NIS2 and ISO 27001: Everything You Need to Know Before Getting Started

"We're ISO 27001 certified, so we're NIS2 compliant." This statement comes up often in executive meetings—and it's incorrect. But the relationship between NIS2 and ISO 27001 is more nuanced than a simple "sufficient" or "insufficient." Here’s what the standard actually covers, where it falls short, and how to use it as a true compliance accelerator.

Key Takeaway — The 3 Levels to Distinguish

Level | Nature | Examples
Required (European directive) | Substantive requirements: Article 21 of NIS2 | Risk management, incidents, business continuity, supply chain, MFA, vulnerabilities
Regulatory supplements | Directly applicable, without national transposition | Implementing regulation for digital service providers (MSPs, cloud providers, MSSPs)
Best practice | Useful, valuable, optional | ISO 27001, internal SOC, additional certifications

ISO 27001 certification falls into the third category. It is a powerful tool, not a requirement.

NIS2 does not mandate any specific standards: here is what the text actually says

The first thing to remember is simple: NIS2 is deliberately non-prescriptive regarding the means.

"Essential and important entities shall take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems."
— Directive (EU) 2022/2555, Article 21

The directive defines expected outcomes and competencies to be demonstrated. It leaves it up to organizations to choose the means to achieve them. No standards, tools, or certifications are mandated. What matters is being able to explain and justify your actions in a manner consistent with the identified risks.

With that in mind, ISO 27001 is neither mandatory nor the only option—but it is a particularly effective tool, provided you know how to use it.

What NIS2 actually requires: the 8 areas covered by Article 21

Article 21 does not merely require "a risk analysis". Article 21(2) enumerates ten categories of minimum measures, points (a) to (j), all of which must be addressed in an appropriate and proportionate manner. Grouped by theme, they come down to eight areas:

  1. Security policies and risk management: processes for identifying, assessing and treating cyber risks, and for assessing the effectiveness of the measures taken
  2. Incident handling: detection, classification, response and regulatory notification
  3. Business continuity: backup management, disaster recovery and crisis management; these three terms are explicitly named in the directive
  4. Supply chain security: managing critical suppliers and service providers
  5. Security in the acquisition, development and maintenance of network and information systems
  6. Vulnerability handling and disclosure: identification, remediation and coordination
  7. Cyber hygiene and training: basic practices and awareness for all staff
  8. Cryptography, human resources security, asset management, access control and multi-factor authentication (MFA): all explicitly named in the text

The direct consequence is that an organization cannot rely solely on a thorough risk analysis. Risk analysis serves as the starting point for determining the appropriate measures. The eight areas listed above constitute the scope that must be covered.

What ISO 27001 Actually Brings to Your NIS2 Approach

ISO 27001 is an international standard for information security management systems (ISMS). It provides precisely what NIS2 does not specify: the "how."

On Governance

NIS2 imposes clear accountability on management (Article 20). ISO 27001 provides a formal framework for establishing a security policy approved by management, defining roles and responsibilities, and organizing oversight and reporting. This is an area of significant overlap—provided that management’s involvement is genuine and verifiable, not merely declarative.

On Risk Management

Risk management is at the heart of Article 21. ISO 27001 (clauses 6.1 and 8) provides a comprehensive methodology: assessment, treatment, prioritization, and traceability of decisions. This is where the directive and the standard align most closely.

One point deserves emphasis: the risk analysis must cover critical services, external dependencies, and plausible cyber scenarios, not the entire IT estate in a purely theoretical way.

On security measures

Annex A of ISO/IEC 27001:2022 provides a structured catalog of organizational, people, physical, and technological controls: a solid starting point for selecting and justifying measures against the eight areas outlined in Article 21. These controls cover cryptography, access management, asset management, and HR security, which map directly onto the NIS2 requirements.

On continuous improvement

NIS2 is not a one-time compliance effort. ISO 27001 inherently incorporates regular reviews, internal audits, and a PDCA cycle—which helps demonstrate that cybersecurity is managed over the long term, a key factor in the event of an audit.

What ISO 27001 Does Not Adequately Cover: 4 Areas of Concern

1. Regulatory incident reporting

ISO 27001 includes incident management, but it does not cover the regulatory deadlines or the three-stage notification process required by Article 23 of NIS2 for significant incidents:

Step | NIS2 deadline (Article 23) | Covered by ISO 27001?
Early warning | Within 24 hours of becoming aware of the incident | Partially: internal process only
Incident notification | Within 72 hours of becoming aware of the incident | Partially: internal process only
Final report | Within one month of the incident notification | Partially: internal process only

ISO 27001 provides a framework for the internal incident management process. The regulatory requirements (who to notify, when, and in what format) necessitate a specific NIS2 supplement.

