NIS2 vs ISO 27001: What's the Difference and What Do You Need?

NIS2 is mandatory legislation for covered entities; ISO 27001 is a voluntary standard. But ISO 27001 covers 70-80% of NIS2 requirements. See the complete mapping, the gaps and practical guidance for compliance.

    Many organisations face the same question: Do we need NIS2 compliance, ISO 27001 certification or both? It can be confusing to navigate these two frameworks, especially when they both concern information security.

    The short answer is: NIS2 is legislation (you MUST comply if covered), whilst ISO 27001 is a voluntary standard (you CHOOSE). But the interesting part is that ISO 27001 covers around 70-80% of NIS2 requirements, making it a strong foundation for NIS2 compliance.

    In this guide, you'll get a complete comparison of the two frameworks, see precisely where they overlap, and receive practical recommendations for what your organisation needs.

    What is NIS2?

    NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity directive, which came into force in January 2023. The directive must be implemented in national legislation in all EU member states by October 2024, and organisations must be compliant from 17 October 2024.

    NIS2 is mandatory legislation for organisations in critical and important sectors with more than 50 employees. It focuses specifically on cybersecurity for critical infrastructure and services essential to society's functioning.

    The directive contains clear requirements for risk management, incident reporting and management accountability. Organisations covered by NIS2 must register with national authorities and are subject to supervision and potential sanctions for non-compliance.

    The sanctions can be significant – up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities.

    What is ISO 27001?

    ISO 27001 is the internationally recognised standard for information security management systems (ISMS). Unlike NIS2, ISO 27001 is a voluntary standard that organisations can choose to implement and be certified against.

    The standard follows a risk-based approach to information security and applies to all types of organisations, regardless of size or industry. ISO 27001 certification demonstrates to customers, partners and stakeholders that the organisation takes information security seriously.

    An ISO 27001 certification is valid for three years with annual surveillance audits. The standard requires organisations to establish, implement, maintain and continually improve an ISMS based on their specific risk profile.

    ISO 27001:2022 (the latest version) contains 93 controls in Annex A, covering organisational, technical and physical security measures. The organisation selects which controls are relevant based on their risk assessment.

    Read more about ISO 27001 compliance and how to implement ISO 27001.

    NIS2 vs ISO 27001: Quick Comparison

    Aspect                 | NIS2                                        | ISO 27001
    Type                   | EU directive (law)                          | International standard
    Mandatory?             | Yes, for covered entities                   | No, voluntary
    Who does it apply to?  | Critical/important sectors, 50+ employees   | All organisations
    Focus                  | Cybersecurity for critical infrastructure   | Information security broadly
    Enforcement            | National authorities, fines                 | Certification bodies
    Sanctions              | Up to €10M / 2% turnover                    | None (lose certification)
    Certification          | No (compliance)                             | Yes (3-year certification)
    Incident reporting     | Mandatory (24h/72h/30d)                     | Recommended, no deadlines
    Supply chain           | Explicit requirement                        | Covered in Annex A
    Management liability   | Personal liability                          | Management commitment
    Geographic scope       | EU/EEA                                      | Global
    Audit frequency        | Supervision by authorities                  | Annual surveillance, 3-year recert

    Is ISO 27001 Enough for NIS2 Compliance?

    The Short Answer

    No, ISO 27001 alone is not sufficient to meet all NIS2 requirements. But it covers approximately 70-80% of the requirements and therefore provides the best possible foundation for NIS2 compliance. If your organisation starts with ISO 27001, you significantly reduce the additional effort required to become NIS2-compliant.

    What ISO 27001 Covers from NIS2

    ISO 27001 covers most of the technical and organisational security requirements in NIS2:

    • Risk assessment and management – Clause 6 and multiple Annex A controls
    • Security policies – Comprehensive policies and procedures
    • Incident handling – Processes for handling security incidents
    • Business continuity – Continuity and disaster recovery
    • Access control – Comprehensive controls for access management
    • Cryptography – Requirements for cryptographic controls
    • Awareness and training – Employee security education
    • Supplier security – Supply chain security
    • Asset management – Information asset management
    • Secure development – Security in systems development

    What NIS2 Requires Beyond ISO 27001

    However, there are important areas where NIS2 requirements go beyond ISO 27001:

    • Mandatory incident reporting to authorities – NIS2 requires reporting to the CSIRT and national authorities
    • Specific deadlines – 24 hours for early warning, 72 hours for incident report, 30 days for final report
    • Registration as NIS2 entity – Formal registration requirement with authorities
    • Sector-specific requirements – Some sectors have additional specific security requirements
    • Personal management liability with sanctions – Management is personally liable and can be sanctioned
    • Supply chain security – More explicit requirements for vendor management than ISO 27001
    • Active cooperation with authorities – Ongoing cooperation and information sharing

    NIS2 and ISO 27001: Requirement-by-Requirement Mapping

    To understand precisely where ISO 27001 covers NIS2 requirements, here's a detailed mapping of NIS2 Article 21 security measures against ISO 27001 controls:

    NIS2 Article 21 Requirement       | ISO 27001 Coverage        | Gap
    (a) Risk management policies      | Clause 6, A.5.1           | Minimal – ISO 27001 covers this fully
    (b) Incident handling             | A.5.24-A.5.28             | Reporting deadlines and authority contact missing
    (c) Business continuity           | A.5.29-A.5.30             | Minimal – almost fully covered
    (d) Supply chain security         | A.5.19-A.5.23             | NIS2 requires more explicit focus
    (e) Security in acquisition       | A.5.8, A.8.25-A.8.31      | Minimal gap
    (f) Effectiveness assessment      | Clause 9                  | Minimal – internal audit covers this
    (g) Cyber hygiene and training    | A.6.3                     | Minimal – awareness is covered
    (h) Cryptography                  | A.8.24                    | Minimal – encryption controls exist
    (i) HR security                   | A.6.1-A.6.8               | Minimal – personnel security covered
    (j) Access control and MFA        | A.5.15-A.5.18, A.8.5      | Minimal – MFA may require upgrade
    (k) Secure communication          | A.8.20-A.8.22             | Minimal – network security covered

    As the table shows, the primary gaps are not in the technical security measures, but in the compliance processes around reporting, registration and authority contact.

    When Should You Have What?

    Scenario 1: You Are Covered by NIS2

    If your organisation falls within NIS2's scope, NIS2 compliance is mandatory. There's no way around it. However, we strongly recommend using ISO 27001 as the foundation:

    Recommended approach:

    1. Start by implementing the ISO 27001 framework (certification is optional)
    2. Build NIS2-specific requirements on top of this foundation
    3. Establish processes for incident reporting and authority contact
    4. Register as a NIS2 entity with authorities

    The advantage of this approach is that you get a solid, internationally recognised security system that also prepares you for NIS2.

    Scenario 2: You Are NOT Covered by NIS2

    If your organisation is not covered by NIS2, ISO 27001 is still relevant if:

    • Customers or partners require it – Many larger companies require ISO 27001 certification from their suppliers
    • You want to demonstrate security – Certification shows credibility to stakeholders
    • You want to prepare for potential NIS2 – If your organisation grows or changes focus, you may become covered later

    However, be aware that even if you're not directly covered by NIS2, your customers may be. This means that as part of their supply chain, you may be subject to requirements for security documentation.

    Scenario 3: You Are Already ISO 27001 Certified

    If your organisation is already ISO 27001 certified and becomes covered by NIS2, you're in a good position. You simply need to:

    1. Identify gaps – Review the mapping table above
    2. Implement incident reporting – Establish processes for 24h/72h/30d reporting
    3. Register as NIS2 entity – Contact relevant authorities
    4. Document management liability – Ensure management understands their personal liability
    5. Update vendor assessments – Strengthen supply chain security where necessary

    The good news is that much of the work has already been done through your ISO 27001 compliance.

    Scenario 4: You're Starting from Scratch

    If you need to start from the ground up with both NIS2 and information security, we recommend:

    1. Use ISO 27001 as the framework – Even if certification isn't the goal
    2. Include NIS2 requirements from the start – Avoid duplication later
    3. Use an integrated management system – One system for both frameworks
    4. Prioritise critical areas first – Start with risk assessment and basic controls

    This approach gives you the most value for money and avoids having to do the work twice.

    Practical Approach: ISO 27001 as Foundation for NIS2

    Here's a practical approach to using ISO 27001 as the foundation for NIS2 compliance:

    Step 1: Implement ISO 27001 ISMS

    Start by establishing an information security management system based on ISO 27001:

    • Conduct a comprehensive risk assessment of your information assets
    • Develop security policies and procedures
    • Implement relevant controls from Annex A based on your risks
    • Establish processes for internal audit and continual improvement

    This gives you a solid framework for security management, whether or not you choose to pursue certification.

    Step 2: Identify NIS2 Gaps

    Use the mapping table earlier in this article to identify where ISO 27001 doesn't fully cover NIS2 requirements:

    • Incident reporting – Are you missing processes for authority reporting?
    • Registration – Are you registered as a NIS2 entity?
    • Management liability – Is management fully informed about their personal liability?
    • Supply chain – Do your vendor assessments meet NIS2 requirements?

    Step 3: Fill the Gaps

    Implement the missing elements:

    • Establish concrete processes for incident reporting with deadlines (24h/72h/30d)
    • Register with relevant national authorities
    • Document management's understanding and acceptance of liability
    • Update data processing agreements and vendor contracts to include NIS2 requirements
    • Establish a point of contact with the CSIRT and national cybersecurity authorities

    Step 4: Maintain Both

    Operate an integrated management system where both frameworks are maintained together:

    • Use the same platform for documentation and task management
    • Coordinate internal audits to cover both frameworks
    • Update risk and compliance assessments continuously
    • Ensure training covers both ISO 27001 and NIS2 requirements

    This integrated approach ensures you get maximum value from your compliance efforts without unnecessary duplication.

    ENISA's Mapping: Official Guidance

    The European Union Agency for Cybersecurity (ENISA) has published official guidance on the relationship between NIS2 and ISO 27001. ENISA confirms that ISO 27001 is a strong starting point for NIS2 compliance.

