Guide · NIS2 · DORA · ISO 27001

One ISMS, not three regulatory programmes

Use ISO 27001 as the backbone that satisfies NIS2 and DORA from a single set of evidence — and stop paying three times for the same control.

Walk into many organisations today and you will find three parallel universes: a NIS2 project run by IT, a DORA workstream owned by the resilience team, and an ISO 27001 effort that the quality department revived. Three plans, three sets of policies, three evidence binders — and three audits that ask substantially the same questions in slightly different words. It is exhausting, expensive, and entirely avoidable.

After building and running security functions inside government and the banking sector, I have learned one thing the hard way: regulation rewards organisations that treat security as a single, well-governed capability, and punishes those that treat each new obligation as a fresh fire drill. The good news is that NIS2, DORA and ISO 27001 are not three different problems. They are three views of the same problem — and ISO 27001 gives you the management system to hold them all.

Why the silos form

Silos rarely form by design; they form by deadline. A regulation lands, a date looms, someone is told to "get us compliant," and the fastest path appears to be a standalone project. Each project then builds its own risk assessment, its own policy pack and its own reporting line. The result is duplication, contradictory documents, and a control environment that nobody owns end to end. Auditors notice. So do attackers.

The principle: govern once, evidence once, report many times

The mature approach inverts the model. You build one Information Security Management System (ISMS) — the discipline ISO 27001 describes — and you treat NIS2 and DORA as additional sets of requirements mapped onto it. You analyse risk once. You write each policy once. You collect each piece of evidence once. Then you report against whichever framework is asking, drawing from the same source of truth.

Treating NIS2, DORA and ISO 27001 in silos is the most expensive mistake of the year. An integrated ISMS turns three programmes into one operating model.

Where the frameworks genuinely overlap

The overlap is larger than most teams assume. All three demand the same foundations:

An organisation that runs a real ISO 27001 ISMS has already built roughly 70–80% of what NIS2 and DORA ask for. The remaining work is targeting the specifics — not rebuilding the foundations.

Where they diverge — and you must add, not duplicate

Integration does not mean pretending the frameworks are identical. A few requirements are genuinely framework-specific, and you bolt these onto the ISMS rather than spin up a separate programme:

Practical tips: building one backbone

  1. Anchor on ISO 27001 as the management system. Make it the spine; map everything else to it. The PDCA rhythm (plan-do-check-act) is what keeps compliance alive between audits.
  2. Build one control set with a crosswalk. Maintain a single control library and tag each control with the obligations it satisfies (ISO Annex A, NIS2 Article 21 measures, DORA chapters). One control, many references.
  3. Keep one risk register, viewed through multiple lenses. Don't run separate registers; add framework tags and filters so the same risk can be reported to a board, a regulator or an auditor.
  4. Collect evidence once, reuse everywhere. Establish a single evidence repository organised by control. When an auditor or a customer's due-diligence questionnaire arrives, you retrieve — you don't recreate.
  5. Set your incident process to the strictest clock. Design notification workflows around the tightest deadline you face (NIS2's 24-hour early warning), and the looser ones take care of themselves.
  6. Maintain one third-party register. A single inventory of providers, criticality and contractual controls feeds both DORA's ICT third-party oversight and NIS2's supply-chain expectations.
  7. Align continuity and testing — then add what's unique. Run one continuity and exercise programme; schedule DORA's advanced resilience testing as a specific, planned addition where it applies to you.
  8. Give it one accountable owner and a board cadence. Regulation now expects named accountability and management oversight. One owner, one quarterly report to the board, covering all frameworks.
  9. Calendar your audits together. Align internal audits, certification surveillance and regulatory reporting into a single annual rhythm so teams prepare once.
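The single control library with a crosswalk, shared evidence and per-framework reporting described in tips 2 to 4, as an added example (not code from the article or from circl3.tech). Control ids, evidence file names and the clause references are constructed for illustration, not an authoritative mapping.

```python
"""Added example: one control library, tagged per framework, evidence attached once,
reports and gap lists generated per framework from the same source of truth."""
from dataclasses import dataclass, field


@dataclass
class Control:
    cid: str                                       # internal id, the single source of truth
    title: str
    refs: dict = field(default_factory=dict)       # framework -> list of clause references
    evidence: list = field(default_factory=list)   # evidence items, collected once


# Constructed control library; clause references are illustrative placeholders.
LIBRARY = [
    Control("AC-01", "Access control policy and periodic access reviews",
            {"ISO27001": ["A.5.15"], "NIS2": ["Art.21(2)(i)"], "DORA": ["Ch.II"]},
            ["access-policy-v3.pdf", "2024-Q2-access-review.xlsx"]),
    Control("IR-01", "Incident handling and regulatory notification",
            {"ISO27001": ["A.5.24"], "NIS2": ["Art.21(2)(b)"], "DORA": ["Ch.III"]},
            ["ir-runbook.md"]),
    Control("TLPT-01", "Threat-led penetration testing programme",
            {"DORA": ["Ch.IV"]},                   # framework-specific bolt-on, no reuse
            []),
]


def report(framework, library=LIBRARY):
    """Report against one framework: sorted (clause ref, control id, evidence count) rows."""
    rows = []
    for c in library:
        for ref in c.refs.get(framework, []):
            rows.append((ref, c.cid, len(c.evidence)))
    return sorted(rows)


def gaps(framework, library=LIBRARY):
    """Controls mapped to a framework that still have no evidence attached."""
    return [c.cid for c in library if framework in c.refs and not c.evidence]


def reuse_ratio(library=LIBRARY):
    """Share of controls that satisfy more than one framework (the 'evidence once' payoff)."""
    shared = sum(1 for c in library if len(c.refs) > 1)
    return shared / len(library)
```

Running `gaps("DORA")` surfaces the one DORA-only control without evidence, while `report("NIS2")` draws its rows from the same library without any second evidence binder.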

What "good" looks like

In a mature organisation, you can ask a single question — "show me how we manage access control" — and receive one policy, one set of evidence, and a clear line to the ISO control, the NIS2 measure and the DORA requirement it satisfies. Risk is discussed in one forum. The board sees one dashboard. When a new regulation arrives — and the Cyber Resilience Act is already on its way — it is absorbed as an extension of the system, not as another emergency.

The pitfalls to avoid

Three mistakes sink integration efforts. First, treating compliance as a document-production exercise rather than an operating discipline — auditors and attackers both find the gap between paper and practice. Second, letting each framework keep its own owner, which quietly rebuilds the silos. Third, chasing certificates while neglecting the basics: identity, patching, backups and logging. No amount of mapping compensates for weak fundamentals.

Regulation did not make cybersecurity harder. It made it real — structured, documented, measured and continuously improved. Organisations that build a single backbone don't just spend less on audits; they demonstrate genuine control of their risk, and that is what earns the trust of regulators, partners and customers alike.

Facing NIS2, DORA and ISO 27001 at once?

We help organisations build a single compliance backbone — assess risk once, evidence once, satisfy every framework.


This article is general information from circl3.tech, not legal advice. Specific obligations under NIS2, DORA and ISO/IEC 27001 depend on your sector, size and national transposition — we recommend a scoped assessment for your organisation.