
NIS2 vs. ISO 27001: What Overlaps, What Doesn't, and What You Still Need to Do

By NIS2Certify

If your organisation is ISO 27001 certified, you're ahead of most. The information security management system (ISMS) you've built covers a large portion of what NIS2 requires. But "a large portion" is not "all of it."

NIS2 introduces specific obligations that ISO 27001 does not address — and the consequences of missing them are severe. This article gives you a clear, practical comparison so you know exactly where you stand.


The short answer

NIS2 vs ISO 27001 — Requirements Comparison

NIS2 only:
  • Mandatory incident reporting to authorities (24h / 72h)
  • Board-level personal liability for cybersecurity
  • Supply chain security obligations for essential entities
  • Sector-specific regulatory obligations

Shared requirements:
  • Information security risk management
  • Access control and identity management
  • Business continuity and disaster recovery
  • Security awareness and training

ISO 27001 only:
  • Internal audit and management review cycles
  • Statement of Applicability (SoA) documentation
  • Formal certification and third-party audit

The "shared requirements" group lists what both NIS2 and ISO 27001 require.

ISO 27001 gives you the management system. NIS2 adds legal obligations on top of it — with hard deadlines, personal liability, and government reporting.


Detailed comparison: the 10 Article 21 measures

Article 21 of NIS2 lists ten measure categories that organisations must implement. Here is how each maps to ISO 27001:

1. Risk analysis & security policies
   ISO 27001 coverage: Fully covered (clauses 6.1, 8.2, Annex A)
   Gap? ✅ No gap

2. Incident handling
   ISO 27001 coverage: Mostly covered (A.5.24-A.5.28)
   Gap? ⚠️ Gap: NIS2 requires 24h notification to authorities + 72h follow-up + 1-month final report. ISO 27001 has no such external reporting timeline.

3. Business continuity & crisis management
   ISO 27001 coverage: Mostly covered (A.5.29-A.5.30)
   Gap? ⚠️ Gap: NIS2 emphasises crisis management procedures beyond standard BCP, including coordination with national CSIRTs.

4. Supply chain security
   ISO 27001 coverage: Partially covered (A.5.19-A.5.23)
   Gap? ⚠️ Gap: NIS2 requires specific security assessments of each direct supplier. ISO 27001 addresses supplier relationships but not with the same depth or mandatory supply chain risk assessments.

5. Secure development & maintenance
   ISO 27001 coverage: Covered (A.8.25-A.8.33)
   Gap? ✅ Minor gap

6. Effectiveness assessment
   ISO 27001 coverage: Covered (clause 9, internal audits)
   Gap? ✅ No gap

7. Cyber hygiene & training
   ISO 27001 coverage: Covered (A.6.3)
   Gap? ✅ No gap for staff, but NIS2 mandates board training, which ISO 27001 does not

8. Cryptography & encryption
   ISO 27001 coverage: Covered (A.8.24)
   Gap? ✅ No gap

9. HR security & access control
   ISO 27001 coverage: Covered (A.6.1-A.6.6, A.8.2-A.8.5)
   Gap? ✅ No gap

10. MFA & secure communications
   ISO 27001 coverage: Partially covered (A.8.5)
   Gap? ⚠️ Gap: NIS2 explicitly mandates MFA and secured emergency communications. ISO 27001 recommends but does not mandate MFA.

The 6 critical gaps: what ISO 27001 doesn't cover

1. Mandatory incident reporting to authorities

This is the biggest operational gap. Under NIS2:

  • Within 24 hours: You must notify your national supervisory authority and CSIRT
  • Within 72 hours: Submit a follow-up with severity assessment
  • Within 1 month: Deliver a final report with root cause analysis

ISO 27001 requires you to have an incident management process, but it does not require reporting to government authorities within specific timeframes. If you only follow ISO 27001, you have no process for this — and missing the 24-hour window can result in additional penalties.

2. Personal board liability

Under NIS2 Article 20, individual board members:

  • Must approve cybersecurity risk management measures
  • Must supervise their implementation
  • Can be held personally liable for non-compliance
  • Are required to undergo cybersecurity training

ISO 27001 requires "top management commitment" but does not create personal legal liability for individual directors. This is a fundamental difference.

