Fundamentals
What is the difference between CIS Level 1 and Level 2?
More context
Level 1 (L1) covers settings like disabling default accounts, enforcing password policies, configuring audit logging, and removing unnecessary services. These are widely accepted as table stakes for production systems.
Level 2 (L2) covers more restrictive settings: disabling additional protocols, stricter cryptography requirements, additional logging, and application allowlisting. L2 is appropriate for systems handling classified data, financial transactions, protected health information, or other regulated data categories.