
NIS2 requires organisations to implement specific technical and organisational measures (Article 21). What many compliance officers underestimate is how much of that requirement set overlaps with ISO 27001, DORA and other frameworks the organisation is already working with.
Those who fail to capitalise on this overlap do the work twice. And that extra work piles up: in documentation, in audits and in time.
Take multi-factor authentication (MFA) for access management. A single measure that addresses:
→ NIS2 Article 21(2)(j) – multi-factor or continuous authentication
→ ISO 27001 A.9.4 – system and application access control (2013 numbering; the 2022 edition covers this under A.5.15 and A.8.5)
→ DORA Article 9 – protection and prevention, including strong authentication mechanisms
Yet we regularly see organisations designing, documenting and auditing this one measure separately for each standard.
That is three times the work and three times the chance that the three descriptions drift apart, which is precisely what a regulator or auditor notices during an assessment.
Control mapping provides that structure.
Record each measure once, centrally, and link it explicitly to the articles and controls it satisfies in every applicable standard. That creates a single reliable basis, and it also shows the reverse: requirements that no measure covers yet.
A single change to the measure propagates to every linked standard. A single overview serves both the boardroom and the auditor.
The principle is not new. But the urgency is.
With NIS2 now in force, the expectations of regulators are more concrete than ever.
Organisations that still keep a separate set of documents per standard run a real risk of gaps that they themselves can no longer keep track of.
The question is not whether you should start control mapping. The question is whether you have organised it in a sufficiently structured way to be able to demonstrate it.
Does this issue sound familiar? We’d be happy to discuss it with you. 👇