What is ENISA and what does it regulate?: ENISA is the EU Agency for Cybersecurity, responsible for cybersecurity certification schemes, threat landscape reports and technical guidance to the European Commission on NIS2 and CRA implementation. It opened a consultation on EU Digital Identity Wallet certification in April 2026 and published the NCAF 2.0 NIS2 maturity framework on 22 April 2026.Source: ENISA
What is ENISA's National Capabilities Assessment Framework and why does it matter?: NCAF 2.0, published by ENISA on 22 April 2026, is a structured framework for EU member states to benchmark their national cybersecurity maturity against NIS2 obligations. It was released alongside the European Commission's 19 reasoned opinions on member states that have not yet fully transposed NIS2 into national law.Source: ENISA / European Commission, April 2026
Which EU countries are behind on NIS2 implementation?: The European Commission issued 19 reasoned opinions in April 2026 identifying member states with NIS2 transposition gaps. ENISA's NCAF 2.0 provides the benchmarking framework against which those gaps are now formally assessed.Source: European Commission / ENISA April 2026

Background

The European Union Agency for Cybersecurity (ENISA) opened a public consultation on a draft EU Digital Identity Wallet certification scheme on 3 April 2026, a significant milestone in establishing the security-assurance requirements that wallet implementations must achieve under eIDAS2. The certification scheme will define how the EU Digital Wallet intersects with the Cyber Resilience Act (CRA) product-security requirements that apply from 11 December 2027. On 22 April 2026, ENISA published the National Capabilities Assessment Framework v2 (NCAF 2.0), designed to support member-state benchmarking of NIS2 maturity, alongside the European Commission's 19 reasoned opinions identifying NIS2 transposition gaps across member states.

ENISA is the EU's central cybersecurity agency, responsible for developing cybersecurity certification schemes, threat-landscape assessments and supporting member-state CERTs. It publishes the annual ENISA Threat Landscape report, manages the EU cybersecurity certification framework under the Cybersecurity Act, and provides technical guidance to the European Commission on NIS2 and CRA implementation.

For technology vendors building EU Digital Identity Wallet infrastructure, ENISA's certification consultation is the primary technical-standard input document. The intersection of eIDAS2 certification and CRA product-security obligations creates a dual-compliance engineering requirement: wallets must meet both identity-assurance standards and connected-product vulnerability-reporting obligations. The NCAF 2.0 release adds a second delivery: member states now have a structured self-assessment framework to measure where their national cybersecurity capability sits against NIS2 obligations, with the Commission's transposition-gap opinions creating accountability pressure for lagging states.

How the World Sees Them

Technology vendors

ENISA's Digital Wallet certification scheme defines conformance-testing requirements; vendors must plan for both eIDAS2 certification and CRA product-security obligations in the same engineering roadmap.

European Commission

ENISA's Digital Wallet certification consultation and NCAF 2.0 are parallel delivery milestones for the eIDAS2 and NIS2 programmes; the 19 reasoned opinions signal the Commission is now enforcing transposition compliance.

Civil liberties community

ENISA's certification scheme is the mechanism through which privacy-protective design requirements (selective disclosure, minimal data retention) become auditable technical standards.

Member states (NIS2 laggards)

NCAF 2.0 provides a structured self-assessment framework; states named in the Commission's reasoned opinions face formal infringement pressure alongside the new benchmarking tool.