NIS2 vs ISO 27001: Complete Comparison and Mapping Guide (2026)
March 28, 2026
22 min read
Cybersecurity
NIS2 and ISO 27001 are both cybersecurity frameworks used across the EU, but they serve fundamentally different purposes. NIS2 (Directive 2022/2555) is a mandatory EU law with legal penalties, while ISO 27001 is a voluntary international standard for information security management. Most organisations in scope for NIS2 need both.
"We have ISO 27001, does that mean we're NIS2 compliant?" This is the single most common question we hear from security leaders across the EU. The short answer: you're roughly 70% of the way there, but the remaining gaps carry the highest risk. ISO 27001 gives you a mature ISMS, risk methodology, and a comprehensive set of controls. NIS2 adds mandatory incident reporting timelines, personal liability for management bodies, deeper supply chain requirements, and sector-specific obligations that no voluntary standard can fully address.
This guide maps every NIS2 Article 21 requirement to specific ISO 27001:2022 controls, identifies the exact gaps, and provides a practical roadmap for organisations that need to satisfy both frameworks.
Quick Reference

| Aspect | NIS2 | ISO 27001 |
|---|---|---|
| Full name | Directive (EU) 2022/2555 (NIS2) | ISO/IEC 27001:2022 |
| Type | Mandatory EU legislation | Voluntary international standard |
| Governing body | European Parliament and Council | ISO/IEC JTC 1 (International Organization for Standardization and International Electrotechnical Commission) |
| Geographic scope | EU/EEA Member States | Global |
| Who must comply | Essential and important entities across 18 sectors (Annex I and Annex II) | Any organisation (any size, any sector) |
| Mandatory? | Yes, enforced by national competent authorities | No (but often required by contracts, regulators, or customers) |
| Penalties | Up to EUR 10M or 2% of total worldwide annual turnover, whichever is higher, for essential entities (EUR 7M or 1.4% for important entities) | None (loss of certification) |
| Certification | No certification scheme; regulatory supervision | Third-party certification by an accredited body |
| Focus | Cybersecurity of network and information systems | Information Security Management System (ISMS) |
| Update cycle | Legislative review (multi-year EU process) | Standard revision (last updated 2022) |
Key Takeaways
ISO 27001 covers approximately 70% of NIS2 requirements for cybersecurity risk management under Article 21, making it the strongest available foundation for NIS2 compliance.
NIS2 is a mandatory EU law with penalties of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and EUR 7 million or 1.4% for important entities; ISO 27001 is a voluntary standard with no legal penalties.
The biggest gaps between ISO 27001 and NIS2 are incident reporting timelines (24-hour early warning and 72-hour incident notification counted from becoming aware of a significant incident, then a final report one month after that notification), personal liability for management, and supply chain security depth.
ISO 27001 certification does not automatically mean NIS2 compliance, but organisations with an existing ISMS can typically close the remaining gaps in 2 to 3 months.
ENISA recommends ISO 27001 as a reference framework for implementing NIS2 measures, and national authorities may consider existing certification during compliance assessments.
The optimal strategy is to implement ISO 27001 first (or use an existing certification) and then layer NIS2-specific requirements on top.
Organisations subject to NIS2 that lack any formal security framework should expect a 9 to 12 month implementation timeline for full compliance.
NIS2 (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a high common level of cybersecurity across all Member States by imposing mandatory risk management and incident reporting obligations on organisations in 18 critical and important sectors.
Key characteristics of NIS2:
Scope: Applies to essential entities (broadly, large entities in the Annex I sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space) and important entities (medium-sized entities in those sectors plus entities in the Annex II sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). Article 3 sets the detailed classification rules, and certain entity types are in scope regardless of size.
Risk management: Article 21(2) requires ten minimum cybersecurity measures, from risk-analysis and information system security policies (a) to multi-factor authentication and secured communications (j).
Incident reporting: Article 23 mandates a multi-stage process for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours of becoming aware, intermediate reports on request, and a final report no later than one month after the incident notification.
Management liability: Article 20 requires management bodies to approve and oversee the cybersecurity risk-management measures and to follow cybersecurity training; they can be held liable for infringements, and for essential entities Article 32 allows a temporary ban on exercising managerial functions.
Penalties: Article 34 sets maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and EUR 7 million or 1.4% for important entities.
National transposition: Member States were required to transpose NIS2 into national law by 17 October 2024; transposition has been uneven, but national enforcement regimes are now coming into force across the EU.
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing information security risks through policies, processes, and controls.
Key characteristics of ISO 27001:
Management system approach: Clauses 4 through 10 define requirements for context analysis, leadership commitment, risk planning, support resources, operational controls, performance evaluation, and continuous improvement.
93 Annex A controls: Organised across four themes (Organisational, People, Physical, Technological), these controls address everything from information security policies to network security.
Risk-based: The entire framework is driven by formal risk assessment. Organisations select controls based on identified risks and document their decisions in a Statement of Applicability (SoA).
Certification: A three-year certificate issued by an accredited certification body, maintained through annual surveillance audits.
Voluntary but influential: While not legally required, ISO 27001 is the reference standard in ENISA's NIS2 implementation guidance, a common benchmark under DORA and in GDPR security guidance, and the baseline assumed by hundreds of customer security questionnaires.
| Aspect | NIS2 | ISO 27001 |
|---|---|---|
| Regulatory cooperation | Mandatory: cooperation with national CSIRTs, ENISA, and cross-border coordination groups | Not applicable |
| Sector-specific requirements | Commission may adopt implementing acts with technical and methodological requirements for specific sectors, and already has for digital infrastructure and digital provider entity types (Implementing Regulation (EU) 2024/2690) | Sector-agnostic standard |
| Cost (typical mid-size organisation) | EUR 50,000 to EUR 200,000 for a compliance programme (excluding ISO 27001 costs if pursued separately) | EUR 40,000 to EUR 150,000 for initial certification (audit fees + implementation) |
NIS2 vs ISO 27001: Requirements Mapping
This is the core reference section. Article 21(2) of NIS2 specifies ten minimum cybersecurity risk management measures. The table below maps each measure to the corresponding ISO 27001:2022 Annex A controls and management system clauses, with a coverage assessment.
| # | NIS2 Art. 21(2) Requirement | Specific NIS2 Obligation | ISO 27001:2022 Mapping | Coverage Level |
|---|---|---|---|---|
| (a) | Risk analysis and information system security policies | Policies on risk analysis and information system security | Clause 6.1.2 (Information security risk assessment), Clause 6.1.3 (Risk treatment), Clause 8.2 (Risk assessment), Clause 8.3 (Risk treatment), A.5.1 (Policies for information security) | Full |
| (b) | Incident handling | Prevention, detection, response to, and recovery from incidents | A.5.24 (Incident management planning and preparation), A.5.25 (Assessment and decision on information security events), A.5.26 (Response to incidents), A.5.27 (Learning from incidents), A.5.28 (Collection of evidence), A.6.8 (Information security event reporting) | Partial (no mandatory reporting timelines to authorities) |
| (c) | Business continuity and crisis management | Business continuity, such as backup management and disaster recovery, and crisis management | A.5.29 (Information security during disruption), A.5.30 (ICT readiness for business continuity), A.8.13 (Information backup), A.8.14 (Redundancy of information processing facilities) | Full |
| (d) | Supply chain security | Security of the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers | A.5.19 (Information security in supplier relationships), A.5.20 (Addressing security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), A.5.22 (Monitoring, review and change management of supplier services), A.5.23 (Information security for use of cloud services) | Partial (Art. 21(3) requires taking into account supplier-specific vulnerabilities, the overall quality of products, and suppliers' cybersecurity practices including their secure development procedures) |
| (e) | Network and information systems security | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | A.8.8 (Management of technical vulnerabilities), A.8.20 (Networks security), A.8.21 (Security of network services), A.8.22 (Segregation of networks), A.8.25 to A.8.34 (Secure development life cycle through protection of systems during audit testing) | Full |
| (f) | Effectiveness assessment | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Clause 9.1 (Monitoring, measurement, analysis and evaluation), Clause 9.2 (Internal audit), Clause 9.3 (Management review), A.5.35 (Independent review of information security), A.5.36 (Compliance with policies, rules and standards) | Full |
| (g) | Cyber hygiene and training | Basic cyber hygiene practices and cybersecurity training | Clause 7.3 (Awareness), A.6.3 (Information security awareness, education and training), A.8.7 (Protection against malware), A.8.9 (Configuration management), A.8.19 (Installation of software on operational systems) | Full for staff (training of the management body itself is an Art. 20 obligation, see below) |
| (h) | Cryptography | Policies and procedures regarding the use of cryptography and, where appropriate, encryption | A.8.24 (Use of cryptography) | Full |
| (i) | Human resources security, access control and asset management | Human resources security, access control policies and asset management | A.6.1 to A.6.7 (Screening through remote working), A.5.15 to A.5.18 (Access control, identity management, authentication information, access rights), A.8.2 (Privileged access rights), A.8.3 (Information access restriction), A.5.9 to A.5.12 (Asset inventory, acceptable use, return of assets, classification) | Full |
| (j) | Multi-factor authentication and secured communications | Use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate | A.8.5 (Secure authentication), A.5.14 (Information transfer), A.8.21 (Security of network services) | Full (ISO 27001 does not prescribe MFA, so the Statement of Applicability must justify where and how it is applied) |

Summary of coverage:

| Coverage | Count | Art. 21(2) measures |
|---|---|---|
| Full coverage | 8 of 10 | (a) Risk analysis, (c) Business continuity, (e) Network and systems security including vulnerability handling, (f) Effectiveness assessment, (g) Cyber hygiene and training, (h) Cryptography, (i) HR security, access control and asset management, (j) MFA and secured communications |
| Partial coverage | 2 of 10 | (b) Incident handling, (d) Supply chain security |
| Not covered by ISO 27001 | Additional NIS2 requirements | Mandatory reporting timelines (Art. 23), management body approval, training and personal liability (Art. 20), registration with the national authority, cross-border cooperation |

Result: ISO 27001 fully covers eight of the ten Article 21(2) measures and partially covers the other two. Weighted for the extra depth NIS2 expects in incident handling and supply chain security, this is the roughly 70% figure used throughout this guide. The remaining 30% consists of the partially covered measures plus NIS2-specific legal obligations that no voluntary standard can address.
Where ISO 27001 Falls Short for NIS2
Understanding the specific gaps is essential for organisations that rely on an existing ISO 27001 certification as the basis for NIS2 compliance. Five areas require additional measures.
1. Incident Reporting Timelines (Art. 23)
This is the most critical gap. ISO 27001 requires internal incident management processes (A.5.24 through A.5.28) but does not prescribe any deadlines for reporting to external authorities.
| Aspect | ISO 27001 | NIS2 |
|---|---|---|
| Internal incident detection and classification | A.5.24, A.5.25 | Required |
| Internal response and recovery | A.5.26 | Required |
| Learning from incidents | A.5.27 | Required |
| Evidence collection | A.5.28 | Required |
| Reporting to national CSIRT/competent authority | Not required | Mandatory for significant incidents (Art. 23(1)) |
| Notifying recipients of services | Not required | Where appropriate, without undue delay, of significant incidents likely to affect them and of significant cyber threats and mitigations (Art. 23(1) and 23(2)) |
| Early warning deadline | N/A | Without undue delay and in any event within 24 hours of becoming aware (Art. 23(4)(a)) |
| Incident notification deadline | N/A | Without undue delay and in any event within 72 hours of becoming aware (Art. 23(4)(b)) |
| Intermediate reports | N/A | On request of the CSIRT or competent authority (Art. 23(4)(c)) |
| Final report deadline | N/A | No later than one month after the incident notification (Art. 23(4)(d)); if the incident is still ongoing at that point, a progress report then and a final report within one month of handling it (Art. 23(4)(e)) |
| Significant incident criteria | Not defined | Defined in Art. 23(3): an incident that has caused or is capable of causing severe operational disruption or financial loss to the entity, or has affected or is capable of affecting other persons by causing considerable material or non-material damage |
| Reporting templates and channels | N/A | Specified by the national CSIRT or competent authority |

Action required: Extend your ISO 27001 incident management procedures with NIS2-specific steps: define "significant incident" criteria per Art. 23(3), prepare reporting templates for your national CSIRT, designate responsible personnel, and conduct simulation exercises to verify you can meet the 24-hour early warning deadline. Note that both early clocks run from the moment the entity becomes aware of the incident, not from when the alert was triaged or confirmed, so the early warning must be sendable on incomplete information; Art. 23(4)(a) only asks it to indicate, where applicable, whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
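The two early clocks in Article 23(4) run from the moment the entity becomes aware of the incident, while the final-report clock runs from the submission of the 72-hour notification, and that dependency is easy to get wrong in an incident tracker. The following Python snippet is an added example (not from the original article or from Vision Compliance) that models the three deadlines for one significant incident and classifies each report as sent, overdue, pending, or not yet started. The incident timestamps are constructed sample data; treating "one month" as a calendar month with day clamping is an assumption, and a national transposition law may define the period differently.

```python
"""Track the NIS2 Article 23(4) reporting clocks for one significant incident.

Added example, not part of the original article. Deadlines as read from the
directive text: early warning within 24 h and incident notification within
72 h of *becoming aware* of the incident; final report no later than one
month after the incident notification was submitted. Treating "one month" as
a calendar month (with day clamping) is an assumption; check national law.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)   # Art. 23(4)(a)
NOTIFICATION_WINDOW = timedelta(hours=72)    # Art. 23(4)(b)


@dataclass
class SignificantIncident:
    # When the entity became aware, which is the legally relevant timestamp,
    # not when the first alert fired or when the incident was confirmed.
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to the month length (31 Jan -> 28/29 Feb)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def deadlines(inc: SignificantIncident) -> Dict[str, Optional[datetime]]:
    """Return the three Art. 23(4) deadlines. The final-report clock only
    starts once the 72-hour notification has actually been submitted."""
    return {
        "early_warning": inc.aware_at + EARLY_WARNING_WINDOW,
        "incident_notification": inc.aware_at + NOTIFICATION_WINDOW,
        "final_report": add_one_month(inc.notification_sent)
        if inc.notification_sent is not None else None,
    }


def report_status(inc: SignificantIncident, now: datetime) -> Dict[str, str]:
    """Classify each report as sent / sent_late / pending / overdue / not_started."""
    sent_at = {
        "early_warning": inc.early_warning_sent,
        "incident_notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    status: Dict[str, str] = {}
    for step, due in deadlines(inc).items():
        submitted = sent_at[step]
        if submitted is not None:
            status[step] = "sent_late" if due is not None and submitted > due else "sent"
        elif due is None:
            status[step] = "not_started"      # waiting on the 72 h notification
        elif now > due:
            status[step] = "overdue"
        else:
            status[step] = "pending"
    return status


def hours_left(inc: SignificantIncident, now: datetime, step: str) -> Optional[float]:
    """Hours until the given report is due (negative when already overdue)."""
    due = deadlines(inc)[step]
    if due is None:
        return None
    return (due - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: awareness on 10 March 2026 09:30 UTC, nothing filed yet,
    # checked 24.5 hours later.
    inc = SignificantIncident(aware_at=datetime(2026, 3, 10, 9, 30, tzinfo=timezone.utc))
    now = datetime(2026, 3, 11, 10, 0, tzinfo=timezone.utc)
    for step, state in report_status(inc, now).items():
        print(f"{step:22s} {state:12s} hours_left={hours_left(inc, now, step)}")
```

Run stand-alone, the block reports the early warning as overdue by half an hour, the incident notification as pending, and the final report as not started, because its clock has not begun. In a real programme the contested value is `aware_at`: record and evidence when the entity became aware, since that timestamp, not the detection alert, is what the authority measures the 24 and 72 hours against.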
2. Management Body Personal Liability (Art. 20)
ISO 27001 Clause 5 requires top management to demonstrate leadership and commitment, but it carries no personal legal consequences.
| Aspect | ISO 27001 | NIS2 |
|---|---|---|
| Approval of security measures | Top management establishes the information security policy and ensures the ISMS achieves its intended outcomes (Clause 5.1, 5.2) | Management body must approve the cybersecurity risk-management measures and oversee their implementation (Art. 20(1)) |
| Management training | Awareness required for persons doing work under the organisation's control (Clause 7.3, A.6.3); no obligation specific to top management | Management body members must follow cybersecurity training, and the entity must offer similar training to employees on a regular basis (Art. 20(2)) |
| Liability | No personal liability | Management body members can be held liable for infringements of Art. 21 (Art. 20(1)) |
| Sanctions on individuals | None | For essential entities, potential temporary ban on exercising managerial functions at CEO or legal-representative level (Art. 32(5)(b)) |
Action required: Implement a formal board-level cybersecurity governance programme that includes documented approval of NIS2 measures, mandatory cybersecurity training for all management body members, and clear accountability assignments with legal briefings on personal exposure.
3. Supply Chain Security Depth (Art. 21(2)(d))
ISO 27001 addresses supplier relationships through controls A.5.19 through A.5.23, but NIS2 expects a deeper and more prescriptive assessment.
| Requirement | ISO 27001 | NIS2 |
|---|---|---|
| Supplier information security policy | A.5.19 | Required |
| Security clauses in supplier agreements | A.5.20 | Required |
| ICT supply chain management | A.5.21 | Required (broader scope) |
| Monitoring and review of supplier services | A.5.22 | Required |
| Cloud service provider security | A.5.23 | Required |
| Assessment of the overall quality of supplier products | Not explicitly required | Mandatory (Art. 21(3)) |
| Evaluation of supplier cybersecurity practices | Partially addressed | Mandatory (Art. 21(3)) |
| Assessment of supplier secure development procedures | Not explicitly required | Mandatory (Art. 21(3)) |
| Coordinated vulnerability disclosure | Not explicitly required | Mandatory (Art. 21(2)(e), Art. 12) |
Action required: Expand your vendor risk assessment programme to include evaluation of suppliers' cybersecurity practices, software development procedures, and product security. Integrate coordinated vulnerability disclosure into supplier agreements.
4. Cross-Border Cooperation and Regulatory Engagement
ISO 27001 is an internal management system standard with no external regulatory engagement requirements. NIS2 requires active cooperation with national and EU-level authorities.
Registration with the national competent authority
Participation in coordinated vulnerability disclosure programmes
Cooperation with national CSIRT during incidents
Potential involvement in EU-wide cyber crisis management exercises
Information sharing within sector-specific cooperation groups
Action required: Register your organisation with the relevant national authority, establish communication channels with your national CSIRT, and develop procedures for participating in cross-border cooperation activities.
5. Sector-Specific Technical Requirements
The European Commission may adopt implementing and delegated acts specifying technical and methodological requirements for specific sectors or types of entities. ISO 27001 is sector-agnostic and cannot anticipate these requirements. The first such act is already in force: Commission Implementing Regulation (EU) 2024/2690 lays down technical and methodological requirements for the Art. 21(2) measures, and specifies when an incident counts as significant, for DNS service providers, TLD name registries, cloud computing, data centre and CDN providers, managed (security) service providers, online marketplaces, search engines, social networking platforms, and trust service providers.
Sectors likely to receive further specific technical requirements include energy (with references to the Electricity Network Code on Cybersecurity), financial services (where DORA already applies as lex specialis), transport, and health.
Action required: Check whether Implementing Regulation (EU) 2024/2690 already applies to your entity type, monitor further sector-specific implementing acts from the European Commission, and adjust your compliance programme as new technical requirements are published.
Does ISO 27001 Certification Mean NIS2 Compliance?
No. ISO 27001 certification does not equal NIS2 compliance. However, it provides the strongest available foundation.
| Compliance Question | Answer |
|---|---|
| Does ISO 27001 cover all NIS2 requirements? | No. It covers approximately 70% of Art. 21 measures. |
| Is ISO 27001 certification legally required by NIS2? | No. NIS2 does not mandate any specific certification. |
| Can ISO 27001 be used to demonstrate NIS2 compliance? | Partially. ENISA recommends it as a reference framework, and national authorities may consider it. |
| Will regulators treat certified organisations more favourably? | Likely in practice. ISO 27001 demonstrates a systematic approach, but it does not guarantee lighter treatment. |
| How long to close the gaps if already ISO 27001 certified? | Typically 2 to 3 months with focused effort. |
| How long without ISO 27001? | Typically 9 to 12 months for a comprehensive NIS2 compliance programme. |
Gap Analysis: ISO 27001 Certified Organisation vs Full NIS2 Compliance
| NIS2 Requirement Area | Already Covered by ISO 27001? | Gap Severity | Estimated Effort to Close |
|---|---|---|---|
| Risk analysis and security policies | Yes | None | N/A |
| Incident handling (internal) | Yes | None | N/A |
| Incident reporting to authorities | No | Critical | 2 to 4 weeks |
| Business continuity | Yes | None | N/A |
| Supply chain (basic) | Yes | Low | 1 to 2 weeks |
| Supply chain (NIS2 depth) | Partial | Medium | 4 to 8 weeks |
| Network and systems security | Yes | None | N/A |
| Vulnerability handling | Yes | None | N/A |
| Effectiveness assessment | Yes | None | N/A |
| Cyber hygiene and training (staff) | Yes | None | N/A |
| Management cybersecurity training | Partial | Medium | 1 to 2 weeks |
| Cryptography | Yes | None | N/A |
| HR security and access control | Yes | None | N/A |
| Management personal liability framework | No | High | 2 to 4 weeks |
| Regulatory registration | No | High | 1 week |
| Cross-border cooperation procedures | No | Medium | 2 to 4 weeks |
| NIS2-specific documentation | No | Medium | 2 to 4 weeks |
The Optimal Approach: ISO 27001 as NIS2 Foundation
The most efficient path to NIS2 compliance is to use ISO 27001 as the structural foundation and then add NIS2-specific layers. This approach is recommended in ENISA's guidance, adopted by most EU compliance advisory firms (including Vision Compliance), and supported by a practical reality: an ISMS supplies the governance, risk methodology, and control framework that NIS2 presupposes but does not itself specify.
For organisations without ISO 27001:
Start with ISO 27001 implementation. This builds the ISMS, risk assessment methodology, control framework, documentation, internal audit programme, and management review process that NIS2 requires but does not specify how to implement.
Integrate NIS2 requirements from the beginning. During implementation, address NIS2-specific gaps (incident reporting, management liability, supply chain depth) as additions to the ISMS scope rather than as a separate project.
Pursue ISO 27001 certification. The certification demonstrates systematic security management to your national competent authority and provides external validation.
Register with your national authority and establish CSIRT relationships. Complete the regulatory engagement requirements.
For organisations already ISO 27001 certified:
Conduct a focused gap analysis. Map your existing ISMS controls against all NIS2 requirements (not just Art. 21) to identify specific gaps.
Prioritise incident reporting. This is the most time-sensitive gap. Build the reporting procedures, test them, and train your team before a real incident forces you to improvise.
Formalise management governance. Document board-level approval of cybersecurity measures, implement management training, and brief leadership on personal liability exposure.
Expand supply chain assessment. Upgrade your vendor risk programme to meet NIS2's deeper requirements.
Integrate into the existing ISMS. Add NIS2 requirements as an extension of your current management system rather than creating a parallel compliance framework.
This integrated approach is what firms like Vision Compliance implement for clients across the EU, typically reducing the total compliance timeline by 40 to 60% compared to organisations that treat NIS2 and ISO 27001 as entirely separate projects.
NIS2 + ISO 27001 Implementation Timeline
The following phased timeline applies to organisations starting from scratch (no existing ISMS or NIS2 programme). Organisations with existing ISO 27001 certification can skip to Phase 3.
Phase 1: Foundation (Months 1 to 3)
| Activity | Deliverable | NIS2 Relevance | ISO 27001 Relevance |
|---|---|---|---|
| Scope definition and context analysis | ISMS scope document, NIS2 entity classification | Art. 2 and Art. 3 (scope and entity classification) | Clause 4 (Context of the organisation) |
| Risk assessment methodology | Risk assessment framework | Art. 21(2)(a) | Clause 6.1 (Actions to address risks and opportunities) |
| Initial risk assessment | Risk register, risk treatment plan | Art. 21(2)(a) | Clause 8.2 (Risk assessment), Clause 8.3 (Risk treatment) |
| Information security policy suite | Core policies (15 to 20 documents) | Art. 21(2)(a) | A.5.1 (Policies for information security) |
| Asset inventory | Complete asset register | Art. 21(2)(i) | A.5.9 (Inventory of information and other associated assets) |
| National authority registration | Registration confirmation | NIS2-specific (Art. 3(4); Art. 27 for the digital infrastructure entity types registered with ENISA) | N/A |
Phase 2: Implementation (Months 4 to 6)
| Activity | Deliverable | NIS2 Relevance | ISO 27001 Relevance |
|---|---|---|---|
| Technical control implementation | Configured controls across all Annex A themes | Art. 21(2)(e), (h), (i), (j) | Annex A controls |
| Incident management with NIS2 reporting | Incident response plan with 24h/72h/1-month reporting procedures | Art. 21(2)(b), Art. 23 | A.5.24 to A.5.28 |
| Management governance | Board approval records, management training certificates | Art. 20 | Clause 5 |
Phase 3: Validation (Months 7 to 9)
| Activity | Deliverable | NIS2 Relevance | ISO 27001 Relevance |
|---|---|---|---|
| Effectiveness assessment | Metrics dashboard, KPIs, testing results | Art. 21(2)(f) | Clause 9.1 |
| Internal audit | Internal audit report | Art. 21(2)(f) | Clause 9.2 |
| Management review | Management review minutes | Art. 20 | Clause 9.3 |
| Incident simulation exercise | Exercise report, lessons learned | Art. 23 (readiness) | A.5.27 |
| Gap remediation | Updated controls, policies, procedures | All | All (Clause 10) |
| ISO 27001 Stage 1 audit | Stage 1 audit report | N/A | Certification process |
Phase 4: Certification and Compliance (Months 10 to 12)
| Activity | Deliverable | NIS2 Relevance | ISO 27001 Relevance |
|---|---|---|---|
| Stage 1 finding remediation | Evidence of corrective actions | N/A | Certification process |
| ISO 27001 Stage 2 audit | Stage 2 audit report, certificate | Demonstrates systematic approach to Art. 21 | Certification |
| NIS2 compliance documentation package | Complete NIS2 compliance file for the national authority | All articles | N/A |
| CSIRT relationship establishment | Documented communication channels and contacts | Art. 23 | N/A |
| Ongoing monitoring programme launch | Continuous compliance monitoring | Art. 21(2)(f) | Clause 9, Clause 10 |
Frequently Asked Questions
Does ISO 27001 satisfy NIS2?
No. ISO 27001 covers approximately 70% of NIS2's cybersecurity risk management requirements under Article 21, but it does not address mandatory incident reporting timelines (Article 23), personal liability for management bodies (Article 20), regulatory registration, or cross-border cooperation obligations. Organisations need ISO 27001 as a foundation plus NIS2-specific additions.
Is ISO 27001 mandatory under NIS2?
No. NIS2 does not mandate any specific certification or standard. However, ENISA recommends ISO 27001 as a reference framework for implementing the required measures, and national competent authorities may consider existing certification when assessing compliance. Several Member States' transposition laws explicitly reference ISO 27001 as a recognised benchmark.
Can I use ISO 27001 to prove NIS2 compliance?
Partially. An ISO 27001 certificate demonstrates that you have a systematic approach to information security management, which covers a significant portion of NIS2's requirements. However, you will still need to demonstrate compliance with NIS2-specific obligations (incident reporting, management governance, supply chain depth) through additional documentation and evidence. The certificate is strong supporting evidence, not a compliance passport.
What does NIS2 require that ISO 27001 doesn't?
The five main areas where NIS2 goes beyond ISO 27001 are: (1) mandatory reporting of significant incidents to the national CSIRT or competent authority, with an early warning within 24 hours and an incident notification within 72 hours of becoming aware, and a final report no later than one month after that notification (Art. 23); (2) personal liability for management body members, including, for essential entities, potential temporary bans from exercising managerial functions (Art. 20 and Art. 32); (3) deeper supply chain security assessments covering supplier-specific vulnerabilities, the overall quality of products, and suppliers' cybersecurity practices including secure development procedures (Art. 21(3)); (4) registration with the national competent authority and cooperation with the national CSIRT; (5) sector-specific technical requirements adopted through Commission implementing acts, of which Implementing Regulation (EU) 2024/2690 for digital infrastructure and digital provider entity types is already in force.
How long does it take to get ISO 27001 certified?
For a mid-size organisation starting from scratch, ISO 27001 certification typically takes 6 to 12 months. The timeline breaks down as follows: gap analysis and ISMS design (1 to 2 months), implementation (3 to 4 months), internal audit and management review (1 month), and the certification audit process (1 to 2 months). Organisations with mature security practices can achieve certification in as little as 4 to 6 months.
What if I already have ISO 27001?
You are in a strong position. A focused NIS2 gap analysis will identify the specific areas where your existing ISMS falls short of NIS2 requirements. Most ISO 27001 certified organisations can close the NIS2 gaps in 2 to 3 months with dedicated effort. The primary workstreams are: building incident reporting procedures with the required timelines, formalising management governance and training, expanding supply chain assessments, and registering with your national authority. Vision Compliance offers a dedicated NIS2 gap analysis for ISO 27001 certified organisations that produces a prioritised remediation plan.
NIS2 vs ISO 27001: how do the costs compare?
| Cost Component | NIS2 Compliance (standalone) | ISO 27001 Certification (standalone) | Integrated NIS2 + ISO 27001 |
|---|---|---|---|
| Consulting and advisory | EUR 30,000 to EUR 100,000 | EUR 20,000 to EUR 80,000 | EUR 40,000 to EUR 120,000 |
| Internal staff time | 300 to 600 hours | 300 to 800 hours | 400 to 900 hours |
| Audit/certification fees | N/A (regulatory supervision) | EUR 15,000 to EUR 50,000 | EUR 15,000 to EUR 50,000 |
| Technology and tools | EUR 5,000 to EUR 30,000 | EUR 5,000 to EUR 50,000 | EUR 5,000 to EUR 50,000 |
| Training | EUR 5,000 to EUR 15,000 | EUR 3,000 to EUR 10,000 | EUR 5,000 to EUR 15,000 |
| Total first year | EUR 50,000 to EUR 200,000 | EUR 40,000 to EUR 150,000 | EUR 60,000 to EUR 200,000 |
| Savings from integrated approach | N/A | N/A | 30 to 40% vs doing both separately |
The integrated approach is more cost-effective because roughly 70% of the work (risk assessment, policy development, control implementation, training) serves both frameworks simultaneously.
Do I need both NIS2 compliance and ISO 27001?
If your organisation falls within NIS2's scope, you legally need NIS2 compliance. ISO 27001 certification is not legally required but is strongly recommended because it provides the management system structure that NIS2 presupposes, it is recognised by ENISA and national authorities, it demonstrates due diligence to regulators, and it meets customer and partner expectations across the EU. Most organisations subject to NIS2 benefit from pursuing both.
Need an integrated NIS2 + ISO 27001 programme? Vision Compliance helps organisations across the EU implement both frameworks as a single, efficient compliance programme. Whether you already have ISO 27001 and need a NIS2 gap analysis, or you are starting from scratch, we provide the advisory, implementation, and audit preparation support to get you compliant. Schedule a free consultation
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.