3. Mandatory board cybersecurity training

NIS2 explicitly requires that management body members undergo training to identify risks and assess the adequacy of measures. ISO 27001's awareness training (A.6.3) targets all personnel but does not specifically require board-level cybersecurity education.

4. Registration with national authority

NIS2 entities must register with their national competent authority. This is a purely regulatory obligation that doesn't exist in ISO 27001.

5. Specific supply chain security requirements

While ISO 27001 addresses supplier relationships (Annex A.5.19-A.5.23), NIS2 goes further by requiring organisations to:

  • Assess the cybersecurity practices of each direct supplier
  • Consider the overall quality of products and cybersecurity practices of suppliers
  • Take into account the results of coordinated EU-level supply chain risk assessments

6. Explicit MFA and emergency communications mandate

NIS2 Article 21(2)(j) specifically requires multi-factor authentication and secured emergency communication systems. ISO 27001 treats MFA as a control option, not a requirement.


Where ISO 27001 actually helps

Despite the gaps, having ISO 27001 gives you a significant advantage:

  • Risk management framework — your ISMS provides the structured approach NIS2 expects
  • Documentation culture — NIS2 requires demonstrable compliance, and ISO 27001 organisations are already used to maintaining evidence
  • Internal audit process — maps directly to NIS2's effectiveness assessment requirement
  • Continuous improvement cycle — Plan-Do-Check-Act aligns well with NIS2's expectations
  • Supplier management — you have a foundation to build NIS2-specific supply chain requirements on
  • Staff awareness — your training programmes likely cover most of what NIS2 requires for general staff

Estimates suggest that organisations with ISO 27001 already cover 60-70% of NIS2 requirements. The remaining 30-40% is where targeted effort is needed.


Practical roadmap: from ISO 27001 to NIS2 compliance

If you have ISO 27001, here's your action plan:

Phase 1: Close the reporting gap (high priority)

  • Build an incident reporting process that meets the 24h / 72h / 1-month NIS2 timelines
  • Identify your national competent authority and CSIRT
  • Create report templates that meet NIS2 requirements
  • Rehearse the process with a tabletop exercise

Phase 2: Address board governance (high priority)

  • Brief your board on their personal liability under Article 20
  • Schedule board cybersecurity training
  • Establish regular board reporting on cybersecurity status
  • Document board approvals of risk management measures

Phase 3: Strengthen supply chain security (medium priority)

  • Conduct cybersecurity assessments of your direct suppliers
  • Add NIS2-specific clauses to supplier contracts
  • Establish ongoing monitoring of supplier security posture

Phase 4: Technical controls (medium priority)

  • Implement MFA on all critical systems if not already in place
  • Establish secured emergency communication channels
  • Document and test these controls

Phase 5: Registration and compliance documentation

  • Register with your national authority
  • Compile your NIS2 compliance dossier — mapping your existing ISO 27001 documentation to NIS2 requirements
  • Identify and fill any remaining documentation gaps

Common questions

"Can ISO 27001 certification serve as proof of NIS2 compliance?"

Not directly. NIS2 Article 21(5) allows the European Commission to adopt implementing acts that recognise certifications, but ISO 27001 is not automatically accepted as proof of full NIS2 compliance. It demonstrates a strong security posture, but you still need to address the specific gaps outlined above.

"Should we pursue ISO 27001 if we don't have it yet?"

If you're starting from scratch, focusing on NIS2 compliance directly may be more efficient. ISO 27001 is valuable but it's a broader standard. If you need to meet NIS2 deadlines quickly, address the 10 Article 21 measures directly and consider ISO 27001 as a longer-term goal.

"We have ISO 27001 — how long will NIS2 compliance take?"

With ISO 27001 in place, most organisations can close the gaps in 3-6 months with focused effort. Without ISO 27001, expect 6-12 months.


Find out exactly where your gaps are

Our free NIS2 quickscan maps your current state against all 10 Article 21 measure categories. If you already have ISO 27001, the scan will show you precisely where the NIS2-specific gaps are — so you can focus your effort where it matters most.
