As in the past, cybersecurity requirements are no longer just “best practices” but are, more than ever, legally binding requirements (and carrying with them high fines for non-compliance). While security ratings help give a snapshot of your organisation’s cyber health, it is crucial to align with various recognised frameworks in industry and regulations to show a solid, long-term cybersecurity commitment. The following discusses the most common frameworks for cybersecurity, with a particular focus on two key pieces of EU legislation which entered into force in 2024 and 2025 and will impact thousands of organisations around the world.
What is a cyber security framework?
A cybersecurity framework is a structured collection of standards, suggestions and best practices which can be used by organizations to control and decrease cybersecurity dangers. These frameworks offer an extensive guideline for evaluating, tracking and controlling potential threats. They set up consistent processes and controls, which enable organizations to adopt a proactive approach to security, handle regulatory compliance, and ensure effective communication between security professionals and stakeholders.
Cybersecurity frameworks play an important role in ensuring alignment of security across team, industry, and country. They provide a comprehensive way for security teams—including CISOs, risk management departments, and IT leadership—to evaluate their own security status as well as that of third-party providers in order to safeguard against threats and maintain enterprise security.
9 Top security frameworks
These frameworks are either required by regulation or voluntary, and give the backbone to an organization’s cyber strategy. We’ve summarized seven of the most commonly used cybersecurity frameworks and standards you can use to pilot your organisation to greater and more resilient security:
1. NIST 2.0 Framework
The NIST Cybersecurity Framework was created in the wake of an executive order by former President Obama, Improving Critical Infrastructure Cybersecurity, which directed the private and public sectors to work together to identify, assess, and manage cyber risk.
Although compliance is voluntary, NIST has set the benchmark on measuring cybersecurity maturity, uncovering security shortcomings, and meeting cybersecurity requirements.
NIST announced in 2024 its biggest update to the Cybersecurity Framework (CSF) since CSF 1.1 in 2018, namely CSF 2.0.
However, CSF 2.0 goes beyond critical infrastructure cybersecurity and is aimed at a broader range of organizations, with small schools, nonprofits, large agencies and corporations all potential targets to benefit from the guidance, regardless of their cybersecurity expertise.
One of the highlights of this release is the focus on cybersecurity governance, where cybersecurity is included in enterprise risk management along with financial and reputational risks.
The cybersecurity framework now includes six main functions: Identify, 2. Protect, 3. Detect, 4. Respond, 5. Recover, and 6. Govern — cybersecurity risk management, in a holistic sense.
NIST has also created a collection of tools to help with the implementation of the security framework. This includes quick-start guides specifically designed for different audiences, success stories from organisations which have adopted the CSF and a searchable list of informative references to enable organisations to bring existing practices in line with the guidance of the CSF.
Moreover, the CSF 2.0 will be aligned with international standards, thus supporting global cybersecurity resilience efforts. NIST is dedicated to making this transition from CSF 1.1 to CSF 2.0 to address new cybersecurity threats and the evolving needs of the users. While the CSF is provided as a general guide, organizations are encouraged to make edits to the CSF to reflect their context and to share their experiences with the community to improve the resource.The CSF is a general guide, and organizations are encouraged to edit it with regard to their context and share their experiences with the community to enhance the CSFs.
2. ISO 27001 & ISO 27002 Frameworks
Created by the International Organization for Standardization (ISO), ISO 27001 and ISO 27002 certifications are considered the international cybersecurity standard for validating a cybersecurity program — internally and across third parties.
Companies that receive an ISO certification will be able to prove to the board, customers, partners and shareholders that they are taking the right actions toward cyber risk management. Similarly, an ISO 27001/2 certified vendor is a sign (but not definitive) that they have established good cybersecurity practices and controls.
The downside is that it takes time and resources, so it should only be tried if there is a genuine benefit, in this case the opportunity to acquire new business. The certification is also a point in time effort, and may fail to capture elements of risk that can be identified through ongoing monitoring activities.
3. SOC2 Framework
The American Institute of Certified Public Accountants (AICPA) created Service Organization Control (SOC) Type 2, a trust-based cyber security framework and auditing standard to assist in ensuring that vendors and partners securely manage client information.
