National Cybersecurity Assessment Framework (NCAF) Tool

In brief

The ENISA page presents the National Capabilities Assessment Framework 2.0 (NCAF 2.0) as a practical EU tool for helping member states assess and strengthen their national cybersecurity capabilities. It is described as a voluntary, flexible, and adaptable framework built around 20 strategic objectives, giving policymakers a structured way to evaluate national maturity, identify gaps, and set priorities. ENISA emphasizes that the updated framework is fully aligned with the NIS2 Directive, meaning it is intended not only as a self-assessment instrument but also as practical support for national cybersecurity strategies and preparation for Article 19 peer reviews. The page frames NCAF 2.0 as a product of member-state experience and best practices, aimed at improving both national readiness and the EU’s collective cyber resilience.

The page also explains the framework through four broad evaluation clusters: capacity-building and awareness, cooperation and collaboration, cybersecurity governance, and regulatory and policy frameworks. Together, these cover issues such as cyber hygiene, skills, incident preparedness, information sharing, cybercrime response, governance quality, crisis management, supply-chain security, critical infrastructure protection, and coordinated vulnerability disclosure. ENISA says the main benefits are clearer visibility into a country’s maturity level, the ability to identify areas for improvement, and stronger capability-building over time. The updated NCAF 2.0 report was published by ENISA on 22 April 2026, and the page presents it as a structured mechanism for turning cybersecurity strategy from a high-level ambition into measurable, evidence-based policy action.

‍

Source: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncaf