The European Union Agency for Cybersecurity (ENISA) released the updated National Capabilities Assessment Framework (NCAF 2.0) on April 22, 2026, providing national authorities with a methodology to evaluate the maturity of their cybersecurity strategies and identify strengths, gaps, and priority areas. The framework, accompanied by an online tool, aims to support policymakers, experts, and government officials in strengthening national capabilities and aligning with EU legislative initiatives such as the NIS2 Directive.
Framework aligns with evolving EU cybersecurity landscape
The NCAF 2.0 reflects the evolving EU cybersecurity policy landscape and is aligned with key legislative initiatives such as the NIS2 Directive. It also supports Member States in preparing for the voluntary peer review process foreseen under Article 19 of the NIS2 Directive. This follows the European Commission's April 19 outline of NIS2 and Digital Networks Act proposals for EU cybersecurity and fraud protection, which require Member States to adopt national cybersecurity strategies and inform recipients of essential services about significant cyber threats.
Tool facilitates mutual learning and best practice exchange
At EU level, NCAF 2.0 provides a common reference framework to facilitate mutual learning, the exchange of best practices, and discussions on cybersecurity capability development. The framework allows Member States to adapt the assessment to their national context and priorities, contributing to strengthening the collective cybersecurity posture of the EU. This builds on ENISA's decade-long support for Member States in developing and implementing guidelines for national cybersecurity strategies.
Prior coverage shows rising cyber threats
The update comes amid heightened cybersecurity concerns across the EU. On April 20, EU cybersecurity agency CERT-EU reported that the ShinyHunters group breached the European Commission's cloud infrastructure, stealing personal data. Days earlier, on April 19, the European Commission confirmed it was investigating cyberattacks after data theft, with EU states warning of a Kremlin-linked campaign. Ransomware remained a major threat in 2025, with reports showing attack methods evolving into complex, multilayered systems, as noted on April 18.
Impact on stakeholders
- National authorities of EU countries: Gain a structured tool to assess and improve cybersecurity capabilities, but may face administrative burden in conducting assessments and aligning with the framework.
- EU regulatory bodies (ENISA, Commission): Strengthen their role in harmonizing cybersecurity practices across Member States, but rely on voluntary adoption and peer reviews, limiting enforcement.
- EU citizens and businesses: Benefit from improved national cybersecurity postures, potentially reducing risks from phishing and ransomware attacks, though improvements may take time to materialize.
- Telecom providers and critical sectors: May face increased scrutiny as national strategies align with NIS2, requiring compliance with stricter security measures and reporting obligations.
Expected institutional follow-up
ENISA will continue to support Member States in using the framework, and the European Commission is expected to monitor its implementation as part of broader cybersecurity reforms under NIS2 and the proposed Digital Networks Act.