[Figure: two overlapping framework wheels showing the six NIST CSF 2.0 functions and the ten NIS2 Article 21 measures, with the shared compliance controls highlighted in the intersection]

Already on NIST CSF 2.0? Your NIS2 Compliance Gap Analysis

If your organisation runs NIST Cybersecurity Framework 2.0 for US operations, you have already built more NIS2 readiness than most gap assessments credit. The six NIST CSF functions — Govern, Identify, Protect, Detect, Respond, Recover — map directly onto the ten security measures Article 21 of the NIS2 Directive requires. For seven of those ten measures, your existing NIST CSF controls provide credible compliance evidence.

The remaining three are where the exposure sits. NIS2 imposes mandatory incident reporting timelines to national authorities that NIST CSF does not address, creates personal liability for your management body that NIST’s Govern function does not replicate, and requires legally enforceable contractual security clauses with direct suppliers where NIST CSF offers only guidance. These are structural differences — not gaps you can close with an additional NIST subcategory.

This guide gives NIST CSF 2.0 practitioners a direct answer to the question regulators will ask: what did you build, and what remains? It covers the full Article 21 control mapping, where NIST CSF 2.0 goes deeper than NIS2, and a prioritised checklist of what to build next.

How to use this guide: CISOs and IT security managers will find the most value in the control mapping table and the section on where NIST exceeds NIS2 — both identify evidence you can reuse from existing NIST CSF work. Compliance officers and legal teams should focus on Section 4, which covers the three gaps that carry direct legal exposure. Board members and C-suite executives: the management liability provisions in Section 4 apply personally, not only to the organisation as a legal entity.


The Two Frameworks at a Glance

NIST CSF 2.0, released in February 2024, is a voluntary, risk-based framework designed to help organisations of any size manage cybersecurity risk. Its 2024 update added Govern as a sixth core function — alongside Identify, Protect, Detect, Respond, and Recover — and expanded supply chain risk management to ten subcategories under GV.SC. The framework is technology-agnostic and outcome-focused, with each subcategory linked to informative references including ISO 27001, NIST SP 800-53, and CIS Controls.

[Figure: NIS2 vs NIST CSF 2.0 comparison table contrasting voluntary guidance with binding regulation and penalties]
Caption: NIST CSF is voluntary; NIS2 adds personal management liability, mandatory timelines, and EUR 10M fines.

NIS2 (Directive (EU) 2022/2555) replaced the original NIS Directive with national transposition due by October 2024. It applies to essential and important entities across 18 sectors — energy, transport, banking, healthcare, digital infrastructure, ICT service managers, and others. Non-compliance carries administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever figure is higher.

The foundational difference is binding force. NIST CSF is a tool your organisation chooses to adopt. NIS2 is a legal obligation your national regulator enforces, with audit rights, binding instructions, and the power to temporarily prohibit individuals from managerial roles.

| Dimension | NIST CSF 2.0 | NIS2 Directive |
|---|---|---|
| Nature | Voluntary guidance | Binding regulation |
| Released / in force | February 2024 | October 2024 |
| Scope | Any organisation, self-determined | 18+ sectors, EU essential and important entities |
| Structure | 6 functions, ~106 outcome subcategories | 10 minimum measures under Art. 21 |
| Governance model | Organisational (collective) | Personal management body liability (Art. 20 + 32) |
| Incident reporting | No mandatory timelines | 24h early warning, 72h notification, 30-day final report (Art. 23) |
| Supply chain | 10 GV.SC subcategories (recommended) | Contractual security clauses with direct suppliers (mandatory) |
| Penalties | None | Up to EUR 10M / 2% global turnover (essential entities) |
| Enforcement body | None | National competent authorities |

The Control Mapping: NIS2 Article 21 vs NIST CSF 2.0

Article 21(2) sets out ten minimum security measures, labelled (a) through (j). The table below maps each to the corresponding NIST CSF 2.0 functions and specific categories, with a coverage assessment reflecting what your existing NIST CSF work already satisfies.

