ImplementationNIS2DORAGDPRISO 27001

Compliance Programs 101: How to Build One for EU Regulations

14 minUpdated 2026-03-18

Foundational guide to building a compliance programme for EU-regulated organisations, covering programme structure, governance, policy frameworks, training, monitoring, multi-framework design, maturity assessment, and continuous improvement.

Key Takeaways

1
Design the compliance programme as an integrated multi-framework capability from the outset. Siloed framework-specific initiatives produce duplication, inconsistency, and boundary gaps.
2
Governance operates at three layers: management body oversight (NIS2 Article 20, DORA Article 5(2)), compliance committee coordination, and control owner execution. Document the structure in a board-approved charter.
3
Use a unified control architecture with many-to-many obligation mapping to eliminate redundant testing across NIS2, DORA, GDPR, and ISO 27001.
4
Training is a legal obligation under NIS2 Article 20(2) and DORA Article 13(6), not an optional enhancement. Measure effectiveness beyond completion rates.
5
Continuous improvement is a regulatory requirement across NIS2, DORA, and ISO 27001. Build structured feedback loops from incidents, testing, regulatory changes, and supervisory interactions into the programme.

1. Programme Structure and Governance

A compliance programme is the totality of an organisation's approach to meeting its regulatory obligations: the governance framework, organisational structure, policies, processes, training, monitoring, reporting, and continuous improvement mechanisms that collectively ensure legal and regulatory requirements are met on an ongoing basis. For EU organisations navigating NIS2, DORA, GDPR, and ISO 27001 simultaneously, the compliance programme must be designed as an integrated capability rather than a collection of framework-specific initiatives. Siloed programmes — one team for GDPR, another for NIS2, a third for DORA — produce duplication, inconsistency, and gaps at the boundaries.

Governance is the skeletal structure of the programme. Define three layers: strategic governance (management body oversight), tactical governance (compliance committee coordination), and operational governance (control owner execution). At the strategic layer, the management body must fulfil its obligations under NIS2 Article 20 (approving cybersecurity measures, receiving training, overseeing implementation) and DORA Article 5(2) (defining, approving, overseeing, and being accountable for the ICT risk management framework). At the tactical layer, a compliance committee — comprising the compliance officer, CISO, DPO, legal counsel, and business unit representatives — coordinates cross-framework activities, resolves conflicts between framework requirements, and allocates resources. At the operational layer, control owners implement and maintain specific controls, collect evidence, and report exceptions through defined escalation paths.

Document the governance structure in a compliance programme charter approved by the management body. The charter should define the programme's scope (which frameworks, which entities, which jurisdictions), the governance bodies and their mandates, reporting lines and escalation paths, roles and responsibilities (using RACI or equivalent), and the programme's relationship to other organisational functions (internal audit, risk management, legal). The charter serves both as an operational reference and as evidence for supervisory authorities that the compliance programme is formally constituted and management body-sponsored.

A compliance programme charter approved by the management body serves dual purposes: it operationalises governance and it provides evidence to supervisory authorities that the programme is formally constituted with board-level sponsorship.

2. Policy Framework

The policy framework translates regulatory obligations into internal rules that govern organisational behaviour. Structure policies in a hierarchy: a top-level compliance policy (setting the organisation's commitment to regulatory compliance and the programme's governance framework), domain policies (cybersecurity policy, data protection policy, ICT risk management policy, incident management policy, supply chain security policy), and supporting standards and procedures that provide implementation detail. This hierarchical structure allows the management body to approve top-level and domain policies while delegating procedural detail to subject matter experts, satisfying both the Article 20/Article 5(2) approval requirements and the need for operational specificity.

Each policy must address minimum content requirements imposed by the applicable frameworks. NIS2 Article 21(2)(a) requires risk analysis and information system security policies — these must cover all ten measure categories listed in Article 21(2)(a)-(j). DORA's RTS on ICT risk management (JC 2023 86) specifies minimum content for ICT security policies including information classification, cryptography, operations security, network security, project and change management, physical security, and human resources security. ISO 27001 Clause 5.2 requires an information security policy appropriate to the purpose of the organisation, providing a framework for setting objectives, and including a commitment to continual improvement. Map these requirements to avoid producing separate policies for each framework when a single integrated policy can satisfy all three.

Policy lifecycle management is as important as policy content. Every policy must have a defined owner, a scheduled review date (at least annually for NIS2 and DORA-related policies), an approval authority, and a distribution mechanism that ensures all relevant personnel can access and have acknowledged the current version. Track policy exceptions formally: when business circumstances require deviation from policy, document the exception with a risk assessment, an approving authority, a defined expiration date, and compensating controls. Policy exceptions that accumulate without resolution are a supervisory red flag — they suggest the policy framework is disconnected from operational reality.

3. Training and Awareness Programme

Training is a legal obligation, not an optional enhancement. NIS2 Article 20(2) requires management body members to undergo cybersecurity training and to offer similar training to employees on a regular basis. DORA Article 13(6) mandates ICT security awareness programmes and digital operational resilience training for all staff, with training content differentiated by role. GDPR Article 39(1)(b) assigns the DPO the task of monitoring compliance including awareness-raising and training of staff involved in processing operations. A compliance programme that does not include a structured training component is non-compliant by definition.

