Essential Cybersecurity Frameworks Explained: NIST, ISO 27001, DORA & More (2026)
In today's regulatory environment, cybersecurity frameworks have evolved from voluntary best-practice guides into legally enforceable requirements, with significant financial penalties for non-compliance. Security ratings provide a snapshot of your organisation's cyber health, but to demonstrate a robust, long-term commitment to cybersecurity you also need to align with recognised industry and regulatory frameworks. Below, we cover the most widely adopted cybersecurity frameworks, including two major pieces of EU legislation, the NIS2 Directive and the DORA Regulation, that became applicable in 2024 and 2025 and now affect thousands of organisations globally.
What is a cybersecurity framework?
A cybersecurity framework is a structured set of standards, guidelines, and best practices designed to help organizations manage and reduce cybersecurity risks. These frameworks provide a comprehensive roadmap for assessing, monitoring, and mitigating potential threats. By establishing consistent processes and controls, they help organizations implement a proactive security strategy, manage regulatory requirements, and facilitate communication among security professionals and stakeholders.
Cybersecurity frameworks are critical for aligning security efforts across different teams, industries, and countries. They enable security leaders—such as CISOs, risk management teams, and IT leadership—to effectively assess their own security posture as well as that of third-party vendors, ensuring a unified approach to threat mitigation.
9 Top security frameworks
Whether mandated by regulation or adopted voluntarily, these frameworks form the backbone of an organization's cybersecurity strategy. Below, we outline nine of the most widely adopted cybersecurity frameworks and standards that can help guide your organization toward stronger, more resilient defenses:
1. NIST 2.0 Framework
The NIST Cybersecurity Framework was established in response to an executive order by former President Obama — Improving Critical Infrastructure Cybersecurity — which called for greater collaboration between the public and private sector for identifying, assessing, and managing cyber risk.
While adoption is voluntary, the NIST CSF has become the de facto standard for assessing cybersecurity maturity, identifying security gaps, and mapping an organization's controls to the cybersecurity regulations it must meet.
Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
In 2024, NIST unveiled the Cybersecurity Framework 2.0 (CSF 2.0), marking its most significant update since the release of CSF 1.1 in 2018.
CSF 2.0 extends its reach beyond critical infrastructure cybersecurity, targeting a wider array of organizations including small schools, nonprofits, large agencies, and corporations, regardless of their cybersecurity expertise.
A notable addition in this update is the emphasis on cybersecurity governance, recognizing cybersecurity as a key component of enterprise risk management alongside financial and reputational risks.
The framework now encompasses six core functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover, providing a holistic approach to managing cybersecurity risk. Each function is broken down into categories and subcategories of outcomes that an organization can map to its existing controls and use to build a current-state and target-state profile.
NIST has also introduced a suite of resources to facilitate the security framework's adoption. These include quick-start guides tailored for various audiences, success stories from organizations that have implemented the CSF, and a searchable catalog of informative references to align existing practices with the framework’s guidance.
Furthermore, the CSF 2.0 is designed to align with international standards, supporting global cybersecurity resilience efforts. The journey from CSF 1.1 to CSF 2.0 represents NIST's commitment to evolving the security framework in response to the changing cybersecurity challenges and the needs of its users. Organizations are encouraged to customize the CSF to their specific contexts and share their experiences to benefit the broader community.
2. ISO 27001 & ISO 27002 Frameworks
Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the standard an organization is certified against. ISO/IEC 27002 is its companion code of practice: it describes the controls listed in Annex A of 27001 in detail and is guidance rather than a certifiable standard. Together they are considered the international benchmark for validating a cybersecurity program, internally and across third parties.
With an ISO 27001 certification, companies can demonstrate to the board, customers, partners, and shareholders that they are managing cyber risk systematically. Likewise, if a vendor is ISO 27001 certified, it's a good indicator (although not the only one) that they have mature cybersecurity practices and controls in place. When reviewing a vendor's certificate, check its scope statement and the Statement of Applicability: a certificate can cover a single site or service rather than the whole company, and controls the vendor has excluded will not have been audited.
The downside is that the process requires time and resources; organizations should only proceed if there is a true benefit, such as the ability to win new business. Certification also runs on a three-year cycle with annual surveillance audits, so it remains a periodic snapshot and could miss evolving risks that continuous monitoring can detect.
