ENISA National Cybersecurity Strategies Guidelines
The Network and Information Security Directive, which entered into force in 2016, requires EU Member States to develop and adopt a national cybersecurity strategy (NCSS) to meet current and emerging cybersecurity threats. To support the efforts of these member states, the European Union Agency for Cybersecurity (ENISA) provides guidelines on how to develop, implement and update a NCSS.
Definition and purpose
The ENISA National Cybersecurity Strategies Guidelines aim to provide good practices for developing, implementing, and updating NCSS based on analysis of existing strategies. Their primary purpose is to enhance the overall level of cybersecurity preparedness of the Member States both at the national and EU level.
ENISA has also built a National Capabilities Assessment Framework (NCAF) to enable Member States to self-assess their level of maturity against their NCSS objectives and build and enhance their cybersecurity capabilities both at the strategic and operational level.
ENISA is responsible for the development and maintenance of the National Cybersecurity Strategies guidelines. It is an agency of the European Union that works closely with EU Member States and EU bodies in order to achieve a high common level of cybersecurity across Europe.
The ENISA National Cybersecurity Strategies Guidelines are periodically updated to to assist EU Member States in further building their cybersecurity capacities. The latest report was published in November 2021 and included guidelines for incorporating cybersecurity awareness into national cybersecurity strategies.
The ENISA Guidelines are designed for the whole cybersecurity ecosystem, but the specific target audience is national and EU policy and decision makers, operators of essential services and digital service providers, public and private sector organizations, and research organizations.
Controls and requirements
Rather than provide prescriptive controls or requirements, the ENISA Guidelines provides a wide range of best practices and recommendations, such as:
- Set the vision, scope, objectives and priorities for your NCSS
- Conduct a national risk assessment
- Identify and take into account existing policies, regulations and capabilities
- Develop within the NCSS a clear vision for national cybersecurity awareness raising, assigning clear roles and responsibilities to the different stakeholders involved.
- Provide regular analysis and reports of the threat environment.
- Involve stakeholders while developing and implementing innovation priorities both at National and EU level.
This list is not exhaustive. Please refer to the official ENISA documentation for the most comprehensive overview of ENISA guidelines.
Audit type, frequency, and duration
Member States can perform a self-assessment to measure the level of maturity of their cybersecurity capabilities using ENISA’s National Capabilities Assessment Framework (NCAF). These self-assessments should be performed periodically in order improve their maturity over time.