National Cybersecurity Assessment Framework (NCAF) Tool

The National Capabilities Assessment Framework (NCAF) is a tool launched by ENISA (European Union Agency for Cybersecurity) in 2022 to help Member States measure the maturity level of their cybersecurity capabilities and support them in conducting an evaluation of their national cybersecurity capability, enhancing awareness of the country maturity level, identifying areas for improvement and building cybersecurity capabilities.

This framework should help the Member States, and in particular national policymakers, to perform a self-assessment exercise with the aim to improve national cybersecurity capabilities. This framework was designed with the support of ENISA subject matter experts and representatives from 19 Member States and EFTA countries .

Why is this a Digital Skills Resource?

The NCAF is a digital tool that helps Member States to:

Provide useful information to develop a long-term strategy (e.g. good practices, guidelines);
Help identify missing elements within the national cybersecurity strategies (NCSS);
Help in further building cybersecurity capabilities;
Support the accountability of political actions;
Give credibility towards general public and international partners;
Support outreach and enhance public image as a transparent organisation;
Help anticipate the issues lying ahead;
Help identify lessons learnt and best practices;
Provide a baseline on cybersecurity capacity across the EU to facilitate discussions;
Help evaluate the national capabilities regarding cybersecurity.

Who is this for?

The NCAF's primary target audience is policymakers, experts and government officials responsible for or involved in designing, implementing and evaluating an NCSS and, on a broader level, cybersecurity capabilities.

17 strategic objectives, 4 clusters

The National Capabilities Assessment Framework covers 17 strategic objectives and is
structured around four main clusters:

Cluster #1: Cybersecurity governance and standards: This cluster measures the capacity of the Member States to establish proper governance, standards and good practices in the cybersecurity domain. This dimension considers different aspects of cyber-defence and resilience while supporting the development of the national cybersecurity industry and building trust in governments.
Cluster 2: Capacity-building and awareness: This dimension gauges the ability of the country to continuously build cybersecurity capabilities and increase the overall level of knowledge and skills within this domain. It addresses the development of the cybersecurity market and advancements in cybersecurity R&D. This cluster regroups all objectives laying the groundwork to foster capacity-building.
Cluster 3: Legal and regulatory: This cluster measures the capacity of the Member States to put in place the necessary legal and regulatory instruments to address and counter the rise of cybercrime and related cyber-incidents, and to protect critical information infrastructure. Additionally, this dimension assess also the capacity of the Member States to create a legal framework to protect citizens and businesses as for instance in the case of balancing security with privacy.
Cluster 4: Cooperation: This cluster evaluates the cooperation and information sharing between different stakeholder groups at the national and international level as an important tool to better understand and respond to a constantly changing threat environment.

Find out more

More information about the framework and tool can be found in the NCAF report published by ENISA in 2020 or via the explanatory video developed for the launch of the tool.