SOC2 sets over 60 compliance criteria along with detailed audit program requirements for third parties’ systems and controls. The process of an audit can last up to 1 year. At that point, a report is issued which attests to a vendors’ cybersecurity posture.
Because of its comprehensiveness, SOC2 is one of the toughest security frameworks to implement — especially for organizations in the finance or banking sector who face a higher standard for compliance than other sectors. This is an important security framework, however, which should be at the heart of any third-party risk management program.
Compliance
Check out our SOC2 compliance guide for SOC2 compliance requirements, types of SOC reports and standards, leadership recommendations and an in-depth SOC2 compliance checklist.
Bitsight Vendor Risk Management’s latest enhancement – Instant Insights – leverages AI to surface and summarize the most important details from vendor-provided SOC 2 reports. GRC teams can work more efficiently with the vendor onboarding and assessment process to respond to requests from business stakeholders more quickly with Instant Insights.
4. NERC-CIP Framework
Introduced to mitigate the rise in attacks on U.S. critical infrastructure and growing third-party risk, the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP) is a set of cybersecurity standards designed to help those in the utility and power sector reduce cyber risk and ensure the reliability of bulk electric systems.
The NERC-CIP security framework calls for those affected to identify and reduce their third-party cyber risks in the supply chain.
NERC-SIP requires a variety of controls such as classification of systems & critical assets, personnel training, incident response and planning, recovery plans for critical cyber assets, vulnerability assessment, etc. Learn more about effective ways to become NERC-CIP compliant.
5. HIPAA Framework
Healthcare organizations have a cybersecurity framework to protect and secure electronic health information called the Health Insurance Portability and Accountability Act (HIPAA).
Per HIPAA, in addition to demonstrating compliance against cyber risk best practices — such as training employees — companies in the sector must also conduct risk assessments to manage and identify emerging risk.
As Bitsight’s research reveals, getting HIPAA compliant continues to be a potential challenge for healthcare organizations.
6. GDPR Framework
General Data Protection Regulation (GDPR) was introduced in 2016 to enhance data protection processes and practices of the citizens in the European Union (EU). The GDPR impacts all organizations that are established in the EU or any business that collects and stores the private data of EU citizens — including U.S. businesses.
The security framework contains 99 articles about the duties of a company to comply with these rules, such as a consumer’s access rights to their data, data protection policies and procedures, how the company will notify its national authority in case of a breach, etc.
The fines are steep – up to €20,000,000 or 4% of global turnover – and the EU is not afraid to impose them.
Compliance
Read our General Data Protection Regulation (GDPR) compliance checklist to learn more about developing a GDPR strategy and maintaining ongoing compliance.
7. FISMA Framework
Federal Information Security Management Act (FISMA): A comprehensive cybersecurity framework designed to help safeguard federal government information and systems from cyber attack. FISMA also applies to vendors and third parties that do work on behalf of federal agencies.
The FISMA security framework closely mirrors NIST cybersecurity standards, and mandates agencies and third parties to create a catalog of their digital assets and determine if there are network and system connections.
Sensitive information needs to be classified by risk and security controls need to adhere to minimum security standards based on security guidelines from FIPS and NIST 800. Impacts organizations also need to perform cyber security risk assessments, security audits on an annual basis, and ongoing IT infrastructure monitoring.
9. Person Centredness and Social Inclusion
The Digital Operational Resilience Act (DORA) (EU) 2022/2554 is the EU’s all-encompassing framework on ICT risk management in financial services. It will be in full effect from 17 January 2025 and it will apply to around 22,000 financial entities in all the EU member States, including banks, insurance companies, investment firms, payment institutions and importantly, the ICT third-party service providers serving these.
DORA goes beyond previous financial sector regulations, which considered cyber risk as an add-on to capital requirements, and instead considers “digital operational resilience” as a separate field of responsibility with its own governance framework, testing process and reporting obligations.
