NIST is the US National Institute of Standards and Technology, known for creating widely adopted security and risk-management frameworks. Its Cybersecurity Framework gives organisations a practical structure to manage cyber risk in a consistent, measurable way. NIST has reshaped its Cybersecurity Framework for the first time in years, and the shift is hard to ignore. CSF 2.0 adds a sixth function called Govern. For European boards and executive teams, this aligns neatly with the direction already set by NIS2. Both frameworks pull cyber out of the technical basement and place it firmly on the leadership agenda.
Why NIST introduced the Govern function
Earlier versions of the CSF focused on the technical lifecycle: Identify, Protect, Detect, Respond and Recover. CSF 2.0 accepts that this focus is no longer enough. The new Govern function places responsibility with senior leadership for setting objectives, determining risk appetite, assigning roles, and overseeing supply-chain exposure.
It reflects the reality that the biggest gaps in cybersecurity programmes rarely stem from firewalls or SIEM tooling. They arise from unclear ownership, poor decision-making structures and the absence of consistent policies. In other words, they are governance failures.
The link with European regulation
For organisations operating in the EU or serving EU customers, this shift mirrors what NIS2 already requires. NIS2 doesn’t treat cyber as an IT function. It treats it as a business-risk topic, with obligations that fall directly on the management body.
NIS2 expects leadership to:
- approve cybersecurity measures
- monitor implementation
- understand material cyber risks
- make sure supply-chain exposure is assessed and controlled
- demonstrate due care when making investment and policy decisions
These areas overlap almost one-to-one with NIST’s new Govern categories. European organisations using NIST as their internal framework will find that CSF 2.0 makes alignment with NIS2 far more straightforward.
What this means for boards
Boards can no longer rely on periodic IT updates or assume that risk ownership sits below them. CSF 2.0 and NIS2 both expect the management body to steer cyber strategy, measure progress and ask direct questions about exposure and resilience.
This requires:
- clear governance structures with defined roles
- documented policies backed by real oversight
- supply-chain controls that reflect business-level risk
- decision-making that links cybersecurity investment to organisational objectives
Creating this structure does not demand deep technical skills. It demands clarity, accountability and a willingness to challenge operational assumptions. The technical teams will still handle controls and tooling. Leadership must set expectations, validate strategy and monitor outcomes.
Why this shift matters now
European organisations are facing tighter regulatory pressure, increasing board liability and a threat landscape that continues to expand. CSF 2.0’s focus on governance gives leaders a practical way to respond.
It provides a structure that connects cyber decisions with enterprise risk, operational priorities and long-term resilience. For organisations preparing for NIS2 audits or reporting obligations, adopting the Govern function can accelerate readiness and create a cleaner narrative for regulators.
How Nomios can help
Nomios helps organisations build the governance and security structure that both CSF 2.0 and NIS2 expect. Our teams support board-level decision-making through services like virtual CISO, security assessments and cyber maturity modelling. We give you a clear view of gaps, priorities and required controls, then guide the implementation of policies, processes and technical measures across the organisation. Whether you need help defining strategy, improving supply-chain oversight or strengthening operational resilience, we provide practical support that fits your existing setup and delivers measurable progress.
Important dates
The NIST Cybersecurity Framework (CSF) 2.0 was officially launched on 26 February 2024.
In the Netherlands, the transposition of the NIS2 Directive is progressing under the draft Cybersecurity Act (Cyberbeveiligingswet, “Cbw”):
- The deadline for Member States to adopt the implementing measures was 17 October 2024.
- The Dutch draft legislation was published for public consultation in June 2024.
- The Netherlands expects the Cybersecurity Act to enter into force in the second quarter of 2026.