
Map existing compliance work to NexCyber obligations

Last updated on Jun 02, 2026

💡 🔧 Setup — Reuse the ISO 27001, SOC 2, NIST CSF and internal compliance work you've already done — NexCyber maps it to your EU regulatory obligations.

You probably haven't started from zero. Most companies arriving at NexCyber already have some compliance estate — ISO 27001 or SOC 2 work, sector-specific certifications, internal policies, audit reports. NexCyber doesn't want you to redo any of it. Instead, it maps what you have to what EU regulations require, so each existing artefact gets the maximum re-use.

This article shows you how to bring that work in.

What can you map?

NexCyber natively understands the most common compliance frameworks:

  • ISO/IEC 27001 (Annex A controls) → CRA Annex I, NIS2 Art. 21, DORA Art. 9
  • ISO/IEC 27017 and 27018 (cloud-specific) → DORA, NIS2 for cloud-native services
  • SOC 2 (Trust Services Criteria) → NIS2 Art. 21 risk management measures
  • NIST CSF / NIST 800-53 → CRA Annex I, NIS2 Art. 21
  • EN 18031-1/-2/-3 (harmonised standards under RED) → RED cyber requirements
  • PCI DSS → DORA ICT risk + NIS2 for payment services
  • Internal control catalogues — any documented control with a description.

How to import a control catalogue

  1. Go to /evidence → Import.
  2. Pick the format:
    • ISO 27001 controls — upload a statement of applicability (SoA) Excel/CSV.
    • SOC 2 controls — upload your SOC 2 Type II report (PDF) or controls Excel.
    • NIST CSF — pick the version (1.1 / 2.0) and upload your tier matrix.
    • Custom — upload a CSV with one row per control: id, title, description, status, evidence_ref.
  3. NexCyber parses the file and asks you to confirm each row.
  4. After confirmation, each control becomes a mapped evidence item in your library, automatically linked to the NexCyber obligations it covers.

This is typically the biggest single time-saver for companies with a mature compliance estate. A SOC 2 Type II import can close 40–60% of NIS2 Art. 21 obligations on import alone.

Mapping logic — what to expect

NexCyber uses published regulatory crosswalks (ENISA NIS2 mapping, ETSI EN 18031 mapping, ISO 27001:2022 to NIS2 mapping) as the basis for each link. We never invent mappings.

For each control you import:

  • Direct mapping — the control is a 1:1 match for one or more obligations. Auto-linked, marked "Covered" if the control is implemented.
  • Partial mapping — the control covers part of an obligation. Auto-linked, marked "Partial" with a note explaining the residual gap.
  • No mapping — the control isn't relevant to your selected regulations. Stays in your evidence library but doesn't auto-link anywhere.

You can override any auto-mapping. NexCyber records who overrode what and why, for audit trail purposes.
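The custom CSV format from the import steps above and the Direct / Partial / No-mapping rules in this section can be exercised offline before you upload anything. The script below is an added example written for this article, not NexCyber's own importer: it validates a custom-format CSV (the five columns come from the article; the status vocabulary `implemented` / `partial` / `planned` / `not_applicable` is an assumption), applies a crosswalk, and records a manual override with who and why. The crosswalk table and the three sample controls are constructed for illustration; they are not a published mapping, and the only links taken from the article are the ones its vulnerability-management policy example lists.

```python
"""Validate a custom control CSV and preview how its controls would map to obligations.

Added example for this help article, not NexCyber's code. Columns come from the
article; the status vocabulary, crosswalk and sample controls are constructed.
"""
import csv
import io
from dataclasses import dataclass, field

REQUIRED_COLUMNS = ("id", "title", "description", "status", "evidence_ref")
VALID_STATUSES = {"implemented", "partial", "planned", "not_applicable"}  # assumed
RANK = {"Covered": 2, "Partial": 1, "Open": 0}  # best status wins per obligation


@dataclass
class Link:
    control_id: str
    coverage: str        # "direct" (1:1 match) or "partial" (closes part of it)
    evidence_ref: str
    note: str = ""       # residual-gap note for partial links


@dataclass
class ObligationState:
    status: str = "Open"
    links: list = field(default_factory=list)


@dataclass
class MappingResult:
    obligations: dict = field(default_factory=dict)  # obligation -> ObligationState
    unmapped: list = field(default_factory=list)     # controls with no crosswalk entry
    audit: list = field(default_factory=list)        # override records (who / why)


def parse_controls(csv_text):
    """Parse the custom CSV; reject the rows you would otherwise be asked to fix."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    controls, seen = [], set()
    for lineno, row in enumerate(reader, start=2):
        cid = row["id"].strip()
        if not cid:
            raise ValueError(f"line {lineno}: empty control id")
        if cid in seen:
            raise ValueError(f"line {lineno}: duplicate control id {cid}")
        status = row["status"].strip().lower()
        if status not in VALID_STATUSES:
            raise ValueError(f"line {lineno}: unknown status {row['status']!r}")
        seen.add(cid)
        controls.append({**row, "id": cid, "status": status})
    return controls


def map_controls(controls, crosswalk):
    """Direct + implemented -> Covered; partial -> Partial with a gap note;
    no crosswalk entry -> stays in the library unmapped."""
    result = MappingResult()
    for ctl in controls:
        entries = crosswalk.get(ctl["id"])
        if not entries:
            result.unmapped.append(ctl["id"])
            continue
        for obligation, coverage in entries:
            state = result.obligations.setdefault(obligation, ObligationState())
            if coverage == "direct" and ctl["status"] == "implemented":
                status, note = "Covered", ""
            elif coverage == "partial":
                status, note = "Partial", f"{ctl['id']} covers only part of {obligation}"
            else:
                status, note = "Open", f"{ctl['id']} linked but status is {ctl['status']}"
            state.links.append(Link(ctl["id"], coverage, ctl["evidence_ref"], note))
            if RANK[status] > RANK[state.status]:
                state.status = status
    return result


def override(result, obligation, new_status, who, why):
    """Manual override; who changed what and why is kept for the audit trail."""
    state = result.obligations[obligation]
    result.audit.append({"obligation": obligation, "from": state.status,
                         "to": new_status, "who": who, "why": why})
    state.status = new_status
    return state


# Constructed sample input (not real customer data).
SAMPLE_CSV = """id,title,description,status,evidence_ref
VM-01,Vulnerability Management Policy,Acme Vulnerability Management Policy v3,implemented,docs/vm-policy-v3.pdf
AC-03,Access control standard,Role-based access for production systems,implemented,docs/ac-standard.pdf
HR-02,Security awareness training,Annual training for all staff,planned,
"""

# Constructed crosswalk: VM-01 links follow the article's policy example; AC-03 is a
# made-up partial link; HR-02 has no entry on purpose.
SAMPLE_CROSSWALK = {
    "VM-01": [("CRA Annex I §2", "direct"), ("NIS2 Art. 21(2)(b)", "direct"),
              ("NIS2 Art. 21(2)(e)", "direct"), ("DORA Art. 17", "direct")],
    "AC-03": [("NIS2 Art. 21(2)(e)", "partial")],
}


def run_sample():
    result = map_controls(parse_controls(SAMPLE_CSV), SAMPLE_CROSSWALK)
    override(result, "DORA Art. 17", "Partial", who="j.doe",
             why="policy covers vulnerabilities, not the incident process")
    return result


if __name__ == "__main__":
    r = run_sample()
    for ob, st in sorted(r.obligations.items()):
        print(f"{ob}: {st.status} via {[l.control_id for l in st.links]}")
    print("unmapped:", r.unmapped)
    print("audit:", r.audit)
```

Running it shows NIS2 Art. 21(2)(e) ending up "Covered" even though AC-03 only partially covers it, because the direct link from the implemented VM-01 control takes precedence; the partial link is still recorded as evidence, which is the re-use behaviour the article describes.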

What about company-specific frameworks?

If you have an internal control framework that doesn't match any of the supported standards, you have two options:

  1. Map manually — for each obligation in an assessment, attach the matching internal policy or document.
  2. Request a custom mapping — Strategic plan customers can request a one-time custom crosswalk between their internal framework and NexCyber's obligation library. Contact us via the chat.

Re-using evidence across regulations

The same evidence item can link to obligations across multiple regulations. For example, a single document — "Acme Vulnerability Management Policy v3" — can satisfy:

  • CRA Annex I § 2 (vulnerability handling)
  • NIS2 Art. 21(2)(b) (incident handling) and 21(2)(e) (security in network and information systems)
  • DORA Art. 17 (ICT-related incident management process)
  • EN 18031 under RED for connected products

Link it once; coverage propagates everywhere.

Audit trail

Every mapping, override, and re-use is recorded. When an auditor asks "how do you justify that this policy closes CRA Annex I § 2 and NIS2 Art. 21(2)(b)?", you can show them the underlying crosswalk (published, sourced from ENISA / ETSI) plus your evidence — no hand-waving.

→ See "Build your evidence library"


💬 Need help?

  • Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
  • Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

โ„น๏ธ Disclaimer โ€” RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center