GDPR fines in Poland are already reaching tens of millions of zlotys, and the NIS2 Directive is adding personal liability for board members to the mix. The era where compliance was merely a boring appendix to an annual report is over. Today, it is a high-stakes management tool that protects not only the company’s finances but also the careers of its decision-makers.
In this article, we deconstruct gap analysis within the landscape of GDPR, NIS2, DORA, and ISO. We demonstrate how to merge these requirements into a single, cohesive system, how to avoid “paper compliance,” and why – without the involvement of process owners – any analysis is simply a waste of time.
- 1. Board liability and the real risk of non-compliance
- 2. What is compliance gap analysis in practice?
- 3. The role of analysis in risk management and internal control systems
- 4. Scope of the analysis: what is actually evaluated?
- 5. Regulations and standards that are accounted for in the analysis
- 5.1. GDPR – data protection and accountability
- 5.2. NIS2 – cybersecurity and incident management
- 5.3. DORA – operational resilience in the financial sector
- 5.4. ISO/IEC 27001, 27701 and 22301 – a systemic approach to security and privacy
- 5.5. The possibility of a single integrated approach to multiple regimes
- 6. How to use gap analysis results in management decisions
- 7. Common pitfalls to avoid in compliance gap analysis
Board liability and the real risk of non-compliance
For some, a compliance gap analysis might seem like a mere formality. However, for a Management Board, it should be a rigorous control tool used to realistically assess where the company falls short of GDPR, NIS2, or DORA requirements. Ignoring these gaps is a direct path to financial penalties and, worse, a permanent loss of market reputation.
Financial sanctions and personal liability
The numbers speak for themselves, but the devil is in the details. In 2024, GDPR fines totalled €1.2 billion – and while this was a decrease from the previous year, giants like LinkedIn (a €310 million fine) felt the sting of non-compliance. Yet, it isn’t just the company’s money at stake.
The NIS2 Directive and the DORA Regulation are changing the game by making the management body itself accountable. Under NIS2, essential entities face fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher, and supervisory authorities can temporarily ban individuals at CEO or legal-representative level from exercising management functions. DORA leaves the penalty regime to the member states, but it places responsibility for ICT risk management squarely on the management body. Meanwhile, a lack of compliance with ISO 27001, though it won’t result in a government fine, can lead to the loss of key contracts and certifications. In practice, compliance has become an insurance policy for professional positions and market standing.
Operational, reputational, and contractual risk
Non-compliance also raises operational risk. A single successful cyberattack can paralyse IT systems. In the financial sector covered by DORA, this could mean a loss of business continuity with severe consequences.
Consequently, a gap analysis must go beyond a document review; it must prove whether the organisation is truly resilient. In this context, NIS2 requirements and standards like ISO 27001 and ISO 22301 (business continuity) are essential for organising information security.
Reputational risk emerges the moment a data breach occurs. An administrative fine is only part of the problem – the loss of trust from customers and partners can be just as damaging. Recent decisions by supervisory authorities show that accountability can extend directly to individual board members.
Rising pressure from regulators
Today, even a minor compliance gap is a risk that can no longer be swept under the rug. Regulators like the European Banking Authority (EBA) and the European Data Protection Board (EDPB) have made it clear: the Board must actively participate in cybersecurity management, not just delegate it to the IT department.
The time for occasional reviews has passed. DORA mandates regular resilience testing, and NIS2 requires entities to assess the effectiveness of their risk-management measures and to report significant incidents within fixed deadlines. For companies, this means investing in monitoring and detection capabilities because the bar for compliance has been set exceptionally high. In this confrontation with regulators, a gap analysis is the most reliable way to avoid being blindsided by new requirements.
What is compliance gap analysis in practice?
Compliance gap analysis is the process of identifying discrepancies between the organisation’s current state and regulatory requirements. By acknowledging existing gaps, companies can focus on building an effective compliance management system.
Comparing the current state with GDPR, NIS2, DORA, and ISO
This involves benchmarking current practices against data protection (GDPR), cybersecurity (NIS2), operational resilience (DORA), and systemic approaches (ISO). It evaluates processes, documentation, and safeguards to identify missing elements, such as incident reporting mechanisms.
To turn findings into management decisions, the analysis follows five key steps:
1. Identification and specification of regulatory requirements
The first step is to compile all obligations into a concrete, measurable format. This involves identifying precise requirements, such as the mandatory incident reporting timelines under NIS2 or the operational resilience testing required by DORA. For standards like ISO 27001 and ISO 22301, this means mapping out specific controls and systemic requirements.
2. Verification of the organisation’s actual state
Next, the organisation’s practical operations are put to the test. This includes interviews with process owners, documentation reviews, log analysis, and testing of selected mechanisms. The goal is to verify if incident reporting procedures actually function, if processing registers are up to date, and if technical safeguards are fully implemented and utilised.
3. Precise definition of the compliance gap
Every non-conformity must be described unambiguously. For example, instead of a vague statement about a “lack of security,” the analysis should pinpoint a specific gap, such as the absence of a formal NIS2-compliant incident reporting procedure or an incomplete Record of Processing Activities required by GDPR.
4. Risk and potential consequence assessment
Each gap must be linked to a specific risk. This could range from administrative fines under NIS2 or DORA to the cost of operational downtime under ISO 22301, or even the loss of a contract requiring ISO 27001 certification. Risk assessment enables prioritisation, highlighting which areas require immediate intervention.
5. Development of a corrective action plan
The final stage is the preparation of a remediation plan. For every gap identified, you must define the scope of action, the person responsible, the implementation deadline, and the estimated budget. Only then does a compliance gap analysis transform into a management tool that effectively mitigates legal, operational, and contractual risks, rather than remaining a mere archival report.
The role of analysis in risk management and internal control systems
Compliance gap analysis should be an integral component of the risk management and internal control system. Its findings are fed into the risk register and directly influence decisions regarding priorities, budgets, and accountability.
In practice, this means linking identified gaps with existing control mechanisms. Mapping controls to requirements such as ISO 27001, ISO 22301, NIS2, or DORA allows the organisation to verify which areas are adequately secured and which require reinforcement. Each review cycle provides data on control effectiveness, enabling a swift response to changes in regulations, organisational structure, or technology.
Scope of the analysis: what is actually evaluated?
Responsibility and oversight structure
A compliance gap analysis is, first and foremost, a deep dive into how responsibility is distributed within the organisation. In light of new regulations, the Management Board has become the central focal point of the audit.
The NIS2 Directive is explicit: the Board must “get in the game.” Simply signing off on a security policy is no longer sufficient. The gap analysis now verifies whether executive management actually approves risk management measures and actively oversees their implementation. Crucially, we also examine the so-called “competency gap” – verifying whether board members undergo training that lets them understand the impact of cyber threats on the company’s stability.
In the case of the DORA Regulation, we go a step further into the financial dimension. The gap analysis includes an assessment of whether the Board allocates appropriate budgets for digital resilience and training. We check if ICT roles are clearly defined and whether Business Continuity Plans (BCP) are based on real-world scenarios rather than being mere “dead” documents. The auditor scrutinises decision-makers to ensure, among other things, that reports actually reach the Board and that risk-related decisions are thoroughly documented.
Procedures, policies, and real-world applications
A gap analysis must go beyond the simple question: “Do we have this procedure?” According to NIS2 and ENISA guidelines, the key lies in evidence that policies actually work. An auditor isn’t just looking for a PDF file; they are looking for board approvals, change logs, and concrete evidence of incident handling or supply chain security.
With DORA, the matter is even more straightforward. Risk management frameworks must be reviewed at least once a year. This review serves as a direct checkpoint – it must incorporate findings from resilience tests and previous audits. If your documentation does not evolve alongside real-world threats, a gap analysis will immediately expose it.
Technical and organisational measures
A compliance assessment must cover both technical safeguards and organisational solutions. Under GDPR, the benchmark is the requirement to ensure a “level of security appropriate to the risk” as stated in Article 32. This includes verifying measures such as pseudonymization, encryption, and ensuring the confidentiality, integrity, availability, and resilience of data processing systems.
In NIS2, technology and organisation are inseparable. The risk-management measures listed in Article 21(2) include, among others:
- Policies on the use of cryptography and, where appropriate, encryption
- Access control policies
- Asset management
- Multi-factor authentication or continuous authentication solutions, where appropriate
DORA further expands the scope of evaluation to “critical and important functions” within the financial sector. ICT risk management frameworks are designed to protect information assets, systems, networks, and infrastructure components that support key business processes.
Testing the effectiveness of control mechanisms
Testing control mechanisms allows for an assessment of whether safeguards actually mitigate risk. Article 32 of the GDPR requires regular testing and measurement of the effectiveness of technical and organisational measures. A mere list of controls is not enough.
NIS2 follows the same path. It requires having policies and procedures in place to assess the effectiveness of risk management measures. This translates into an obligation for systematic measurement and reporting of results.
Guidelines from the European Union Agency for Cybersecurity (ENISA) point to practical methods such as self-assessments, vulnerability analyses, penetration tests, audits, and monitoring. The key is assigning responsibility for measurement and the subsequent analysis of results.
Furthermore, DORA introduces an obligation to test digital operational resilience. Financial entities must conduct regular testing of systems supporting critical or important functions – as a rule, at least once a year.
Regulations and standards that are accounted for in the analysis
The regulatory scope of a gap analysis should stem from two decisions. The first concerns which legal regimes apply to the business profile. The second involves which standards the organisation treats as a benchmark for its management system. NIS2 and DORA also contain mechanisms that limit the duplication of obligations between sectoral regimes.
GDPR – data protection and accountability
GDPR is not solely about data protection. The ability to demonstrate compliance (the accountability principle) is equally important. Therefore, a gap analysis must examine not only the security measures themselves but also whether their effectiveness is regularly tested, as Article 32 requires. The foundation lies in the records of processing activities (Article 30) and DPIAs (Data Protection Impact Assessments, Article 35) for high-risk processing. This is the “evidentiary minimum” that must be in order, regardless of the company’s technological advancement.
NIS2 – cybersecurity and incident management
The Directive imposes an obligation on the management board to approve and oversee protection measures, but the real test is response time. Essential and important entities have only 24 hours from becoming aware of a significant incident to send an early warning, 72 hours to submit an incident notification with an initial assessment, and one month to deliver the final report. An incident is significant when it causes or is capable of causing severe operational disruption or financial loss, or when it affects or is capable of affecting other persons by causing considerable damage. A gap analysis must, therefore, relentlessly expose whether a company can detect and classify an incident within such a short time window.
The arguments for implementing changes are exceptionally strong. For essential entities, fines can reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, at least €7 million or 1.4%. At such stakes, gap analysis ceases to be an IT project and becomes a priority on the board’s agenda, protecting not only infrastructure but also the company’s finances.
DORA – operational resilience in the financial sector
DORA has applied since 17 January 2025 and serves as a key benchmark for financial institutions. In practice, a compliance gap analysis in this sector must include DORA requirements as a central element of the assessment.
The most important regulatory areas are:
- ICT risk management frameworks.
- Digital resilience testing. At least annual testing of systems supporting critical or important functions, and threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority.
- ICT third-party risk.
- Sanctions and supervision.
An analysis framed this way allows for an assessment of not only formal compliance with DORA but also the organisation’s real operational resilience.
ISO/IEC 27001, 27701 and 22301 – a systemic approach to security and privacy
It’s worth noting here that ISO/IEC standards, while not legally binding, often form the foundation of a compliance system in the area of security and privacy.
Key elements include:
ISO/IEC 27001 – Information Security Management System (ISMS)
Specifies requirements for establishing, implementing, maintaining, and improving an information security management system. It provides an organised structure that can support demonstrating compliance with GDPR, NIS2, and DORA, provided controls are properly mapped to regulatory requirements.
ISO/IEC 27701 – Privacy Information Management System (PIMS)
Extends ISO 27001 into the area of privacy and is aimed at data controllers and processors. It allows for the consistent integration of GDPR requirements into an existing management system. When performing a gap analysis, it is advisable to clearly state which edition of the standard serves as the benchmark.
ISO 22301 – Business Continuity Management System (BCMS)
Defines the principles for planning, implementing, and improving business continuity. It can be directly linked to NIS2 continuity requirements and DORA obligations regarding ICT continuity policies and recovery plans.
The possibility of a single integrated approach to multiple regimes
Instead of building separate “silos” for GDPR, NIS2, and DORA, it is worth opting for a common management architecture. EU regulations, much like Annex SL in ISO standards, actually encourage integration. The key is a single risk model and a shared library of controls.
Integration is best based on three layers:
- Governance – a consistent budget, training, strategy, mission, policies, and procedures for the entire organisation (NIS2 and DORA requirements).
- Operational processes – including, among others, the alignment of incident and supply chain management.
- Effectiveness control – shared resilience tests and metrics that are reported to various authorities simultaneously.
This is the most effective way to reduce costs and avoid bureaucratic chaos: one piece of evidence, such as a penetration test report, can then serve GDPR Article 32, NIS2 Article 21 and DORA testing obligations at the same time.
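To make the five-step procedure and the shared control library concrete, here is an added example that is not part of the original article. It models a small control crosswalk: each control can satisfy requirements from several regimes at once, a gap is recorded when a control has no owner, no evidence, or evidence older than its freshness window (for instance, a penetration test report older than the annual cycle DORA expects), and each gap is scored as likelihood × impact and given an owner and deadline for the action plan. The control identifiers, article references chosen as examples, impact scores, deadline rules and evidence records are all constructed for illustration and are not a prescribed scoring method.

```python
"""Control crosswalk with evidence-based gap scoring.

Added example, not from the original article. One shared control library
serves several regimes; gaps are derived from missing owners and missing or
stale evidence, then scored and ordered for the remediation plan. All
identifiers, impact scores, SLA rules and evidence records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    regime: str   # "GDPR", "NIS2", "DORA", "ISO27001"
    ref: str      # article or clause cited (illustrative)
    impact: int   # assumed 1..5 consequence score if the requirement is not met


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    owner: Optional[str]               # None = accountability gap
    satisfies: tuple[Requirement, ...]
    max_age_days: int                  # evidence older than this counts as stale


@dataclass(frozen=True)
class Evidence:
    cid: str
    kind: str                          # e.g. "pentest report", "tabletop record"
    produced: date


# Assumed likelihood weights: no evidence at all is worse than stale evidence.
LIKELIHOOD = {"missing": 3, "stale": 2, "current": 1}


def evidence_status(control: Control, evidence, today: date) -> str:
    """Return 'current', 'stale' or 'missing' for the control's newest evidence."""
    dates = [e.produced for e in evidence if e.cid == control.cid]
    if not dates:
        return "missing"
    age = (today - max(dates)).days
    return "stale" if age > control.max_age_days else "current"


def find_gaps(controls, evidence, today: date) -> list[dict]:
    """Gaps sorted by descending score, each with owner, deadline and regimes hit."""
    gaps = []
    for c in controls:
        status = evidence_status(c, evidence, today)
        reasons = []
        if status != "current":
            reasons.append(f"evidence {status}")
        if c.owner is None:
            reasons.append("no owner assigned")
        if not reasons:
            continue
        score = LIKELIHOOD[status] * max(r.impact for r in c.satisfies)
        # Assumed SLA: gaps scoring 10 or more close within 30 days, the rest within 90.
        deadline = today + timedelta(days=30 if score >= 10 else 90)
        gaps.append({
            "cid": c.cid,
            "reasons": reasons,
            "score": score,
            "owner": c.owner or "UNASSIGNED",
            "deadline": deadline,
            "regimes": sorted({r.regime for r in c.satisfies}),
        })
    gaps.sort(key=lambda g: (-g["score"], g["cid"]))
    return gaps


def coverage_by_regime(controls, gaps) -> dict[str, tuple[int, int]]:
    """Per regime: (requirements met by at least one gap-free control, total requirements)."""
    gap_ids = {g["cid"] for g in gaps}
    total: dict[str, set] = {}
    met: dict[str, set] = {}
    for c in controls:
        for r in c.satisfies:
            total.setdefault(r.regime, set()).add(r.ref)
            if c.cid not in gap_ids:
                met.setdefault(r.regime, set()).add(r.ref)
    return {reg: (len(met.get(reg, ())), len(refs)) for reg, refs in total.items()}


# Constructed sample: three controls, two of them deficient.
TODAY = date(2025, 6, 1)
CONTROLS = (
    Control("C-IR-01", "Incident detection and 24h early warning", "SOC lead",
            (Requirement("NIS2", "Art. 23", 5), Requirement("DORA", "Art. 19", 5),
             Requirement("ISO27001", "A.5.24", 3)), 365),
    Control("C-TST-01", "Annual resilience and penetration testing", "CISO",
            (Requirement("DORA", "Art. 24", 5), Requirement("GDPR", "Art. 32(1)(d)", 4),
             Requirement("NIS2", "Art. 21(2)(f)", 4)), 365),
    Control("C-ROPA-01", "Records of processing activities", None,
            (Requirement("GDPR", "Art. 30", 3),), 365),
)
EVIDENCE = (
    Evidence("C-IR-01", "tabletop exercise record", TODAY - timedelta(days=100)),
    Evidence("C-TST-01", "pentest report", TODAY - timedelta(days=400)),  # stale
)

if __name__ == "__main__":
    gaps = find_gaps(CONTROLS, EVIDENCE, TODAY)
    for g in gaps:
        print(f"{g['cid']:10} score={g['score']:2} owner={g['owner']:11} "
              f"due={g['deadline']} {', '.join(g['reasons'])} [{'/'.join(g['regimes'])}]")
    print(coverage_by_regime(CONTROLS, gaps))
```

Two things the output makes visible that a document review would not: the stale penetration test outranks the missing processing register because it touches three regimes with a higher impact score, and the coverage summary shows that one gap-free control (the incident process) already satisfies a NIS2, a DORA and an ISO requirement at once, which is the whole point of a shared control library.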
How to use gap analysis results in management decisions
The results of the analysis translate into specific decisions, supporting strategic management.
Prioritisation of remedial actions based on risk level
After the gap analysis, you will receive a specific list of problems. It is impossible to fix everything at once, which is why a hierarchy is crucial. GDPR, NIS2, and DORA require actions that are proportionate to the threats. In the first instance, you must address what realistically threatens business continuity.
Systemic gaps are the most dangerous. If a company cannot quickly detect an attack, it has no chance of sending the 24-hour early warning required by NIS2, let alone the 72-hour incident notification. Such deficiencies land on the management board the fastest. In this case, prioritisation is simply a matter of managing the company’s legal exposure.
Action plan with defined responsibility and budget
The gap analysis report must become a plan for specific actions. DORA imposes a clear obligation on the management board: it is the leadership that allocates funds for digital resilience and designates individuals responsible for specific areas. Similarly, NIS2 requires management not only to approve procedures, but also to oversee their implementation.
Every identified gap needs an “owner,” a budget, and a remediation deadline. The plan should immediately specify how we will verify the effects – what exactly we are measuring, who is doing it, and when the results will return to the board’s desk. Only such an approach allows dry audit findings to be turned into a real increase in security.
Reporting to the management board and supervisory board
The results of the compliance gap analysis should be presented in a way that supports management decisions. The report must show the risk level, potential consequences, and necessary actions – for example, IT investments resulting from NIS2 or DORA requirements.
Regulations clearly define the role of the management body. NIS2 requires the board to be able to assess risk, while DORA mandates the maintenance of competencies in the area of ICT risk.
A good solution is an annual report linked to a review of the ICT risk management framework, covering test results, audits, and a remediation action plan.
Common pitfalls to avoid in compliance gap analysis
Analysis limited to documentation
The biggest mistake is limiting the analysis solely to a document review. GDPR, NIS2, and DORA require evidence that safeguards are actually functioning, rather than just existing in a server folder. If a gap analysis does not examine how controls are tested and whether the results are acted upon, it does not answer the question the regulations actually ask.
It is worth adopting the ENISA model from the outset and collecting “hard evidence” such as system logs, penetration test reports, or security review records. Documentation is merely a declaration of intent – only the verification of its execution allows for a reliable assessment of the organisation’s compliance status.
Lack of engagement from process owners
A gap analysis conducted in isolation from the business is useless. NIS2 and DORA impact operational processes – from the supply chain to incident handling – so it is impossible to scrupulously assess the situation without the involvement of their actual owners. They are the ones who know how procedures work in practice and where the real flashpoints lie.
In large companies, the issue of separation of functions also comes into play. DORA requires a clear separation between ICT risk management, control, and internal audit functions. In practice, this means that a gap analysis must involve multiple departments simultaneously, and, in accordance with the principle of Segregation of Duties (SoD), the people auditing a process must not be the ones operating it. If business process owners are missing, the audit will not capture actual risks, but merely a “paper version” of them.
Reports without a real implementation plan
A report without implementation decisions quickly loses its value. DORA requires that issues identified during testing be prioritised and remediated. It also mandates internal validation methods to ensure weaknesses have been eliminated. Similarly, NIS2 provides for supervisory measures that may include an order to implement recommendations stemming from a security audit.