
NIS2 vs ISO 27001: What's the Difference and What Do You Need?

NIS2 is mandatory legislation for covered entities; ISO 27001 is a voluntary standard. But ISO 27001 covers 70-80% of NIS2 requirements. See the complete mapping, the gaps and practical guidance for compliance.

Flat illustration showing NIS2 and ISO 27001 as two certification badges facing each other with ‘VS’ in the centre, on a soft blue background with organic shapes.


    Many organisations face the same question: Do we need NIS2 compliance, ISO 27001 certification or both? It can be confusing to navigate these two frameworks, especially when they both concern information security.

    The short answer is: NIS2 is legislation (you MUST comply if covered), whilst ISO 27001 is a voluntary standard (you CHOOSE). But the interesting part is that ISO 27001 covers around 70-80% of NIS2 requirements, making it a strong foundation for NIS2 compliance.

    In this guide, you'll get a complete comparison of the two frameworks, see precisely where they overlap, and receive practical recommendations for what your organisation needs.

    What is NIS2?

    NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity directive, which came into force in January 2023. The directive must be implemented in national legislation in all EU member states by October 2024, and organisations must be compliant from 17 October 2024.

    NIS2 is mandatory legislation for organisations in critical and important sectors with more than 50 employees. It focuses specifically on cybersecurity for critical infrastructure and services essential to society's functioning.

    The directive contains clear requirements for risk management, incident reporting and management accountability. Organisations covered by NIS2 must register with national authorities and are subject to supervision and potential sanctions for non-compliance.

    The sanctions can be significant – up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities.

    What is ISO 27001?

    ISO 27001 is the internationally recognised standard for information security management systems (ISMS). Unlike NIS2, ISO 27001 is a voluntary standard that organisations can choose to implement and become certified in.

    The standard follows a risk-based approach to information security and applies to all types of organisations, regardless of size or industry. ISO 27001 certification demonstrates to customers, partners and stakeholders that the organisation takes information security seriously.

    An ISO 27001 certification is valid for three years with annual surveillance audits. The standard requires organisations to establish, implement, maintain and continually improve an ISMS based on their specific risk profile.

    ISO 27001:2022 (the latest version) contains 93 controls in Annex A, covering organisational, technical and physical security measures. The organisation selects which controls are relevant based on their risk assessment.

    Read more about ISO 27001 compliance and how to implement ISO 27001.

    Flat illustration comparing NIS2 legislation marked ‘Must’ with ISO 27001 certification marked ‘Choose’, presented as a law document and a certification badge side by side.

    NIS2 vs ISO 27001: Quick Comparison

    Aspect | NIS2 | ISO 27001
    Type | EU directive (law) | International standard
    Mandatory? | Yes, for covered entities | No, voluntary
    Who does it apply to? | Critical/important sectors, 50+ employees | All organisations
    Focus | Cybersecurity for critical infrastructure | Information security broadly
    Enforcement | National authorities, fines | Certification bodies
    Sanctions | Up to €10M / 2% turnover | None (lose certification)
    Certification | No (compliance) | Yes (3-year certification)
    Incident reporting | Mandatory (24h/72h/30d) | Recommended, no deadlines
    Supply chain | Explicit requirement | Covered in Annex A
    Management liability | Personal liability | Management commitment
    Geographic scope | EU/EEA | Global
    Audit frequency | Supervision by authorities | Annual surveillance, 3-year recert


    Is ISO 27001 Enough for NIS2 Compliance?

    The Short Answer

    No, ISO 27001 alone is not sufficient to meet all NIS2 requirements. But it covers approximately 70-80% of the requirements and therefore provides the best possible foundation for NIS2 compliance. If your organisation starts with ISO 27001, you significantly reduce the additional effort required to become NIS2-compliant.

