DORA vs NIS-2 vs ISO 27001: Where They Overlap & How to Combine Them

Europe now runs on multiple cyber and resilience regimes. That’s good for outcomes, but it’s challenging when audits, evidence requests, and terminology vary by framework. Many teams duplicate work, maintain parallel trackers, and answer the same control questions in different ways.

The good news: these frameworks share a lot of DNA.

This comparison clarifies all things NIS-2, DORA and ISO 27001—and shows how to operate one control set and one evidence library that serve all three. If you need a deeper dive on DORA execution, see our unified approach in the DORA Compliance Guide.

DORA (Digital Operational Resilience Act)

1. Financial entities regulated in the EU
2. ICT providers through contractual flow-down and, if designated, EU-level oversight of critical ICT third-party providers (CTPPs)

What it emphasizes

1. Operational resilience program and ICT risk management
2. Major incident reporting with prescribed clocks and fields
3. Third-party oversight and subcontractor transparency
4. Testing, including Threat-Led Penetration Testing (TLPT) where designated

Why duplication happens

1. DORA introduces sector-specific reports, registers, and testing expectations that often sit alongside your existing security and continuity artifacts
2. Teams end up maintaining DORA-specific copies of documents they already keep for ISO or general risk management unless they unify control language and evidence routing

Why it matters in this comparison
EU regulation with harmonized supervision across member states [European Commission]

NIS-2 Directive

Who it covers

Essential and important entities across sectors such as energy, transport, health, water, finance, digital infrastructure, public administration, and more.

What it emphasizes

1. Cyber governance and accountability
2. Risk management and incident notification to national competent authorities (NCAs)
3. Supply-chain security and cooperation with NCAs.
4. Incident notification timelines are defined at EU level and implemented nationally

Why duplication happens

1. NIS-2 obligations are implemented via national law, so you may face different notification specifics per country in addition to DORA requirements
2. Without a single register and shared control names, you can end up answering similar questions twice in different formats

Why it matters in this comparison

EU directive transposed into national law with broad cross-sector reach [ENISA]

ISO/IEC 27001 (2022 revision)

Who it covers

Any organization that wants a certifiable Information Security Management System

What it emphasizes

1. Risk-based security management across people, process, and technology
2. Control objectives via Annex A and continuous improvement

Why duplication happens

1. ISO/IEC 27001 is the foundation for many controls, but it doesn’t set legal reporting clocks or sector-specific oversight requirements
2. Without mapping, teams keep ISO evidence in one place and rebuild near-identical proof sets for DORA and NIS-2

Why it matters in this comparison
Global standard that anchors cross-framework mapping and certification [ISO]

These regimes and operational resilience standards push organizations toward the same outcomes. Use the overlap to reduce duplication and reuse evidence.

1. Governance and accountability: Boards and committees are active with named owners and decision rights
2. Risk assessment and treatment: Ongoing assessment with treatment plans, KRIs/KPIs, and time-bound actions
3. Incident response: Classification logic, escalation, communication, and post-incident reviews
4. Third-party management: Tiering, required clauses, assurance artifacts, and evidence calendars
5. Continuous monitoring: Control health tracking, exceptions, and retesting
6. Business continuity and testing: Plans, exercises, failover tests, and lessons-learned cycles
7. Documentation and traceability: Policies, procedures, registers, and logs with clear lineage to obligations

Use this table to compare obligations at a glance; cells show where a theme is explicitly required or strongly supported.

Shared objectives table

Small distinctions change how you plan, resource, and evidence controls.

Use this table to scan the structural differences that drive audit and reporting expectations.

What it means in audits

1. DORA: expect detailed checks on registers, incident logic, testing cadence, and supplier oversight evidence
2. NIS-2: expect requests to show national notification decisioning and proof of supply-chain security measures
3. ISO/IEC 27001: expect ISMS governance, risk treatment, the Statement of Applicability, and certification-grade records

Map once, reuse often. The goal is reuse. Map controls once, then expose them through multiple framework views.

Use this table to see how common control themes align across regimes.

Traceability matters because supervisors, NCAs, and certification bodies ask for different slices of the same program. Use obligation → control → artifact → report mapping so each audience sees exactly what they need without duplicate work.

Treated this way, a DORA framework comparison becomes a control-mapping exercise instead of a parallel paperwork effort.

A practical path to unify compliance and cut duplicate work.

Step 1: Map what you already have

1. Start with your ISO/IEC 27001 control set and Statement of Applicability
2. Map each control to DORA outcomes and NIS-2 obligations
3. Capture gaps that are legal-specific, such as DORA’s incident clocks and data fields

Step 2: Consolidate one control set

1. Collapse duplicates so each obligation points to a single control
2. Assign owners, cadences, and evidence locations to every control
3. Keep one register for services, systems, data, and suppliers

Step 3: Align language and artifacts

1. Normalize control names so your controls read the same across frameworks
2. Use consistent tagging from obligation to control to artifact
3. Snapshot evidence before and after major changes so you can show what was true at the time

Step 4: Schedule testing and retesting

1. Put continuity drills, security testing, and post-incident reviews on a calendar
2. If designated for TLPT under DORA, integrate threat-led testing into your annual plan
3. Track findings to closure and attach retest proof

Step 5: Calibrate incident workflows

1. Mirror DORA-aligned fields and timelines where applicable
2. Document NIS-2 notification logic and national contacts
3. Route the same incident record to multiple reporting views to avoid duplicate data entry

Step 6: Report once, serve many

1. Build a dashboard with switchable views by framework
2. Export tailored packs for supervisors, NCAs, certification bodies, and leadership
3. Keep a change log so recurring audits see progress without re-asking for basics

For a practical build of a unified reporting dashboard, see The 5 Pillars of DORA Explained

Run one control set, many frameworks with a system designed for governance and evidence.

Control library and continuous control monitoring

1. Central control library with owners, cadences, and status
2. Exception queues and retest tracking for continuous improvement

Automated evidence collection

1. Pull artifacts on a schedule and capture versioned snapshots
2. Tag evidence to obligations and control IDs for traceability

Incident and vendor workflows

1. Forms that can mirror DORA incident fields and clocks
2. Vendor register, tiering, flow-down clauses, subcontractor visibility, and audit rights in one place

Policy and document governance

1. Lifecycle management, owner, cadence, and last-updated stamps

Reporting and audit packs

1. Multi-framework dashboards and exportable evidence packs for supervisors, NCAs, certification bodies, and leadership.