3. SOC2 Framework
SOC 2 (System and Organization Controls 2) is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA) to help verify that service organizations, such as vendors and partners, are securely managing client data. A SOC 2 audit evaluates controls against the AICPA Trust Services Criteria: security (which is always in scope) plus, optionally, availability, processing integrity, confidentiality, and privacy. Note that "SOC 2" and "Type 2" are different things: a Type I report assesses whether controls are suitably designed at a point in time, while a Type II report also tests whether they operated effectively over an observation period.
The Trust Services Criteria comprise more than 60 individual criteria across the five categories, and the audit process for a third party's systems and controls is extensive. Type II reports typically cover an observation window of three to twelve months, after which the auditor issues a report, not a certificate, that attests to the vendor's controls over that period. When reading a vendor's report, look for the system boundary it covers, any exceptions the auditor noted, and the complementary user entity controls that shift responsibility back to you.
Because of its comprehensiveness, SOC 2 is one of the more demanding security frameworks to implement, particularly for organizations in the finance or banking sector, which face a higher standard for compliance than other sectors. Nevertheless, it's an important security framework that should be central to any third-party risk management program.
Compliance
Read our guide to SOC2 compliance for requirements, types of SOC reports and standards, leadership recommendations, and a complete SOC2 compliance checklist.
Bitsight Vendor Risk Management’s latest enhancement – Instant Insights – leverages AI to surface and summarize the most important details from vendor-provided SOC 2 reports. With Instant Insights, GRC teams can work more efficiently through the vendor onboarding and assessment process, ultimately responding to requests from business stakeholders more quickly.
4. NERC-CIP Framework
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of mandatory, enforceable cybersecurity standards for the bulk electric system, designed to help registered entities in the utility and power sector reduce cyber risk and ensure grid reliability. They were introduced in response to the rise in attacks on North American critical infrastructure and, more recently, extended to address growing third-party risk.
The NERC CIP security framework requires impacted organizations to identify and mitigate third-party cyber risks in their supply chain; the CIP-013 standard (Supply Chain Risk Management) specifically covers vendor risk assessment and procurement controls for BES Cyber Systems.
NERC CIP stipulates a range of controls including categorizing systems and critical assets (BES Cyber Systems are rated high, medium, or low impact, which determines which requirements apply), training personnel, incident response and planning, recovery plans for critical cyber assets, vulnerability assessments, and more. Read more about effective strategies for achieving NERC-CIP compliance.
5. HIPAA Framework
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law whose Security Rule requires healthcare organizations, specifically covered entities (providers, health plans, and clearinghouses) and their business associates, to implement administrative, physical, and technical safeguards that secure electronic protected health information (ePHI) and protect patient privacy.
Per HIPAA, in addition to demonstrating compliance against cyber risk best practices — such as training employees — companies in the sector must also conduct risk assessments to manage and identify emerging risk.
HIPAA compliance remains a keen challenge for healthcare organizations, as Bitsight research suggests.
6. GDPR Framework
The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since 25 May 2018 to strengthen data protection for individuals in the European Union (EU). The GDPR applies to all organizations established in the EU and to any business outside the EU, including U.S. businesses, that offers goods or services to, or monitors the behaviour of, individuals in the EU and processes their personal data.
The regulation comprises 99 articles covering a company's compliance responsibilities, including data subjects' access rights, data protection policies and procedures, and breach notification requirements (controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals, and must also notify affected individuals without undue delay when that risk is high), and more.
Fines for non-compliance are high: up to €20 million or 4% of global annual turnover, whichever is higher, and EU supervisory authorities are not shy about enforcing them.
Compliance
Read our General Data Protection Regulation (GDPR) compliance checklist to learn more about developing a GDPR strategy and maintaining ongoing compliance.
7. FISMA Framework
The Federal Information Security Modernization Act (FISMA, originally the Federal Information Security Management Act of 2002 and updated in 2014) requires U.S. federal agencies to protect government information and systems against cyber threats. FISMA also extends to contractors and other third parties who operate systems on behalf of federal agencies.
The FISMA security framework is implemented through NIST standards and requires agencies and third parties to maintain an inventory of their information systems and identify any interconnections between networks and systems.
Information systems must be categorized according to impact (FIPS 199), meet the minimum security requirements in FIPS 200, and implement controls selected from the NIST SP 800-53 catalog, following the Risk Management Framework described in NIST SP 800-37. Impacted organizations must also conduct cybersecurity risk assessments, annual security reviews, and continuously monitor their IT infrastructure.
