
NIST CSF 2.0: Complete Guide to the 2024 Cybersecurity Framework

NIST Cybersecurity Framework 2.0 explained: the 6 functions (Govern, Identify, Protect, Detect, Respond, Recover), profiles, tiers, and concrete implementation guidance for 2026.

By the ResiPlan Team, cybersecurity framework experts. Reading time: 14 min.

Published in February 2024, the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) is the first major revision since 2018 of the American reference framework for cybersecurity risk management. Now applicable far beyond critical infrastructure, it extends to any organization of any size and sector, with a reinforced focus on governance.

This guide details the structure of CSF 2.0, the changes from version 1.1, and how to implement it in a European organization.

What is NIST CSF?

The NIST Cybersecurity Framework is a reference of cybersecurity best practices published by the National Institute of Standards and Technology (an agency of the US Department of Commerce). It provides:

  • A common vocabulary for cybersecurity
  • A posture assessment methodology
  • A taxonomy of controls and activities
  • Customizable profiles

Although it is not legally binding outside US federal contracts, it has become a de facto global standard, used by Fortune 500 companies, by SMEs for cyber-insurance purposes, and increasingly in Europe to structure security programs.

Major evolution in 2.0: the Govern function

The most significant novelty of CSF 2.0 is the addition of a sixth function: Govern. It sits above the 5 existing functions (Identify, Protect, Detect, Respond, Recover) and addresses:

  • Leadership-level cyber strategy
  • Organizational risk management
  • Policies and oversight
  • Roles and responsibilities
  • Supply chain management

This addition reflects the recognition that cybersecurity is a governance issue before it is a technical one. It also aligns the framework with recent regulatory requirements (NIS2, DORA, the 2023 SEC cyber disclosure rules).

The 6 CSF 2.0 functions in detail

1. Govern (GV) — cybersecurity governance

6 categories:

  • GV.OC — Organizational Context: mission, stakeholder expectations, legal requirements
  • GV.RM — Risk Management Strategy: strategy, risk tolerance, appetite
  • GV.RR — Roles, Responsibilities, and Authorities: who does what (CEO, CISO, owners)
  • GV.PO — Policy: documented cybersecurity policies
  • GV.OV — Oversight: monitoring and continuous improvement
  • GV.SC — Cybersecurity Supply Chain Risk Management: supply chain risk management

2. Identify (ID) — understanding assets and risks

3 categories:

  • ID.AM — Asset Management: asset inventory (hardware, software, data, services)
  • ID.RA — Risk Assessment: cyber risk assessment
  • ID.IM — Improvement: improving identify processes

Note: CSF 2.0 consolidated redundant categories; the 1.1 Identify categories ID.BE (Business Environment) and ID.GV (Governance) were rolled up into the new Govern function.

3. Protect (PR) — safeguards

5 categories:

  • PR.AA — Identity Management, Authentication, and Access Control
  • PR.AT — Awareness and Training: awareness and training
  • PR.DS — Data Security: encryption, classification, retention
  • PR.PS — Platform Security: OS, application, firmware hardening
  • PR.IR — Technology Infrastructure Resilience: resilient architecture

4. Detect (DE) — finding cybersecurity events

2 categories:

  • DE.CM — Continuous Monitoring: continuous supervision
  • DE.AE — Adverse Event Analysis: abnormal event analysis

5. Respond (RS) — incident response

4 categories:

  • RS.MA — Incident Management
  • RS.AN — Incident Analysis: technical analysis
  • RS.CO — Incident Response Reporting and Communication: reporting
  • RS.MI — Incident Mitigation: mitigation

6. Recover (RC) — restoring operations

2 categories:

  • RC.RP — Incident Recovery Plan Execution
  • RC.CO — Incident Recovery Communication: communication during recovery

Each category contains subcategories with measurable sub-outcomes (e.g., GV.RM-01 "Risk management objectives are established and agreed to by organizational stakeholders"). CSF 2.0 defines 106 subcategories in total.

Tiers and profiles — the implementation logic

The 4 implementation tiers

CSF 2.0 defines 4 levels of sophistication:

Tier | Name | Characteristics
1 | Partial | Ad hoc, reactive risk management; little organization-wide awareness
2 | Risk Informed | Leadership-approved processes and sufficient resources, but not formalized at scale
3 | Repeatable | Formal practices, regular reviews, consistent organization-wide approach
4 | Adaptive | Continuous improvement based on lessons learned, plus dynamic adaptation to threats

Unlike a CMMI maturity level, a tier is not an objective in itself: each organization must choose the tier suited to its context (risk, sector, regulation).

Profiles — the operational core

A CSF profile is a list of subcategories with:

  • Current level (current profile)
  • Target level (target profile)
  • Gap analysis between the two
  • Action plan to close the gap

The profile is the main practical tool. You can create:

  • Organizational profile: company-wide vision
  • Sectoral profile: aligned with the requirements of a sector or sectoral framework (e.g., "CSF financial services profile")
  • Threat-based profile: targeted at a threat category (e.g., "ransomware profile")

Community profiles — publicly available

NIST publishes community profiles for different sectors:

  • Manufacturing
  • Financial Services
  • Healthcare
  • Election Infrastructure
  • Small Business

They provide an accelerated starting point for organizations in the sector.

NIST CSF 2.0 vs NIST CSF 1.1 — key changes

1. New Govern function

Detailed above. The GV function becomes the program's backbone, above the 5 operational functions.

2. Universal applicability

CSF 1.1 was explicitly oriented toward critical infrastructure. CSF 2.0 removes this restriction: it addresses any organization (SME, startup, association, public administration…).

3. Supply chain focus

The GV.SC category explicitly introduces supplier/third-party risk management, aligned with the rise of supply chain attacks (SolarWinds, Kaseya, MOVEit).

4. Simplifications and clarifications

  • Merging redundant categories
  • New, more measurable subcategories
  • Simplified and more accessible language

5. Practical accompanying tools

NIST published:

  • Quick Start Guides per target audience (small business, enterprise, critical infrastructure)
  • An online interactive reference tool
  • Informative References cross-referencing CSF with ISO 27001, SP 800-53, CIS Controls…

Implementation — 6-step method

Step 1 — Define scope

  • Organizational scope (entire company? subsidiary? BU?)
  • Expected level of detail (strategic vs operational profile)
  • Deliverables and audiences (leadership, CISO, compliance, audit)

Step 2 — Create current profile

For each CSF subcategory, assess current maturity:

  • Not implemented
  • Partially implemented
  • Largely implemented
  • Fully implemented

Use interviews, questionnaires, document reviews and technical sampling.

Step 3 — Define target profile

Which subcategories are priorities in your context? Criteria:

  • Regulatory requirements (NIS2, DORA, GDPR)
  • Major business risks
  • Customer expectations / contracts
  • Leadership risk appetite

Step 4 — Gap analysis

For each subcategory, calculate the gap between current and target. Prioritize gaps by:

  • Criticality of addressed risk
  • Remediation cost
  • Dependencies with other subcategories

Step 5 — Action plan

Build a roadmap (12-36 months) with:

  • Technical and organizational measures
  • Owners
  • Estimated budget
  • Deadlines

Step 6 — Monitor and iterate

The CSF profile must be reviewed at least annually. Cyber events, organizational changes and regulatory evolutions all require updates.
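As an added example (not part of the article, of ResiPlan's product, or of NIST's publications), here is a minimal Python implementation of the Step 2 to Step 5 logic: a current and target profile on the article's four-level scale, the gap per subcategory, and a roadmap order that applies the three Step 4 criteria (criticality, remediation cost, dependencies), plus a per-function coverage view of the kind a maturity dashboard shows. The subcategory IDs are real CSF 2.0 identifiers; the maturity levels, the 1-5 criticality and cost scales, and the dependencies are constructed assumptions.

```python
from dataclasses import dataclass, field
# The article's 4-level maturity scale (Step 2); a profile stores the list index.
LEVELS = ["Not implemented", "Partially implemented", "Largely implemented", "Fully implemented"]

@dataclass
class Outcome:
    sub_id: str       # CSF 2.0 subcategory ID, e.g. "GV.RM-01"
    current: int      # current-profile level (index into LEVELS)
    target: int       # target-profile level (index into LEVELS)
    criticality: int  # risk addressed, 1 (low) .. 5 (high): assumed scale
    cost: int         # remediation effort, 1 (cheap) .. 5 (expensive): assumed scale
    depends_on: list = field(default_factory=list)  # prerequisite subcategory IDs
    def gap(self) -> int:
        return max(self.target - self.current, 0)
    def score(self) -> float:
        # Step 4 criteria: larger gap and higher criticality first, cheaper first.
        return self.gap() * self.criticality / self.cost

def prioritize(outcomes):
    """Roadmap order for the open gaps: a subcategory is never scheduled before
    an open gap it depends on; among the ready ones, highest score first."""
    by_id = {o.sub_id: o for o in outcomes}
    open_ids = {o.sub_id for o in outcomes if o.gap() > 0}
    plan = []
    while open_ids:
        # Ready = every prerequisite is already closed or outside the profile.
        ready = [i for i in open_ids if not set(by_id[i].depends_on) & open_ids]
        if not ready:
            raise ValueError(f"dependency cycle among open gaps: {sorted(open_ids)}")
        best = max(ready, key=lambda i: by_id[i].score())
        open_ids.remove(best)
        plan.append((best, by_id[best].gap(), round(by_id[best].score(), 2)))
    return plan

def coverage_by_function(outcomes):
    """Share of subcategories already at target, per CSF function (dashboard view)."""
    totals, met = {}, {}
    for o in outcomes:
        fn = o.sub_id.split(".")[0]
        totals[fn] = totals.get(fn, 0) + 1
        met[fn] = met.get(fn, 0) + (o.gap() == 0)
    return {fn: met[fn] / totals[fn] for fn in totals}

SAMPLE = [  # constructed profile: real CSF 2.0 subcategory IDs, invented values
    Outcome("GV.RM-01", current=1, target=3, criticality=5, cost=2),
    Outcome("ID.AM-01", current=0, target=3, criticality=4, cost=3),
    Outcome("PR.AA-01", current=1, target=3, criticality=5, cost=4, depends_on=["ID.AM-01"]),
    Outcome("DE.CM-01", current=2, target=3, criticality=3, cost=1, depends_on=["ID.AM-01"]),
    Outcome("RC.RP-01", current=3, target=3, criticality=4, cost=3),
]
```

Calling `prioritize(SAMPLE)` schedules GV.RM-01 first, then the asset inventory ID.AM-01 before the two outcomes that depend on it, even though PR.AA-01 has a higher criticality than the inventory.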

NIST CSF 2.0 and European frameworks

NIS2

CSF 2.0 covers the NIS2 requirements very broadly. The 10 measures of NIS2 Article 21 map directly to CSF:

NIS2 Art. 21 measure | NIST CSF 2.0
IS security policies | GV.PO, ID.RA
Incident management | RS.MA, RS.AN, RS.CO, RS.MI
Business continuity | RC.RP, RC.CO + Protect function
Supply chain security | GV.SC
Acquisition/development security | PR.PS
Effectiveness assessment | DE.CM, GV.OV
Cyber hygiene | PR.AT, PR.AA
Cryptography | PR.DS
HR + access control | PR.AA, PR.DS
MFA + secure communications | PR.AA, PR.DS

See our complete NIS2 guide for deeper reading.

DORA

DORA specifically targets the EU financial sector. The 5 DORA pillars map to CSF 2.0:

DORA pillar | NIST CSF 2.0
ICT risk management | GV, ID, PR
ICT incidents | RS
Resilience testing | PR.IR, RC
Third-party risk | GV.SC
Information sharing | GV.OV, DE.AE

See our DORA 2026 guide.

ISO 27001

CSF 2.0 and ISO 27001 are complementary:

  • ISO 27001: formal certification, documented ISMS, 93 Annex A controls
  • CSF 2.0: flexible framework, adaptive profiles, outcome-oriented

Using both together is common: ISO 27001 for certification, CSF for program posture.

ISO 22301

ISO 22301 (continuity) and CSF 2.0 complement each other mainly on the Recover function:

  • ISO 22301: structured BCMS, BIA, plans, exercises
  • CSF RC: outcome principles

See ISO 22301 vs NIST CSF for deeper reading.

Common CSF implementation mistakes

1. Treating CSF as a checklist

CSF is not a list of controls to check off. It's a framework of outcomes. Each subcategory describes an expected result, not a precise action. Several different actions can satisfy the same subcategory.

2. Creating a profile without leadership involvement

The target profile commits investments. It must be validated by leadership and aligned with risk appetite.

3. Over-investing in measurement, under-investing in action

A perfect gap analysis that leads to no corrective action is waste. Aim for 80% action effort, 20% measurement effort.

4. Ignoring the Govern function

The GV function is new and often neglected. Yet it determines the strategic alignment and the sustainability of the program.

5. Not iterating

A profile built once a year and then left untouched is not enough. CSF is alive, threats are alive, the organization is alive.

How ResiPlan operationalizes NIST CSF 2.0

  • CSF 2.0 module with the 6 functions, 23 categories, 106 subcategories
  • Profile management: current, target, automated gap analysis
  • Cross-mapping with NIS2, DORA, ISO 27001, ISO 22301
  • Maturity dashboards by function and subcategory
  • Integrated action plan with owner/deadline workflow
  • Importable community profiles (financial, healthcare, manufacturing)

Start a 14-day free trial to test the CSF 2.0 module.

Conclusion

The NIST CSF 2.0 has become the most flexible and most adopted cybersecurity framework globally. Its new Govern function makes it fully compatible with European requirements (NIS2, DORA) while remaining adaptable to SMEs.

Its biggest asset: the outcome-based approach. Rather than imposing rigid controls, CSF describes what to achieve — letting each organization choose how to get there based on its context.

For deeper reading:

  • ISO 22301 vs NIST CSF: Which Framework for Your Resilience? ISO 22301 or NIST CSF 2.0? A pragmatic comparison of scope, certification, cost and use cases to choose the right framework for your 2026 resilience program.
  • NIS2 Essential vs Important Entities: Complete 2026 Scope Guide. Essential vs important entity classification, thresholds, sectors, obligations and the consequences of each classification under EU cybersecurity law.
  • NIS2 Incident Notification: 24h, 72h and 1-Month Deadlines Guide. The three mandatory NIS2 notification phases explained (24h early warning, 72h notification, 1-month final report), with templates, criteria and practical 2026 examples.