Compliance Gap Analysis
Where you stand against NIS2, DORA, ISO 27001, GDPR, and the EU AI Act — as a cited report, scoped at article and control level.
We assess your current posture against the frameworks that apply to you — NIS2, DORA, ISO 27001, GDPR, the EU AI Act, and the sector regulators above them — and deliver a structured, cited gap report with GRC-ready exports. Every finding traces to the provision and to your own evidence.
- Scoped to your frameworks: ISO 27001, NIS2, DORA, GDPR, the EU AI Act, and sector regulators
- Cited findings, each tracing to the provision and your own evidence
- Delivered as PDF, CSV, and GRC-tool import format
- Senior-reviewed before it ships
What's covered: NIS2, DORA, ISO 27001, GDPR, the EU AI Act
A gap analysis is only worth as much as the requirement set it measures you against. We assess against the frameworks that actually apply to your organisation, at the level the requirement is written — article for the EU regimes, control for the standards.
On the binding EU side that means NIS2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554). NIS2 turns on its risk-management article: Article 21 sets an all-hazards baseline covering incident handling, business continuity, supply-chain security, cryptography, access control, and basic cyber hygiene, while Article 20 puts the management body on the hook for approving and overseeing those measures, and Articles 32 and 33 set out how authorities supervise and enforce for essential and important entities respectively. DORA runs in parallel for financial entities — Article 5 puts ICT risk on the management body, Article 6 requires a documented ICT-risk-management framework, Article 24 sets the testing programme, and Article 28 covers third-party risk and the register of information on ICT providers.
On the standards side we assess against ISO 27001:2022 — the management-system clauses and the Annex A controls. We also cover GDPR where personal data is in scope and the EU AI Act (Regulation (EU) 2024/1689) where you build or deploy AI systems. The frameworks overlap: an entity that implements NIS2 Article 21 correctly already satisfies much of ISO 27001 Annex A on access control, supplier relationships, incident management, and continuity. We map that overlap so you are not assessed three times for the same control.
Above the horizontal frameworks sit the sector regulators. Where your sector has its own cyber or resilience rules, we route the relevant requirements in rather than treating the horizontal regimes as the whole picture.
Article-level citations are the differentiator
A generic gap analysis tells you that you are weak on incident response. A cited gap analysis tells you that your incident-handling gap is against NIS2 Article 21, points at the exact requirement, and pairs it with the clause in your own policy that falls short. That is the difference between a finding you can act on and a finding you have to research before you can act on it.
Every requirement we assess is retrieved from the source legislation or standard through the Ansvar gateway, which returns the provision at article or control level. Findings carry that citation through to the report. Where the gateway returns only weak or unscoped sources for a requirement — as can happen for parts of a standard not indexed at clause level — we mark the regulatory basis unresolved rather than cite a training-data guess. There are no uncited findings, and no invented article numbers.
What you receive
A cited gap report. For every applicable requirement: the provision, the status, the evidence from your own policies and records that supports the status, and the gap where there is one. A policy clause shows a control is designed; a record (an incident log, an access review, a continuity test) shows it operating, and the status reflects which of the two the evidence actually proves. Findings are marked critical, material, or minor so remediation can be sequenced by exposure rather than by the order the frameworks happen to list them.
An evidence mapping that pairs each requirement to the clause in your existing policies, procedures, or records that answers it — and flags the requirements nothing in your evidence answers. This is the part a downstream auditor leans on: it shows not just where the gaps are but what you already have that closes the rest.
Exports in the formats your team actually works in: PDF for the readout, CSV for analysis, and a GRC-tool import format so the findings land as tracked items in the system you already run rather than as a document someone has to re-key.
How it's delivered: gateway retrieval, senior review, no uncited findings
The requirement set is built by retrieving each provision from the source through the Ansvar gateway — the same gateway our customers use to ground their own compliance work. That keeps the requirement text current and the citations checkable against the source rather than against a snapshot.
