ENISA NCAF 2.0 and NIS2 Article 19 Peer Reviews: What the New National Cybersecurity Assessment Framework Means for Your Compliance Audit (2026)

ENISA published the updated National Capabilities Assessment Framework — NCAF 2.0 — on April 22, 2026. It replaces NCAF 1.0 with a revised methodology aligned to the NIS2 Directive (EU) 2022/2555 and supports Member States in preparing for the voluntary peer review mechanism under NIS2 Article 19. The framework is voluntary for Member States, but its consequences for essential and important entities are indirect and real: how your national competent authority (NCA) performs on the 20 NCAF 2.0 strategic objectives determines where that NCA concentrates enforcement resources — and which of your Art.21 security obligations will face the closest scrutiny before the June 30, 2026 compliance audit deadline.

This guide explains what NCAF 2.0 contains, how NIS2 Art.19 peer reviews operate, and what the framework means for developer teams and CISOs preparing NIS2 compliance documentation.

What NCAF 2.0 Actually Is

NCAF 2.0 is a self-assessment methodology produced by ENISA for national authorities — NCAs, CSIRTs, and government ministries responsible for national cybersecurity strategies (NCSS). It is not an audit standard applied to individual companies. ENISA describes it as "voluntary, flexible, and adaptable."

The framework assesses maturity across 20 strategic objectives organised into thematic clusters derived from ENISA's National Cybersecurity Strategies Map. NCAF 2.0 updates three aspects of the 1.0 version:

1. Incorporates new NIS2 requirements — NIS2 Article 7 mandates that each Member State adopt an NCSS. NCAF 2.0 now maps its strategic objectives against specific NIS2 NCSS requirements, so Member States can use the framework to verify their strategy is NIS2-compliant before a peer review.

2. Revised maturity level descriptions — The five maturity levels (Initial, Managed, Defined, Quantitatively Managed, Optimising — aligned with CMM-like progression) are now defined with more precise behavioural indicators, reducing inter-assessor variance in peer reviews.

3. Reorganised objective clustering — The clusters now group strategic objectives to reflect NIS2's structure (governance, threat intelligence, incident response, education, critical infrastructure protection, international cooperation) rather than ENISA's earlier NCSS-map categories.

Why NCAF 2.0 Matters When You Are Not the Target

NCAF 2.0 is addressed to "policymakers, experts and government officials" — not to software developers or security teams at essential entities. So why should you care?

Because NCA enforcement priorities are shaped by capability gaps. An NCA that assesses itself as low-maturity on incident response coordination will channel resources into incident response audits of entities — pushing Art.23 notification compliance up its enforcement agenda. An NCA that identifies gaps in supply chain security oversight will prioritise Art.21(2)(d) supply chain audits.

NCAF 2.0 makes these capability gaps explicit and structured for the first time. When your NCA uses NCAF 2.0 for self-assessment, you get a public signal — through ENISA's annual State of Cybersecurity report under NIS2 Art.18 and the peer review reports — about where enforcement will concentrate in the next 12–24 months.

from dataclasses import dataclass, field
from enum import Enum


class MaturityLevel(Enum):
    INITIAL = 1           # Ad-hoc, no systematic approach
    MANAGED = 2           # Processes exist but not standardised
    DEFINED = 3           # Standardised, documented, communicated
    QUANTITATIVELY_MANAGED = 4  # Measured, controlled
    OPTIMISING = 5        # Continuous improvement


@dataclass
class NCAFObjectiveScore:
    """Represents a NCA's self-assessed score on one NCAF 2.0 strategic objective."""
    objective_id: str
    objective_name: str
    cluster: str
    maturity_level: MaturityLevel
    nis2_article_mapping: list[str]  # NIS2 articles this objective supports

    def is_enforcement_gap(self) -> bool:
        """
        NCA scores below 'Defined' (level 3) indicate capability gaps that
        are likely to manifest as stronger enforcement pressure in that domain.
        Entities in sectors covered by those NIS2 articles face higher audit risk.
        """
        return self.maturity_level.value < MaturityLevel.DEFINED.value