Who DORA applies to
DORA covers many financial institutions, irrespective of their size, such as credit institutions, payment institutions, insurance companies and reinsurers, investment firms, crypto-asset service providers and crowdfunding platforms. Notably, it is also directly applicable to critical third party service providers of ICT services (such as key cloud platforms). 19 providers, including AWS, Microsoft Azure and Google Cloud, have been identified as critical ICT third-party providers and will be supervised directly by the EU.
This means that, for example, US and non-EU organisations that offer financial entities in the EU ICT services are within the scope of DORA, even if they are based in the United States.
DORA’s five pillars
Within the five areas that financial entities need to tackle, DORA sets its needs as follows:
- 1. ICT risk management: Financial entities should have an in-house governance and control framework for effective management of ICT risk, including policies for business continuity, backup and recovery. Senior management is clearly accountable and have oversight.
- 2. Incident management and reporting in relation to ICT: Major incidents involving the use of ICT must be detected, managed and reported to competent national authorities. The reporting process is divided into phases: immediate notification of an incident is required when it is considered to be major, after which there will be an intermediate report and a final report within one month.
- 3. Operational Resilience Testing for Digital: Regular resilience testing is required, such as basic testing (vulnerability, network security, gap analyses) and advanced testing, namely Threat-Led Penetration Testing (TLPT) for large financial institutions, at least once in three years.
- 4. Third-party (TP) risk management related to ICT: Financial entities need to deal with the risks of their ICT third party providers. There should be explicit terms and conditions regarding service levels, audit rights, termination rights, exit strategies and notification of incidents in all ICT contracts. Entities must have an up-to-date Register of Information that records all third party ICT arrangements.
- 5. Information sharing: DORA promotes information sharing of cyber threat intelligence and vulnerabilities amongst financial entities and between financial entities and regulators in order to enhance sector-wide cyber resilience.
Penalties for non-compliance
For serious violations, the financial institution will be punished by a fine of up to 10% of its annual turnover worldwide or EUR 10 million, whichever amount is higher. Third party service providers of ICT who are designated as critical may be fined up to 1% of their average daily global turnover. Senior managers may be liable to up to €1 million for personal fines.
This will have implications for your third party risk programme
The core of DORA is the shift from due diligence towards a continuous, contractually defined responsibility for third-party risk management in the field of ICT. Point-in-time (PIP) assessments of vendors are no longer the proper approach, with the introduction of the requirement to have a Register of Information (ROI) for all third-party arrangements and to regularly monitor critical providers. Now, the monitoring of your ICT supply chain is expected, rather than a best practice, and you need to have a real-time view of vendor security posture.
Bitsight’s third-party risk management and continuous monitoring features directly align with the third-party risk requirements of DORA. Our DORA compliance checklist provides a detailed overview of how to achieve compliance with each pillar of DORA.
NIS2 Directive (Network and Information Security Directive 2)
The NIS2 Directive (EU) 2022/2555 is the EU’s new framework for cybersecurity in critical infrastructure and essential services. It was adopted in place of the earlier NIS Directive in October 2024, when there was a requirement for all EU member states to transpose the directive into national legislation. Currently, 22 of 27 EU member states have laws to implement NIS2 and the remaining 5 countries are currently in the process of enacting legislation.
NIS2 is more comprehensive, rigorous, and impactful than its predecessor. Building on NIS1, which only applied to a limited number of operators of key critical infrastructures, NIS2 extends to 18 critical sectors and adds direct accountability of senior management for cybersecurity, making it a matter of accountability across the board across the EU.
NIS2 applies to medium-sized and large organisations (usually at least 50 employees or with an annual turnover of €10M) in 18 critical sectors. There are two levels of these:
Who does NIS2 apply to
Essential entities are those that are subject to pro-active supervision and most stringent compliance requirements. These involve energy, transport, banking and financial market infrastructure, health, drinking water and wastewater, digital infrastructure and ICT service management, public administration and space.
Important entities – reactive supervision (as a response to evidence of non-compliance). These include postal and courier services, waste management, production of critical products, food production, chemical manufacture, research, and digital providers (such as online market places, search engines, social platforms).
Some digital infrastructure providers, regardless of size (e.g. DNS service providers, TLD registries, cloud providers, data centres, managed security services providers) are included.
