How to Build and Maintain a Risk Register
Complete guide to building and maintaining a cybersecurity risk register for EU organisations. Covers register structure, mandatory fields for NIS2 and DORA compliance, risk scoring methodology, integration with compliance frameworks, and best practices for keeping the register current and actionable.
- 1
Maintain a single, unified risk register across all EU frameworks — recording each risk once with multi-framework mapping rather than maintaining separate registers per regulation.
- 2
Define specific, measurable calibration criteria for impact and likelihood scales to ensure consistent scoring across assessors and assessment cycles.
- 3
Assign named risk owners — specific individuals, not teams or roles — with operational authority to influence each risk and accountability for maintaining the register entry.
- 4
Integrate the risk register into operational workflows (project proposals, change management, incident response, vendor onboarding) to maintain currency without relying solely on periodic reviews.
- 5
Every register entry must be actionable: either under active treatment, formally accepted within risk appetite, or escalated for treatment decision within 90 days.
1. Risk Register Fundamentals and EU Requirements
A risk register is the central repository where an organisation records, tracks, and manages its identified risks. It is not a spreadsheet that sits in a shared drive until audit time — or at least, it should not be. A well-maintained risk register is a living management tool that drives investment decisions, informs board discussions, supports regulatory examinations, and provides the evidence trail that connects risk identification through to treatment and residual risk acceptance.
EU regulations do not use the term 'risk register' explicitly, but they mandate its substance. NIS2 Article 21(2)(a) requires risk analysis and information system security policies — which implies a structured record of identified risks, their assessment, and the policies addressing them. DORA Article 6(1) requires a comprehensive, documented, and continuously updated ICT risk management framework — which cannot exist without a central risk record. ISO 27001:2022 Clause 6.1.2 requires organisations to apply a risk assessment process that identifies information security risks, analyses and evaluates them, and retains documented information about the process and its results. The risk register is the artefact that satisfies all three requirements simultaneously.
The form of the risk register matters less than its content and governance. A spreadsheet can be adequate for a small organisation with fewer than fifty risks. A GRC platform is necessary for large enterprises managing hundreds of risks across multiple business units and jurisdictions. What matters is that the register contains all required fields (discussed in the next section), is accessible to all risk owners, is subject to a defined review cadence, and has clear ownership and governance. A beautifully designed register that nobody updates is worth less than a plain spreadsheet that is reviewed monthly.
For organisations operating under multiple EU frameworks, the risk register should be unified — not fragmented into separate registers for NIS2 risks, DORA risks, GDPR risks, and ISO 27001 risks. A single risk may be relevant to multiple frameworks (a data breach scenario is simultaneously a NIS2 incident, a DORA ICT disruption, a GDPR personal data breach, and an ISO 27001 information security event). Recording it four times in four registers creates maintenance overhead, inconsistency, and the risk of conflicting treatment plans. Record each risk once, with framework mapping fields that indicate which regulations it relates to.
ISO 27001:2022 Clause 6.1.2 note 1 states that the risk assessment process should be consistent, valid, and comparable — meaning your register's scoring methodology must produce repeatable results regardless of who performs the assessment. Invest time in calibration workshops where assessors score the same scenarios and discuss discrepancies.
2. Register Structure and Required Fields
A risk register entry should capture the complete lifecycle of a risk from identification through treatment to residual acceptance. The minimum field set for EU regulatory compliance includes: a unique risk identifier (for traceability and audit trail), risk title and description (a clear, unambiguous statement of what the risk is, not just a category label — 'unauthorised access to customer personal data through compromised third-party API credentials' is a risk; 'access management' is a category), the risk category (cyber, operational, compliance, strategic), the asset or business function at risk, the threat source and vulnerability, the inherent risk score (before controls), the existing controls and their assessed effectiveness, the residual risk score (after controls), the treatment decision (mitigate, transfer, avoid, accept), the treatment plan (if mitigating), the risk owner (the person accountable for managing this risk), applicable regulatory frameworks (NIS2, DORA, ISO 27001, GDPR), the date of last review, and the next scheduled review date.
For DORA-obligated financial entities, additional fields are recommended: the ICT asset or system affected (per Article 7 documentation requirements), the criticality classification of the affected business function (critical, important, or other), the potential impact on financial stability or market participants (per Article 8(3)), and the link to any related ICT third-party service provider (per Article 28 due diligence). These additional fields support the specific reporting and examination requirements that financial supervisors will impose.