    What ISO 27001 Covers from NIS2

    ISO 27001 covers most of the technical and organisational security requirements in NIS2:

    Risk assessment and management – Clause 6 and multiple Annex A controls
    Security policies – Comprehensive policies and procedures
    Incident handling – Processes for handling security incidents
    Business continuity – Continuity and disaster recovery
    Access control – Comprehensive controls for access management
    Cryptography – Requirements for cryptographic controls
    Awareness and training – Employee security education
    Supplier security – Supply chain security
    Asset management – Information asset management
    Secure development – Security in systems development

    What NIS2 Requires Beyond ISO 27001

    However, there are important areas where NIS2 requirements go beyond ISO 27001:

    Mandatory incident reporting to authorities – NIS2 requires reporting to CSIRT and national authorities
    Specific deadlines – 24 hours for early warning, 72 hours for incident report, 30 days for final report
    Registration as NIS2 entity – Formal registration requirement with authorities
    Sector-specific requirements – Some sectors have additional specific security requirements
    Personal management liability with sanctions – Management is personally liable and can be sanctioned
    Supply chain security – More explicit requirements for vendor management than ISO 27001
    Active cooperation with authorities – Ongoing cooperation and information sharing

    Flat illustration of NIS2 and ISO 27001 badges inside overlapping circles, with ‘70–80%’ displayed in the centre to visualise their requirement overlap.

    NIS2 and ISO 27001: Requirement-by-Requirement Mapping

    To understand precisely where ISO 27001 covers NIS2 requirements, here's a detailed mapping of NIS2 Article 21 security measures against ISO 27001 controls:

    NIS2 Article 21 Requirement | ISO 27001 Coverage | Gap
    (a) Risk management policies | Clause 6, A.5.1 | Minimal – ISO 27001 covers this fully
    (b) Incident handling | A.5.24-A.5.28 | Reporting deadlines and authority contact missing
    (c) Business continuity | A.5.29-A.5.30 | Minimal – almost fully covered
    (d) Supply chain security | A.5.19-A.5.23 | NIS2 requires more explicit focus
    (e) Security in acquisition | A.5.8, A.8.25-A.8.31 | Minimal gap
    (f) Effectiveness assessment | Clause 9 | Minimal – internal audit covers this
    (g) Cyber hygiene and training | A.6.3 | Minimal – awareness is covered
    (h) Cryptography | A.8.24 | Minimal – encryption controls exist
    (i) HR security | A.6.1-A.6.8 | Minimal – personnel security covered
    (j) Access control and MFA | A.5.15-A.5.18, A.8.5 | Minimal – MFA may require upgrade
    (k) Secure communication | A.8.20-A.8.22 | Minimal – network security covered

    As the table shows, the primary gaps are not in the technical security measures, but in the compliance processes around reporting, registration and authority contact.

    When Should You Have What?

    Scenario 1: You Are Covered by NIS2

    If your organisation falls within NIS2's scope, NIS2 compliance is mandatory. There's no way around it. However, we strongly recommend using ISO 27001 as the foundation:

    Recommended approach:

    1. Start by implementing the ISO 27001 framework (certification is optional)
    2. Build NIS2-specific requirements on top of this foundation
    3. Establish processes for incident reporting and authority contact
    4. Register as a NIS2 entity with authorities

    The advantage of this approach is that you get a solid, internationally recognised security system that also prepares you for NIS2.

    Scenario 2: You Are NOT Covered by NIS2

    If your organisation is not covered by NIS2, ISO 27001 is still relevant if:

    • Customers or partners require it – Many larger companies require ISO 27001 certification from their suppliers
    • You want to demonstrate security – Certification shows credibility to stakeholders
    • You want to prepare for potential NIS2 – If your organisation grows or changes focus, you may become covered later

    However, be aware that even if you're not directly covered by NIS2, your customers may be. This means that as part of their supply chain, you may be subject to requirements for security documentation.

    Scenario 3: You Are Already ISO 27001 Certified

    If your organisation is already ISO 27001 certified and becomes covered by NIS2, you're in a good position. You simply need to:

    1. Identify gaps – Review the mapping table above
    2. Implement incident reporting – Establish processes for 24h/72h/30d reporting
    3. Register as NIS2 entity – Contact relevant authorities
    4. Document management liability – Ensure management understands their personal liability
    5. Update vendor assessments – Strengthen supply chain security where necessary

    The good news is that much of the work has already been done through your ISO 27001 compliance.

    Scenario 4: You're Starting from Scratch

    If you need to start from the ground up with both NIS2 and information security, we recommend:

    1. Use ISO 27001 as the framework – Even if certification isn't the goal
    2. Include NIS2 requirements from the start – Avoid duplication later
    3. Use an integrated management system – One system for both frameworks
    4. Prioritise critical areas first – Start with risk assessment and basic controls

    This approach gives you the most value for money and avoids having to do the work twice.

    Minimalist pyramid illustration showing ISO 27001 as the foundation, followed by filling NIS2 gaps, registering and reporting, and integrated security at the top.

    Practical Approach: ISO 27001 as Foundation for NIS2

    Here's a practical approach to using ISO 27001 as the foundation for NIS2 compliance:

    Step 1: Implement ISO 27001 ISMS

    Start by establishing an information security management system based on ISO 27001:

    • Conduct a comprehensive risk assessment of your information assets
    • Develop security policies and procedures
    • Implement relevant controls from Annex A based on your risks
    • Establish processes for internal audit and continual improvement

    This gives you a solid framework for security management, whether or not you choose to pursue certification.

    Step 2: Identify NIS2 Gaps

    Use the mapping table earlier in this article to identify where ISO 27001 doesn't fully cover NIS2 requirements:

    • Incident reporting – Are you missing processes for authority reporting?
    • Registration – Are you registered as a NIS2 entity?
    • Management liability – Is management fully informed about their personal liability?
    • Supply chain – Do your vendor assessments meet NIS2 requirements?

    Step 3: Fill the Gaps

    Implement the missing elements:

    • Establish concrete processes for incident reporting with deadlines (24h/72h/30d)
    • Register with relevant national authorities
    • Document management's understanding and acceptance of liability
    • Update data processing agreements and vendor contracts to include NIS2 requirements
    • Establish a contact point with the CSIRT and national cybersecurity authorities

    Step 4: Maintain Both

    Operate an integrated management system where both frameworks are maintained together:

    • Use the same platform for documentation and task management
    • Coordinate internal audits to cover both frameworks
    • Update risk and compliance assessments continuously
    • Ensure training covers both ISO 27001 and NIS2 requirements

    This integrated approach ensures you get maximum value from your compliance efforts without unnecessary duplication.

    ENISA's Mapping: Official Guidance

    The European Union Agency for Cybersecurity (ENISA) has published official guidance on the relationship between NIS2 and ISO 27001. ENISA confirms that ISO 27001 is a strong starting point for NIS2 compliance.

    ENISA specifically recommends using ISO 27001:2022 (the latest version) rather than ISO 27001:2013, as the updated standard has better alignment with modern cybersecurity threats and requirements.

    You can find ENISA's resources and guidance at www.enisa.europa.eu, where updated material on NIS2 implementation is continuously published.

    What Do We Recommend?

    Based on our experience with hundreds of organisations working with compliance, here are our recommendations:

    For companies covered by NIS2:

    1. Start with ISO 27001 – Use it as a framework, even if certification isn't required
    2. Consider certification – It provides credibility and facilitates compliance documentation
    3. Add NIS2-specific requirements – Focus on gaps around reporting and registration
    4. Use one integrated system – Avoid duplicate documentation and administration

    For companies NOT covered by NIS2:

    1. Assess business needs – Is ISO 27001 relevant for your customers and market?
    2. Be aware of supply chain – Your customers may be covered and impose requirements on you
    3. Start simple – Implement basic information security and scale up as needed
    4. Prepare for the future – Your organisation may grow into NIS2's scope

    The most important message is: Whether you're covered by NIS2 or not, a structured approach to information security provides value to the organisation. ISO 27001 gives you this framework, and if NIS2 becomes relevant, the work is already half done.

