Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

ENISA scores NIS2 maturity with NCAF 2.0

3 min read
08:16UTC

ENISA released National Capabilities Assessment Framework 2.0 on 22 April; 19 EU member states remain under reasoned opinions for partial NIS2 transposition.

TechnologyDeveloping
Key takeaway

ENISA scores capability gaps; UK and EU are converging on the same regulatory architecture from different routes.

ENISA, the European Union Agency for Cybersecurity, released National Capabilities Assessment Framework 2.0 mid-week to score EU member-state cybersecurity maturity against the NIS2 directive 1. NCAF 2.0 gives national authorities a maturity scoring tool covering governance, capacity, services and operational cooperation. 19 of 27 member states remain under reasoned opinions, the formal European Commission infringement notice for non-implementation, with only 14 of 27 having fully transposed NIS2 by mid last year.

The transposition gap matters because NIS2 carries a fine ceiling of 2 per cent of worldwide turnover for in-scope operators, but that ceiling cannot be applied in member states whose national law has not yet implemented the directive. ENISA's framing treats the gap as a capability problem as much as a legal one: member-state authorities lack the operational maturity to execute incident reporting, supply-chain risk management and managerial accountability obligations that NIS2 transposition would impose. NCAF 2.0 is the diagnostic instrument before the procurement and recruitment programmes that follow.

The framework runs in parallel to the UK Cyber Security and Resilience Bill track, which reached Report Stage in March and applies similar baseline obligations to UK operators. Both jurisdictions are converging on the same regulatory architecture from different starting points: Brussels via directive plus national transposition, London via primary statute. The ICO £14 million fine against Capita earlier this spring cited absent privileged access management as a GDPR failure, signalling that NIS2-equivalent baseline obligations are already being enforced through adjacent UK data-protection law before the bill reaches statute.

Deep Analysis

In plain English

The EU passed a cybersecurity law called NIS2, which requires companies and government agencies in critical sectors, energy, healthcare, water, transport, to meet certain minimum security standards and report incidents. Of the 27 EU member countries, only 14 had turned the EU law into their own national law by mid-2025. ENISA, the EU's cybersecurity agency, published a new scoring tool on 22 April to measure each country's progress. The 13 countries still missing the standard face formal EU enforcement proceedings.

Deep Analysis
Root Causes

NIS2 imposes obligations that require legislative transposition and institutional capacity alike: national Computer Security Incident Response Teams (CSIRTs), sector-specific supervisory authorities, cross-border information-sharing mechanisms, and technical audit capabilities.

Most of the 19 non-compliant member states lack one or more of these. Passing the law is the easy part; staffing the CSIRT, building the supervisory authority and establishing the inter-agency coordination is multi-year programme work.

The fine ceiling of 2 per cent of worldwide turnover applies to regulated operators, not to member-state governments. The Commission's enforcement tools against non-transposing states are reasoned opinions and court proceedings, not fines against national budgets. This asymmetry means member states face lower direct incentive pressure to fund compliance infrastructure than private-sector operators face for non-compliance with transposed obligations.

What could happen next?
  • Consequence

    Operators in NIS2-covered sectors across the 19 member states under reasoned opinions face a legally uncertain compliance environment: NIS2 obligations may apply under European Commission interpretation while national law has not yet specified the implementing requirements.

    Short term · 0.8
  • Precedent

    NCAF 2.0 score publication will create a public-ranking dynamic among member states; countries at the bottom of the maturity index face political pressure to accelerate capacity investment to avoid reputational comparison.

    Medium term · 0.7
  • Opportunity

    Cybersecurity capability vendors targeting national CSIRT and supervisory authority procurement in the 19 non-compliant member states have a demand signal supported by ENISA's formal capability-gap documentation.

    Short term · 0.75
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

ENISA· 30 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.