ENISA releases ECSMAF v2.0 to analyze EU cybersecurity market, improve guidance to cybersecurity stakeholders

The European Union Agency for Cybersecurity (ENISA) released Monday a ‘cornerstone’ document of the agency’s activities in analyzing the European Union cybersecurity market, presenting an updated cybersecurity market analysis framework, with guidance on how EU cybersecurity market analyses can be performed. The ENISA Cybersecurity Market Analysis Framework (ECSMAF) v2.0 also contributes to the implementation of the Cybersecurity Act (CSA) supporting a strong EU cybersecurity market, using regulatory oversight and cybersecurity certification, as well as the EU’s December 2020 Cybersecurity Strategy for the Digital Decade. 

With this cybersecurity market analysis framework, ENISA aims to perform ‘analyses of the main trends in the cybersecurity market on both the demand and supply sides, to foster the cybersecurity market in the Union,’ define a method for market analysts for analyzing cybersecurity market segments, and amalgamating knowledge from cybersecurity market analyses. It also aims to serve as a guide for any stakeholder undertaking a cybersecurity market analysis. 

The ECSMAF v2.0 intends to help the agency and its stakeholders identify cybersecurity fields that are innovative, emerging, and have the potential for both demand and supply. It is also meant to zero in on cybersecurity market investment opportunities and risks based on demand and supply requirements, and help promote an EU-based security market and its objectives by analyzing and monitoring the EU cybersecurity market and its evolution. 

It also works towards assessing the importance of market segments in the context of potential threats and vulnerabilities and evaluating market needs for cybersecurity certification; and leveraging cybersecurity market data for informed policy decisions regarding cybersecurity within the EU and Member States. It also seeks to support the European cybersecurity market analysts by applying a comprehensive, structured approach to the analysis of the market prospects for new products, services, and/or processes.

The framework is aimed at supporting EU institutions, bodies and agencies (EUIBAs), including the European Commission and its Directorates Generals; national public authorities, particularly cybersecurity authorities; and ENISA stakeholder groups, like the European Cybersecurity Certification Group (ECCG), Stakeholder Cybersecurity Certification Group (SCCG), and ENISA Advisory Group. The framework may support decision-making for prioritizing certification efforts and spotting market gaps.

The ECSMAF v2.0 also covers industry and cross-sectoral associations, such as the TIC Council, the European Cyber Security Organisation (ECSO), and the Information Security Forum (ISF). It is also applicable to consumer organizations and associations, and research institutions which may use the proposed methodology to assess the maturity of existing products and markets and guide the development of new technologies and services.

The framework is also aimed at companies that provide cybersecurity products, services, and/or processes (supply side) which the European Council has estimated that there are 60,000 such companies in Europe. It also covers companies that need cybersecurity technologies, products, services, and/or processes (demand side), as these vendors may have information security professionals and/or procurement personnel who need to improve their companies’ cybersecurity. Lastly, the framework targets venture capitalists to make them aware of investment opportunities in the cybersecurity realm.

The ECSMAF v2.0 consists of seven steps, which market analysts can follow for identifying a segment of the cybersecurity market to be analyzed and for conducting the analysis. These include choosing the market segment for analysis; the scope of the market segment for analysis; analyzing the market segment, deciding what to ask stakeholders; collecting the data; analyzing the data, and disseminating the results.

When choosing the market segment for analysis, the ENISA framework lays down that the goals of the market analysis must be established, priorities must be assessed, the validation criteria must be developed and assessed, and the infrastructure and stakeholders must be identified. When it comes to evaluating the scope of the market segment for analysis, ENISA points to setting the scope, grouping scoping criteria, and considering a budget for the market analysis. 

At the point of analyzing the market segment, the ECSMAF v2.0 identifies the need to describe the infrastructure, identify assets, identify requirements/challenges, identify value stack elements, and identify market segmentation stakeholders. When it comes to deciding what to ask stakeholders, the document suggests identifying participating market stakeholder types and deciding on questions to ask the stakeholders. 

Moving over to collecting the data, the framework proposes conducting primary research, conducting secondary research, and taking into account ethics and data protection. At the step of analyzing the data, the ECSMAF v2.0 lays down the process of the data collected, identifying interesting findings, examining contextual factors; detecting trends, and assessing the sustainability, innovation, and evolution of the market, Lastly, the ENISA framework addresses disseminating the results, which includes identifying the tools for presenting the market analysis results, visualize the results with graphics, and assessing the effectiveness of the dissemination activities. 

In conclusion, the ENISA said that the ECSMAF v2.0 framework is an evolution of the ECSMAF Version 1.0 (V1.0) with the lessons learned from the pilots, i.e. the ENISA EU Cybersecurity Market Analysis – IoT in Distribution Grids and Cloud Cybersecurity Market Analysis. “It is entirely possible that it will be followed by subsequent versions, especially based on the lessons learned from other pilot analyses that may be conducted in the future and if we receive feedback from stakeholders about how we can improve it and how they can use it to improve the EU’s position in the cybersecurity domain,” it added. 

Doing so is not only to vitalize the EU cybersecurity market but also to contribute to the EU digital sovereignty, ENISA added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.