Risk Management Frameworks for EU Organisations
Comprehensive overview of major risk management frameworks including ISO 31000, NIST RMF, and COSO ERM, with detailed analysis of EU-specific risk frameworks under DORA and NIS2. Guidance on selecting the right framework for your organisation's regulatory obligations.
- 1
ISO 31000 provides a universal risk management foundation but must be supplemented with domain-specific frameworks (ISO 27005, DORA Chapter II) for operational specificity.
- 2
DORA prescribes the most detailed mandatory ICT risk management framework in EU law — financial entities cannot substitute it with a voluntary standard.
- 3
For organisations subject to both DORA and NIS2, implement DORA's framework fully first, then gap-analyse against NIS2 Article 21 for residual obligations.
- 4
Avoid framework proliferation: maintain a single risk management process with multiple compliance overlays rather than separate frameworks per regulation.
- 5
Framework implementation is a governance exercise, not a technology purchase — success is measured by integration into decision-making, not by tool deployment.
1. Why Risk Management Frameworks Matter
A risk management framework is not a luxury or an academic exercise — it is the structural foundation on which every compliance programme, security investment decision, and board-level risk conversation rests. Without a framework, risk management devolves into ad hoc reactions: individual managers assessing threats through their own mental models, inconsistent scoring methodologies across departments, and no common language for comparing a supply chain risk against a cybersecurity risk against a regulatory risk. Frameworks impose discipline, consistency, and auditability on what would otherwise be subjective guesswork.
For EU organisations in 2026, frameworks are also a regulatory expectation. NIS2 Article 21(2)(a) explicitly requires essential and important entities to maintain risk analysis and information system security policies. DORA Chapter II (Articles 5-16) mandates a comprehensive ICT risk management framework for financial entities, specifying its governance, components, and review cadences in unusual detail for an EU regulation. ISO 27001:2022 Clause 6.1 requires organisations to determine risks and opportunities that need to be addressed and to plan actions for their treatment. The question is not whether to adopt a framework but which framework — or combination of frameworks — best serves your regulatory obligations and organisational reality.
The landscape of available frameworks is broad, and EU organisations face a particular challenge: many of the most widely referenced frameworks originate from non-EU bodies (ISO in Geneva, NIST in the United States, COSO as a US-sponsored commission). This does not disqualify them — ISO 31000 and ISO 27005 are genuinely international, and NIST frameworks are used globally — but it does require careful evaluation of how well they align with EU regulatory expectations, data sovereignty principles, and the specific control requirements of NIS2 and DORA. This guide maps the major options and provides selection criteria tailored to the EU context.
2. ISO 31000: The Universal Foundation
ISO 31000:2018 (Risk management — Guidelines) is the most broadly applicable risk management framework available. It is sector-agnostic, hazard-agnostic, and deliberately high-level — providing principles, a framework structure, and a process for managing risk across any domain. Its core process follows a logical sequence: scope, context, and criteria definition; risk assessment (identification, analysis, evaluation); risk treatment; monitoring and review; and recording and reporting. Surrounding this process is a framework that addresses leadership commitment, integration into organisational processes, design, implementation, evaluation, and improvement.
ISO 31000's strength is its universality. It works equally well for cybersecurity risk, operational risk, strategic risk, and financial risk. For EU organisations subject to multiple regulatory obligations, this breadth is valuable: ISO 31000 can serve as the overarching risk management philosophy into which domain-specific frameworks (ISO 27005 for information security, DORA's ICT risk framework for financial services) are nested. It provides common terminology — risk appetite, risk criteria, risk owner, risk treatment — that enables cross-domain risk conversations at the executive and board level.
Its weakness is that universality comes at the cost of specificity. ISO 31000 does not prescribe risk scoring methodologies, does not specify which threats to assess, and does not mandate particular controls or treatments. An organisation that adopts ISO 31000 alone, without domain-specific supplementation, will have an elegant risk process but no practical guidance on what to do with it in a cybersecurity context. For NIS2 and DORA compliance, ISO 31000 is necessary but not sufficient — think of it as the operating system on which more specific frameworks run.
