NIST CSF 2.0 & AI RMF Advisory in Belgium
Turn the NIST frameworks into a roadmap. We use NIST CSF 2.0 to assess your security maturity and the NIST AI RMF to govern AI risk, then crosswalk the controls to ISO 27001, NIS2 and DORA so one programme covers them all.
The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary, outcome-based reference organised around six functions — Govern, Identify, Protect, Detect, Respond and Recover — that gives leadership a common language for cyber risk. The NIST AI Risk Management Framework (AI RMF) extends the same discipline to artificial intelligence with its Govern, Map, Measure and Manage functions, a practical foundation for EU AI Act readiness. ICTLAB uses these frameworks to assess your current maturity, define a target profile, and build a prioritized roadmap — then crosswalks the controls to ISO 27001, NIS2 and DORA so a single control set evidences multiple obligations. The result is a governance backbone that is vendor-agnostic, board-readable, and regulation-aware.
What We Deliver
CSF 2.0 Maturity Assessment & Current Profile
An assessment of your security posture across the six CSF 2.0 functions, expressed as a current profile and maturity tiers.
Target Profile & Gap Analysis
A risk-informed target profile and the gap between current and desired outcomes, with prioritized actions.
Control Crosswalk (CSF to ISO 27001 / NIS2 / DORA)
A mapping that links CSF outcomes to ISO 27001 Annex A, NIS2 measures and DORA requirements so one control set serves several obligations.
Prioritized Roadmap
A phased implementation roadmap with owners, timelines and quick wins to move from the current to the target profile.
NIST AI RMF Assessment
An AI risk assessment for your AI systems using the AI RMF Govern/Map/Measure/Manage functions, supporting EU AI Act readiness.
Governance & Reporting Pack
Board-ready governance artefacts and dashboards that communicate cyber and AI risk in business terms.
How We Work
Scoping & Profile Selection
Define the scope and the CSF profile that fits your sector, risk appetite and regulatory drivers.
Current-State Maturity Assessment
Assess existing capabilities across Govern, Identify, Protect, Detect, Respond and Recover.
Target Profile & Gap Analysis
Set the desired outcomes and quantify the gap to prioritize investment.
Roadmap & Control Implementation
Implement the prioritized controls and crosswalk them to ISO 27001, NIS2 and DORA.
AI RMF for AI Systems
Apply the NIST AI RMF to govern, map, measure and manage AI risk where you build or deploy AI.
Monitor & Improve
Track metrics, review the profile periodically, and improve as threats, AI use and regulations evolve.
Frequently Asked Questions
What is NIST CSF 2.0 and what changed?
CSF 2.0, released in 2024, is the first major update since 2014. Its headline change is a new sixth function, Govern, that puts cybersecurity risk into the context of enterprise governance, alongside the existing Identify, Protect, Detect, Respond and Recover.
Is NIST mandatory in the EU?
No. NIST frameworks are voluntary, but they are widely used as a backbone because they map cleanly onto mandatory EU regimes like NIS2 and DORA. Adopting NIST gives you a structured way to evidence those obligations.
How does the NIST AI RMF relate to the EU AI Act?
The NIST AI RMF is a voluntary framework for managing AI risk; the EU AI Act is binding law. The AI RMF Govern/Map/Measure/Manage approach is a practical way to build the risk-management, documentation and oversight the AI Act expects for higher-risk AI systems.
CSF or SP 800-53 — which do we need?
The CSF is an outcome-based framework that communicates risk to leadership; SP 800-53 is a detailed control catalogue. Most organizations start with the CSF for direction and draw on SP 800-53 (or ISO 27001 Annex A) for the specific controls. We help you combine them.
Can NIST coexist with ISO 27001 and NIS2?
Yes — that is the point. We crosswalk NIST outcomes to ISO 27001 controls and NIS2/DORA obligations so a single, well-run programme satisfies all of them without duplicated effort.
From Our Blog
13 June 2026
DORA vs NIS2: Overlap, Differences and Which One Applies
DORA and NIS2 both govern cyber resilience — but which applies to your organisation? Scope, the lex specialis rule, the five DORA pillars, key dates, and a decision guide for Belgian entities.
13 June 2026
DORA ICT Third-Party Risk: Building Your Register of Information
DORA's third-party rules (Art. 28–30): what the Register of Information must contain, the mandatory contractual clauses (Art. 30(2) vs 30(3)), critical-or-important functions, and the 2025 reporting deadlines.
12 June 2026
NIST CSF 2.0 for European SMEs: A Practical Implementation Guide
A step-by-step guide to NIST Cybersecurity Framework 2.0 for European SMEs: the six functions (Govern, Identify, Protect, Detect, Respond, Recover), tiers, profiles, and how it maps to NIS2 and ISO 27001.
12 June 2026
NIST AI RMF: Building Trustworthy AI (and How It Maps to the AI Act)
NIST AI Risk Management Framework explained: the four functions (Govern, Map, Measure, Manage), the Generative AI Profile, trustworthy-AI characteristics, and how it complements the EU AI Act.
9 June 2026
AI Act Risk Classification: Prohibited, High-Risk or Limited-Risk?
A practical decision guide to classify your AI system under the EU AI Act: prohibited practices (Art. 5), high-risk systems (Annex III), limited and minimal risk — with concrete examples.
9 June 2026
GDPR & AI: Training Data, Automated Decisions and DPIAs in Belgium
How GDPR applies to AI for Belgian companies: lawful basis for training data, automated decision-making (Art. 22), data protection impact assessments, and where GDPR meets the AI Act.
Related Services
Security Audit
Comprehensive evaluation of your security posture against industry standards. Our audits identify gaps and provide actionable remediation plans.
NIS2 Compliance
Navigate NIS2 with confidence. We help Belgian organizations understand their obligations, close compliance gaps, and build the security capabilities the directive demands.
DORA Compliance
Make digital operational resilience auditable. We help Belgian financial entities and their ICT third parties meet DORA's five pillars — from the ICT risk-management framework to incident reporting, resilience testing, and third-party oversight.