Cyberday blog

Comparing EU cybersecurity frameworks: NIS2, GDPR, DORA and more

The cybersecurity regulatory landscape in the EU is tightening. With multiple new and updated frameworks rolling out, organizations are now expected to meet stricter and more comprehensive requirements than ever before.

At the same time, many companies find themselves needing to comply with more than one framework. A company might be handling personal data (GDPR), delivering digital services (NIS2), operating in finance (DORA), and using connected products (CRA)—all at once. This creates complexity, especially when the frameworks overlap in areas like risk management, incident response, or governance.

This article focuses on the most relevant cybersecurity frameworks regulated by the EU right now, namely NIS2, DORA, GDPR and CRA, as well as ISO 27001 as a voluntary benchmark.

We’ll break down who each framework applies to, what it requires, how they connect to each other, and how organizations can handle them efficiently using Cyberday.

If you're wondering what to prioritize, what’s legally required, and where different frameworks support each other—this article is for you.

Main frameworks and regulations EU-based organizations should consider

Below is a quick comparison of key cybersecurity frameworks in the EU, highlighting their focus areas, whether they’re mandatory, and what they typically require from organizations.

| Framework | Sector/Focus | Mandatory? | Key requirements |
|---|---|---|---|
| NIS2 | Critical infrastructure & digital services | ✅ Yes | Risk management, incident reporting, governance roles |
| GDPR | All sectors (personal data) | ✅ Yes | Lawful data processing, DPO, breach notification, data subject rights |
| DORA | Finance sector | ✅ Yes | ICT risk framework, incident classification, resilience testing |
| Cyber Resilience Act | Digital products, connected devices | ✅ Yes | Secure development, vulnerability handling, lifecycle updates |
| ISO 27001 | All sectors | ❌ No (voluntary) | ISMS, risk treatment, Annex A controls, continuous improvement |

NIS2 (Network and Information Security Directive 2)

The NIS2 Directive is the EU’s main cybersecurity regulation for critical and important sectors. It significantly expands the scope of the original NIS Directive, applying stricter requirements and broader coverage across industries.

Who does NIS2 apply to?

NIS2 affects both essential and important entities in sectors such as energy, transport, health, ICT services, digital infrastructure, waste management, and public administration.

Generally, it applies to organizations with 50+ employees or over €10 million in annual turnover, though smaller organizations may also fall under the scope if they provide key services to society or the economy.

A full breakdown of who NIS2 applies to is covered in a separate Cyberday article.

What does NIS2 require?

Organizations must implement a set of risk management and governance practices to strengthen their resilience against cyber threats. Key requirements include:

  • Risk management measures covering policies, procedures, and technical controls
  • Incident reporting, starting with an early warning within 24 hours of becoming aware of a significant incident
  • Regular security audits and vulnerability assessments
  • Supply chain risk management practices
  • Clear accountability: top management is responsible for cybersecurity decisions

Why is NIS2 important?

NIS2 is mandatory across the EU and brings higher expectations — and penalties — than before. Non-compliance can lead to significant fines and even personal liability for company leadership. The directive aims to harmonize cybersecurity readiness across the EU and strengthen cooperation between national authorities.

How does NIS2 overlap with other frameworks?

Many of NIS2’s requirements align closely with ISO 27001, especially in areas like risk management, governance, and incident response. If your organization is already working with ISO 27001, much of the groundwork is already in place, as the two overlap considerably. With full ISO 27001 compliance, you are roughly 80% of the way to NIS2 compliance.

There are also strong links with DORA for financial-sector entities and GDPR where personal data breaches are concerned.

What regulations are similar to NIS2 outside the EU?

Comparable frameworks include the NIST Cybersecurity Framework in the US and the UK’s NIS Regulations, which continue post-Brexit with a similar approach.

What is the NIS2 compliance timeline?

The directive came into force in January 2023, and EU Member States had to transpose it into national law by October 17, 2024. Affected organizations are expected to comply as soon as the national laws go live.

Is NIS2 supported in Cyberday?

