News Item

Focus on National Cybersecurity Capabilities: New Self-Assessment Framework to Empower EU Member States

The EU Agency for Cybersecurity issues a National Capabilities Assessment Framework (NCAF) to help EU Member States self-measure the level of maturity of their national cybersecurity capabilities.

Published on December 07, 2020

Why a capability assessment framework?

Cybersecurity capabilities are the main tools used by EU Member States to achieve the objectives of their National Cybersecurity Strategies. The purpose of the framework is to help Member States build and enhance cybersecurity capabilities by assessing their level of maturity.

The framework will allow EU Member States to:

  • Perform the evaluation of their national cybersecurity capabilities;
  • Increase the maturity level of awareness;
  • Identify areas for improvement;
  • Build new cybersecurity capabilities.

The report is available in all 24 official EU languages.

Download the ENISA Report - National Capabilities Assessment Framework

The origins of the concept

Developed with the support of 19 EU Member States, this framework was designed following an extensive exchange of ideas and good practices. The strategic objectives of the national cybersecurity strategies served as a basis for the study.

The framework was developed as part of the mandate of ENISA, as defined in the Cybersecurity Act. It falls under the provision to support EU Member States in building capacities in the area of national cybersecurity strategies through the exchange of good practices.

The key features

The self-assessment framework is composed of 17 objectives structured around 4 clusters. Each of these clusters is associated with a key thematic area for building cybersecurity capacity. Different objectives are also associated with each cluster. Based on 5 levels of maturity, specific questions were devised for each objective.

The clusters are as follows:

  • (I) Cybersecurity governance and standards - This dimension considers aspects of planning to prepare the Member State against cyber-attacks as well as standards to protect Member States and digital identity.
  • (II) Capacity-building and awareness - This cluster assesses the capacity of the Member States to raise awareness on cybersecurity risks and threats and on how to tackle them. Additionally, this dimension gauges the ability of the country to continuously build cybersecurity capabilities and increase knowledge and skills in the cybersecurity domain.
  • (III) Legal and regulatory - This cluster measures the capacity of the Member States to put in place the necessary legal and regulatory instruments to address cybercrime and also address legal requirements such as incident reporting, privacy matters, CIIP.
  • (IV) Cooperation - This cluster evaluates the cooperation and information sharing between different stakeholder groups at the national and international level.

Target Audience

The report is intended for policymakers as well as experts and officials responsible for, or involved in, the design, implementation and evaluation of a national cybersecurity strategy and/or of national cybersecurity capabilities.

Further Information

ENISA Topic - National Cybersecurity Strategies

ENISA Report - Good Practice Guide on NCSS

ENISA Report - Good practices in Innovation

NCSS Evaluation Tool

NCSS Interactive Map

Press Contact

For questions related to the press and interviews, please contact press (at)
