Why It's Not Possible to Map DORA vs ISO 27001 vs NIST CSF

Look at DORA vs ISO 27001 vs NIST CSF at a glance, and it might seem like there’s some overlap between what are, at a surface level, similar ICT risk management requirements.

You can even find DORA gap analysis assessment articles and workbooks online: resources that promise to help you align relevant controls from the ISO 27001 or NIST CSF frameworks with the requirements within the five core pillars of DORA.

So, can these kinds of mapping exercises help you confirm your organisation’s compliance with DORA? 

In our opinion, the answer is: No, mapping ISO 27001 (or NIST CSF) to DORA does not ensure compliance. Here’s why. 


DORA Is An EU Regulation Targeted At FSI Firms

The Digital Operational Resilience Act (DORA) is an EU law that regulates the ICT risk management processes of FSI firms operating within the EU market. 

It was created by EU financial industry supervisory authorities and came into force on the 17th of January, 2025.

DORA applies to 20 different kinds of FSI businesses that trade in the EU. This includes FSI firms like banks, insurance companies, and brokers based outside the EU (like in the UK) that operate with EU customers. It can also apply to some non-FSI companies considered critical ICT third-party service providers to the FSI firms. 

The overall focus of the DORA regulation is to harmonise and upgrade cyber resilience legislation and practice within the EU’s financial industry.

DORA creates a prescriptive set of rules for how FSI firms must manage ICT risks, report incidents, test their digital resilience, and manage third-party service arrangements. 

Tens of thousands of firms need to comply with DORA standards. It is a non-optional regulation, and non-compliance can result in serious fines of up to 1% of global turnover.

We know that compliance with DORA is a very individual challenge for the firms it covers.

Some companies, especially larger multinational banks, are likely able to easily map DORA compliance onto their preexisting cybersecurity resilience actions. However, for many covered entities, DORA requires significant security upgrades across the board, including faster response times, more frequent security testing, and a new approach to third-party risk governance.

There are also a host of new DORA requirements, like threat-led penetration testing and the need to report the root cause of incidents within a short time frame (i.e., 24 to 72 hours), which present a new challenge for almost every organisation.

Distinctive features of DORA:


ISO 27001 Is a Broad Framework…

ISO/IEC 27001 is an internationally used set of policies, products, and controls for protecting sensitive information, created by the International Organization for Standardization (a Switzerland-based NGO). 

Unlike DORA, ISO 27001 is flexible and not specific to any industry or region. 

ISO 27001 is a way for a company to prove (to any interested third parties) that they take information security seriously. 

To get certified as an ISO 27001 compliant company, an organisation must manage and assess information security risks and control access to information in accordance with the ISO 27001 standard. 

The core requirement for compliance is that a company creates and maintains an information security management system (ISMS).

It’s important to note that while ISO 27001 is a standard that many companies look for when considering their partners or suppliers, it is not a regulation. 

Distinctive features of ISO 27001 compared to DORA:

Why You Can’t (Necessarily) Map DORA vs ISO 27001 

Relying on mapping your existing ISO 27001 controls to DORA is not, in our opinion, a good idea. 

The reason why is that DORA requirements are subjective and depend on interpretation, whereas ISO 27001’s (and NIST CSF’s) requirements are more specific and unlikely to cover the full scope of action required by DORA. 

For example, ISO 27001:2022 Annex A 8.8 Management of Technical Vulnerabilities states that:

“Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved.”

This may seem similar to the DORA Article 25 requirement for Testing of ICT tools and systems. 

However, the DORA requirement is broader and requires a more in-depth execution. Under DORA Article 25, the testing requirement is the “execution of appropriate tests.” 

The law then lists a whole range of testing methods, including:

“Vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.”

This long list means that although, in some cases, the level of vulnerability management and testing done to comply with ISO 27001 may be sufficient, it is unlikely to map over by default. 

More likely, further testing will be required to become DORA compliant, since an organisation's individual technical and environmental circumstances will decide the level of testing needed.

[Chart 1: Why It's Not Possible to Map DORA vs ISO 27001 vs NIST CSF]


NIST CSF Is Also a Broad Framework 

The NIST Cybersecurity Framework (NIST CSF) is a set of standards developed by the National Institute of Standards and Technology (a U.S. federal agency).

The NIST CSF is not a regulatory requirement. 

It is a list of 108 security controls covering a range of network and data security practices that can be mapped to ISO 27001.

The core of the framework is built around five functions—Identify, Protect, Detect, Respond, and Recover—that provide a structured methodology for enhancing an organisation’s cybersecurity resilience. 

Distinctive features of NIST CSF compared to DORA:

And You Can’t (Necessarily) Map NIST CSF to DORA, Either  

The same reason why ISO 27001 cannot be mapped onto DORA also holds true for NIST CSF vs DORA. 

Take the following NIST CSF governance controls as an example:

These could mean the same thing as DORA Article 5.2:

“The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).”

However, the controls do not necessarily map over. 

An organisation might be able to confidently say its management team understands cybersecurity as per NIST CSF but lacks the formal processes needed to demonstrate DORA compliance. 

The difference is highly nuanced and depends on the organisation’s operational reality.

[Chart 2: Why It's Not Possible to Map DORA vs ISO 27001 vs NIST CSF]


Bottom Line: Use ISO 27001 and NIST CSF for Guidance, But Don’t Rely On These Frameworks for DORA Compliance 

Depending on your organisation, ISO 27001 and/or NIST CSF could help you address some DORA requirements. However, even in the best of circumstances, neither framework will be able to address the whole set of DORA requirements. 

Our advice? If you have one of these frameworks implemented already, use it as a starting point. But a gap analysis is still, in our opinion, necessary to ensure you are fully aligned with DORA. 


Boost Your DORA Compliance Program with SECFORCE

DORA is a significant challenge for most organisations. 

Work with a DORA compliance consultant to get an industry-wide perspective on identifying and bridging your DORA compliance gaps. 

Contact SECFORCE today. 