[Figure: NIS2 Article 21 control mapping wheel showing 7 full-coverage and 3 partial-coverage NIST CSF measures]
Caption: Seven of ten NIS2 Article 21 measures align fully with NIST CSF 2.0; the three gaps are legal, not technical.

| NIS2 Art. 21 Measure | NIST CSF 2.0 Function(s) | Key Categories | Coverage |
|---|---|---|---|
| (a) Risk analysis and information security policies | Govern, Identify | GV.RM, ID.RA | Full |
| (b) Incident handling | Detect, Respond | DE.AE, DE.CM, RS.RP, RS.MI | Partial — Art. 23 notification timelines not covered |
| (c) Business continuity, backup and disaster recovery | Recover, Identify | RC.RP, RC.CO, ID.BE | Full |
| (d) Supply chain security | Govern | GV.SC-01 through GV.SC-10 | Partial — contractual obligation absent from NIST |
| (e) Security in acquisition, development and maintenance | Protect, Identify | PR.DS, PR.PS, ID.IM | Full |
| (f) Policies to assess effectiveness of risk measures | Govern, Identify | GV.RM, ID.IM | Full |
| (g) Cyber hygiene practices and training | Protect | PR.AT | Partial — Art. 20(2) management body training is mandatory; NIST does not differentiate |
| (h) Cryptography and encryption policies | Protect | PR.DS-1, PR.DS-2 | Full |
| (i) Human resources security, access control, asset management | Protect, Identify | PR.AC, ID.AM | Full |
| (j) Multi-factor authentication and secure communications | Protect | PR.AC-5, PR.AC-7 | Full |

Seven of the ten Article 21 measures have full NIST CSF 2.0 coverage. The three partial-coverage measures — (b) incident handling, (d) supply chain, and (g) training — are partial not because NIST CSF lacks relevant controls, but because NIS2 adds legally binding obligations on top: mandatory notification timelines, contractual enforceability with suppliers, and a distinct mandatory training requirement for the management body that general staff training does not satisfy.

This mapping covers the Article 21 minimum measures. The Commission Implementing Regulation (EU) 2024/2690, which translates Article 21 into binding technical specifics for digital infrastructure and ICT service providers, adds further granularity. For the full requirements framework, see our guide to NIS2 requirements.

Where NIST CSF 2.0 Goes Deeper Than NIS2

Three areas of NIST CSF 2.0 provide substantially more operational depth than NIS2 mandates. This is evidence you can directly reuse in audit documentation without additional programme work.

[Figure: NIST CSF GV.SC supply chain and GV.RM risk management pillars exceeding the NIS2 compliance floor]
Caption: Re-use your existing GV.SC and GV.RM documentation directly as NIS2 audit artefacts; no rebuild required.

Supply chain risk management (GV.SC)

NIST CSF 2.0’s GV.SC category contains ten subcategories, whereas Article 21(d) is a single clause with no equivalent granularity. Where Art. 21(d) requires assessing the security practices of direct suppliers, GV.SC specifies the full supplier lifecycle, from pre-engagement due diligence through post-contract termination:

  • GV.SC-04: Suppliers are known and prioritised by criticality
  • GV.SC-06: Due diligence is performed before entering formal supplier relationships
  • GV.SC-07: Supplier risks are monitored continuously throughout the relationship
  • GV.SC-08: Relevant suppliers are included in incident planning, response, and recovery activities
  • GV.SC-10: Supply chain risk management plans cover post-contract termination

An organisation that has implemented GV.SC-01 through GV.SC-10 operates a more mature supply chain security programme than NIS2 Article 21(d) strictly requires. The gap is contractual enforceability: NIS2 makes security requirements in supplier agreements legally mandatory, while NIST recommends them under GV.SC-05. Your GV.SC documentation becomes the evidence base for the NIS2 supply chain programme — you are adding mandatory contractual clauses on top of an existing framework, not building from scratch.

Risk management governance (GV.RM)

NIST CSF 2.0’s GV.RM category requires documented risk appetite statements, risk tolerance levels, and standardised risk scoring methodologies. NIS2 Article 21(1) requires proportionate measures but does not prescribe how organisations must document risk appetite or tolerance thresholds. GV.RM documentation exceeds the directive’s minimum standard and constitutes strong, audit-ready evidence for your Art. 21(2)(a) risk policy obligation.