    ENISA specifically recommends using ISO 27001:2022 (the latest version) rather than ISO 27001:2013, as the updated standard has better alignment with modern cybersecurity threats and requirements.

    You can find ENISA's resources and guidance at www.enisa.europa.eu, where updated material on NIS2 implementation is continuously published.

    What Do We Recommend?

    Based on our experience with hundreds of organisations working with compliance, here are our recommendations:

    For companies covered by NIS2:

    1. Start with ISO 27001 – Use it as a framework, even if certification isn't required
    2. Consider certification – It provides credibility and facilitates compliance documentation
    3. Add NIS2-specific requirements – Focus on gaps around reporting and registration
    4. Use one integrated system – Avoid duplicate documentation and administration

    For companies NOT covered by NIS2:

    1. Assess business needs – Is ISO 27001 relevant for your customers and market?
    2. Be aware of supply chain – Your customers may be covered and impose requirements on you
    3. Start simple – Implement basic information security and scale up as needed
    4. Prepare for the future – Your organisation may grow into NIS2's scope

    The most important message is: Whether you're covered by NIS2 or not, a structured approach to information security provides value to the organisation. ISO 27001 gives you this framework, and if NIS2 becomes relevant, the work is already half done.

    How .legal Helps with Both Frameworks

    At .legal, we've developed a platform that specifically handles both NIS2 and ISO 27001 in one integrated system. Our Frameworks module gives you:

    • Pre-built frameworks with complete mapping between NIS2 and ISO 27001
    • Automatic tracking of overlap, so you don't document the same thing twice
    • Integrated task management with an annual compliance calendar for both frameworks
    • Reporting to management, internal audits and authority reporting
    • Vendor management that meets both ISO 27001 and NIS2 requirements

    With .legal, you get an overview of your compliance status across frameworks and can focus on the actual security work instead of documentation administration.

    See how we handle NIS2 and ISO 27001 or book a demo to see the platform in action.

    Frequently Asked Questions about NIS2 vs ISO 27001

    Can I become NIS2-compliant without ISO 27001?

    Yes, ISO 27001 is not a formal requirement for NIS2 compliance. You can implement NIS2 requirements directly without using ISO 27001 as a framework. But in practice, most organisations will find it easier and more efficient to use ISO 27001 as the foundation, as much of the work overlaps. Without a structured approach like ISO 27001, you risk missing connections and creating gaps in your security.

    Does ISO 27001 certification automatically give NIS2 compliance?

    No, ISO 27001 certification alone does not automatically provide NIS2 compliance. There are important gaps, especially around incident reporting to authorities, registration as a NIS2 entity and specific deadlines. However, ISO 27001 covers 70-80% of requirements, so certification takes you far along the way. You simply need to add the NIS2-specific elements to be fully compliant.

    Which should I start with?

    If you're covered by NIS2, compliance is mandatory, so it's not a choice. But we strongly recommend starting by implementing the ISO 27001 framework first. This gives you a solid base of security policies, processes and controls. Then you can add the NIS2-specific elements on top. This approach provides the most value and avoids duplication.

    Does NIS2 require certification like ISO 27001?

    No, NIS2 does not require certification. NIS2 is legislation, not a certifiable standard. You must demonstrate compliance to national authorities through documentation and potential inspections, but there's no third-party certification involved. However, ISO 27001 certification can help document your compliance to authorities.

    How much overlap is there between the requirements?

    Approximately 70-80% of NIS2 security requirements overlap with ISO 27001. The primary differences lie in compliance processes (registration, reporting to authorities, specific deadlines) rather than in the technical security measures. If you've implemented ISO 27001 correctly, you already have most of NIS2's security requirements in place.

    What does it cost to have both?

    If you start with ISO 27001 first and then add NIS2, the marginal cost of NIS2 is significantly lower than implementing the two separately. As an estimate, you can save 30-50% of the total implementation cost by using an integrated approach. For a typical medium-sized business, the total investment may be €20,000-100,000 for initial implementation.

    Must my management also be personally liable for ISO 27001?

    No, ISO 27001 does not require personal management liability in the same way as NIS2. With ISO 27001, management must demonstrate commitment and take responsibility for the ISMS, but there are no personal sanctions associated with non-compliance. NIS2, however, can involve personal liability for management.

    Can I use the same software for both frameworks?

    Yes, and it's strongly recommended. Modern GRC platforms like .legal are built to handle multiple compliance frameworks in one integrated system. This gives you the ability to reuse documentation, share tasks across frameworks and get a unified overview of your compliance status.

    What happens if I ignore NIS2 but have ISO 27001?

    If your organisation is covered by NIS2, compliance is mandatory. ISO 27001 certification does not exempt you from NIS2 requirements. Non-compliance with NIS2 can result in significant fines (up to €10 million or 2% of global turnover for essential entities) as well as personal sanctions for management.

    Is ISO 27001:2013 good enough, or must it be the 2022 version?

    ENISA specifically recommends ISO 27001:2022 (the latest version) for NIS2 compliance. The 2022 version has better alignment with modern cybersecurity threats and contains updated controls that better match NIS2 requirements. New implementations should always use the 2022 version.