Design training in tiers aligned with role-based risk exposure. General awareness training for all employees covers the organisation's compliance obligations at a high level, individual responsibilities (incident reporting, acceptable use, data handling), and the consequences of non-compliance. Role-specific training targets personnel with elevated compliance responsibilities: system administrators receive training on access control and logging requirements, developers on secure development practices and vulnerability management, procurement staff on supply chain security assessment procedures, and incident responders on the NIS2/DORA reporting cascades. Management body training — mandated explicitly by NIS2 Article 20(2) — must cover cybersecurity risk management concepts, the organisation's specific risk profile, governance obligations, and the personal liability implications of Article 20.

Measure training effectiveness beyond completion rates. Completion rate tells you who attended; it does not tell you who learned. Incorporate knowledge assessments into training (pre- and post-training quizzes with minimum passing scores), conduct phishing simulations to test security awareness behaviours, and track the correlation between training completion and operational metrics (do teams with higher training completion rates have fewer security incidents or policy exceptions?). Report training metrics to the management body as part of the compliance programme's regular reporting cycle — this simultaneously demonstrates training programme effectiveness and satisfies the management body's duty to oversee training under Article 20(2).

NIS2 Article 20(2) requires management body members to undergo cybersecurity training — not just to approve a training programme for others. Board-level training must be substantive, documented, and regular. An annual awareness email does not satisfy this obligation.

4. Multi-Framework Programme Design

EU organisations rarely face a single regulatory framework. The typical compliance programme must address NIS2, DORA (for financial entities or ICT service providers to financial entities), GDPR, and often ISO 27001 certification or sector-specific regulations. Designing the programme around a single framework and bolting on others as afterthoughts produces a fragmented compliance posture with redundant controls, inconsistent evidence, and gaps at framework boundaries. Instead, design the programme from the outset as a multi-framework capability with a unified control architecture.

The unified control architecture starts with a harmonised obligation register that maps requirements from all applicable frameworks to a common control set. Use a recognised mapping source as the starting point: ENISA's NIS2-to-ISO 27001 mapping, the ESA's DORA-to-existing-framework mapping references, or the Cloud Security Alliance's Cloud Controls Matrix for cross-framework alignment. For each control, document which framework requirements it satisfies (the many-to-many mapping), define the evidence required to demonstrate effectiveness, and assign a single control owner responsible for implementation and testing across all frameworks. This architecture means a control is tested once and the results count toward compliance across all linked frameworks — eliminating the redundant testing that siloed programmes generate.

Manage framework-specific requirements as extensions to the common control set rather than as separate programmes. NIS2's management body liability provisions (Article 20) have no direct equivalent in DORA or GDPR — they require specific governance controls added to the common set. DORA's register of information (Article 28(3)) has no equivalent in NIS2 — it requires a specific data management control. GDPR's data subject rights processing (Articles 15-22) has no equivalent in NIS2 or DORA — it requires specific operational procedures. These framework-specific controls sit alongside the common controls in the unified architecture, each mapped to its source obligation, each with defined evidence and ownership. The result is a compliance programme that addresses all frameworks comprehensively while eliminating duplication where requirements overlap.

Use a unified control architecture with many-to-many obligation mapping. A single control tested once can satisfy requirements from NIS2, DORA, GDPR, and ISO 27001 simultaneously — eliminating 30-50% of the testing effort that siloed programmes generate.

5. Monitoring and Continuous Compliance

Compliance monitoring ensures that controls remain effective between formal audit cycles. Design a monitoring programme with three components: continuous automated monitoring, periodic control testing, and management review. Continuous automated monitoring leverages technology to assess control states in real time — configuration management tools verifying system hardening standards, identity platforms tracking privileged access changes, SIEM platforms monitoring logging completeness, and vulnerability scanners assessing patch currency. Each automated check maps to one or more compliance controls, and deviations generate alerts that enter the exception management workflow.

Periodic control testing provides assurance where automation is not feasible or where human judgment is required. Conduct structured control tests on a risk-based schedule: critical controls (those addressing high-impact regulatory requirements or high-likelihood failure modes) tested quarterly, standard controls tested semi-annually, and lower-risk controls tested annually. Each test should follow a defined methodology: identify the control objective, select a sample of transactions or configurations, evaluate the sample against the control's expected behaviour, and document findings with evidence. Control testing is the compliance programme's primary mechanism for satisfying NIS2 Article 21(2)(f) — the explicit requirement to assess the effectiveness of cybersecurity risk-management measures.

Management review provides the governance layer over monitoring and testing. The compliance committee should review monitoring alerts and control testing results on a defined cadence (monthly is typical), assess the aggregate compliance posture, and escalate material findings to the management body. Establish clear criteria for what constitutes a material finding requiring board-level escalation: a critical control failure, a pattern of recurring exceptions in a single domain, a regulatory examination finding, or a significant change in the regulatory environment. Document management review meetings with minutes that record attendees, findings reviewed, decisions taken, and action items assigned — these minutes form part of the governance evidence trail that supervisory authorities will examine.