ISO 31000 is complemented by ISO 27005:2022 (Information security risk management), which applies ISO 31000's principles specifically to information security. ISO 27005 provides more concrete guidance on threat identification, vulnerability assessment, and risk evaluation in an IT context, making it a natural bridge between ISO 31000's generality and the specific control requirements of ISO 27001 Annex A. For EU organisations pursuing ISO 27001 certification, combining ISO 31000 and ISO 27005 creates a risk management approach that is both principled and operationally actionable.
ISO 31000 was revised in 2018 with a stronger emphasis on leadership involvement and integration into decision-making. If your organisation is still referencing the 2009 edition, update your framework documentation — auditors and regulators expect the current version.
3. NIST RMF and COSO ERM in the EU Context
The NIST Risk Management Framework (RMF), documented in NIST Special Publication 800-37, originated as a US federal government standard but has been adopted globally, particularly in defence, critical infrastructure, and technology sectors. Its seven-step process — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — provides a rigorous, system-level approach to risk management that maps well to EU requirements for systematic, documented risk treatment. NIST RMF's emphasis on continuous monitoring (the final step) aligns directly with NIS2 Article 21(2)(f) and DORA Article 16 requirements for ongoing assessment of measure effectiveness.
However, NIST RMF carries US-specific assumptions that require adaptation for EU use. Its system categorisation approach (using FIPS 199 impact levels of low, moderate, and high) does not directly correspond to EU regulatory classifications. Its control catalogues (NIST SP 800-53) are comprehensive but reference US legal requirements, US government agencies, and US-specific supply chain considerations. EU organisations can use NIST RMF as a process model — its seven-step lifecycle is excellent — while substituting EU-appropriate control sets (ISO 27001 Annex A, NIS2 Article 21 measures, DORA technical standards) for the US-specific control catalogue.
COSO ERM (Enterprise Risk Management — Integrating with Strategy and Performance, updated in 2017) takes a broader view than either ISO 31000 or NIST RMF. It frames risk management as integral to strategy setting and performance management, organised around five components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. COSO ERM is particularly relevant for EU financial institutions subject to DORA, because DORA Article 5 requires that the ICT risk management framework be integrated into the institution's overall risk management framework — exactly the integration that COSO ERM is designed to achieve.
The practical choice between these frameworks often comes down to organisational context. Financial institutions with existing COSO ERM deployments should extend them to cover ICT risk per DORA requirements rather than building a parallel framework. Technology companies and critical infrastructure operators may find NIST RMF's system-level rigour more natural. And organisations seeking a lightweight, principle-based foundation that leaves room for domain-specific customisation will gravitate toward ISO 31000. None of these choices is wrong — the critical success factor is intentional selection with documented rationale, not defaulting to whatever the compliance consultant happens to recommend.
4. EU-Specific Risk Frameworks: DORA and NIS2
While ISO 31000, NIST RMF, and COSO ERM are voluntary standards that organisations adopt by choice (or customer demand), DORA and NIS2 impose mandatory risk management requirements with regulatory force. Understanding their specific frameworks — and how they interact with voluntary standards — is essential for EU compliance.
DORA Chapter II (Articles 5-16) prescribes the most detailed ICT risk management framework in European law. Article 6 requires financial entities to maintain a comprehensive, documented, and continuously updated ICT risk management framework as part of their overall risk management system. This framework must include strategies, policies, procedures, and ICT protocols necessary to protect all relevant physical components, infrastructure, and ICT assets. Article 7 mandates specific ICT systems documentation, Article 8 requires identification of all ICT-supported business functions and information assets, Article 9 details protection and prevention measures, Article 10 covers detection capabilities, Article 11 addresses response and recovery, and Articles 12-13 cover backup, restoration, and learning processes. Critically, DORA Article 5(2) requires management body members to actively and continuously maintain sufficient knowledge and skills to understand and assess ICT risk — making risk framework governance a personal obligation of board members.
