
NIST CSF 2.0: Managing Cyber Risk in a Structured Way

The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary, globally recognized framework for managing cyber risk. Version 2.0, published in February 2024, organizes security into six core functions and is aimed at organizations of any size and sector. This page explains what CSF 2.0 is, who it makes sense for (and who less so), how the six functions work together, and how to use the framework with Sightadel as a common language and management layer.

What Is NIST CSF 2.0?

The CSF was developed by the US National Institute of Standards and Technology (NIST). It is not a prescriptive control catalog but describes the desired cybersecurity outcomes — that is, what an organization should achieve, not necessarily how. This makes it flexible to adapt to size, sector, and maturity.

Version 2.0 brings three key updates:

  • New "Govern" function. Governance, risk strategy, roles, policies, and supply chain risk management are made visible as a standalone sixth function; in CSF 1.1 they were folded into "Identify" (the ID.GV and ID.SC categories).
  • Expanded scope. The CSF is no longer aimed primarily at critical infrastructure but at all organizations, regardless of size or sector.
  • Profiles and tiers. With Organizational Profiles, you describe your current state and your target state per outcome and derive the gaps between them. Tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) characterize how rigorously cyber risk is governed and managed; NIST notes that they are not maturity levels in the strict sense, and are applied to the profile as a whole rather than to individual outcomes.

The six functions: Govern, Identify, Protect, Detect, Respond, Recover — together a complete risk lifecycle.

Who Is NIST CSF 2.0 Useful For — and Who Less So?

CSF 2.0 is useful for you if …

… you need a common, business-oriented language for cyber risk — across IT, management, and executive leadership. Particularly suitable if:

  • you want to evolve cybersecurity from a technical task into a governance responsibility,
  • you need to communicate risk understandably at the C-level and to the board,
  • you have international or US partners who expect the CSF as a reference,
  • you want to organize various requirements (ISO 27001, NIS2, DORA) under a common roof.

CSF 2.0 alone is not sufficient if …

… you need a certifiable proof for contractual or regulatory reasons. The CSF is not certifiable. Where customers require an ISO 27001 certification or a C5 attestation, the CSF does not replace them — but it works excellently as an overarching management and structuring layer to which these standards can attach.

The Six Functions at a Glance

  • Govern (GV): Strategy, roles, policies, risk management, and supply chain risk. The strategic foundation for the other functions.
  • Identify (ID): Understanding your own assets, systems, data, and risks.
  • Protect (PR): Safeguards such as access control, MFA, training, and data backup.
  • Detect (DE): Detecting anomalies and security events.
  • Respond (RS): Responding to incidents, containment, communication.
  • Recover (RC): Restoring services and improving after incidents.

The Typical Challenge in Applying the CSF

  • Outcome-oriented, but abstract. The CSF states what to achieve — not how. Translating that into concrete measures and evidence is left to the organization.
  • Current/target comparison by hand. Maintaining Organizational Profiles in spreadsheets is tedious and goes out of date quickly.
  • A silo alongside other standards. Without links to ISO 27001, NIS2, or C5, duplicate work arises.

How Sightadel Simplifies Applying the CSF

Sightadel is the compliance portal within the Pervigon Security Suite. It represents CSF 2.0 with its six functions, categories, and subcategories, turning the outcome model into a manageable catalog of measures and evidence.

From outcome to measure. Sightadel links the CSF subcategories to concrete measures and evidence. "What should be achieved" becomes "who does what by when."
Current and target profile always up to date. You maintain your Organizational Profile in the portal instead of in spreadsheets and see progress per function at a glance.
A common management layer. The CSF serves as the roof: Sightadel maps your measures both to the CSF functions and to the corresponding requirements in ISO 27001, NIS2, and DORA.
Reuse of evidence. A measure — such as access control — simultaneously satisfies "Protect" in the CSF and the corresponding requirement in ISO 27001 and NIS2. One piece of evidence, multiple frameworks.
No external consultants as a permanent crutch. The mapping logic is built into the portal and supported by the neoAI core. Your team manages the framework independently.

NIST CSF 2.0 with Sightadel in Practice

  1. Create the current profile. Capture the current state per function and subcategory.
  2. Define the target profile. Set the target state and tier, and surface the gaps between current and target.
  3. Derive measures. A prioritized plan with owners and deadlines, linked to your other standards.
  4. Manage & communicate. Track progress and present cyber risk in management-ready terms.

Frequently Asked Questions About NIST CSF 2.0

Can an organization be certified against NIST CSF 2.0?

No. The CSF is a voluntary framework, not a certifiable standard. It works as a management and communication layer; certifiable proof comes from standards such as ISO 27001 that attach to it.

Cyber Risk Management as a State, Not a Snapshot

Cyber risk evolves continuously — the CSF explicitly emphasizes this. Sightadel keeps your current/target profile and the linked measures continuously up to date, so the framework remains a living practice rather than a one-off assessment.

See your CSF 2.0 profile in Sightadel.

Book a demo