Cybersecurity: Threats and Defences
7 June

ENISA scores NIS2 maturity with NCAF 2.0

3 min read · 10:08 UTC

ENISA released National Capabilities Assessment Framework 2.0 on 22 April; 19 EU member states remain under reasoned opinions for partial NIS2 transposition.

Technology · Developing
Key takeaway

ENISA scores capability gaps; UK and EU are converging on the same regulatory architecture from different routes.

ENISA, the European Union Agency for Cybersecurity, released National Capabilities Assessment Framework 2.0 mid-week to score EU member-state cybersecurity maturity against the NIS2 directive [1]. NCAF 2.0 gives national authorities a maturity scoring tool covering governance, capacity, services and operational cooperation. 19 of 27 member states remain under reasoned opinions, the formal European Commission infringement notice for non-implementation; only 14 of 27 had fully transposed NIS2 by mid last year.

The transposition gap matters because NIS2 carries a fine ceiling of 2 per cent of worldwide turnover for in-scope operators, but that ceiling cannot be applied in member states whose national law has not yet implemented the directive. ENISA's framing treats the gap as a capability problem as much as a legal one: member-state authorities lack the operational maturity to execute the incident reporting, supply-chain risk management and managerial accountability obligations that NIS2 transposition would impose. NCAF 2.0 is the diagnostic instrument that precedes the procurement and recruitment programmes needed to close those gaps.

The framework runs in parallel to the UK Cyber Security and Resilience Bill track, which reached Report Stage in March and applies similar baseline obligations to UK operators. Both jurisdictions are converging on the same regulatory architecture from different starting points: Brussels via directive plus national transposition, London via primary statute. The ICO £14 million fine against Capita earlier this spring cited absent privileged access management as a GDPR failure, signalling that NIS2-equivalent baseline obligations are already being enforced through adjacent UK data-protection law before the bill reaches statute.

Deep Analysis

In plain English

The EU passed a cybersecurity law called NIS2, which requires companies and government agencies in critical sectors (energy, healthcare, water, transport) to meet certain minimum security standards and report incidents. Of the 27 EU member countries, only 14 had turned the EU law into their own national law by mid-2025. ENISA, the EU's cybersecurity agency, published a new scoring tool on 22 April to measure each country's progress. The 13 countries still missing the standard face formal EU enforcement proceedings.

Root Causes

NIS2 imposes obligations that require legislative transposition and institutional capacity alike: national Computer Security Incident Response Teams (CSIRTs), sector-specific supervisory authorities, cross-border information-sharing mechanisms, and technical audit capabilities.

Most of the 19 non-compliant member states lack one or more of these. Passing the law is the easy part; staffing the CSIRT, building the supervisory authority and establishing inter-agency coordination are multi-year programme work.

The fine ceiling of 2 per cent of worldwide turnover applies to regulated operators, not to member-state governments. The Commission's enforcement tools against non-transposing states are reasoned opinions and court proceedings, not fines against national budgets. This asymmetry means member states face lower direct incentive pressure to fund compliance infrastructure than private-sector operators face for non-compliance with transposed obligations.

What could happen next?
  • Consequence

    Operators in NIS2-covered sectors across the 19 member states under reasoned opinions face a legally uncertain compliance environment: NIS2 obligations may apply under European Commission interpretation while national law has not yet specified the implementing requirements.

    Short term · 0.8
  • Precedent

    NCAF 2.0 score publication will create a public-ranking dynamic among member states; countries at the bottom of the maturity index face political pressure to accelerate capacity investment to avoid reputational comparison.

    Medium term · 0.7
  • Opportunity

    Cybersecurity capability vendors targeting national CSIRT and supervisory authority procurement in the 19 non-compliant member states have a demand signal supported by ENISA's formal capability-gap documentation.

    Short term · 0.75
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line (ENISA, 30 Apr 2026)
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's share of May ransomware victims (18 of 95, nearly 19 per cent of globally disclosed attacks, against 0.3 per cent of global GDP) reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.