14JUN

ENISA scores NIS2 maturity with NCAF 2.0

3 min read

11:51UTC

ENISA released National Capabilities Assessment Framework 2.0 on 22 April; 19 EU member states remain under reasoned opinions for partial NIS2 transposition.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

ENISA scores capability gaps; UK and EU are converging on the same regulatory architecture from different routes.

ENISA, the European Union Agency for Cybersecurity, released National Capabilities Assessment Framework 2.0 mid-week to score EU member-state cybersecurity maturity against the NIS2 directive ¹. NCAF 2.0 gives national authorities a maturity scoring tool covering governance, capacity, services and operational cooperation. 19 of 27 member states remain under reasoned opinions, the formal European Commission infringement notice for non-implementation, with only 14 of 27 having fully transposed NIS2 by mid last year.

The transposition gap matters because NIS2 carries a fine ceiling of 2 per cent of worldwide turnover for in-scope operators, but that ceiling cannot be applied in member states whose national law has not yet implemented the directive. ENISA's framing treats the gap as a capability problem as much as a legal one: member-state authorities lack the operational maturity to execute incident reporting, supply-chain risk management and managerial accountability obligations that NIS2 transposition would impose. NCAF 2.0 is the diagnostic instrument before the procurement and recruitment programmes that follow.

The framework runs in parallel to the UK Cyber Security and Resilience Bill track, which reached Report Stage in March and applies similar baseline obligations to UK operators. Both jurisdictions are converging on the same regulatory architecture from different starting points: Brussels via directive plus national transposition, London via primary statute. The ICO £14 million fine against Capita earlier this spring cited absent privileged access management as a GDPR failure, signalling that NIS2-equivalent baseline obligations are already being enforced through adjacent UK data-protection law before the bill reaches statute.

Deep Analysis

In plain English

The EU passed a cybersecurity law called NIS2, which requires companies and government agencies in critical sectors, energy, healthcare, water, transport, to meet certain minimum security standards and report incidents. Of the 27 EU member countries, only 14 had turned the EU law into their own national law by mid-2025. ENISA, the EU's cybersecurity agency, published a new scoring tool on 22 April to measure each country's progress. The 13 countries still missing the standard face formal EU enforcement proceedings.

Deep Analysis

Root Causes

NIS2 imposes obligations that require legislative transposition and institutional capacity alike: national Computer Security Incident Response Teams (CSIRTs), sector-specific supervisory authorities, cross-border information-sharing mechanisms, and technical audit capabilities.

Most of the 19 non-compliant member states lack one or more of these. Passing the law is the easy part; staffing the CSIRT, building the supervisory authority and establishing the inter-agency coordination is multi-year programme work.

The fine ceiling of 2 per cent of worldwide turnover applies to regulated operators, not to member-state governments. The Commission's enforcement tools against non-transposing states are reasoned opinions and court proceedings, not fines against national budgets. This asymmetry means member states face lower direct incentive pressure to fund compliance infrastructure than private-sector operators face for non-compliance with transposed obligations.

What could happen next?

Consequence
Operators in NIS2-covered sectors across the 19 member states under reasoned opinions face a legally uncertain compliance environment: NIS2 obligations may apply under European Commission interpretation while national law has not yet specified the implementing requirements.
Short term · 0.8
Precedent
NCAF 2.0 score publication will create a public-ranking dynamic among member states; countries at the bottom of the maturity index face political pressure to accelerate capacity investment to avoid reputational comparison.
Medium term · 0.7
Opportunity
Cybersecurity capability vendors targeting national CSIRT and supervisory authority procurement in the 19 non-compliant member states have a demand signal supported by ENISA's formal capability-gap documentation.
Short term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The EU Network and Information Security Directive (NIS1) transposition in 2018 followed a similar pattern: the October 2018 deadline was missed by 11 member states, and the European Commission issued reasoned opinions rather than immediately pursuing fines.

Full transposition across all 28 member states took until 2020, with Germany, Belgium and Spain as the last major economies to complete it. NIS2's transposition gap is proportionally larger at 19 of 27 states and involves a more demanding obligations set, suggesting a longer runway to full implementation than NIS1's two-year lag.

Counter-parallel: The GDPR's May 2018 enforcement date provided The Commission with a more muscular enforcement posture than NIS1: fines above 2 per cent of global turnover were issued against Meta, Amazon and other major operators within the first three years.

NIS2's fine ceiling mirrors GDPR, but the enforcement mechanism depends on national supervisory authority capacity, which is precisely what NCAF 2.0 scores as deficient in 19 member states. GDPR's fine record does not translate directly to NIS2, because GDPR fines were levied by authorities with existing mature enforcement infrastructure.

Consensus view: ENISA's own 2025 Threat Assessment found that 19 of 27 member states lacked the operational capacity to execute NIS2's incident-reporting, supply-chain risk and managerial accountability obligations even if fully transposed in law.

The NCAF 2.0 maturity scoring tool reflects ENISA's shift from treating the transposition gap as a legal enforcement problem to treating it as a capability-building problem: you cannot fine a national authority into acquiring the forensic analysts, SOC infrastructure and inter-agency coordination mechanisms NIS2 requires.

Counter-view: The European Policy Centre's digital governance programme argues that ENISA's capability-framing risks providing political cover for member states that have made deliberate legislative choices not to transpose.

Poland and Hungary, two of the 19 under reasoned opinions, have not transposed NIS2 in part because of domestic political resistance to EU-mandated regulatory obligations. Treating non-transposition as a capability deficit rather than a political choice mischaracterises the enforcement problem and removes Commission pressure from states that are choosing non-compliance.

Key tension: Whether The Commission will use NCAF 2.0 scores as an evidence base for escalating infringement proceedings against non-compliant states, or whether the framework becomes a diplomatic softening of enforcement pressure in a period of EU institutional stress.

Sources:ENISA

Mentions:Cyber Resilience Act →Spain →European Commission →Poland →Meta →Germany →European Union →Capita →Hungary →Amazon →Belgium →ENISA NCAF 2.0 →NIS2 →ENISA →SOC →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

ENISA· 30 Apr 2026

Read original →

Causes and effects

Caused by

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

ENISA onboarding four new CNAs under ENISA Root advances the EU CVE governance expansion that NCAF 2.0 mapped in NIS2 maturity scoring.

Occurred 19 Apr 2026

Read story →

This Event

ENISA scores NIS2 maturity with NCAF 2.0

Brussels treats NIS2's transposition gap as a capability problem as much as an enforcement one, in parallel with the UK Cyber Security and Resilience Bill track.

Led to

ENISA puts water and rail in risk zone

ENISA released NCAF 2.0 in April to benchmark EU member-state NIS2 maturity (ID:2922); NIS360 2026 is the sector-level companion, moving from member-state scores to sector risk-zone designation.

Occurred 28 May 2026

Read story →

NIS2 fines now reach directors personally

ENISA NCAF 2.0's member-state NIS2 maturity benchmarking in April 2026 established the documented readiness gaps the Commission now pursues via CJEU referrals.

Occurred 1 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.