Informative references and cross-framework mapping

Each NIST CSF 2.0 subcategory links to informative references: ISO 27001 Annex A controls, NIST SP 800-53, CIS Controls v8, and COBIT 2019. ENISA’s June 2025 Technical Implementation Guidance maps NIS2 obligations to international standards including ISO 27001 across 170 pages of implementation detail, with a supplementary mapping table (version 1.2) available for download. Organisations with NIST CSF documentation can use these cross-references to demonstrate standards alignment to regulators without building a separate compliance artefact library. For the ENISA mapping, see our guide to ENISA NIS2 guidance.

Where NIS2 Exceeds NIST CSF 2.0 — The Three Compliance Gaps

These are the obligations that a complete NIST CSF 2.0 implementation does not satisfy. Each is structural — not addressed by any NIST CSF subcategory — and each carries direct legal exposure under NIS2.

[Figure: NIS2 Article 23 three-stage incident notification cascade: 24-hour warning, 72-hour report, 30-day final analysis]
Caption: NIST CSF Detect and Respond functions set no external notification deadlines; NIS2 Article 23 makes these legally binding.

Gap 1: Mandatory incident reporting timelines (Article 23)

NIS2 Article 23 imposes a three-stage notification cascade with no NIST CSF equivalent:

  • Early warning: Within 24 hours of becoming aware of a significant incident — to the national CSIRT or competent authority
  • Incident notification: Within 72 hours — with an initial severity assessment and indicators of compromise
  • Final report: Within one month — full incident analysis, impact assessment, and corrective measures taken

NIST CSF’s Detect and Respond functions address incident detection and response procedures without specifying when, to whom, or through what channel notification to external authorities occurs. An organisation whose incident response plan was designed entirely around NIST CSF may have a complete internal response capability while carrying no documented pathway to national authority notification within 24 hours.

The gap is procedural, not technical. You need a written notification SOP that names the competent authority in each relevant member state, defines the internal threshold for a “significant incident” under Art. 23, and assigns named individuals responsible for each notification stage. The 24-hour clock starts from the moment the organisation becomes aware — your on-call engineer at 2am on a Saturday needs a decision tree they can follow immediately, not a policy document they have to locate and interpret. ENISA’s June 2025 Technical Implementation Guidance confirms that significance is assessed by impact on service availability, confidentiality, and integrity, with the national CSIRT as the primary contact. For detailed notification structure and thresholds, see our guide to NIS2 incident reporting requirements.

Gap 2: Management body personal liability (Articles 20 and 32)

NIS2 Article 20 requires the management body of each essential or important entity to approve the cybersecurity risk-management measures taken under Article 21, oversee their implementation, and be held liable for the entity’s infringements. Article 32 provides the enforcement mechanism for essential entities: national competent authorities may issue a temporary prohibition preventing specific individuals from exercising managerial responsibilities where management accountability obligations are not met.

This is individual accountability — it attaches to board members and senior executives as persons, not only to the organisation as a legal entity. A CEO who delegates day-to-day cybersecurity implementation to the CISO remains personally accountable for the management body’s compliance with Article 20. Under Article 32, regulators can prohibit that individual from their role pending correction.

NIST CSF 2.0’s Govern function addresses organisational governance through GV.OC (organisational context) and GV.RM (risk management strategy) — collectively-held processes by which the organisation manages cybersecurity risk. GV.OC-03 captures legal and regulatory requirements as organisational inputs. Neither subcategory creates the individual accountability structure that Articles 20 and 32 require.

Closing this gap requires three documented artefacts:

  • Annual board approval resolution formally approving the entity’s Art. 21 risk-management measures — the management body must demonstrate active oversight, not passive delegation to the CISO
  • Management body cybersecurity training records — Article 20(2) states that management body members “are required to follow training” enabling them to assess cybersecurity risks and the adequacy of risk-management practices; the mandatory language is explicit and distinct from the permissive “encouraged” language applied to general staff training
  • Named accountability assignment in the cybersecurity policy, designating which individual at board or senior management level holds defined responsibility for each Art. 21 obligation

Management training under Art. 20(2) must go beyond a 30-minute awareness module. The content requirement is specific: it must give board members sufficient knowledge to identify risks, evaluate cybersecurity practices, and assess their impact on services provided. That means enough technical substance to challenge the CISO’s risk presentation, not just to acknowledge receipt of it.