8. DORA Framework (Digital Operational Resilience Act)
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — is the EU's comprehensive framework for ICT risk management in the financial sector. It became fully applicable on 17 January 2025 and applies to approximately 22,000 financial entities across all EU member states, including banks, insurance companies, investment firms, payment institutions, and — critically — the ICT third-party service providers that serve them.
Unlike previous financial sector regulations that addressed cyber risk as an add-on to capital requirements, DORA treats digital operational resilience as a standalone discipline with its own governance structure, testing requirements, and incident reporting obligations.
Who DORA applies to
DORA applies to a wide range of financial entities regardless of size, including credit institutions, payment institutions, insurance and reinsurance undertakings, investment firms, crypto-asset service providers, and crowdfunding platforms. Importantly, it also applies directly to critical ICT third-party service providers — including major cloud platforms. As of November 2025, 19 providers (including AWS, Microsoft Azure, and Google Cloud) have been designated as critical ICT third-party service providers and are subject to direct EU supervisory oversight.
Non-EU organisations, including US companies, that provide ICT services to EU financial entities are therefore affected by DORA regardless of where they are headquartered: indirectly, through the contractual provisions that financial entities must impose on them, and directly if they are designated as critical ICT third-party service providers.
DORA's five pillars
DORA organises its requirements across five areas that financial entities must address:
1. ICT risk management. Financial entities must establish an internal governance and control framework for effective management of ICT risk, including policies for business continuity, backup, and recovery. Senior management is explicitly responsible for oversight and accountability.
2. ICT incident management and reporting. Entities must detect, manage, classify, and report major ICT-related incidents to their competent authority on a structured timeline: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the latest intermediate report.
3. Digital operational resilience testing. Entities must conduct regular resilience testing, including basic testing (vulnerability assessments, network security scans, gap analyses) and, for significant financial institutions, advanced Threat-Led Penetration Testing (TLPT) at least every three years.
4. ICT third-party risk management. Financial entities must manage the risks arising from their ICT third-party providers. All ICT contracts must include specific provisions covering service levels, audit rights, termination rights, exit strategies, and incident notification procedures. Entities are required to maintain a complete Register of Information documenting all ICT third-party arrangements.
5. Information sharing. DORA permits and encourages financial entities to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and security alerts, within trusted communities, provided the arrangements protect the confidentiality of what is shared. Participation is voluntary, but entities must notify their competent authority when they join or leave such an arrangement.
Penalties for non-compliance
DORA does not set a single EU-wide fine for financial entities; instead, each member state determines the administrative penalties and remedial measures its competent authorities can impose, and national law may apply those penalties to members of the management body and other individuals responsible for a breach. ICT third-party service providers designated as critical can be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding business year, applied daily for up to six months, until they comply with the Lead Overseer's measures.
What this means for your third-party risk programme
DORA fundamentally elevates ICT third-party risk management from a due-diligence exercise to a continuous, contractually structured obligation. The requirement to maintain a Register of Information for all ICT third-party arrangements and conduct ongoing monitoring of critical providers means that point-in-time vendor assessments alone are no longer sufficient. Continuous monitoring of your ICT supply chain — with real-time visibility into vendor security posture — is now a regulatory expectation, not just a best practice.
Bitsight's third-party risk management and continuous monitoring capabilities are directly aligned with DORA's third-party risk requirements. Read our DORA compliance checklist for a detailed breakdown of how to meet each pillar.
9. NIS2 Directive (Network and Information Security Directive 2)
The NIS2 Directive — Directive (EU) 2022/2555 — is the EU's updated framework for cybersecurity across critical infrastructure and essential services. It replaced the original NIS Directive in October 2024, when EU member states were required to transpose it into national law. As of May 2026, 22 of 27 EU member states have enacted NIS2 legislation, with the remaining five in active legislative processes.
NIS2 is broader, stricter, and more consequential than its predecessor. Where NIS1 covered a narrow set of critical infrastructure operators, NIS2 expands to 18 critical sectors and introduces direct personal liability for senior management — making cybersecurity a board-level accountability matter across the EU.
Who NIS2 applies to
NIS2 applies to medium-sized and large organisations (generally 50 or more employees, or more than €10 million in annual turnover or balance sheet total) operating in the 18 sectors listed in its two annexes. In-scope organisations are divided into two tiers:
Essential entities are subject to proactive supervision and the highest compliance obligations. In general these are the large entities in the Annex I sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space.
