Risk Management Frameworks: The Complete 2026 Guide (7 Compared)
Published Jun 2, 2026
By Orbiq Team

Compare the 7 major risk management frameworks — ISO 31000, NIST RMF, COSO ERM, COBIT 2019, FAIR, ISO 27005, and ENISA — and choose the right one for NIS2, DORA, and ISO 27001.

Short answer: A risk management framework is a structured set of principles, processes, and practices for identifying, assessing, treating, monitoring, and reporting risk systematically. The seven most widely used frameworks in 2026 are ISO 31000, the NIST Risk Management Framework, COSO ERM, COBIT 2019, FAIR, ISO/IEC 27005, and ENISA's Interoperable EU Risk Management Framework. Each is built for a different scope: enterprise-wide governance, IT and cybersecurity, financial quantification, or EU regulatory interoperability. Under NIS2 Article 21 and DORA Article 6, operating a documented framework is no longer optional for in-scope European organizations.

Choosing a risk management framework is one of the highest-leverage compliance decisions an organization makes. The framework you adopt shapes how you assess every threat, how you justify every control, and — increasingly — how you prove to regulators, auditors, and enterprise buyers that your risk decisions are defensible.

This guide compares the seven major risk management frameworks in depth, maps them to the EU regulations that now mandate them (NIS2, DORA, GDPR), and gives you a decision guide for choosing the right one by sector, size, and regulatory exposure. It is written for a European compliance landscape — EU-27, the EEA, and the post-Brexit United Kingdom — where the same organization often has to satisfy several overlapping regimes at once.


Key Takeaways

  • A framework is the process, not the controls. It tells you how to identify, assess, treat, and monitor risk. Controls (encryption, MFA, backups) are what you implement to treat the risks the framework surfaces.
  • The seven frameworks split into three families: enterprise/principles-based (ISO 31000, COSO ERM), IT and information security (NIST RMF, ISO/IEC 27005, COBIT 2019), and quantitative (FAIR) — with ENISA's framework acting as an EU interoperability layer over the rest.
  • NIS2 and DORA now mandate frameworks, not just controls. NIS2 Article 21(2)(a) requires risk-analysis policies; Implementing Regulation (EU) 2024/2690 details the technical requirements; DORA Article 6 requires a documented ICT risk management framework reviewed at least annually [⁴][⁶].
  • ISO/IEC 27005 is the practical default for ISO 27001 implementers because it satisfies Clause 6.1's risk-assessment requirement directly, and it maps cleanly to NIS2 and DORA.
  • Most regulated organizations layer frameworks: ISO 31000 as the umbrella → COBIT 2019 for IT governance → ISO 27005 / NIST RMF for the cyber risk process → FAIR for the handful of risks that need a financial number.
  • A framework on paper is not evidence. You need a living risk register, documented treatment decisions, and board-level oversight — and a way to expose that evidence to the stakeholders who ask for it.

What Is a Risk Management Framework?

A risk management framework is a structured, repeatable system for managing risk. Regardless of which standard you adopt, every credible framework defines five capabilities:

  1. Identify — what can go wrong, and where (assets, threats, vulnerabilities, dependencies)
  2. Assess — how likely each risk is and how severe the impact would be
  3. Treat — the decision to mitigate, transfer, accept, or avoid each risk
  4. Monitor — ongoing tracking, so the risk picture stays current as the environment changes
  5. Report — communicating risk to leadership, regulators, customers, and auditors

The reason this matters is consistency. Without a framework, two teams assess the same risk differently, documentation gaps appear, and you cannot produce the coherent, defensible evidence that NIS2 supervisory authorities, DORA's competent authorities, or an ISO 27001 certification body expect to see.

A framework is also distinct from a control framework. ISO 27001 Annex A and NIST SP 800-53 are catalogues of safeguards — the "what you implement." A risk management framework is the "how you decide." The two are complementary: the framework produces the risk register and treatment plan; the controls treat the risks it identifies.


The 7 Major Risk Management Frameworks

1. ISO 31000 — Enterprise Risk Management, Principles-Based

Purpose & scope: A universal, principles-based standard for managing any type of risk — strategic, financial, operational, compliance, or cyber. ISO 31000:2018 provides principles, a framework, and a generic process; it deliberately prescribes no specific controls [⁵].

Primary user: Boards and risk functions that want a single, organization-wide reference. It is the lower-friction path into enterprise risk management for non-US and mid-sized firms, and is adopted as a national standard in dozens of countries [¹].

EU adoption: Very high. ISO 31000 is the default umbrella framework for EU-headquartered manufacturers, scale-ups, and ISO-anchored organizations across Europe, and it underpins the risk vocabulary in many national transposition guides.

Strengths: Flexible, industry-agnostic, internationally recognized; works as the top of a layered framework stack. Limitations: High-level — it tells you how to think about risk, not which controls to deploy. It needs domain-specific supplementation for cybersecurity or IT governance.

2. NIST Risk Management Framework (RMF)

Purpose & scope: A prescriptive, seven-step process for integrating security and risk management into information systems, defined in NIST SP 800-37: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. It is tied to the NIST SP 800-53 control catalogue [¹].

Primary user: Organizations managing information systems, especially those aligned with US federal standards, NIST CSF, FedRAMP, or CMMC — and increasingly European technology teams that want a detailed, step-by-step cyber risk process.

EU adoption: Moderate. US-origin and not a certification standard, but widely used by EU companies with US customers or US federal exposure, and frequently paired with ISO 31000 at the enterprise layer.

Strengths: Prescriptive, exhaustively documented, free, and integrates tightly with the NIST control catalogue. Limitations: US-centric and system-focused; can be heavy for smaller organizations and does not address enterprise-wide non-IT risk.

3. COSO ERM — Enterprise Risk Management for Governance

Purpose & scope: The dominant framework for enterprise risk management in a corporate-governance and financial-reporting context. The 2017 update organizes risk across five components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication & Reporting [¹].

Primary user: Boards, audit committees, and listed companies — the default for SEC registrants, banks under US prudential supervision, and SOX-driven internal-control programmes.

EU adoption: Selective. Common in EU financial services and listed multinationals, especially those with US reporting obligations; less common in EU SMEs, which usually find ISO 31000 lighter-weight.

Strengths: Strong board-level governance focus; aligns naturally with SOX and internal-control reporting. Limitations: Broad and governance-oriented; needs supplementation for cyber and IT, and can feel abstract to operational teams.

4. COBIT 2019 — IT Governance and Management

Purpose & scope: ISACA's framework for the governance and management of enterprise IT. It contains 40 governance and management objectives across five domains: EDM (Evaluate, Direct, Monitor), APO (Align, Plan, Organize), BAI (Build, Acquire, Implement), DSS (Deliver, Service, Support), and MEA (Monitor, Evaluate, Assess) [³].

Primary user: IT governance, internal audit, and risk teams — especially financial entities under DORA, where board-level IT governance is mandatory.

EU adoption: Growing fast in financial services. ISACA published 2025 guidance on using COBIT to navigate NIS2 and DORA, and the EDM/APO domains map directly onto DORA's governance obligations [²].

Strengths: Comprehensive IT governance scope; clear regulatory mapping (DORA, NIS2, SOX IT controls); measurable objectives. Limitations: Complex to implement in full; IT-focused, so it needs ISO 31000 for non-IT risk and access to ISACA materials.

5. FAIR — Quantitative Cyber Risk Analysis

Purpose & scope: Factor Analysis of Information Risk is a quantitative model that expresses cyber risk as probable financial loss, decomposing it into Loss Event Frequency and Loss Magnitude. The Open Group formalized FAIR in 2013 as the Open FAIR Body of Knowledge (the O-RT Risk Taxonomy and O-RA Risk Analysis standards) [⁷].

Primary user: CISOs and risk quants who need to justify security investment to a board in euros rather than red/amber/green.

EU adoption: Niche but rising, especially in larger EU financial institutions and insurers that want cyber risk expressed in monetary terms for capital and board decisions.

Strengths: Produces financial metrics executives understand; enables genuine cost-benefit analysis of controls. Limitations: Data-hungry and more complex than qualitative methods; works best as a supplement to a structural framework, not as a standalone.
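The Loss Event Frequency × Loss Magnitude decomposition described above, worked through as a small FAIR-style Monte Carlo in Python. This is an added example, not code from the page or from Orbiq; the scenario values, the €40,000 control cost and the use of triangular distributions in place of FAIR's usual PERT-style curves are assumptions constructed for illustration.

```python
# FAIR-style Monte Carlo estimate of annualised cyber loss (added example, not Orbiq's code).
# Open FAIR taxonomy: Risk = LEF x LM, where LEF = Threat Event Frequency (TEF) x Vulnerability
# and LM = Primary Loss + Secondary Loss Event Frequency (SLEF) x Secondary Loss Magnitude.
# Every numeric input below is a constructed, illustrative value, not real data.
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution stands in for FAIR's usual PERT-style curves.
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0  # mean of a triangular distribution


@dataclass(frozen=True)
class Scenario:
    """One risk-register entry expressed in FAIR factors."""
    tef: Estimate           # threat events per year
    vuln: Estimate          # probability a threat event becomes a loss event (0..1)
    primary_lm: Estimate    # direct loss per loss event, EUR
    slef: Estimate          # probability a loss event also triggers secondary loss (0..1)
    secondary_lm: Estimate  # secondary loss per event (fines, churn, legal), EUR

    def annual_loss(self, rng: random.Random) -> float:
        """One simulated year: LEF x LM with each factor drawn independently."""
        lef = self.tef.sample(rng) * self.vuln.sample(rng)
        lm = self.primary_lm.sample(rng) + self.slef.sample(rng) * self.secondary_lm.sample(rng)
        return lef * lm

    def analytic_mean(self) -> float:
        """Expected annual loss from the factor means (valid because the factors are independent)."""
        lm_mean = self.primary_lm.mean() + self.slef.mean() * self.secondary_lm.mean()
        return self.tef.mean() * self.vuln.mean() * lm_mean


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 2026, tolerance: float = 1e6) -> dict:
    """Summarise the simulated annual-loss distribution. 'p_exceed' is the share of years whose
    loss exceeds the stated tolerance, the figure a board compares with its risk appetite."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible for audit
    losses = sorted(scenario.annual_loss(rng) for _ in range(trials))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "min": losses[0], "max": losses[-1],
        "p_exceed": sum(1 for x in losses if x > tolerance) / len(losses),
    }


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Return on security investment: (reduction in expected annual loss - cost) / cost."""
    reduction = simulate(before)["mean"] - simulate(after)["mean"]
    return (reduction - annual_control_cost) / annual_control_cost


# Constructed scenario: account takeover of a customer portal through reused passwords.
BASELINE = Scenario(
    tef=Estimate(2, 6, 15),
    vuln=Estimate(0.20, 0.35, 0.50),
    primary_lm=Estimate(20_000, 60_000, 250_000),
    slef=Estimate(0.10, 0.30, 0.60),
    secondary_lm=Estimate(50_000, 200_000, 1_000_000),
)
# Treatment option under evaluation: MFA lowers Vulnerability only; TEF and LM are unchanged.
WITH_MFA = replace(BASELINE, vuln=Estimate(0.02, 0.05, 0.15))
MFA_ANNUAL_COST = 40_000.0  # constructed licence-plus-operations figure

if __name__ == "__main__":
    print({k: round(v, 2) for k, v in simulate(BASELINE).items()})
    print(f"ROSI of MFA at EUR {MFA_ANNUAL_COST:,.0f}/year: {rosi(BASELINE, WITH_MFA, MFA_ANNUAL_COST):.1f}x")
```

Running the module prints the loss percentiles, the probability of exceeding a €1M tolerance, and the return on the MFA investment, which is the comparison against stated risk appetite that board reporting needs.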

6. ISO/IEC 27005 — Information Security Risk Management

Purpose & scope: Detailed guidance for information security risk management, designed to complement ISO/IEC 27001. ISO/IEC 27005:2022 covers context establishment, risk identification (assets, threats, vulnerabilities, impacts), analysis, evaluation, treatment, and ongoing monitoring [⁶].

Primary user: Any organization implementing or maintaining ISO 27001 — it is the methodology that satisfies Clause 6.1.

EU adoption: Very high. Because ISO 27001 is the de facto European security baseline and is referenced by NIS2 and DORA, ISO 27005 is the most commonly used information-security risk methodology across the EU, EEA, and UK.

Strengths: Directly supports ISO 27001; practical, specific, and well-established; maps cleanly to NIS2 and DORA risk obligations. Limitations: Scoped to information security only; most useful inside an ISO 27001 context.

7. ENISA's Interoperable EU Risk Management Framework

Purpose & scope: Not a competing standard but an EU interoperability layer. ENISA, the EU Agency for Cybersecurity, published the Interoperable EU Risk Management Framework (2022) and the Interoperable EU Risk Management Toolbox (2023) to give Member States, businesses, and SMEs a shared methodology and vocabulary, and to map existing frameworks (ISO 27005, NIST, IT-Grundschutz, EBIOS) onto one another [⁸].

Primary user: EU regulators, Member State authorities, and organizations operating across borders that need a common reference for NIS2.

EU adoption: Increasing through NIS2. ENISA produced the technical implementation guidance behind Implementing Regulation (EU) 2024/2690, which sets out the technical and methodological requirements for the NIS2 Article 21(2) measures for relevant entities [⁸][⁴].

Strengths: Reduces cross-border and cross-sector coordination friction; directly aligned with the NIS2 implementing regulation. Limitations: A coordination layer rather than a self-contained method — you still implement an underlying framework such as ISO 27005.


Risk Management Frameworks Compared (Side-by-Side)

| Framework | Purpose / Scope | Approach | Primary User | EU Adoption |
|---|---|---|---|---|
| ISO 31000 | All risk types, enterprise-wide | Principles-based, flexible | Boards, enterprise risk functions | Very high — default umbrella |
| NIST RMF | Information systems & cyber | Prescriptive, 7-step | IT/security teams, US-aligned orgs | Moderate — common with US exposure |
| COSO ERM | Enterprise & financial-reporting risk | Governance-focused, 5 components | Boards, audit committees, listed firms | Selective — financial services & listed |
| COBIT 2019 | IT governance & management | Objectives-based, 40 objectives | IT governance, DORA financial entities | Growing fast in financial services |
| FAIR | Quantitative cyber risk | Data-driven, financial | CISOs, risk quants, insurers | Niche but rising |
| ISO/IEC 27005 | Information security risk | Methodology, pairs with ISO 27001 | ISO 27001 implementers | Very high — EU security baseline |
| ENISA EU RMF | EU interoperability / NIS2 | Coordination & mapping layer | EU regulators, cross-border orgs | Increasing via NIS2 |

Scope and adoption reflect 2026 practice across the EU-27, EEA, and UK. Most regulated organizations operate two or more of these in a layered model rather than choosing one in isolation.


Which Framework Fits My Company? A Decision Guide

There is no single "best" framework — the right answer depends on your sector, size, and regulatory exposure. Use the three lenses below.

By regulatory driver

| If you must comply with… | Adopt… |
|---|---|
| NIS2 (essential / important entity) | ISO/IEC 27005 + ISO 31000, aligned to ENISA's framework and Reg. (EU) 2024/2690 |
| DORA (financial entity / ICT provider) | COBIT 2019 (governance) + ISO/IEC 27005 (ICT risk process) |
| ISO 27001 certification | ISO/IEC 27005 |
| SOX / financial reporting | COSO ERM |
| NIST CSF / US federal | NIST RMF |
| Multiple EU regimes at once | ISO 31000 (umbrella) + COBIT 2019 + ISO/IEC 27005 |

By risk scope

  • Information security only → ISO/IEC 27005 or NIST RMF
  • IT governance and management → COBIT 2019 (essential for DORA-regulated entities)
  • Enterprise-wide, all risk types → ISO 31000 or COSO ERM
  • Need a financial number for the board → add FAIR on top of your structural framework

By organization size and maturity

  • Starting out / SME / first ISO 27001: ISO/IEC 27005 is the most proportionate, structured entry point. A NIS2 "important entity" or a DORA ICT subcontractor in this band still needs a documented process — but not all 40 COBIT objectives.
  • Scaling / multi-regulation: ISO 31000 as the umbrella, with ISO 27005 for the cyber process and COBIT for IT governance where DORA applies.
  • Large / regulated / board-reporting: A full layered model — ISO 31000 + COSO ERM at the top, COBIT 2019 for IT governance, ISO 27005 / NIST RMF for the cyber process, and FAIR for quantifying the highest-impact risks.

For a deeper view of where a single information-security platform fits this stack, see our comparison of the best ISMS software in 2026 and our guide to what ISO 27001 actually is.


How NIS2 and DORA Map to ISO 27005 (The EU Differentiator)

This is where European organizations diverge sharply from a US-centric framework choice. In the EU, two regulations have turned "have a risk management framework" from best practice into a legal obligation — and both map onto ISO/IEC 27005.

NIS2 Article 21 → ISO 27005

NIS2 (Directive (EU) 2022/2555) Article 21(2)(a) requires in-scope essential and important entities to adopt "policies on risk analysis and information system security." It then lists ten minimum risk-management measures covering incident handling, business continuity, supply chain security, and more [⁴].

In October 2024, Implementing Regulation (EU) 2024/2690 laid down the technical and methodological requirements of the measures in Article 21(2) for relevant categories of entity (such as DNS providers, cloud and data centre services, and managed service providers), with ENISA providing the technical implementation guidance [⁴][⁸].

ISO/IEC 27005 supplies the risk-assessment methodology that produces the documented "risk analysis" NIS2 demands: context, asset/threat/vulnerability identification, analysis, evaluation against acceptance criteria, and treatment. Because ISO 27005 feeds an ISO 27001 ISMS, an organization with a 27001-aligned programme already produces much of the evidence a NIS2 supervisory authority will ask for — though NIS2's 24-hour early-warning reporting and management-body liability sit outside any ISMS and require additional implementation. See our NIS2 Directive guide for the full Article 21 breakdown.

DORA Article 6 → ISO 27005 (+ COBIT)

DORA (Regulation (EU) 2022/2554) Article 6 requires every in-scope financial entity to maintain "a sound, comprehensive and well-documented ICT risk management framework as part of [its] overall risk management system," enabling it to address ICT risk "quickly, efficiently and comprehensively." The framework must include a digital operational resilience strategy, be reviewed at least once a year (and after any major ICT incident), and — for non-microenterprises — be subject to independent internal audit by auditors with ICT expertise [⁶].

DORA is more prescriptive than NIS2. Financial entities typically implement it as two layers: COBIT 2019 for the governance and management layer (its EDM and APO domains map directly to DORA's board-accountability and oversight requirements), and ISO/IEC 27005 for the underlying ICT risk-assessment process. ISACA's 2025 guidance treats COBIT as a strong fit for DORA and NIS2 rather than a mandated model [²]. Our DORA compliance guide covers the Articles 5–16 framework in full.

Who enforces it: national competent authorities

Crucially, neither NIS2 nor DORA is policed by a central EU regulator — both are supervised and enforced by national competent authorities designated by each Member State, so the body that audits your risk framework depends on where you operate. For NIS2, Germany names the BSI (under the NIS2-Umsetzungsgesetz / NIS2UmsuCG), France names ANSSI, and the Netherlands names the Rijksinspectie Digitale Infrastructuur (RDI) as supervisor with NCSC-NL as the operational CSIRT [¹⁰]. For DORA, supervision runs through the existing financial regulators: BaFin in Germany, the ACPR (with the AMF for markets) in France, and De Nederlandsche Bank (DNB) with the AFM in the Netherlands [¹¹]. An ISO 27005-based risk programme produces the same documented evidence base regardless of which of these authorities comes knocking.

The compliance dividend

The practical consequence: an organization that builds its risk process on ISO/IEC 27005 inside an ISO 27001 ISMS establishes a single risk register and evidence base that can satisfy NIS2 Article 21, DORA Article 6, and GDPR Article 32's "appropriate technical and organisational measures" simultaneously — mapping evidence once instead of three times.


Risk Management Beyond the EU-27: UK and Norway/EEA

A pan-European risk programme has to account for the EEA and the post-Brexit United Kingdom, where the destination is similar but the route differs.

United Kingdom (post-Brexit divergence)

The UK did not adopt DORA. Instead, financial firms follow the FCA/PRA operational resilience regime under Policy Statement PS21/3, which required firms to identify important business services, set impact tolerances, and be fully compliant by 31 March 2025 [⁹]. The FCA has since moved further with PS26/2 on operational incident and third-party reporting, narrowing — but not closing — the gap with DORA [⁹].

For cyber risk more broadly, UK supervisory bodies reference the NCSC Cyber Assessment Framework (CAF) [⁹]. The CAF's outcome-based principles map closely onto ISO 27001 Annex A, so ISO 31000 + ISO 27005 remains the most pragmatic multi-jurisdiction foundation for firms operating on both sides of the Channel. The forthcoming UK Cyber Security and Resilience Bill is expected to align the UK more closely with NIS2 without fully adopting it.

Norway (EEA)

Norway applies EU cybersecurity law via the EEA agreement. Notably, Norway has resisted publishing its own ISO 27001 variant, instead layering national and sector rules on top of ISO/IEC 27001:2022 — so a 27001/27005-based programme is the right baseline for Norwegian operations. The Nasjonal sikkerhetsmyndighet (NSM) publishes the influential ICT Security Principles, and the Sikkerhetsloven (National Security Act) governs entities tied to fundamental national functions. Norway's transposition of NIS2 via its Digital Security Act framework is progressing, with NSM as the central authority. The Norwegian DPA, Datatilsynet, supervises the GDPR/personvern dimension of risk.

Bottom line for European operators: an ISO 31000 umbrella with an ISO/IEC 27005 information-security risk process gives you the strongest single foundation across the EU-27, the EEA, and the UK — then you layer the jurisdiction-specific obligations (NIS2 reporting, DORA audit, FCA impact tolerances) on top.


Common Mistakes When Adopting a Framework

  1. Treating risk assessment as an annual checkbox. A risk register that is refreshed once a year and then filed away does not reduce risk and will not survive a NIS2 or DORA inspection. Effective frameworks are continuous.
  2. Confusing the framework with the controls. Jumping straight to MFA and encryption without a framework means you cannot explain why you chose those controls or whether they address your actual risks.
  3. Adopting one framework for everything. Enterprise, IT-governance, information-security, and quantitative risk have different dynamics. A layered approach almost always beats forcing one standard to do every job.
  4. Failing to connect risk to evidence. Your risk register, treatment decisions, and residual-risk acceptances are your compliance evidence. If a regulator, auditor, or enterprise buyer cannot see them, the framework provides no assurance value.

From Framework Outputs to Governed Trust Center Evidence

A risk management framework produces exactly the artefacts that customers, auditors, and regulators want to see: a current risk register, documented treatment decisions, evidence of board oversight, and proof that residual risk aligns with stated risk appetite. The recurring failure mode is that these outputs live in spreadsheets and slide decks that nobody outside the risk team can access.

This is where a Trust Center becomes the external evidence layer for your framework. Instead of re-keying your ISO 27005 risk treatment plan into a 200-question security questionnaire for every prospect, you publish governed, versioned evidence once — your ISO 27001 certificate, your NIS2/DORA risk-management posture, your control status — and let buyers and their AI agents self-serve it.

Compliance automation closes the loop by collecting the underlying evidence continuously and feeding it into that external-facing layer, so the gap between "we have a framework" and "we can prove it" disappears.


Frequently Asked Questions

What is a risk management framework?

A risk management framework is a structured set of principles, processes, and practices for identifying, assessing, treating, monitoring, and reporting risk in a repeatable way. Recognized examples include ISO 31000, NIST RMF, COSO ERM, COBIT 2019, FAIR, and ISO/IEC 27005. Under NIS2 Article 21 and DORA Article 6, in-scope European organizations must operate a documented framework.

What are the main types of risk management frameworks?

There are three families: enterprise/principles-based (ISO 31000, COSO ERM), IT and information-security (NIST RMF, ISO/IEC 27005, COBIT 2019), and quantitative (FAIR). Most mature organizations layer them, with an umbrella framework plus domain-specific ones.

What is the difference between ISO 31000 and NIST RMF?

ISO 31000 is a broad, principles-based standard for any kind of risk that tells you how to think about risk. NIST RMF (SP 800-37) is a prescriptive seven-step process for information systems and cybersecurity, tied to the SP 800-53 control catalogue. Many organizations use ISO 31000 as the umbrella and NIST RMF for the technical process.

How do NIS2 and DORA map to ISO 27005?

NIS2 Article 21(2)(a) requires risk-analysis policies, detailed further by Implementing Regulation (EU) 2024/2690; ISO/IEC 27005 supplies the methodology. DORA Article 6 requires a documented ICT risk management framework reviewed at least annually; ISO 27005 provides the ICT risk process, usually paired with COBIT 2019 for governance.

Which risk management framework is best for ISO 27001?

ISO/IEC 27005, because it satisfies ISO 27001 Clause 6.1's risk-assessment requirement directly. Organizations with enterprise risk beyond information security often add ISO 31000 as the overarching framework.

Can you use more than one risk management framework at once?

Yes — most regulated organizations layer ISO 31000 (umbrella), COBIT 2019 (IT governance), ISO 27005 or NIST RMF (information-security process), and FAIR (quantification). Clear governance and a single risk register keep them complementary.

What is the ENISA risk management framework?

ENISA's Interoperable EU Risk Management Framework (2022) and Toolbox (2023) provide a shared methodology and vocabulary for EU cyber risk, mapping existing frameworks to each other. ENISA also produced the technical guidance behind the NIS2 Implementing Regulation (EU) 2024/2690.

How is a risk management framework different from a control framework?

A risk management framework is the process and governance layer (how you decide). A control framework, like ISO 27001 Annex A or NIST SP 800-53, is the catalogue of safeguards (what you implement). They work together.

Do small companies need a formal risk management framework?

They need a documented, repeatable process — especially if in scope of NIS2, supplying ISO 27001-requiring buyers, or acting as an ICT provider to a DORA-regulated entity. ISO/IEC 27005 or a lightweight ISO 31000 application is usually the most proportionate start.


Sources & References

[¹] Moradi, P. — "COSO-ERM, NIST RMF, ISO 31000, COBIT" (framework comparison): https://www.linkedin.com/pulse/coso-erm-nist-rmf-iso-31000-cobit-pooyan-moradi

[²] ISACA — "Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements" (2025): https://www.isaca.org/resources/white-papers/2025/resilience-and-security-in-critical-sectors-navigating-nis2-and-dora-requirements

[³] ISACA — COBIT 2019 Framework (Governance and Management Objectives): https://www.isaca.org/resources/cobit

[⁴] EUR-Lex — Directive (EU) 2022/2555 (NIS2), Article 21; and Implementing Regulation (EU) 2024/2690: https://eur-lex.europa.eu/eli/dir/2022/2555/oj | https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj

[⁵] ISO — ISO 31000:2018 Risk Management — Guidelines: https://www.iso.org/standard/65694.html

[⁶] EUR-Lex — Regulation (EU) 2022/2554 (DORA), Article 6 (ICT risk management framework); ISO/IEC 27005:2022: https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng | https://www.iso.org/standard/80585.html

[⁷] The Open Group — Open FAIR Body of Knowledge (Risk Taxonomy O-RT and Risk Analysis O-RA): https://www.opengroup.org/open-fair

[⁸] ENISA — Interoperable EU Risk Management Framework & Toolbox; Technical implementation guidance on cybersecurity risk-management measures: https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework | https://www.enisa.europa.eu/topics/risk-management

[⁹] FCA — PS21/3 Building Operational Resilience and PS26/2 Operational Incident & Third-Party Reporting; NCSC — Cyber Assessment Framework (CAF) v4.0: https://www.fca.org.uk/publications/policy-statements/ps21-3-operational-resilience | https://www.ncsc.gov.uk/collection/cyber-assessment-framework

[¹⁰] National NIS2 competent authorities — European Commission NIS2 implementation pages (Germany / France / Netherlands) and ANSSI: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive-france | https://cyber.gouv.fr/en/regulations/the-nis-2-directive/

[¹¹] National DORA competent authorities — BaFin (Germany), ACPR/AMF (France), DNB/AFM (Netherlands): https://www.bafin.de/EN/die-bafin/die-bafin_node_en.html | https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
