Compliance Without Chaos: How an Integrated Approach Simplifies NIS2, DORA and ISO 27001 Compliance

At an event held at the Spitalfields Conservatory in London in November 2024, Robert Clements, Founder and CEO of Assent Risk Management, was joined by Paul Stevens from AvISO and Kevin Shiners from A-LIGN to explore the value of an integrated approach to NIS2, DORA, ISO 27001 and ISO 42001. This article focuses on how NIS2 and DORA align with ISO 27001, and how that alignment can be used to strengthen cybersecurity and streamline compliance.

What Is a Compliance Strategy and Why It Matters in Today's Multi-Framework Environment

A compliance strategy is a systematic approach to adhering to laws, regulations and internal policies. One of the main challenges facing the industry is that there is no longer just one framework to work with. In a benchmark survey conducted by A-LIGN, only 9% of companies reported using a single framework, meaning that 91% of companies are working with several. This is becoming increasingly difficult to sustain: the demand for skilled people and for efficiency keeps growing, and there are not enough practitioners in the market to meet it.

Something that matters greatly to A-LIGN is doing what works and making people more efficient in what they do and how they do it, whether the client is as large as SpaceX or PayPal, a one- or two-person company, or anything in between. That means helping them prepare not only for the list of things that need to be done now, but also for what will need to be done in 6 to 12 months.

The same trend is visible at AvISO. In the beginning, it saw clients with one ISO standard, perhaps two; it now has several clients holding up to five or six. When an organisation is also managing schemes such as TISAX, SOC 2, EcoVadis and B Corp, treating each as a separate framework with its own separate body of work quickly becomes too much. It is critical to find efficient, smart ways of addressing these requirements by integrating the systems so that they work together within the business.

Key Challenges of Managing Multiple Compliance Frameworks

A recurring challenge is that organisations must do several different things, many of them on repeat, even though the same underlying components are being reused each time. If you look at controls and certifications separately, you produce additional evidence for each one and go through the same audit process with the same conversations, effectively doing the same thing over and over again. Ideally, you should take a controls-based view: identify the components that make up your complete set of audits or frameworks, and reuse them rather than redo them.

Reduce, reuse, recycle. We have all heard the phrase, and it applies here. If you consolidate and reuse the same evidence and controls, compliance becomes one master project built from reusable components rather than five separate projects. An organisation has a finite set of controls, tools and evidence with which to demonstrate compliance, whether the subject is information security, environment or quality.

Evolving Compliance Landscape: How NIS2, DORA and ISO Standards Are Converging

Standards and certification schemes are adapting to new frameworks and legislation, and because of this many partners such as A-LIGN are moving to a controls-based approach. It is no longer just standards that must be met; frameworks, legislation and regulations are arriving alongside them.

ISO 27001 has been around for a long time and is a very familiar management system, but there are others covering not just information security but also quality, environment, safety and AI.

Assent has built its compliance system and certified it as a management system, and other requirements such as DORA, NIS2 and the CRA can be approached in the same way. If you bring each requirement into the management system, examine its controls and requirements, and categorise those controls, common themes will appear. The more of that overlap you exploit, the more efficient the programme becomes.

Unlike ISO 27001, NIS2 and DORA are not certifiable standards. Both carry senior management exposure: the organisation must define who the responsible senior manager is, and that person is personally liable if something goes wrong. This has a practical consequence during audits: a client can claim to be NIS2 compliant, but there is no certificate with which to prove it.

NIS2 sets out ten major categories of cybersecurity risk-management measures, each of which maps onto ISO 27001 controls, so many organisations are asking their supply chain for ISO 27001 certification as a proxy for NIS2 readiness. In simple terms, it is the same set of controls being used today but for a different purpose. There are additional elements, particularly around incident reporting and management accountability, that ISO 27001 certification alone does not demonstrate, but in general the underlying work is the same.

The Benefits of an Integrated Compliance Approach Across NIS2, DORA and ISO 27001

Every client base is different, and what each client cares about is different. The key point is that the overlap across all these frameworks and standards is huge. If you bring SOC 2 into the picture as well, there is roughly a 70% overlap with ISO 27001. You do not create separate HR policies and procedures for every framework you hold; it is the same set, reused.

If you are already using ISO 27001, you are further along in your journey than you may think. The task becomes one of integrating the additional components effectively into a single management system, rather than managing each requirement individually, which quickly becomes unsustainable and overwhelming.

Across standards there are many overlaps in the work being done, the evidence being built and the controls being implemented. The overlap between environmental management, business continuity and information security, for example, is substantial.

One of the most important takeaways is that an integrated approach to the frameworks discussed can help organisations streamline how they meet critical security and regulatory requirements. Beyond that, the expert advice and insight shared at the event showed how aligning these frameworks can enhance organisational success and open up new business opportunities.

Robert Clements