
DORA + NIS-2 + ISO 27001: How a CISO Manages Three Mandates Without Burnout

SecTepe Editorial

A typical mid-market CISO in 2026 gets three letters in one month: NIS-2 applicability is confirmed, the holding company demands ISO 27001 certification, and a financial services customer asks about DORA conformity. None of the three mandates is optional, and the CISO remains one person.

Where the Three Frameworks Overlap – and Where They Don't

Good news: roughly 70 % of the requirements overlap. Bad news: the remaining 30 % are framework-specific and can't be ignored.

  • ISO 27001 (general, Annex A): 93 controls across all security areas, ISMS-centric.
  • NIS-2 (EU, Art. 21): 10 minimum measure areas, critical-infrastructure-oriented, with binding reporting obligations.
  • DORA (EU, Art. 5–14, for finance): ICT risk management, incident reporting, ICT third-party risk, operational resilience tests.

The Three Burnout Drivers – and Their Antagonists

Driver 1: Duplicate Work Per Framework

Classically, the CISO maintains three risk registers, three control lists and three audit preparations in parallel. Antagonist: a multi-framework module with cross-mapping. One control fulfills three framework requirements, and the evidence counts for all three. Maintenance effort drops by 60–70 %.

Driver 2: Different Reporting Formats

The board wants an ISO-compliant report, the regulator wants a NIS-2 early warning, and the finance customer wants a DORA self-assessment. Antagonist: configurable reports from one data source. Board tab, regulator tab, customer tab – one platform, three views.

Driver 3: Audit Waves

Three mandates = three annual audits, three surveillance dates, three re-certifications. Without a platform: three times 3 months of preparation. With audit prep done in 4 weeks: 12 instead of 36 weeks, a factor-3 reduction.

The Five Concrete Levers

  1. Cross-mapping as a mandatory spreadsheet: ISO A.5.34 ↔ NIS-2 Art. 21(2)(a) ↔ DORA Art. 9. One control fulfills all three.
  2. Supplier module with DORA obligations: DORA-specific requirements for ICT third parties (concentration analysis, exit strategy) extend the TPRM data model without a separate tool.
  3. Incident reporting from one source: one incident, multiple reporting templates (BSI for NIS-2, regulator for DORA, data protection for GDPR).
  4. Resilience tests documented: DORA Art. 24 demands TIBER-EU-like pen tests; ISO 27001 demands effectiveness reviews. Both in one test calendar with evidence.
  5. Management approvals once: NIS-2 Art. 20 and DORA Art. 5 both require explicit management approval – one eIDAS-signed approval counts for both.

What's Specific to DORA

For financial services or their suppliers:

  • ICT risk management framework: documented, approved by management, annually updated.
  • Incident classification with RTS: the regulatory technical standards specify when an incident is "significant", which is the reporting trigger.
  • ICT third-party register: centralized inventory with concentration risks, exit plans, control rights.
  • Threat-led penetration testing (TLPT): for significant financial firms, every 3 years.
  • Operational resilience tests: annual, documented, with lessons learned.

A platform that extends the supplier module with DORA fields and the test-calendar module with TLPT workflow covers these without a separate tool.

What the CISO Must Tell Management

  • "Without a platform with cross-mapping, we maintain three worlds in parallel – that doesn't scale with one person."
  • "Initial setup of an integrated platform costs less than the additional FTE capacity I'd otherwise need."
  • "Annual audit waves without a platform are 36 weeks of predictable bottleneck risk."
  • "Reports to the board, the regulator and the customer must come from one data source; otherwise they will eventually contradict each other."

Compliance Mapping

  • ISO 27001 Annex A: 93 controls, ISMS-overarching.
  • NIS-2 Art. 20–23: management duty, minimum measures, reporting.
  • DORA Art. 5–14: ICT risk, incidents, resilience tests.
  • DORA Art. 28–44: ICT third-party risk and oversight.

Conclusion

Three mandates run in parallel without platform support are a burnout program. With an integrated multi-framework GRC platform, 70 % of the obligations are done once and counted for all three frameworks, and the remaining 30 % are added framework-specifically. The CISO keeps bandwidth for strategic work – and management has the certainty that all three regulatory mandates are documented as fulfilled.