NIS2's risk management requirements are less prescriptive than DORA's but equally mandatory. Article 21(1) requires appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information system security. Article 21(2)(a) specifically lists risk analysis and information system security policies as the first mandatory measure category. Unlike DORA, NIS2 does not prescribe a specific framework structure — it leaves implementation flexibility to entities, subject to the proportionality principle. This means NIS2-obligated organisations have more freedom to choose their framework but must demonstrate that whatever they choose adequately addresses the ten measure categories in Article 21(2).
For organisations subject to both DORA and NIS2 — which includes most EU financial entities, since the banking sector appears in NIS2 Annex I — DORA's lex specialis principle (Article 1(2)) means DORA takes precedence for ICT-related risk management. However, NIS2 may impose additional requirements in areas not fully covered by DORA, such as supply chain security beyond ICT third-party providers, or physical security of network infrastructure. The safe approach is to implement DORA's ICT risk management framework fully and then conduct a gap analysis against NIS2 Article 21 to identify any residual obligations.
DORA's Regulatory Technical Standards (RTS) on ICT risk management, developed by the European Supervisory Authorities, provide granular implementation requirements that go beyond the Level 1 text. Ensure your framework implementation accounts for the final RTS published in the Official Journal, not just the DORA Regulation itself.
5. How to Select the Right Framework
Framework selection should be driven by four factors: regulatory obligation, organisational context, existing maturity, and integration complexity. Start with regulatory obligation — if you are a DORA-obligated financial entity, DORA's Chapter II framework is not optional. If you are an NIS2 essential entity, you need a framework that demonstrably addresses Article 21 measures. Map your regulatory landscape first, then identify which framework requirements are mandatory versus discretionary.
Organisational context matters because frameworks vary in their assumptions about organisational structure, risk culture, and resource availability. COSO ERM assumes a mature governance structure with distinct risk oversight functions — appropriate for large financial institutions but potentially over-engineered for a 200-person technology company. NIST RMF assumes system-level risk categorisation that works well for organisations with clearly defined IT systems but less well for organisations with fluid, cloud-native architectures. ISO 31000 makes the fewest assumptions but also provides the least guidance, requiring more internal expertise to operationalise.
Existing maturity is the most overlooked factor. Organisations that have been managing risk informally — through experienced professionals making sound judgement calls without formal documentation — should not leap directly to DORA-grade framework maturity. Start with ISO 31000's principles to formalise what already works well, then layer on domain-specific requirements incrementally. Conversely, organisations with mature ERM programmes should not treat NIS2 or DORA as requiring a new framework — they should extend their existing framework to cover the new regulatory requirements.
Integration complexity determines long-term sustainability. A framework that exists as a standalone compliance artefact — separate from operational decision-making, disconnected from the organisation's strategy process, maintained by a dedicated team that nobody else interacts with — will atrophy and fail. Choose a framework that integrates naturally into your existing governance structures, risk committees, and reporting lines. DORA Article 5(4) makes this explicit: the ICT risk management framework must be reviewed at least annually, after major ICT incidents, and in light of supervisory observations. A framework that cannot sustain this review cadence because it exists outside normal operations is not fit for purpose.
The recommended approach for most EU organisations is a layered architecture: ISO 31000 as the overarching risk management philosophy, domain-specific frameworks (ISO 27005 for information security, DORA Chapter II for ICT risk in financial services) as the operational layer, and NIS2 Article 21 / DORA technical standards as the compliance verification layer. This provides principled foundations, operational specificity, and regulatory traceability in a single, coherent structure.
