Most organizations still pick a security framework the way they did in 2022: find the biggest name, check the box, move on. That approach has not survived contact with the last three years, which brought three new regulations, a finalized post-quantum cryptography standard, and an entirely new AI threat surface.
The current situation: A framework landscape transformed since 2022
Choosing the right security framework has never been more consequential or more complex. When IDC last published comprehensive guidance on this topic in 2022, the landscape was manageable: a stable set of well-known frameworks and a relatively predictable regulatory backdrop. The intervening years have fundamentally changed both dimensions.
Four structural shifts now define what buyers must navigate:
- NIST CSF 2.0 (February 2024), the framework's first major revision in a decade, introduced a formal Govern function, elevating cybersecurity from an operational discipline to a board governance obligation and broadening scope to all organizations regardless of size or sector.
- DORA (EU 2022/2554) became fully applicable in January 2025, imposing mandatory ICT risk management and third-party oversight obligations on approximately 22,000 EU financial entities.
- PQC standards were finalized: NIST released three post-quantum cryptography standards in August 2024 (FIPS 203, 204, 205), transforming quantum readiness from a theoretical concern to an operational imperative.
- AI has created a new risk surface: NIST published a draft Cyber AI Profile (IR 8596) in December 2025, extending CSF 2.0 specifically to AI-related cybersecurity risks. Organizations that have deployed AI, particularly agentic AI or LLM-integrated workflows, must now factor AI governance into framework selection.
The wrong framework choice, one that exceeds organizational maturity, understates regulatory obligation, or ignores supply chain exposure, produces worse security outcomes than a well-adopted, properly scoped, simpler framework. The good news: there are strong options. The challenge: the decision is more complex than it was three years ago.
Decision-making criteria and methodology
Security framework selection is a risk management decision, not a technical checklist, requiring input from legal, compliance, finance, operations, and the board. IDC’s 2026 methodology starts with crown-jewel data classification, then splits into regulated and non-regulated tracks, now including universal AI governance and quantum-readiness branches. Key criteria include data classification, regulatory obligations, threat landscape, and AI adoption footprint. Organizations deploying agentic AI face risks that general-purpose frameworks don’t address, while harvest-now-decrypt-later (HNDL) exposure demands cryptographic roadmap planning alongside traditional control mapping.
Additional criteria round out the methodology: third-party risk (CSF 2.0’s Govern function and DORA Article 28 set the compliance floor), PQC readiness (FIPS 203-205 are finalized, with 2030 as a planning horizon), and organizational maturity (smaller organizations should start with CIS Controls IG1 rather than overreaching). Budget discipline favors phased, risk-prioritized roadmaps supported by cyber risk quantification. Finally, multi-framework interoperability and GRC technology support are now prerequisites: manual evidence collection across concurrent regimes such as CSF 2.0, ISO 27001, HIPAA, and DORA is no longer sustainable at scale.
Regulated versus non-regulated organizations: Two different journeys
Regulated organizations
For regulated organizations, the regulator largely determines the framework; strategic focus shifts to execution. Key questions: How can multiple simultaneous requirements (DORA + ISO 27001; HIPAA + NIST 800-53) be satisfied without duplicating evidence work? Which GRC platform best automates cross-framework mapping? How should gap closure be sequenced within the budget? Have ICT third-party providers been assessed against CSF 2.0 Govern, DORA Article 28, and NIST 800-161? Mature organizations typically adopt a “framework stack”: CSF 2.0 or ISO 27001 as backbone, NIST 800-161 for high-risk vendors, plus industry-specific overlays.
Non-regulated organizations
Non-regulated organizations must perform more active analysis, with the right starting point depending on maturity. Early-stage or SMB organizations should adopt CIS Controls v8 Implementation Group 1 (56 safeguards achievable with limited staff), mapped to NIST CSF 2.0 for growth. Mature programs, or those facing elevated threat exposure, should adopt NIST CSF 2.0 or ISO 27001:2022, both of which include a Govern function that supports board-level accountability and SEC disclosure readiness. All non-regulated organizations, regardless of maturity, should evaluate the AI Governance and Quantum Readiness branches given their present-day risk implications.
AI and quantum: Two criteria that didn’t exist in 2022
Artificial intelligence: risk surface and governance obligation
AI has added two urgent dimensions to the framework selection process. Offensively, adversaries use LLMs for convincing phishing, automated vulnerability discovery, and direct attacks via model poisoning and prompt injection. Assess whether your framework addresses AI-enabled detection and response. Defensively, organizations deploying AI in production, especially autonomous agentic AI, face authorization, auditability, model integrity, and supply chain risks that general-purpose frameworks don’t address. The NIST Cyber AI Profile (IR 8596, December 2025 draft) extends CSF 2.0 across three risk areas and should serve as a supplementary governance layer. Shadow AI and SaaS-embedded AI remain largely unmeasured exposures requiring dedicated governance tooling.
Post-quantum cryptography: from theory to operational imperative
PQC standards are finalized: NIST published FIPS 203, 204, and 205 in August 2024, with a fourth HQC-based standard selected in March 2025. The harvest-now-decrypt-later threat is present today: adversaries are collecting encrypted data now to decrypt once quantum computing matures, creating real exposure for organizations holding financial, healthcare, or critical infrastructure data. NSA’s CNSA 2.0 mandates 2030 migration for National Security Systems; commercial organizations should treat this as a planning horizon, not a start date. Immediate actions include completing a cryptographic inventory, prioritizing long-lived data systems, evaluating vendor PQC roadmaps, and considering hybrid cryptographic approaches.
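The two PQC actions above that lend themselves to tooling are the cryptographic inventory and the prioritization of long-lived data systems against harvest-now-decrypt-later exposure (also raised in the methodology section). The following is an added example, not IDC's or NIST's code: it assumes the inventory has already been collected into a CSV (from certificate scans, TLS configurations or KMS exports; the sample rows are constructed) and ranks records using Mosca's inequality, flagging a record as HNDL-exposed when data shelf life plus migration time exceeds the years until a cryptographically relevant quantum computer. The 4-year horizon (2030 seen from 2026) and 2-year migration estimate are assumptions to tune per organization.

```python
"""Cryptographic inventory triage for harvest-now-decrypt-later (HNDL) exposure.

Hypothetical example, not IDC tooling. Input is a CSV inventory with columns
system, algorithm, key_bits, purpose, shelf_life_years; output is a migration
order, most urgent first.
"""
import csv
import io
from dataclasses import dataclass

# Public-key primitives that a cryptographically relevant quantum computer breaks via Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA), plus HQC, selected in March 2025.
PQC_ALGORITHMS = {"ML-KEM", "ML-DSA", "SLH-DSA", "HQC"}
SYMMETRIC_PREFIXES = ("AES", "CHACHA")


@dataclass
class Finding:
    system: str
    algorithm: str
    status: str           # pqc | hybrid | vulnerable | symmetric-ok | symmetric-weak | unknown
    shelf_life_years: int
    hndl_exposed: bool    # ciphertext captured today would still matter when the horizon arrives
    priority: int         # 1 = migrate first ... 5 = already acceptable


def classify(algorithm: str, key_bits: int) -> str:
    """Map an algorithm label (use 'classical/PQC' for hybrids) to a status."""
    name = algorithm.upper()
    parts = {p.strip() for p in name.replace("+", "/").split("/")}
    if parts & PQC_ALGORITHMS:
        return "hybrid" if parts & QUANTUM_VULNERABLE else "pqc"
    if parts & QUANTUM_VULNERABLE:
        return "vulnerable"
    if name.startswith(SYMMETRIC_PREFIXES):
        # Grover's algorithm halves effective symmetric strength; 256-bit keys keep a 128-bit margin.
        return "symmetric-ok" if key_bits >= 256 else "symmetric-weak"
    return "unknown"


def hndl_exposed(status: str, purpose: str, shelf_life_years: int,
                 migration_years: int, years_until_threat: int) -> bool:
    """Mosca's inequality: exposed if shelf life + migration time exceeds the threat horizon.

    Only confidentiality uses (key exchange, encryption) can be harvested now and decrypted
    later. Signatures are not retroactively broken, so they are excluded from HNDL exposure
    even though they still need migrating before the horizon.
    """
    if status != "vulnerable" or purpose == "signature":
        return False
    return shelf_life_years + migration_years > years_until_threat


# Tier for records that are not HNDL-exposed; exposed records always get tier 1.
PRIORITY = {"vulnerable": 2, "unknown": 2, "symmetric-weak": 3, "hybrid": 4, "pqc": 5, "symmetric-ok": 5}


def triage(inventory_csv: str, years_until_threat: int = 4, migration_years: int = 2) -> list:
    """Return Findings sorted by priority tier, longest data shelf life first within a tier."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        shelf = int(row["shelf_life_years"])
        status = classify(row["algorithm"], int(row["key_bits"]))
        exposed = hndl_exposed(status, row["purpose"], shelf, migration_years, years_until_threat)
        priority = 1 if exposed else PRIORITY[status]
        findings.append(Finding(row["system"], row["algorithm"], status, shelf, exposed, priority))
    return sorted(findings, key=lambda f: (f.priority, -f.shelf_life_years))


# Constructed sample inventory (hypothetical systems, not real findings).
SAMPLE_INVENTORY = """system,algorithm,key_bits,purpose,shelf_life_years
patient-records-tls,RSA,2048,key-exchange,15
backup-archive,AES,256,encryption,20
code-signing,ECDSA,256,signature,3
vpn-gateway,X25519/ML-KEM,768,key-exchange,5
legacy-db-encryption,AES,128,encryption,7
payments-api,ECDH,256,key-exchange,10
marketing-site-tls,RSA,2048,key-exchange,1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        flag = "HNDL-EXPOSED" if f.hndl_exposed else ""
        print(f"P{f.priority} {f.system:22} {f.algorithm:14} {f.status:14} {flag}")
```

Note the ordering the sample produces: the two long-lived, quantum-vulnerable key-exchange systems rank first because the data they protect outlives the horizon even if captured today, the short-lived marketing TLS endpoint and the signing key land in tier 2 (they must migrate before the horizon but carry no retroactive exposure), AES-128 ranks as a weakened rather than broken control, and the hybrid X25519/ML-KEM VPN is already in the shape the text's "hybrid cryptographic approaches" recommends.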
Essential guidance for the technology buyer
A well-adopted, properly scoped framework always outperforms a theoretically superior one that exceeds organizational capacity. Buyers should structure stakeholder conversations, including legal, compliance, finance, and the board, around the 10 decision criteria, treating AI governance and PQC readiness as first-order, not future-state, considerations. Conduct a cryptographic inventory now and evaluate AI footprint against the NIST Cyber AI Profile. Address third-party risk per CSF 2.0, NIST 800-161, and DORA Article 28. Favor frameworks with strong cross-mapping, invest in automated GRC technology, and adopt cyber risk quantification for CFO-ready budget conversations. Build a phased, five-year roadmap, closing highest-risk gaps first, and recalibrate annually.
“The right security framework is a critical factor in adequately managing security risks, not only those present today, but also those that could emerge in the future. The 2026 landscape demands that organizations evaluate AI governance and post-quantum cryptography readiness as first-order criteria, not future-state considerations.” —Philip D. Harris, Research Director, Cybersecurity GRC Solutions, IDC
Guidance for the technology supplier and services provider
The security framework market is in structural transition, and suppliers calibrated to 2022 are selling into a market that no longer exists. Multi-framework compliance automation is now the dominant selection criterion, making unified control libraries across CSF 2.0, ISO 27001, HIPAA, and DORA essential. Suppliers should build DORA as a named capability, establish AI governance credibility now while the Cyber AI Profile remains in draft, and develop a PQC advisory practice anchored to cryptographic inventory services. Value propositions should be reframed financially for CFO-influenced procurement, while midmarket buyers increasingly favor managed compliance wrappers. Roadmap priorities span CSF 2.0/DORA now, Cyber AI Profile alignment in 2027, and full PQC/EU CRA support by 2030.