The ADR/NOREA Cbw Control Framework: from NIS2 obligation to demonstrable control

With the introduction of the Cybersecurity Act (Cbw), there is a growing need for a practical and uniform approach to NIS2 compliance.

The Cbw (NIS2) Control Framework was launched in September 2025 by the Central Government Audit Service (ADR) and NOREA and was further developed in May 2026.
What makes this framework unique is that it helps organisations to align directly with the legal requirements of the Cybersecurity Act (Cbw) and the Cybersecurity Decree (Cbb). It does not introduce a new standard or replace the legislation, but offers a practical structure to make existing obligations transparent, manageable, demonstrable and auditable.

In addition, the framework is designed as a living model and includes mappings to, amongst others:

BIO2
NEN 7510
DORA
The implementing regulation for ICT service providers

This creates a powerful starting point for organisations that need to combine multiple compliance obligations within a single integrated approach.

As a living framework, it is continuously adapted to new legislation and regulations, as well as sector-specific developments. For example, the May 2026 update includes an English-language version, additional mappings and clarifications, as well as an extension featuring a mapping to NEN 7510 for organisations in the healthcare sector.

From compliance to demonstrable control
A key advantage of the Cbw Control Framework is its modular design. Organisations can combine relevant standards frameworks, whilst sector-specific or irrelevant requirements can easily be added, removed or filtered out.

Within IRM360, we have integrated the framework so that organisations can:

✓ Utilise mappings to existing standards frameworks such as ISO 27001
✓ Can translate audit information into demonstrable compliance for both ISMS and GRC users

Integrated into IRM360, the ADR/NOREA Cbw Control Framework provides a practical basis for many organisations to efficiently implement compliance obligations, demonstrate compliance and translate this into continuous improvement, risk management and corporate accountability.

Would you like to see how this framework is used within IRM360 for Cbw/NIS2, BIO2, DORA, NEN 7510 or ISO 27001 compliance? Please contact us for a demonstration or a no-obligation consultation.