Editor’s Note: The EU’s approach to cybersecurity market intelligence has shifted from sporadic snapshots to structured, repeatable analysis — and ENISA’s updated ECSMAF framework is the methodological engine behind that shift. Version 3.0, released in March 2026, introduces configurable analytical pathways, support for recurrent analysis, and a continuous market monitoring model designed to operate alongside the Cyber Resilience Act and NIS 2 enforcement.

For cybersecurity, information governance, and eDiscovery professionals, the update signals that market assessments touching their domains will become both more frequent and more data-driven. Vendor evaluations, compliance benchmarking, and cross-border procurement standards are all downstream of the kind of structured intelligence ECSMAF is built to produce. Organizations operating as data providers, stakeholders, or regulated entities in ENISA’s market studies should prepare for deeper and more systematic engagement cycles.

Watch for how continuous market monitoring matures in tandem with CRA implementation — the framework’s capacity to detect systemic risk across product categories early will determine whether EU market oversight keeps pace with the threats it tracks.

ENISA Overhauls Its Cybersecurity Market Analysis Playbook With Version 3.0 of ECSMAF

ComplexDiscovery Staff

Europe’s ability to understand, measure, and act on cybersecurity market dynamics just got a methodological upgrade. The European Union Agency for Cybersecurity, ENISA, released Version 3.0 of its Cybersecurity Market Analysis Framework — known as ECSMAF — in March 2026, delivering the most substantial revision of the analytical tool since its inception in 2022.

The update arrives at a moment when EU policymakers and regulated industries are grappling with overlapping compliance deadlines. The Cyber Resilience Act’s mandatory vulnerability-reporting obligations take effect in September 2026, NIS 2 Directive enforcement is ramping up across Member States, and the European cybersecurity market — estimated between $55 billion and $82 billion in 2025, depending on the research firm — continues to expand at compound annual growth rates that multiple analysts peg between 8 and 11 percent. Against that backdrop, ENISA’s retooled framework aims to close a gap that its own analysts identified through three years of field application: the original ECSMAF worked well for one-off studies but struggled to support the kind of sustained, repeatable market intelligence that regulators and industry stakeholders increasingly demand.

ECSMAF V3.0 was developed jointly by ENISA staff and researchers at Università Bocconi in Milan. The authoring team — Nico Abbatemarco, Benedetta Burston, and Greta Nasi from Bocconi, alongside ENISA’s Louis Marinos and Silvia Portesi — built the revision on lessons drawn from applying earlier versions to concrete market studies. The cloud cybersecurity, cryptographic products and services, and managed security services analyses — conducted under ECSMAF V2.0 — most directly shaped the V3.0 overhaul, while an earlier IoT in distribution grids pilot informed the original framework’s design.

At its core, the framework retains the seven-step workflow that analysts follow when examining a cybersecurity market segment: initiate the analysis, scope the market segment, analyze the segment, describe the research methodology, collect data, analyze the data, and present and disseminate the results. Each step involves defined actions, validation checkpoints, and preparation for follow-up work.

What changes in Version 3.0 is how those steps adapt to different operational realities. The framework now organizes analytical pathways around two structural pillars — initiation and duration. Initiation distinguishes between planned analyses, which are anchored in ENISA’s strategic programming, and ad hoc analyses triggered by external requests from, for example, the European Commission, an EU Member State, or a cybersecurity event that demands rapid market assessment. Duration separates short engagements (under six months) from long ones (over six months), with each configuration carrying its own guidance on data collection methods, stakeholder engagement depth, and resource allocation.

A short, ad hoc analysis might rely primarily on desk research, existing secondary datasets, and targeted expert interviews, with initiation and scoping consuming a combined 40 percent of the total effort. A long, planned study would deploy full primary and secondary data collection, in-depth interview campaigns, tailored stakeholder engagement plans, and reusable modular tools such as standardized taxonomies and question banks. ENISA’s own experience indicates that long planned analyses typically require around 15 person-months over a 10-month period, while short ad hoc work runs roughly six person-months across four months.

Perhaps the most forward-looking addition is the framework’s explicit support for recurrent market analysis and continuous market monitoring — capabilities that earlier versions addressed only in passing. Recurrent analyses generate periodic snapshots of the same market segment, enabling year-over-year comparisons and trend identification. They reuse scoping categories, stakeholder maps, and data collection instruments from initial rounds, making each subsequent cycle faster and cheaper to execute.

