Stay updated
Stay updated
July 30, 2024

European Cybersecurity Skills Framework – the common language for cybersecurity professional workforce development 

The European Cybersecurity Skills Framework (ECSF), introduced by ENISA in September 2022, provides a practical tool to support the identification and articulation of tasks, competences, skills and knowledge associated with the roles of European cybersecurity professionals. The main purpose of the framework is to create a common understanding between individuals, employers and learning providers across EU Member States, making it a valuable tool to bridge the gap between the cybersecurity professional workplace and learning environments. 

Figure 1: The ECSF’s 12 Role Profiles for Cybersecurity Professionals  
Source: ECSF Part 1: The Framework (ENISA, 2022)  

Each role is defined by a set of key descriptors and criteria, based on a common template 

The 12 role profiles defined by the ECSF provide a common understanding of the main cybersecurity missions, tasks and skills needed in a professional cybersecurity context, making it a valuable reference for profiling skills and knowledge needed by cybersecurity professionals. The roles are defined in a format that can be understood in the workplace (what does the role need to ensure, why and for what, relevant tasks, mission, deliverables), and for learning (what does the role require in terms of skills and knowledge). e-CF competences from the European e-Competence Framework (EN16234-1) that are integrated in each role combine and connect both the workplace and learning perspectives, and provide the link with the broader European Information and Communication Technology (ICT) professional domain. 

Figure 2: The benefits of common cybersecurity professional definitions the ECSF is providing — example Risk Manager.  Source: ECSF User Manual, ENISA (2022) 

Target Audience 

Whilst the ultimate scope of the ECSF framework is cybersecurity core professionals, a particular emphasis is also placed on the ECSF target groups of non- cybersecurity experts who need a comprehensive view of the discipline. This focus makes the framework easy to understand for all stakeholders concerned.  

The target audience for the ECSF includes organisations’ management teams, human resources (HR) and cybersecurity functions, cybersecurity professionals, newcomers and cyber enthusiasts, as well as providers of learning programmes in the public and private context, sector associations, market researchers, and policy makers.

Figure 3: ECSF profiles guiding cybersecurity professional learning 

How the ECSF links to other relevant European standards and frameworks in the field

The ECSF is well connected with the current European ICT professional landscape to ensure easy take-up and broad recognition. The ECSF embedded e-CF competences and levels are focussing on ICT professional workplace proficiency (e-1 to e-5), and they are consistently linked with the learning levels defined by the European Qualifications Framework (EQF 3-8). 

On organisation level: identify the roles that need to be covered (in house, external) — strategy 

The ECSF provides a standard reference set of 12 typical roles executed by cybersecurity professionals from an organisational perspective, covering the cybersecurity needs of the organisations and the cybersecurity processes that need to be followed in order to secure their business, products, services and their supply chains. The framework thus provides a valuable guide and roadmap not only for building, expanding and running cybersecurity related functions within an organisation but also for ensuring its cybersecurity related mission, vision and goals are met. Thus, an organisation can use the ECSF as a guide to quickly and easily access the primary roles needed to manage their cybersecurity risks and build up their cybersecurity approach. At the same time, the ECSF profiles provide a common understanding among the parties involved regarding an organisation’s cybersecurity roles. 

In learning environment, the framework helps to understand the roles with most demand for training and the related competences and skills. 

On policy and strategy level, the framework helps to identify priorities for taking joint action. 

The ECSF thus makes an essential contribution towards strengthening the European cybersecurity culture, as an essential step towards Europe’s digital future.  

Learn more about ECSF