For ISO 27001 certification, ensure that each risk entry can be traced to the Statement of Applicability (SoA) — the register should indicate which Annex A controls are relevant to each risk and which are implemented. This traceability is essential during certification audits, where assessors will trace from the SoA to the risk register to the risk assessment methodology to verify that control selection is risk-based rather than arbitrary.
Beyond the minimum field set, consider including: risk velocity (how quickly the risk could materialise after a trigger event — a ransomware attack has high velocity; regulatory change has lower velocity), interconnected risks (which other risks are correlated or causally linked — a supply chain compromise may trigger multiple downstream risks), and key risk indicators (leading metrics that signal whether the risk is increasing or decreasing). These fields transform the register from a static catalogue into a dynamic management tool, though they increase the maintenance burden and should be added incrementally as the organisation's risk maturity increases.
3. Scoring Methodology
The risk scoring methodology determines how consistently and meaningfully your register ranks risks. A methodology that produces scores everyone agrees on is more valuable than a sophisticated methodology that produces scores nobody trusts. The most widely adopted approach for cybersecurity risk is a matrix-based qualitative method: impact and likelihood are each assessed on a defined scale, and the risk score is the product (or a weighted combination) of the two.
Define your impact scale with specific, measurable criteria tied to your organisation's context. A five-level scale might look like: Level 1 (Negligible) — financial impact below EUR 50,000, no regulatory notification required, no service disruption; Level 2 (Minor) — financial impact EUR 50,000-500,000, internal reporting only, service degradation under 4 hours; Level 3 (Moderate) — financial impact EUR 500,000-2 million, regulatory notification potentially required, service disruption 4-24 hours; Level 4 (Major) — financial impact EUR 2-10 million, regulatory notification required, service disruption 1-7 days, media attention likely; Level 5 (Critical) — financial impact exceeding EUR 10 million, regulatory enforcement action, service disruption exceeding 7 days, systemic impact on sector. These thresholds should be calibrated to your organisation's size, revenue, and risk appetite — the EUR 50,000 lower bound that is negligible for a large bank is significant for a 100-person technology company.
Likelihood assessment should incorporate both historical data and forward-looking threat intelligence. A five-level scale: Level 1 (Rare) — unlikely to occur in the next 3 years; Level 2 (Unlikely) — may occur once in 3 years; Level 3 (Possible) — may occur once per year; Level 4 (Likely) — expected to occur multiple times per year; Level 5 (Almost Certain) — expected to occur monthly or more frequently. Calibrate these levels with reference to industry data — ENISA's annual statistics, sector-specific incident data from financial sector ISACs or national CSIRTs, and your own historical incident records.
The distinction between inherent risk (before controls) and residual risk (after controls) is essential for demonstrating control effectiveness and justifying investment. For each risk, first score the inherent risk assuming no controls exist, then document the controls in place and their assessed effectiveness, and finally score the residual risk. The gap between inherent and residual risk is the control effectiveness — the value your security programme is delivering. If inherent and residual risk scores are similar, your controls are not adequately mitigating the risk and either the controls or the risk treatment plan needs to be revised. This inherent-to-residual progression is particularly valuable for board reporting: it quantifies what the security programme is achieving and identifies where further investment would have the greatest impact.
4. Integration with Compliance Frameworks
A risk register that operates in isolation from your compliance frameworks creates duplicated effort and misaligned priorities. The register should be the single source of truth for risk-based decision-making, and compliance frameworks should draw from it rather than maintaining parallel risk views.
For NIS2 compliance, map each risk in your register to the relevant Article 21(2) measure categories. This mapping serves two purposes: it demonstrates to supervisory authorities that your measures are risk-based (not just a checkbox implementation of the ten categories), and it identifies measure categories where your risk register contains no entries (indicating potential gaps in your risk identification process). If your register contains no risks related to supply chain security, for example, you either have an extraordinarily secure supply chain or — more likely — a gap in your risk identification process that should be addressed before supervisory examination.
