Multi-framework 2026: NIS 2, ISO 27001, CSRD, Sapin 2 — the overlap map your team doesn't have time to create

60% of the documentary evidence produced for NIS 2, ISO 27001, CSRD, and Sapin 2 overlaps.

Yet, most companies continue to produce the same documents multiple times, for multiple audits, with multiple teams.

The problem: siloed compliance

Your compliance team consists of three people.

They manage six frameworks.

Last year, they:

  • Responded to 4 external audits
  • Produced 2 regulatory reports
  • Prepared for 3 certifications
  • Handled dozens of customer and supplier questionnaires

And despite all these efforts, much of the work had to be redone from scratch.

Not due to a lack of skills.

Simply because no one had the time to map the overlaps between the different frameworks.

The reality

A single piece of documentary evidence often meets multiple requirements:

✅ An ISO 27001 access management policy also covers NIS 2

✅ A Sapin 2 supplier assessment informs CSRD

✅ A NIS 2 incident management procedure addresses several ISO 27001 controls

Why siloing harms compliance teams

In many organizations:

  • One team manages ISO 27001
  • A consulting firm assists with NIS 2
  • The CSR manager leads CSRD
  • The legal department leads Sapin 2

Result:

  • Duplicate documents
  • Inconsistent policies
  • Longer audits
  • Artificially high workload

The hidden risk

When two auditors ask the same question and get two different answers, the discrepancy becomes a compliance issue.

Even when both answers are technically correct.

Pooling evidence therefore leads to:

  • Time savings
  • Increased consistency
  • A reduction in audit risk

The 4 frameworks at a glance

NIS 2

Objective

Strengthen the cybersecurity of essential and important entities.

Key Requirements

  • Cyber Risk Management
  • Incident Management
  • Business Continuity
  • Supplier Security
  • Access Control
  • Cryptography

Sanctions

Up to €10M or 2% of global turnover.

ISO 27001:2022

Objective

Implement an Information Security Management System (ISMS).

Key Requirements

  • Security Governance
  • Risk Management
  • Organizational Controls
  • Human Controls
  • Physical Controls
  • Technological Controls

Certification

  • Initial Audit
  • Annual Audits
  • Recertification every 3 years

CSRD

Objective

Standardize sustainability reporting.

Key Requirements

  • Governance
  • Social
  • Environment
  • Supplier Due Diligence
  • Anti-corruption Policy

Key Point

Companies already subject to Sapin 2 often have a significant portion of the required evidence.

Sapin 2

Objective

Prevent corruption and influence peddling.

The 8 Pillars

  1. Code of Conduct
  2. Risk Mapping
  3. Third-Party Assessment
  4. Accounting Controls
  5. Training
  6. Whistleblowing System
  7. Disciplinary System
  8. Program Control

Overlap Map

Domain 1 — Governance

Shareable Documents

  • Framework Policy
  • Responsibility Chart
  • Management Validation
  • Annual Reviews

💡 A single governance policy can cover all 4 frameworks.

Domain 2 — Risk Management

Shareable Documents

  • Analysis Methodology
  • Risk Register
  • Treatment Plans
  • Annual Reviews

💡 A single method can be used for cyber, corruption, and ESG risks.

Domain 3 — Supplier Assessment

Shareable Documents

  • Supplier Questionnaire
  • Contractual Clauses
  • Supplier Scoring
  • Remediation Plans

💡 This domain offers the greatest potential for sharing.

Domain 4 — Training

Shareable Documents

  • Training Plan
  • Participant Register
  • Session History
  • Coverage Rate

💡 A single training register can serve all four frameworks.

Domain 5 — Incident and Alert Management

Shareable Documents

  • Reporting procedure
  • Incident register
  • Processing workflow
  • Whistleblower policy

💡 The same system can address Sapin 2, CSRD, NIS 2, and ISO 27001.

Domain 6 — Business Continuity

Shareable Documents

  • BCP
  • DRP
  • Continuity tests
  • Dependency mapping

💡 A single BCP/DRP simultaneously covers NIS 2 and ISO 27001.

Domain 7 — Access Management

Shareable Documents

  • IAM Policy
  • Privilege management
  • Segregation of duties
  • Access Reviews

💡 A single segregation-of-duties control satisfies requirements in both ISO 27001 and Sapin 2.

Domain 8 — Reporting and Traceability

Shareable Documents

  • Compliance KPIs
  • Annual Reports
  • Internal Audits
  • Decision Registers

💡 The same data often feeds CSRD and Sapin 2 reports.

The 5 Priority Documents to Produce

1. The Unified Supplier Questionnaire

The document with the best return on investment.

It simultaneously covers:

  • NIS 2
  • ISO 27001
  • CSRD
  • Sapin 2

2. The Governance Framework Policy

A single document for all four frameworks.

3. The unified training register

A single source of truth for all audits.

4. The unified alert system

A single channel.

A single procedure.

Two frameworks covered immediately.

5. Harmonized risk mapping

A single method.

Multiple scopes.

Zero duplication.

How Optivalue.ai accelerates pooling

The problem isn't just creating the documents.

The problem is finding them.

In most companies:

  • The CISO owns the cyber documents
  • Legal owns the Sapin 2 documents
  • The CSR manager owns the ESG documents

No one has a comprehensive overview.

With Optivalue.ai

  • Document centralization
  • Cross-repository search
  • Automated responses to audit questionnaires
  • Systematically cited sources and evidence
  • Document inconsistency detection
  • Flagging expired documents

Result

Processing an audit questionnaire goes from days to hours.

Where to start this week?

Action #1

Analyze your last 3 audits and identify recurring questions.

Action #2

List your 5 documents with high reusability value.

Action #3

Centralize documents before attempting to rewrite them.

Conclusion

Companies don't suffer from a lack of documentation.

They suffer from a lack of reusability.

In 2026, effective compliance is no longer about producing the most documents.

It's about intelligently reusing existing evidence.

Discover Optivalue.ai

Centralize your compliance documentation and respond to your NIS 2, ISO 27001, CSRD, and Sapin 2 audits from a single document repository.
