Cross-regulation mappings¶
Most organizations don't face one EU digital regulation — they face several at once. The expensive mistake is building a separate compliance silo for each. These mappings show where obligations overlap so one control, one document or one process can serve multiple regulations.
Planned mappings¶
| Mapping | The practical question it answers |
|---|---|
| DORA × NIS2 | A financial entity is largely carved out of NIS2 where DORA applies — but group entities and suppliers may not be. Who follows which rulebook? |
| DORA × AI Act | AI systems inside a financial entity: which incident, risk and third-party obligations stack? |
| AI Act × GDPR | Training data, automated decision-making, DPIAs vs. FRIAs — where one assessment can feed the other |
| Incident reporting across all four | One incident, multiple clocks: a single reference for what must be reported to whom, and when |
| Third-party / supply-chain obligations | DORA Art. 28–30, NIS2 Art. 21(2)(d), GDPR Art. 28 — one vendor-management process to satisfy all three |
Under construction
Mappings ship once their underlying single-regulation artefacts exist. Announcements on the blog.