Gap analysis from your security policy
Your CISO needs to know how today's information-security policy maps against ISO 27001, NIS2, and DORA — without buying three separate audits.
How the gateway answered
What controls do ISO 27001:2022, NIS2 (Directive 2022/2555), and DORA (Regulation (EU) 2022/2554) each require from a regulated entity's information-security policy? Group by framework. Mark each requirement critical / material / minor with inline citations. (For a real gap analysis, attach your policy and the workflow will pair each control to your existing clause and flag the misses.)
search(query="information security management system requirements" frameworks=[ISO_27001] limit=10)
→ 1 weakly-relevant result; ISO 27001 specific clauses not surfaced for this query
search(query="essential entity cybersecurity risk management measur…" frameworks=[NIS2] limit=10)
→ 10 results from EU Regulations MCP — NIS2 Art. 1, 16, 20, 21, 32 + Recitals 74, 78, 82, 85, 137
search(query="ICT risk management framework digital operational res…" frameworks=[DORA] limit=10)
→ 10 results from EU Regulations MCP — DORA Art. 1, 5, 6, 13, 16, 24, 28 + Recitals 8, 43, 45
Gap-analysis baseline — ISO 27001 + NIS2 + DORA
The gateway returned strong coverage on NIS2 and DORA (the two binding EU regimes) and thin coverage on ISO 27001 (the management-system standard). The control set below is the superset of requirements the three regimes impose on an in-scope entity. Pair each row against your existing policy clauses to produce a real gap analysis.
NIS2 — Directive (EU) 2022/2555
The gateway returned the following on-point NIS2 articles (and recitals giving their motivation):
- Article 1 — Subject matter. Establishes the harmonised cybersecurity-risk-management and reporting baseline across the Union.
- Article 16 — Peer review framework. Member-State authorities review each other; the operator-side impact is that supervisory expectations converge over time.
- Article 20 — Governance. Management bodies of essential and important entities must approve the cybersecurity-risk-management measures and oversee their implementation, can be held liable for non-compliance, and must follow specific training. Critical.
- Article 21 — Cybersecurity risk-management measures. This is the load-bearing article. Mandates an all-hazards approach covering at least: risk analysis and information-system security policies; incident handling; business continuity (backups, disaster recovery, crisis management); supply-chain security; security in acquisition, development and maintenance; vulnerability disclosure; assessment of the effectiveness of the measures; …
Every claim traces to a source you can open
A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 10 primary sources — official legislation, agency guidance, and case law — each a link you or your auditor can open and check. Nothing here is generated.
- NIS2 Directive (EU) 2022/2555 Article 1 — Subject matter (EU · regulation · eur-lex.europa.eu)
- NIS2 Article 20 — Governance (EU · regulation · eur-lex.europa.eu)
- NIS2 Article 21 — Cybersecurity risk-management measures (EU · regulation · eur-lex.europa.eu)
- NIS2 Article 32 — Supervisory and enforcement measures (EU · regulation · eur-lex.europa.eu)
- DORA Regulation (EU) 2022/2554 Article 5 — Governance and organisation (EU · regulation · eur-lex.europa.eu)
- DORA Article 6 — ICT risk-management framework (EU · regulation · eur-lex.europa.eu)
- DORA Article 13 — Learning and evolving (EU · regulation · eur-lex.europa.eu)
- DORA Article 16 — Simplified framework (EU · regulation · eur-lex.europa.eu)
- DORA Article 24 — Testing of ICT tools and systems (EU · regulation · eur-lex.europa.eu)
- DORA Article 28 — Third-party-risk monitoring (EU · regulation · eur-lex.europa.eu)
Run this on your own data
This is available as a service: Gap Analysis. Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.