Continuous market monitoring goes a step further. ENISA defines it as a permanent, semi-automated process for tracking market events — product vulnerabilities, certification changes, company acquisitions, shifts in open-source software supply chains — and triggering full market analyses when predefined rules are violated. The framework pays particular attention to OSS risk, distinguishing between vulnerabilities in community-driven projects without formal stewardship, those in foundation-managed projects with defined vulnerability management processes, and those in commercial OSS components offered by manufacturers under the CRA. That three-tier distinction matters because the high reusability of open-source modules means a single vulnerable component can cascade across a broad swath of products, generating systemic market impact. The framework draws an explicit analogy to system monitoring in IT operations: continuous monitoring detects anomalies, while the seven-step analysis process investigates root causes and recommends corrective action.

This monitoring dimension ties directly to the Cyber Resilience Act. As CRA implementation progresses, product categories will be subject to closer regulatory scrutiny, software bills of materials will create richer data streams, and technical cybersecurity events will be linked to product components with greater precision. ENISA positions continuous monitoring as a capability that will mature in parallel with CRA adoption, eventually allowing the agency and its stakeholders to detect systemic risks early, react to changes in certifications and vulnerabilities before they escalate, and spot capability gaps across product categories as they develop.

Three cross-cutting activities run through every step of the ECSMAF process, regardless of configuration. Contextualisation requires analysts to ground their work in the broader landscape of macroeconomic trends, regulatory developments, geopolitical shifts, and emerging technologies — noting, for instance, that a cyberattack on critical infrastructure carries different market implications than one targeting a smaller entity. Validation mandates systematic stakeholder engagement to test assumptions, verify outputs, and enforce minimum quality thresholds, including requirements around data volume, source diversity, and data freshness. Preparation for follow-ups ensures that methods, templates, and lessons learned are documented in reusable formats for subsequent studies.

The framework’s target audience extends beyond ENISA itself. While designed primarily for the agency’s internal analysts and public-sector stakeholders, ECSMAF V3.0 is structured to be generic enough for adoption by national authorities, sectoral regulators, research institutes, and private companies seeking to conduct their own cybersecurity market assessments. ENISA envisions a federated model in which Member States conduct local analyses using the same methodology, with results aggregated and compared across jurisdictions to build a collective EU-wide evidence base.

Seventeen annexes accompany the main document, and they represent one of Version 3.0’s most tangible assets for practitioners. The package includes ready-to-use survey templates tailored to four stakeholder types — demand-side organizations, supply-side vendors, regulatory bodies, and research and development institutions — along with scoping criteria matrices, infrastructure mapping guides, coding schemas for qualitative data, practical step-by-step checklists for analysts, and templates for documenting lessons learned. These operational resources — many drawn directly from ENISA’s earlier market studies — are positioned as living tools that will continue to evolve as the framework accumulates additional applications.

ENISA’s market analysis work is grounded in Article 8(7) of the Cybersecurity Act (Regulation (EU) 2019/881), which mandates the agency to perform and disseminate regular analyses of cybersecurity market trends on both demand and supply sides. Recital 42 of the same regulation reinforces that mandate. The January 2026 proposal for a Cybersecurity Act 2 — which would eventually repeal Regulation 2019/881 — signals that the Commission views this market intelligence function as worth expanding, not winding down.

The timing of ECSMAF V3.0 reflects a broader shift in how the EU approaches cybersecurity governance. The European Commission’s January 2026 proposal to amend the NIS 2 Directive would grant ENISA a more operational supervisory role for companies operating across multiple Member States. Combined with the CRA’s expanding product-level requirements and the ongoing maturation of the EU cybersecurity certification framework, the demand for structured, repeatable market intelligence is likely to grow.

For information governance and eDiscovery professionals, the framework carries direct operational implications. ENISA’s market analyses shape EU-level assessments of cybersecurity product categories — assessments that feed into procurement standards, certification expectations, and regulatory benchmarks. When ENISA determines that a market segment such as managed security services shows particular supply-side concentration or demand-side adoption barriers, those findings influence compliance planning, vendor risk evaluation, and cross-border data handling standards that IG and eDiscovery teams navigate daily. Organizations evaluating cybersecurity tools for litigation readiness or regulatory response now have a transparent methodology against which vendors’ market claims can be tested.

The practical takeaway is clear: ENISA is building the infrastructure for a permanent market observatory, and ECSMAF V3.0 is the methodological backbone. Organizations that participate in or are subject to ENISA’s market analyses — whether as data providers, stakeholders, or regulated entities — should expect engagements to become both more frequent and more systematic. Those conducting their own market assessments now have a validated, publicly available framework aligned with the EU’s regulatory architecture.

As the EU’s cybersecurity regulatory stack grows denser and market spending across the continent pushes toward new highs each year, will the shift from one-off studies to continuous monitoring prove fast enough to keep pace with the threats and market disruptions that the framework is designed to track?

Source: ComplexDiscovery OÜ

The post ENISA Overhauls Its Cybersecurity Market Analysis Playbook With Version 3.0 of ECSMAF appeared first on ComplexDiscovery.

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.