NIS2’s Four Core Responsibilities
1. Cybersecurity risk management. Cyber security risks should be managed through technical, operational and organisational measures taken by entities. This encompasses risk analysis and information security policies, handling of incidents, business continuity/crisis management, supply chain security, secure development practices, mandatory multi-factor authentication (MFA), and encryption policies.
2. Corporate accountability. Management bodies explicitly approve and monitor cyber security risk management measures. Employees need to be trained in Cyber Security. Senior managers may also personally face liability for non-compliance, up to a point of possible temporary suspension from senior positions in extreme cases.
3. Incident reporting. Significant incidents are to be reported to the national authorities within a structured time frame; 24hrs for early warning, 72hrs for a detailed report of the incident and initial mitigation, and within one month of the incident for a detailed report of the recovery and long term improvements.
4. Business continuity. Organisations need to have in place well-defined plans for system recovery, emergency procedures, and also the capability to keep or speedily resuming key functions after a major cyber incident.
The future of chain risk under NIS2
One of the major new elements in NIS2 is its specific emphasis on supply chain security. Entities need to evaluate and control their cybersecurity risks at the whole supply chain level, which includes ICT service providers as well as software vendors. This involves a contractual commitment from suppliers, continuous monitoring and supplier accountability mechanisms. Notably, the legislation of NIS2 and DORA is conceived to be complementary: financial entities in scope of DORA would use it as their lex specialis on ICT risk, whereas NIS2 would apply the same principles to a wider array of sectors.
Penalties for non-compliance
The fines for essential entities are up to €10 million or 2% of global annual turnover, whichever is more. Fines are between €300,000 to up to €7 million or 1.4% of global annual turnover for important entities. National authorities may also carry out specific audits, provide binding instructions and increase the requirements for continuous oversight.
What’s changing in 2026
The European Commission also amended NIS2 in January 2026 to introduce new reporting obligations relating to ransomware incidents (such as whether a ransom was paid and to which entities) and increased the appointments of representatives to include non-EU organisations that provide non-EU services that fall under EU NIS2 regulation. Proposals for this directive are now being considered in legislation and are a further development of the directive.
The implications of this for your security programme
There are two things NIS2 emphasizes: that supply chain risk is a regulatory requirement, and that cybersecurity is becoming a leadership accountability question, rather than a technical problem. Organisations that use annual vendor assessments or periodic audits to manage third-party risk aren’t doing what the directive requires. A constant monitoring of your vendor and a clear chain of executive accountability is the model that NIS2 is looking to implement.
NIS2 vendor risk obligations are facilitated by Bitsight’s vendor risk management platform by monitoring vendor security posture continuously and automatically throughout your extended third-party supply chain. Consult our CISO Compliance Playbook on implementing NIS2, DORA and PS213.
Cybersecurity is no longer a guidepost, it’s a business imperative too.
Cybersecurity frameworks have undergone many changes in the past two years. What used to be a series of best-practice guidelines is now a intricate regime of regulation with seven and eight-figure penalties for non-compliance; personal accountability for executives and mandatory disclosure of incidents in the public arena.
The real-world challenge for security teams is that most organisations are working with multiple frameworks at once – a financial institution based in the United States but operating in Europe could be required to meet the demands of FISMA, SOC 2, DORA and NIS2 – and each has its own set of distinct need for incident management, third-party management and risk management.
What they all share in common is an increase in demand for ongoing, evidence-based compliance – regulators are no longer content with point-in-time certifications and audits on an annual basis. DORA is a live Register of Information that needs continuous vendor monitoring. NIS2 mandates ongoing risk management in the supply chain and periodic executive risk accountability reviews. The Govern function is a new addition to the NIST CSF 2.0 to incorporate cybersecurity into Enterprise Risk Management on an ongoing basis.
Security ratings and the ongoing monitoring features of Bitsight have been engineered to work in this environment; and as frameworks are increasingly demanding it as a minimum component, it offers the real-time visibility into your own security posture that you need, as well as your vendors’. Having a security framework (or multiple frameworks) as the guidance and a continuous monitoring model as the operating model, you will not only be able to show compliance, but also help to lessen the cyber risk in your organisation and supply chain.