Context: Navigating Multiple Regulatory Frameworks
Organisations operating in the European Union — particularly in financial services, critical infrastructure, and essential services — increasingly find themselves subject to multiple overlapping regulatory frameworks. ISO 27001, DORA (Digital Operational Resilience Act), and NIS2 (Network and Information Security Directive) each impose information security requirements that, while originating from different regulatory objectives, share substantial common ground.
For compliance officers and auditors, the key challenge is understanding where these frameworks align (implement once, evidence once), where they diverge (additional specific requirements), and how to build an efficient compliance programme that satisfies all three without tripling the effort.
This article provides a comprehensive overlap matrix and practical guidance for multi-framework compliance, with particular attention to CI/CD pipeline governance where all three frameworks have significant implications.
Comprehensive Controls Overlap Matrix
The following table maps ten core control domains across ISO 27001, DORA, and NIS2, identifying alignment and divergence points.
| Control Domain | ISO 27001 Reference | DORA Reference | NIS2 Reference | Alignment Notes |
|---|---|---|---|---|
| Risk Management | Clause 6.1, 8.2; A.6 Organisation | Article 6 — ICT risk management framework | Article 21(2)(a) — Risk analysis and information system security policies | Strong alignment. All three require formal risk management. DORA mandates an ICT-specific risk framework with board-level oversight. NIS2 requires a risk-based approach. ISO 27001 provides the methodology baseline. |
| Access Control | A.9 — Access Control (A.9.1–A.9.4) | Article 9(4)(c) — Access management policies | Article 21(2)(i) — Human resources security, access control policies | Strong alignment. All three require formal access control with least privilege. DORA specifically requires identity and access management for ICT systems. Map A.9 controls to satisfy all three. |
| Change Management | A.12.1.2 Change management; A.14.2.2 System change control | Article 9(4)(e) — ICT change management procedures | Article 21(2)(a) — Policies on information system security (includes change control) | Strong alignment. All three require formal change control. DORA explicitly mandates ICT change management with specific documentation requirements. CI/CD pipelines are the primary enforcement mechanism. |
| Incident Management | A.16 — Information security incident management | Articles 17–23 — ICT-related incident management (detailed classification, reporting timelines, notification to authorities) | Articles 23–24 — Incident reporting obligations (24-hour early warning, 72-hour notification) | Partial alignment. ISO 27001 provides the process framework. DORA and NIS2 add mandatory reporting timelines and authority notification that go beyond ISO 27001. DORA has the most prescriptive classification scheme. |
| Business Continuity | A.17 — Information security aspects of business continuity | Articles 11–12 — ICT business continuity management, response and recovery plans | Article 21(2)(c) — Business continuity and crisis management | Moderate alignment. All three require continuity planning. DORA adds specific ICT continuity testing requirements including scenario-based testing. NIS2 includes supply chain continuity considerations. |
| Supply Chain / Third-Party | A.15 — Supplier relationships | Articles 28–30 — ICT third-party risk management (detailed contractual requirements, concentration risk, critical third-party oversight) | Article 21(2)(d) — Supply chain security | Significant divergence. DORA has the most extensive requirements including an oversight framework for critical ICT third-party providers. NIS2 requires supply chain risk assessment. ISO 27001 A.15 provides the baseline but is less prescriptive. DORA requirements go substantially beyond ISO 27001. |
| Cryptography | A.10 — Cryptography | Article 9(4)(d) — Encryption and cryptographic controls | Article 21(2)(h) — Policies and procedures on cryptography and encryption | Strong alignment. All three require cryptographic controls and key management. NIS2 explicitly mentions encryption. Implement A.10 controls comprehensively to satisfy all three. |
| Vulnerability Management | A.12.6 — Technical vulnerability management | Article 9(3) — ICT systems shall be continuously monitored and controlled for vulnerabilities | Article 21(2)(e) — Vulnerability handling and disclosure | Moderate alignment. All require vulnerability management. NIS2 adds explicit vulnerability disclosure requirements. DORA requires continuous monitoring. ISO 27001 provides the process baseline. |
| Logging and Monitoring | A.12.4 — Logging and monitoring | Article 9(4)(b) — Monitoring and logging of ICT operations; Article 10 — Detection | Article 21(2)(b) — Incident handling (requires detection capability) | Moderate alignment. All require logging and monitoring. DORA has the most specific requirements for ICT operations monitoring and anomaly detection. ISO 27001 A.12.4 provides the baseline framework. |
| Security Testing | A.14.2.8 — System security testing | Articles 24–27 — Digital operational resilience testing (including advanced threat-led penetration testing — TLPT) | Article 21(2)(f) — Policies and procedures to assess effectiveness of cybersecurity risk management measures | Significant divergence. DORA has the most prescriptive testing requirements including mandatory TLPT for significant financial entities. NIS2 requires effectiveness assessment. ISO 27001 requires security testing but with less specificity. DORA testing requirements go substantially beyond ISO 27001. |
Where Frameworks Align — Implement Once, Evidence Once
The following control domains have sufficient alignment that a single, well-implemented control can satisfy all three frameworks simultaneously:
- Risk management methodology: A single risk management framework meeting ISO 27001 Clause 6.1 requirements, with ICT-specific risk categories, can serve as the foundation for DORA Article 6 and NIS2 Article 21(2)(a) compliance
- Access control: ISO 27001 A.9 controls implemented comprehensively (including service accounts, pipeline credentials, and MFA) satisfy DORA and NIS2 access control requirements
- Change management: Pipeline-enforced change control meeting A.14.2.2 and A.12.1.2 satisfies DORA Article 9(4)(e) and NIS2 change control expectations
- Cryptographic controls: A.10 implementation covering encryption at rest and in transit, key management, and certificate lifecycle management addresses all three frameworks
- Basic logging and monitoring: A.12.4 logging controls provide the foundation for all three frameworks, though DORA may require additional monitoring specificity
Where Frameworks Diverge — Additional Requirements
Certain domains require additional effort beyond ISO 27001 baseline controls to satisfy DORA and/or NIS2:
Incident Reporting (DORA + NIS2 specifics)
- DORA: Mandates a detailed incident classification scheme, initial notification to competent authorities within specified timeframes, intermediate reports, and final reports. Incidents must be classified by severity using specific criteria.
- NIS2: Requires early warning within 24 hours, incident notification within 72 hours, and a final report within one month. Applies to significant incidents affecting service provision.
- Gap from ISO 27001: ISO 27001 A.16 requires incident management but does not mandate authority notification timelines. Organisations must layer DORA/NIS2 reporting obligations on top of the ISO 27001 process.
Third-Party / Supply Chain Risk (DORA specifics)
- DORA: Requires a comprehensive register of ICT third-party providers, concentration risk assessment, mandatory contractual provisions (including audit rights, exit strategies, and sub-outsourcing controls), and ongoing monitoring. Critical ICT third-party providers are subject to a European oversight framework.
- NIS2: Requires supply chain security assessment considering the security practices of direct suppliers and service providers.
- Gap from ISO 27001: A.15 supplier management is less prescriptive than DORA. Organisations in financial services must significantly enhance their supplier management programme to meet DORA requirements — particularly for CI/CD platform providers and cloud-hosted pipeline services.
Resilience Testing (DORA specifics)
- DORA: Requires a comprehensive digital operational resilience testing programme, including scenario-based testing, vulnerability assessments, and — for significant entities — threat-led penetration testing (TLPT) conducted by qualified external testers following recognised frameworks.
- Gap from ISO 27001: A.14.2.8 requires security testing but does not mandate TLPT or the level of testing rigour specified by DORA. Financial services organisations must develop a substantially more comprehensive testing programme.
Vulnerability Disclosure (NIS2 specifics)
- NIS2: Introduces coordinated vulnerability disclosure requirements and mandates that organisations have policies for handling and disclosing vulnerabilities.
- Gap from ISO 27001: A.12.6 covers vulnerability management but does not address public disclosure. Organisations must develop vulnerability disclosure policies and processes.
Practical Approach: Build on ISO 27001, Layer DORA/NIS2
The most efficient path to multi-framework compliance follows a layered approach:
- Establish ISO 27001 as the baseline. ISO 27001 provides the most comprehensive management system framework. Its Annex A controls cover the broadest range of security domains. Start here.
- Map DORA-specific additions. Identify where DORA requires more than ISO 27001 delivers — primarily in incident reporting, third-party management, and resilience testing. Build these as extensions to existing ISO 27001 controls, not as separate programmes.
- Map NIS2-specific additions. Identify NIS2 requirements not already covered by ISO 27001 + DORA — primarily vulnerability disclosure and specific reporting timelines.
- Unify evidence collection. Design evidence collection processes that produce artifacts satisfying all three frameworks simultaneously. A single pipeline audit trail, properly structured, can serve ISO 27001, DORA, and NIS2 auditors.
Efficiency Recommendations for Multi-Framework Compliance
| Recommendation | Benefit | Implementation Priority |
|---|---|---|
| Use a single risk register with framework-specific tags | One risk assessment serves all three frameworks; auditors filter by applicable framework | High |
| Maintain a unified control matrix mapping controls to all applicable frameworks | Demonstrates coverage, identifies gaps, reduces duplicated assessment effort | High |
| Design incident management with the most stringent timeline (24-hour early warning) | Meeting the shortest timeline automatically satisfies longer timelines | High |
| Implement supplier management at DORA level of rigour | DORA has the most demanding requirements; meeting DORA automatically satisfies ISO 27001 and NIS2 | Medium |
| Structure pipeline audit trails with all three frameworks’ evidence needs in mind | Single evidence source serves multiple auditors; reduces evidence collection burden | High |
| Conduct resilience testing at DORA standard | DORA testing requirements exceed ISO 27001 and NIS2; meeting DORA satisfies all three | Medium |
| Align internal audit programme to cover all three frameworks in each cycle | Reduces audit fatigue; provides comprehensive assurance | Medium |
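The "unify evidence collection" step and the "unified control matrix" recommendation both come down to one data structure: each control carries tags for every framework it satisfies, and every view (coverage per framework, gaps, evidence per auditor) is derived from that single record rather than maintained separately. The following Python is an added illustration, not code from the article; the clause and article references are taken from the overlap table above, while the control ids, the evidence artifact names and the tagging scheme are assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Framework tags used throughout the matrix (an assumption of this example;
# the article does not prescribe a tagging scheme).
FRAMEWORKS = ("ISO27001", "DORA", "NIS2")


@dataclass
class Control:
    control_id: str            # internal identifier, constructed for this example
    domain: str                # control domain as named in the article's matrix
    refs: dict[str, str]       # framework tag -> clause / article it satisfies
    evidence: tuple[str, ...]  # evidence artifact ids (constructed names)


# Sample matrix. Clause/article references come from the article's overlap
# table; control ids and evidence names are constructed.
CONTROLS = [
    Control("CTL-ACCESS-01", "Access Control",
            {"ISO27001": "A.9", "DORA": "Art. 9(4)(c)", "NIS2": "Art. 21(2)(i)"},
            ("EV-IAM-REVIEW-Q4",)),
    Control("CTL-CHANGE-01", "Change Management",
            {"ISO27001": "A.12.1.2, A.14.2.2", "DORA": "Art. 9(4)(e)",
             "NIS2": "Art. 21(2)(a)"},
            ("EV-PIPELINE-AUDIT-TRAIL",)),
    # Deliberately incomplete: the ISO process exists, but the DORA/NIS2
    # reporting layer has not been mapped and no evidence is attached yet.
    Control("CTL-INCIDENT-01", "Incident Management",
            {"ISO27001": "A.16"},
            ()),
    Control("CTL-VULN-01", "Vulnerability Management",
            {"ISO27001": "A.12.6", "DORA": "Art. 9(3)"},
            ("EV-SCAN-REPORTS",)),
]


def coverage(controls: list[Control]) -> dict[str, list[str]]:
    """Framework tag -> ids of the controls that satisfy it (the 'implement once' view)."""
    view: dict[str, list[str]] = {fw: [] for fw in FRAMEWORKS}
    for c in controls:
        for fw in c.refs:
            if fw in view:
                view[fw].append(c.control_id)
    return view


def gaps(controls: list[Control]) -> list[tuple[str, str]]:
    """(domain, framework) pairs where a domain has no control citing that framework.

    This is the list the 'map DORA-specific / NIS2-specific additions' steps
    work from: each pair is an extension still owed on an existing control.
    """
    covered: dict[str, set[str]] = {}
    for c in controls:
        covered.setdefault(c.domain, set()).update(c.refs)
    return sorted((domain, fw)
                  for domain, fws in covered.items()
                  for fw in FRAMEWORKS if fw not in fws)


def evidence_for(framework: str, controls: list[Control]) -> dict[str, tuple[str, ...]]:
    """Evidence to show an auditor for one framework, keyed by control id.

    The same artifact appears in the view of every framework the control
    references, which is what 'evidence once' means in practice.
    """
    return {c.control_id: c.evidence for c in controls if framework in c.refs}


def unevidenced(controls: list[Control]) -> list[str]:
    """Controls with no evidence attached; they satisfy no auditor yet."""
    return [c.control_id for c in controls if not c.evidence]


if __name__ == "__main__":
    for fw, ids in coverage(CONTROLS).items():
        print(f"{fw}: {', '.join(ids)}")
    for domain, fw in gaps(CONTROLS):
        print(f"GAP          {domain}: no control mapped to {fw}")
    for cid in unevidenced(CONTROLS):
        print(f"NO EVIDENCE  {cid}")
```

Run as a script it prints the per-framework coverage, then the open gaps (here: Incident Management owes its DORA and NIS2 reporting layer, Vulnerability Management owes NIS2 disclosure) and the controls an auditor would find unevidenced. Keeping the framework references as tags on one control record, rather than as three separate spreadsheets, is what prevents the matrix from drifting out of sync between audit cycles.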
What Auditors Assess Differently Across Frameworks
While the control domains overlap significantly, auditors for each framework have distinct focus areas and assessment approaches:
- ISO 27001 certification auditors focus on the management system — the PDCA cycle, management commitment, continual improvement, and whether controls are operating as documented. They assess conformity to the standard.
- DORA supervisory assessments focus on operational resilience — can the organisation withstand, respond to, and recover from ICT disruptions? Assessors evaluate the maturity and effectiveness of resilience measures, with particular emphasis on testing results and third-party risk management.
- NIS2 compliance assessments focus on whether the organisation meets its duty of care for network and information security, with emphasis on incident reporting capability, supply chain security, and governance accountability (including management body personal liability under NIS2).
Understanding these different perspectives allows compliance officers to prepare targeted evidence and briefings for each type of assessment, even when the underlying controls are shared.
Further Reading
- ISO 27001 Compliance Hub
- DORA Compliance Hub
- NIS2 Compliance Hub
- Dual Compliance Architecture Explained
Related for Auditors
- Glossary — Plain-language definitions of technical terms
- NIS2 vs DORA Comparison
- DORA Article 21 Deep Dive
- NIS2 Security Architecture
New to CI/CD auditing? Start with our Auditor’s Guide.