国家能力评估框架2.0 - 2026版

NationalCapabilitiesAssessmentFramework 2.0 National Capabilities AssessmentFramework–2026 Edition APRIL2026 About ENISA The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving ahigh common level of cybersecurity across Europe. Established in 2004 and strengthened by the EUCybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy,enhances the trustworthiness of ICT products, services and processes with cybersecurity certificationschemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyberchallenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, theAgency works together with its key stakeholders to strengthen trust in the connected economy, toboost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s societyand citizensdigitally secure. More information about ENISA and its work can be found here:www.enisa.europa.eu. CONTACT For contacting theauthors,please useinfo@enisa.europa.euFor media enquiries about this paper, please usepress@enisa.europa.eu LEGAL NOTICE This publication represents the views and interpretations of ENISA, unless stated otherwise. It doesnot endorsea regulatory obligation of ENISA or of ENISA bodies pursuant to Regulation (EU)2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended forinformation purposes only and must be accessible free of charge. All references to it or its use as awhole or in part must contain ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of theexternal sources including external websites referenced in this publication. Neither ENISA nor anyperson acting on its behalf is responsible for the use that might be made of the information containedin this publication. ENISA maintains its intellectual property rights in relation to this publication.Luxembourg: Publications Office of the European Union, 2026 COPYRIGHT NOTICE © European Union Agency for Cybersecurity (ENISA), 2026Unless otherwise noted, the reuse of this document is authorised under the Creative CommonsAttribution 4.0International (CC BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/).This means that reuse is allowed, provided appropriate credit is given and any changes are indicated. Copyright for the image on the cover © ShutterstockFor any use or reproduction of elements that are not owned by the European Union Agency forCybersecurity, permission may need to be sought directly from the respectiverightsholders.ISBN978-92-9204-789-4, DOI10.2824/5812948 USE OF AI-ASSISTED TOOLS AI-assisted toolswere used in a limited capacity to support language refinement, terminologyalignment, translation and preliminary document screening. All outputs were reviewed and validatedby subject-matter experts. No AI-generated content was used without substantivehuman oversight. Table of Contents Document HistoryError! Bookmark not defined. About ENISA1 Glossary of Terms 4 Executive Summary7 1.Introduction 10 1.2Methodological approach11 1.2.1Desk research of publicly availablesources11 1.2.5Reviewing feedback from Member States collected during the survey and developmentof the first draft of NCAF 2.013 1.2.8Finalisation of the NCAF 2.0Error! Bookmark not defined. 1.4Challenges of NCSS evaluation14 1.5Benefits of a national capabilities assessment14 1.6Principles of the framework15 2.NCAF methodology19 2.1Maturity levels19 2.2Strategic objectives identified within the european ncss20 2.3Goals of the strategic objectives21 2.4Clustering of the objectives26 3.NCAF indicators33 3.1Framework indicators 3.1.1Cluster #1: Capacity-building and awareness34 3.1.2Cluster #2: Cooperation and collaboration52 3.1.3Cluster #3: Cybersecurity governance68 3.1.4Cluster #4: Regulatory and policy frameworks89 3.2Guidelines to use the framework103 Annex A–Desk research bibliography106 European Commission documents106 A.2NCSS and related documents of Member States108 Maturity models and indices113 A.3 Annex B–Maturity models review116 B.1Cybersecurity Capacity Maturity Model for Nations (CMM)116B.2CybersecurityCapability Maturity Model (C2M2)117B.3Cybersecurity Maturity Model Certification (CMMC)118B.4Internal Audit Capacity Model (IA-CM) for the Public Sector120B.5The Cybersecurity Strategy Scorecard122B.6The Global Cybersecurity Index (GCI)123B.7The Cyber Defence Index (CDI)123 Glossary of Terms Executive Summary As cybersecurity threats continuously expand and intensify and the legislative landscape of theEuropean Union evolves to tackle these cybersecurity challenges, EU Member States need to reacteffectively by developing and adapting their national cybersecurity strategies (NCSSs). Since 2017, allMember States have had an NCSS. However, the development of a comprehensive NCSS is achallenging and