{"id":205050,"date":"2026-04-23T06:21:00","date_gmt":"2026-04-23T10:21:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/23\/enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking\/"},"modified":"2026-04-23T06:35:16","modified_gmt":"2026-04-23T10:35:16","slug":"enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/23\/enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking\/","title":{"rendered":"ENISA updates NCAF 2.0 to help governments measure and close cybersecurity gaps, push cyber maturity benchmarking"},"content":{"rendered":"<p><a href=\"https:\/\/industrialcyber.co\/regulation-standards-and-compliance\/enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking\/\">ENISA updates NCAF 2.0 to help governments measure and close cybersecurity gaps, push cyber maturity benchmarking<\/a><\/p>\n<p><a href=\"https:\/\/industrialcyber.co\/regulation-standards-and-compliance\/enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking\/\">https:\/\/industrialcyber.co\/regulation-standards-and-compliance\/enisa-updates-ncaf-2-0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-23 06:21:00<\/a><\/p>\n<p>Source Domain: <a href=\"industrialcyber.co\">industrialcyber.co<\/a><\/p>\n
<p>The EU Agency for Cybersecurity (ENISA) published an updated version of its National Capabilities Assessment Framework, NCAF 2.0, designed to help national authorities evaluate the maturity of their cybersecurity strategies and identify where further investment is needed. The revised framework and accompanying online tool give governments a structured way to measure progress at both strategic and operational levels, pinpointing strengths, gaps, and priority areas in the implementation of National Cybersecurity Strategies (NCSS).<\/p>\n<p>At the European level, NCAF 2.0 serves as a common reference point to encourage mutual learning and the sharing of best practices among member states. The framework has been updated to reflect the evolving EU cybersecurity policy landscape, including alignment with the NIS2 Directive, and is intended to help member states prepare for the voluntary peer review process.<\/p>\n<p>NCAF 2.0 intends to help Member States identify areas of improvement and build capabilities. The revised framework also takes into account recent regulatory frameworks such as NIS2 (e.g., Articles 7, 19, 21 and 23), the CRA, and others, helping Member States to identify areas for improvement and strengthen their cybersecurity capabilities.<\/p>\n<p>In the next phase, the NCAF maturity model was revised to reflect significant changes in the EU cybersecurity landscape since 2020, while retaining the original methodological framework. Updates included incorporating new requirements for national cybersecurity strategies and peer reviews under NIS2, revising the descriptions of the five maturity levels, and reorganising the clustering of ENISA\u2019s strategic objectives developed for the NCSS map.<\/p>\n<p>The self-assessment framework is designed to support Member States in strengthening their cybersecurity capabilities by defining maturity levels at multiple layers \u2013 objective level, cluster level and overall (global) level. 
It can be used voluntarily by Member States as a self-assessment framework to evaluate the maturity of their cybersecurity capabilities, measuring performance against a defined set of 20 objectives.\u00a0<\/p>\n<p>Additionally, Member States may carry out assessments at the national level across all objectives, a selected cluster of objectives, or a single objective, depending on their priorities. The results remain confidential unless a Member State chooses to publish them voluntarily. Within the framework, all assessed objectives carry equal weight and are considered equally important. The structure also allows Member States to track progress over time and measure improvements in their cybersecurity posture.<\/p>\n<p>Despite differences across NCSSs and action plans, Member States tend to converge around a set of common strategic priorities. ENISA has analyzed these overlaps and identified 20 core strategic objectives. This updated list expands on the original 17 objectives in the NCAF and introduces additional thematic areas.<\/p>\n<p>These objectives focus on strengthening the cyber resilience and cyber hygiene of the private sector, including small and medium-sized enterprises, while promoting broader cybersecurity awareness and good cyber hygiene practices. They emphasize closing the cybersecurity skills gap and fostering research, development, and innovation. They also prioritize enhancing incident preparedness and response, addressing cybercrime, and deepening international cooperation.<\/p>\n<p>The framework highlights the importance of establishing trusted information-sharing mechanisms and mutual assistance processes, alongside developing robust crisis management frameworks. 
It calls for securing digital identities and building trust in digital public services, as well as conducting national-level risk assessments and strengthening cybersecurity governance.<\/p>\n<p>Further, the objectives include implementing effective cybersecurity risk management measures and incident reporting mechanisms, while ensuring an appropriate balance between security and privacy. They stress improving supply chain cybersecurity, protecting critical sectors, and establishing coordinated vulnerability disclosure policies. Finally, they promote the adoption of active cyber protection measures to strengthen overall national resilience.<\/p>\n<p>Once the framework update was concluded, a survey was designed to ensure the revised NCAF aligned with member states\u2019 needs and expectations. It covered four areas: the updated maturity level descriptions, the revised set of goals for NCSS objectives, the proposed new clustering of strategic objectives, and maturity questions for three selected objectives, including strengthening national cybersecurity governance, establishing cybersecurity risk management measures, and improving supply chain cybersecurity. The responses collected from member states served to validate these four elements and inform the next steps in developing the revised framework. In total, 14 member states completed the survey.<\/p>\n<p>ENISA detailed that the update of the NCAF maturity model guided the development of maturity questions in the next phase. The goals of each objective were broken down into more granular subgoals, detailing the activities required to achieve them, with maturity questions then formulated for each subgoal and maturity level to ensure comprehensive coverage. These questions drew on EU legislation, relevant policy documents, and best practices reflected in member states\u2019 NCSSs and action plans. 
