The EU Agency for Cybersecurity issues a National Capabilities Assessment Framework (NCAF) to help EU Member States self-measure the level of maturity of their national cybersecurity capabilities.
Why a capability assessment framework?
Cybersecurity capabilities are the main tools used by EU Member States to achieve the objectives of their National Cybersecurity Strategies. The purpose of the framework is to help Member States build and enhance cybersecurity capabilities by assessing their level of maturity.
The framework will allow EU Member States to:
- Perform the evaluation of their national cybersecurity capabilities.
- Increase the maturity level of awareness;
- Identify areas for improvement;
- Build new cybersecurity capabilities.
The report is available in all 24 official EU languages.
Download the ENISA Report - National Capabilities Assessment Framework
The origins of the concept
Deveoped with the support of 19 EU Member States, this framework was designed following an extensive exchange of ideas and good practices. The strategic objectives of the national cybersecurity strategies served as a basis of the study.
The framework was developed as part of the mandate of ENISA, as defined in the Cybersecurity Act. It falls under the provision to support EU Member States in building capacities in the area of national cybersecurity strategies through the exchange of good practices.
The key features
The self-assessment framework is composed of 17 objectives structured around 4 clusters. Each of these clusters is associated to a key thematic area for building cybersecurity capacity. Different objectives are also associated to each cluster. Based on 5 levels of maturity, specific questions were devised for each objective.
The clusters are as follows:
- (I) Cybersecurity governance and standards - This dimension considers aspects of planning to prepare the Member State against cyber-attacks as well standards to protect Member States and digital identity
- (II) Capacity-building and awareness - This cluster assesses the capacity of the Member States to raise awareness on cybersecurity risks and threats and on how to tackle them. Additionally, this dimension gauges the ability of the country to continuously build cybersecurity capabilities, increase knowledge and skills in the cybersecurity domain.
- (III) Legal and regulatory - This cluster measures the capacity of the Member States to put in place the necessary legal and regulatory instruments to address cybercrime and also address legal requirements such as incident reporting, privacy matters, CIIP.
- (IV) Cooperation - This cluster evaluates the cooperation and information sharing between different stakeholder groups at the national and international level.
Target Audience
The report issued is intended for policymakers as well as experts and officials responsible for, or involved in the design, implementation and evaluation of a national cybersecurity strategy and/or of national cybersecurity capabilities.
Further Information
ENISA Topic - National Cybersecurity Strategies
ENISA Report - Good Practice Guide on NCSS
ENISA Report - Good practices in Innovation
Press Contact
For questions related to the press and interviews, please contact press (at) enisa.europa.eu.