Four frameworks, one platform: eliminating compliance duplication at enterprise scale
“We were maintaining four separate control frameworks with four separate evidence repositories and four separate audit preparation cycles. The overlap was enormous — and so was the wasted effort. FortisEU unified everything.”
— Group Compliance Director, Dutch Insurance Group
As a large insurance group operating across the Netherlands, Belgium, and Luxembourg, the organisation was subject to an overlapping web of regulatory requirements: DORA for ICT operational resilience, NIS2 for cybersecurity as a provider of essential services, GDPR for personal data protection across their customer base of 3 million policyholders, and Solvency II for prudential risk management and governance.
Each regulation had been approached as a separate compliance programme, managed by different teams, using different tools, and producing different evidence packages. The result was a compliance operation that consumed significant resources — not because the individual requirements were excessive, but because the same underlying controls were being documented, tested, and evidenced four separate times.
An internal audit had quantified the problem: approximately 60% of the controls required by DORA, NIS2, GDPR, and Solvency II overlapped with at least one other framework. Yet the organisation was maintaining them as if they were entirely independent — quadrupling the audit preparation effort and creating inconsistencies between frameworks where the same control was described differently in different evidence packages.
60% control overlap, 0% reuse
Internal audit identified 60% overlap between DORA, NIS2, GDPR, and Solvency II controls — all maintained separately with no cross-framework evidence reuse.
Four audit cycles per year
Separate audit preparation for each framework, each requesting overlapping evidence in different formats from different teams — consuming months of cumulative preparation time.
Inconsistent control descriptions
The same security control described differently across four evidence packages, creating audit findings about inconsistency rather than actual control weaknesses.
Cross-border complexity
Operations across three Benelux jurisdictions with different national supervisory expectations, GDPR DPA coordination requirements, and NIS2 transposition variations.
FortisEU's multi-framework compliance engine mapped all four regulatory frameworks — DORA, NIS2, GDPR, and Solvency II — onto a unified control taxonomy. Each control was documented once, with framework-specific views generated automatically. When evidence was uploaded against a control, it automatically satisfied all applicable framework requirements — eliminating the duplication that had consumed the compliance team.
The cross-framework mapping engine identified not only overlaps but also gaps: controls that were unique to one framework and had been inadvertently missed in another. This gap analysis revealed several NIS2-specific supply chain requirements that the DORA programme had assumed were covered, and GDPR-specific data subject rights processes that Solvency II governance reporting had not considered.
Unified Control Taxonomy
Single control framework mapping DORA, NIS2, GDPR, and Solvency II requirements. One control = one evidence item = four frameworks satisfied simultaneously.
Automated Gap Analysis
Cross-framework gap detection identifying requirements unique to each framework, preventing assumptions that coverage in one framework implies coverage in another.
Framework-Specific Views
Auditor-ready exports filtered by framework: DORA view for DNB, NIS2 view for NCSC, GDPR view for AP, Solvency II view for EIOPA — all from the same underlying evidence.
Cross-Border Coordination
Multi-jurisdiction compliance management across Netherlands, Belgium, and Luxembourg with DPA coordination tracking and jurisdiction-specific requirement overlays.
The unified control taxonomy delivered the efficiency gains that internal audit had predicted were possible. The 60% control overlap that had previously meant 60% wasted effort was now 60% automatic reuse — each piece of evidence satisfying multiple frameworks simultaneously.
More importantly, the gap analysis revealed compliance blind spots that the separate programmes had missed. The group identified and remediated 23 control gaps in the first quarter — gaps that existed not because the organisation lacked the controls, but because the fragmented compliance structure had created coverage assumptions that were not actually valid.
“The real surprise was not the efficiency gain — we expected that. The surprise was the 23 gaps we discovered between frameworks. Our separate programmes each looked complete in isolation, but the overlaps were hiding genuine compliance holes. Unification did not just save time — it made us actually more compliant.”
— Group Compliance Director, Dutch Insurance Group