6. Maturity Assessment and Continuous Improvement

Compliance programme maturity assessment provides an objective measure of how well the programme performs against its design objectives and regulatory expectations. Use a maturity model with defined levels — a common five-level scale covers: initial (ad-hoc, reactive compliance activities), developing (documented policies but inconsistent implementation), defined (standardised processes, assigned ownership, regular testing), managed (metrics-driven, quantitative understanding of compliance posture), and optimising (continuous improvement feedback loops, predictive risk identification). Assess each programme component (governance, policy framework, training, monitoring, reporting, technology) independently, as maturity levels typically vary across components.

Conduct maturity assessments annually, ideally timed to inform the management body's annual compliance programme review. Compare current maturity against target maturity — the target should be informed by regulatory expectations, peer benchmarks, and risk appetite. Not every component needs to reach the optimising level: for a mid-sized organisation, a target of defined (Level 3) for most components with managed (Level 4) for high-risk domains such as incident management and access control is realistic and defensible. Supervisory authorities assess proportionality — they expect maturity to scale with entity size, risk exposure, and the criticality of services provided.

Continuous improvement is not an aspiration — it is a regulatory requirement. NIS2 Article 21(1) requires measures that are appropriate and proportionate, implying ongoing adjustment as risks evolve. DORA Article 6(5) explicitly requires that the ICT risk management framework be improved continuously based on lessons learned. ISO 27001 Clause 10.1 mandates continual improvement of the ISMS. Build improvement inputs into the programme: post-incident reviews identifying control gaps, control testing findings revealing design weaknesses, regulatory changes requiring obligation updates, maturity assessment results highlighting capability shortfalls, and supervisory examination feedback. Channel these inputs through the compliance committee into a documented improvement plan with prioritised actions, assigned owners, and target completion dates. Track improvement plan execution as a programme-level KPI — it demonstrates the dynamic, evolving nature of your compliance programme to supervisory authorities.

Frequently Asked Questions

What is the difference between a compliance programme and a compliance management system?

A compliance programme is the broader organisational initiative encompassing strategy, governance, culture, training, and all activities undertaken to achieve and maintain regulatory compliance. A compliance management system (CMS) is the operational layer within the programme — the specific policies, processes, controls, and technology that identify obligations, implement measures, collect evidence, and produce reports. Think of the programme as the 'what and why' and the CMS as the 'how.' Every compliance programme needs a CMS, but the programme also includes elements the CMS does not cover, such as tone from the top, compliance culture, and strategic resource allocation.

How do we resource a compliance programme for a mid-sized EU organisation?

Resourcing depends on the number of applicable frameworks, organisational complexity, and current maturity. For a mid-sized organisation (100-500 employees) subject to NIS2, GDPR, and one additional framework, a typical programme requires: a dedicated compliance officer (or equivalent function), a CISO or security lead, a DPO (required under GDPR Article 37 for many organisations), and part-time contributions from control owners across IT, HR, legal, and procurement. Technology investment in a compliance management platform reduces manual effort and should be budgeted from programme inception. Total programme cost typically ranges from 2-5% of the IT security budget, depending on automation levels.

Can we use ISO 27001 certification as the foundation for our EU compliance programme?

ISO 27001 is an excellent foundation but not a complete solution. Its risk-based approach, control framework, and management system structure align well with NIS2 and DORA requirements. Approximately 70% of NIS2 Article 21 measures and 60-65% of DORA requirements map to ISO 27001 controls. However, ISO 27001 does not cover management body personal liability (NIS2 Article 20), prescriptive incident reporting timelines (NIS2 Article 23, DORA Article 19), the DORA register of information (Article 28(3)), or GDPR data subject rights. Build your programme on the ISO 27001 foundation and extend it with framework-specific controls for the gaps.

How long does it take to build a compliance programme from scratch?

A realistic timeline for a mid-sized organisation building a multi-framework programme (NIS2 + GDPR + one additional framework) from minimal existing maturity is 9 to 18 months to reach operational capability. Phase 1 (months 1-3) covers programme design, governance establishment, and obligation mapping. Phase 2 (months 4-8) covers policy development, control implementation, and technology deployment. Phase 3 (months 9-12) covers training rollout, monitoring activation, and first-cycle testing. Months 13-18 focus on optimisation based on lessons from the first operational cycle. Organisations with existing ISO 27001 certification can compress this timeline by 3-6 months by leveraging existing controls and documentation.

How do we demonstrate programme effectiveness to supervisory authorities?

Supervisory authorities assess programme effectiveness through evidence of sustained operation, not point-in-time snapshots. Demonstrate effectiveness by presenting: governance records (board minutes showing regular compliance oversight, committee meeting records), control testing results over multiple cycles (showing trends, not just current status), incident handling records (demonstrating the reporting process works under real conditions), training completion and effectiveness data, remediation tracking showing exceptions identified, addressed, and closed within defined timelines, and maturity assessment results showing progression over time. The key message to convey is that compliance is a continuously operating capability, not a project with a completion date.

Related Guides

Implementation

Ready to Operationalise This?

Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.

Create Account Schedule Demo