Gap 3: Contractual supply chain security requirements (Article 21(d))

Article 21(d) requires entities to address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” In regulatory practice, this means cybersecurity clauses must appear in supplier agreements as enforceable obligations — their absence at audit is a documented control deficiency.

NIST CSF 2.0 GV.SC-05 states that cybersecurity requirements should be incorporated into vendor agreements. “Should” reflects NIST’s voluntary character. NIS2 Article 21(d) is a legal obligation. A mature GV.SC supply chain programme without contractual enforcement remains non-compliant with Art. 21(d), regardless of how comprehensive your supplier risk assessments are.

For multinationals with large supplier bases, this is typically the highest-effort item in NIS2 compliance. Existing supplier agreements signed before October 2024 generally do not contain NIS2-specific security requirements. Updating them requires legal review, procurement process changes, and supplier renegotiation — a programme that can take six to twelve months for organisations with hundreds of direct suppliers. Begin immediately, using your GV.SC-04 supplier criticality classification to prioritise Tier 1 (critical) suppliers for the first amendment wave. For a structured supplier assessment approach, see our guide to NIS2 supply chain security.

Gap Checklist for NIST CSF 2.0 Organisations

The following items represent the NIS2 compliance work required on top of a mature NIST CSF 2.0 baseline. Effort ratings reflect typical implementation complexity based on published ENISA guidance; they do not reflect the legal weight of any individual requirement.

[Figure: gap triage matrix for NIS2 / NIST CSF compliance tasks organised by primary owner and effort level]
Caption: Start supplier agreement amendments immediately; the 6 to 12 month lead time makes them the critical path item.

| Gap Item | NIS2 Requirement | Effort | Owner |
|---|---|---|---|
| Incident notification SOP | Art. 23: documented 24h/72h/30-day procedure with named competent authority contacts | Low | CISO / Legal |
| Competent authority registration | Art. 3 and national transposition: register with the national authority in each relevant member state | Low | Legal / Compliance |
| Significant incident threshold definition | Art. 23: internal criteria defining what triggers a reportable significant incident | Low | CISO |
| Board approval resolution | Art. 20(1): annual formal management body approval of Art. 21 risk-management measures | Low | Board / Legal |
| Management body cybersecurity training | Art. 20(2): structured training enabling board members to assess cybersecurity risks and practices | Medium | CISO / HR |
| Named management accountability | Art. 20: designated individuals with documented Art. 21 responsibilities in the cybersecurity policy | Low | CISO / Legal |
| Supplier criticality classification | Art. 21(d): assess and tier direct suppliers by risk and criticality (GV.SC-04 provides the framework) | Medium | CISO / Procurement |
| Supplier agreement cybersecurity clauses | Art. 21(d): legally enforceable security requirements embedded in direct supplier contracts | High | Legal / Procurement |

Effort key: Low — process or documentation only, typically under two weeks. Medium — cross-functional programme, four to eight weeks. High — legal and procurement process change, potentially six to twelve months for large supplier bases.

Start the High item — supplier agreement updates — immediately given its lead time, running it in parallel with the Low-effort items. The Low items together represent the fastest path to documented NIS2 compliance for NIST CSF practitioners; most can be completed within a standard compliance sprint.

Implementation Path for NIST CSF 2.0 Organisations

The NIS2 transition for a NIST CSF 2.0 organisation is a programme of targeted additions, not a framework rebuild. Your existing NIST CSF current Profile documentation becomes the compliance evidence baseline for Article 21.

Phase 1 — Confirm scope (Weeks 1–4)

Verify your entity’s NIS2 classification — essential or important — in each EU member state where you provide services. NIS2 applies to organisations providing services within the EU regardless of headquarters location: a US organisation providing managed security services or cloud infrastructure to EU customers in covered sectors may qualify as an important entity. Each member state’s national competent authority has published transposition guidance with implementation timelines and sector-specific requirements. Identify the competent authority contact in each relevant jurisdiction. Map your NIST CSF current Profile against the Article 21 control mapping table in this guide to produce your documented compliance evidence baseline — this becomes the audit artefact index.

