NIST CSF 2.0
Compliance Guide

A comprehensive guide to the NIST Cybersecurity Framework 2.0 — the six core functions, who uses it, and how to implement it effectively.

What is NIST CSF 2.0?

The NIST Cybersecurity Framework (CSF) 2.0 was released on 26 February 2024 by the National Institute of Standards and Technology. It is a major update to the original CSF 1.0 (2014) and CSF 1.1 (2018), adding a new sixth function — Govern — and expanding applicability beyond critical infrastructure to all organisations.

NIST CSF provides a common language and systematic methodology for managing cybersecurity risk. It is technology-neutral, industry-agnostic, and designed to complement (not replace) existing cybersecurity standards and regulations.

While NIST CSF is voluntary, it has become the de facto standard for cybersecurity risk management in the United States and is widely adopted internationally. Many regulators, auditors, and business partners reference NIST CSF as a benchmark.

The 6 Core Functions

New in 2.0

Govern (GV)

Establish and monitor the organisation's cybersecurity risk management strategy, expectations, and policy. This new function elevates governance as a cross-cutting concern that informs all other functions. It covers organisational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.

Identify (ID)

Understand the organisation's current cybersecurity risks. In CSF 2.0 this function covers asset management (ID.AM), risk assessment (ID.RA), and improvement (ID.IM); the business environment, governance, and risk management strategy categories that sat under Identify in CSF 1.1 moved to the new Govern function. Identify tells you what you need to protect so you can prioritise the other functions accordingly.

Protect (PR)

Use safeguards to manage the organisation's cybersecurity risks. CSF 2.0 groups these into identity management, authentication and access control (PR.AA), awareness and training (PR.AT), data security (PR.DS), platform security (PR.PS), and technology infrastructure resilience (PR.IR). The CSF 1.1 categories "information protection processes and procedures" and "protective technology" no longer exist as separate categories; their outcomes were redistributed across the 2.0 categories above.

Detect (DE)

Find and analyse possible cybersecurity attacks and compromises in a timely manner. The function has two categories: continuous monitoring (DE.CM) of networks, endpoints, personnel activity and external service providers, and adverse event analysis (DE.AE), which correlates and characterises detected events so that actual incidents are declared quickly.

Respond (RS)

Take action regarding a detected cybersecurity incident. This covers incident management (RS.MA), incident analysis (RS.AN), incident response reporting and communication (RS.CO), and incident mitigation (RS.MI). Note that post-incident lessons learned, which CSF 1.1 placed under Respond (RS.IM), now live in the Identify function under Improvement (ID.IM).

Recover (RC)

Restore assets and operations affected by a cybersecurity incident. The function covers incident recovery plan execution (RC.RP) and incident recovery communication (RC.CO), so that normal operations are restored in a timely way and stakeholders are kept informed. As with Respond, recovery improvements are tracked under ID.IM rather than in a Recover-specific category.

Who uses NIST CSF?

While technically voluntary, NIST CSF 2.0 is widely adopted as a de facto standard across industries:

  • US Financial Institutions — Banks, insurers, and investment firms use NIST CSF to demonstrate cybersecurity maturity to regulators and examiners.
  • Federal Agencies — Executive Order 13800 mandates NIST CSF use for all US federal agencies.
  • Critical Infrastructure — Energy, healthcare, water, and transportation sectors rely on NIST CSF for cybersecurity programme structure.
  • International Organisations — Companies worldwide use NIST CSF alongside ISO 27001 as a complementary cybersecurity framework.

NIST CSF vs DORA

NIST CSF and DORA (the EU Digital Operational Resilience Act, Regulation (EU) 2022/2554) share many common themes but differ in scope, enforceability, and approach:

                      NIST CSF 2.0                          DORA
Type                  Voluntary framework                   Mandatory EU regulation
Scope                 All organisations, all sectors        EU financial entities and their ICT providers
Structure             6 functions, 22 categories            5 pillars, 64 articles
Enforcement           No direct penalties                   Administrative penalties and periodic penalty payments
Third-party focus     GV.SC category                        Entire Pillar 4, ICT third-party risk (Art. 28-44)
Incident reporting    RS.CO category (no deadlines)         Initial / intermediate / final reports at 4h, 72h and 1 month

The reporting row is the practical difference most teams feel first: CSF asks you to have a communication process, whereas DORA fixes the clock for major ICT-related incidents.

How ComplyShield maps to NIST CSF 2.0

Govern (GV)

Policy management, compliance mapping, RBAC roles, board reports, and audit trail covering governance requirements.

Identify (ID)

ICT asset registry, dependency mapping, risk assessments, CIA scoring, and automated asset discovery from cloud providers.

Protect (PR)

Control mapping, 2FA enforcement, RBAC, session management, encryption, security headers, and IP whitelisting.

Detect (DE)

Vulnerability scanner integration (Qualys, Nessus, Rapid7), SIEM integration (Splunk, Sentinel), and continuous monitoring.

Respond (RS)

Incident management workflows, classification wizard, deadline tracking, PDF reports, and escalation automation.

Recover (RC)

Resilience testing tracker, business continuity evidence, lessons-learned workflows, and recovery plan documentation.

Ready to implement NIST CSF 2.0?

See how ComplyShield maps to all six NIST CSF functions and accelerates your cybersecurity programme.

Request Demo