DORA Article 28 sets the ICT third-party risk obligations — register of information, termination grounds, exit strategies — but the contract clause checklist lives in Article 30. We map each subsection to ISO 27001 and SCF controls and to the evidence a supervisor will request, with every article verified through the gateway.
A practitioner mapping of every NIS2 Article 21(2) measure category to ISO 27001:2022 Annex A controls, grounded provision-by-provision. Plus the three places ISO leaves a real gap: the 24h/72h reporting clock, management liability, and supply chain depth — and why an ISO certificate is not NIS2 compliance.
Generic chat and RAG hallucinate regulatory citations and leave no audit trail. An MCP gateway adds routing, multi-source fan-out, tier auth, and deterministic citation validation on top of point MCP servers. Here's what each layer does and when you actually need it.