Cybersecurity: Threats and Defences
8 May

ENISA scores NIS2 maturity with NCAF 2.0

10:57 UTC

ENISA released National Capabilities Assessment Framework 2.0 on 22 April; 19 EU member states remain under reasoned opinions for partial NIS2 transposition.

Key takeaway

ENISA scores capability gaps; UK and EU are converging on the same regulatory architecture from different routes.

ENISA, the European Union Agency for Cybersecurity, released National Capabilities Assessment Framework 2.0 mid-week to score EU member-state cybersecurity maturity against the NIS2 directive. NCAF 2.0 gives national authorities a maturity scoring tool covering governance, capacity, services and operational cooperation. 19 of 27 member states remain under reasoned opinions, the European Commission's formal infringement notice for non-implementation, and only 14 of 27 had fully transposed NIS2 by mid last year.

The transposition gap matters because NIS2 carries a fine ceiling of 2 per cent of worldwide turnover for in-scope operators, but that ceiling cannot be applied in member states whose national law has not yet implemented the directive. ENISA's framing treats the gap as a capability problem as much as a legal one: member-state authorities lack the operational maturity to execute incident reporting, supply-chain risk management and managerial accountability obligations that NIS2 transposition would impose. NCAF 2.0 is the diagnostic instrument before the procurement and recruitment programmes that follow.

The framework runs in parallel to the UK Cyber Security and Resilience Bill track, which reached Report Stage in March and applies similar baseline obligations to UK operators. Both jurisdictions are converging on the same regulatory architecture from different starting points: Brussels via directive plus national transposition, London via primary statute. The ICO £14 million fine against Capita earlier this spring cited absent Privileged Access Management as a GDPR failure, signalling that NIS2-equivalent baseline obligations are already being enforced through adjacent UK data-protection law before the bill reaches statute.

Deep Analysis

In plain English

The EU passed a cybersecurity law called NIS2, which requires companies and government agencies in critical sectors (energy, healthcare, water, transport) to meet certain minimum security standards and report incidents. Of the 27 EU member countries, only 14 had turned the EU law into their own national law by mid-2025. ENISA, the EU's cybersecurity agency, published a new scoring tool on 22 April to measure each country's progress. The 13 countries still missing the standard face formal EU enforcement proceedings.

Root Causes

NIS2 imposes obligations that require legislative transposition and institutional capacity alike: national Computer Security Incident Response Teams (CSIRTs), sector-specific supervisory authorities, cross-border information-sharing mechanisms, and technical audit capabilities.

Most of the 19 non-compliant member states lack one or more of these. Passing the law is the easy part; staffing the CSIRT, building the supervisory authority and establishing the inter-agency coordination is multi-year programme work.

The fine ceiling of 2 per cent of worldwide turnover applies to regulated operators, not to member-state governments. The Commission's enforcement tools against non-transposing states are reasoned opinions and court proceedings, not fines against national budgets. This asymmetry means member states face lower direct incentive pressure to fund compliance infrastructure than private-sector operators face for non-compliance with transposed obligations.

What could happen next?
  • Consequence: Operators in NIS2-covered sectors across the 19 member states under reasoned opinions face a legally uncertain compliance environment: NIS2 obligations may apply under European Commission interpretation while national law has not yet specified the implementing requirements. (Short term · 0.8)
  • Precedent: NCAF 2.0 score publication will create a public-ranking dynamic among member states; countries at the bottom of the maturity index face political pressure to accelerate capacity investment to avoid reputational comparison. (Medium term · 0.7)
  • Opportunity: Cybersecurity capability vendors targeting national CSIRT and supervisory authority procurement in the 19 non-compliant member states have a demand signal supported by ENISA's formal capability-gap documentation. (Short term · 0.75)
First reported in: Update #2 · FIRESTARTER puts Cisco below the patch line (ENISA, 30 Apr 2026)
Causes and effects

Brussels treats NIS2's transposition gap as a capability problem as much as an enforcement one, in parallel with the UK Cyber Security and Resilience Bill track.
Different Perspectives

Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.