The process was initially applied to the three objectives included in the survey before being extended to the remaining 17.<\/p>\n<p>In parallel, feedback collected from member states during the survey was reviewed and incorporated into the relevant sections of the framework. The updated maturity levels, revised objective goals, new clustering structure, and maturity questions for all 20 objectives were then brought together into the first draft of NCAF 2.0.<\/p>\n<p>The draft was subsequently piloted with Greece, Italy, and Luxembourg to assess its effectiveness in supporting the development and revision of the NCSSs. The pilot broadly confirmed the framework\u2019s practical value. Luxembourg highlighted its usefulness in promoting a structured approach to strategy preparation, particularly through systematic mapping of existing frameworks, legislation, and practices, while also calling for simplification.\u00a0<\/p>\n<p>ENISA noted that Greece praised its strong alignment with NIS2 and its effectiveness in identifying strengths, gaps, and overlaps, and in supporting implementation planning and interinstitutional coordination, including in public bodies with limited resources. Italy found the framework valuable for informing the forthcoming policy cycle through better prioritisation, clearer timelines, and the establishment of benchmarks, while also offering proposals to strengthen the methodology, simplify the framework, and ensure complementarity with the EU Cybersecurity Index.<\/p>\n<p>One of the goals of NCAF 2.0 is to evaluate cybersecurity capabilities based on the priorities outlined in the various NCSS. Fundamentally, the framework assesses the level of maturity of the cybersecurity capabilities of the Member States in the domains defined by the NCSS objectives. 
Thus, the results of the framework support Member State policymakers in framing national strategies on cybersecurity by providing them with national-level intelligence on the state of play.\u00a0<\/p>\n<p>On a practical level, ENISA found that the NCAF delivers several tangible benefits. It provides structured information, including good practices and guidelines, that supports the development of long-term cybersecurity strategies. It helps identify gaps or missing elements within NCSSs, allowing governments to address weaknesses more systematically. The framework also contributes to strengthening overall cybersecurity capabilities by guiding continuous improvement efforts.<\/p>\n<p>In addition, the NCAF supports Member States in preparing for the NIS2 peer review process, particularly by helping define the scope and focus of assessments. It enables authorities to anticipate emerging challenges and policy issues before they escalate. Beyond operational value, the framework enhances the credibility of NCSSs in the eyes of both the general public and international partners. It also promotes outreach and transparency, which in turn improves the public image and trustworthiness of participating organizations.<\/p>\n<p>NCAF 2.0 is structured around four thematic clusters representing key areas of cybersecurity capacity within a national cybersecurity strategy.<\/p>\n<p>The first, capacity building and awareness, assesses member states\u2019 ability to raise awareness of cybersecurity risks and threats, strengthen cyber resilience and hygiene, develop cybersecurity capabilities continuously, and enhance knowledge and skills across the domain. 
It also addresses improvements in intellectual property rights and advances in cybersecurity research and development.<\/p>\n<p>The second, cooperation and collaboration, evaluates how effectively member states share information and cooperate with different stakeholders at national and international levels, including through mutual assistance processes. It also assesses their capacity to address and counter cybercriminal activity, recognising cooperation as a critical tool for understanding and responding to an evolving threat environment.<\/p>\n<p>The third, cybersecurity governance, measures member states\u2019 capacity to establish effective governance and good practices in the cybersecurity domain. It covers national cybersecurity governance, risk assessment and management, crisis management, incident reporting mechanisms, and fostering trust in public services and digital identities.<\/p>\n<p>The fourth, regulatory and policy frameworks, measures member states\u2019 capacity to put in place the regulatory and policy instruments needed to improve supply chain cybersecurity, promote active cyber protection, and safeguard critical information infrastructure. It also assesses their ability to establish coordinated vulnerability disclosure frameworks and to balance security with privacy.<\/p>\n<p>Each cluster contains a set of strategic objectives that member states may incorporate into their national cybersecurity strategy. While clustering is an integral feature of NCAF 2.0, member states remain free to organise these objectives as they see fit.<\/p>\n<p>ENISA also detailed NCAF indicators, organised by cluster. For each cluster, a table sets out the full set of indicators in the form of questions aligned with specific maturity levels, with the questionnaire serving as the primary instrument for self-assessment.<\/p>\n<p>For each objective, two sets of indicators are included. 
