13/11/2025

NIST CSF 2.0 & NIS2 Trivia Quiz

How well do you understand the similarities, differences, and complementarities between the U.S. NIST Cybersecurity Framework 2.0 and the European Union’s NIS2 Directive? Both aim to strengthen digital resilience, but through distinct approaches. Test your knowledge with this quiz, which explores their governance models, compliance logic, and key cybersecurity priorities.
  1. Which of the following describes the core nature of NIS2 compared with NIST CSF 2.0?
    A) NIS2 is purely voluntary; NIST CSF 2.0 is legally binding.
    B) NIS2 sets legally binding obligations for entities in scope; NIST CSF 2.0 is a voluntary guidance framework.
    C) Both NIS2 and NIST CSF 2.0 are legally binding for all organizations globally.
    D) NIS2 is only a guideline for SMEs; NIST CSF 2.0 is mandatory for critical infrastructure.
  2. One of the new additions in NIST CSF 2.0 compared to its earlier version is:
    A) Elimination of the “Protect” function.
    B) Addition of a new core function “Govern”.
    C) Making incident-reporting mandatory for all organizations.
    D) Restricting the scope to only U.S. federal agencies.
  3. Which statement correctly reflects a similarity between NIS2 and NIST CSF 2.0?
    A) Both frameworks mandate an identical reporting timeline for incidents.
    B) Both emphasize risk management and organizational governance as foundational to cybersecurity.
    C) Both apply exclusively to U.S. critical infrastructure.
    D) Both prescribe the same controls.
  4. Regarding geographic and sectoral scope, which is true?
    A) NIST CSF 2.0 applies only within the USA; NIS2 covers all companies worldwide.
    B) NIS2 applies within the EU and selected sectors; NIST CSF 2.0 is adaptable globally for all organizations.
    C) Both apply only to operators of essential services.
    D) NIS2 applies only to the public sector; NIST CSF 2.0 applies only to private companies.
  5. Which of the following best captures how incident-reporting obligations differ between the two?
    A) NIS2 contains regulated, mandatory incident-reporting and potential sanctions; NIST CSF 2.0 does not.
    B) NIST CSF 2.0 mandates incident-reporting; NIS2 leaves it voluntary.
    C) Both frameworks ban external reporting.
    D) They share identical reporting timelines.
  6. Which of the following is a meaningful way the two frameworks can complement each other?
    A) An EU entity can apply NIST CSF 2.0 to structure its internal governance and combine it with NIS2 to meet regulatory obligations.
    B) They cannot be used together.
    C) NIST CSF 2.0 replaces NIS2 entirely in the EU.
    D) NIS2 forbids using NIST CSF 2.0.
  7. How do NIST CSF 2.0 and NIS2 address supply-chain cybersecurity?
    A) Both recognize supply-chain risk as integral, but NIS2 introduces explicit due diligence obligations for suppliers and service providers.
    B) Only NIST CSF 2.0 covers supply-chain issues; NIS2 omits them.
    C) NIS2 requires supply-chain certification by NIST.
    D) Neither framework mentions third-party risk management.
  8. With respect to regulatory enforcement and supervisory oversight, which statement is accurate?
    A) NIST CSF 2.0 includes national supervisory authorities with sanction powers; NIS2 has none.
    B) NIS2 establishes national authorities and sanctions; NIST CSF 2.0 does not prescribe enforcement.
    C) Neither framework provides for sanctions.
    D) Both delegate enforcement exclusively to private bodies.
  9. Which of the following statements about the structure and adaptation of the two is correct?
    A) NIS2 is entirely rigid and not adaptable.
    B) NIST CSF 2.0 uses profiles and tiers for tailoring; NIS2 allows some adaptation (size-based thresholds) but is less flexible.
    C) Both are only for large multinationals.
    D) NIST CSF 2.0 forces identical controls for all.
  10. What is one of the key differences in how the two frameworks treat governance and accountability?
    A) NIS2 specifically requires assigned roles and executive accountability; NIST CSF 2.0 encourages governance with more flexibility.
    B) NIS2 has no governance requirements; NIST CSF 2.0 mandates them.
    C) Both treat governance identically.
    D) NIST CSF 2.0 prohibits executive involvement.

✅ Answer Key

  1. B)
  2. B)
  3. B)
  4. B)
  5. A)
  6. A)
  7. A)
  8. B)
  9. B)
  10. A)

Contacts

Blockchain District
Lugano, Switzerland
Via Cantonale 19, 6900, Lugano, CH