NIS2 is an EU regulatory directive. NIST Cybersecurity Framework 2.0 is a US-origin voluntary framework, now widely adopted across the EU. They share a lot of substance — but they answer different audit questions. Here is the complete mapping and the decision matrix.
| | NIS2 | NIST CSF 2.0 |
|---|---|---|
| Type | EU regulatory directive (mandatory) | US-origin voluntary framework (NIST SP — Special Publication) |
| Who | Essential / Important entities in specific sectors | Any organization wanting a structured cyber program |
| Geographic scope | EU only | Global (heavy US public-sector adoption; growing EU SME adoption) |
| Certification | No certification — enforced by national authorities | No formal NIST CSF certification body |
| Fines | Up to €10M or 2% of turnover | None — but framework alignment underpins many US contracts (FedRAMP, DoD CMMC) |
| Governance | Article 20 requires management accountability | GV (Govern) function added in CSF 2.0 (2024) — formalised board oversight |
This crosswalk is currently undergoing an independent review by an external NIST CSF practitioner. The mapping reflects Reglyze's own technical analysis; the reviewed-and-signed badge will appear here once the engagement closes.
NIS2's 10 minimum measures from Article 21(2) plus the Article 20 management-body duties map across all six NIST CSF 2.0 Functions. NIST CSF 2.0 added the GV (Govern) function in 2024 — this is the function that absorbs most of NIS2's Article 20 substance, which earlier CSF versions struggled to express.
Overlap rating reflects how completely the NIS2 article's substance is expressed by the listed CSF 2.0 subcategories.
Article 21(2) minimum measures:

| NIS2 measure | NIST CSF 2.0 subcategories | What the CSF side covers |
|---|---|---|
| Risk analysis and information system security policies | GV.PO-01/02, GV.RM-01..06, ID.RA-01..10 | Organizational risk management strategy + policies + risk assessment process |
| Incident handling | DE.AE-02..04, DE.CM-01/09, RS.MA-01/03, RS.AN-03, RS.CO-02, RS.MI-01/02 | Detection categories + Respond categories (Management, Analysis, Comms, Mitigation) |
| Business continuity and crisis management | PR.IR-04, PR.DS-11, RC.RP-01..04, RC.CO-03 | Infrastructure resilience + backup + recovery planning + recovery communications |
| Supply chain security | GV.SC-01..10, ID.SC-04..05 | Cybersecurity supply chain risk management: strategy, roles, suppliers, contracts |
| Security in acquisition, development and maintenance | PR.PS-01..06, PR.IR-01, ID.IM-01/04 | Platform security configuration + improvement processes |
| Policies and procedures to assess effectiveness | ID.IM-01..04, GV.OV-01..03 | Improvement (lessons learned + tests + plans) + Oversight |
| Basic cyber hygiene and training | PR.AT-01/02, PR.PS-04/05 | Awareness and training categories |
| Cryptography and encryption | PR.DS-01/02/10/11 | Data security: in-transit, at-rest, integrity, key management |
| HR security, access control, asset management | PR.AA-01..05, ID.AM-01/02/05, GV.RR-04 | Authentication and access control + Asset management + Roles & responsibilities |
| MFA, secure communications, secure emergency comms | PR.AA-03, PR.IR-01/04, PR.DS-02 | Strong authentication + secure infrastructure + data-in-transit |

Article 20 management-body duties:

| NIS2 duty | NIST CSF 2.0 subcategories | What the CSF side covers |
|---|---|---|
| Board oversight and accountability | GV.RR-01..03, GV.PO-01, GV.OV-01..03 | Roles & responsibilities + Policy + Oversight (the GV (Govern) function added in CSF 2.0) |
| Management body training | PR.AT-01/02, GV.RR-04 | Awareness + training + responsibility allocation |
If you already run a NIST CSF 2.0 program: you are 75–85% of the way to NIS2 compliance. Your existing CSF profile already exercises most of the 10 NIS2 minimum measures (especially the new GV function, which covers Article 20).
What is still missing for NIS2:
If you are starting from the NIS2 obligations: you do not need NIST CSF to be NIS2 compliant. But adopting the CSF structure as a working model can:
If budget is tight, ship NIS2 compliance first (that is the legal obligation), then map your evidence onto the CSF Functions later — the same artefacts cover both.