For DORA compliance, the integration is tighter. DORA Article 6(1) requires the ICT risk management framework to include strategies for managing ICT risk in accordance with the entity's risk appetite and tolerance. Your risk register should directly support this: each ICT risk entry should indicate whether the residual risk falls within or exceeds the risk appetite threshold, and risks exceeding the threshold should be flagged for management body attention. The register should also support DORA's incident classification requirements (Article 18) by linking risks to incident scenarios, enabling rapid classification when incidents occur.
For ISO 27001, the risk register is the foundation of the Statement of Applicability. Clause 6.1.3(c) requires organisations to determine which Annex A controls are necessary for risk treatment. This determination must be traceable to the risk assessment — you cannot select or exclude Annex A controls without a documented risk basis. Maintain a direct link between risk register entries and SoA lines so that certification auditors can trace the logic from risk identification through assessment to control selection.
For GDPR, risk register entries involving personal data should be linked to your Record of Processing Activities (Article 30) and to any DPIAs performed (Article 35). This linkage ensures that privacy risks are managed consistently with cybersecurity risks and that DPIA treatment plans do not conflict with the broader risk treatment strategy. A common integration failure is maintaining separate GDPR risk registers (often managed by the DPO) and cybersecurity risk registers (often managed by the CISO) — this leads to inconsistent scoring, duplicated mitigation efforts, and gaps in the intersection between privacy and security.
Use your risk register as the bridge between compliance frameworks by adding a multi-framework mapping field. When a risk is relevant to NIS2, DORA, and GDPR simultaneously, a single treatment plan addresses all three regulatory obligations — reducing compliance effort by 40-60% compared to framework-siloed approaches.
5. Maintaining a Living Risk Register
A risk register that is updated once a year for audit purposes is a compliance artefact, not a management tool. Converting it into a living document requires three structural changes: defined trigger events for updates, assigned ownership with accountability, and integration into operational workflows.
Trigger events should include: discovery of new threats or vulnerabilities (from threat intelligence feeds, vulnerability scans, or incident reports), significant changes to the IT environment (new systems, decommissioned systems, major configuration changes, cloud migrations), organisational changes (new business lines, geographic expansion, mergers or divestitures), regulatory changes (new requirements, supervisory guidance, enforcement decisions), security incidents (whether at your organisation or at comparable entities in your sector), and the results of audits, penetration tests, or compliance assessments. Each trigger should prompt a review of affected risk register entries and potentially the identification of new risks.
Risk ownership is the single most important factor in register maintenance. Each risk must have a named owner — not a team, not a department, not a role, but a specific individual who is accountable for monitoring the risk, maintaining the register entry, progressing the treatment plan, and escalating when the risk exceeds tolerance. Risk owners should be the people with the operational authority to influence the risk — typically business function leaders or system owners, not the risk management team. The risk management team facilitates, challenges, and aggregates — they do not own the risks themselves.
Integrate the register into operational workflows. New project proposals should include a risk register impact assessment: does this project introduce new risks or change existing ones? Change management processes should include a risk register checkpoint: does this change affect the residual risk score of any registered risk? Incident response playbooks should include a risk register update step: does this incident reveal a new risk or change the assessment of an existing one? Vendor onboarding should include a risk register entry for any significant third-party dependency. The more touch points the register has with daily operations, the more current and accurate it remains.
Conduct formal risk register reviews at a defined cadence. Monthly reviews by the risk management team should verify that all entries are current, all treatment plans are on track, and no trigger events have been missed. Quarterly reviews by senior leadership should evaluate the top risks, review risk appetite alignment, and make treatment priority decisions. Annual reviews should reassess the entire register from scratch — not just updating existing entries but re-evaluating whether the risk landscape has fundamentally shifted in ways that the incremental updates may have missed. Document these reviews with attendees, decisions made, and actions assigned.
A stale risk register is worse than no register at all. It creates false assurance — leadership and regulators believe risks are managed because a register exists, but the register does not reflect the current reality. If you cannot maintain a comprehensive register, maintain a smaller one that covers your top 20 risks with rigorous currency rather than a comprehensive one that nobody updates.
