European Cyber Skills Framework

Mansfeld-Südharz, Germany - December 3, 2025

Turning regional apprenticeships into passports that work from Bitterfeld to Barcelona

The European Commission never lacked ambition when it drew rectangles on whiteboards; it lacked translation layers. When ESCO, the European Skills, Competences and Occupations taxonomy, listed 1 487 micro-skills for cyber security, it forgot to mention how a nineteen-year-old apprentice in Köthen could prove she already satisfied half of them by rewiring a Siemens S7 during night shift. The Cyber Resilience Alliance spent the last twelve months closing that gap, not by writing another framework, but by building the first reversible map: a living spreadsheet that reads an Anhalt course catalogue sideways and exports a valid e-CF level 4 certificate upwards. The result feels like a Rosetta stone carved in YAML: same human, same neurons, different grammar, recognised from Sassari to Stockholm.

The starting point was brutally practical. Our academy had twelve modules—firmware fuzzing, policy-as-code, incident response in Low-German slang—running at EQF level 5, the German “staatlich geprüfter Techniker.” Yet when we sent graduates to job interviews in Luxembourg, recruiters asked for “e-CF level 3 with incident coordination descriptor 3.2.A.” The mismatch was linguistic, not intellectual; a learner who could triage a ransomware note in Bitterfeld-Wolfen was still forced to sit through a 40-hour Brussels refresher because no bureaucrat had signed a cross-walk document. We decided to automate the signature. By snapping ESCO codes onto every learning outcome in our Moodle back-end, we can now generate an XML file that plugs directly into the EUROPASS credential wallet. The first test case walked into a job centre in Valencia last month; her wallet flashed green for e-CF 3, and the counsellor skipped the skills interview entirely. One rectangle on a whiteboard suddenly touched the ground.

The technical plumbing is boring on purpose. Each academy unit is broken into micro-credentials of 25 learning hours, the smallest grain that ESCO recognises. We tag every hour with one knowledge descriptor, one skill descriptor and one autonomy-responsibility level, the holy trinity that e-CF demands. Tags are stored as xAPI statements, so when a student completes a sandbox exercise—say, writing a Rego policy that blocks lateral movement—the statement automatically asserts “e-CF KU3-SK3-A3.” A nightly cron job aggregates these atoms into a verifiable credential, signs it with the county’s public key, and pushes it to the learner’s EUROPASS wallet. No manual transcript, no PDF forgery, no begging a professor to answer an accreditation email. The entire pipeline is open source, so a vocational school in Brno or a polytechnic in Porto can fork the repository and start issuing compatible credentials within a weekend, confident that the ontology underneath has already been stress-tested by 200 German apprentices who refuse to click twice.

Governance is where the map becomes a movement. The Alliance signed a memorandum with the European Training Foundation in Turin that treats our tagging engine as a reference implementation for rural regions. The agreement is lightweight: we provide schema updates, ETF supplies political air-cover, and both sides refrain from adding proprietary extensions. In practice this means that whenever the Commission revises ESCO—cyber-physical security was added last spring—our Git repo receives a pull request within five working days, keeping the micro-credentials forever aligned with the master taxonomy. Conversely, when our instructors discover a skill that ESCO has not yet lexicalised—think firmware-side-channel analysis on RISC-V—we submit a change request that flows back into the next release. The loop is the first live feedback channel between a county classroom and a Brussels taxonomy, short-circuiting the decade-long lag that usually plagues standard-setting.

"We turned credentials into packets—once they carry the right headers, they route themselves across any border."

Financial alignment followed the same reversible logic. The county’s education department reimburses training providers 70 % of the cost per issued micro-credential, but only if the credential is mapped to an ESCO code that appears in the federal “Kursnet” database. That single rule nudged every commercial trainer in Saxony-Anhalt to adopt our tagging engine overnight, because refusal would mean losing public subsidies. The result is a self-funding flywheel: more providers tag more hours, more learners accumulate stackable credentials, and the regional labour market receives a steady influx of EU-recognised cyber operators without the Alliance having to build a second campus. In twelve months the credential count crossed 11 000, a microscopic number in Brussels terms but large enough to bend the local unemployment curve for IT security roles from 4.2 % to 1.9 %, the steepest drop recorded in any eastern German state.

portability layer is the final piece. We mapped our credentials not only to e-CF but to the French “Répertoire national des certifications professionnelles” and to the upcoming European Cybersecurity Skills Certification Framework (ECSCF), whose pilot runs until 2027. A learner who completes our level 5 incident-response module receives a badge that contains three embedded assertions: e-CF level 4, RNCP niveau II, and ECSCF intermediate. When that person applies for a job in Toulouse, the French HR system reads the RNCP layer; when she moves to Copenhagen, the e-CF layer lights up; and when she applies for an EU agency clearance, the ECSCF layer satisfies the personnel security branch. The badge itself is a single JSON file, smaller than a holiday photo, but it carries enough semantic density to make human capital as liquid as cloud storage. For the first time in the history of European labour markets, a credential born in a county night school can travel across borders without translation loss, a feat we used to reserve for containerised code, not for people.

The long-term bet is that once a hundred thousand such badges circulate, the framework effect kicks in: employers stop asking for “five years of experience” and start asking for “e-CF level 4 with descriptor 3.2.A,” knowing that any applicant who can flash that badge has already proven the exact competence required. When that shift happens, the labour market becomes a routing protocol instead of a guessing game, and regions like Anhalt-Bitterfeld stop being fly-over country and turn into origin nodes for certified talent. We do not need to build a giant campus; we only need to keep the map honest, the tags current and the wallets free. The rest is packet switching for humans.

The Cyber Resilience Alliance is a public-private partnership established 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and an cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.