European Union: European Union Agency for Cybersecurity released Market Analysis Framework

In March 2026, the European Union Agency for Cybersecurity ( ENISA) released Version 3.0 of the Cybersecurity Market Analysis Framework. This version updates earlier editions published in 2022 and 2023. Issued under Article 8(7) of the Cybersecurity Act Regulation (EU) 2019/881, the framework reflects experience from previous market analyses, including work on cloud cybersecurity, cryptographic products and services, and managed security services. It introduces standardised templates, modular tools, reusable taxonomies, and stakeholder-specific question sets. The framework is supported by seventeen annexes covering infrastructure mapping, value stack taxonomies, barrier and challenge classifications, and mixed methods research approaches. The framework can be used for planned analyses and for analyses requested on an ad hoc basis. It covers both short exercises of less than six months and longer exercises of more than six months. It also supports recurring market analysis and continuous market monitoring. Continuous monitoring is described as an ongoing and partly automated process that tracks market developments based on event detection. It considers technological, process-related, financial, and strategic developments affecting products or companies. The framework includes indicative resource estimates. Longer planned analyses are expected to require about 15 person months over around 10 months. Shorter ad hoc analyses are expected to require about six person months over around four months. The framework is aligned with the Cyber Resilience Act Regulation (EU) 2024/2847 and the NIS2 Directive (EU) 2022/2555. It sets out seven steps for conducting an analysis. These steps cover initiation, scoping, market assessment, defining analytical questions, data collection, data analysis, and the presentation and dissemination of results.