Guides · 30 March 2026 · 14 min read

One Control Set, Three Regulations: How to Satisfy NIS2, DORA, and GDPR Without Tripling Your Work

By ArvexLab Team — Compliance Research

The Triple-Regulation Challenge

If your organization is a financial institution operating in the EU, you are likely subject to three overlapping cybersecurity and data protection regimes: the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the General Data Protection Regulation (GDPR).

Each regulation has its own scope, terminology, reporting requirements, and supervisory authority. Without a unified approach, organizations end up building three parallel compliance programmes — tripling the documentation, tripling the audit burden, and tripling the risk of inconsistency.

The reality is that these three regulations share significant common ground. A well-designed unified control framework can satisfy 70-80% of all three sets of requirements with a single set of controls and evidence. This guide shows you how.

Where the Three Regulations Overlap

The Control Overlap Matrix

The following table maps key security domains to their requirements across all three regulations. Where a cell contains a reference, that regulation has an explicit requirement in that domain.

| Security Domain | NIS2 | DORA | GDPR |
|---|---|---|---|
| Risk assessment | Art. 21(2)(a) | Art. 6-16 (ICT risk framework) | Art. 32(1) (security of processing) |
| Incident handling | Art. 21(2)(b), Art. 23 | Art. 17-23 (incident management) | Art. 33-34 (breach notification) |
| Business continuity | Art. 21(2)(c) | Art. 11-12 (BCM and DR) | Art. 32(1)(c) (resilience) |
| Supply chain security | Art. 21(2)(d) | Art. 28-30 (ICT third-party risk) | Art. 28 (processors) |
| Network security | Art. 21(2)(e) | Art. 9 (protection and prevention) | Art. 32(1)(a) (encryption) |
| Security testing | Art. 21(2)(f) | Art. 24-27 (TLPT) | Art. 32(1)(d) (regular testing) |
| Training and awareness | Art. 21(2)(g) | Art. 13(6) (training) | Art. 39 (DPO awareness) |
| Cryptography | Art. 21(2)(h) | Art. 9(4)(b) (encryption) | Art. 32(1)(a) (pseudonymisation, encryption) |
| Access control | Art. 21(2)(i) | Art. 9(4)(c) (access management) | Art. 32(1)(b) (confidentiality) |
| MFA and secure comms | Art. 21(2)(j) | Art. 9(4) (security tools) | Implied by Art. 32 |

Key Insight

ISO 27001 Annex A provides the best unifying framework. An organization with a mature ISO 27001 implementation covers the vast majority of controls required by all three regulations. The gaps are in the regulation-specific requirements: reporting timelines, supervisory interactions, and sector-specific provisions.

The Triple-Reporting Problem

The most operationally complex overlap is incident reporting. Each regulation has different timelines, different authorities, and different thresholds.

Incident Reporting Timeline Comparison

| Regulation | Initial Notification | Detailed Report | Final Report | Authority |
|---|---|---|---|---|
| NIS2 | 24 hours (early warning) | 72 hours | 1 month | National CSIRT |
| DORA | 4 hours (major incident) | 72 hours | 1 month | NCA (e.g., BaFin, CSSF) |
| GDPR | 72 hours (personal data breach) | Included in initial | Follow-up as needed | Data Protection Authority |

Building One Incident Response Process

Instead of maintaining three separate incident response procedures, build a unified incident response workflow with parallel notification tracks:

  1. Detection and classification (Hour 0) — When an incident is detected, classify it against all three frameworks simultaneously. Is it a cybersecurity incident (NIS2)? Does it impact ICT operational resilience (DORA)? Does it involve personal data (GDPR)?
  2. DORA 4-hour notification — If the incident qualifies as a major ICT-related incident under DORA, submit the initial notification to your financial NCA within 4 hours. This is the tightest deadline.
  3. NIS2 24-hour early warning — Submit the early warning to your national CSIRT within 24 hours. Since you already classified the incident at Hour 0, this should be straightforward.
  4. GDPR 72-hour breach notification — If personal data is involved, notify your Data Protection Authority within 72 hours. Also assess whether affected data subjects must be notified.
  5. 72-hour detailed reports — Both NIS2 and DORA require detailed reports at the 72-hour mark. Prepare a single comprehensive incident report and adapt it for each authority's format.
  6. 1-month final report — Submit the final report covering root cause analysis, mitigation measures, and cross-border impact to all relevant authorities.

Pro tip: Use a single incident record in your compliance platform and generate authority-specific reports from it. This ensures consistency and avoids the risk of contradictory information reaching different regulators.
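The parallel-track workflow and the single-incident-record tip above, as an added example (not code from the original guide or from any compliance platform): one classified record drives the deadline schedule for every triggered track, groups the obligations that fall due together so one report can be adapted per authority, and flags anything overdue. The record structure and field names are this example's own, and "1 month" is modelled as 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IncidentRecord:
    """The single incident record, classified against all three frameworks at Hour 0.
    Hypothetical structure; the field names are this example's own."""
    incident_id: str
    detected_at: datetime
    nis2_significant: bool      # cybersecurity incident in NIS2 scope
    dora_major: bool            # major ICT-related incident under DORA
    gdpr_personal_data: bool    # personal data breach under GDPR


# Assumption: the "1 month" final-report deadline is modelled as 30 days.
FINAL_REPORT = timedelta(days=30)


def notification_schedule(inc):
    """Derive every obligation the classification triggers as
    (deadline, authority, obligation) triples, tightest deadline first."""
    t0, tracks = inc.detected_at, []
    if inc.dora_major:
        tracks += [(t0 + timedelta(hours=4), "Financial NCA", "DORA initial notification"),
                   (t0 + timedelta(hours=72), "Financial NCA", "DORA detailed report"),
                   (t0 + FINAL_REPORT, "Financial NCA", "DORA final report")]
    if inc.nis2_significant:
        tracks += [(t0 + timedelta(hours=24), "National CSIRT", "NIS2 early warning"),
                   (t0 + timedelta(hours=72), "National CSIRT", "NIS2 detailed report"),
                   (t0 + FINAL_REPORT, "National CSIRT", "NIS2 final report")]
    if inc.gdpr_personal_data:
        tracks.append((t0 + timedelta(hours=72), "Data Protection Authority",
                       "GDPR breach notification"))
    return sorted(tracks)


def shared_deadlines(schedule):
    """Group obligations due at the same moment: draft one report, adapt it per authority."""
    groups = {}
    for deadline, authority, obligation in schedule:
        groups.setdefault(deadline, []).append((authority, obligation))
    return groups


def overdue(schedule, now):
    """Obligations whose deadline has already passed at `now`."""
    return [(a, o) for d, a, o in schedule if d < now]


# Constructed sample: a financial entity detects an incident that falls under all three regimes.
SAMPLE_INCIDENT = IncidentRecord("INC-EXAMPLE-001", datetime(2026, 3, 30, 9, 0, tzinfo=timezone.utc),
                                 nis2_significant=True, dora_major=True, gdpr_personal_data=True)

if __name__ == "__main__":
    for deadline, authority, obligation in notification_schedule(SAMPLE_INCIDENT):
        print(f"{deadline:%Y-%m-%d %H:%M} UTC  {authority:26} {obligation}")
```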

Supply Chain: Three Requirements, One Programme

Each regulation addresses third-party risk, but with different emphasis:

NIS2 Article 21(2)(d) — Supply Chain Security

  • Requires risk assessment of direct suppliers and service providers
  • Focuses on the overall security of the supply chain
  • Mandates contractual security clauses
  • Emphasis on vulnerability handling and secure development practices

DORA Articles 28-30 — ICT Third-Party Risk

  • Detailed Register of Information for all ICT provider contracts
  • Criticality assessment of ICT services
  • Sub-outsourcing chain documentation
  • Exit strategies for critical providers
  • ESA oversight of critical ICT third-party service providers

GDPR Article 28 — Processors

  • Data processing agreements (DPAs) with all processors
  • Documented instructions for processing
  • Sub-processor management and notification rights
  • International transfer safeguards (Chapter V)

The Unified Approach

Build a single vendor management programme that satisfies all three:

  1. Vendor inventory — Maintain one centralized inventory that classifies each vendor by: NIS2 criticality, DORA ICT service classification, and GDPR processor status
  2. Contract clauses — Include NIS2 security clauses, DORA contractual provisions (Art. 30), and GDPR DPA terms in a single contract addendum
  3. Risk assessment — Run one due diligence process that covers security posture (NIS2/DORA) and data protection practices (GDPR)
  4. Ongoing monitoring — Track vendor security and data protection performance through unified questionnaires and continuous monitoring

Risk Management: One Register, Three Views

Rather than maintaining separate risk registers for cybersecurity risk (NIS2), ICT operational risk (DORA), and data protection risk (GDPR), build a unified risk register with framework-specific views.

Risk Register Structure

Each risk entry should include:

  • Risk description — What could go wrong?
  • NIS2 relevance — Which Art. 21 measure does this relate to?
  • DORA relevance — Which ICT risk management pillar does this affect?
  • GDPR relevance — Does this risk involve personal data or data subject rights?
  • Controls — What controls mitigate this risk? (Map each control to all applicable framework requirements)
  • Residual risk — Risk level after controls are applied

This approach gives you a single source of truth while enabling framework-specific reporting and audit evidence.

Belgium's CyFun as a Benchmark

Belgium's Centre for Cybersecurity Belgium (CCB) developed the CyberFundamentals (CyFun) framework as its NIS2 implementation tool. CyFun is particularly instructive because it was explicitly designed to overlap with existing standards:

  • ~95% overlap with NIS2 Article 21 requirements
  • Based on the NIST Cybersecurity Framework and ISO 27001
  • Includes the maturity levels Small, Basic, Important, and Essential
  • The "Essential" level satisfies NIS2 requirements for essential entities

CyFun demonstrates that a well-designed unified framework can serve as a compliance accelerator. If your organization operates in Belgium, achieving CyFun certification at the appropriate level effectively satisfies NIS2 while also covering the majority of GDPR Art. 32 and DORA Chapter II requirements.

The 4-Step Implementation Plan

Step 1: Determine Your Primary Regulation

Identify which regulation imposes the strictest requirements for your organization:

  • Financial entities: DORA is your primary framework (lex specialis over NIS2)
  • Healthcare, energy, transport: NIS2 is primary, with GDPR for personal data
  • Technology companies: GDPR may be primary if you process significant personal data, NIS2 if you provide digital infrastructure

Your primary regulation sets the baseline. The others layer additional requirements on top.

Step 2: Map the Overlaps

Using the control overlap matrix above, identify which controls satisfy multiple regulations. For most organizations, this yields:

  • 60-70% of controls satisfy all three regulations
  • 15-20% of controls satisfy two regulations
  • 10-15% of controls are unique to one regulation

Focus your gap analysis on the unique requirements, not the overlaps.

Step 3: Address the Gaps

The most common gaps when moving from a unified baseline:

  • NIS2-specific: Management body training and personal accountability (Art. 20), specific incident reporting timelines to CSIRTs
  • DORA-specific: Register of Information (Art. 28), threat-led penetration testing (Art. 26-27), digital operational resilience strategy
  • GDPR-specific: Data subject rights processes (Art. 15-22), Data Protection Impact Assessments (Art. 35), international transfer mechanisms

Step 4: Unified Evidence Collection

Maintain a single evidence repository with cross-framework tagging. Each piece of evidence should be tagged with every framework requirement it satisfies. During audits, generate framework-specific evidence packs by filtering your repository.

This is where a compliance platform with cross-framework mapping capabilities becomes essential — it eliminates the manual work of maintaining multiple evidence sets.

Practical Tips for Implementation

Start with ISO 27001

If you do not yet have a formal ISMS, implementing ISO 27001 is the most efficient path to multi-framework compliance. It covers the vast majority of NIS2 and DORA requirements and provides a strong foundation for GDPR Art. 32.

Consolidate Your Reporting

Where possible, align your internal reporting cadence across frameworks. A quarterly compliance review that covers NIS2, DORA, and GDPR is far more efficient than three separate reviews.

Train Once, Document Thrice

Management body training can cover all three frameworks in a single session. Document attendance and topics covered, then reference the same training record for NIS2 Art. 20, DORA Art. 5(4), and GDPR accountability obligations.

Use Cross-Framework Mappings

Maintain an explicit mapping document that shows which controls satisfy which requirements across all frameworks. This becomes your Rosetta Stone during audits and significantly reduces the time auditors spend verifying compliance.

FAQ

Q: If I comply with DORA, do I still need to worry about NIS2 and GDPR?

Yes. DORA satisfies most NIS2 requirements for the areas it covers (lex specialis principle), but NIS2 has broader requirements around management accountability and non-ICT supply chain security. GDPR is an entirely separate regime focused on personal data protection — DORA compliance does not address GDPR requirements like data subject rights, DPIAs, or international transfer safeguards.

Q: Can I use a single audit to satisfy all three frameworks?

Not directly, as each framework has its own supervisory authority and audit expectations. However, you can use a single internal audit programme that covers all three, generating framework-specific reports. Some audit firms offer combined engagements that assess all three frameworks in a single visit.

Q: How should I handle conflicting requirements between the frameworks?

In practice, there are very few true conflicts. The most common tension is in incident reporting timelines — resolve this by defaulting to the strictest deadline (DORA's 4 hours for financial entities) and building additional notifications for the other authorities into your workflow.

Q: Is there a single certification that covers NIS2, DORA, and GDPR?

No single certification covers all three. ISO 27001 provides the strongest common foundation. You can supplement it with Belgium's CyFun certification (for NIS2), SOC 2 Type II (for DORA ICT controls), and a GDPR readiness assessment. The combination provides comprehensive coverage.