Yes. Cyberday ISMS includes full support for NIS2 — including tasks, documentation templates, and audit readiness. A large share of our customer organizations operate in NIS2 industries or act as key suppliers to organizations in NIS2 scope. For this reason, over 70% of Cyberday customers utilize the NIS2 framework.

GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is the EU’s flagship regulation for data privacy and security. It sets the standard for how organizations must handle personal data, regardless of whether they're based in the EU or simply processing data from EU residents.

Who does GDPR apply to?

GDPR applies to all organizations—regardless of size or sector—that collect or process personal data of individuals in the EU. This includes companies based outside the EU if they target or track EU users (e.g. via websites, apps, or services).

What does GDPR require?

GDPR lays out specific principles and rights around the processing of personal data. Key requirements include:

  • A lawful basis for processing personal data
  • Data subject rights (access, correction, deletion, etc.)
  • Data protection by design and by default
  • Appointment of a Data Protection Officer (DPO) in some cases
  • Mandatory notification of personal data breaches to the supervisory authority within 72 hours
  • A maintained Record of Processing Activities (ROPA)

Why is GDPR important?

GDPR is mandatory across the EU and has become the global benchmark for privacy regulation. Penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher. Beyond compliance, GDPR builds trust with customers and business partners through transparent data practices.

How does GDPR overlap with other frameworks?

GDPR overlaps with NIS2 when personal data is involved in a security incident. It also aligns with ISO 27001 on controls around access management, risk assessment, and incident response. Organizations using DORA, CRA, or other frameworks will also encounter shared principles around security governance and breach reporting.

What regulations are similar to GDPR outside the EU?

Several countries have introduced GDPR-inspired laws:

  • CCPA/CPRA (California, USA)
  • LGPD (Brazil)
  • PIPEDA (Canada)

These share concepts like data subject rights and transparency but are often less strict.

What is the GDPR compliance timeline?

GDPR came into effect on May 25, 2018. Compliance is ongoing and expected from the moment an organization begins processing personal data from the EU.

Is GDPR supported in Cyberday?

Yes. Cyberday ISMS offers full GDPR coverage with ready-made tasks, documentation tools, and risk mapping. GDPR is used by over 75% of organizations in Cyberday, making it the second most common framework. It applies to everyone, and many use it alongside other frameworks — which explains its broad adoption, even if it's rarely the primary one.

DORA (Digital Operational Resilience Act)

DORA is the EU’s cybersecurity regulation specifically aimed at the financial sector. It focuses on ensuring that financial institutions can withstand and recover from operational disruptions, particularly those caused by ICT (information and communication technology) risks.

Who does DORA apply to?

DORA applies to nearly all types of financial entities operating in the EU, including:

  • Banks and credit institutions
  • Insurance and reinsurance firms
  • Investment firms and asset managers
  • Crypto service providers
  • Payment institutions and e-money providers
  • Critical third-party ICT service providers (including cloud providers)

If your organization is part of the financial ecosystem in any form, DORA likely applies.

What does DORA require?

DORA sets out clear rules for managing ICT risks. Its key requirements include:

  • A robust ICT risk management framework
  • Classification and reporting of major ICT-related incidents
  • Ongoing digital operational resilience testing
  • Third-party risk management for ICT service providers
  • Clear roles and responsibilities at the management level

Why is DORA important?

DORA is mandatory for in-scope financial entities and significantly raises the bar for operational resilience. It aligns with the EU’s goal to strengthen the financial system’s ability to prevent and respond to cyber disruptions. Compliance will be essential for maintaining licenses and avoiding regulatory penalties.

How does DORA overlap with other frameworks?

DORA overlaps with NIS2 for critical ICT infrastructure and incident handling, and shares risk management foundations with ISO 27001. If your organization is already implementing ISO or NIS2, there’s a strong base to build from. It also ties into GDPR when personal data is impacted during an incident.

What regulations are similar to DORA outside the EU?

The most comparable regulation is the US SEC Cybersecurity Rule for financial institutions. DORA also resembles the NYDFS Cybersecurity Regulation in New York and other emerging operational resilience rules in Asia and the UK.

