Frameworks vs Regulations: what to implement and why
Estimated reading time: 8 minutes
In a world saturated with standards and rules, the advantage lies in knowing how to integrate what is required with what creates real maturity.
The question is what makes sense and what is required for your reality, your risks and your legal obligations.
In this article, we will clarify the differences between frameworks and regulations, and help you understand what you really should implement and why.
Frameworks: guiding lines, not impositions
Frameworks are sets of best practices, logical structures and recommendations that guide the implementation of management, security or governance systems.
They are voluntary, but highly valued because they are proven and tested practices, especially in audits, public tenders, customer relationships and reputational risk management.
Examples of frameworks:
- ISO/IEC 27001 – Information security management
- ISO 22301 – Business continuity
- NIST CSF – Cybersecurity framework (USA)
- COBIT 2019 – IT governance and management
- CSA CCM – Cloud security control framework
- CSA AICM – AI technology controls
Why implement them?
- They demonstrate organisational maturity
- They enable alignment with international standards
- They are globally recognised
- They help prepare for future regulations
- They support certifications that increase credibility
Regulations and directives: legal obligations
Regulations and directives are legal instruments of the European Union. They have legal force and must be complied with by all entities in scope.
Non-compliance can result in sanctions, fines, loss of contracts or legal proceedings.
Examples:
- NIS 2 (2022/2555) – Security of networks and systems in essential sectors
- DORA (2022/2554) – Operational resilience in the financial sector
- Cyber Resilience Act (2024/2847) – Security of digital products in the European market
- GDPR (2016/679) – Personal data protection
- AI Act (2024/1689) – Regulation of artificial intelligence systems
Why comply?
- Direct legal obligation
- Supervision by national regulatory authorities
- Significant penalties in the event of non-compliance
- Reputation at risk in the event of an unreported or unmanaged incident
The common mistake: applying only frameworks… when legal obligations already apply
Many organisations implement ISO/IEC 27001 or the NIST CSF and assume that this is enough to comply with regulations such as NIS 2 or DORA. It is not: it is necessary to go further.
Frameworks help, but they do not replace the specific obligations set out in the regulations.
Example:
- ISO/IEC 27001 helps structure and manage information security by defining generic requirements.
- But NIS 2 requires compliance with specific requirements, for example 24-hour incident reporting, accountability and specific commitments from top management, and supply chain mapping, among other points that go beyond ISO.
So, what should you implement?
If you are in an important, essential or critical sector:
- Implement the applicable regulations (NIS 2, DORA, CER, CRA…)
- Complement them with frameworks such as ISO/IEC 27001, ISO 22301, NIST CSF to ensure robustness and maturity
If you do not yet have direct legal obligations:
- Start with recognised frameworks (e.g. ISO/IEC 27001, NIST CSF)
- Anticipate future regulation
- Reduce risks and increase market confidence
Practical tip: cross-mapping
Many Behaviour courses include mapping between regulations and frameworks. For example:
- ISO/IEC 27001 supports compliance with NIS 2
- ISO 22301 supports DORA requirements
- NIST CSF and SSDF strengthen preparedness for the CRA
This makes it possible to get the most out of your effort and avoid duplicate work.
Recommended training to align frameworks and regulations
Frameworks guide. Regulations impose obligations. The key lies in knowing when to use each one and how to integrate them.
Those who rely only on the legal minimum comply. Those who combine frameworks + regulations lead.
At Behaviour, we train professionals and teams to act with confidence, clarity and vision, whether to obtain certification, ensure compliance or create competitive advantage.
Author: Behaviour
Published on: 15 October 2025