{"risk_to_measures":[{"risk_id":"RISK-001","risk_title":"Cloud Provider Outage \u2014 Critical Services","risk_level":"high","frameworks":["DORA Art. 11","MaRisk AT 7.2","ISO 27001 A.8.14"],"measures_count":3,"score":15},{"risk_id":"RISK-002","risk_title":"Unauthorized Data Modification in Core Banking","risk_level":"high","frameworks":["DORA Art. 9(4)","MaRisk AT 7.2","ISO 27001 A.8.2"],"measures_count":3,"score":10},{"risk_id":"RISK-003","risk_title":"Third-Party Data Leakage via API","risk_level":"high","frameworks":["DORA Art. 28","MaRisk AT 9","ISO 27001 A.8.11"],"measures_count":3,"score":12},{"risk_id":"RISK-004","risk_title":"Critical ICT Service Provider Concentration","risk_level":"high","frameworks":["DORA Art. 28(3)","MaRisk AT 9","ISO 27001 A.5.19"],"measures_count":3,"score":12},{"risk_id":"RISK-005","risk_title":"TLPT Non-Compliance (Overdue)","risk_level":"critical","frameworks":["DORA Art. 24-25","MaRisk AT 4.3.5"],"measures_count":2,"score":20},{"risk_id":"RISK-006","risk_title":"Legacy System Single Point of Failure","risk_level":"medium","frameworks":["DORA Art. 11(4)","MaRisk AT 7.2"],"measures_count":2,"score":12},{"risk_id":"RISK-007","risk_title":"Ransomware Attack on Critical Systems","risk_level":"high","frameworks":["DORA Art. 11","MaRisk BT 3.2","ISO 27001 A.8.7"],"measures_count":3,"score":15},{"risk_id":"RISK-008","risk_title":"Sub-Contractor Non-Compliance Cascade","risk_level":"medium","frameworks":["DORA Art. 30","MaRisk AT 9","ISO 27001 A.5.20"],"measures_count":3,"score":6},{"risk_id":"RISK-009","risk_title":"DDoS Attack on Customer-Facing Platforms","risk_level":"medium","frameworks":["DORA Art. 11","ISO 27001 A.8.20"],"measures_count":2,"score":12},{"risk_id":"RISK-010","risk_title":"Information Register Submission Delay","risk_level":"medium","frameworks":["DORA Art. 
28(3)","ITS 2024\/1777"],"measures_count":2,"score":9},{"risk_id":"RISK-011","risk_title":"AI Governance Framework Deficiency","risk_level":"high","frameworks":["EU AI Act Art. 6-8","MaRisk AT 7.2","ISO 27001 A.5.36"],"measures_count":3,"score":16},{"risk_id":"RISK-012","risk_title":"Cloud Exit Strategy Gap","risk_level":"high","frameworks":["DORA Art. 28(3)","MaRisk AT 9","ISO 27001 A.5.19"],"measures_count":3,"score":15},{"risk_id":"RISK-013","risk_title":"Insider Threat Data Exfiltration","risk_level":"high","frameworks":["DORA Art. 9(4)","MaRisk BT 3.2","ISO 27001 A.8.12"],"measures_count":3,"score":10},{"risk_id":"RISK-014","risk_title":"Legacy Cryptographic Algorithm Risk","risk_level":"medium","frameworks":["BSI TR-02102","ISO 27001 A.8.24","MaRisk AT 7.2"],"measures_count":3,"score":9},{"risk_id":"RISK-015","risk_title":"Supply Chain Audit Right Not Enforceable","risk_level":"high","frameworks":["DORA Art. 30","MaRisk AT 9","ISO 27001 A.5.20"],"measures_count":3,"score":12},{"risk_id":"RISK-016","risk_title":"Zero-Day Vulnerability in Core Banking Platform","risk_level":"critical","frameworks":["DORA Art. 11(3)","MaRisk AT 7.2","ISO 27001 A.8.8"],"measures_count":3,"score":20},{"risk_id":"RISK-017","risk_title":"Data Center Cooling System Failure","risk_level":"medium","frameworks":["ISO 27001 A.7.2","MaRisk AT 7.3"],"measures_count":2,"score":8},{"risk_id":"RISK-018","risk_title":"GDPR Non-Compliance in Customer Data Processing","risk_level":"high","frameworks":["GDPR Art. 6-7","DSGVO Art. 6-7","ISO 27001 A.5.33"],"measures_count":3,"score":12}],"compliance_summary":{"total_risks":18,"critical_risks":2,"overdue_items":1,"vendor_attention":3,"average_vendor_score":83,"framework_scores":{"risk_management":44,"third_party":83,"dora":45,"marisk":30,"iso27001":65,"nis2":40,"overall":51}},"evidence_gaps":[{"control":"Digital Operational Resilience Testing","id":"GOV-05","missing_in":["marisk","iso27001","nis2"],"note":"Unique to DORA Art. 24-25. 