Phase 2 — Board engagement and training (Weeks 5–8)

Schedule management body training meeting Article 20(2) content requirements: risk identification, cybersecurity risk-management practices, and their impact on services provided. This is a different programme from general staff security awareness — it must enable board members to challenge technical advice and approve controls with informed judgement. Produce the formal board approval resolution for Art. 21 measures and assign named accountability for each obligation. Both are Low-effort items whose practical constraint is board calendar time, not technical complexity.

Phase 3 — Notification procedure (Weeks 9–12)

Write and tabletop-test the Art. 23 incident notification SOP. Define the significant incident trigger criteria, map the 24-hour early warning workflow — who initiates, who approves, which authority receives the notification — and test the 72-hour notification process end-to-end. Assign backup owners for each stage so the procedure functions without any single individual being available. Pre-approved notification templates reduce execution time during off-hours incidents when the 24-hour window is most at risk.

Phase 4 — Supply chain programme (Ongoing, begin immediately)

Use your existing GV.SC-04 supplier criticality classification to prioritise direct suppliers for contract amendment. Engage legal and procurement to develop a standard cybersecurity contractual annex — a reusable template incorporating Art. 21(d) requirements — for new agreements and as the basis for renegotiating existing ones. ENISA’s Technical Implementation Guidance provides supplier assessment evidence examples aligned with the Commission Implementing Regulation. For organisations that also hold ISO 27001 certification, the crosswalk further reduces programme scope — see our comparison of NIS2 vs ISO 27001 for where that gap analysis applies.

Frequently Asked Questions

Does using NIST CSF 2.0 mean we are NIS2 compliant?

No. NIST CSF 2.0 provides full or substantial coverage for seven of the ten Article 21 minimum measures, but it does not address NIS2’s mandatory incident reporting timelines (Art. 23), management body personal liability (Art. 20 and 32), or the legally required contractual security clauses with direct suppliers (Art. 21(d)). These are structural gaps — they require deliberate additions to your compliance programme, not deeper NIST CSF implementation.

Approximately what percentage of NIS2 does NIST CSF 2.0 cover?

Based on Article 21 control mapping, NIST CSF 2.0 provides full or substantial coverage for roughly 70–75% of NIS2’s minimum security measures. The percentage increases if your implementation includes documented GV.RM risk appetite statements and a mature GV.SC supply chain programme. The remaining 25–30% comprises obligations structurally absent from NIST CSF: notification timelines, management personal liability, and contractual enforceability of supply chain requirements.

Do NIST CSF assessments count as effectiveness checks under Article 21(2)(f)?

Potentially yes, if documented formally with management sign-off. Article 21(2)(f) requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures. NIST CSF Profile assessments — comparing current implementation against a defined target Profile and documenting gaps with management review — constitute exactly this kind of effectiveness measurement. The requirement is documentation: an undocumented assessment does not satisfy the Article 21 evidence standard at audit.

Which NIST CSF 2.0 function is most directly relevant to NIS2 compliance?

The Govern function maps most closely to NIS2’s governance requirements and produces the most reusable evidence. GV.RM (risk management strategy documentation) satisfies Art. 21(2)(a) risk policy requirements; GV.SC (supply chain risk management) provides the framework for Art. 21(d) compliance; GV.OC (organisational context) captures legal and regulatory requirements that inform the broader programme. No single function covers NIS2 fully, but GV is where to concentrate NIS2-specific effort if your NIST CSF maturity is uneven across functions.

Our organisation is headquartered outside the EU. Do we need NIS2 compliance?

NIS2 applies to organisations providing services within the EU, not only those headquartered there. A US, UK, or non-EU organisation providing cloud computing, managed security services, digital infrastructure, or online marketplace services to EU customers in covered sectors may qualify as an important entity subject to all NIS2 obligations, including penalty exposure. Scope confirmation — verifying entity classification with the relevant national competent authority — should be the first action in any NIS2 programme. For sector-specific scope definitions, see our guide to NIS2 requirements.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
