
Frameworks vs Regulations: Cyber compliance deep dive
Ever wondered what the difference really is between a cybersecurity framework and a regulation? In this blog, we compare the two, and then compare two pieces of EU compliance that many think of as similar (but which are not the same): DORA and NIS2.
What is a cybersecurity framework?
A cybersecurity framework is a set of standards, guidelines, and best practices created to help manage an organization's cyber risk program. It is typically there to help companies or governments structure and implement the controls they need for their cybersecurity risk program.
There is a wide range of frameworks, and which ones apply varies with the region and industry you work in. We have previously covered NIST Cybersecurity Framework 2.0, yet there are many more to consider in your governance, risk, and compliance programs.
A framework might only give you a three-sentence description of a particular outcome. So it can still be somewhat challenging to say that this metric, or these five metrics, will let me measure that I've achieved that outcome.
Some more granular frameworks, like the CIS Controls framework, can be a little easier to map to in that sense, because they have put a focus on helping you measure. The language is often cleaner or shorter. That's not to say one or the other is better; they just have different focuses in mind.
What is a regulation?
A regulation is something that is written into law, and you must comply with it. It might apply to you because of the region of the world you're operating in. Some you may have heard of are DORA and NIS2 in the EU, or the SEC rules in the US.
With the rise in cyber threats and constant breaches or breakdowns in critical infrastructure, regulations are increasingly at the forefront of government policy. We will see more and more of them, particularly with more AI legislation to come in 2025. It can be difficult to start compliance efforts toward a regulation, because cyber teams and CISOs are not the intended audience for these documents.
Frameworks tend to have been created to align your security program with. So they're designed with someone like a CISO in mind, and are structured in a way that makes sense for how security operates. When you want to do the same for a regulation, it becomes much more challenging. This is because the regulation is not written so that someone can structure their security program nicely. It's written to clearly define what they are expected to do, in a legal setting.
Leila Powell
Head of Data at Panaseer
Regulations tend to be much longer texts. They tend to have lots of sub-clauses and lots of definitions embedded. So you've got complex prose on one hand, often written in quite a legal style. On the other hand, you've got a percentage metric, and it's challenging trying to get these two things to line up.
DORA, for example, is a 79-page piece of legislation that could take a long time to figure out on your own. We have a handy whitepaper to introduce you to the topic, in particular breaking down the legal jargon into the language of the business.
NIS2 vs DORA cyber compliance
There has been a lot written recently about DORA and NIS2 and their impact on EU organizations. While at face value they may seem similar, there are some key differences to note.
Regulation versus directive
DORA is an EU regulation, which means it becomes law as soon as it is brought in. NIS2, by contrast, is a directive, which means it is not law by itself: EU member states need to write it into their local laws for it to become mandated. This means it is down to the country itself where you legally must comply.
Industry
DORA focuses on financial services and on improving operational and digital resilience in that sector. NIS2 is quite interesting because it takes a much broader approach and covers many industries.
NIS2 broadened the types of organization covered by the directive to be much wider than before, bringing in a lot of organizations that weren't previously regulated and are now regulated perhaps for the first time.
Supply chain and third party risk
Some of the similarities between the two are that they are both focused on things like third-party risk. Supply chain is a big theme across both. And this is interesting because it means it's not just companies that are headquartered in the EU, and companies that maybe have a division in the EU, that must abide by them. This also places constraints on companies that supply either of the previous two categories.
They won't be directly regulated, but what they're going to find is that companies that need to abide by NIS2 or DORA are going to be demanding higher standards of security, such that they can demonstrate to the regulators for either framework that they are ensuring really high-quality security in their whole supply chain.
Leila Powell
Head of Data at Panaseer
Threat intelligence
The other thing the two have in common is threat intelligence sharing: sharing information across companies where it can improve the security level of all of them.
One key theme of NIS2 is implementing this across the whole EU. We can interpret this as raising the bar for every organization in one of the in-scope industries across the whole of the EU. The aim is for them to apply similar standards and share information regularly, so that they support one another and bring one another up.
Final thought on cyber compliance best practices
It can be an overwhelming landscape. Where do you start with complying with frameworks and standards? How do you ensure enough time is put towards understanding the legal jargon while still having time to put controls in place?
It is too complex and too important to do manually, and that is why investing in the right product, like a Continuous Controls Monitoring platform, could be the key to automating your compliance efforts.
A benefit of using the Panaseer platform is that we are already doing the hard work for you by mapping to the top frameworks and regulations. Dr Leila Powell, Head of Data at Panaseer, explains the benefits of our measurement methods:
"We ensure the way we align to our metrics is consistent with the intent of either the regulation or the framework. You can be confident that you're measuring the right thing, either to provide visibility into your internal cybersecurity measurement program and your cybersecurity risk management, or so that you can provide evidence that you are complying with the regulations you're subject to."
Want to know more or test the product? Take a tour of our cyber frameworks catalog, or get a demo with one of the team today.