20MAY

ENISA scores NIS2 maturity with NCAF 2.0

3 min read

09:58UTC

ENISA released National Capabilities Assessment Framework 2.0 on 22 April; 19 EU member states remain under reasoned opinions for partial NIS2 transposition.

← Back to AI joins the breach column on both sides Jump to analysis ↓

TechnologyDeveloping

Key takeaway

ENISA scores capability gaps; UK and EU are converging on the same regulatory architecture from different routes.

ENISA, the European Union Agency for Cybersecurity, released National Capabilities Assessment Framework 2.0 mid-week to score EU member-state cybersecurity maturity against the NIS2 directive ¹. NCAF 2.0 gives national authorities a maturity scoring tool covering governance, capacity, services and operational cooperation. 19 of 27 member states remain under reasoned opinions, the formal European Commission infringement notice for non-implementation, with only 14 of 27 having fully transposed NIS2 by mid last year.

The transposition gap matters because NIS2 carries a fine ceiling of 2 per cent of worldwide turnover for in-scope operators, but that ceiling cannot be applied in member states whose national law has not yet implemented the directive. ENISA's framing treats the gap as a capability problem as much as a legal one: member-state authorities lack the operational maturity to execute incident reporting, supply-chain risk management and managerial accountability obligations that NIS2 transposition would impose. NCAF 2.0 is the diagnostic instrument before the procurement and recruitment programmes that follow.

The framework runs in parallel to the UK Cyber Security and Resilience Bill track, which reached Report Stage in March and applies similar baseline obligations to UK operators. Both jurisdictions are converging on the same regulatory architecture from different starting points: Brussels via directive plus national transposition, London via primary statute. The ICO £14 million fine against Capita earlier this spring cited absent privileged access management as a GDPR failure, signalling that NIS2-equivalent baseline obligations are already being enforced through adjacent UK data-protection law before the bill reaches statute.

Deep Analysis

In plain English

The EU passed a cybersecurity law called NIS2, which requires companies and government agencies in critical sectors, energy, healthcare, water, transport, to meet certain minimum security standards and report incidents. Of the 27 EU member countries, only 14 had turned the EU law into their own national law by mid-2025. ENISA, the EU's cybersecurity agency, published a new scoring tool on 22 April to measure each country's progress. The 13 countries still missing the standard face formal EU enforcement proceedings.

Deep Analysis

Root Causes

NIS2 imposes obligations that require legislative transposition and institutional capacity alike: national Computer Security Incident Response Teams (CSIRTs), sector-specific supervisory authorities, cross-border information-sharing mechanisms, and technical audit capabilities.

Most of the 19 non-compliant member states lack one or more of these. Passing the law is the easy part; staffing the CSIRT, building the supervisory authority and establishing the inter-agency coordination is multi-year programme work.

The fine ceiling of 2 per cent of worldwide turnover applies to regulated operators, not to member-state governments. The Commission's enforcement tools against non-transposing states are reasoned opinions and court proceedings, not fines against national budgets. This asymmetry means member states face lower direct incentive pressure to fund compliance infrastructure than private-sector operators face for non-compliance with transposed obligations.

What could happen next?

Consequence
Operators in NIS2-covered sectors across the 19 member states under reasoned opinions face a legally uncertain compliance environment: NIS2 obligations may apply under European Commission interpretation while national law has not yet specified the implementing requirements.
Short term · 0.8
Precedent
NCAF 2.0 score publication will create a public-ranking dynamic among member states; countries at the bottom of the maturity index face political pressure to accelerate capacity investment to avoid reputational comparison.
Medium term · 0.7
Opportunity
Cybersecurity capability vendors targeting national CSIRT and supervisory authority procurement in the 19 non-compliant member states have a demand signal supported by ENISA's formal capability-gap documentation.
Short term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The EU Network and Information Security Directive (NIS1) transposition in 2018 followed a similar pattern: the October 2018 deadline was missed by 11 member states, and the European Commission issued reasoned opinions rather than immediately pursuing fines.

Full transposition across all 28 member states took until 2020, with Germany, Belgium and Spain as the last major economies to complete it. NIS2's transposition gap is proportionally larger at 19 of 27 states and involves a more demanding obligations set, suggesting a longer runway to full implementation than NIS1's two-year lag.

Counter-parallel: The GDPR's May 2018 enforcement date provided the Commission with a more muscular enforcement posture than NIS1: fines above 2 per cent of global turnover were issued against Meta, Amazon and other major operators within the first three years.

NIS2's fine ceiling mirrors GDPR, but the enforcement mechanism depends on national supervisory authority capacity, which is precisely what NCAF 2.0 scores as deficient in 19 member states. GDPR's fine record does not translate directly to NIS2, because GDPR fines were levied by authorities with existing mature enforcement infrastructure.

Consensus view: ENISA's own 2025 Threat Assessment found that 19 of 27 member states lacked the operational capacity to execute NIS2's incident-reporting, supply-chain risk and managerial accountability obligations even if fully transposed in law.

The NCAF 2.0 maturity scoring tool reflects ENISA's shift from treating the transposition gap as a legal enforcement problem to treating it as a capability-building problem: you cannot fine a national authority into acquiring the forensic analysts, SOC infrastructure and inter-agency coordination mechanisms NIS2 requires.

Counter-view: The European Policy Centre's digital governance programme argues that ENISA's capability-framing risks providing political cover for member states that have made deliberate legislative choices not to transpose.

Poland and Hungary, two of the 19 under reasoned opinions, have not transposed NIS2 in part because of domestic political resistance to EU-mandated regulatory obligations. Treating non-transposition as a capability deficit rather than a political choice mischaracterises the enforcement problem and removes Commission pressure from states that are choosing non-compliance.

Key tension: Whether the Commission will use NCAF 2.0 scores as an evidence base for escalating infringement proceedings against non-compliant states, or whether the framework becomes a diplomatic softening of enforcement pressure in a period of EU institutional stress.

Sources:ENISA

Mentions:Cyber Resilience Act →Spain →European Commission →Poland →Meta →Germany →European Union →Capita →Hungary →Amazon →Belgium →ENISA NCAF 2.0 →NIS2 →ENISA →SOC →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

ENISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

ENISA onboarding four new CNAs under ENISA Root advances the EU CVE governance expansion that NCAF 2.0 mapped in NIS2 maturity scoring.

Occurred 19 Apr 2026

Read story →

This Event

ENISA scores NIS2 maturity with NCAF 2.0

Brussels treats NIS2's transposition gap as a capability problem as much as an enforcement one, in parallel with the UK Cyber Security and Resilience Bill track.

Different Perspectives

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Google Threat Intelligence Group

GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.

NCSC

The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.

Microsoft Security Response Center

The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.

CISA

CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.