating under NIS2 across multiple EU jurisdictions, the consistency of national-level incident response frameworks directly affects how cross-border incidents are handled, escalated, and resolved.
The NCAF also supports member states in preparing for the NIS2 peer review process, particularly by helping define the scope and focus of assessments. It enables authorities to anticipate emerging challenges and policy issues before they escalate. This forward-looking dimension is particularly relevant as EU-CyCLONe and national CSIRT networks increasingly need common ground for large-scale incident coordination.
Cross-Border Benchmarking: Progress and Persistent Challenges
The ambition of NCAF 2.0 extends beyond individual national assessments. The EU Cybersecurity Index (EU-CSI) already draws on elements of the NCAF, using selected questions to assess aspects of a country's cybersecurity posture. Over time, the EU-CSI is expected to evolve in closer alignment with the NCAF, reinforcing consistency in how cybersecurity maturity is measured across the EU.
However, comparable metrics across 27 member states remain a structural challenge. The framework's voluntary nature means uptake is uneven, and confidential self-assessment results cannot feed into EU-wide benchmarking without member state consent. A self-assessment using NCAF 2.0 typically requires approximately 15 person-days and involves engaging a wide range of stakeholders, according to ENISA's own guidance - a non-trivial resource commitment for smaller national authorities with limited dedicated cybersecurity staff.
Pilot testing of the updated framework revealed this tension directly. The draft was piloted with Greece, Italy, and Luxembourg to assess its effectiveness. The pilot broadly confirmed the framework's practical value. Luxembourg highlighted its usefulness in promoting a structured approach to strategy preparation through systematic mapping of existing frameworks, legislation, and practices, while also calling for simplification. ENISA noted that Greece praised the framework's strong alignment with NIS2 and its effectiveness in identifying strengths, gaps, and overlaps, and in supporting implementation planning and interinstitutional coordination - including in public bodies with limited resources.
The pilot feedback points to a fundamental design tension ENISA will need to navigate in subsequent iterations: depth of assessment versus accessibility for resource-constrained governments.
Implications for Industrial Operators and OT-Facing Policy
For senior operations leaders and industrial IT/OT managers, the NCAF 2.0 update is relevant primarily as a policy signal. The maturity levels and cluster weightings within a given member state will shape the regulatory and support environment in which industrial operators function - influencing how national authorities prioritize sector-specific cybersecurity requirements, how funding flows to industrial resilience programs, and how incident reporting obligations evolve under NIS2 implementation.
The framework's explicit treatment of supply chain cybersecurity as a standalone strategic objective also signals continued regulatory focus on third-party risk in critical sectors. By providing a structured methodology for assessing cybersecurity efforts, NCAF 2.0 enables national authorities to make data-driven decisions that enhance their overall security posture. The framework promotes mutual learning and best practice sharing among EU member states, fostering collaboration on key cybersecurity issues.
This article is part of ongoing coverage of the EU regulatory landscape for industrial cybersecurity. For analysis of how ENISA's secure-by-design principles intersect with OT product development, see "ENISA's Secure-by-Design Playbook Advances OT/IT Lifecycle Security."
Key Takeaways
- NCAF 2.0 expands ENISA's national maturity framework from 17 to 20 strategic objectives, restructured across four thematic clusters.
- The update fully aligns with the NIS2 Directive, including support for voluntary Article 19 peer reviews.
- A five-level maturity model provides a common reference for benchmarking government cybersecurity capabilities across the EU.
- Results remain confidential by default, limiting EU-wide comparative benchmarking unless member states opt to publish.
- Piloted with Greece, Italy, and Luxembourg, the framework demonstrated practical value while highlighting the need for simplification for resource-constrained authorities.
- Industrial operators should monitor how NCAF 2.0 adoption shapes national regulatory priorities, incident response coordination, and supply chain security policy in member states where they operate.