A senior reviewer then checks every finding and every citation before the report ships. The platform enforces a no-silent-fallback rule: a requirement that cannot be grounded to a retrievable source is marked unresolved, not filled from training data. The result is a report you can hand to your own auditor or counsel and have them verify against the legislation, rather than one they have to take on trust.
Process and timeline
The engagement runs in five steps: a scoping call to fix the frameworks and the boundary, evidence intake through a secure EU-hosted upload, the analysis itself, senior review, and a live readout. Your team's time is concentrated at the start — assembling the evidence — and at the end, in the readout.
Duration depends on how many frameworks are in scope and how much evidence there is to map. A single-framework gap analysis against one well-documented policy turns around quickly; a multi-framework assessment across a larger evidence base takes longer. We give an honest range at the scoping call and confirm it in writing before work starts. We do not commit to a hard SLA we cannot hold.
What you receive
- Cited gap report. Every applicable requirement with status, evidence, and gap — each finding cited to the provision and marked critical, material, or minor.
- Evidence mapping. Each requirement paired to the clause in your own policies that answers it, with the unanswered requirements flagged.
- PDF export. The readout document, for circulation to leadership and auditors.
- CSV export. The full findings set as data, for your own analysis and tracking.
- GRC-tool import format. Findings structured so they import as tracked items into your GRC platform rather than needing re-keying.
How it's delivered
- Scoping call. An included call to fix which frameworks are in scope and where the assessment boundary sits.
- Evidence intake. You send your policies, procedures, and records through a secure, EU-hosted upload.
- Analysis. We retrieve each requirement through the gateway, pair it to your evidence, and record the gaps with citations.
- Senior review. A senior reviewer checks every finding and citation; unresolved requirements are flagged, not guessed.
- Readout. We walk the report with you live and hand over the PDF, CSV, and GRC-import exports.
Questions buyers ask first
- How is this different from an auditor's gap analysis?
- An audit firm's gap analysis is usually a consultant's spreadsheet, with the requirement text and the severity calls resting on the consultant's reading. Ours retrieves every requirement from the source legislation or standard through the gateway and cites each finding to the provision, so you — or your own auditor — can check the work against the source. It is an input to certification, not a substitute for it: we are not a certification body, and the report is built to be handed to one.
- What evidence do we provide?
- Your information-security policy, supporting procedures, and any records that show a control operating — incident logs, access reviews, supplier registers, continuity tests. The more you provide, the more of the requirement set the evidence mapping can close rather than flag as a gap. You send it through a secure, EU-hosted upload, and a confidentiality agreement is in place before anything is uploaded.
- Which frameworks can we combine in one engagement?
- NIS2, DORA, ISO 27001, GDPR, and the EU AI Act can be assessed together, and combining them is usually the point — the frameworks overlap heavily, so one evidence intake serves several requirement sets. We map the overlap so a control that satisfies NIS2 Article 21 and the matching ISO 27001 Annex A control is recorded once, with both citations attached, rather than once per framework. Sector-specific regimes can be added where they apply to you.
- How do the citations work?
- Each requirement is retrieved from the source through the Ansvar gateway, which returns the provision at article or control level. The finding carries that citation into the report. Where a requirement cannot be grounded to a retrievable source, it is marked with its regulatory basis unresolved rather than cited from training data — a no-silent-fallback rule the platform enforces. There are no uncited findings and no invented article numbers.
- Can our GRC tool import the result?
- Yes. Alongside the PDF readout and the CSV, we deliver the findings in a GRC-tool import format so they land as tracked items in the platform you already run. If your tool needs a specific layout, tell us at the scoping call and we will match it.
- What does it cost?
- Pricing is scoped per engagement against the number of frameworks in scope and the size of the evidence base. Contact us with a short description of your scope and we will return a fixed scope and price — we do not publish a single number, because a one-framework check and an estate-wide multi-framework assessment are not the same job.