
ENISA NCAF 2.0
ENISA's structured tool for scoring EU member-state national cybersecurity capability maturity under NIS2.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Does NCAF 2.0 give the Commission the evidence it needs to escalate NIS2 infringement cases?
Timeline for ENISA NCAF 2.0
Mentioned in: ENISA puts water and rail in risk zone
Cybersecurity: Threats and DefencesENISA scores NIS2 maturity with NCAF 2.0
Cybersecurity: Threats and DefencesWhat is ENISA NCAF 2.0 and why was it released?
How does NCAF 2.0 relate to NIS2 compliance?
Which EU countries are failing NIS2 compliance in 2026?
Background
The National Capabilities Assessment Framework 2.0 (NCAF 2.0) is a structured assessment tool published by ENISA to help EU member states evaluate and benchmark their national cybersecurity capabilities. It provides a common methodology across domains including governance, threat intelligence, Incident Response, operational security, and legislative frameworks — enabling member states to identify gaps against baseline requirements and track progress over time.
NCAF 2.0 is the successor to the original NCAF (version 1.0), which ENISA published in 2023 as a voluntary self-assessment companion to NIS2 transposition. The 2.0 revision deepened the measurement granularity, added a comparative benchmarking layer between member states, and aligned its capability domains more directly to the obligations that NIS2 places on national competent authorities — including designating supervisory bodies, establishing national CSIRTs, and maintaining sector-specific risk registers. The framework is not legally binding; it functions as a compliance mirror that national competent authorities can use to demonstrate maturity to the European Commission.
ENISA released NCAF 2.0 on 22 April 2026, timed to coincide with mounting European Commission pressure on the 19 member states still under reasoned opinions for partial NIS2 transposition . By mid-2025, only 14 of 27 EU member states had fully transposed NIS2 into national law, leaving a significant portion of the EU's essential and important-entity sectors outside the enforcement perimeter. NCAF 2.0 gives national competent authorities a defensible self-assessment narrative; it also gives the Commission a standardised evidence base for the next phase of infringement proceedings. For CISOs tracking the EU regulatory environment, NCAF 2.0 signals that compliance pressure will shift from political deadlines to capability benchmarks — organisations operating in multiple EU jurisdictions will face divergent supervision quality depending on their host state's maturity score.