@dataclass
class NCAEnforcementProfile:
    """
    Builds a predictive enforcement profile for an NCA based on NCAF 2.0 scores.
    Used to prioritise which NIS2 obligations to harden before the June 30 audit.
    """
    nca_country: str
    ncaf_scores: list[NCAFObjectiveScore] = field(default_factory=list)

    def enforcement_priorities(self) -> list[str]:
        """
        Returns NIS2 articles most likely to face enforcement, ranked by
        NCA capability gap severity (lowest maturity first).
        """
        gaps = [s for s in self.ncaf_scores if s.is_enforcement_gap()]
        gaps.sort(key=lambda s: s.maturity_level.value)

        priority_articles = []
        seen = set()
        for gap in gaps:
            for article in gap.nis2_article_mapping:
                if article not in seen:
                    priority_articles.append(article)
                    seen.add(article)
        return priority_articles

    def high_risk_clusters(self) -> list[str]:
        """Returns clusters where NCA maturity is below Defined level."""
        return list({
            s.cluster for s in self.ncaf_scores
            if s.maturity_level.value < MaturityLevel.DEFINED.value
        })

    def peer_review_readiness(self) -> bool:
        """
        NIS2 Art.19 peer reviews evaluate whether the NCA's capabilities
        meet EU-level benchmarks. If average maturity across the 20 objectives
        is below Defined (3), the NCA is unlikely to volunteer for peer review.
        """
        if not self.ncaf_scores:
            return False
        avg = sum(s.maturity_level.value for s in self.ncaf_scores) / len(self.ncaf_scores)
        return avg >= MaturityLevel.DEFINED.value


# Example: building an enforcement profile from publicly available NCAF data
# (Germany BfV/BSI context — illustrative; actual NCAF data published by ENISA)
de_nca = NCAEnforcementProfile(nca_country="DE")
de_nca.ncaf_scores = [
    NCAFObjectiveScore(
        objective_id="01",
        objective_name="National Cybersecurity Strategy Governance",
        cluster="Governance",
        maturity_level=MaturityLevel.DEFINED,
        nis2_article_mapping=["Art.7"],
    ),
    NCAFObjectiveScore(
        objective_id="04",
        objective_name="Incident Response and Crisis Management",
        cluster="Incident Management",
        maturity_level=MaturityLevel.MANAGED,  # gap
        nis2_article_mapping=["Art.9", "Art.10", "Art.23", "Art.24"],
    ),
    NCAFObjectiveScore(
        objective_id="07",
        objective_name="Cyber Threat Intelligence and Information Sharing",
        cluster="Threat Intelligence",
        maturity_level=MaturityLevel.DEFINED,
        nis2_article_mapping=["Art.29"],
    ),
    NCAFObjectiveScore(
        objective_id="11",
        objective_name="Supply Chain Cybersecurity",
        cluster="Critical Infrastructure",
        maturity_level=MaturityLevel.INITIAL,  # gap — enforcement priority
        nis2_article_mapping=["Art.21(2)(d)", "Art.29"],
    ),
    NCAFObjectiveScore(
        objective_id="14",
        objective_name="Education and Training",
        cluster="Human Capital",
        maturity_level=MaturityLevel.MANAGED,
        nis2_article_mapping=["Art.21(2)(g)"],
    ),
]

print("Enforcement priorities (NIS2 articles, highest risk first):")
for article in de_nca.enforcement_priorities():
    print(f"  → {article}")

print(f"\nHigh-risk enforcement clusters: {de_nca.high_risk_clusters()}")
print(f"NCA peer review ready: {de_nca.peer_review_readiness()}")

Output:

Enforcement priorities (NIS2 articles, highest risk first):
  → Art.21(2)(d)
  → Art.29
  → Art.9
  → Art.10
  → Art.23
  → Art.24
  → Art.21(2)(g)

High-risk enforcement clusters: ['Critical Infrastructure', 'Incident Management', 'Human Capital']
NCA peer review ready: False

The model above is illustrative — actual NCA NCAF scores are published by ENISA after peer reviews. But the pattern is consistent: when your NCA publishes or is reviewed on NCAF 2.0 data, that data tells you where to concentrate your own compliance investment.

NIS2 Article 19: Peer Reviews — Mechanics and Scope

NIS2 Art.19 creates a voluntary peer learning mechanism for Member States. It is not an audit of individual entities — it evaluates the cybersecurity capabilities of the Member State's national authorities. Understanding the mechanics is important for developers and CISOs because the outputs of peer reviews directly influence NCA enforcement posture.

How Peer Reviews Work Under Art.19

Participation is voluntary. A Member State requests a peer review or the Cooperation Group proposes one by agreement. The reviewed Member State cannot be forced to undergo a review, but peer review participation signals EU-level confidence in that NCA.

Methodology established January 17, 2025. The NIS2 Cooperation Group, with ENISA and Commission assistance, finalised the peer review methodology and organisational arrangements. NCAF 2.0 was designed to align with this methodology — providing the self-assessment baseline that NCAs complete before a peer review.

Expert composition. Peer reviews are conducted by cybersecurity experts from at least two Member States different from the reviewed state. ENISA provides technical secretariat support. The experts assess the NCA's capabilities against the NCAF 2.0 strategic objectives.

