ENISA NCAF 2.0: What the April 2026 Update Means for CRA Manufacturers

ENISA published NCAF 2.0 in April 2026, the first update in six years. Three new objectives, 871 maturity questions, and explicit CRA references change how governments score cybersecurity readiness.

CRA Evidence Team · Published April 24, 2026

[Figure: ENISA NCAF 2.0 framework diagram showing 20 strategic objectives across four clusters, published April 2026]

ENISA published the National Capabilities Assessment Framework 2.0 (NCAF 2.0) in April 2026. It is the first update since the original framework came out in December 2020. The document grew from 90 to 126 pages and added three strategic objectives that did not exist before. It now explicitly names the Cyber Resilience Act in its maturity questions. If your products are in scope of the CRA, this framework describes how your government will score its own readiness to support and enforce it.

Summary

  • Three new objectives with no 2020 equivalent: national-level risk assessment (Objective 12), a coordinated vulnerability disclosure policy (Objective 19), and active cyber protection (Objective 20)
  • 871 cybersecurity capacity questions are now part of the framework. Zero structured questions existed in 2020.
  • The CRA is named explicitly in the introduction and in the maturity questions for Objective 1, which covers private-sector cyber resilience and hygiene, including for essential and important entities.
  • Objective 19 (CVD policy) sets a national target for governments to establish structured processes for reporting vulnerabilities to manufacturers. That is the upstream infrastructure that CRA Article 14 depends on.
  • Maturity level names have changed: the five levels are now Foundation, Developing, Established, Mature, and Advanced. Level 1 now assumes a country has adopted an NCSS, which is a NIS2 requirement. In 2020, Level 1 described a country with no defined approach at all.
  • NCAF 2.0 can be used for NIS2 Article 19 peer reviews. ENISA added this use case in Section 1.7 of the new document.
  • 14 Member States completed the survey that shaped the update. Greece, Italy, and Luxembourg piloted the first draft.
  • The standalone public-private partnership objective is gone. Information sharing and mutual assistance are now two separate scored objectives in its place.
  • 20 strategic objectives, up from 17 in 2020
  • 871 capacity questions; zero existed in 2020
  • 5 maturity levels, all renamed and all descriptions rewritten
  • 14 Member States surveyed during the framework development review

Source: ENISA NCAF 2.0, April 2026. Objectives and question count: Section 3, p. 33. Survey count: Section 1.2.3, p. 12.

What NCAF Is and What It Scores

NCAF is a self-assessment tool for national governments, specifically for the policymakers and officials who design and implement a country's national cybersecurity strategy (NCSS). It is voluntary. A country's results are not published unless that country chooses to publish them.

The framework measures one thing: how mature a Member State's cybersecurity capabilities are across 20 strategic objectives. For each objective, a country answers a set of questions and receives two scores. The first is a maturity level score, which reflects the highest level where all required questions are answered positively. The second is a coverage ratio, which counts all positive answers regardless of level. Together, they give a picture of both depth and breadth.

ENISA added one use case in NCAF 2.0 that was not in the 2020 version: the framework can now serve as a basis for NIS2 Article 19 voluntary peer reviews. Member States that want to benchmark against each other have a structured tool to do it with. The EU Cybersecurity Index (EU-CSI) already uses some NCAF questions, and ENISA noted in Section 1.7 that the EU-CSI may evolve toward closer alignment with NCAF.

For manufacturers, the framework is a signal. A country that scores low on Objective 1 (private-sector cyber resilience), Objective 17 (supply chain), or Objective 19 (CVD policy) is telling you something about the enforcement environment your products will operate in.

The Three Objectives That Did Not Exist in 2020

Objective 12 · National risk assessment

Consolidate risk assessments across sectors to build a national view of critical assets and threats. Tied to NIS2 Article 7 and the Critical Entities Resilience (CER) Directive.

Objective 19 · CVD policy

Create a structured national process for reporting vulnerabilities to manufacturers and service providers. Promote legal clarity for good-faith researchers, including exemptions from civil or criminal liability.

Objective 20 · Active cyber protection

Integrate ACP into the NCSS. Promote proactive ACP policies as part of a wider defence strategy. ACP is defined in NIS2 Recital 57. Promote both internal and, in the best case, external ACP capabilities.

Objective 12: national-level risk assessment

In 2020, risk assessment was background context for every other objective. It was not an assessable item in its own right. NCAF 2.0 makes it a scored objective with three specific goals from Section 2.3.

  1. Establish a mechanism to consolidate risk assessments across sectors, "ensuring a national-level view of critical assets and threats, in line with existing requirements under NIS2 and the Critical Entities Resilience (CER) Directive."
  2. Align cybersecurity strategy objectives with national security needs through comprehensive national risk assessment.
  3. Facilitate sector-specific risk assessments to address the risks to critical sectors.

What this means for CRA manufacturers

The national risk assessment feeds sector classification under NIS2. The sectors in NIS2 Annexes I and II determine which entities are essential or important, which determines the enforcement density around the products those entities buy. A country that has not completed a national risk assessment is operating without a clear picture of its own critical assets.

Objective 19: coordinated vulnerability disclosure policy

CVD appeared in the 2020 NCAF once, as footnote 18 under the supply chain section. It is now a top-level scored objective with three sub-goals from Section 2.3.

  1. Establish a CVD process "outlining a structured approach for reporting vulnerabilities to manufacturers and service providers."
  2. Develop a national policy to facilitate CVD and provide a framework for managing vulnerability reports.
  3. Promote legal clarity for good-faith vulnerability research, "including, where appropriate, exemptions or safeguards from civil or criminal liability, in line with national legal frameworks."

Direct link to CRA Article 14

Article 14 requires manufacturers to report actively exploited vulnerabilities within 24 hours of becoming aware of them. The 24-hour deadline is the early warning; a fuller vulnerability notification follows within 72 hours and a final report once a corrective or mitigating measure is available. The notification goes to the CSIRT designated as coordinator, so that reporting path depends on the receiving country having a functioning CVD infrastructure. A government that scores at Level 1 or 2 on Objective 19 has not built that infrastructure yet. Manufacturers in that country are being asked to report into a system that is still being built.

Objective 20: active cyber protection

Active cyber protection did not appear anywhere in the 2020 NCAF. ENISA defines ACP with reference to NIS2 Recital 57. Footnote 15 in Section 2.3 points there explicitly. The framework sets four goals.

  1. Integrate ACP into the NCSS.
  2. Promote policies on proactive ACP measures as part of a wider defence strategy.
  3. Promote the implementation of internal and, in the best case, external ACP capabilities to prevent, detect, monitor and mitigate network security breaches.
  4. Promote the use of ACP tools and services to share threat intelligence.

The most forward-leaning objective in the framework

No other objective uses the phrase "external capabilities" or frames threat intelligence sharing as a national policy target at this level of specificity. Objective 20 reflects the post-2022 active defence discussion in EU policy, aligned with the Cyber Solidarity Act.

Where the CRA Appears in NCAF 2.0

NCAF 2.0 names the CRA in three places: the introduction, the desk research section, and one Objective 1 maturity question. Two further objectives, 17 and 19, connect to CRA obligations without naming the regulation. These are the five locations.

Introduction · p. 10

Named alongside DORA as a key EU law ENISA supports Member States in adopting: "the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA)."

Desk research · p. 12

Listed as a primary EU regulatory document reviewed when building the updated framework. The CRA shaped the maturity question design directly.

Objective 1 · Level 4 question

Asks whether mandatory standards are "aligned with EU-level frameworks (e.g. the CRA, the EU cloud services scheme)." The CRA is given as the first example, so a government claiming Level 4 is scored on whether its private-sector standards are benchmarked against it.

Objective 17 · Supply chain goals

Goals include "implement state-of-the-art measures to address the cybersecurity of the supply chain for ICT products and ICT services used by essential and important entities." This is the core of CRA product scope.

Objective 19 · CVD policy goals

Sets a structured approach for reporting vulnerabilities "to manufacturers and service providers." Manufacturers are the party the CRA holds responsible for vulnerability handling (Article 13 and Annex I Part II) and for the Article 14 reporting obligations, including the 24-hour early warning.

For manufacturers, the pattern matters as much as any single reference. Governments at Level 4 on Objective 1 are scored on whether their private-sector standards align with the CRA by name. Governments at Level 1 or 2 on Objective 19 have not yet built the national CVD infrastructure that CRA Article 14 reporting depends on.

871 Questions: How the Assessment Works in Practice

The 2020 NCAF described 17 objectives and gave each a list of goals. Countries self-assessed against those goals. There were no standard questions, no scoring tables, and no question bank. NCAF 2.0 adds that structure: 871 cybersecurity capacity questions across 20 objectives and five maturity levels.

Reading a question ID

Each question has a three-part identifier: objective number, maturity level, and question number within that level. Question 14.2.5 is the fifth question at maturity level 2 for Objective 14 (establish cybersecurity risk-management measures).

Alongside the 871 capacity questions, there are five generic strategy questions per level per objective. These are identical across all 20 objectives, asking whether the objective appears in the NCSS, whether an action plan exists, and whether progress is monitored. The 871 capacity questions are the objective-specific technical layer on top.

Requisite vs non-requisite

Each capacity question is tagged 1 (requisite) or 0 (non-requisite):

Requisite (1)

Must all be answered positively before a country can claim that maturity level. A single negative requisite answer caps the score at the previous level, regardless of how many other questions are answered correctly.

Non-requisite (0)

Count toward the coverage ratio but do not block level progression. A country can reach a level with non-requisite gaps; those gaps will show up in the coverage ratio rather than the maturity level score.

How scores are calculated

Scoring produces two numbers per objective, then averages them at cluster level and across all 20 objectives for the overall score.

Maturity level score

The highest level where every requisite question is answered positively. This is the official level a country has reached for that objective. Progress within a level (answering some but not all requisites) does not move this number.

Coverage ratio

The proportion of positive answers across all questions for an objective, regardless of level. A country can be at Level 3 on maturity but show 80% coverage on Level 4 questions; the coverage ratio captures that partial progress.
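The two-score model above is easy to misread, so here is the scoring rule written out as code. This is an added illustration, not ENISA's own tooling, and the ten-question bank for Objective 19 is constructed for the example rather than copied from NCAF 2.0 Section 3. It assumes that only capacity questions are scored (the five generic strategy questions per level are left out), that levels must be cleared in order, and that a level with no questions in the bank cannot be claimed.

```python
"""Scoring one NCAF 2.0 objective: maturity level plus coverage ratio.

Added illustration of the scoring rules described in the text; not ENISA's
own tooling. The question bank below is constructed for the example and does
not reproduce real NCAF 2.0 questions. Assumptions: only capacity questions
are scored, levels must be cleared in order, and a level with no questions
in the bank cannot be claimed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Question:
    qid: str          # "<objective>.<level>.<n>", e.g. "14.2.5"
    requisite: bool   # True = tagged 1 (requisite), False = tagged 0
    positive: bool    # the Member State's self-assessment answer


def parse_qid(qid: str) -> tuple[int, int, int]:
    """Split "14.2.5" into (objective 14, level 2, question 5)."""
    objective, level, number = (int(part) for part in qid.split("."))
    return objective, level, number


def level_of(q: Question) -> int:
    return parse_qid(q.qid)[1]


def maturity_level(questions: list[Question], max_level: int = 5) -> int:
    """Highest level whose requisite questions, and those of every level
    below it, are all answered positively. One negative requisite at level k
    caps the result at k-1. Returns 0 if Level 1 already has a gap."""
    reached = 0
    for lvl in range(1, max_level + 1):
        at_level = [q for q in questions if level_of(q) == lvl]
        if not at_level:
            break  # assumption: no questions at this level means not claimable
        if any(q.requisite and not q.positive for q in at_level):
            break  # a single negative requisite stops progression here
        reached = lvl
    return reached


def coverage_ratio(questions: list[Question]) -> float:
    """Share of positive answers over every question, requisite or not."""
    return sum(q.positive for q in questions) / len(questions)


def coverage_by_level(questions: list[Question]) -> dict[int, float]:
    """Coverage per level: shows the partial progress the level score hides."""
    levels = sorted({level_of(q) for q in questions})
    return {lvl: coverage_ratio([q for q in questions if level_of(q) == lvl])
            for lvl in levels}


def with_answer(questions: list[Question], qid: str, positive: bool) -> list[Question]:
    """Copy of the bank with one answer changed, for what-if checks."""
    return [replace(q, positive=positive) if q.qid == qid else q for q in questions]


def aggregate(objective_scores: list[tuple[int, float]]) -> tuple[float, float]:
    """Average (maturity level, coverage) over several objectives, which is
    how the text describes the cluster-level and overall scores."""
    return (mean(lvl for lvl, _ in objective_scores),
            mean(cov for _, cov in objective_scores))


# Constructed bank for Objective 19 (CVD policy): ten questions across four
# levels. The only negative requisite is 19.2.2 (hypothetically, "a national
# CVD policy is in place"); one non-requisite Level 4 question is also open.
SAMPLE_OBJECTIVE_19 = [
    Question("19.1.1", requisite=True, positive=True),
    Question("19.1.2", requisite=True, positive=True),
    Question("19.1.3", requisite=False, positive=True),
    Question("19.2.1", requisite=True, positive=True),
    Question("19.2.2", requisite=True, positive=False),
    Question("19.2.3", requisite=False, positive=True),
    Question("19.3.1", requisite=True, positive=True),
    Question("19.3.2", requisite=False, positive=True),
    Question("19.4.1", requisite=True, positive=True),
    Question("19.4.2", requisite=False, positive=False),
]

if __name__ == "__main__":
    lvl = maturity_level(SAMPLE_OBJECTIVE_19)
    cov = coverage_ratio(SAMPLE_OBJECTIVE_19)
    print(f"Objective 19: maturity level {lvl}, coverage {cov:.0%}")
    for level, share in coverage_by_level(SAMPLE_OBJECTIVE_19).items():
        print(f"  level {level}: {share:.0%} of questions positive")
    fixed = with_answer(SAMPLE_OBJECTIVE_19, "19.2.2", True)
    print(f"after closing 19.2.2: maturity level {maturity_level(fixed)}")
```

Run as a script, the sample scores maturity Level 1 with 80% coverage: Level 3 is fully answered and Level 4 is half answered, but the single negative requisite at Level 2 caps the official level. Closing that one gap moves the country straight to Level 4, which is the point of keeping both numbers: the coverage ratio tells you how much is already built behind a low level score.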

The five maturity levels

All five levels were renamed and their descriptions rewritten. The key shift: Level 1 in 2026 assumes a Member State has already adopted a national cybersecurity strategy. Level 1 in 2020 described a country with no defined approach at all.

Level 1 · 2020 "Initial / Ad Hoc" → 2026 "Foundation". Now assumes an NCSS is adopted (the NIS2 minimum); the 2020 version started from zero.
Level 2 · 2020 "Early Definition" → 2026 "Developing". Action plans in place and stakeholders identified.
Level 3 · 2020 "Establishment" → 2026 "Established". Governance structures in place, resources allocated, consistent implementation across the objective.
Level 4 · 2020 "Optimisation" → 2026 "Mature". Long-term legislation, dedicated national funding, national agencies established and operating.
Level 5 · 2020 "Adaptiveness" → 2026 "Advanced". Dynamic and adaptive. Explicitly aspirational: NCAF 2.0 states that very few countries are expected to reach this level for all objectives.

Cluster #4 Is a New Regulatory Grouping That Maps Directly to CRA

The 2020 NCAF had four clusters: Cybersecurity governance and standards, Capacity-building and awareness, Legal and regulatory, and Cooperation. NCAF 2.0 keeps four clusters but renames and reshuffles all of them. The most significant structural change for CRA manufacturers is the creation of Cluster #4.

Cluster #4: Regulatory and policy frameworks. Five objectives that did not form a coherent regulatory grouping in 2020:

Objective 16

Balance security with privacy. Moved from the old "Legal and regulatory" cluster. Now a named regulatory instrument alongside supply chain and CVD.

Objective 17

Improve supply chain cybersecurity. In 2020 this sat alongside privacy and incident reporting. Now anchored in its own regulatory cluster with explicit NIS2 and procurement scope.

Objective 18

Protect critical sectors. Expanded from NIS1 terminology (OES/DSP) to NIS2 scope covering Annexes I and II, undersea cables, and the public core of the internet.

Objective 19

Establish a CVD policy. A footnote in 2020. Now a top-level scored objective with three sub-goals: the upstream national infrastructure that CRA Article 14 reporting depends on.

Objective 20

Promote active cyber protection. Did not exist in 2020. Reflects post-2022 active defence policy aligned with NIS2 Recital 57 and the Cyber Solidarity Act.

A government's scores across Cluster #4 tell you which of these instruments are in place. These are the five policy levers governments will use to implement and enforce CRA requirements nationally.

Level 5 is aspirational by design

NCAF 2.0 includes an explicit notice in Section 2.1: "Level 5 is considered as extremely high and very few countries, if any, are expected to reach this level for all objectives." The 2020 version carried no such caveat. This is a deliberate framing choice to make the framework useful as a progress-tracking tool across a realistic range.

Frequently Asked Questions

Does NCAF 2.0 create new obligations for product manufacturers?

No. NCAF 2.0 is a self-assessment tool for national governments, not a regulation for manufacturers. It does not create legal obligations. But it tells you which capabilities your government has committed to building and at what maturity level it currently operates. A government's score on Objective 19 (CVD policy) tells you whether the national vulnerability reporting infrastructure that CRA Article 14 depends on is in place. For your own CVD obligations as a manufacturer under the CRA, see our CVD policy template.

How does Objective 19 (CVD policy) connect to CRA Article 14?

CRA Article 14 requires manufacturers to send an early warning of an actively exploited vulnerability within 24 hours of becoming aware of it, with a fuller notification due within 72 hours. That reporting path requires a functioning national CVD infrastructure on the receiving end. Objective 19 in NCAF 2.0 scores whether that infrastructure exists: a structured CVD process, a national policy for managing vulnerability reports, and legal protections for good-faith researchers. A country at Level 1 on Objective 19 has none of those in place. Manufacturers in that country are reporting into a system that is still being built. For how to structure your own CVD procedure, see our guide on ENISA's 24-hour vulnerability reporting requirements.

Is NCAF the same as NIS2 compliance assessment?

No. NCAF measures national cybersecurity strategy maturity, not entity-level NIS2 compliance. A government can score well on NCAF and still have gaps in how it supervises essential entities under NIS2. The connection is that several NCAF objectives are tied directly to NIS2 requirements: Objective 13 (strengthen national cybersecurity governance) covers the coordination mechanisms NIS2 requires, and Objective 14 (establish cybersecurity risk-management measures) maps to NIS2 Article 21. NCAF 2.0 can also be used as a tool in voluntary NIS2 Article 19 peer reviews between Member States. For how NIS2 and CRA obligations overlap for manufacturers, see the NIS2 and CRA overlap guide.

Can we use NCAF 2.0 to benchmark our own product security?

Not directly. NCAF 2.0 is designed for national governments assessing their NCSS. The "you" in NCAF questions refers to the Member State. That said, the goals and maturity questions for Objective 1 (private-sector cyber resilience, including SMEs) describe what a mature national cybersecurity programme expects of private-sector entities. Reading the Level 3 and Level 4 questions for Objective 1 tells you what a government at that maturity level will expect your organisation to demonstrate. For a direct assessment of your products against CRA requirements, use the CRA applicability check.

When will governments start using NCAF 2.0?

ENISA published NCAF 2.0 in April 2026 as a voluntary tool governments can use from now. There is no mandatory start date. Greece, Italy, and Luxembourg piloted the first draft. Luxembourg highlighted NCAF's value for structured NCSS preparation and the need for simplification. Italy noted it provides useful strategic input for the forthcoming policy cycle and helps support prioritisation and benchmarks against the EU Cybersecurity Index. Greece underlined its alignment with NIS2 and its usefulness in mapping national policies and identifying gaps. These are the observations the pilot countries shared during development, as recorded in Section 1.2.6 of NCAF 2.0.

What happened to the 2020 "future considerations" objectives?

The 2020 NCAF listed five objectives that were studied but excluded, flagged as potential future additions: sector-specific cybersecurity strategies, fighting disinformation campaigns, securing cutting-edge technologies (5G, AI, quantum computing), ensuring data sovereignty, and providing incentives for the cyber insurance industry. None of those five appear in NCAF 2.0 as standalone objectives. AI and post-quantum cryptography appear inside the goals for Objective 4 (foster R&D and innovation) as named examples, but not as separate scored items. The 2.0 version also removes the annex that listed those 2020 future considerations.

Next Steps

What to do now

  1. Read the three sub-goals for Objective 19 (CVD policy) in NCAF 2.0 Section 2.3 and compare them against your current CRA Article 14 procedure. The goals describe what a national CVD infrastructure needs to include: a structured reporting process, a policy for managing vulnerability reports, and legal protections for researchers. Your internal process should be ready to connect to it. Start with our CVD policy template.
  2. Check Objective 17 (supply chain) goals against your supplier due diligence process. One of the NCAF 2.0 goals requires governments to ensure public procurement procedures "include clear cybersecurity requirements and prioritise the selection of trustworthy and reliable suppliers." That standard will be applied to what you buy and to what your customers buy from you. See the supplier due diligence questionnaire.
  3. If your products go into critical sectors or public procurement, read Objective 18 (protect critical sectors) closely. The goals reference NIS2 Annexes I and II and the CER Directive. Those sectors are where CRA enforcement will be most active. For how NIS2 and CRA intersect at the entity level, see the NIS2 and CRA overlap guide.
  4. Read the Level 4 questions for Objective 1 in NCAF 2.0 Section 3. That is the level where governments are scored on whether their mandatory standards requirements align with the CRA by name. Those questions describe what a mature government expects of private-sector entities on cybersecurity. They are the clearest published signal of where enforcement expectations are heading.
  5. Download NCAF 2.0 from the ENISA publications page and check which of the 20 objectives your country's current NCSS covers. A country whose NCSS does not include an objective will score zero on that objective by default. That tells you exactly which policy instruments are not yet in place in your market.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