6. Common Mistakes and How to Avoid Them
The most common mistake in risk register management is confusing risks with controls, threats, or vulnerabilities. 'We do not have multi-factor authentication' is not a risk — it is a control gap. 'Ransomware' is not a risk — it is a threat. 'Unpatched Apache servers' is not a risk — it is a vulnerability. A risk is a scenario that combines a threat, a vulnerability, and an impact: 'Ransomware operators exploit unpatched public-facing web servers to encrypt production databases, causing 72 hours of service disruption and triggering NIS2 incident notification obligations.' When register entries are poorly formulated, risk scoring becomes meaningless, treatment plans become generic, and the register fails to drive specific action.
A second common mistake is score inflation or deflation driven by cognitive biases. Risk owners tend to underestimate the likelihood and impact of risks in their domain (optimism bias and ownership bias), while external assessors may overestimate risks they do not fully understand (availability bias). Mitigate these biases through calibration workshops where multiple assessors score the same scenarios independently and then discuss their reasoning. If three assessors score a risk as 'possible' and one scores it as 'rare', the outlier must justify their assessment with evidence — not just intuition.
A third mistake is treating the register as a static inventory rather than a decision-support tool. Every entry in the register should be actionable: either it has a treatment plan in progress, or it has been formally accepted within risk appetite, or it is under review for treatment selection. Entries that sit in the register for years with no treatment decision and no formal acceptance represent governance failures. Set a maximum 'age without decision' threshold — any risk that has been in the register for more than 90 days without a treatment decision should be escalated to the risk committee.
Finally, avoid the trap of register proliferation. Large organisations frequently maintain separate registers for different risk domains (cyber, operational, compliance, strategic), different business units, or different regulatory requirements. This fragmentation makes it impossible to compare risks across domains, identify correlated risks, or present a coherent risk picture to the board. Maintain a single, unified register with category and framework tags that enable filtered views for different audiences. A CISO should be able to filter for cybersecurity risks, a compliance officer for DORA-relevant risks, and a board member for the top twenty enterprise risks — all from the same register.
How many risks should a risk register contain?
There is no correct number, but practical limits matter. A register with fewer than 20 entries for a medium-sized EU organisation is likely incomplete. A register with more than 200 entries is likely unmanageable without dedicated GRC tooling. Most organisations find that 40-80 cybersecurity risks, assessed at the scenario level (not the vulnerability level), provides sufficient coverage without overwhelming the review process. Start with your most critical business functions and the most material threat scenarios, then expand incrementally.
Should we use a GRC tool or a spreadsheet?
For organisations with fewer than 50 risks, a single regulatory framework, and a small compliance team, a well-structured spreadsheet is adequate. For organisations with multiple frameworks (NIS2 + DORA + ISO 27001), more than 50 risks, multiple business units, or regulatory examination expectations, a GRC tool provides essential capabilities: workflow automation, audit trails, framework mapping, dashboard reporting, and multi-user collaboration. The tool is not the programme — but beyond a certain complexity, the tool becomes necessary to sustain the programme.
How do we handle residual risks that exceed our risk appetite?
Risks exceeding risk appetite require one of three responses: additional mitigation (implement further controls to reduce residual risk below the appetite threshold), risk appetite adjustment (if the board determines that the current appetite is unrealistically low for a specific risk category, they may formally increase it with documented rationale), or escalation and acceptance (the management body formally accepts the exceedance with a documented justification, timeline for resolution, and review date). Under DORA Article 6(8), the management body must approve risk tolerance levels — accepting risks above appetite is a board-level decision, not a CISO decision.
How often should the risk register be reviewed?
Implement a three-tier review cadence: monthly operational reviews by the risk management team (verify currency, track treatment plans, process trigger events), quarterly strategic reviews by senior leadership (evaluate top risks, assess appetite alignment, make priority decisions), and annual comprehensive reviews (reassess the entire register, recalibrate scoring methodology, update threat landscape assumptions). Additionally, trigger-based reviews should occur whenever significant changes, incidents, or new intelligence warrant immediate update.
Can risk register data be shared with regulators?
Yes, and you should expect it. NIS2 supervisory authorities have examination powers that include requesting documentation on risk management measures. DORA competent authorities can request ICT risk management documentation, including risk registers, during ongoing supervision or on-site inspections. Design your register with regulatory examination in mind: ensure entries are professionally documented, scoring rationale is recorded, treatment decisions are justified, and no informal notes or internal shorthand could be misinterpreted. Consider maintaining a 'regulatory-ready' export format that presents register data in a structured, auditable format.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.