The first is a set of generic strategy maturity questions, comprising five generic questions for each maturity level, repeated consistently across all objectives. The second is a set of cybersecurity capacity questions, totalling 871 questions that are numbered, maturity-level specific, and tailored to the subject area covered by each objective.<\/p>\n<p>Each question is accompanied by a tag, either 0 or 1, indicating whether it is a requisite indicator for the corresponding maturity level. Each question is also assigned an identification number composed of the objective number, maturity level, and question number. Unless otherwise specified, all questions apply at the national level.\u00a0<\/p>\n<p>ENISA notes that the NCAF can also serve as a foundation for discussions within the voluntary peer reviews established under Article 19 of the NIS2 Directive. In this role, it functions as a practical tool to support mutual learning and the exchange of national practices among Member States. The EU Cybersecurity Index (EU-CSI) already draws on elements of the NCAF, using selected questions to assess aspects of a country\u2019s cybersecurity posture. Over time, the EU-CSI is expected to evolve in closer alignment with the NCAF, reinforcing consistency in how cybersecurity maturity is measured across the EU.<\/p>\n<p>The document also sets out guidelines and recommendations for member states on rolling out the framework and completing the questionnaire.<\/p>\n<p>Member states should anticipate coordination activities required to gather and consolidate data. Experience shows that completing a self-assessment typically requires around 15 person-days and involves engaging a wide range of stakeholders. Sufficient time should therefore be allocated during the preparation phase to identify all relevant stakeholders across government bodies, public agencies, and the private sector. 
It is also recommended that a central body or agency be designated to coordinate and liaise among all relevant stakeholders, given the breadth of material that needs to be gathered.<\/p>\n<p>The assessment exercise should also be used as an opportunity to share knowledge and foster dialogue on cybersecurity topics. Lessons from member states indicate that discussions held through individual interviews or collective workshops provide a valuable forum for sharing perspectives and identifying areas for improvement. Sharing results can help raise awareness and promote cybersecurity initiatives, alongside highlighting key achievements.<\/p>\n<p>When defining the scope of the assessment, the national cybersecurity strategy should be used as a guide but not a constraint. The 20 objectives in NCAF 2.0 were derived from objectives commonly addressed in national strategies, and while the strategy can inform which objectives to prioritise, it should not exclude others. Where a member state holds relevant cybersecurity capabilities in an area not explicitly covered by its strategy, that objective can still be assessed.<\/p>\n<p>Where the scope of the national strategy evolves, care should be taken to ensure that score interpretation remains consistent across editions. Since many member states operate on three to five-year roadmaps, scope changes between successive strategies can affect maturity scores, and it is recommended to compare results across the full set of strategic objectives from one year to the next.<\/p>\n<p>On the scoring mechanism, two levels of scores are produced: an overall general coverage ratio based on the complete list of strategic objectives in the framework, and an overall specific coverage ratio based on the objectives selected by the member state, typically those present in its national strategy. 
By design, the specific coverage ratio will always be equal to or higher than the general ratio, as the latter may include objectives not yet addressed, which can lower the overall score. When a member state adds a new objective, the general coverage ratio will rise, though the specific maturity score may fall if the newly added objective is at an early stage of development.<\/p>\n<p>Finally, when completing the questionnaire, member states should bear in mind that its primary purpose is to support cybersecurity capacity building. Where a definitive answer is difficult to provide, the response most generally applicable should be selected. If a question is answered positively in one context but negatively in another, the negative response should be recorded, as it signals that action is required, whether through a remediation plan or by addressing the gap in future developments.<\/p>\n<p>Last June, ENISA refreshed its NCSS Interactive Map, a dynamic digital platform that tracks and compares how EU Member States are shaping their national cybersecurity agendas. The platform breaks down each country\u2019s strategic objectives, implementation measures, and best practices, providing a clear, comparative view of how Europe is strengthening its collective cybersecurity posture.<\/p>\n<p>Anna Ribeiro<\/p>\n<p>Industrial Cyber News Editor. 
Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.\t\t\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ENISA updates NCAF 2.0 to help governments measure and close cybersecurity gaps, push cyber maturity&#8230;<\/p>\n","protected":false},"author":1,"featured_media":205051,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/industrialcyber.co\/wp-content\/uploads\/2026\/04\/2026.04.23-ENISA-updates-NCAF-2.0-to-help-governments-measure-and-close-cybersecurity-gaps-push-cyber-maturity-benchmarking.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-205050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205050"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=205050"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205050\/revisions"}],"predecessor-version":[{"id":205052,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205050\/revisions\/205052"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/205051"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=205050"}],"wp
:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=205050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=205050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}