TLPT itself is mandated by DORA Art. 26-27 (Art. 24-25 set the general digital operational resilience testing programme); the other mapped frameworks (MaRisk, ISO 27001, NIS2) carry no equivalent threat-led penetration testing requirement."},{"control":"Information Register & Asset Management","id":"GOV-06","missing_in":["marisk"],"note":"DORA Art. 28(3) requires a register of information on all contractual arrangements with ICT third-party service providers. ISO 27001 A.5.9 covers only the basic asset inventory and does not require contractual-arrangement details."},{"control":"Cryptography & Key Management","id":"GOV-08","missing_in":["marisk"],"note":"ISO 27001 A.8.24 (use of cryptography) is the most detailed control. DORA Art. 9(4)(d) requires encryption based on data classification and protection of cryptographic keys at Level 1; detailed encryption and key-management requirements sit in the ICT risk-management RTS (Delegated Regulation (EU) 2024/1774) - verify the gap against the RTS, not only the Regulation text."},{"control":"Network Security & Segmentation","id":"GOV-09","missing_in":["dora","marisk"],"note":"ISO 27001 A.8.20-8.22 and NIS2 Art. 21 cover network security. DORA Level 1 addresses it only generally (Art. 9(4)(b) network and infrastructure management, including automated isolation of affected assets); explicit segmentation requirements are in the ICT risk-management RTS (2024/1774) - verify before treating this as a DORA gap."},{"control":"Physical Security & Environmental Controls","id":"GOV-10","missing_in":["dora","marisk","nis2"],"note":"Most detailed in ISO 27001 A.7.1-7.14. DORA Art. 9(4)(c) (limiting physical and logical access to ICT assets) and NIS2 Art. 21(2) (all-hazards protection of the 'physical environment' of network and information systems) address physical security only at a high level - treat this as a detail gap rather than an absence."},{"control":"Threat Intelligence & Sharing","id":"GOV-15","missing_in":["marisk"],"note":"NIS2 addresses cyber-threat information sharing in Art. 29 (voluntary information-sharing arrangements); DORA addresses it in Art. 45 (information-sharing arrangements on cyber threat information and intelligence) and Art. 13 (gathering information on vulnerabilities and cyber threats). The earlier Art. 21(6) and Art. 14 citations do not correspond to those provisions and should be re-checked before this mapping is relied on."},{"control":"Incident Response Automation","id":"GOV-18","missing_in":["marisk","iso27001"],"note":"DORA Art. 10(2) requires detection mechanisms with alert thresholds and automatic alert mechanisms to trigger incident response; Art. 17-18 cover the incident management process and incident classification. NIS2 references automated reporting."},{"control":"Mobile Device Management","id":"GOV-19","missing_in":["dora","marisk"],"note":"ISO 27001:2022 A.8.1 (user endpoint devices) covers mobile and endpoint device policy; A.8.10 is information deletion, so the earlier citation should be corrected. NIS2 references endpoint security measures broadly."}],"timestamp":"2026-06-30T07:12:44+00:00"}