ENISA Publishes National Capabilities Assessment Framework (NCAF) 2.0 – 2026 Edition
The European Union Agency for Cybersecurity (ENISA) has released the National Capabilities Assessment Framework (NCAF) 2.0 – 2026 Edition, providing an updated tool to support EU Member States in assessing and strengthening their national cybersecurity capabilities.
Updated framework aligned with evolving EU legislation
The new version reflects developments in the EU cybersecurity landscape, particularly the NIS2 Directive, as well as other key legislative instruments such as the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).
NCAF 2.0 aims to support Member States in evaluating the maturity of their national cybersecurity strategies (NCSS) and improving both strategic and operational capabilities.
Structure and methodology
The framework introduces a five-level maturity model, ranging from foundational to advanced levels, enabling countries to measure progress over time.
It is structured around 20 strategic objectives, grouped into four main clusters:
Capacity building and awareness
Cooperation and collaboration
Cybersecurity governance
Regulatory and policy frameworks
Each objective is supported by detailed maturity questions and indicators, allowing Member States to conduct a structured self-assessment.
Key focus areas
The updated framework places emphasis on several areas, including:
Cybersecurity risk management measures
Incident reporting mechanisms
Supply chain cybersecurity
Protection of critical sectors
Information sharing and cooperation
Voluntary tool for continuous improvement
NCAF 2.0 is designed as a voluntary self-assessment framework, allowing Member States to track progress over time and identify areas for improvement. Assessment results are not published unless a Member State chooses to do so.
The framework can also support peer review processes under NIS2 and facilitate discussions on cybersecurity capabilities across the EU.
Read the full document below.