6. Implementation Considerations and Common Pitfalls
Implementing a risk management framework is fundamentally a governance exercise, not a technology exercise. The most common failure mode is purchasing a GRC tool, populating it with a risk register, and declaring the framework implemented. A framework is implemented when risk identification feeds into investment decisions, when risk treatment plans are resourced and tracked, when risk appetite statements constrain operational choices, and when the board reviews risk posture with the same rigour it reviews financial performance. Technology enables this; it does not constitute it.
A second common pitfall is framework proliferation. Organisations that acquire different frameworks for different regulatory requirements — one for DORA, another for NIS2, a third for ISO 27001, a fourth for GDPR — end up with duplicated risk registers, conflicting risk scoring methodologies, and no coherent enterprise-wide risk view. The solution is a single risk management process with multiple compliance overlays, not multiple processes with partial overlap. Every risk in the register should be assessed once, treated once, and mapped to all applicable regulatory requirements — not assessed differently depending on which framework the assessor happens to be working in.
Documentation quality determines framework sustainability. EU regulators under both NIS2 and DORA have examination powers that include reviewing risk management documentation. This documentation must demonstrate not just that a framework exists but that it operates: risk assessments were actually performed (with dates, participants, and methodologies recorded), risk treatment decisions were actually made (with rationale, resource allocation, and timelines), and risk reviews actually occurred (with meeting minutes, actions taken, and escalation records). A beautifully designed framework document that was last updated eighteen months ago is worse than a simple spreadsheet that is reviewed monthly.
Finally, plan for framework evolution. The EU regulatory landscape is not static: DORA technical standards are being refined, NIS2 transposition is still underway in several Member States, the EU AI Act introduces new risk management requirements for AI systems, and the Cyber Resilience Act will impose product-level security requirements. Your framework must be designed to absorb new regulatory requirements without wholesale reconstruction. Build modularity into your framework architecture — the core risk process should remain stable even as the specific requirements it addresses expand over time.
Schedule an annual framework alignment review that maps any new or updated EU regulations against your existing framework. This proactive approach prevents the scramble of reactive compliance and ensures new requirements are integrated systematically rather than bolted on as afterthoughts.
Can we use NIST frameworks for EU regulatory compliance?
Yes, with adaptation. NIST frameworks like the CSF and RMF are process-excellent and globally respected. However, they reference US-specific control catalogues (SP 800-53), US federal categorisation schemes (FIPS 199), and US legal requirements. EU organisations should use NIST as a process model while mapping to EU-appropriate controls (ISO 27001 Annex A, NIS2 Article 21 measures, DORA RTS requirements). Regulators will expect controls aligned with EU frameworks, not NIST control families.
Is ISO 27001 certification sufficient for NIS2 compliance?
ISO 27001 covers approximately 70% of NIS2 Article 21 requirements, but it is not sufficient on its own. NIS2 introduces obligations not covered by ISO 27001, including mandatory incident reporting timelines (24-hour early warning, 72-hour notification per Article 23), management body personal accountability (Article 20), and sector-specific supply chain security requirements. ISO 27001 is an excellent foundation, but a NIS2 gap analysis is essential.
How often should we review our risk management framework?
DORA Article 6(5) mandates at least annual review plus reviews after major ICT incidents and supervisory findings. NIS2 does not specify a review cadence, but best practice (and ISO 31000 guidance) is at minimum annually, after significant incidents, following organisational changes, and when the external threat landscape shifts materially. Most well-run EU organisations conduct formal reviews semi-annually with continuous refinement between reviews.
How do we handle risk management across multiple EU jurisdictions?
Maintain a single enterprise risk management framework with jurisdiction-specific overlays. Since NIS2 is a Directive with Member State transposition variations, your framework must accommodate different national requirements (e.g., Germany's NIS2UmsuCG vs France's transposition law). DORA, as a directly applicable Regulation, is consistent across the EU. Document jurisdiction-specific deviations in an annex to your main framework document, and assign local risk owners for Member State-specific requirements.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.