
Yannick H.
Too Long; Didn't Read
Compliance as a project fails. As an operational process, it works. Anyone who wants to pass their next audit without pulling a team out of day-to-day business for six weeks must integrate compliance requirements into existing processes—not alongside them. This is not a theoretical concept. It is the only approach that works in practice.

TL;DR
Running three compliance projects simultaneously doesn't cost you three times as much; it costs you closer to four times as much, because on top of the three projects you pay for reconciling everything that got duplicated. GDPR, NIS2 and ISO 27001 overlap by roughly 60-70%: risk register, incident response, access control, supplier management. It's the same work, just from different perspectives. If you use ISO 27001 as the backbone and map the other requirements onto it, you save 40-60% effort compared with isolated projects. The first step: stop treating them as three separate projects.
Imagine you're renovating a house. Three different tradespeople come in. Each one does their own survey. Each one orders their own materials. Each one writes their own report. In the end, all three have measured the same room, and yet the dimensions still don't match.
That is compliance management in many Swiss SMEs and mid-market companies today.
The GDPR project is underway. NIS2 readiness is being prepared. ISO 27001 certification is supposed to come next year. Three project managers, three documentation sets, three audit-preparation cycles. Triple the cost. Triple the confusion. And in the end someone in senior management asks why compliance costs so much time and money.
The answer: because you are doing the same thing three times.
Where GDPR, NIS2 and ISO 27001 really overlap
Before we talk about the way out, we need to be honest about the core of the problem. These three frameworks sound like three different things. Data protection. Cybersecurity for critical infrastructure. Information security management. Three worlds, right?
Not really.
If you start listing the actual requirements, not the marketing descriptions, but what you concretely have to do, you quickly see where the overlaps accumulate.
What all three have in common:
Risk assessment: All three require a systematic risk analysis. Not three different ones. One.
Asset inventory: Do you know which systems you operate, which data you process, which suppliers have access? All three need that.
Access control: Who has access to what, why, and is it reviewed regularly? The same question, three different frameworks.
Incident management: A security incident is a security incident. The reporting obligations differ, but the process behind them is the same.
Documentation: Policies, procedures, evidence. All three want to see that.
Supplier management: Who are your third parties? What risks do they bring? How do you assess that?
Awareness training: Your employees need to understand what is allowed and what is not. Train once, not three times.
That is not a marginal overlap. That is the largest part of the work.
What remains then are the truly specific requirements:
Only GDPR: Data subject rights (access, erasure, portability), DPIAs for high-risk processing, consent management, data retention periods.
Only NIS2: explicit accountability (and personal liability) of management bodies, specific reporting windows for significant incidents (24-hour early warning, 72-hour incident notification, final report within one month), enhanced supply-chain security.
Only ISO 27001: Formal ISMS scope and Statement of Applicability, certification audit by an accredited body, the 93 Annex A controls as a reference.
If you put it side by side, it becomes clear: the common core is enormous. The delta requirements are comparatively small. Anyone who builds this three times from scratch wastes massive resources.
Why almost everyone still works in silos
Good question. Usually it has to do with the way compliance projects are initiated.
GDPR came in 2018, under pressure from data protection officers or after an audit. ISO 27001 followed at some point because a major customer contract required certification. NIS2 is hot right now because EU supply-chain requirements are increasing the pressure.
Three different triggers, three different project owners, sometimes three different consultants. Each has its own approach. Each builds its own silo.
(And if you're unlucky, one of them sold a ready-made tool that doesn't talk to the next tool. Classic.)
The problem is not malicious intent. It is organic growth without an overarching architecture.
The integrated compliance framework: How it works
The solution is not complicated. But it does require stepping back and seeing the big picture.
The basic principle: use ISO 27001 as the backbone. It is the most structured of the three frameworks, has the broadest scope and the highest degree of maturity in practice. Then map the requirements of GDPR and NIS2 onto that backbone. Fill in the gaps that remain after that.
What that means in concrete terms:
1. One risk register, not three
Your risk register is the central hub. It captures risks, assessments, measures and responsibilities. ISO 27001 requires it. So does NIS2. GDPR as well, for processing personal data.
Difference: the format and the perspective. ISO 27001 looks broadly at information security risks. NIS2 focuses on operational continuity and resilience. GDPR looks at risks to the data subjects.
Solution: a single register with categorization. Each risk has tags for the applicable frameworks. When you record a new risk, you decide once which requirements it affects and maintain it in one place.
That sounds trivial. It isn't. We've seen companies rate the same risk differently in three separate Excel spreadsheets.
2. One policy set with regulatory mapping
Policies are necessary. Information Security Policy. Acceptable Use Policy. Incident Response Policy. Supplier Security Policy.
Instead of building a separate policy landscape for each framework, you write one policy and document which requirements it covers. One table is enough: policy, GDPR requirement, NIS2 requirement, ISO 27001 requirement, status.
This not only saves drafting effort. It saves even more at the next audit, because you can immediately show that one policy satisfies multiple requirements.
3. One audit calendar
ISO 27001 internal audits. GDPR data protection impact assessments. NIS2 maturity checks. Supplier assessments. Awareness training.
If you don't coordinate this, you're in audit mode all year long. And so are your internal teams, which keeps them from their actual work.
An integrated calendar plans all assessment activities together. Supplier assessment once a year, once for all relevant frameworks. An internal audit program that covers ISO 27001, GDPR and NIS2 requirements within the same review cycles. No topic is visited twice unless there is a good reason.
4. One incident process: framework-specific reporting obligations
This is where the devil is in the details. GDPR: notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the data subjects; where the risk is high, the affected individuals must be informed as well. NIS2: for significant incidents, an early warning within 24 hours, an incident notification within 72 hours and a final report within one month to the national authority. ISO 27001: no regulatory time frame, but a structured incident management process with defined roles and evidence is required.
That sounds like an argument for three different processes. It isn't.
The process — detect, classify, contain, investigate, remediate, follow up — is always the same. What differs is one step: classifying which reporting obligations are triggered. And that step can be mapped in a single decision matrix.
Once an incident is classified, your team automatically knows: GDPR relevant (personal data affected, risk to data subjects not ruled out)? Then the 72-hour clock starts. NIS2 relevant (your entity is in scope and the incident is significant)? Then the 24-hour early-warning clock starts, followed by the 72-hour notification. Both? Both clocks run in parallel from the moment you became aware of the incident, so the escalation path has to be fast enough for the shortest one.
One process. Multiple consequences depending on classification.
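One way to make that single decision matrix executable, as an added example that is not code from the original article: one classification step decides which frameworks are triggered, and all reporting deadlines are then derived from the same detection timestamp. The deadline table, the trigger flags (risk to data subjects, NIS2 scope, significance) and the 30-day approximation of "one month" are simplifying assumptions for illustration; the actual trigger decision stays with your DPO, legal counsel and incident manager.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting clocks per framework, in hours after the organisation becomes
# aware of the incident. Example table, not legal advice: confirm the exact
# triggers and windows with your DPO / counsel and the national authority.
REPORTING_MATRIX = {
    "gdpr": [
        ("supervisory_authority_notification", 72),
    ],
    "nis2": [
        ("early_warning", 24),
        ("incident_notification", 72),
        ("final_report", 24 * 30),   # "within one month", approximated as 30 days
    ],
    "iso27001": [],                  # internal process only, no regulatory clock
}


@dataclass
class Incident:
    detected_at: datetime          # when the organisation became aware
    personal_data_affected: bool
    risk_to_data_subjects: bool    # GDPR: no notification if a risk is unlikely
    nis2_in_scope: bool            # the affected entity is essential/important
    significant_impact: bool       # NIS2: only significant incidents are notifiable


@dataclass
class Obligation:
    framework: str
    step: str
    due: datetime


def classify(incident: Incident) -> list[str]:
    """The one classification step: which frameworks' obligations are triggered."""
    frameworks = ["iso27001"]  # the internal incident process always applies
    if incident.personal_data_affected and incident.risk_to_data_subjects:
        frameworks.append("gdpr")
    if incident.nis2_in_scope and incident.significant_impact:
        frameworks.append("nis2")
    return frameworks


def obligations(incident: Incident) -> list[Obligation]:
    """All reporting deadlines, earliest first; parallel clocks simply coexist."""
    clocks = [
        Obligation(fw, step, incident.detected_at + timedelta(hours=hours))
        for fw in classify(incident)
        for step, hours in REPORTING_MATRIX[fw]
    ]
    return sorted(clocks, key=lambda o: o.due)   # stable sort keeps framework order on ties


def clock_at(incident: Incident, hours_since_detection: float) -> datetime:
    """Helper for 'what does the situation look like N hours after detection'."""
    return incident.detected_at + timedelta(hours=hours_since_detection)


def overdue(incident: Incident, now: datetime) -> list[Obligation]:
    """Obligations whose deadline has already passed at the given time."""
    return [o for o in obligations(incident) if now > o.due]


def sample_incident() -> Incident:
    # Constructed example: customer data exfiltrated from an entity in NIS2 scope,
    # so the GDPR and NIS2 clocks run in parallel from the same detection time.
    return Incident(
        detected_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        personal_data_affected=True,
        risk_to_data_subjects=True,
        nis2_in_scope=True,
        significant_impact=True,
    )


if __name__ == "__main__":
    inc = sample_incident()
    print("triggered frameworks:", classify(inc))
    for o in obligations(inc):
        print(f"{o.due:%Y-%m-%d %H:%M} UTC  {o.framework:9} {o.step}")
    print("overdue at +30h:", [o.step for o in overdue(inc, clock_at(inc, 30))])
```

The point of the structure: adding a fourth framework later means adding one row to the table and one condition to `classify`, not a fourth incident process. A breach with personal data but no realistic risk to data subjects correctly yields no GDPR clock, which is exactly the decision the matrix has to document.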
5. One training, not three different ones
Awareness training is mandatory under all three. ISO 27001 requires security-aware behavior. GDPR requires basic data protection knowledge. NIS2 has its own requirements for awareness of cyber risks.
Can you combine that in one training session? Yes. It is even better, because the connections become clear. Data protection and information security are not separate topics; one largely follows from the other.
How the implementation looks in practice
When we approach this with companies, we follow a simple process:
Phase 1: Inventory (2-3 weeks). What already exists? Policies, risk register, documentation, processes. What is current, what is outdated, what is completely missing? And: where do overlaps exist between existing documents?
Phase 2: Gap analysis against all three frameworks at the same time. Not sequentially, simultaneously. This immediately shows where one measure closes several gaps.
Phase 3: Consolidation. Bring together what belongs together. Combine policies. Standardize the risk register. Eliminate duplicates.
Phase 4: Delta implementation. Only now are the truly specific requirements addressed that do not have a shared foundation. Data subject rights processes for GDPR. Board accountability documentation for NIS2. Statement of Applicability for ISO 27001.
Phase 5: Maintenance system. An integrated framework only delivers lasting value if it is also maintained in an integrated way. Who is responsible, which cycles are reviewed, how changes to one framework are reflected across the entire framework.
The effort for phase 5 is what most companies underestimate. Building a framework takes months. Operating it is the real work.
What this means specifically for Swiss companies
Brief context: Many Swiss companies are facing exactly this situation right now.
GDPR applies to anyone offering goods or services to, or monitoring the behaviour of, people located in the EU, regardless of their citizenship, which in practice covers nearly all companies doing business in or with the EU. NIS2 is EU law and does not bind Swiss companies directly, but the pressure still comes through: companies integrated into EU supply chains are increasingly being checked by large suppliers and customers for NIS2 compliance. ISO 27001 is often a contractual requirement or will become one soon, especially in the financial, healthcare and industrial sectors.
That means: the three frameworks are not an academic exercise. They are operational reality.
We have already published our detailed guide to NIS2 implementation for Swiss companies; if you still need the basics there, that's a good starting point. And if you're interested in how compliance can also be positioned as a competitive advantage: this article on NIS2 and FINMA as a resilience structure shows the strategic perspective.
What we see in practice: companies taking an isolated approach typically need 18-24 months and significant external consulting costs to cover all three frameworks. Companies that think integratively from the outset achieve this in 12-15 months with significantly fewer consulting hours, because every hour counts toward multiple requirements at the same time.
40-60% less effort is not a marketing number. That is what happens when you stop documenting the same thing three times.
Where ISO 27001 brings the most value as a starting point
One small note if you're just getting started: ISO 27001 is not a must as a backbone, but it is the best choice if you have the option.
Why? Because it is the most structured of the three frameworks. It has a clear scope approach, a defined certification process and, importantly, the Annex A controls as a ready-made catalog of security measures. These controls already cover a great deal of what GDPR and NIS2 also require.
Anyone who implements ISO 27001 consistently has already completed a large part of the foundation for GDPR compliance and NIS2 requirements. The delta is then manageable.
If you're currently building a pragmatic ISMS, we've described the approach in this article in detail, especially the part about how to do it without needing three years for it.
And if you also have the EU AI Act in view (which is becoming relevant for many companies right now): Our article on EU AI Act compliance shows how you can integrate those requirements into the same framework. Anyone who plans for that early saves themselves the next parallel track.
The next step
Forget everything else. Tomorrow morning do exactly one thing: write down which compliance initiatives are currently running in parallel at your company. Names, project owners, document storage locations.
If you have more than one list item and no clear connection between them, you've identified the starting point of the problem.
The second step would be an honest inventory: what already exists in usable form, and what is currently being duplicated? This usually takes two to three weeks and often quickly shows where the biggest savings lie.
If you need support with that, we're happy to talk. No pitch, no consulting bingo, just a conversation about what's going on at your company right now and whether an integrated approach makes sense. Our compliance consulting shows how we approach it.


