One NIS2 control covers GDPR, DORA and ISO 27001
For each of the 10 NIS2 areas you will find the closest counterpart in GDPR, DORA and ISO/IEC 27001:2022, including estimated coverage in percent and a reference to the specific article.
Average coverage of other frameworks if you implement NIS2
The numbers answer the question: "If I fully comply with NIS2, how much of a given framework do I have covered automatically?" Each value is the average across the 10 areas in the matrix below.
Regulation (EU) 2016/679
Regulation (EU) 2022/2554
ISO/IEC 27001:2022
AICPA TSC 2017 (Security + Availability + Confidentiality)
NIST Cybersecurity Framework 2.0 (Feb 2024)
CIS Critical Security Controls v8 (May 2021)
HIPAA Security Rule 45 CFR §§ 164.302-318
PCI DSS v4.0 (March 2022)
NIS2 → GDPR × DORA × ISO 27001 matrix
Each NIS2 area is mapped to a reference article (or control) in every other framework in the table, together with a coverage estimate. The three named frameworks are joined by SOC 2, NIST CSF 2.0, CIS Controls v8, the HIPAA Security Rule and PCI DSS v4.0.
| Area | NIS2 | GDPR | DORA | ISO 27001 | SOC 2 | NIST CSF 2.0 | CIS v8 | HIPAA | PCI DSS v4.0 |
|---|---|---|---|---|---|---|---|---|---|
| Governance and leadership | Art. 20 | 70% Art. 24 + 32(4) | 95% Art. 5 | 85% A.5.1-5.4 | 80% CC1.1-1.5, CC2.1-2.3 | 95% GV.OC, GV.RR | 45% Implementation Group context | 60% § 164.308(a)(2) | 55% Req. 12.1, 12.4 |
| Risk management | Art. 21(1)-(2) | 65% Art. 32(1) + 35 | 100% Art. 6-16 | 95% A.5.7, 5.9, Clause 6 | 90% CC3.1-3.4 | 100% ID.RA, GV.RM | 70% CIS 1, 2, 11 | 85% § 164.308(a)(1)(ii)(A)-(B) | 70% Req. 12.3 |
| Incident handling | Art. 23 | 75% Art. 33-34 | 100% Art. 17-23 | 90% A.5.24-5.28 | 85% CC7.3-7.5 | 95% DE.*, RS.* | 90% CIS 17 | 85% § 164.308(a)(6), § 164.400-414 | 80% Req. 12.10 |
| Business continuity | Art. 21(2)(c) | 55% Art. 32(1)(c) | 100% Art. 11-14 | 100% A.5.29-5.30 | 90% A1.1-1.3, CC9.1 | 95% RC.RP, RC.CO, ID.IM-04 | 80% CIS 11 | 90% § 164.308(a)(7) | 45% Req. 9.4.1, 12.10.1 |
| Supply chain security | Art. 21(2)(d) | 75% Art. 28 + 46 | 100% Art. 28-30 | 95% A.5.19-5.23 | 80% CC9.2 | 95% GV.SC | 85% CIS 15 | 80% § 164.308(b), § 164.314(a) | 85% Req. 12.8, 12.9 |
| Access control | Art. 21(2)(i), (j) | 65% Art. 32(1)(b) | 95% Art. 9 | 100% A.5.15-5.18, 8.2-8.5 | 95% CC6.1-6.3 | 100% PR.AA | 95% CIS 5, 6 | 90% § 164.308(a)(3)-(4), § 164.312(a)-(d) | 100% Req. 7, 8 |
| Cryptography | Art. 21(2)(h) | 70% Art. 32(1)(a) | 95% Art. 9(2) | 100% A.8.24 | 85% CC6.7, C1.1-1.2 | 95% PR.DS-01, PR.DS-02 | 80% CIS 3 | 75% § 164.312(a)(2)(iv), § 164.312(e)(2)(ii) | 95% Req. 3, 4 |
| Awareness and training | Art. 20(2) | 40% Art. 39(1)(b) | 80% Art. 13(6) | 95% A.6.3, Clause 7.3 | 75% CC1.4, CC2.2 | 95% PR.AT | 95% CIS 14 | 80% § 164.308(a)(5) | 70% Req. 12.6 |
| Personnel security | Art. 21(2)(i) | 55% Art. 29 + 32(4) | 70% Art. 5(2)(e) | 100% A.6.1-6.8 | 70% CC1.4, CC6.2 | 80% PR.AA-01, PR.AA-03, GV.RR-04 | 60% CIS 5, 6 | 70% § 164.308(a)(3)(ii), § 164.308(a)(4)(ii) | 55% Req. 12.7 |
| Asset management | Art. 21(2)(i) | 60% Art. 30 | 100% Art. 8 | 100% A.5.9-5.14, 8.1 | 80% CC6.1, C1.1 | 100% ID.AM | 100% CIS 1, 2, 3.1 | 55% § 164.310(d) | 70% Req. 9.4.5, 12.5.1 |
Detail by area
Governance and leadership
NIS2 Art. 20: accountability of the management body, management training, a documented security strategy.
GDPR: Controller accountability + technical/organisational measures overlap with management oversight; GDPR does not require personal board training.
DORA: ICT risk management framework with explicit management-body accountability — near-identical to NIS2 Art. 20.
ISO 27001: Policies, roles, responsibilities, management commitment — covers governance with similar rigour.
SOC 2: Control Environment (governance, board oversight) + Communication — similar to NIS2 Art. 20 management responsibility.
NIST CSF 2.0: Govern function — Organizational Context (GV.OC) + Roles, Responsibilities and Authorities (GV.RR). The Govern function is new in CSF 2.0 (February 2024).
CIS v8: CIS Controls v8 are technical-first — governance / management-body accountability is implied via Implementation Group selection but is not an explicit control.
HIPAA: Security Official designation (Assigned Security Responsibility, § 164.308(a)(2)) — narrower than NIS2 management-body accountability; no board-training mandate.
PCI DSS v4.0: Requirement 12.1 — security policy governance + 12.4 executive management accountability. Scope limited to the cardholder data environment (CDE).
Risk management
NIS2 Art. 21(1)-(2): risk assessment methodology, risk register, treatment plans and risk acceptance criteria.
GDPR: Risk-based security (Art. 32(1)) + DPIA for high-risk processing (Art. 35); scope narrower (personal data only).
DORA: Full ICT risk management framework — identification, protection, detection, response, recovery, learning — equivalent to NIS2 and deeper for financial services.
ISO 27001: Threat intelligence (A.5.7) + the risk assessment and treatment process in Clause 6.1 = direct NIS2 equivalent.
SOC 2: Risk Assessment objectives + risk identification + fraud risk + significant-change assessment (CC3.1-3.4) — strongly aligned with NIS2 Art. 21.
NIST CSF 2.0: Identify — Risk Assessment (ID.RA) + Govern — Risk Management Strategy (GV.RM). Direct equivalent of NIS2 Art. 21(1)-(2).
CIS v8: Inventory of Enterprise Assets + Software Assets + Data Recovery — CIS v8 is control-driven; it has no dedicated risk-assessment process (that lives in the separate CIS RAM method) but covers the risk-reducing controls.
HIPAA: Risk Analysis + Risk Management (Administrative Safeguards, § 164.308(a)(1)(ii)(A)-(B)) — mandatory, documented, periodically reviewed. Scope limited to ePHI.
PCI DSS v4.0: Requirement 12.3 — targeted risk analyses identifying threats to the CDE, reviewed at least every 12 months and upon significant change.
Incident handling
NIS2 Art. 23: early warning within 24 hours, incident notification within 72 hours, final report within one month; detection, containment, recovery.
GDPR: 72-hour personal-data-breach notification to the supervisory authority (Art. 33) + notification of data subjects where the risk is high (Art. 34); narrower trigger (personal data breach only).
DORA: Classification of major ICT-related incidents with an initial notification within 4 hours of classification (and no later than 24 hours from detection), an intermediate report within 72 hours and a final report within one month — a faster initial deadline and deeper reporting content than NIS2.
ISO 27001: Incident management lifecycle + lessons learned + evidence collection (A.5.24-5.28) = aligned with NIS2 Art. 23.
SOC 2: Incident detection + response + recovery + root-cause analysis (CC7.3-7.5) aligned with the NIS2 Art. 23 notification chain.
NIST CSF 2.0: Detect + Respond functions — full lifecycle from anomaly detection through response coordination. Close match to NIS2 Art. 23.
CIS v8: Incident Response Management (Control 17) — 9 safeguards covering plan, designation, reporting, lessons learned. No regulator-notification requirement, but operational alignment is strong.
HIPAA: Security Incident Procedures (§ 164.308(a)(6)) + Breach Notification Rule (§ 164.400-414) — notification to affected individuals and HHS without unreasonable delay and no later than 60 days (vs NIS2's 24-hour early warning + 72-hour notification).
PCI DSS v4.0: Requirement 12.10 — Incident Response Plan with testing, including notification of card brands and acquirers upon a suspected or confirmed compromise of account data.
Business continuity
NIS2 Art. 21(2)(c): BCP, DRP, backup strategy, tested recovery procedures.
GDPR: Ability to restore availability of and access to personal data in a timely manner after a physical or technical incident (Art. 32(1)(c)) — narrower than full BCP/DRP.
DORA: ICT business continuity policy + response and recovery + backup and restoration + scenario testing (Art. 11-14) — fully aligned.
ISO 27001: Information security during disruption (A.5.29) + ICT readiness for business continuity (A.5.30), with redundancy of information processing facilities under A.8.14 — direct equivalent.
SOC 2: Availability criteria (A1.1-1.3) — capacity planning, environmental protection, backup and recovery — plus CC9.1 risk mitigation. The Availability category is opt-in in SOC 2.
NIST CSF 2.0: Recover function — Recovery Planning (RC.RP) + Communications (RC.CO); incident response and recovery plans are established and maintained under ID.IM-04. (The CSF 1.1 identifier PR.IP-9 was retired in 2.0 and must not be used in a 2.0 mapping.)
CIS v8: Data Recovery (Control 11) — backups, isolated recovery, testing. Focused on data continuity; the BCP process is narrower than the full NIS2 BC/DR scope.
HIPAA: Contingency Plan (§ 164.308(a)(7)) — Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operation Plan, Testing and Revision, Applications and Data Criticality Analysis.
PCI DSS v4.0: Requirement 9.4.1 — offline media backups stored securely (9.4.1.1) + 12.10.1 — business recovery and continuity procedures as part of the incident response plan. PCI does not cover full BCP/DR for non-CDE operations.
Supply chain security
NIS2 Art. 21(2)(d): supplier risk assessment, contractual clauses, oversight of ICT third parties.
GDPR: Processor due diligence + Art. 28 data processing agreement + transfer safeguards (Art. 46) — overlaps for data-processing vendors only.
DORA: Third-party ICT risk framework + Register of Information + mandatory contractual clauses (Art. 28-30) — deeper than NIS2.
ISO 27001: Supplier relationships, addressing security in supplier agreements, monitoring supplier services (A.5.19-5.23).
SOC 2: Vendor management (CC9.2) — due diligence, monitoring, contract reviews. Narrower than NIS2 but aligned in intent.
NIST CSF 2.0: Govern — Cybersecurity Supply Chain Risk Management (GV.SC). This category is new in CSF 2.0 and replaces the CSF 1.1 category ID.SC; it is a direct NIS2 Art. 21(2)(d) equivalent.
CIS v8: Service Provider Management (Control 15) — inventory, classification, contractual security requirements, monitoring. Directly aligned with NIS2 Art. 21(2)(d).
HIPAA: Business Associate Contracts + written assurances (§ 164.308(b), § 164.314(a)) — BAAs required for ePHI handlers. Narrower than NIS2 but the same structural intent.
PCI DSS v4.0: Requirement 12.8 — third-party service provider (TPSP) management (due diligence, written agreements, compliance monitoring) + 12.9 — TPSPs acknowledge their responsibility in writing. Directly aligned.
Access control
NIS2 Art. 21(2)(i) (access control policies) and Art. 21(2)(j) (multi-factor or continuous authentication): MFA, PAM, least privilege, periodic access reviews.
GDPR: Confidentiality + access control for personal data (Art. 32(1)(b)); no explicit MFA / PAM requirement.
DORA: Strong authentication + privileged access management + logical and physical access controls (Art. 9).
ISO 27001: Access control policy + privileged access rights + authentication information + secure log-on (A.5.15-5.18, A.8.2-8.5) — full overlap with NIS2 MFA/PAM.
SOC 2: Logical and physical access controls + user authentication + authorization management (CC6.1-6.3). Near-identical requirement.
NIST CSF 2.0: Protect — Identity Management, Authentication and Access Control (PR.AA-01 through PR.AA-06) — direct equivalent of NIS2 MFA/PAM.
CIS v8: Account Management (Control 5) + Access Control Management (Control 6) — MFA for externally exposed applications, remote access and admin access (Safeguards 6.3-6.5), dedicated privileged accounts (5.4), role-based access control (6.8).
HIPAA: Workforce Security + Information Access Management (§ 164.308(a)(3)-(4)) + Access Control, Audit Controls, Integrity and Person or Entity Authentication (§ 164.312(a)-(d)) — full AAA coverage for ePHI.
PCI DSS v4.0: Requirement 7 — restrict access by business need to know + Requirement 8 — unique IDs and MFA for all access into the CDE and all non-console administrative access (8.4/8.5). The most prescriptive MFA requirements of any framework in this matrix.
Cryptography
NIS2 Art. 21(2)(h): policies on the use of cryptography and encryption, data at rest and in transit, key management, minimum standards.
GDPR: Pseudonymisation + encryption listed as example measures in Art. 32(1)(a); not a mandatory minimum standard.
DORA: Cryptographic controls and key management referenced in the ICT security policies required by Art. 9.
ISO 27001: Use of cryptography (A.8.24) — full equivalent, identical expectation of key management.
SOC 2: Encryption of data in transit and at rest (CC6.7, C1.1-1.2). The Confidentiality category is opt-in and is selected by most SaaS vendors.
NIST CSF 2.0: Protect — data at rest (PR.DS-01) and data in transit (PR.DS-02) protected. Cryptographic controls explicitly aligned with NIS2 Art. 21(2)(h).
CIS v8: Data Protection (Control 3) — data classification, encryption in transit (Safeguard 3.10) and at rest (3.11). No explicit key-management process; relies on IG2/IG3 scope.
HIPAA: Encryption and Decryption (addressable) for ePHI at rest (§ 164.312(a)(2)(iv)) + transmission security encryption (§ 164.312(e)(2)(ii)). Addressable means: implement if reasonable and appropriate, otherwise document why and adopt an equivalent alternative.
PCI DSS v4.0: Requirement 3 — protect stored account data (strong cryptography + key-management lifecycle) + Requirement 4 — strong cryptography for transmission over open, public networks. Prescriptive key management.
Awareness and training
NIS2 Art. 20(2): mandatory cybersecurity training for management body members, who must also encourage regular training for employees; phishing simulations are a common implementation rather than a literal requirement of the article.
GDPR: DPO awareness-raising and training duty only (Art. 39(1)(b)); GDPR does not mandate board training.
DORA: ICT security awareness programmes and digital operational resilience training, including for the management body (Art. 13(6)).
ISO 27001: Awareness, education and training (A.6.3) + competence (Clause 7.3) — mandatory for all roles including top management.
SOC 2: Commitment to competence (CC1.4) + internal communication on security objectives (CC2.2). Does not mandate board-level training explicitly.
NIST CSF 2.0: Protect — Awareness and Training (PR.AT-01, PR.AT-02). Covers the workforce + privileged users + all relevant roles including management.
CIS v8: Security Awareness and Skills Training (Control 14) — 9 safeguards covering social engineering, data handling, authentication, causes of incidents + role-specific training.
HIPAA: Security Awareness and Training (§ 164.308(a)(5)) — periodic updates, security reminders, malware protection, log-in monitoring, password management. Covers the whole workforce but is not board-specific.
PCI DSS v4.0: Requirement 12.6 — security awareness programme at hire and at least every 12 months, multiple methods, acknowledgement of the security policy. Does not mandate board-level training.
Personnel security
NIS2 Art. 21(2)(i): screening, onboarding, exit procedures, role-based security duties.
GDPR: Confidentiality obligation of persons acting under the authority of the controller or processor (Art. 29, 32(4)).
DORA: HR policies for ICT staff + segregation of duties.
ISO 27001: Screening + terms and conditions of employment + disciplinary process + termination (A.6.1-6.8) — full HR security lifecycle.
SOC 2: Screening + authorization management + termination workflows (CC1.4, CC6.2). Less prescriptive than NIS2 on HR personnel security.
NIST CSF 2.0: Personnel security overlaps with Identity Management (onboarding/offboarding, PR.AA-01, PR.AA-03) and with GV.RR-04 (cybersecurity included in HR practices).
CIS v8: Account lifecycle management (onboarding/offboarding/dormant accounts, Controls 5 and 6). No screening, terms-of-employment or disciplinary process in CIS v8.
HIPAA: Workforce Clearance Procedure + Access Authorization / Establishment / Modification + Termination Procedures (§ 164.308(a)(3)(ii), § 164.308(a)(4)(ii)) — directly governs the HR security lifecycle for ePHI access.
PCI DSS v4.0: Requirement 12.7 — personnel screening before hire (background checks) for positions with access to the CDE. Narrower than the full NIS2 HR security lifecycle.
Asset management
NIS2 Art. 21(2)(i): asset register, classification, ownership, lifecycle.
GDPR: Record of Processing Activities (RoPA, Art. 30) — overlaps for assets processing personal data only.
DORA: Identification, classification and documentation of ICT assets and their dependencies (Art. 8) — identical requirement.
ISO 27001: Inventory of information and other associated assets + classification + labelling + acceptable use (A.5.9-5.14) + user endpoint devices (A.8.1) — full asset management overlap.
SOC 2: Asset identification + protection + disposal of system assets and data (CC6.1, C1.1). Less granular on inventory than NIS2.
NIST CSF 2.0: Identify — Asset Management (ID.AM-01 through ID.AM-08). Inventory of hardware, software, data and services — direct equivalent.
CIS v8: Enterprise Assets (Control 1) + Software Assets (Control 2) + Data inventory (Safeguard 3.1). CIS Controls v8 anchors on asset inventory — the strongest overlap in the entire framework.
HIPAA: Device and Media Controls (§ 164.310(d)) — disposal, reuse, accountability, data backup and storage. Narrower than NIS2: asset inventory is implied but not prescribed.
PCI DSS v4.0: Requirement 9.4.5 — inventory logs of electronic media with cardholder data (with 9.5.1.1 for the list of POI devices) + 12.5.1 — maintained inventory of in-scope system components. CDE-scoped inventory only.
Assessment methodology
The percentages reflect a qualitative comparison of the NIS2 article with its closest equivalent in the other framework.
- 90-100 % — fully equivalent control (e.g. NIS2 Art. 21(2)(h) ↔ ISO 27001 A.8.24 cryptography).
- 75-89 % — significant overlap, but the target standard has a narrower or broader scope.
- 60-74 % — partial overlap; implementing NIS2 covers the key principles, but details must be added.
- below 60 % — minimal overlap or a framework-specific obligation (e.g. GDPR Art. 6 legal basis).
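The averaging rule from the summary at the top of the page and the banding rule above, as an added worked example (this script is not part of the original page). It embeds a constructed copy of the matrix, parses each "<percent> <reference>" cell, computes the per-framework average that the summary reports, assigns each cell to a methodology band, and lists every cell below 60 % as a gap that NIS2 implementation alone will not close. The English area names, the band labels and the helper names are my own.

```python
import re

# Constructed copy of the page's NIS2 mapping matrix (markdown, same cell format).
MATRIX_MD = """\
| Area | NIS2 | GDPR | DORA | ISO 27001 | SOC 2 | NIST CSF 2.0 | CIS v8 | HIPAA | PCI DSS v4.0 |
|---|---|---|---|---|---|---|---|---|---|
| Governance and leadership | Art. 20 | 70% Art. 24 + 32(4) | 95% Art. 5 | 85% A.5.1-5.4 | 80% CC1.1-1.5, CC2.1-2.3 | 95% GV.OC, GV.RR | 45% Implementation Group context | 60% § 164.308(a)(2) | 55% Req. 12.1, 12.4 |
| Risk management | Art. 21(1)-(2) | 65% Art. 32(1) + 35 | 100% Art. 6-16 | 95% A.5.7, 5.9, Clause 6 | 90% CC3.1-3.4 | 100% ID.RA, GV.RM | 70% CIS 1, 2, 11 | 85% § 164.308(a)(1)(ii)(A)-(B) | 70% Req. 12.3 |
| Incident handling | Art. 23 | 75% Art. 33-34 | 100% Art. 17-23 | 90% A.5.24-5.28 | 85% CC7.3-7.5 | 95% DE.*, RS.* | 90% CIS 17 | 85% § 164.308(a)(6), § 164.400-414 | 80% Req. 12.10 |
| Business continuity | Art. 21(2)(c) | 55% Art. 32(1)(c) | 100% Art. 11-14 | 100% A.5.29-5.30 | 90% A1.1-1.3, CC9.1 | 95% RC.RP, RC.CO, ID.IM-04 | 80% CIS 11 | 90% § 164.308(a)(7) | 45% Req. 9.4.1, 12.10.1 |
| Supply chain security | Art. 21(2)(d) | 75% Art. 28 + 46 | 100% Art. 28-30 | 95% A.5.19-5.23 | 80% CC9.2 | 95% GV.SC | 85% CIS 15 | 80% § 164.308(b), § 164.314(a) | 85% Req. 12.8, 12.9 |
| Access control | Art. 21(2)(i), (j) | 65% Art. 32(1)(b) | 95% Art. 9 | 100% A.5.15-5.18, 8.2-8.5 | 95% CC6.1-6.3 | 100% PR.AA | 95% CIS 5, 6 | 90% § 164.308(a)(3)-(4), § 164.312(a)-(d) | 100% Req. 7, 8 |
| Cryptography | Art. 21(2)(h) | 70% Art. 32(1)(a) | 95% Art. 9(2) | 100% A.8.24 | 85% CC6.7, C1.1-1.2 | 95% PR.DS-01, PR.DS-02 | 80% CIS 3 | 75% § 164.312(a)(2)(iv), § 164.312(e)(2)(ii) | 95% Req. 3, 4 |
| Awareness and training | Art. 20(2) | 40% Art. 39(1)(b) | 80% Art. 13(6) | 95% A.6.3, Clause 7.3 | 75% CC1.4, CC2.2 | 95% PR.AT | 95% CIS 14 | 80% § 164.308(a)(5) | 70% Req. 12.6 |
| Personnel security | Art. 21(2)(i) | 55% Art. 29 + 32(4) | 70% Art. 5(2)(e) | 100% A.6.1-6.8 | 70% CC1.4, CC6.2 | 80% PR.AA-01, PR.AA-03, GV.RR-04 | 60% CIS 5, 6 | 70% § 164.308(a)(3)(ii), § 164.308(a)(4)(ii) | 55% Req. 12.7 |
| Asset management | Art. 21(2)(i) | 60% Art. 30 | 100% Art. 8 | 100% A.5.9-5.14, 8.1 | 80% CC6.1, C1.1 | 100% ID.AM | 100% CIS 1, 2, 3.1 | 55% § 164.310(d) | 70% Req. 9.4.5, 12.5.1 |
"""

# A mapping cell is "<0-100>% <reference text>"; anything else is a data error.
CELL_RE = re.compile(r"^(\d{1,3})%\s*(.*)$")

# Methodology bands from the page, checked top-down (floor, label); labels are my own wording.
BANDS = ((90, "full equivalent"), (75, "significant overlap"),
         (60, "partial overlap"), (0, "minimal overlap"))


def band(pct: int) -> str:
    """Map a coverage percentage to its methodology band."""
    for floor, label in BANDS:
        if pct >= floor:
            return label
    raise ValueError(f"percentage out of range: {pct}")


def parse_matrix(md: str) -> dict[str, dict]:
    """Parse the markdown matrix into {area: {"nis2": ref, <framework>: (pct, ref)}}."""
    rows = [ln.strip() for ln in md.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    frameworks = header[2:]  # columns after "Area" and "NIS2"
    matrix: dict[str, dict] = {}
    for line in rows[2:]:  # rows[1] is the |---| separator
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {line}")
        area, nis2_ref, mapped = cells[0], cells[1], cells[2:]
        entry: dict = {"nis2": nis2_ref}
        for fw, cell in zip(frameworks, mapped):
            m = CELL_RE.match(cell)
            if not m or not 0 <= int(m.group(1)) <= 100:
                raise ValueError(f"bad cell for {area}/{fw}: {cell!r}")
            entry[fw] = (int(m.group(1)), m.group(2))
        matrix[area] = entry
    return matrix


def framework_averages(matrix: dict[str, dict]) -> dict[str, float]:
    """Average coverage per framework across all areas (the page's summary figure)."""
    frameworks = [k for k in next(iter(matrix.values())) if k != "nis2"]
    return {fw: round(sum(matrix[a][fw][0] for a in matrix) / len(matrix), 1)
            for fw in frameworks}


def gaps(matrix: dict[str, dict], threshold: int = 60) -> list[tuple[str, str, int]]:
    """Cells below the threshold, lowest coverage first: work NIS2 alone will not cover."""
    found = [(area, fw, val[0]) for area, entry in matrix.items()
             for fw, val in entry.items() if fw != "nis2" and val[0] < threshold]
    return sorted(found, key=lambda t: t[2])


if __name__ == "__main__":
    matrix = parse_matrix(MATRIX_MD)
    for fw, avg in framework_averages(matrix).items():
        print(f"{fw:<14} {avg:5.1f}%  ({band(round(avg))})")
    print("\nGaps below 60%:")
    for area, fw, pct in gaps(matrix):
        print(f"  {area:<26} {fw:<14} {pct:3d}%  -> {matrix[area][fw][1]}")
```

Running it reproduces the summary averages from the table values and lists the eight cells under 60 %, which is where a NIS2-first programme still needs framework-specific work (for example GDPR awareness duties and the PCI DSS continuity and personnel requirements). Adjust the threshold argument of `gaps()` to the band you care about.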
The matrix is an analytical aid, not legal advice. For a precise gap assessment, consult a qualified auditor or lawyer.
Get a personalised cross-framework gap report
We assess you from the NIS2 perspective and show what you automatically cover in GDPR, DORA and ISO 27001, plus what you still need to add.