The ENISA Cybersecurity Market Analysis Framework is a “cookbook” on how EU cybersecurity market analyses can be performed. is the cornerstone of ENISA activities in analysing the EU cybersecurity market, as it is used within ENISA to scope, customise and perform market analyses

Cybersecurity Market Analysis Framework

It is based on existing market analysis good practices and proposes improvements towards covering cybersecurity products, services and processes. In this context, in 2021 ENISA has developed an initial version of a cybersecurity analysis method. This work resulted in the initial version of the ENISA Cybersecurity Market Analysis Framework (ECSMAF)[1].

Essentially, this framework is aimed at those who need a market analysis for a cybersecurity market product, service and processe. It explains what the market analyst should do to describe the cybersecurity market segment (for example, a specific technology) and have an informed view of the demand and supply sides of the cybersecurity market in that segment.

More specifically, ECSMAF has several aims such as to

  • help identify gaps and opportunities in the European cybersecurity market;
  • serve as a template or model or guide for putting together a cybersecurity market analysis that can be used for assessing the prospects for any new cybersecurity product, service or process;
  • support the European cybersecurity market by applying more rigour and a more comprehensive, structured approach to the analysis of the market prospects for new products, services and/or processes;
  • complement other related work in ENISA (e.g., in risk assessment, research and innovation, cybersecurity index, policy development, cybersecurity certification) and outside ENISA (e.g., national market observatories and statistics organisations);
  • help the cybersecurity market analyst prepare a credible market analysis for new cybersecurity products, services and/or processes;
  • establish comparability and quality compliance among the results achieved within a single organisation (inter-organisation consistency);
  • establish comparability and quality compliance among results achieved by various analysts of various organisations (intra-organisation consistency);
  • increase re-usability of material developed within various analysis surveys.


Currently, ECSMAF is used by ENISA within performed cybersecurity market analyses, while it is subject of continuous improvements to enhance its applicability and usefulness for a variety of stakeholders who might be interested in performing their own cybersecurity market analyses. Examples of these stakeholders are:


  • EU institutions, bodies and agencies (e.g., DG-CNECT, DG-GROW, DG-JRC, DG-RTD, DG-TRADE, European Cybersecurity Competence Centre - ECCC, Eurostat, etc.). EU regulation and impact assessments often take into account market issues. Market analyses are important to help policymakers understand trends as well as related demand and supply issues. Market analyses can also help shape future calls in Horizon Europe and other EU programmes where there are market gaps.
  • Public authorities, especially cybersecurity authorities. Cybersecurity market surveillance is subject to regulation (e.g., CSA). The framework and its application may help in comparative market analyses and identifying shared efforts between the Member States.
  • ENISA stakeholder groups (e.g., European Cybersecurity Certification Group (ECCG) composed of Member States, Stakeholder Cybersecurity Certification Group, ENISA Advisory Group). The framework may support decision-making for prioritising certification efforts and spotting market gaps.
  • Industry associations [e.g., Ecosystem of Certification, EU TIC Council, the European Cyber Security Organisation (ECSO), the Information Security Forum (ISF)]: Industry and professional associations can use the framework to identify market opportunities, trends, challenges and vulnerabilities and the creation of competitive advantages to EU industry players.
  • Consumer organisations/associations. By using the framework, such organisations may assess the needs and requirements of consumers for cybersecurity products and services and their prospects in the European cybersecurity market.
  • Research institutions may use the proposed methodology to assess the maturity of existing products and markets and guide the development of new technologies and services.
  • Companies providing cybersecurity products, services and/or processes (supply side). The European Council has estimated that there are 60,000 such companies in Europe. Some are major companies who already conduct sophisticated market analyses, but by far the majority could benefit from some market analysis advice. For some companies, cybersecurity is their principal business; for others, it is just one line of business among others.
  • Companies who need cybersecurity products, services and/or processes (demand side). Such companies may have information security professionals and/or procurement officials who need to improve their companies’ cybersecurity. Hence, they need to find out what is available in the market to meet their needs and requirements.

In its current version, ECSMAF can be found HERE[2].



Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies