
NIS2 vs ISO 27001: Key Differences and How They Work Together

NIS2 and ISO 27001 are both cybersecurity frameworks, but they are not the same. Learn the key differences, overlaps, and whether ISO 27001 certification satisfies NIS2 Article 21 obligations.

TL;DR

ISO 27001 and NIS2 overlap significantly but are not the same. ISO 27001 certification satisfies many Article 21 requirements, but not all. Authority registration, 24h/72h notification duties, and management personal liability are exclusive to NIS2. Implementing both together is the most efficient path to NIS2 compliance.

Many compliance teams ask: if we're already ISO 27001 certified, are we automatically NIS2-compliant? The short answer is no, but the overlaps are substantial, and ISO 27001 provides a solid foundation.

This article explains the difference between the two frameworks, which Article 21 measures are covered by ISO 27001, which are not, and how to find the most efficient path to dual compliance.

What Is the Difference?

| Criterion | ISO 27001 | NIS2 |
|---|---|---|
| Nature | Voluntary standard (certifiable) | EU law (mandatory) |
| Scope | Any organisation worldwide | In-scope EU entities only |
| Audit authority | Accredited certification body | National competent authority |
| Fines | None (loss of certification) | Up to €10M / 2% turnover |
| Incident reporting | Not required | 24h / 72h mandatory |
| Supply chain | Annex A.15 (recommended) | Art. 21(2)(d) (mandatory) |
| Management liability | Indirect (leadership commitment) | Direct personal liability (Art. 20) |
| Authority registration | No requirement | Mandatory (Art. 3) |

Where Do NIS2 and ISO 27001 Overlap?

NIS2's 10 Article 21 measures map closely to ISO 27001:2022 Annex A controls. If you have implemented ISO 27001, you have likely already addressed these NIS2 requirements:

- Art. 21(2)(a): Risk analysis → ISO 27001 Clause 6.1 + A.8.2
- Art. 21(2)(b): Incident handling → ISO 27001 A.5.24–A.5.28
- Art. 21(2)(c): Business continuity → ISO 27001 A.5.29–A.5.30
- Art. 21(2)(e): Network security → ISO 27001 A.8.20–A.8.22
- Art. 21(2)(g): Cyber hygiene → ISO 27001 A.6.3 + A.8.8
- Art. 21(2)(h): Cryptography → ISO 27001 A.8.24
- Art. 21(2)(i): Access control → ISO 27001 A.5.15–A.5.18
- Art. 21(2)(j): MFA → ISO 27001 A.8.5

What ISO 27001 Does NOT Cover

Despite the significant overlap, there are material NIS2 requirements that fall outside the ISO 27001 framework:

Mandatory authority registration
NIS2 requires registration with the national competent authority (Art. 3(3)). ISO 27001 has no such requirement. Without registration, you risk a fine before any security incident has occurred.

24h/72h incident notification duty
ISO 27001 requires an incident management process but does not mandate regulatory notifications within specific time windows. Under NIS2, the early warning must be issued within 24 hours of becoming aware of a significant incident, followed by the incident notification within 72 hours.

Management board personal liability
NIS2 Article 20 makes management bodies personally liable and requires them to attend training. ISO 27001 only requires 'leadership commitment' (Clause 5.1). This is a material difference in liability exposure.

Regulatory enforcement and fines
Non-compliance with NIS2 can result in fines of up to €10 million or 2% of global turnover. ISO 27001 has no regulatory sanction mechanism.
📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Full Control Mapping: All 10 Article 21 Measures

Here is the full mapping of all 10 NIS2 Article 21 measures to ISO 27001:2022 controls, including the coverage level:

| NIS2 Article 21 Measure | ISO 27001:2022 Reference | Coverage |
|---|---|---|
| 21(2)(a): Risk analysis and security policies | Clause 6.1, 6.2, A.5.1, A.8.2 | Full |
| 21(2)(b): Incident handling | A.5.24–A.5.28 | Partial (no authority notification) |
| 21(2)(c): Business continuity and backup | A.5.29, A.5.30, A.8.13, A.8.14 | Full |
| 21(2)(d): Supply chain security | A.5.19–A.5.23 | Full |
| 21(2)(e): Network and system security | A.8.20–A.8.22, A.8.25–A.8.28 | Full |
| 21(2)(f): Effectiveness assessment of security measures | Clause 9.1, 9.2, A.5.35, A.5.36 | Full |
| 21(2)(g): Cyber hygiene and training | A.6.3, A.8.7, A.8.8 | Partial (no management training obligation) |
| 21(2)(h): Cryptography and encryption | A.8.24 | Full |
| 21(2)(i): HR security and access control | A.5.15–A.5.18, A.6.1–A.6.5 | Full |
| 21(2)(j): Multi-Factor Authentication | A.8.5 | Full |

Does NIS2 Recognise ISO 27001 as Proof of Compliance?

The NIS2 Directive itself does not explicitly cite ISO 27001 as sufficient. That is left to member states. In practice:

🇩🇪 Germany: BSI recommends ISO 27001 or IT-Grundschutz as acceptable assurance frameworks, but not as a full substitute for NIS2 registration and reporting duties.
🇧🇪 Belgium: The CyberFundamentals Framework (CFF) at 'Essential' level is aligned with ISO 27001 and accepted by CCB as a NIS2 assurance framework.
🇫🇷 France: ANSSI acknowledges ISO 27001 as a useful starting point but requires additional ANSSI-specific evidence for the highest risk tiers.

Cost Comparison: ISO 27001 vs. NIS2-Only vs. Both

For medium-sized companies (50–250 employees) with no existing formal security framework, approximate costs are:

| Approach | Initial implementation | Annual costs | Notes |
|---|---|---|---|
| NIS2 without ISO 27001 | €40,000–100,000 | €15,000–35,000 | No internationally recognised certificate |
| ISO 27001 without NIS2 extras | €50,000–120,000 | €20,000–40,000 | Insufficient without registration and notification processes |
| Both together | €60,000–130,000 | €20,000–40,000 | Most efficient approach, internationally recognised certificate |

Indicative figures. Actual costs vary considerably based on existing infrastructure and the choice between internal implementation and external consultancy.

Recommendation: Implement Both Together

The most efficient strategy is to use ISO 27001 as your ISMS foundation and layer NIS2-specific requirements on top:

  1. Implement or certify to ISO 27001 as your ISMS framework
  2. Determine your NIS2 scope (Essential or Important Entity?)
  3. Register with your national competent authority
  4. Map ISO 27001 controls to NIS2 Article 21 and identify gaps (focus on incident notification, management training)
  5. Build 24h/72h notification procedures and authority communication channels
  6. Establish management training and approval documentation under Article 20
  7. Formalise supply chain risk assessments specifically for NIS2 Art. 21(2)(d)

Where do you stand on NIS2 compliance?

Use our free Article 21 Gap Assessment to check your current controls against all 10 NIS2 measures.

Frequently Asked Questions

Does ISO 27001 make NIS2 compliance unnecessary?
No. ISO 27001 is a voluntary standard that covers many Article 21 controls but does not include authority registration, incident reporting obligations, or management liability provisions.

Can we present ISO 27001 certification as evidence to NIS2 authorities?
In many EU countries, ISO 27001 is viewed favourably, but authorities typically require specific evidence for NIS2-specific requirements such as incident notifications and registration.

What is the fastest path to NIS2 compliance if we already have ISO 27001?
Conduct a gap assessment to identify NIS2-specific requirements not covered by your ISMS. Focus on registration, incident notification procedures, and management-level training.

Is there an official NIS2 certification like ISO 27001?
No. NIS2 itself does not provide for its own certification. ENISA develops cybersecurity certification schemes under the EU Cybersecurity Act (CSA), but these are not the same as a NIS2 compliance certificate. NIS2 conformity is determined through authority supervision and inspection, not external certification.

Does ISO 27001 also cover the supply chain requirements under NIS2?
ISO 27001 Annex A.5.19–A.5.23 covers supplier security and maps well to NIS2 Article 21(2)(d). However, the NIS2 requirements are more specific in some areas, for example on assessing vulnerability disclosure policies and the secure development practices of software suppliers.