The NIST Cybersecurity Framework (CSF) 2.0, published on 26 February 2024, is one of the most widely adopted security frameworks in the world. Although it comes from a US agency, it is voluntary, free and sector- and technology-agnostic, which makes it a good backbone for European SMEs. Its real value is structure: it gives you a common language for organising security work and a clean way to map your programme onto regulatory and certification regimes such as NIS2 and ISO 27001.
TL;DR
- CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, Recover.
- Govern is the new function — it elevates cybersecurity to a board-level risk topic.
- Scope expanded from critical infrastructure to all organisations, of any size.
- Use Tiers (1–4) to characterise how rigorous your risk governance and management practices are (NIST stresses they are not maturity levels) and Profiles to plan the path from current to target state.
- It is voluntary but maps cleanly to NIS2 obligations and ISO 27001 controls.
The six functions
CSF 2.0’s core organises outcomes into six functions, 22 categories and 106 subcategories. The headline change from version 1.1 is the addition of Govern, which sits at the centre of the framework and informs how the other five functions are implemented.
| Function | What it covers |
|---|---|
| Govern (GV) | Strategy, roles, policy, risk appetite, supply-chain risk — cybersecurity as an enterprise risk owned by leadership. |
| Identify (ID) | Know your assets, data, suppliers and risks. You cannot protect what you have not mapped. |
| Protect (PR) | Safeguards: identity management and access control, awareness and training, data security, platform security (secure configuration, patching) and infrastructure resilience. |
| Detect (DE) | Find anomalies and incidents quickly through monitoring and analysis. |
| Respond (RS) | Contain, analyse, communicate and mitigate during an incident. |
| Recover (RC) | Restore affected services and communicate recovery status; lessons learned feed back into Identify (Improvement), so the next incident hurts less. |
The arrival of Govern is the most strategically important update: it formally makes cybersecurity a governance and accountability question, which aligns closely with what NIS2 (Article 20) and DORA now demand of management bodies: approval and oversight of risk-management measures, with personal accountability for them.
Tiers and Profiles — how you actually use the framework
Two tools turn the functions into a programme. Tiers (1 Partial, 2 Risk-Informed, 3 Repeatable, 4 Adaptive) describe how rigorous and consistent your cybersecurity risk governance and management practices are. NIST is explicit that they are not maturity levels and that Tier 4 is not a target for everyone: a Tier is context for your Profile, not a grade to maximise. Profiles are where the work happens: you document a Current Profile (what you do today) and a Target Profile (what your risk and obligations require), and the gap between them becomes your prioritised roadmap.
A practical implementation path for an SME
- Set the Govern baseline. Name an owner, write a short cyber-risk policy, define risk appetite, and put supply-chain risk on the agenda.
- Build the Current Profile. Walk the six functions and honestly record what exists. An external security audit accelerates this.
- Define the Target Profile from your risk and your regulatory drivers (NIS2, DORA, client contracts).
- Prioritise the gaps by risk reduction per euro — usually Identify and Protect basics first.
- Execute and re-measure on a cycle; move your Tier up only where the risk justifies it.
Mapping CSF 2.0 to European obligations
CSF is not a compliance certificate, but it is a superb organising layer beneath one. Its outcomes map well to NIS2’s risk-management measures and to ISO 27001 Annex A controls, so a single CSF-based programme can feed multiple obligations at once.
| CSF 2.0 | NIS2 | ISO 27001:2022 |
|---|---|---|
| Govern | Management-body approval, oversight and accountability (Art. 20); risk-management policies and supply-chain security (Art. 21) | Clauses 4–6 (context, leadership, planning); A.5 organisational controls on policy and roles |
| Identify | Risk analysis and asset management (Art. 21(2)(a), (i)); supply-chain security (Art. 21(2)(d)) | Clause 6.1 risk assessment; A.5 organisational controls (e.g. A.5.9 asset inventory, A.5.19–A.5.23 supplier relationships) |
| Protect | Access control, MFA, cryptography, cyber hygiene and training, secure development (Art. 21(2)(e), (g), (h), (i), (j)) | A.5.15–A.5.18 access control; A.6 people; A.7 physical; A.8 technological controls |
| Detect / Respond | Incident handling (Art. 21(2)(b)) and incident reporting deadlines (Art. 23) | A.8.15–A.8.16 logging and monitoring; A.5.24–A.5.28 incident management |
| Recover | Business continuity, backup, disaster recovery and crisis management (Art. 21(2)(c)) | A.5.29–A.5.30 continuity; A.8.13 backup; A.8.14 redundancy |
Treat the mappings as a guide, not a legal equivalence: NIS2 prescribes specific measures and reporting deadlines, and ISO 27001 requires a certifiable management system, neither of which CSF supplies. But as a way to build once and satisfy many, CSF 2.0 is hard to beat, which is exactly how we use it.
General information, not legal advice. ICTLAB uses NIST CSF 2.0 to structure security programmes that also satisfy NIS2 and ISO 27001 for Belgian organisations — explore our security audit service or talk to our team.