
NIS2 vs ISO 27001: What's Missing?

Updated 3 June 2026

Many companies already hold ISO 27001 certification and wonder whether this satisfies NIS2. The short answer: ISO 27001 provides a strong foundation, but it does not cover everything NIS2 requires. There are specific NIS2 obligations — incident reporting, supply chain security, management accountability — that ISO 27001 does not automatically address.

This article identifies exactly what ISO 27001 covers, what NIS2 adds, and what gaps you need to fill.


Where ISO 27001 and NIS2 Overlap

ISO 27001 is an international standard for information security management systems (ISMS). It covers:

  • Risk identification, assessment, and treatment
  • Security policies and procedures
  • Physical and environmental security
  • Access control
  • Cryptography
  • Operations security
  • Incident management
  • Business continuity
  • Supplier relationships
  • Compliance

NIS2 Article 21 lists the required security measures for in-scope entities. Almost every item on the NIS2 list has a corresponding ISO 27001 control:

NIS2 requirement (Article 21)                            | ISO 27001 coverage
---------------------------------------------------------|------------------------------------------------------------
Risk analysis and information system security policies   | Yes — ISO 27001 Clause 6 (risk assessment and treatment)
Incident handling                                        | Yes — ISO 27001 Annex A, Controls 5.24–5.28
Business continuity and disaster recovery                | Yes — ISO 27001 Annex A, Controls 5.29–5.30
Supply chain security                                    | Partial — ISO 27001 Annex A, Controls 5.19–5.22
Security in network and information systems acquisition  | Yes — ISO 27001 Annex A, Controls 8.25–8.32
Policies to assess effectiveness of measures             | Yes — ISO 27001 Clause 9 (performance evaluation)
Cyber hygiene practices                                  | Yes — ISO 27001 Annex A
Cryptographic policies                                   | Yes — ISO 27001 Annex A, Control 8.24
Human resources security, training                       | Yes — ISO 27001 Annex A, Control 6.3
Multi-factor authentication                              | Yes — ISO 27001 Annex A, Control 8.5

Conclusion on technical security: If you have ISO 27001 and it is well-implemented, you probably meet most of NIS2's technical security requirements. The ISMS is the foundation.


Where NIS2 Goes Beyond ISO 27001

1. Incident Reporting — Specific Timelines

ISO 27001 requires an incident management process but does not specify notification timelines to external authorities. NIS2 requires:

  • Early warning within 24 hours
  • Incident notification within 72 hours
  • Final report within 1 month

Your ISMS must be enhanced with specific NIS2 reporting procedures, authority contact details, and notification templates. ISO 27001 certification alone does not mean you have this.

2. Management Accountability — Personal Liability

ISO 27001 requires top management commitment and leadership in the ISMS. NIS2 goes further: it explicitly requires management bodies to approve security measures, bear responsibility for violations, and complete cybersecurity training.

NIS2 Article 20 creates management liability that ISO 27001 governance does not mirror exactly. The management body must:

  • Formally approve your cybersecurity risk measures
  • Have documented oversight of NIS2 compliance
  • Be able to demonstrate ongoing training on cybersecurity risk

3. Registration with National Authorities

ISO 27001 has no registration requirement. NIS2 requires in-scope entities to register with national competent authorities. This is a regulatory step outside the scope of any ISMS standard.

4. Supply Chain Security — Depth and Documentation

ISO 27001 Annex A includes supplier security (Controls 5.19–5.22), but NIS2 Article 21(d) specifically requires policies on supply chain security addressing the security practices of each direct supplier and service provider. This includes:

  • Risk assessment of suppliers based on their security practices
  • Contractual requirements on suppliers
  • Monitoring of supplier compliance

NIS2-level supply chain security documentation is typically more explicit and detailed than what ISO 27001 requires for certification.

5. National Law Compliance

NIS2 is transposed into national law, and compliance means complying with the national implementation in each member state where you operate. ISO 27001 is a global standard that is not jurisdiction-specific. Your national NIS2 obligations may include specific requirements that go beyond the ISO 27001 standard.


What ISO 27001 Gives You Towards NIS2

Credibility with authorities: ISO 27001 certification is widely recognised by NIS2 competent authorities as evidence of a mature security management programme. In enforcement situations, certification demonstrates a good-faith effort even where specific gaps exist.

A working ISMS: The risk assessment, control framework, and management system you built for ISO 27001 are exactly the foundation NIS2 requires. You are not starting from scratch.

Supplier management baseline: The supplier security controls in ISO 27001 provide a starting point for NIS2 supply chain compliance — they need to be extended, not rebuilt.


What You Need to Add

If you have ISO 27001 and want to close the NIS2 gap:

  1. Add NIS2-specific incident reporting procedures — 24-hour and 72-hour reporting timelines, authority contact details, notification templates
  2. Add management body approval process — formal board/leadership approval for the risk assessment and control framework, documented
  3. Add cybersecurity training records for management — NIS2 requires this specifically
  4. Register with national competent authority
  5. Enhance supply chain documentation — individual supplier risk assessments, contractual NIS2 requirements for direct suppliers
  6. Verify national implementation requirements — in each member state where you operate

ComplyOne determines your NIS2 entity classification and generates the required security documentation.
