Towards a unified European Cybersecurity Skills Framework: Structural insights from expert elicitation and international standards

The increasing complexity of cyber threats and the widening skills gap in Europe underscore the urgent need for coherent, interoperable strategies to build the cybersecurity workforce. Although several cybersecurity initiatives and frameworks have been proposed, their heterogeneous structures and modelling choices hinder harmonisation across education, training, and labour-market ecosystems. The European Cybersecurity Skills Framework (ECSF) represents a major step toward a common European reference model. However, its adoption raises several challenges related to its internal structure and interoperability with other frameworks. This study analyses the ECSF from a structural perspective, focusing on hierarchical organisation, component granularity, and the relationships among roles, tasks, skills, and knowledge. We employ a structured expert elicitation protocol to carry out a comparative structural analysis of eight cybersecurity skills frameworks, including internationally adopted standards such as NICE, SFIA, ESCO, and CyBOK. Based on this analysis, we identify six structural limitations of the ECSF and propose corresponding enhancement strategies to support its evolution toward a more coherent, expressive, and interoperable European framework. The study was conducted in the context of the AKADIMOS project, which aims to support the development of the European Cybersecurity Skills Academy and contribute to a coordinated effort to bridge the cybersecurity skills gap across the European Union.