If your organization holds ISO 27001 certification, you've already done serious work on information security. You have a documented management system, a risk register, defined controls, and regular audits. So when NIS2 came into force across EU member states, a natural question arose: do we really need to do more?
The honest answer is: yes — but less than you might think. ISO 27001 and NIS2 share a great deal of common ground, but NIS2 introduces regulatory obligations that go beyond any voluntary framework. Understanding exactly where the gaps are will help you focus your effort and resources efficiently.
What ISO 27001 Covers
ISO 27001 is the international standard for Information Security Management Systems (ISMS). At its core, it requires organizations to:
- Define the scope of the ISMS and its context
- Conduct systematic risk assessments and implement risk treatment plans
- Apply a set of 93 controls from Annex A (covering security policies, access control, cryptography, physical security, incident management, supplier relationships, and more)
- Maintain documented evidence and undergo internal audits
- Conduct management reviews and demonstrate continual improvement
When implemented properly, ISO 27001 creates a mature, risk-driven security program. This is exactly the kind of foundation that NIS2 expects to see in place. In fact, the European Union Agency for Cybersecurity (ENISA) has acknowledged ISO 27001 as a useful baseline for NIS2 compliance.
What NIS2 Adds on Top
NIS2 (Directive (EU) 2022/2555) is not a voluntary standard — it is binding EU law. It introduces obligations that no certification framework, however rigorous, can substitute for. The key additions include:
Management Liability
NIS2 makes senior management personally accountable for the organization's cybersecurity posture. Management bodies can face personal liability for serious negligence, including temporary bans from management roles. ISO 27001 encourages "top management commitment," but it imposes no personal legal consequences.
Mandatory Incident Reporting Timelines
NIS2 requires covered entities to report significant incidents to their national competent authority (NCA) within 24 hours (initial early warning) and 72 hours (full incident notification). A final report is due within one month. ISO 27001's incident management controls are process-oriented — they don't mandate specific reporting timelines to regulators.
Sector-Specific Requirements
NIS2 organizes obligations by sector (energy, transport, health, digital infrastructure, etc.) and distinguishes between Essential and Important Entities with different fine levels and supervision intensity. ISO 27001 is sector-agnostic.
Supply Chain Security
While ISO 27001 Annex A includes supplier security controls, NIS2 Article 21 requires a more comprehensive approach to supply chain risk — including assessing the security practices of direct suppliers and their sub-suppliers, with documented evidence.
The Overlap: Where ISO 27001 Already Helps
The good news for ISO 27001 certified organizations is substantial. Research and practical experience suggest that 75–80% of the controls required under NIS2 Article 21 are already addressed by a well-implemented ISMS. This includes:
- Risk management and risk assessment processes
- Access control and identity management
- Cryptography and encryption policies
- Incident response and handling procedures
- Asset management and classification
- Vulnerability management and patch management
- Physical and environmental security
- HR security and awareness training
- Business continuity and disaster recovery planning
- Supplier and third-party risk management (basic)
What You Still Need to Do — Even with ISO 27001
ISO 27001 certification does not exempt you from NIS2 compliance. Beyond filling any technical control gaps, organizations in scope must address:
Formal NIS2 Registration
Depending on the EU member state(s) where you operate, you may be required to formally register with your National Competent Authority (NCA). This registration is a legal obligation separate from any certification.
Incident Reporting Procedures for Regulators
Your existing ISO 27001 incident response procedures need to be updated to include the NIS2-specific reporting chain: who notifies the NCA, what information is included, and within which timeframes. This is a procedural gap that few ISO 27001 implementations address.
Management Awareness and Training
NIS2 explicitly requires that management bodies approve and take responsibility for the organization's cybersecurity measures. This means senior leadership needs structured training on NIS2 obligations — not just awareness, but documented understanding and sign-off.
Documenting Compliance Evidence
Unlike ISO 27001, which is audited by a certification body, NIS2 compliance is supervised by national regulators who may request evidence at any time. Your documentation and compliance posture need to be regulation-ready, not just audit-ready.
Conclusion: A Strong Foundation — With Specific Gaps
ISO 27001 is genuinely valuable for NIS2 compliance — it's not "nice to have," it's a significant accelerator. Organizations with a mature ISMS will find NIS2 compliance achievable with focused, targeted effort rather than a complete overhaul.
However, the key word is "targeted." The gaps that do exist — management liability, 24/72h incident reporting, NCA registration, and sector-specific requirements — are not trivial. They require specific procedural changes and management engagement.
The most efficient path forward is a structured NIS2 gap assessment that maps your current ISO 27001 controls against NIS2 Article 21 requirements and identifies exactly what needs to be added, updated, or formalized.
Know Your Exact Gap
BALTUM Bureau offers structured NIS2 gap assessments for ISO 27001 certified organizations. We map your existing controls to NIS2 requirements and give you a clear, prioritized action plan — no fluff, just results.