    How .legal Helps with Both Frameworks

    At .legal, we've developed a platform that specifically handles both NIS2 and ISO 27001 in one integrated system. Our Frameworks module gives you:

    • Pre-built frameworks with complete mapping between NIS2 and ISO 27001
    • Automatic tracking of overlap, so you don't document the same thing twice
    • Integrated task management with an annual wheel (recurring compliance calendar) for both frameworks
    • Reporting to management, internal audits and authority reporting
    • Vendor management that meets both ISO 27001 and NIS2 requirements

    With .legal, you get an overview of your compliance status across frameworks and can focus on the actual security work instead of documentation administration.

    See how we handle NIS2 and ISO 27001 or book a demo to see the platform in action.

    Frequently asked questions about NIS2 vs ISO 27001

    Can I become NIS2-compliant without ISO 27001?

    Yes, ISO 27001 is not a formal requirement for NIS2 compliance. You can implement NIS2 requirements directly without using ISO 27001 as a framework. But in practice, most organisations will find it easier and more efficient to use ISO 27001 as the foundation, as much of the work overlaps.

    Does ISO 27001 certification automatically give NIS2 compliance?

    No, ISO 27001 certification alone does not automatically provide NIS2 compliance. There are important gaps, especially around incident reporting to authorities, registration as a NIS2 entity and specific deadlines. However, ISO 27001 covers 70-80% of requirements.

    Which should I start with, NIS2 or ISO 27001?

    If you are covered by NIS2, compliance is mandatory. We recommend starting by implementing the ISO 27001 framework first as it provides a solid base of security policies, processes, and controls. Then add NIS2-specific elements on top for full compliance.

    Does NIS2 require certification like ISO 27001?

    No, NIS2 does not require third-party certification. It is a regulatory compliance obligation enforced by national authorities. ISO 27001 is a voluntary standard with optional third-party certification. However, ISO 27001 certification can demonstrate your security posture to regulators.

    What does ISO 27001 cover that NIS2 does not?

    ISO 27001 provides a comprehensive information security management system (ISMS) framework including detailed control implementation guidance, internal audit requirements, and continuous improvement processes. NIS2 focuses more on specific cybersecurity outcomes and reporting obligations.

    What does NIS2 require that ISO 27001 does not cover?

    NIS2 has unique requirements including mandatory incident reporting within 24/72 hours, registration with national authorities, specific supply chain security measures, management personal liability, and cooperation with national CSIRTs that ISO 27001 does not address directly.

    How much overlap exists between NIS2 and ISO 27001?

    ISO 27001 covers approximately 70-80% of NIS2 requirements. The overlapping areas include risk management, access control, business continuity, asset management, and security policies. The gaps are primarily in NIS2-specific regulatory requirements like incident notification deadlines.

    Can I use ISO 27001 audit evidence for NIS2 compliance?

    Yes, much of the documentation and evidence gathered for ISO 27001 can be reused for NIS2 compliance. Risk assessments, security policies, incident management procedures, and business continuity plans are relevant to both frameworks.

    How do the enforcement mechanisms differ between NIS2 and ISO 27001?

    NIS2 is enforced by national authorities with mandatory fines up to 10 million EUR or 2% of turnover, and management liability. ISO 27001 is voluntary with enforcement through certification body audits. Losing ISO 27001 certification has reputational but not legal consequences.

    Should I integrate NIS2 and ISO 27001 into a single compliance programme?

    Yes, integrating both frameworks into a single programme is the most efficient approach. Use ISO 27001's ISMS structure as the foundation and add NIS2-specific controls and processes. This avoids duplication, reduces effort, and ensures comprehensive coverage.