Important entities are subject to reactive supervision, triggered by evidence of non-compliance. These include medium-sized entities in the Annex I sectors and entities in the Annex II "other critical" sectors: postal and courier services, waste management, chemicals, food production and distribution, manufacturing of critical products (such as medical devices, electronics, and machinery), digital providers (online marketplaces, search engines, social networking platforms), and research organisations.
Certain providers fall within scope regardless of size: DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks or services, as well as certain other entities, for example the sole provider in a member state of a service essential to society. Cloud providers, data centre operators, and managed security service providers are in scope as digital infrastructure or ICT service management, but the normal size thresholds apply to them.
NIS2's four core obligations
1. Cybersecurity risk management. Entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Article 21 lists the minimum measures: risk analysis and information security policies; incident handling; business continuity, including backup management, disaster recovery, and crisis management; supply chain security; security in the acquisition, development, and maintenance of systems, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; basic cyber hygiene practices and security training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control, and asset management; and, where appropriate, the use of multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems.
2. Corporate accountability. Management bodies are explicitly responsible for approving and overseeing cybersecurity risk management measures. Executives must undergo cybersecurity training. Senior managers can be held personally liable for compliance failures — including temporary bans from leadership roles in severe cases.
3. Incident reporting. Significant incidents must be reported to national authorities on a structured timeline: a 24-hour early warning, a 72-hour full incident report detailing the breach and initial mitigation, and a final report within one month outlining recovery and long-term improvements.
4. Business continuity. Organisations must have structured plans covering system recovery, emergency procedures, and the ability to maintain or rapidly restore critical services following a significant cyber incident.
Supply chain risk under NIS2
A significant addition in NIS2 is its explicit focus on supply chain security. Entities must assess and manage cybersecurity risks across their entire supply chain — including their ICT service providers and software vendors. This requires contractual obligations on suppliers, ongoing monitoring, and vendor accountability mechanisms. Notably, NIS2 and DORA are designed to be complementary: financial entities in scope of DORA use it as their lex specialis for ICT risk, while NIS2 applies the same principles to a broader range of sectors.
Penalties for non-compliance
Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover. National authorities can also conduct targeted audits, impose binding instructions, and increase ongoing oversight requirements.
What's changing in 2026
In January 2026, the European Commission proposed amendments to NIS2 that would add ransomware-specific reporting requirements (including whether a ransom was paid and to whom) and expand the representative appointment requirements for non-EU organisations offering NIS2-regulated services in the EU. These proposals are currently in legislative review and represent the next evolution of the directive.
What this means for your security programme
NIS2 makes two things clear: supply chain risk is a regulatory requirement, and cybersecurity is now a leadership accountability issue — not just a technical one. Organisations that rely on annual vendor assessments or periodic audits to manage third-party risk are not meeting the directive's intent. Continuous monitoring of your vendor ecosystem, combined with a clear chain of executive accountability, is the operational model NIS2 is designed to enforce.
Bitsight's vendor risk management platform supports NIS2 supply chain obligations with continuous, automated monitoring of vendor security posture across your entire third-party ecosystem. Read our CISO's compliance playbook for NIS2, DORA, and PS21/3 for implementation guidance.
Cybersecurity frameworks are now a business imperative — not just a guidepost
The landscape of cybersecurity frameworks has changed significantly in the last two years. What was once a set of voluntary best-practice guides has evolved into a complex regulatory environment where non-compliance carries seven- and eight-figure penalties, personal liability for executives, and mandatory incident reporting to regulators on tight timelines.
The practical challenge for security leaders is that most organisations operate across multiple frameworks simultaneously. A US financial institution with EU operations, for example, may need to align with NIST CSF and SOC 2 at home while satisfying DORA, NIS2, and GDPR in the EU, each with overlapping but distinct requirements for risk management, incident reporting, and third-party oversight.
The common thread across all of these frameworks is a shift toward continuous, evidence-based compliance: regulators are no longer satisfied with point-in-time certifications and annual audits. DORA requires ongoing vendor monitoring and a maintained Register of Information. NIS2 requires continuous supply chain risk management and makes management bodies responsible for approving and overseeing those measures. NIST CSF 2.0 introduces a Govern function specifically to embed cybersecurity into enterprise risk management on an ongoing basis.
Bitsight's security ratings and continuous monitoring capabilities are built for this environment — providing the real-time visibility into your own security posture and your vendors' that frameworks increasingly require as the baseline. With a security framework (or several) as your guidepost, and continuous monitoring as your operating model, you'll be positioned not just to demonstrate compliance, but to genuinely reduce cyber risk across your organisation and supply chain.