2. Supply chain security

This is a critical aspect that is often overlooked in ISO 27001 ISMSs. NIS2 makes it an explicit requirement (Article 21) with specific expectations:

  • Supplier risk assessment: classification by criticality to your services
  • Contractual security requirements: cybersecurity clauses in contracts with critical suppliers
  • Monitoring third-party risk over time: not just during onboarding

ISO 27001 addresses the security of supplier relationships (controls in Annex A), but its operational implementation often falls short of NIS2 requirements. This is frequently the first non-conformity identified during a compliance assessment.

3. Implementing measures for digital service providers

For MSPs, MSSPs, cloud computing service providers, data centre service providers, and several other categories of digital providers, NIS2 is supplemented by a directly applicable Commission implementing regulation (Implementing Regulation (EU) 2024/2690), which requires no national transposition. It sets out very specific technical and methodological requirements tailored to multi-tenant and shared environments, and defines when an incident counts as significant for these providers: management of incidents with systemic impact, continuity of shared services, and control over subcontracting in the supply chain.

ISO 27001 alone is insufficient for these providers unless they read this implementing regulation and incorporate its requirements into their ISMS.

4. Regulatory Oversight and Sanctions

The powers of the competent authorities, audit processes, and enforcement mechanisms fall under public law and are outside the scope of any management standard. ISO 27001 does not prepare you for a regulatory audit; rather, it helps ensure you have something to show during such an audit.

The NIS2 ↔ ISO 27001 Mapping Table

NIS2 requirement | What ISO 27001 contributes | What remains to be added
Governance and accountability (Art. 20) | Information security policy, roles, management commitment | Real accountability of management for decisions, management training
Cyber risk management (Art. 21) | Comprehensive methodology, risk register | Plausible cyber scenarios, focus on critical services
Incident handling (Art. 21, 23) | Internal process, partially covered | Regulatory notification (24 hours / 72 hours / 1 month)
Business continuity (backup, disaster recovery, crisis management) | Integrated business continuity plans (BCPs) and disaster recovery plans (DRPs) | Regular testing of the plans, cyber scenarios, supplier integration
Supply chain security | Annex A controls (supplier relationships) | Assessment, contractual provisions, third-party risk monitoring
Vulnerabilities, MFA, cryptography | Annex A controls | Sector-specific implementing acts, where applicable
Continuous improvement | Internal audits, management reviews, corrective actions | Evidence ready to present during a regulatory audit

ISO 27001 as a catalyst: the path to European certification

The regulatory framework is evolving. The European cybersecurity certification framework established by the Cybersecurity Act (Regulation (EU) 2019/881), with certification schemes prepared by ENISA, is intended to produce standardized evidence that NIS2 supervisory authorities can rely on; Article 24 of NIS2 allows Member States to require the use of ICT products, services and processes certified under such schemes. Only the first scheme, EUCC for ICT products, has been adopted so far; a scheme for cloud services (EUCS) is still in preparation, so there is not yet an operational European scheme that certifies an organization's security management in the way ISO 27001 does.

From this perspective, holding ISO 27001 certification offers a tangible strategic advantage: a structured ISMS, documented processes, proven governance, and auditable evidence that can be directly reused once the first European certification schemes become available. ISO 27001 is not redundant; it is a catalyst for achieving NIS2 maturity, provided it is not treated as an end in itself.

How to Use ISO 27001 Effectively in Your NIS2 Implementation

To do:

  • Use ISO 27001 as the backbone of your NIS2 program
  • Make clear what has already been covered, what needs to be added, and what needs to be justified
  • Tailor the risk analysis to NIS2-critical services, not to the entire IT system
  • Incorporate regulatory reporting requirements into your incident management process
  • Specifically strengthen the supply chain aspect: assessment, contracts, and monitoring

Avoid:

  • Treating ISO 27001 certification as a "NIS2 compliance ticket"
  • Applying ISO 27001 to the letter without reading NIS2 and its implementing acts
  • Producing a large volume of documentation with no real operational use
  • Ignoring the implementing regulation if you are a digital service provider

The golden rule: consistency over quantity

Whether or not you are ISO 27001 certified, NIS2 compliance depends less on the number of controls and more on the overall consistency of the framework: a policy that aligns with identified risks, justified measures, and usable evidence.

Quick Assessment: If you are ISO 27001 certified with a fully operational ISMS, you have likely met 60 to 80% of the NIS2 requirements—primarily in the areas of governance, risk analysis, and technical measures. The remaining 20 to 40% mainly concern regulatory notification, the supply chain, and any sector-specific implementing regulations. This is where your path to compliance will be determined.

An NIS2 auditor does not assess the sophistication of your tools. Instead, they assess your ability to explain your choices, demonstrate your practices, and correct any deviations—exactly what a well-maintained ISO 27001 ISMS enables you to do.