Two-year non-re-evaluation period. Once a Member State undergoes a peer review on specific aspects, those aspects cannot be reviewed again for two years. This creates a cycle: early participants gain visibility and credibility, later participants face a more established benchmark.

Review scope — what Art.19 evaluates:

What Art.19 Does NOT Evaluate

Peer reviews do not audit individual essential or important entities. If your NCA undergoes a peer review in 2026, your company's Art.21 compliance posture is not directly assessed. However, the peer review report will identify whether your NCA's supervision mechanisms are adequate — and inadequate supervision typically triggers ENISA or Commission follow-up, which increases NCA enforcement activity.

Peer Review Reports: Reading Them for Enforcement Signals

ENISA publishes peer review reports (with sensitive data redacted). For compliance teams, the key sections to read are:

1. NCA supervision capacity — if the review finds the NCA lacks resources to conduct systematic proactive supervision, expect reactive enforcement (incident-triggered) rather than proactive audits
2. Art.21 implementation assessment — identifies which of the Art.21(2) security measures the NCA considers priority enforcement targets in its jurisdiction
3. CSIRT incident handling — reveals whether Art.23 notifications are being processed systematically or backlogged
4. Supply chain oversight — Art.21(2)(d) supply chain security is the most common capability gap identified in national cybersecurity strategies

NCAF 2.0 and the June 30, 2026 NIS2 Audit Deadline

The June 30, 2026 deadline marks the expected start of first systematic NIS2 compliance audits in most Member States. NCAs have been transposing NIS2 since January 2023 and have had supervisory powers since October 2024. By June 2026, NCAs are expected to begin moving from self-registration to active verification.

NCAF 2.0 is timed for this transition. Member States that self-assess using NCAF 2.0 before June 2026 will have a structured view of their capability gaps — and will direct audit resources accordingly.

The Enforcement Concentration Pattern

Based on the NCAF objective clusters and known national strategy gaps across EU Member States, the most commonly under-developed NCAF clusters are:

Supply Chain Cybersecurity — Only a minority of Member States have implemented systematic supply chain risk assessment programs. NIS2 Art.21(2)(d) is therefore the highest-risk enforcement area for essential entities with complex ICT supply chains.

Incident Response Coordination — Art.23 notification compliance is inconsistently enforced across Member States. NCAs that score poorly on NCAF incident response objectives are likely to prioritise Art.23 early warning compliance in 2026 audits.

Vulnerability Disclosure — NIS2 Art.12 establishes coordinated vulnerability disclosure, but NCAF assessments consistently show implementation gaps. Entities with public-facing web infrastructure should ensure their VDP (Vulnerability Disclosure Policy) is documented.

Human Capital and Training — Art.21(2)(g) requires that security measures address security-in-development practices. NCAs that score low on education objectives may focus audits on developer security training documentation.

The Self-Assessment Tool: NCAF 2.0 Online

ENISA provides NCAF 2.0 as an online self-assessment tool (ncaf.enisa.europa.eu), addressing policymakers rather than entities. However, the tool's structure reveals the assessment dimensions NCAs apply when evaluating their own capabilities — and by extension, what they look for when auditing entities.

The five maturity levels in NCAF 2.0 map to audit outcomes in practice:

When your NCA reaches level 3 on incident response (Defined), expect Art.23 enforcement to shift from advisory to sanction-capable.

What NCAF 2.0 Means for Your Art.21 Security Measures

The 20 NCAF strategic objectives align with the ten specific security measures mandated by NIS2 Art.21(2). The alignment is not one-to-one, but the following mapping reflects the NCAF 2.0 cluster structure:

For essential and important entities preparing June 2026 audits: prioritise Art.21(2)(b), (c), and (d) documentation regardless of your sector. These are the most common NCAF capability gaps — and therefore the most likely first-wave enforcement targets in every Member State.

Preparing for NCA Scrutiny: A Practical Approach

Step 1: Identify your NCA's NCAF Position

Not all NCAs publish NCAF self-assessments. However, you can infer your NCA's maturity from:

• NIS2 transposition status (later transposition = lower governance maturity)
• Published NCA supervision plans or work programs
• ENISA's annual NIS report (Art.18 report) — aggregates NCA capability data
• Peer review reports already published (available on ENISA's website)

Step 2: Map NCAF Gaps to Your Internal Gaps

The NCAF gap areas that most frequently correspond to entity compliance failures are identical. An NCA that struggles to coordinate incident response across sectors has entities that lack Art.23-compliant incident detection and notification procedures. If your NCA has this gap, assume your own Art.23 procedures will be scrutinised first.