What is the DORA compliance timeline?

DORA came into force in January 2023. All financial entities must be fully compliant by January 17, 2025. Implementation efforts should already be underway.

Is DORA supported in Cyberday?

Yes. DORA is available as a dedicated framework in Cyberday, with tasks, policies, and documentation tools built for financial-sector compliance. The financial sector and their ICT service providers form a key segment in Cyberday, with around 20% of customers using the DORA framework.

Cyber Resilience Act (CRA)

The Cyber Resilience Act is an EU regulation focused on improving the cybersecurity of digital products. It aims to ensure that hardware and software placed on the EU market come with built-in security features and responsibilities throughout their lifecycle.

Who does the CRA apply to?

CRA applies to manufacturers, importers, and distributors of products with digital elements, including:

  • Software applications
  • Connected devices (IoT)
  • Operating systems
  • Industrial control software
  • Embedded software in hardware products

Products already covered by other EU laws—like medical devices, vehicles, or aviation equipment—are excluded. If your organization develops, sells, or distributes digital products in the EU, the CRA will likely apply.

What does the CRA require?

The CRA introduces security obligations across the entire product lifecycle. Key requirements include:

  • Secure-by-design and default development practices
  • A documented vulnerability handling process
  • Incident reporting for actively exploited vulnerabilities
  • Ongoing security updates and support for products
  • Technical documentation demonstrating conformity

Certain “critical” product categories must undergo third-party conformity assessments, while others can self-declare compliance.

Why is the CRA important?

The CRA is mandatory and introduces legal accountability for insecure products. It shifts responsibility to vendors to ensure cybersecurity from day one — not as an afterthought. This helps reduce the EU-wide risk posed by poorly secured digital tools and creates market pressure for secure innovation.

How does the CRA overlap with other frameworks?

CRA overlaps with ISO 27001 on secure development, vulnerability management, and incident response. It also aligns with NIS2 when digital products are part of critical infrastructure, and with DORA in the financial sector. Like GDPR, it introduces incident reporting obligations — but tied to product vulnerabilities.

What regulations are similar to the CRA outside the EU?

  • US IoT Cybersecurity Improvement Act (public-sector procurement)
  • UK Product Security and Telecommunications Infrastructure Act (PSTI)
  • Various global standards around secure software development and product labeling

What is the CRA compliance timeline?

The CRA entered into force on December 10, 2024. Most obligations will apply from December 11, 2027. Manufacturers and distributors should start assessing affected products and prepare technical documentation well in advance.

Is CRA supported in Cyberday?

Yes. We have just finalized the full support for the Cyber Resilience Act in Cyberday. This includes tasks and controls for vulnerability handling, incident reporting, secure development practices, and technical documentation.

ISO 27001 (Information Security Management)

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). Unlike EU regulations, it’s not mandatory, but it’s widely adopted across industries to prove strong security practices and support regulatory compliance.

Who does ISO 27001 apply to?

ISO 27001 is voluntary, but valuable for any organization—large or small—that wants to manage information security systematically. It is especially useful for organizations that need to demonstrate their security practices to customers or partners.

What does ISO 27001 require?

The standard defines a structured approach to identify, manage, and reduce information security risks. Key elements include:

  • A formal Information Security Management System (ISMS)
  • Risk assessments and risk treatment planning
  • Clear security objectives and policies
  • Assignment of roles and responsibilities
  • Implementation of relevant controls from Annex A (updated in 2022)
  • Internal audits and continuous improvement

Organizations can certify against ISO 27001 by passing a formal audit.

Why is ISO 27001 important?

While not legally required, ISO 27001 is often considered the “gold standard” for information security. It’s recognized globally and often required in B2B deals, procurement processes, and vendor assessments. It also helps prepare for mandatory regulations like NIS2, DORA, and GDPR by covering overlapping control areas.

How does ISO 27001 overlap with other frameworks?