Step 3: Document Before June 30

The Art.19 peer review cycle creates a predictable enforcement wave: NCAs that undergo peer reviews in H1 2026 receive reports by Q3 2026, which then inform H2 2026 enforcement plans. If your NCA participates in an early peer review, your sector may face structured audits by Q4 2026.

The minimum documentation set to have ready before June 30:

• Art.21(1) risk assessment (documented, dated, signed by management)
• Art.21(2)(b) incident handling procedure (with Art.23 notification thresholds)
• Art.21(2)(d) supply chain security policy (supplier register, risk tiering)
• Art.21(2)(f) vulnerability disclosure policy (published, referenced in your technical documentation)

NCAF 2.0 and NIS2 Article 19: Entity-Level Compliance Checklist (20 Items)

Understanding the Framework

1. ☐ Verify whether your NCA has published an NCAF 2.0 self-assessment or participated in an Art.19 peer review — this signals which NCAF clusters your NCA identifies as gaps
2. ☐ Check ENISA's annual NIS report (most recent: Art.18 report 2025/2026) for aggregated NCA capability data relevant to your Member State
3. ☐ Monitor ENISA's peer review publication page for reports covering your NCA — peer review reports identify specific enforcement priorities
4. ☐ Map NCAF gap clusters (Incident Management, Critical Infrastructure, Threat Intelligence) to your own Art.21 documentation to prioritise remediation

Art.21(2)(b) — Incident Handling (Highest NCAF Gap Frequency)

1. ☐ Document your incident classification procedure with explicit thresholds distinguishing "significant incidents" (Art.23 notification trigger) from internal incidents
2. ☐ Verify your Art.23 early warning timeline (24 hours), intermediate report (72 hours), and final report (1 month) are implemented with named responsible contacts
3. ☐ Test your Art.23 procedure: can your team actually produce an early warning within 24 hours? Run a tabletop exercise and document the outcome
4. ☐ Establish a log of all incidents assessed against the Art.23 significance threshold — including those that did not trigger notification — to demonstrate systematic assessment to an NCA auditor

Art.21(2)(d) — Supply Chain Security (Most Common NCAF Gap)

1. ☐ Create a supplier register covering all ICT service providers that could affect the security of your network and information systems
2. ☐ Risk-tier suppliers into at least three levels: Critical (direct access to production), Important (indirect access or SaaS tools used in production), Standard (no security-relevant access)
3. ☐ Document contractual security requirements for Critical and Important suppliers — reference Art.21(2)(d) in supplier agreements
4. ☐ Conduct at least one documented supply chain security assessment (questionnaire-based is sufficient) before June 30 — document date, methodology, findings, and remediation plan

Art.21(2)(f) — Vulnerability Disclosure (Art.12 CVD)

1. ☐ Publish a Vulnerability Disclosure Policy (VDP) if you operate network-accessible services — ENISA's CVD framework (Art.12) applies if you are an important or essential entity
2. ☐ Register as a coordinating CSIRT-contact entity for your sector if your NCA requires it — check your NCA's CVD implementation guidance

Art.19 Peer Review Preparation (for NCAs — awareness for entities)

1. ☐ Track whether your Member State has announced Art.19 peer review participation — announced reviews create public-sector awareness campaigns that increase entity compliance scrutiny in the review window
2. ☐ If your NCA undergoes a peer review: prepare for follow-up questionnaires from your NCA as it gathers entity-level data to substantiate its self-assessment

Art.21(2)(g) — Security Training

1. ☐ Document a security awareness training program covering at minimum: phishing, social engineering, and secure coding basics — Art.21(2)(g) requires measures to address human factors
2. ☐ Record training completion by technical staff — NCA auditors frequently request evidence that security training is conducted, not just that a policy exists

Governance and Management

1. ☐ Ensure management body has approved your NIS2 cybersecurity risk management measures under Art.20 — Art.20 creates personal liability for management for NIS2 compliance failures
2. ☐ Register in your NCA's entity register before June 30 — many Member States use self-registration as the trigger for proactive NCA supervision; unregistered entities face retroactive enforcement risk

See Also

• NIS2 Art.13–16: Union Crisis Response, International Cooperation, Peer Reviews, and ENISA Reporting
• NIS2 Art.9–12: CSIRT Network, EU-CyCLONe, ENISA Coordinated Vulnerability Disclosure
• ENISA NIS2 Technical Guidelines — Art.21 Security Measures Implementation
• NIS2 Art.17–21: Governance, Jurisdiction, DNS Liability, Risk Management and the 10 Security Measures
• NIS2 Amendment (Digital Omnibus + CSA 2.0): Changes for SaaS Developers 2026 — the Digital Omnibus amends NIS2 Art.21 proportionality thresholds directly relevant to NCAF 2.0 peer review scope and the June 30 compliance deadline