ISO 27001 provides a foundational structure for security, so there’s extensive overlap with:

  • NIS2 – risk management, governance, incident handling
  • DORA – ICT risk and operational resilience
  • GDPR – data access control, breach response
  • CRA – secure development and vulnerability management

Adopting ISO 27001 makes multi-framework compliance much easier.

What regulations are similar to ISO 27001 outside the EU?

ISO 27001 is international, so there’s no direct equivalent — but it often maps well to:

  • NIST Cybersecurity Framework (US)
  • SOC 2 (for service providers in the US)

What is the ISO 27001 compliance timeline?

There’s no fixed deadline — organizations can adopt and certify on their own schedule. However, those using the older 2013 version must transition to the 2022 revision by October 2025 to keep certification valid.

Is ISO 27001 supported in Cyberday?

Yes. Cyberday supports the full ISO 27001:2022 standard, including all updated Annex A controls, required documentation, and internal audit tracking. Over 600 organizations use ISO 27001 in Cyberday, making it the most popular cybersecurity framework.

Other Relevant Regulations in the EU

Some additional EU and global regulations intersect with cybersecurity but aren’t the core focus of this article. Here are a few worth keeping on your radar:

EU AI Act

The EU AI Act regulates the development and use of artificial intelligence systems based on risk levels. While not a pure cybersecurity law, it introduces security-related requirements, especially for high-risk systems.

Relevant for organizations that:

  • Develop or use AI systems in regulated sectors
  • Handle sensitive data via AI
  • Deploy AI in decision-making roles (e.g., hiring, credit scoring)

Key overlaps with cybersecurity:

  • Robustness and accuracy of AI models
  • Risk and security assessments
  • Incident handling if AI causes harm or malfunction

If your organization uses AI, it’s worth tracking the AI Act’s final form and timelines.

Cyber Solidarity Act (CSA)

The Cyber Solidarity Act is not a framework organizations must comply with directly. Instead, it's an EU-level initiative aimed at boosting cross-border cyber threat detection, incident response, and crisis management capabilities.

It establishes things like:

  • An EU Cybersecurity Reserve
  • A European Cyber Shield (network of Security Operations Centres)
  • Funding and coordination support for large-scale incidents

While not something you implement internally, CSA could impact how your organization interacts with national authorities or receives support during major cyber events.

Industry-Specific Regulations

Depending on your sector, the following frameworks may also apply — either due to legal requirements or industry expectations:

  • PSD2 (EU): Payment services regulation with strong customer authentication and fraud prevention requirements.
  • PCI DSS (Global): Applies to any entity that processes or stores cardholder data.
  • EU MDR (EU): Requires cybersecurity controls in medical devices.
  • TISAX (EU): A widely adopted automotive industry standard for managing information security assessments.

These are more specialized but often sit alongside the main frameworks (like NIS2 or ISO 27001) in a broader compliance effort.

Simplify Compliance with Cyberday

Managing cybersecurity requirements from multiple frameworks doesn’t need to mean duplicate work. Cyberday is built to help organizations implement and maintain security frameworks in a centralized, efficient, and scalable way.

Each of the core frameworks covered in this article—NIS2, GDPR, DORA, CRA (soon), ISO 27001—is available as a ready-to-use structure in Cyberday, complete with tasks, documentation templates, policies, and audit tools. Once activated, Cyberday automatically identifies overlapping requirements between frameworks and lets you manage shared tasks only once.

Real overlap = real time savings

Here’s what that looks like in practice:

If you’re fully implementing NIS2, you’ve already covered:

  • ~40% of ISO 27001 tasks
  • ~45% of GDPR tasks
  • ~45% of DORA tasks

That’s a huge head start for organizations working with multiple regulations—and a good reason to avoid handling each framework in a silo.

One environment, multiple frameworks

Cyberday gives your team:

  • A clear task list for each active framework
  • Automatic mapping of overlapping requirements
  • A single view of your compliance documentation and audit status
  • Built-in guidance to keep your security efforts aligned with changing regulations

Whether you're starting from GDPR or scaling up to DORA and NIS2, Cyberday makes it easier to stay compliant without starting from scratch every time. Start your free trial today!
